From 2bddd947fd1c11b4ec461576db65a5e34fea1b07 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 21 May 2015 16:24:36 +0200 Subject: ecc: Add key generation flag "no-keytest". * src/cipher.h (PUBKEY_FLAG_NO_KEYTEST): New. * cipher/pubkey-util.c (_gcry_pk_util_parse_flaglist): Add flag "no-keytest". Return an error for invalid flags of length 10. * cipher/ecc.c (nist_generate_key): Replace arg random_level by flags set random level depending on flags. * cipher/ecc-eddsa.c (_gcry_ecc_eddsa_genkey): Ditto. * cipher/ecc.c (ecc_generate): Pass flags to generate fucntion and remove var random_level. (nist_generate_key): Implement "no-keytest" flag. * tests/keygen.c (check_ecc_keys): Add tests for transient-key and no-keytest. -- After key creation we usually run a test to check whether the keys really work. However for transient keys this might be too time consuming and given that a failed test would anyway abort the process the optional use of a flag to skip the test is appropriate. Using Ed25519 for EdDSA and the "no-keytest" flags halves the time to create such a key. This was measured by looping the last test from check_ecc_keys() 1000 times with and without the flag. Due to a bug in the flags parser unknown flags with a length of 10 characters were not detected. Thus the "no-keytest" flag can be employed by all software even for libraries before this. That bug is however solved with this version. Signed-off-by: Werner Koch --- doc/gcrypt.texi | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'doc/gcrypt.texi') diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index ab4f685b..f13695a3 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi @@ -2327,6 +2327,13 @@ random number generator. This flag may be used for keys which are only used for a short time or per-message and do not require full cryptographic strength. +@item no-keytest +@cindex no-keytest +This flag skips internal failsafe tests to assert that a generated key +is properly working. It currently has an effect only for standard ECC +key generation. It is mostly useful along with transient-key to +achieve fastest ECC key generation. + @item use-x931 @cindex X9.31 Force the use of the ANSI X9.31 key generation algorithm instead of -- cgit v1.2.1