Lines Matching +full:pseudo +full:- +full:differential
11 Copyright (C) 2017-2023
20 * Jean-Pierre FLORI (<mailto:jpflori@gmail.com>)
30 in the [ISO 14888-3:2018](https://www.iso.org/standard/76382.html)
34 * Core ISO 14888-3:2018 algorithms: ECDSA, ECKCDSA, ECGDSA, ECRDSA, EC{,O}SDSA, ECFSDSA, SM2.
36 …* BIGN (as standardized in [STB 34.101.45-2013](https://github.com/bcrypto/bign)). We allow a more…
38 … "Schnorr" Bitcoin proposal, as specified in [bip-0340](https://github.com/bitcoin/bips/blob/maste…
39 …tandard as we allow any curve and any hash function (the standard mandates SECP256K1 with SHA-256).
42 …-CDH (Elliptic Curve Cryptography Cofactor Diffie-Hellman) as described in [section 5.7.1.2 of the…
45 …STR3410-2001-CryptoPro{A,B,C,XchA,XchB,Test}-ParamSet, GOSTR3410-2012-{256,512}-ParamSet{A,B,C}, G…
47 * **Hash functions**: SHA-2 and SHA-3 hash functions (224, 256, 384, 512), SM3, RIPEMD-160,
48 GOST 34.11-2012 as described in [RFC 6986](https://datatracker.ietf.org/doc/html/rfc6986)
49 (also known as [Streebog](https://tc26.ru/en/events/research-projects-competition/streebog-competit…
50 SHAKE256 in its restricted version with 114 bytes output (mainly for Ed448), BELT-HASH (as standard…
51 [STB 34.101.31-2011](https://github.com/bcrypto/belt)), and BASH-{224,256,384,512} (as standardized…
52 [STB 34.101.77-2020](http://apmi.bsu.by/assets/files/std/bash-spec24.pdf)).
55 ECDSA comes in two variants: the classical non-deterministic one, and the **deterministic** ECDSA
57 generates nonces using a HMAC-DRBG process, and is suitable for situations where there is
62 attack context (i.e. which of side-channel attacks or fault attacks are easier to perform).
63 The same applies to BIGN that comes in two flavours as standardized in [STB 34.101.45-2013](https:/…
64 non-deterministic and deterministic (following an iterative generation process using the BELT hash …
67 all their variants (with context, pre-hashed).
70 …genies** as described in the [lwig-curve-representations](https://datatracker.ietf.org/doc/html/dr…
77 and keep the defense-in-depth (regarding software security and side-channels) focused on
81 [fault attacks](https://eprint.iacr.org/2017/1014.pdf) without having a non-deterministic
86 …FRG thread](https://mailarchive.ietf.org/arch/browse/cfrg/?gbt=1&index=5l3XCLHLCVfOmnkcv4mo2-pEV94)
87 for more insight on why deterministic versus non-deterministic EC signature schemes is still an ope…
91 **Batch verification** is implemented for the signature algorithms that support it - the signature …
93 This is the case for some "Schnorr" based schemes, namely ECFSDSA ("full Schnorr" from ISO14888-3),…
94 Batch verification brings (thanks to the Bos-Coster algorithm) speedups between 2 and 6.5 t…
97 the batch verification makes heavy use of square root residues and the Tonelli-Shanks algorithm com…
99 batch verification comes at an increased memory cost: the Bos-Coster algorithm requires a scratchpa…
104 …tf.org/doc/html/rfc7091) and [draft-deremin-rfc4491-bis](https://datatracker.ietf.org/doc/html/dra…
106 This version of the algorithm **differs** from the ISO/IEC 14888-3 description and test vectors,
109 representation is used. This seems (to be confirmed) to be a discrepancy of ISO/IEC 14888-3 algorit…
117 **ECDH (Elliptic Curve Diffie-Hellman)** variants are also implemented in the
119 of ECC-CDH (Elliptic Curve Cryptography Cofactor Diffie-Hellman) as described
120 in [section 5.7.1.2 of the NIST SP 800-56A Rev. 3](https://csrc.nist.gov/publications/detail/sp/800…
132 * Pollard-Rho, Miller-Rabin and square residues over finite fields.
