nmav at gnutls.org
Sun Aug 14 20:47:13 CEST 2011
On 08/14/2011 07:43 PM, Niels Möller wrote:
>> +/* assume curve is y^2 = x^3 - 3x + b
>> + * instead of the generic y^2 = x^3 + ax + b
>> + *
>> + * (XXX: the generic case has been tested only
>> + * with the SECG curves.)
>> + */
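Review bot: the a = -3 assumption stated in the comment at the top of this hunk is not enforced anywhere visible, so a caller who passes a curve whose a coefficient is not p - 3 gets a silently wrong result rather than an error. Suggest either removing the curve coefficient from the interface of the special-case variant so the restriction is explicit, or checking at entry that the coefficient equals p - 3 and failing otherwise; the XXX note should also be replaced by an actual test of the generic path on a curve with a != -3 before this is merged.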
> Maybe the naming in the interface should reflect that it's a special
You can use the generic code by keeping ecc_projective_add_point.c
instead of ecc_projective_add_point_3.c. I have not tested the
generic code though with other curves than the SECP that use
a = -3. The improvement from the special case is not that
>> +/* ---- ECC Routines ---- */
>> +/* size of our temp buffers for exported keys */
>> +#define ECC_BUF_SIZE 512
>> +/* max private key size */
>> +#define ECC_MAXSIZE 66
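Review bot: `#define ECC_BUF_SIZE 512` and `#define ECC_MAXSIZE 66` are bare magic numbers; the comments say what each bounds but not how the value was derived. State in the comment which supported group determines each maximum (for instance that ECC_MAXSIZE is the byte length of the largest supported prime), so that adding a larger curve later cannot silently overflow fixed buffers sized from these constants, and add a compile-time check tying the two together if one is derived from the other.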
> Where do these maximums come from?
From the sizes of the supported groups.
>> +/* Key generation */
>> +int ecc_make_key(void *random_ctx, nettle_random_func random, ecc_key *key, const ecc_set_type *dp);
>> +int ecc_make_key_ex(void *random_ctx, nettle_random_func random, ecc_key *key, mpz_t prime, mpz_t order, mpz_t A, mpz_t Gx, mpz_t Gy);
>> +void ecc_free(ecc_key *key);
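Review bot: `ecc_make_key_ex` accepts raw domain parameters (`mpz_t prime, mpz_t order, mpz_t A, mpz_t Gx, mpz_t Gy`) but nothing in the hunk says whether they are validated, for example that (Gx, Gy) actually lies on the curve; either document that the caller is responsible or reject parameters that fail the check, since an application loading curve parameters from an external source would otherwise continue with a malformed group. The `int` return of both make_key functions also needs a documented meaning: which values signal failure, and whether `ecc_free` must still be called after a failed call.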
> I haven't figured out exactly what these do, but naming should most
> likely be _init and _clear, for consistency with the rest of nettle and
> with gmp.
make_key is actually _init and _generate in one.
>> +/* EC-Diffie-Hellman */
>> +int ecc_shared_secret(ecc_key *private_key, ecc_key *public_key,
>> + unsigned char *out, unsigned long *outlen);
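Review bot: the in/out contract of `unsigned long *outlen` is undocumented; the header should say that on entry *outlen is the size of `out`, that on return it holds the number of bytes written, and that a too-small buffer produces an error return rather than a truncated secret. It should also state whether `public_key` is checked to be a valid point on the curve before the shared secret is computed, or whether that check is expected to have happened when the key was imported.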
> Haven't looked at this; for diffie-hellman over the normal ring one
> would just use gmp's powm function. I think the corresponding ecc
> function should also be public (maybe it already is?).
Could be. This is a convenience function.
>> +/* ECDSA */
>> +int ecc_sign_hash(const unsigned char *in, unsigned long inlen,
>> + struct dsa_signature *signature,
>> + void *random_ctx, nettle_random_func random, ecc_key *key);
>> +int ecc_verify_hash(struct dsa_signature * signature,
>> + const unsigned char *hash, unsigned long hashlen,
>> + int *stat, ecc_key *key);
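Review bot: `ecc_verify_hash` reports its result twice, through the `int` return value and through `int *stat`, which invites callers to check only one of them; nettle's `_verify_digest` functions return the result directly, and following that convention here would be clearer and harder to misuse. Smaller points in the same hunk: `struct dsa_signature * signature` should be `const` in the verify prototype, the hash is named `in`/`inlen` in sign but `hash`/`hashlen` in verify, and the comment should say how a hash longer than the group order is handled.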
> Do these correspond to the _sign_digest and _verify_digest functions for
> dsa and rsa?
Indeed but they are not limited to a particular digest. Any hash can be
>> +/* point ops (mp == montgomery digit) */
>> +/* R = 2P */
>> +int ecc_projective_dbl_point(ecc_point *P, ecc_point *R, mpz_t a, mpz_t modulus);
>> +/* R = P + Q */
>> +int ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R, mpz_t A, mpz_t modulus);
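Review bot: the comment `/* point ops (mp == montgomery digit) */` does not match the prototypes below it, which take GMP `mpz_t` values rather than Montgomery digits; it reads as carried over from elsewhere and should be corrected. The curve coefficient is also named `a` in `ecc_projective_dbl_point` and `A` in `ecc_projective_add_point`, and the input points `P` and `Q` could be `const`. If the a = -3 variant discussed earlier in the thread shares this prototype, its otherwise unused coefficient argument should at least be checked against p - 3 so the special case cannot be applied to the wrong curve.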
> Is it customary jargon and notation to think about the ecc group
> operation as addition rather than multiplication? (Choice is arbitrary).
I've never seen multiplication being used to describe this operation
(either in cryptography or pure mathematics).
>> +int mp_init_multi(mpz_t *a, ...);
>> +void mp_clear_multi(mpz_t *a, ...);
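Review bot: the variadic prototypes `int mp_init_multi(mpz_t *a, ...);` and `void mp_clear_multi(mpz_t *a, ...);` do not document how the argument list is terminated (presumably a NULL sentinel), and a missing sentinel in a variadic call is undefined behaviour the compiler cannot diagnose. Document the terminator, and for `mp_init_multi` state what happens on failure partway through, that is whether the values already initialised are cleared before returning, so callers know whether `mp_clear_multi` is still required. The `mp_` prefix also does not follow nettle's naming.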
> Not sure I like these.
They simplify code utilizing multiple mpz_ts significantly.