Scale ops count for larger curves

From a user's perspective, you want a "basic operation" to take approximately the same amount of time regardless of the curve size, especially since max_ops is a global setting: otherwise if you pick a limit suitable for P-384 then when you do an operation on P-256 it will return way more often than needed. Said otherwise, a user is actually interested in actual running time, and we do the API in terms of "basic ops" for practical reasons (no timers) but then we should make sure it's a good proxy for running time.
2025-07-29 11:41:15 +03:00 · 2017-03-20 14:35:19 +01:00
parent d3a0ca8500
commit e685449004
2 changed files with 18 additions and 8 deletions
--- a/library/ecp.c
+++ b/library/ecp.c
@ -166,10 +166,18 @@ static int ecp_check_budget( const mbedtls_ecp_group *grp, unsigned ops )
 {
    if( grp->rs != NULL )
    {
+        /* scale depending on curve size: the chosen reference is 256-bit,
+         * and multiplication is quadratic. Round to the closest integer. */
+        if( grp->pbits >= 512 )
+            ops *= 4;
+        else if( grp->pbits >= 384 )
+            ops *= 2;
+
        /* avoid infinite loops: always allow first step */
        if( grp->rs->ops_done != 0 && grp->rs->ops_done + ops > ecp_max_ops )
            return( MBEDTLS_ERR_ECP_IN_PROGRESS );

+        /* update running count */
        grp->rs->ops_done += ops;
    }