Lines Matching +full:num +full:- +full:vectors
2 * Copyright (C) 2017 - This file is part of libecc project
7 * Jean-Pierre FLORI <jean-pierre.flori@ssi.gouv.fr>
43 q = &(in_priv->params->ec_gen_order); in ecfsdsa_init_pub_key()
46 MUST_HAVE(!nn_cmp(&(in_priv->x), q, &cmp) && (cmp < 0), ret, err); in ecfsdsa_init_pub_key()
49 G = &(in_priv->params->ec_gen); in ecfsdsa_init_pub_key()
51 ret = prj_pt_mul_blind(&(out_pub->y), &(in_priv->x), G); EG(ret, err); in ecfsdsa_init_pub_key()
53 out_pub->key_type = ECFSDSA; in ecfsdsa_init_pub_key()
54 out_pub->params = in_priv->params; in ecfsdsa_init_pub_key()
55 out_pub->magic = PUB_KEY_MAGIC; in ecfsdsa_init_pub_key()
80 * tests against test vectors can be made without ugly hack in the code
83 * Global EC-FSDSA signature process is as follows (I,U,F provides
87 *| IUF - ECFSDSA signature
103 * b) in EC-FSDSA, the public part of the key is not needed per se during
104 * the signature but - as it is needed in other signature algs implemented
105 * in the library - the whole key pair is passed instead of just the
107 * c) Implementation of EC-FSDSA in an init()/update()/finalize() logic
118 ((A)->magic == ECFSDSA_SIGN_MAGIC), ret, err)
140 ret = key_pair_check_initialized_and_type(ctx->key_pair, ECFSDSA); EG(ret, err); in _ecfsdsa_sign_init()
141 MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && in _ecfsdsa_sign_init()
142 (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); in _ecfsdsa_sign_init()
145 priv_key = &(ctx->key_pair->priv_key); in _ecfsdsa_sign_init()
146 G = &(priv_key->params->ec_gen); in _ecfsdsa_sign_init()
147 q = &(priv_key->params->ec_gen_order); in _ecfsdsa_sign_init()
148 r = ctx->sign_data.ecfsdsa.r; in _ecfsdsa_sign_init()
149 k = &(ctx->sign_data.ecfsdsa.k); in _ecfsdsa_sign_init()
150 p_bit_len = priv_key->params->ec_fp.p_bitlen; in _ecfsdsa_sign_init()
155 dbg_nn_print("p", &(priv_key->params->ec_fp.p)); in _ecfsdsa_sign_init()
159 dbg_pub_key_print("Y", &(ctx->key_pair->pub_key)); in _ecfsdsa_sign_init()
165 /* NOTE: when we do not need self tests for known vectors, in _ecfsdsa_sign_init()
170 MUST_HAVE((ctx->rand == nn_get_random_mod), ret, err); in _ecfsdsa_sign_init()
172 MUST_HAVE((ctx->rand != NULL), ret, err); in _ecfsdsa_sign_init()
173 ret = ctx->rand(k, q); EG(ret, err); in _ecfsdsa_sign_init()
208 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecfsdsa_sign_init()
209 ret = ctx->h->hfunc_init(&(ctx->sign_data.ecfsdsa.h_ctx)); EG(ret, err); in _ecfsdsa_sign_init()
211 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecfsdsa_sign_init()
212 ret = ctx->h->hfunc_update(&(ctx->sign_data.ecfsdsa.h_ctx), r, r_len); EG(ret, err); in _ecfsdsa_sign_init()
214 ctx->sign_data.ecfsdsa.magic = ECFSDSA_SIGN_MAGIC; in _ecfsdsa_sign_init()
243 ECFSDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.ecfsdsa), ret, err); in _ecfsdsa_sign_update()
247 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecfsdsa_sign_update()
248 ret = ctx->h->hfunc_update(&(ctx->sign_data.ecfsdsa.h_ctx), chunk, chunklen); EG(ret, err); in _ecfsdsa_sign_update()
