Use GCD to check RSA moduli for small primes (letsencrypt#4883)

cipherboy · web-flow · commit a505ff80bbba · 2020-06-24T13:05:47.000-07:00
The existing checkSmallPrimes function maintains a table of primes,
converts them to an array of *big.Int and uses the resulting values
for comparing against a RSA modulus as follows:

    for _, prime := range smallPrimes {
        if modulus % prime != 0 {
            return invalid
        }
    }
    return valid

This incurs substantial overhead as each prime is checked individually,
invoking QuoRem(...) each time. By multiplying the primes together into
a single *big.Int, we can utilize a single library call, GCD(...), and
check all the values at once. While a single GCD invocation is slower
than a single QuoRem, 133 such invocations of QuoRem are together
slower than the single GCD.

BenchmarkSmallPrimeGCD
BenchmarkSmallPrimeGCD-4                       72759             16240 ns/op
BenchmarkSmallPrimeIndividualMods
BenchmarkSmallPrimeIndividualMods-4             8866            165265 ns/op

This gives us room to later increase the number of smallPrimes, if
desired, while keeping the same timing profile. Currently the product
of the 133 primes in smallPrimes fits within 1040 bits.

Signed-off-by: Alexander Scheel &lt;alexander.m.scheel@gmail.com&gt;
diff --git a/goodkey/good_key.go b/goodkey/good_key.go
@@ -36,7 +36,7 @@ var smallPrimeInts = []int64{
 // singleton defines the object of a Singleton pattern
 var (
 	smallPrimesSingleton sync.Once
-	smallPrimes          []*big.Int
+	smallPrimesProduct   *big.Int
 )
 
 // BlockedKeyCheckFunc is used to pass in the sa.BlockedKey method to KeyPolicy,
@@ -316,20 +316,26 @@ func (policy *KeyPolicy) goodKeyRSA(key *rsa.PublicKey) (err error) {
 //
 // Short circuits; execution time is dependent on i. Do not use this on secret
 // values.
+//
+// Rather than checking each prime individually (invoking Mod on each),
+// multiply the primes together and let GCD do our work for us: if the
+// GCD between <key> and <product of primes> is not one, we know we have
+// a bad key. This is substantially faster than checking each prime
+// individually.
 func checkSmallPrimes(i *big.Int) bool {
 	smallPrimesSingleton.Do(func() {
+		smallPrimesProduct = big.NewInt(1)
 		for _, prime := range smallPrimeInts {
-			smallPrimes = append(smallPrimes, big.NewInt(prime))
+			smallPrimesProduct.Mul(smallPrimesProduct, big.NewInt(prime))
 		}
 	})
 
-	for _, prime := range smallPrimes {
-		var result big.Int
-		result.Mod(i, prime)
-		if result.Sign() == 0 {
-			return true
-		}
-	}
+	// When the GCD is 1, i and smallPrimesProduct are coprime, meaning they
+	// share no common factors. When the GCD is not one, it is the product of
+	// all common factors, meaning we've identified at least one small prime
+	// which invalidates i as a valid key.
 
-	return false
+	var result big.Int
+	result.GCD(nil, nil, i, smallPrimesProduct)
+	return result.Cmp(big.NewInt(1)) != 0
 }