135 functions such as MD2, MD4, MD5, SHA-0, SHA-1, MDC-2, GOSTR34-11-94 and so on in order to be compli…
139 …* The DSA cryptosystem as defined in [FIPS 186-4](https://csrc.nist.gov/publications/detail/fips/1…
140 * The SDSA (Schnorr DSA) as defined in ISO14888-3
141 * The KCDSA (Korean DSA) as defined in ISO14888-3
142 * The GOSTR34-10-94 function as defined in [RFC4491](https://www.rfc-editor.org/rfc/rfc4491)
152 and DSA and other El-Gamal based algorithms): these primitives are only included as
156 time using the `-DUSER_NN_BIT_LEN=4096` toggle in the `CFLAGS` or `EXTRA_CFLAGS` as explained
157 in [the dedicated section](https://github.com/ANSSI-FR/libecc#modifying-the-big-numbers-size).
164 with no dynamic allocation and includes pre/post-asserts in the code.
174 and fit "common" platforms, see the [dedicated section](#constrained-devices)).
177 [section about portability](#compatibility-and-portability) for more information.
204 * **libsign.a**: this library is based on libec.a and contains all our ISO 14888-3 signature
207 * **ec\_self\_tests**: the self tests for signature/verification algorithm of ISO 14888-3
216 [+] ECDSA-SHA224/secp224r1 selftests: known test vectors sig/verif ok
217 [+] ECDSA-SHA256/secp256r1 selftests: known test vectors sig/verif ok
218 [+] ECDSA-SHA512/secp256r1 selftests: known test vectors sig/verif ok
227 [+] ECDSA-SHA224/FRP256V1 randtests: random import/export with sig(0)/verif(0) ok
228 [+] ECDSA-SHA224/SECP224R1 randtests: random import/export with sig(0)/verif(0) ok
237 [+] ECDSA-SHA224/FRP256V1 perf: 462 sign/s and 243 verif/s
238 [+] ECDSA-SHA224/SECP224R1 perf: 533 sign/s and 276 verif/s
249 - **ec\_utils**: a tool for signing and verifying user defined files, with a user
288 this mode). The rationale behind these commands is to ease the production/verification of self-cont…
302 …[Miller-Rabin](https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test) composition (or …
310 …the [Tonelli-Shanks](https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm) algorithm for…
320 …how to implement an [Elliptic Curve Diffie-Hellman](https://en.wikipedia.org/wiki/Elliptic_curve_D…
333 …n to libecc core algorithms, in [src/examples/hash](src/examples/hash) (MD2, MD4, MD5, MDC2, SHA-0,
334 SHA-1, and TDES for supporting MDC2). Please **be careful** when using them, it is advised to use t…
337 * Pre-ECC Signature schemes (based on Fp finite fields discrete logarithm) in [src/examples/sig](sr…
338 GOSTR34-10-94). Beware that for these signatures, you will have to expand the NN size to bigger val…
341 side-channel attack and so on).
377 $ meson setup -Dwith_wordsize=32 -Dwith_debug=true builddir && cd builddir && meson dist
409 ECFSDSA using SHA3-256 on BrainpoolP256R1, this can be done by keeping only the
430 Please refer to the [portability guide](#libecc-portability-guide) for details on this.
443 5300 bits for 64-bit words, around 2650 bits for 32-bit words, and around 1300 bits for 16-bit word…
447 with `-DUSER_NN_BIT_LEN=` (see [the dedicated section](#overloading-makefile-variables) for more on…
491 $ python scripts/expand_libecc.py -h
499 **test vectors** for the new curve with the `--add-test-vectors` toggle.
