Lines Matching +full:compute +full:-
2 * Copyright (C) 2017 - This file is part of libecc project
7 * Jean-Pierre FLORI <jean-pierre.flori@ssi.gouv.fr>
40 * leaking can be possible through side-channel attacks.
88 /* We compute bits2octets(hash) here */ in __ecdsa_rfc6979_nonce()
91 ret = nn_rshift(k, k, (bitcnt_t)((8 * hsize) - q_bit_len)); EG(ret, err); in __ecdsa_rfc6979_nonce()
110 /* We compute bits2octets(hash) here */ in __ecdsa_rfc6979_nonce()
125 * 3. Compute: in __ecdsa_rfc6979_nonce()
127 * If that value of k is within the [1,q-1] range, and is in __ecdsa_rfc6979_nonce()
131 * Otherwise, compute: in __ecdsa_rfc6979_nonce()
147 ret = nn_rshift(k, k, (bitcnt_t)((8 * q_len) - q_bit_len)); EG(ret, err); in __ecdsa_rfc6979_nonce()
185 q = &(in_priv->params->ec_gen_order); in __ecdsa_init_pub_key()
188 MUST_HAVE((!nn_cmp(&(in_priv->x), q, &cmp)) && (cmp < 0), ret, err); in __ecdsa_init_pub_key()
191 G = &(in_priv->params->ec_gen); in __ecdsa_init_pub_key()
193 ret = prj_pt_mul_blind(&(out_pub->y), &(in_priv->x), G); EG(ret, err); in __ecdsa_init_pub_key()
195 out_pub->key_type = key_type; in __ecdsa_init_pub_key()
196 out_pub->params = in_priv->params; in __ecdsa_init_pub_key()
197 out_pub->magic = PUB_KEY_MAGIC; in __ecdsa_init_pub_key()
225 * Global EC-DSA signature process is as follows (I,U,F provides
229 *| IUF - ECDSA signature
231 *| UF 1. Compute h = H(m)
236 *| F 5. Compute W = (W_x,W_y) = kG
237 *| F 6. Compute r = W_x mod q
240 *| F 9. Compute s = k^-1 * (xr + e) mod q
246 * a) Usually (this is for instance the case in ISO 14888-3 and X9.62), the
255 * c) in EC-DSA, the public part of the key is not needed per se during the
256 * signature but - as it is needed in other signature algs implemented
257 * in the library - the whole key pair is passed instead of just the
263 MUST_HAVE((((void *)(A)) != NULL) && ((A)->magic == ECDSA_SIGN_MAGIC), ret, err)
273 ret = key_pair_check_initialized_and_type(ctx->key_pair, key_type); EG(ret, err); in __ecdsa_sign_init()
275 MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && in __ecdsa_sign_init()
276 (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); in __ecdsa_sign_init()
283 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in __ecdsa_sign_init()
284 ret = ctx->h->hfunc_init(&(ctx->sign_data.ecdsa.h_ctx)); EG(ret, err); in __ecdsa_sign_init()
286 ctx->sign_data.ecdsa.magic = ECDSA_SIGN_MAGIC; in __ecdsa_sign_init()
304 ECDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.ecdsa), ret, err); in __ecdsa_sign_update()
307 ret = key_pair_check_initialized_and_type(ctx->key_pair, key_type); EG(ret, err); in __ecdsa_sign_update()
309 /* 1. Compute h = H(m) */ in __ecdsa_sign_update()
311 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in __ecdsa_sign_update()
312 ret = ctx->h->hfunc_update(&(ctx->sign_data.ecdsa.h_ctx), chunk, chunklen); in __ecdsa_sign_update()
346 ECDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.ecdsa), ret, err); in __ecdsa_sign_finalize()
350 ret = key_pair_check_initialized_and_type(ctx->key_pair, key_type); EG(ret, err); in __ecdsa_sign_finalize()
356 priv_key = &(ctx->key_pair->priv_key); in __ecdsa_sign_finalize()
357 q = &(priv_key->params->ec_gen_order); in __ecdsa_sign_finalize()
358 q_bit_len = priv_key->params->ec_gen_order_bitlen; in __ecdsa_sign_finalize()
359 G = &(priv_key->params->ec_gen); in __ecdsa_sign_finalize()
361 x = &(priv_key->x); in __ecdsa_sign_finalize()
362 hsize = ctx->h->digest_size; in __ecdsa_sign_finalize()
364 MUST_HAVE((priv_key->key_type == key_type), ret, err); in __ecdsa_sign_finalize()
373 dbg_nn_print("p", &(priv_key->params->ec_fp.p)); in __ecdsa_sign_finalize()
374 dbg_nn_print("q", &(priv_key->params->ec_gen_order)); in __ecdsa_sign_finalize()
376 dbg_ec_point_print("G", &(priv_key->params->ec_gen)); in __ecdsa_sign_finalize()
