Lines Matching +full:compute +full:-
2 * Copyright (C) 2017 - This file is part of libecc project
7 * Jean-Pierre FLORI <jean-pierre.flori@ssi.gouv.fr>
32 * function returns 0 on success, -1 on error.
47 q = &(in_priv->params->ec_gen_order); in eckcdsa_init_pub_key()
53 MUST_HAVE((!nn_cmp(&(in_priv->x), q, &cmp)) && (cmp < 0), ret, err); in eckcdsa_init_pub_key()
55 /* Y = (x^-1)G */ in eckcdsa_init_pub_key()
56 G = &(in_priv->params->ec_gen); in eckcdsa_init_pub_key()
60 ret = nn_modinv_fermat(&xinv, &(in_priv->x), q); EG(ret, err); in eckcdsa_init_pub_key()
63 ret = prj_pt_mul_blind(&(out_pub->y), &xinv, G); EG(ret, err); in eckcdsa_init_pub_key()
65 out_pub->key_type = ECKCDSA; in eckcdsa_init_pub_key()
66 out_pub->params = in_priv->params; in eckcdsa_init_pub_key()
67 out_pub->magic = PUB_KEY_MAGIC; in eckcdsa_init_pub_key()
79 * -1 on error. On success, signature length is provided via 'siglen' out
101 * ISO 14888-3:2016 has some insane specific case when the digest size
104 * (= H(z||m)) and r (= H(FE2OS(W_x))) must be post-processed/mangled
107 * - h = I2BS(beta', (BS2I(gamma, h))) mod 2^beta'
108 * - r = I2BS(beta', (BS2I(gamma, r))) mod 2^beta'
115 * - the expected post-processing work is simply clearing the first
116 * (gamma - beta') bits at the beginning of h and r to keep only
118 * - In the library, we do not work on bitstring but byte strings in
120 * - In EC-KCDSA sig/verif, the result (h and then r) are then XORed
128 * (gamma - beta') / 8.
132 * shift = (gamma - beta') / 8 = 4
149 buf[i - shift] = buf[i]; in buf_lshift()
154 buf[buflen - i] = 0; in buf_lshift()
164 * Generic *internal* EC-KCDSA signature functions (init, update and finalize).
170 * Global EC-KCDSA signature process is as follows (I,U,F provides
174 *| IUF - EC-KCDSA signature
176 *| IUF 1. Compute h = H(z||m)
181 *| F 4. Compute W = (W_x,W_y) = kG
182 *| F 5. Compute r = H(FE2OS(W_x)).
186 *| F 7. Compute e = OS2I(r XOR h) mod q
187 *| F 8. Compute s = x(k - e) mod q
196 ((A)->magic == ECKCDSA_SIGN_MAGIC), ret, err)
199 * ECKCDSA signature initialization function. Returns 0 on success, -1 on
216 ret = key_pair_check_initialized_and_type(ctx->key_pair, ECKCDSA); EG(ret, err); in _eckcdsa_sign_init()
217 MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && in _eckcdsa_sign_init()
218 (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); in _eckcdsa_sign_init()
221 pub_key = &(ctx->key_pair->pub_key); in _eckcdsa_sign_init()
222 p_len = (u8)BYTECEIL(pub_key->params->ec_fp.p_bitlen); in _eckcdsa_sign_init()
223 z_len = ctx->h->block_size; in _eckcdsa_sign_init()
226 * 1. Compute h = H(z||m) in _eckcdsa_sign_init()
228 * We first need to compute z, the certificate data that will be in _eckcdsa_sign_init()
229 * prepended to the message m prior to hashing. In ISO-14888-3:2016, in _eckcdsa_sign_init()
241 ret = prj_pt_to_aff(&y_aff, &(pub_key->y)); EG(ret, err); in _eckcdsa_sign_init()
249 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _eckcdsa_sign_init()
250 ret = ctx->h->hfunc_init(&(ctx->sign_data.eckcdsa.h_ctx)); EG(ret, err); in _eckcdsa_sign_init()
251 ret = ctx->h->hfunc_update(&(ctx->sign_data.eckcdsa.h_ctx), tmp_buf, z_len); EG(ret, err); in _eckcdsa_sign_init()
