Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> writes:
My main concern is that rsa_private_key_prepare() multiplies q and p,
I don't quite like that either, but I don't think it matters much for performance. The time for that multiplication is only a tiny fraction of the time needed to create a single signature.
It's needed to get the correct octet size of n. And it's possible to get rid of it in the common cases, although I'm not sure it's worth the effort.
Say sp is the bit size of p and sq is the bit size of q. Then sn, the bit size of n, is either sp + sq, or sp + sq - 1. And the octet size is ceil (sn / 8).
Now for typical RSA keys, p and q both have the top 2 bits set, and then we know that sn = sp + sq. Furthermore, typically sp + sq is a multiple of 8, but ceil ((sp + sq - 1)/8) differs from ceil ((sp + sq)/8) only if sp + sq = 1 (mod 8).
Do you think it is sufficient for gnutls to add an extra check that p and q are odd in nettle's rsa_compute_root? (Used also by rsa_compute_root_tr).
It makes sense for sanity check reasons as well (detect broken keys early rather than late).
I'll add that then.
Regards, /Niels
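
The size argument in the message above, worked through as an added example (not code from the message or from nettle). It is written in Python for its built-in big integers; the function names are hypothetical and the test values are constructed.

```python
# Added illustration: octet size of n = p*q from the bit sizes of p and q,
# multiplying only when the shortcut from the message does not apply.
# Function names are hypothetical, not nettle or gnutls API.

def top_two_bits_set(x: int) -> bool:
    """True if the two most significant bits of x are both 1."""
    s = x.bit_length()
    return s >= 2 and (x >> (s - 2)) == 3


def modulus_octets(p: int, q: int):
    """Return (octet size of n, True if p*q had to be computed)."""
    # Sanity check discussed in the thread: reject even (broken) factors early.
    if p <= 0 or q <= 0 or p % 2 == 0 or q % 2 == 0:
        raise ValueError("p and q must be positive and odd")

    total = p.bit_length() + q.bit_length()   # sp + sq

    # sn is either total or total - 1. ceil(total/8) and ceil((total-1)/8)
    # differ only when total = 1 (mod 8), so otherwise sn need not be known.
    if total % 8 != 1:
        return (total + 7) // 8, False

    # Top two bits set in both factors: p*q >= 9 * 2^(total-4) > 2^(total-1),
    # hence sn = total exactly.
    if top_two_bits_set(p) and top_two_bits_set(q):
        return (total + 7) // 8, False

    # Rare case: fall back to the multiplication.
    return ((p * q).bit_length() + 7) // 8, True


if __name__ == "__main__":
    # Constructed toy factors, far too small for real keys.
    for p, q in [(0b11000001, 0b11000101), (0b11001, 0b1101), (0b10001, 0b1001)]:
        print(bin(p), bin(q), modulus_octets(p, q))
```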