377 dbg_pub_key_print("Y", &(ctx->key_pair->pub_key)); in __ecdsa_sign_finalize()
382 /* 1. Compute h = H(m) */ in __ecdsa_sign_finalize()
385 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in __ecdsa_sign_finalize()
386 ret = ctx->h->hfunc_finalize(&(ctx->sign_data.ecdsa.h_ctx), hash); EG(ret, err); in __ecdsa_sign_finalize()
400 rshift = (bitcnt_t)((hsize * 8) - q_bit_len); in __ecdsa_sign_finalize()
404 * 3. Compute e = OS2I(h) mod q, i.e. by converting h to an in __ecdsa_sign_finalize()
424 if(ctx->rand != nn_get_random_mod){ in __ecdsa_sign_finalize()
430 ret = -1; in __ecdsa_sign_finalize()
435 if(ctx->rand != NULL){ in __ecdsa_sign_finalize()
436 /* Non-deterministic generation, or deterministic with in __ecdsa_sign_finalize()
439 ret = ctx->rand(&k, q); in __ecdsa_sign_finalize()
446 ret = -1; in __ecdsa_sign_finalize()
450 ret = __ecdsa_rfc6979_nonce(&k, q, q_bit_len, &(priv_key->x), in __ecdsa_sign_finalize()
451 hash, hsize, ctx->h->type); in __ecdsa_sign_finalize()
456 ret = -1; in __ecdsa_sign_finalize()
461 ret = -1; in __ecdsa_sign_finalize()
475 /* 5. Compute W = (W_x,W_y) = kG */ in __ecdsa_sign_finalize()
486 /* 6. Compute r = W_x mod q */ in __ecdsa_sign_finalize()
520 /* 9. Compute s = k^-1 * (xr + e) mod q */ in __ecdsa_sign_finalize()
528 * In case of blinding, we compute (b*k)^-1, and b^-1 will in __ecdsa_sign_finalize()
533 /* Compute k^-1 mod q */ in __ecdsa_sign_finalize()
539 dbg_nn_print("k^-1 mod q", &kinv); in __ecdsa_sign_finalize()
541 /* s = k^-1 * tmp2 mod q */ in __ecdsa_sign_finalize()
572 IGNORE_RET_VAL(local_memset(&(ctx->sign_data.ecdsa), 0, sizeof(ecdsa_sign_data))); in __ecdsa_sign_finalize()
599 *| IUF - ECDSA verification
602 *| UF 2. Compute h = H(m)
605 *| F 4. Compute e = OS2I(h) mod q
606 *| F 5. Compute u = (s^-1)e mod q
607 *| F 6. Compute v = (s^-1)r mod q
608 *| F 7. Compute W' = uG + vY
610 *| F 9. Compute r' = W'_x mod q
617 MUST_HAVE((((void *)(A)) != NULL) && ((A)->magic == ECDSA_VERIFY_MAGIC), ret, err)
632 ret = pub_key_check_initialized_and_type(ctx->pub_key, key_type); EG(ret, err); in __ecdsa_verify_init()
633 MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && in __ecdsa_verify_init()
634 (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); in __ecdsa_verify_init()
638 q = &(ctx->pub_key->params->ec_gen_order); in __ecdsa_verify_init()
639 q_bit_len = ctx->pub_key->params->ec_gen_order_bitlen; in __ecdsa_verify_init()
641 r = &(ctx->verify_data.ecdsa.r); in __ecdsa_verify_init()
642 s = &(ctx->verify_data.ecdsa.s); in __ecdsa_verify_init()
662 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in __ecdsa_verify_init()
663 ret = ctx->h->hfunc_init(&(ctx->verify_data.ecdsa.h_ctx)); EG(ret, err); in __ecdsa_verify_init()
665 ctx->verify_data.ecdsa.magic = ECDSA_VERIFY_MAGIC; in __ecdsa_verify_init()
689 ECDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.ecdsa), ret, err); in __ecdsa_verify_update()
691 ret = pub_key_check_initialized_and_type(ctx->pub_key, key_type); EG(ret, err); in __ecdsa_verify_update()
693 /* 2. Compute h = H(m) */ in __ecdsa_verify_update()
695 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in __ecdsa_verify_update()
696 ret = ctx->h->hfunc_update(&(ctx->verify_data.ecdsa.h_ctx), chunk, chunklen); in __ecdsa_verify_update()
728 ECDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.ecdsa), ret, err); in __ecdsa_verify_finalize()
730 ret = pub_key_check_initialized_and_type(ctx->pub_key, key_type); EG(ret, err); in __ecdsa_verify_finalize()
737 G = &(ctx->pub_key->params->ec_gen); in __ecdsa_verify_finalize()
738 Y = &(ctx->pub_key->y); in __ecdsa_verify_finalize()
739 q = &(ctx->pub_key->params->ec_gen_order); in __ecdsa_verify_finalize()
740 q_bit_len = ctx->pub_key->params->ec_gen_order_bitlen; in __ecdsa_verify_finalize()
