microsoft / go-crypto-openssl

Go crypto backend for Linux using OpenSSL
MIT License

Convert big.Int to bignum via word slice #25

Closed qmuntal closed 2 years ago

qmuntal commented 2 years ago

This PR is an almost direct port of https://go-review.googlesource.com/c/go/+/395875/10. In our case there is no visible performance win, which was the motivation of the original CL, but it paves the path to removing big.Int from go-crypto-openssl, which is necessary for go1.19.

jaredpar commented 2 years ago

What is the advantage of removing big.Int from the crypto layer?

qmuntal commented 2 years ago

> What is the advantage of removing big.Int from the crypto layer?

The Go security team is trying to reduce the usage of big.Int from crypto code, as it is slow, not constant time and not designed for being used in the cryptography foundations.

This is the commit where big.Int was removed from boring: https://go-review.googlesource.com/c/go/+/395877/12

And these are other issues related to removing big.Int from other packages or fixing it:

In our case, it will make security reviews a little bit easier, as by removing big.Int from our code there won't be any doubt we are really delegating big integer operations to OpenSSL.
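To illustrate the word-slice representation named in the PR title, here is an added example; it is not code from this PR or from the upstream CL. The helper names `toWords`, `wordsToLE` and `fromWords` are hypothetical, and the example stays in pure Go, copying words rather than calling OpenSSL.

```go
package main

import (
	"fmt"
	"math/big"
	"math/bits"
)

const wordBytes = bits.UintSize / 8 // bytes per big.Word on this platform (4 or 8)

// toWords copies x's magnitude into little-endian machine words.
// The sign is dropped and a nil input stays nil.
func toWords(x *big.Int) []uint {
	if x == nil {
		return nil
	}
	w := x.Bits() // shares memory with x, so copy before handing it on
	out := make([]uint, len(w))
	for i, v := range w {
		out[i] = uint(v)
	}
	return out
}

// wordsToLE lays the words out as little-endian bytes, the form a
// little-endian binary-to-bignum routine would consume (assumption).
func wordsToLE(w []uint) []byte {
	b := make([]byte, 0, len(w)*wordBytes)
	for _, v := range w {
		for i := 0; i < wordBytes; i++ {
			b = append(b, byte(v>>uint(8*i)))
		}
	}
	return b
}

// fromWords rebuilds a non-negative big.Int from little-endian words.
func fromWords(w []uint) *big.Int {
	bw := make([]big.Word, len(w))
	for i, v := range w {
		bw[i] = big.Word(v)
	}
	return new(big.Int).SetBits(bw)
}

func main() {
	x, _ := new(big.Int).SetString("0102030405060708090a0b0c0d0e0f10", 16) // constructed sample
	w := toWords(x)
	fmt.Printf("%d words, LE %x, round-trip %v\n", len(w), wordsToLE(w), fromWords(w).Cmp(x) == 0)
}
```

Code that only carries `[]uint` values like these across the API boundary has no arithmetic of its own to review, which is the property the last comment describes.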