255 ctx->sign_data.eckcdsa.magic = ECKCDSA_SIGN_MAGIC; in _eckcdsa_sign_init()
267 /* ECKCDSA signature update function. Returns 0 on success, -1 on error. */
275 * part too. This guarantees the context is an EC-KCDSA in _eckcdsa_sign_update()
280 ECKCDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.eckcdsa), ret, err); in _eckcdsa_sign_update()
282 /* 1. Compute h = H(z||m) */ in _eckcdsa_sign_update()
284 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _eckcdsa_sign_update()
285 ret = ctx->h->hfunc_update(&(ctx->sign_data.eckcdsa.h_ctx), chunk, chunklen); in _eckcdsa_sign_update()
292 * ECKCDSA signature finalization function. Returns 0 on success, -1 on
321 * part too. This guarantees the context is an EC-KCDSA in _eckcdsa_sign_finalize()
325 ECKCDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.eckcdsa), ret, err); in _eckcdsa_sign_finalize()
332 priv_key = &(ctx->key_pair->priv_key); in _eckcdsa_sign_finalize()
333 G = &(priv_key->params->ec_gen); in _eckcdsa_sign_finalize()
334 q = &(priv_key->params->ec_gen_order); in _eckcdsa_sign_finalize()
335 hsize = ctx->h->digest_size; in _eckcdsa_sign_finalize()
336 p_len = (u8)BYTECEIL(priv_key->params->ec_fp.p_bitlen); in _eckcdsa_sign_finalize()
337 q_bit_len = priv_key->params->ec_gen_order_bitlen; in _eckcdsa_sign_finalize()
340 x = &(priv_key->x); in _eckcdsa_sign_finalize()
351 dbg_nn_print("p", &(priv_key->params->ec_fp.p)); in _eckcdsa_sign_finalize()
356 /* 1. Compute h = H(z||m) */ in _eckcdsa_sign_finalize()
358 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _eckcdsa_sign_finalize()
359 ret = ctx->h->hfunc_finalize(&(ctx->sign_data.eckcdsa.h_ctx), hzm); EG(ret, err); in _eckcdsa_sign_finalize()
360 dbg_buf_print("h = H(z||m) pre-mask", hzm, hsize); in _eckcdsa_sign_finalize()
367 shift = (u8)((hsize > r_len) ? (hsize - r_len) : 0); in _eckcdsa_sign_finalize()
371 dbg_buf_print("h = H(z||m) post-mask", hzm, r_len); in _eckcdsa_sign_finalize()
381 MUST_HAVE((ctx->rand == nn_get_random_mod), ret, err); in _eckcdsa_sign_finalize()
383 MUST_HAVE((ctx->rand != NULL), ret, err); in _eckcdsa_sign_finalize()
384 ret = ctx->rand(&k, q); EG(ret, err); in _eckcdsa_sign_finalize()
394 /* 4. Compute W = (W_x,W_y) = kG */ in _eckcdsa_sign_finalize()
405 /* 5 Compute r = h(FE2OS(W_x)). */ in _eckcdsa_sign_finalize()
409 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _eckcdsa_sign_finalize()
410 ret = ctx->h->hfunc_init(&r_ctx); EG(ret, err); in _eckcdsa_sign_finalize()
411 ret = ctx->h->hfunc_update(&r_ctx, tmp_buf, p_len); EG(ret, err); in _eckcdsa_sign_finalize()
412 ret = ctx->h->hfunc_finalize(&r_ctx, r); EG(ret, err); in _eckcdsa_sign_finalize()
421 dbg_buf_print("r pre-mask", r, hsize); in _eckcdsa_sign_finalize()
425 dbg_buf_print("r post-mask", r, r_len); in _eckcdsa_sign_finalize()
427 /* 7. Compute e = OS2I(r XOR h) mod q */ in _eckcdsa_sign_finalize()
437 /* In case of blinding, we compute (k*b - e*b) * x * b^-1 */ in _eckcdsa_sign_finalize()
446 * 8. Compute s = x(k - e) mod q in _eckcdsa_sign_finalize()
448 * This is equivalent to computing s = x(k + (q - e)) mod q. in _eckcdsa_sign_finalize()
456 /* Unblind s with b^-1 */ in _eckcdsa_sign_finalize()