741 hsize = ctx->h->digest_size; in __ecdsa_verify_finalize()
742 r = &(ctx->verify_data.ecdsa.r); in __ecdsa_verify_finalize()
743 s = &(ctx->verify_data.ecdsa.s); in __ecdsa_verify_finalize()
745 /* 2. Compute h = H(m) */ in __ecdsa_verify_finalize()
747 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in __ecdsa_verify_finalize()
748 ret = ctx->h->hfunc_finalize(&(ctx->verify_data.ecdsa.h_ctx), hash); EG(ret, err); in __ecdsa_verify_finalize()
762 rshift = (bitcnt_t)((hsize * 8) - q_bit_len); in __ecdsa_verify_finalize()
766 * 4. Compute e = OS2I(h) mod q, by converting h to an integer in __ecdsa_verify_finalize()
780 /* Compute s^-1 mod q */ in __ecdsa_verify_finalize()
785 /* 5. Compute u = (s^-1)e mod q */ in __ecdsa_verify_finalize()
787 dbg_nn_print("u = (s^-1)e mod q", &uv); in __ecdsa_verify_finalize()
790 /* 6. Compute v = (s^-1)r mod q */ in __ecdsa_verify_finalize()
792 dbg_nn_print("v = (s^-1)r mod q", &uv); in __ecdsa_verify_finalize()
795 /* 7. Compute W' = uG + vY */ in __ecdsa_verify_finalize()
802 /* 9. Compute r' = W'_x mod q */ in __ecdsa_verify_finalize()
804 dbg_nn_print("W'_x", &(W_prime->X.fp_val)); in __ecdsa_verify_finalize()
805 dbg_nn_print("W'_y", &(W_prime->Y.fp_val)); in __ecdsa_verify_finalize()
806 ret = nn_mod(&r_prime, &(W_prime->X.fp_val), q); EG(ret, err); in __ecdsa_verify_finalize()
810 ret = (cmp != 0) ? -1 : 0; in __ecdsa_verify_finalize()
825 IGNORE_RET_VAL(local_memset(&(ctx->verify_data.ecdsa), 0, sizeof(ecdsa_verify_data))); in __ecdsa_verify_finalize()
851 * (p - q) / p. Actually, some small multiples of r are also tested,
891 G = &(params->ec_gen); in __ecdsa_public_key_from_sig()
892 p = &(params->ec_fp.p); in __ecdsa_public_key_from_sig()
893 q = &(params->ec_gen_order); in __ecdsa_public_key_from_sig()
894 q_bit_len = params->ec_gen_order_bitlen; in __ecdsa_public_key_from_sig()
896 Y1 = &(out_pub1->y); in __ecdsa_public_key_from_sig()
897 Y2 = &(out_pub2->y); in __ecdsa_public_key_from_sig()
928 ret = -1; in __ecdsa_public_key_from_sig()
934 * Compute e. in __ecdsa_public_key_from_sig()
944 rshift = (bitcnt_t)((hsize * 8) - q_bit_len); in __ecdsa_public_key_from_sig()
955 ret = fp_init(&(uG.X), &(params->ec_fp)); EG(ret, err); in __ecdsa_public_key_from_sig()
956 ret = fp_init(&(uG.Y), &(params->ec_fp)); EG(ret, err); in __ecdsa_public_key_from_sig()
957 ret = fp_init(&(uG.Z), &(params->ec_fp)); EG(ret, err); in __ecdsa_public_key_from_sig()
959 ret = aff_pt_y_from_x(&(uG.X), &(uG.Y), &(uG.Z), &(params->ec_curve)); in __ecdsa_public_key_from_sig()
967 ret = -1; in __ecdsa_public_key_from_sig()
974 ret = fp_init(&(Y2->Z), &(params->ec_fp)); EG(ret, err); in __ecdsa_public_key_from_sig()
975 ret = fp_one(&(Y2->Z)); EG(ret, err); in __ecdsa_public_key_from_sig()
977 ret = prj_pt_init_from_coords(Y1, &(params->ec_curve), &(uG.Z), &(uG.X), &(Y2->Z)); EG(ret, err); in __ecdsa_public_key_from_sig()
979 ret = prj_pt_init_from_coords(Y2, &(params->ec_curve), &(uG.Z), &(uG.Y), &(Y1->Z)); EG(ret, err); in __ecdsa_public_key_from_sig()
981 /* Now compute u = (-e r^-1) mod q, and v = (s r^-1) mod q */ in __ecdsa_public_key_from_sig()
987 /* NOTE: -x mod q is (q - x) mod q, i.e. (q - x) when x is reduced, except for 0 */ in __ecdsa_public_key_from_sig()
992 /* Compute uG */ in __ecdsa_public_key_from_sig()
994 /* Compute vR1 and possible Y1 */ in __ecdsa_public_key_from_sig()
997 /* Compute vR2 and possible Y2 */ in __ecdsa_public_key_from_sig()
1003 out_pub1->key_type = key_type; in __ecdsa_public_key_from_sig()
1004 out_pub1->params = params; in __ecdsa_public_key_from_sig()
1005 out_pub1->magic = PUB_KEY_MAGIC; in __ecdsa_public_key_from_sig()
1007 out_pub2->key_type = key_type; in __ecdsa_public_key_from_sig()
1008 out_pub2->params = params; in __ecdsa_public_key_from_sig()
1009 out_pub2->magic = PUB_KEY_MAGIC; in __ecdsa_public_key_from_sig()