nettle-bugs June 2019

nettle-bugs@lists.lysator.liu.se

9 participants
16 discussions

Curve point decompression
by Wim Lewis 10 Nov '21

10 Nov '21

I'm looking at implementing elliptic curve point compression a la SEC1 (admittedly, mostly to reduce the number of "feature not supported" code paths in a library, but it seems like a somewhat useful ability). Nettle/Hogweed already implements it internally for curve25519, but I want to implement it for the "secp" curves as well. Point compression is easy enough, but point decompression requires some curve math, potentially dependent on the specific curve, and some of it is redundant with what's already done in ecc_point_set(). So I was thinking about moving this functionality into Hogweed as a function along the lines of ecc_point_set_compressed(), which would take, instead of a y-coordinate, an int containing the sign/parity of the y-coordinate. So my question for the list and for the maintainers is, is this a reasonable API to add to Hogweed? Is there interest in including it in Hogweed if I were to take the time to turn it into a tidy patch?

3 10

[PATCH 0/8] Implement Curve448 ECDH and Ed448
by Daiki Ueno 02 Jan '20

02 Jan '20

Hello, This patch series implements the Curve448 Diffie-Hellman protocol (RFC 7748) and the Ed448 signature scheme (RFC 8032). Although I tried to make it as close as possible to the Curve25519 and Ed25519 implementations, I had to add a few special cases, namely: - for Curve448, eccdata directly calculates points on the Edwards curve instead of the equivalent Montgomery curve - untwisted versions of ecc_add_eh* and ecc_dup_eh are added - the point decoding for Ed448 uses a different formula to recover u and v Also, optimized implementation of modular reduction is currently missing, which is beyond my expertise. I would appreciate any suggestions regarding that. The patches are also available on: https://gitlab.com/dueno/nettle/commits/wip/dueno/ed448 Thanks to Hubert Kario and Nikos Mavrogiannopoulos for initial reviews. Daiki Ueno (8): ecc-mul-test: Fix mpn_cmp calls eccdata: Emit correct ecc_Bmodq_shifted for curve448 eccdata: Redirect ecc_point_out to given stream, instead of stderr ecc: Add add_hh and dup members to ecc_curve ecc-eh-to-a, eddsa-sign: Parameterize hard-coded value Implement curve448 primitives Implement SHAKE128/256 functions Implement Ed448 signature scheme .gitignore | 1 + Makefile.in | 18 +- curve448-eh-to-x.c | 73 + curve448-mul-g.c | 74 + curve448-mul.c | 148 + curve448.h | 58 + ecc-192.c | 5 + ecc-224.c | 5 + ecc-25519.c | 5 + ecc-256.c | 5 + ecc-384.c | 5 + ecc-448.c | 273 ++ ecc-521.c | 5 + ecc-add-eh.c | 74 +- ecc-add-ehh.c | 77 +- ecc-dup-eh.c | 55 +- ecc-eh-to-a.c | 4 +- ecc-internal.h | 57 +- ecc-mul-a-eh.c | 12 +- ecc-mul-g-eh.c | 4 +- ecc-point-mul-g.c | 7 +- ecc-point-mul.c | 2 +- ecc-point.c | 15 + eccdata.c | 183 +- ecdsa-keygen.c | 4 +- ed25519-sha512-sign.c | 15 + ed448-shake256-pubkey.c | 60 + ed448-shake256-sign.c | 92 + ed448-shake256-verify.c | 66 + eddsa-compress.c | 11 +- eddsa-decompress.c | 15 +- eddsa-expand.c | 20 +- eddsa-hash.c | 35 + eddsa-pubkey.c | 2 +- eddsa-sign.c | 18 +- eddsa-verify.c | 16 +- eddsa.h | 24 + examples/ecc-benchmark.c | 1 + nettle-internal.h | 2 +- nettle-meta-hashes.c | 2 + nettle-meta.h | 2 + nettle.texinfo | 152 +- sha3.c | 13 + sha3.h | 56 + shake128-meta.c | 42 + shake128.c | 84 + shake256-meta.c | 42 + shake256.c | 84 + testsuite/.test-rules.make | 12 + testsuite/Makefile.in | 5 +- testsuite/curve448-dh-test.c | 100 + testsuite/ecc-add-test.c | 48 +- testsuite/ecc-dup-test.c | 12 +- testsuite/ecc-mul-a-test.c | 6 +- testsuite/ecc-mul-g-test.c | 6 +- testsuite/ecdh-test.c | 16 +- testsuite/ecdsa-keygen-test.c | 16 + testsuite/ed448-test.c | 240 ++ testsuite/eddsa-compress-test.c | 137 +- testsuite/eddsa-sign-test.c | 66 +- testsuite/eddsa-verify-test.c | 49 +- testsuite/meta-hash-test.c | 2 + testsuite/shake.awk | 14 + testsuite/shake128-test.c | 6183 +++++++++++++++++++++++++++++++++++++++ testsuite/shake256-test.c | 6183 +++++++++++++++++++++++++++++++++++++++ testsuite/testutils.c | 57 +- 66 files changed, 14976 insertions(+), 199 deletions(-) create mode 100644 curve448-eh-to-x.c create mode 100644 curve448-mul-g.c create mode 100644 curve448-mul.c create mode 100644 curve448.h create mode 100644 ecc-448.c create mode 100644 ed448-shake256-pubkey.c create mode 100644 ed448-shake256-sign.c create mode 100644 ed448-shake256-verify.c create mode 100644 shake128-meta.c create mode 100644 shake128.c create mode 100644 shake256-meta.c create mode 100644 shake256.c create mode 100644 testsuite/curve448-dh-test.c create mode 100644 testsuite/ed448-test.c create mode 100755 testsuite/shake.awk create mode 100644 testsuite/shake128-test.c create mode 100644 testsuite/shake256-test.c -- 2.13.3