489 IGNORE_RET_VAL(local_memset(&(ctx->sign_data.eckcdsa), 0, sizeof(eckcdsa_sign_data))); in _eckcdsa_sign_finalize()
507 * Generic *internal* EC-KCDSA verification functions (init, update and
513 * Global EC-KCDSA verification process is as follows (I,U,F provides
517 *| IUF - EC-KCDSA verification
520 *| - if |H| > bitlen(q), r must be of length
522 *| - if |H| <= bitlen(q), r must be of length hsize
524 *| IUF 3. Compute h = H(z||m)
528 *| F 5. Compute e = OS2I(r XOR h) mod q
529 *| F 6. Compute W' = sY + eG, where Y is the public key
530 *| F 7. Compute r' = h(W'x)
541 ((A)->magic == ECKCDSA_VERIFY_MAGIC), ret, err)
544 * ECKCDSA verification initialization function. Returns 0 on success, -1 on error.
565 ret = pub_key_check_initialized_and_type(ctx->pub_key, ECKCDSA); EG(ret, err); in _eckcdsa_verify_init()
566 MUST_HAVE((ctx->h != NULL) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && in _eckcdsa_verify_init()
567 (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err); in _eckcdsa_verify_init()
571 pub_key = ctx->pub_key; in _eckcdsa_verify_init()
572 p_len = (u8)BYTECEIL(pub_key->params->ec_fp.p_bitlen); in _eckcdsa_verify_init()
573 q_bit_len = pub_key->params->ec_gen_order_bitlen; in _eckcdsa_verify_init()
574 q = &(pub_key->params->ec_gen_order); in _eckcdsa_verify_init()
575 hsize = ctx->h->digest_size; in _eckcdsa_verify_init()
578 z_len = ctx->h->block_size; in _eckcdsa_verify_init()
582 * - if |H| > bitlen(q), r must be of length in _eckcdsa_verify_init()
584 * - if |H| <= bitlen(q), r must be of length hsize in _eckcdsa_verify_init()
599 * 3. Compute h = H(z||m) in _eckcdsa_verify_init()
601 * We first need to compute z, the certificate data that will be in _eckcdsa_verify_init()
602 * prepended to the message m prior to hashing. In ISO-14888-3:2016, in _eckcdsa_verify_init()
614 ret = prj_pt_to_aff(&y_aff, &(pub_key->y)); EG(ret, err); in _eckcdsa_verify_init()
622 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _eckcdsa_verify_init()
623 ret = ctx->h->hfunc_init(&(ctx->verify_data.eckcdsa.h_ctx)); EG(ret, err); in _eckcdsa_verify_init()
624 ret = ctx->h->hfunc_update(&(ctx->verify_data.eckcdsa.h_ctx), tmp_buf, in _eckcdsa_verify_init()
632 ret = local_memcpy(ctx->verify_data.eckcdsa.r, sig, r_len); EG(ret, err); in _eckcdsa_verify_init()
633 ret = nn_copy(&(ctx->verify_data.eckcdsa.s), &s); EG(ret, err); in _eckcdsa_verify_init()
635 ctx->verify_data.eckcdsa.magic = ECKCDSA_VERIFY_MAGIC; in _eckcdsa_verify_init()
647 IGNORE_RET_VAL(local_memset(&(ctx->verify_data.eckcdsa), 0, in _eckcdsa_verify_init()
664 /* ECKCDSA verification update function. Returns 0 on success, -1 on error. */
672 * part too. This guarantees the context is an EC-KCDSA in _eckcdsa_verify_update()
677 ECKCDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.eckcdsa), ret, err); in _eckcdsa_verify_update()
679 /* 3. Compute h = H(z||m) */ in _eckcdsa_verify_update()
681 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _eckcdsa_verify_update()
682 ret = ctx->h->hfunc_update(&(ctx->verify_data.eckcdsa.h_ctx), in _eckcdsa_verify_update()
690 * ECKCDSA verification finalization function. Returns 0 on success, -1 on error.