505 $ openssl ecparam -param_enc explicit -outform DER -name brainpoolP320r1 -out brainpoolP320r1.der
508 This creates a DER file 'brainpoolP320r1.der' embedding the parameters (beware of the `-param_enc e…
511 …$ python scripts/expand_libecc.py --name="mynewcurve" --ECfile=brainpoolP320r1.der --add-test-vect…
533 [+] ECDSA-SHA224/USER_DEFINED_MYNEWCURVE randtests: random import/export with sig/verif ok
537 [+] ECDSA-SHA224/USER_DEFINED_MYNEWCURVE perf: 269 sign/s and 141 verif/s
556 $ python scripts/expand_libecc.py --remove --name mynewcurve
563 $ python scripts/expand_libecc.py --remove-all
570 libecc, there is no real use of generating them - the script is only here to serve as a showcase fo…
593 example of how to do this with SHA-224.
628 This means for instance that curves using pseudo-Mersenne primes (such as NIST's SECP curves) won't…
629 curves using generic random primes (such as Brainpool curves), though pseudo-Mersenne primes can be…
631 [here](https://tls.mbed.org/kb/cryptography/elliptic-curve-performance-nist-vs-brainpool) for furth…
635 [fixed-base comb](https://link.springer.com/chapter/10.1007/3-540-45537-X_21) precomputations.
649 * **Core i7-5500U** (Broadwell family) is a typical x86 mid-range current laptop CPU.
650 * **Xeon E3-1535M** (Skylake family) is a typical x86 high-end CPU.
651 * **Power-7** is a typical server CPU of the previous generation (2010) with
654 For all the platforms in this subsection, the CPUs have been tested in 64-bit mode.
657 | **libecc** | Core i7-5500U @ 2.40GHz | Xeon E3-1535M v5 @ 2.90GHz | Power-7 …
658 |-----------------|:----------------------------|:------------------------------|:-----------------…
659 | BP256R1 | 583 sign/s - 300 verif/s | 700 sign/s - 355 verif/s | 213 sign/s - 110 …
660 | BP384R1 | 231 sign/s - 118 verif/s | 283 sign/s - 150 verif/s | 98 sign/s - 50 v…
661 | BP512R1 | 111 sign/s - 56 verif/s | 133 sign/s - 68 verif/s | 51 sign/s - 26 v…
663 | **mbedTLS** | Core i7-5500U @ 2.40GHz | Xeon E3-1535M v5 @ 2.90GHz | Power-7 …
664 |-----------------|:----------------------------|:------------------------------|:-----------------…
665 | BP256R1 | 426 sign/s - 106 verif/s | 552 sign/s - 141 verif/s | 178 sign/s - 45 v…
666 | BP384R1 | 239 sign/s - 56 verif/s | 322 sign/s - 77 verif/s | 44 sign/s - 23 v…
667 | BP512R1 | 101 sign/s - 26 verif/s | 155 sign/s - 34 verif/s | 38 sign/s - 12 v…
669 | **OpenSSL** | Core i7-5500U @ 2.40GHz | Xeon E3-1535M v5 @ 2.90GHz | Power-7 …
670 |-----------------|:----------------------------|:------------------------------|:-----------------…
671 | BP256R1 | 2463 sign/s - 1757 verif/s | 2873 sign/s - 2551 verif/s | 1879 sign/s - 165…
672 | BP384R1 | 1091 sign/s - 966 verif/s | 1481 sign/s - 1265 verif/s | 792 sign/s - 70…
673 | BP512R1 | 727 sign/s - 643 verif/s | 1029 sign/s - 892 verif/s | 574 sign/s - 52…
678 This SoC is built around a Cortex-A9 ARMv7-A 32-bit architecture.
679 * **BCM2837** is a Broadcom SoC built around the recent 64-bit ARMv8-A architecture, with a
680 Cortex-A53 core. This SoC can be found in the Raspberry Pi 3, and also represents what can
683 coloration, it uses a 64-bit mode that we have tested here.
