From c6a3e43164be86ca3239e6213c439cf9be44dd96 Mon Sep 17 00:00:00 2001
From: Kai Engert <kaie@kuix.de>
Date: Thu, 7 May 2026 10:44:55 +0200
Subject: [PATCH] Change Key::validate to use variable time division to fix
performance regression.
---
src/lib/crypto/elgamal.cpp | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/lib/crypto/elgamal.cpp b/src/lib/crypto/elgamal.cpp
index bf432e1c3..99efa94a5 100644
--- a/src/lib/crypto/elgamal.cpp
+++ b/src/lib/crypto/elgamal.cpp
@@ -30,7 +30,6 @@
#include <botan/ffi.h>
#include <botan/bigint.h>
#include <botan/numthry.h>
-#include <botan/reducer.h>
#include "botan_utils.hpp"
#include <rnp/rnp_def.h>
#include "elgamal.h"
@@ -101,10 +100,13 @@ Key::validate(bool secret) const noexcept
return false;
}
/* check for small order subgroups */
- Botan::Modular_Reducer reducer(bp);
+ /* Note: we use (v * bg) % bp instead of Modular_Reducer::multiply() because
+ * Botan >= 3.8.0 changed Modular_Reducer::reduce() to use constant-time
+ * ct_modulo(), causing a ~190x slowdown.
+ * BigInt::operator% uses variable-time division. */
Botan::BigInt v = bg;
for (size_t i = 2; i < (1 << 17); i++) {
- v = reducer.multiply(v, bg);
+ v = (v * bg) % bp;
if (!v.cmp_word(1)) {
RNP_LOG("Small subgroup detected. Order %zu", i);
return false;
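Review bot: The new comment above `Botan::BigInt v = bg;` explains why `Modular_Reducer::multiply()` was dropped but not why a variable-time `operator%` is acceptable here, which is the side-channel question a reader of `Key::validate(bool secret)` will ask, since the same function also takes a `secret` flag. If `bp` and `bg` are the public prime and generator of the key (as the names suggest — confirm against the declarations outside this hunk), the loop's operands and its timing depend only on public data, and the comment should say so explicitly, e.g. ` * Variable-time arithmetic is acceptable in this loop: p and g are public key parameters, so no secret value influences its timing.` Without that sentence the patch reads as a silent relaxation of constant-time behaviour rather than a deliberate, justified one. The enclosing function begins before and ends after this hunk, so the `secret` branch that may handle private material is not visible here.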