279 ECFSDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.ecfsdsa), ret, err); in _ecfsdsa_sign_finalize()
283 priv_key = &(ctx->key_pair->priv_key); in _ecfsdsa_sign_finalize()
284 q = &(priv_key->params->ec_gen_order); in _ecfsdsa_sign_finalize()
285 x = &(priv_key->x); in _ecfsdsa_sign_finalize()
286 p_bit_len = ctx->key_pair->priv_key.params->ec_fp.p_bitlen; in _ecfsdsa_sign_finalize()
287 q_bit_len = ctx->key_pair->priv_key.params->ec_gen_order_bitlen; in _ecfsdsa_sign_finalize()
288 k = &(ctx->sign_data.ecfsdsa.k); in _ecfsdsa_sign_finalize()
291 hsize = ctx->h->digest_size; in _ecfsdsa_sign_finalize()
292 r = ctx->sign_data.ecfsdsa.r; in _ecfsdsa_sign_finalize()
309 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecfsdsa_sign_finalize()
312 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecfsdsa_sign_finalize()
313 ret = ctx->h->hfunc_finalize(&(ctx->sign_data.ecfsdsa.h_ctx), e_buf); EG(ret, err); in _ecfsdsa_sign_finalize()
371 IGNORE_RET_VAL(local_memset(&(ctx->sign_data.ecfsdsa), 0, sizeof(ecfsdsa_sign_data))); in _ecfsdsa_sign_finalize()
392 * that compliance tests against test vectors can be made without ugly
395 * Global EC-FSDSA verification process is as follows (I,U,F provides
399 *| IUF - ECFSDSA verification
404 *| F 4. Convert h to an integer and then compute e = -h mod q
414 ((A)->magic == ECFSDSA_VERIFY_MAGIC), ret, err)
433 ret = pub_key_check_initialized_and_type(ctx->pub_key, ECFSDSA); EG(ret, err); in _ecfsdsa_verify_init()
434 MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && in _ecfsdsa_verify_init()
435 (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); in _ecfsdsa_verify_init()
439 q = &(ctx->pub_key->params->ec_gen_order); in _ecfsdsa_verify_init()
440 p_bit_len = ctx->pub_key->params->ec_fp.p_bitlen; in _ecfsdsa_verify_init()
441 q_bit_len = ctx->pub_key->params->ec_gen_order_bitlen; in _ecfsdsa_verify_init()
445 s = &(ctx->verify_data.ecfsdsa.s); in _ecfsdsa_verify_init()
453 ret = fp_init(&rx, ctx->pub_key->params->ec_curve.a.ctx); EG(ret, err); in _ecfsdsa_verify_init()
455 ret = fp_init(&ry, ctx->pub_key->params->ec_curve.a.ctx); EG(ret, err); in _ecfsdsa_verify_init()
459 ret = is_on_shortw_curve(&rx, &ry, &(ctx->pub_key->params->ec_curve), &on_curve); EG(ret, err); in _ecfsdsa_verify_init()
475 ret = local_memcpy(&(ctx->verify_data.ecfsdsa.r), r, r_len); EG(ret, err); in _ecfsdsa_verify_init()
477 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecfsdsa_verify_init()
478 ret = ctx->h->hfunc_init(&(ctx->verify_data.ecfsdsa.h_ctx)); EG(ret, err); in _ecfsdsa_verify_init()
481 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecfsdsa_verify_init()
482 ret = ctx->h->hfunc_update(&(ctx->verify_data.ecfsdsa.h_ctx), r, r_len); EG(ret, err); in _ecfsdsa_verify_init()
484 ctx->verify_data.ecfsdsa.magic = ECFSDSA_VERIFY_MAGIC; in _ecfsdsa_verify_init()
496 IGNORE_RET_VAL(local_memset(&(ctx->verify_data.ecfsdsa), 0, in _ecfsdsa_verify_init()
524 ECFSDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.ecfsdsa), ret, err); in _ecfsdsa_verify_update()
528 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecfsdsa_verify_update()