686 |-----------------|:----------------------|----------------------------|:-----------------------|
687 | BP256R1 | 64 sign/s - 33 verif/s| 43 sign/s - 22 verif/s | 68 sign/s - 35 verif/s |
688 | BP384R1 | 24 sign/s - 12 verif/s| 17 sign/s - 9 verif/s | 25 sign/s - 13 verif/s |
689 | BP512R1 | 11 sign/s - 5 verif/s | 8 sign/s - 4 verif/s | 12 sign/s - 6 verif/s |
691 | **mbedTLS** | Marvell A388 @ 1.6GHz | BCM2837 (aarch64) @ 1.2GHz | Atom D2700 @ 2.13GHz -|
692 |-----------------|:----------------------|----------------------------|:------------------------|
693 | BP256R1 | 33 sign/s - 8 verif/s | 14 sign/s - 4 verif/s | 87 sign/s - 22 verif/s|
694 | BP384R1 | 20 sign/s - 4 verif/s | 8 sign/s - 2 verif/s | 50 sign/s - 11 verif/s|
695 | BP512R1 | 10 sign/s - 2 verif/s | 4 sign/s - 1 verif/s | 23 sign/s - 5 verif/s |
698 |-----------------|:------------------------|----------------------------|:------------------------|
699 | BP256R1 | 369 sign/s - 332 verif/s| 124 sign/s - 112 verif/s | 372 sign/s - 334 verif/s|
700 | BP384R1 | 102 sign/s - 94 verif/s | 54 sign/s - 49 verif/s | 163 sign/s - 149 verif/s|
701 | BP512R1 | 87 sign/s - 81 verif/s | 31 sign/s - 29 verif/s | 92 sign/s - 83 verif/s |
704 ### <a name="constrained-devices"></a> Very constrained embedded devices
705 The library, when configured for a 256-bit curve (SECP256R1, FRP256), SHA-256 and ECDSA signature f…
707 chosen WORDSIZE (16, 32, 64), the compilation options (optimization for space `-Os` or speed `-O3`)…
709 A 521-bit curve with SHA-256 hash function and ECDSA signature should fit in 38 Kilo Bytes of flash…
718 can have big limitations when accessing so-called "program memory" as data. The 8-bit
721 and/or provide [non-standard ways](http://www.atmel.com/webdoc/avrlibcreferencemanual/pgmspace_1pgm…
728 …tware stack containing a known test vector scenario has been compiled and tested on a **Cortex-M0**
730 It has also been compiled and tested on a **Cortex-M3** ([STM32F103C8T6](http://www.st.com/en/micro…
734 **Note**: The Cortex-M0 case is a bit special in the ARM family. Since this MCU lacks a 32-bit x 32…
740 | **libecc** | STM32F103C8T6 (Cortex-M3 @ 72MHz) | STM32F030R8T6 (Cortex-M0 @ 48MHz) |
741 |-----------------|:----------------------------------|:----------------------------------|
748 Cortex-M3 taken from a [recent study by ARM](http://csrc.nist.gov/groups/ST/lwc-workshop2015/presen…
752 | **mbedTLS** | LPC1768 (Cortex-M3 @ 92MHz)<sup>1</sup> |
753 |-----------------|:------------------------------|
765 ## <a name="compatibility-and-portability"></a> Compatibility and Portability
774 * A target **OS** (Linux, Windows, Mac OS, ...) or more low level firmware (including a **bare-meta…
775 programming model or exotic real-time OS for microcontrollers for instance).
