Closed git-n-pissed closed 1 year ago
@git-n-pissed fixed by 6695e73 can you verify?
Yup, that fixed it! Any idea why TFM is exhibiting this behavior?
the montgomery reduction d = a**b (mod c) need odd c (modulus) to work correctly
probably a clean solution could be
if (fp_isodd(&c_fp_int) == FP_YES)
{
fp_exptmod(&a_fp_int, &b_fp_int, &c_fp_int, &d_fp_int);
}
else
{
fp_pow3(&a_fp_int, &b_fp_int, &c_fp_int, &d_fp_int);
}
Honestly, I would like to leave the exptmod
function unchanged and trigger an exception in the case of even modulus.
in addition to the exptmod
method I also add the fast_pow
method to be called if it is required.
what do you think?
I think checking for an odd modulus was a good idea. Should be more performant than letting the unnecessary processing of exptmod
happen only to then have to handle an exception and then call fast_pow
. Another option would be leaving exptmod
as is, but updating fast_pow
to use exptmod
in the event of an odd modulus.
i have opted to tomsfastmath.exptmod(x, y, z, safe=True)
with default value false
and added fast_pow
method
closed this issue as resolved, in case of problems do not hesitate to reopen it.
Thanks for the report and testing
closed this issue as resolved, in case of problems do not hesitate to reopen it.
Thanks for the report and testing
I think one additional change may be needed here, or perhaps a revert. Before this change was implemented, an even modulus would fail. I think that implementation was correct, because if an even modulus is allowed, that means one of its factors is 2. If the intent was for the exptmod
function to perform generic modular exponentiation operations I think this change would have been appropriate, but the goal is the generation of strong RSA keys.
The documentation for TFM's exptmod
function also claims only an odd exponent should be used. This I'm still trying to understand completely. If ucrypto uses a default exponent of 65537 as is standard, maybe it doesn't matter?
The change made by default is disabled for the very reasons you stated
The change made by default is disabled for the very reasons you stated
Is it not possible then for ucrypto to provide this function with an even exponent or modulus? If you believe the change made by this issue was still a good one, TFM's invmod also only works with odd modulus, and exptmod (even the current implementation which also uses fast_pow) does not accept a negative exponent. I don't think these changes are necessary, just saying ;)
EDIT:
I think the TFM documentation for invmod
is incorrect (not surprising, the authors don't seem big on documentation). My testing shows it does work with even modulus. In fact, I think it invmod
must work with an even modulus because n = (p - 1) * (q - 1)
will always be even (right?). From the docs:
The fp invmod() function will find the modular inverse of
a
modulo an odd modulusb
and store it inc
(provided it exists).
I've been playing around with various RSA libraries and found an oddity in the
pow3_
function which uses TFMfp_exptmod
. I'm not sure if what I'm seeing is an error, but it isn't what I'm expecting. Here is the test I'm running on an ESP32-S3:And here is the adafruit
fast_pow
function. The output of the function below always matches the output of CPython'spow
function as well:And here are the results:
It is unclear to me why the
fp_exptmod
output isn't matching otherpow
implementations. I have tried disablingTFM_CHECK
andTFM_TIMING_RESISTANT
, but disabling the former doesn't appear to make any difference, and disabling the latter results in a stackoverflow.