529 ret = ctx->h->hfunc_update(&(ctx->verify_data.ecfsdsa.h_ctx), chunk, in _ecfsdsa_verify_update()
562 ECFSDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.ecfsdsa), ret, err); in _ecfsdsa_verify_finalize()
569 G = &(ctx->pub_key->params->ec_gen); in _ecfsdsa_verify_finalize()
570 Y = &(ctx->pub_key->y); in _ecfsdsa_verify_finalize()
571 q = &(ctx->pub_key->params->ec_gen_order); in _ecfsdsa_verify_finalize()
572 hsize = ctx->h->digest_size; in _ecfsdsa_verify_finalize()
573 s = &(ctx->verify_data.ecfsdsa.s); in _ecfsdsa_verify_finalize()
574 r = ctx->verify_data.ecfsdsa.r; in _ecfsdsa_verify_finalize()
575 p_bit_len = ctx->pub_key->params->ec_fp.p_bitlen; in _ecfsdsa_verify_finalize()
581 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _ecfsdsa_verify_finalize()
582 ret = ctx->h->hfunc_finalize(&(ctx->verify_data.ecfsdsa.h_ctx), e_buf); EG(ret, err); in _ecfsdsa_verify_finalize()
585 * 4. Convert h to an integer and then compute e = -h mod q in _ecfsdsa_verify_finalize()
588 * e = q - (h mod q) (except when h is 0). in _ecfsdsa_verify_finalize()
603 ret = fp_export_to_buf(r_prime, p_len, &(Wprime->X)); EG(ret, err); in _ecfsdsa_verify_finalize()
604 ret = fp_export_to_buf(r_prime + p_len, p_len, &(Wprime->Y)); EG(ret, err); in _ecfsdsa_verify_finalize()
610 ret = check ? 0 : -1; in _ecfsdsa_verify_finalize()
625 IGNORE_RET_VAL(local_memset(&(ctx->verify_data.ecfsdsa), 0, in _ecfsdsa_verify_finalize()
644 * NOTE: among all the EC-SDSA ISO14888-3 variants, only EC-FSDSA supports
653 * This returns 0 if *all* the signatures are correct, and -1 if at least
658 const u8 **m, const u32 *m_len, u32 num, ec_alg_type sig_type, in _ecfsdsa_verify_batch_no_memory() argument
688 MUST_HAVE((num > 0), ret, err); in _ecfsdsa_verify_batch_no_memory()
698 hsize = hm->digest_size; in _ecfsdsa_verify_batch_no_memory()
701 for(i = 0; i < num; i++){ in _ecfsdsa_verify_batch_no_memory()
711 MUST_HAVE((pub_key->params) == (pub_key0->params), ret, err); in _ecfsdsa_verify_batch_no_memory()
713 q = &(pub_key->params->ec_gen_order); in _ecfsdsa_verify_batch_no_memory()
714 shortw_curve = &(pub_key->params->ec_curve); in _ecfsdsa_verify_batch_no_memory()
715 pub_key_y = &(pub_key->y); in _ecfsdsa_verify_batch_no_memory()
716 key_type = pub_key->key_type; in _ecfsdsa_verify_batch_no_memory()
717 G = &(pub_key->params->ec_gen); in _ecfsdsa_verify_batch_no_memory()
718 p_bit_len = pub_key->params->ec_fp.p_bitlen; in _ecfsdsa_verify_batch_no_memory()
719 q_bit_len = pub_key->params->ec_gen_order_bitlen; in _ecfsdsa_verify_batch_no_memory()
744 /* Get a pseudo-random scalar a for randomizing the linear combination */ in _ecfsdsa_verify_batch_no_memory()
773 ret = hm->hfunc_init(&h_ctx); EG(ret, err); in _ecfsdsa_verify_batch_no_memory()
774 ret = hm->hfunc_update(&h_ctx, &sig[0], (u32)(2 * p_len)); EG(ret, err); in _ecfsdsa_verify_batch_no_memory()
775 ret = hm->hfunc_update(&h_ctx, m[i], m_len[i]); EG(ret, err); in _ecfsdsa_verify_batch_no_memory()
776 ret = hm->hfunc_finalize(&h_ctx, hash); EG(ret, err); in _ecfsdsa_verify_batch_no_memory()
797 /* Now multiply W by -a */ in _ecfsdsa_verify_batch_no_memory()