720 * part too. This guarantees the context is an EC-KCDSA in _eckcdsa_verify_finalize()
724 ECKCDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.eckcdsa), ret, err); in _eckcdsa_verify_finalize()
731 pub_key = ctx->pub_key; in _eckcdsa_verify_finalize()
732 G = &(pub_key->params->ec_gen); in _eckcdsa_verify_finalize()
733 Y = &(pub_key->y); in _eckcdsa_verify_finalize()
734 q = &(pub_key->params->ec_gen_order); in _eckcdsa_verify_finalize()
735 p_bit_len = pub_key->params->ec_fp.p_bitlen; in _eckcdsa_verify_finalize()
736 q_bit_len = pub_key->params->ec_gen_order_bitlen; in _eckcdsa_verify_finalize()
738 hsize = ctx->h->digest_size; in _eckcdsa_verify_finalize()
740 r = ctx->verify_data.eckcdsa.r; in _eckcdsa_verify_finalize()
741 s = &(ctx->verify_data.eckcdsa.s); in _eckcdsa_verify_finalize()
743 /* 3. Compute h = H(z||m) */ in _eckcdsa_verify_finalize()
745 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _eckcdsa_verify_finalize()
746 ret = ctx->h->hfunc_finalize(&(ctx->verify_data.eckcdsa.h_ctx), hzm); EG(ret, err); in _eckcdsa_verify_finalize()
747 dbg_buf_print("h = H(z||m) pre-mask", hzm, hsize); in _eckcdsa_verify_finalize()
754 shift = (u8)((hsize > r_len) ? (hsize - r_len) : 0); in _eckcdsa_verify_finalize()
757 dbg_buf_print("h = H(z||m) post-mask", hzm, r_len); in _eckcdsa_verify_finalize()
759 /* 5. Compute e = OS2I(r XOR h) mod q */ in _eckcdsa_verify_finalize()
769 /* 6. Compute W' = sY + eG, where Y is the public key */ in _eckcdsa_verify_finalize()
774 dbg_nn_print("W'_x", &(Wprime->X.fp_val)); in _eckcdsa_verify_finalize()
775 dbg_nn_print("W'_y", &(Wprime->Y.fp_val)); in _eckcdsa_verify_finalize()
777 /* 7. Compute r' = h(W'x) */ in _eckcdsa_verify_finalize()
779 ret = fp_export_to_buf(tmp_buf, p_len, &(Wprime->X)); EG(ret, err); in _eckcdsa_verify_finalize()
781 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err); in _eckcdsa_verify_finalize()
782 ret = ctx->h->hfunc_init(&r_prime_ctx); EG(ret, err); in _eckcdsa_verify_finalize()
783 ret = ctx->h->hfunc_update(&r_prime_ctx, tmp_buf, p_len); EG(ret, err); in _eckcdsa_verify_finalize()
784 ret = ctx->h->hfunc_finalize(&r_prime_ctx, r_prime); EG(ret, err); in _eckcdsa_verify_finalize()
793 dbg_buf_print("r' pre-mask", r_prime, hsize); in _eckcdsa_verify_finalize()
795 dbg_buf_print("r' post-mask", r_prime, r_len); in _eckcdsa_verify_finalize()
800 ret = check ? 0 : -1; in _eckcdsa_verify_finalize()
813 IGNORE_RET_VAL(local_memset(&(ctx->verify_data.eckcdsa), 0, in _eckcdsa_verify_finalize()