776 * A proper compilation **(cross-)toolchain** producing binaries for the platform. This toolchain wi…
781 * libecc is in pure C-99 (no assembly), so it should compile on **any platform** with a decent C-99
784 * The Makefile has been tested with clang and gcc under Linux, as well as gcc cross-compilation var…
787 * The library supports 16-bit/32-bit/64-bit word sizes, which should ensure compatibility with most…
788 for 8-bit MCUs to 64-bit CPUs. If the toolchain does not have a [`stdint.h`](http://pubs.opengroup.…
806 ### <a name="compiling-libecc-for-arm-cortex-m-with-GNU-gcc-arm"></a> Compiling libecc for ARM Cort…
808 Compiling for Cortex-M targets should be straightforward using the arm-gcc none-eabi (for bare meta…
809 well as the specific Cortex-M target platform SDK. In order to compile the core libsign.a static li…
812 $ CROSS_COMPILE=arm-none-eabi- CC=gcc CFLAGS="$(TARGET_OPTS) -W -Wextra -Wall -Wunreachable-code \
813 -pedantic -fno-builtin -std=c99 -Os \
814 -ffreestanding -fno-builtin -nostdlib -DWORDSIZE=64" \
818 …_OPTS)` are the flags specific to the considered target: `-mcpu=cortex-m3 -mthumb` for Cortex-M3 f…
819 flag should be adapted to `-DWORDSIZE=32` for the specific case of Cortex-M0/M0+ as discussed in th…
820 (because it lacks a native 32-bit to 64-bit multiplication instruction). The library can the…
825 …ncies have been implemented by the user, it is also possible to build a self-tests binary by addin…
828 $ CROSS_COMPILE=arm-none-eabi- CFLAGS="$(TARGET_OPTS) -W -Wextra -Wall -Wunreachable-code \
829 -pedantic -fno-builtin -std=c99 -Os \
830 -ffreestanding -fno-builtin -nostdlib -DWORDSIZE=64" \
831 LDFLAGS="-T linker_script.ld" \
836 (sometimes necessary, specifically on devices with very constrained RAM, such as Cortex-M0 with 8KB…
846 **NOTE3**: libecc has also been successfully tested with other non-GNU compilation SDK and toolchai…
849 ### <a name="libecc-portability-guide"></a> libecc portability guide
851 This section is dedicated to giving some more details on how to compile libecc when non-GNU compile…
853 do not provide a **GNU make** compilation style (this is generally the case for all-in-one IDEs suc…
856 #### 1 - Compilers and C99 standard compliance
879 #### 2 - Compiling with environments without GNU make
909 …src/hash/sha384.o src/hash/sha3-512.o src/hash/sha512.o src/hash/sha3-256.o src/hash/sha3-224.o sr…
910 …src/hash/sha3-384.o src/hash/sha224.o src/hash/hash_algs.o src/sig/ecsdsa.o src/sig/ecdsa.o src/si…
917 #### 3 - Dealing with the standard library and stdint
938 #### <a name="overloading-makefile-variables"></a> 4 - Overloading Makefile variables
952 …mpile libecc with an old version of gcc that does not support the `-fstack-protector-strong` option
957 …$ CFLAGS="-W -Werror -Wextra -Wall -Wunreachable-code -pedantic -fno-builtin -std=c99 -D_FORTIFY_S…
958 -fstack-protector-all -O3 -DWITH_STDLIB -fPIC" make
961 …we keep the other `CFLAGS` from default compilation while replacing `-fstack-protector-strong` with
962 the **less efficient but more compatible** `-fstack-protector-all`.
970 …ce_arch32` and `make force_arch64` will force 32-bit and 64-bit architectures compilation (`-m32` …
971 flags under gcc). These targets allow cross-compilation for a 32-bit (respectively 64-bit) target u…
972 32-bit) host: a typical example is compiling for i386 under x86\_64.
975 a: `CFLAGS="-fstack-protector-all" make debug16`
976 …ile all the binaries for debug, with a word size of 16 bits and a `-fstack-protector-all` stack pr…
979 #### 5 - A concrete example with SDCC
986 other compilers (`-c` flag to generate object files, `-o` flag to define output file).
1002 * Overload `CFLAGS="-mgbz80 --std-sdcc99"` to specify the target, and ask for the C99 compatibility…
1007 $ CC=sdcc AR=sdar RANLIB=sdranlib CFLAGS="-mgbz80 --std-sdcc99" LDFLAGS=" " make
1014 do it by overloading `WORDSIZE=16`: the Z80 is an 8-bit CPU, so it seems reasonable to set the word
1015 size to 16 bits (8-bit half words). The second attempt will go further but will fail at some point w…
1018 $ CC=sdcc AR=sdar RANLIB=sdranlib CFLAGS="-mgbz80 --std-sdcc99 -DWORDSIZE=16" LDFLAGS=" " make
1039 $ sdcc -mgbz80 -DWORDSIZE=16 --std-sdcc99 src/tests/ec_self_tests.c build/libsign.lib
1052 …r base as described in the [previous sections](#compiling-libecc-for-arm-cortex-m-with-GNU-gcc-arm…
1081 …(https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2018/rohnp-return-of-the-hidd…
1091 …ding is as simple as using the ``BLINDING=1`` environment variable (or the ``-DUSE_SIG_BLINDING`` C…
