speedup in ecdsa_do_verify by not using montgomery ladder for sidechannel silencing ?

classic Classic list List threaded Threaded
2 messages Options
;
Reply | Threaded
Open this post in threaded view
|

speedup in ecdsa_do_verify by not using montgomery ladder for sidechannel silencing ?

;

Hi Guys

Wouldnt it be much faster to non sidechannel silencing montgomery variants for muls in ecdsa_do_verify?
I mean since for verify we use only public keys anyways.

ecdsa_do_verify  calls generic EC_POINT_mul which calls (plugged in during init) ec_GFp_mont_field_mul instead of ec_wNAF_mul ?
wouldnt it be better then to call ec_wNAF_mul instead of EC_POINT_mul in ecdsa_do_verify  ?

Just thinking about it since speeding up indexing bitcoin on first start by speeding up ecc.verify would be great. 
Sorry for stupid idea ;)

Ladislav Nevery

--
-
Reply | Threaded
Open this post in threaded view
|

Re: speedup in ecdsa_do_verify by not using montgomery ladder for sidechannel silencing ?

Billy Brumley
ec_GFp_mont_field_mul is for the field multiplication. It depends on the curve, but most GF(p) curves will drill down to a function pointer to ec_wNAF_mul for the point multiplication. Check crypto/ec/ec_lib.c.

BBB


On Tue, Apr 22, 2014 at 7:10 PM, ; <[hidden email]> wrote:

Hi Guys

Wouldnt it be much faster to non sidechannel silencing montgomery variants for muls in ecdsa_do_verify?
I mean since for verify we use only public keys anyways.

ecdsa_do_verify  calls generic EC_POINT_mul which calls (plugged in during init) ec_GFp_mont_field_mul instead of ec_wNAF_mul ?
wouldnt it be better then to call ec_wNAF_mul instead of EC_POINT_mul in ecdsa_do_verify  ?

Just thinking about it since speeding up indexing bitcoin on first start by speeding up ecc.verify would be great. 
Sorry for stupid idea ;)

Ladislav Nevery

--
-