815 ret = (iszero == 1) ? 0 : -1; in _ecfsdsa_verify_batch_no_memory()
840 const u8 **m, const u32 *m_len, u32 num, ec_alg_type sig_type, in _ecfsdsa_verify_batch() argument
874 MUST_HAVE(((2 * num) >= num), ret, err); in _ecfsdsa_verify_batch()
875 MUST_HAVE(((2 * num) + 1) >= num, ret, err); in _ecfsdsa_verify_batch()
884 if(num <= 1){ in _ecfsdsa_verify_batch()
892 ret = _ecfsdsa_verify_batch_no_memory(s, s_len, pub_keys, m, m_len, num, sig_type, in _ecfsdsa_verify_batch()
898 expected_len = ((2 * num) + 1) * sizeof(verify_batch_scratch_pad); in _ecfsdsa_verify_batch()
902 /* Return the needed size: we need to keep track of (2 * num) + 1 NN numbers in _ecfsdsa_verify_batch()
903 * and (2 * num) + 1 projective points, plus (2 * num) + 1 indices in _ecfsdsa_verify_batch()
918 hsize = hm->digest_size; in _ecfsdsa_verify_batch()
921 for(i = 0; i < num; i++){ in _ecfsdsa_verify_batch()
931 MUST_HAVE((pub_key->params) == (pub_key0->params), ret, err); in _ecfsdsa_verify_batch()
933 q = &(pub_key->params->ec_gen_order); in _ecfsdsa_verify_batch()
934 shortw_curve = &(pub_key->params->ec_curve); in _ecfsdsa_verify_batch()
935 pub_key_y = &(pub_key->y); in _ecfsdsa_verify_batch()
936 key_type = pub_key->key_type; in _ecfsdsa_verify_batch()
937 G = &(pub_key->params->ec_gen); in _ecfsdsa_verify_batch()
938 p_bit_len = pub_key->params->ec_fp.p_bitlen; in _ecfsdsa_verify_batch()
939 q_bit_len = pub_key->params->ec_gen_order_bitlen; in _ecfsdsa_verify_batch()
955 ret = nn_init(&elements[(2 * num)].number, 0); EG(ret, err); in _ecfsdsa_verify_batch()
956 ret = prj_pt_copy(&elements[(2 * num)].point, G); EG(ret, err); in _ecfsdsa_verify_batch()
959 /* Get a pseudo-random scalar a for randomizing the linear combination */ in _ecfsdsa_verify_batch()
974 ret = nn_mod_add(&elements[(2 * num)].number, &elements[(2 * num)].number, in _ecfsdsa_verify_batch()
979 Y = &elements[num + i].point; in _ecfsdsa_verify_batch()
988 e = &elements[num + i].number; in _ecfsdsa_verify_batch()
990 ret = hm->hfunc_init(&h_ctx); EG(ret, err); in _ecfsdsa_verify_batch()
991 ret = hm->hfunc_update(&h_ctx, &sig[0], (u32)(2 * p_len)); EG(ret, err); in _ecfsdsa_verify_batch()
992 ret = hm->hfunc_update(&h_ctx, m[i], m_len[i]); EG(ret, err); in _ecfsdsa_verify_batch()
993 ret = hm->hfunc_finalize(&h_ctx, hash); EG(ret, err); in _ecfsdsa_verify_batch()
1018 /****** Bos-Coster algorithm ****************/ in _ecfsdsa_verify_batch()
1019 ret = ec_verify_bos_coster(elements, (2 * num) + 1, q_bit_len); in _ecfsdsa_verify_batch()
1021 if(ret == -2){ in _ecfsdsa_verify_batch()
1022 /* In case of Bos-Coster time out, we fall back to the in _ecfsdsa_verify_batch()
1025 ret = _ecfsdsa_verify_batch_no_memory(s, s_len, pub_keys, m, m_len, num, sig_type, in _ecfsdsa_verify_batch()
1037 ret = iszero ? 0 : -1; in _ecfsdsa_verify_batch()
1058 const u8 **m, const u32 *m_len, u32 num, ec_alg_type sig_type, in ecfsdsa_verify_batch() argument
1066 ret = _ecfsdsa_verify_batch(s, s_len, pub_keys, m, m_len, num, sig_type, in ecfsdsa_verify_batch()
1072 ret = _ecfsdsa_verify_batch_no_memory(s, s_len, pub_keys, m, m_len, num, sig_type, in ecfsdsa_verify_batch()