1114 * ADPA (Address-bit DPA) is limited using Itoh et al. Double and Add Always
1116 Address-Bit Differential Power Analysis" by Itoh, Izu and Takenaka for more information.
1128 might depend on the low-level compilation process and are difficult to handle
1129 at high-level in pure C.
1185 >Hash functions (SHA-2 and SHA-3 based algorithms
1252 +-------------------------+
1254 |algorithms | <------------------+
1255 |(ISO 14888-3) [6] | |
1256 +-----------+-------------+ |
1259 +-----------+-------------+ +----------+------------+
1263 +-----------+-------------+ +-----------------------+
1266 +-----------+-------------+ @ +------------------------+@
1268 | core (scalar mul, ...) | @ +------------------------+@
1269 +-----------+-------------+ @ | Sig Self tests [9] |@
1272 | @ +------------------------+@
1274 +-----------+-------------+ @ +------------------------+@
1276 | arithmetic | @ +------------------------+@
1277 +-----------+-------------+ @ | Scripts [14] |@
1278 ^ @ +------------------------+@
1280 +-----------+-------------+ +------------------------+
1281 | NN natural [2] | <------+ Machine related |
1283 +-------------------------+ +------------------------+
1290 with the [IPECC](https://github.com/ANSSI-FR/IPECC) hardware accelerator
1299 $ git checkout -b IPECC
1302 Then fetch the dedicated driver on the [IPECC repository](https://github.com/ANSSI-FR/IPECC)
1312 …$ make clean && CC=arm-linux-gnueabihf-gcc EXTRA_CFLAGS="-Wall -Wextra -O3 -g3 -mcpu=cortex-a9 -mf…
1318 We also override the `CC` compiler to `arm-linux-gnueabihf-gcc` for the Zynq platform (adapt at you…
1319 target), and add some necessary extra CFLAGS for the platform (as well as a `-static` binary compil…
1320 … is used here for thread safety during hardware access: this flag is necessary for multi-threading.
1322 …tested on a [Zynq Arty Z7](https://digilent.com/reference/programmable-logic/arty-z7/start) board …
1326 az7-ecc-axi:/home/petalinux# ./ec_self_tests_sw perf
1328 [+] ECDSA-SHA224/FRP256V1 perf: 6 sign/s and 6 verif/s
1329 [+] ECDSA-SHA224/SECP192R1 perf: 9 sign/s and 9 verif/s
1330 [+] ECDSA-SHA224/SECP224R1 perf: 7 sign/s and 7 verif/s
1331 [+] ECDSA-SHA224/SECP256R1 perf: 6 sign/s and 6 verif/s
1334 az7-ecc-axi:/home/petalinux# ./ec_self_tests_hw perf
1336 [+] ECDSA-SHA224/FRP256V1 perf: 34 sign/s and 32 verif/s
1337 [+] ECDSA-SHA224/SECP192R1 perf: 57 sign/s and 52 verif/s
1338 [+] ECDSA-SHA224/SECP224R1 perf: 44 sign/s and 39 verif/s
1339 [+] ECDSA-SHA224/SECP256R1 perf: 34 sign/s and 32 verif/s
1340 [+] ECDSA-SHA224/SECP384R1 perf: 16 sign/s and 15 verif/s
1341 [+] ECDSA-SHA224/SECP521R1 perf: 8 sign/s and 8 verif/s
1342 [+] ECDSA-SHA224/BRAINPOOLP192R1 perf: 57 sign/s and 52 verif/s
1343 [+] ECDSA-SHA224/BRAINPOOLP224R1 perf: 44 sign/s and 40 verif/s