2  *  Copyright (C) 2021 - This file is part of libecc project
27  * one corresponding to SDSA as described in the ISO14888-3 standard.
43  * time and blinding WHEN activated with BLINDING=1), please consider this
46  * All-in-all, this piece of code can be useful in some contexts, or risky to
47  * use in other sensitive ones where advanced side-channels or fault attacks
93 	/* alpha is the bit length of p, beta is the bit length of q */  in sdsa_sign()
103 	/* This is a bit too much for stack space, but we need it for  in sdsa_sign()
122 	p = &(priv->p);  in sdsa_sign()
123 	q = &(priv->q);  in sdsa_sign()
124 	g = &(priv->g);  in sdsa_sign()
125 	x = &(priv->x);  in sdsa_sign()
133 	/* Let alpha be the bit length of p */  in sdsa_sign()
135 	/* Let beta be the bit length of q */  in sdsa_sign()
201          * In case of blinding, we compute b^-1 with  in sdsa_sign()
223 	ret = _i2osp(&s, sig + hlen, (u16)(siglen - hlen)); EG(ret, err);  in sdsa_sign()
256 	/* alpha is the bit length of p, beta is the bit length of q */  in sdsa_verify()
265 	/* This is a bit too much for stack space, but we need it for  in sdsa_verify()
282 	p = &(pub->p);  in sdsa_verify()
283 	q = &(pub->q);  in sdsa_verify()
284 	g = &(pub->g);  in sdsa_verify()
285 	y = &(pub->y);  in sdsa_verify()
293 	/* Let alpha be the bit length of p */  in sdsa_verify()
295 	/* Let beta be the bit length of q */  in sdsa_verify()
306 	ret = _os2ip(&s, sig + hlen, (u16)(siglen - hlen)); EG(ret, err);  in sdsa_verify()
327 	/* Compute (y ** -r) mod (p) */  in sdsa_verify()
328 	ret = nn_sub(&r, q, &r); EG(ret, err); /* compute -r = (q - r) mod q */  in sdsa_verify()
332 	/* Compute (y ** -r) * (g ** s) mod (p) */  in sdsa_verify()
347 	ret = (cmp != 1) ? -1 : 0;  in sdsa_verify()
369 	/* This example is taken from ISO14888-3 SDSA (Appendix F "Numerical examples" */  in main()
373 …, 0xAA, 0x3B, 0xF4, 0x29, 0x6D, 0x83, 0x0E, 0x9A, 0x7C, 0x20, 0x9E, 0x0C, 0x64, 0x97, 0x51, 0x7A, …  in main()
378 …0x67, 0xE1, 0x44, 0xE5, 0x14, 0x05, 0x64, 0x25, 0x1C, 0xCA, 0xCB, 0x83, 0xE6, 0xB4, 0x86, 0xF6, 0x…  in main()
386 		0xA3, 0x08, 0xB0, 0xFE, 0x64, 0xF5, 0xFB, 0xD3,  in main()
394 …, 0xAA, 0xB8, 0xA8, 0x62, 0x8A, 0xC3, 0x76, 0xD2, 0x82, 0xD6, 0xED, 0x38, 0x64, 0xE6, 0x79, 0x82, …  in main()
395 …0x1D, 0x14, 0x34, 0x8F, 0x6F, 0x2F, 0x91, 0x93, 0xB5, 0x04, 0x5A, 0xF2, 0x76, 0x71, 0x64, 0xE1, 0x…  in main()
398 …0xB3, 0x35, 0x3B, 0xBB, 0x64, 0xE0, 0xEC, 0x37, 0x7F, 0xD0, 0x28, 0x37, 0x0D, 0xF9, 0x2B, 0x52, 0x…  in main()
410 …, 0x35, 0xCE, 0x42, 0xFF, 0x3A, 0x9F, 0x22, 0x5E, 0xDE, 0x65, 0x02, 0x12, 0x64, 0x08, 0xFC, 0xB1, …  in main()
411 …0x80, 0xB1, 0x49, 0xC4, 0x64, 0xE1, 0x76, 0xEB, 0xF0, 0x3B, 0xA6, 0x51, 0x0D, 0x82, 0x06, 0xC9, 0x…  in main()
413 …0xDF, 0x2E, 0xB4, 0xD3, 0xD9, 0x42, 0x4E, 0x57, 0xD9, 0x64, 0x39, 0x8D, 0xBE, 0x1C, 0x63, 0x62, 0x…  in main()
414 …0x1D, 0x64, 0x79, 0x6C, 0xA5, 0x98, 0x48, 0x0D, 0xFD, 0xD9, 0x58, 0x0E, 0x55, 0x08, 0x53, 0x45, 0x…  in main()
438 	 * NOTE: the double parentheses are here to handle -Wunreachable-code  in main()
442 		ext_printf("  => Please recompile libecc with EXTRA_CFLAGS=\"-DUSER_NN_BIT_LEN=4096\"\n");  in main()
444 …ext_printf("     Then recompile the current examples with the same EXTRA_CFLAGS=\"-DUSER_NN_BIT_LE…  in main()
457 …ret = sdsa_sign(&priv, msg, sizeof(msg)-1, nonce, sizeof(nonce), sig, sizeof(sig), HASH_SHA256); E…  in main()
461 	ret = sdsa_verify(&pub, msg, sizeof(msg)-1, sig, sizeof(sig), HASH_SHA256);  in main()