From c6a3e43164be86ca3239e6213c439cf9be44dd96 Mon Sep 17 00:00:00 2001
From: Kai Engert
Date: Thu, 7 May 2026 10:44:55 +0200
Subject: [PATCH] Change Key::validate to use variable time division to fix performance regression.
---
 src/lib/crypto/elgamal.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/lib/crypto/elgamal.cpp b/src/lib/crypto/elgamal.cpp
index bf432e1c3..99efa94a5 100644
--- a/src/lib/crypto/elgamal.cpp
+++ b/src/lib/crypto/elgamal.cpp
@@ -30,7 +30,6 @@
 #include
 #include
 #include
-#include
 #include "botan_utils.hpp"
 #include
 #include "elgamal.h"
@@ -101,10 +100,13 @@ Key::validate(bool secret) const noexcept
 return false;
 }
 /* check for small order subgroups */
- Botan::Modular_Reducer reducer(bp);
+ /* Note: we use (v * bg) % bp instead of Modular_Reducer::multiply() because
+ * Botan >= 3.8.0 changed Modular_Reducer::reduce() to use constant-time
+ * ct_modulo(), causing a ~190x slowdown. * BigInt::operator% uses variable-time division. */
 Botan::BigInt v = bg;
 for (size_t i = 2; i < (1 << 17); i++) {
- v = reducer.multiply(v, bg);
+ v = (v * bg) % bp;
 if (!v.cmp_word(1)) {
 RNP_LOG("Small subgroup detected. Order %zu", i);
 return false;
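Review bot: The new comment above `v = (v * bg) % bp;` justifies the move away from `Modular_Reducer` only on performance grounds; it should also record why a variable-time reduction is acceptable at this spot, since replacing a constant-time routine with a data-dependent one is exactly what a later auditor will flag. As far as the hunk shows, `v` is seeded from `bg` and reduced modulo `bp`, which appear to be the public group parameters rather than secret key material, so the timing of `BigInt::operator%` leaks nothing an observer does not already hold; I would add that to the comment, e.g. `/* Variable-time arithmetic is acceptable here: bg and bp are public parameters, so no secret material flows through this loop. */`. If `validate()` is ever extended to check the secret exponent with the same multiply-and-reduce pattern, that path would need to stay on the constant-time API. Key::validate begins before this hunk and continues past its last line.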