2 35

ANNOUNCE: Nettle-3.5
by nisse＠lysator.liu.se 24 Sep '19

24 Sep '19

I'm happy to announce a new release of GNU Nettle, a low-level cryptographics library. This release includes a couple of new features and improved performance. The Nettle home page can be found at https://www.lysator.liu.se/~nisse/nettle/, and the manual at https://www.lysator.liu.se/~nisse/nettle/nettle.html. The release can be downloaded from https://ftp.gnu.org/gnu/nettle/nettle-3.5.tar.gz ftp://ftp.gnu.org/gnu/nettle/nettle-3.5.tar.gz https://www.lysator.liu.se/~nisse/archive/nettle-3.5.tar.gz Regards, /Niels NEWS for the Nettle 3.5 release This release adds a couple of new features and optimizations, and deletes or deprecates a few obsolete features. It is *not* binary (ABI) compatible with earlier versions. Except for deprecations listed below, it is intended to be fully source-level (API) compatible with Nettle-3.4.1. The shared library names are libnettle.so.7.0 and libhogweed.so.5.0, with sonames libnettle.so.7 and libhogweed.so.5. Changes in behavior: * Nettle's gcm_crypt will now call the underlying block cipher to process more than one block at a time. This is not a change to the documented behavior, but unfortunately breaks assumptions accidentally made in GnuTLS, up to and including version 3.6.1. New features: * Support for CFB8 (Cipher Feedback Mode, processing a single octet per block cipher operation), contributed by Dmitry Eremin-Solenikov. * Support for CMAC (RFC 4493), contributed by Nikos Mavrogiannopoulos. * Support for XTS mode, contributed by Simo Sorce. Optimizations: * Improved performance of the x86_64 AES implementation using the aesni instructions. Gives a large speedup for operations processing multiple blocks at a time (including CTR mode, GCM mode, and CBC decrypt, but *not* CBC encrypt). * Improved performance for CTR mode, for the common case of 16-byte block size. Pass more data at a time to underlying block cipher, and fill the counter blocks more efficiently. Extension to also handle GCM mode efficiently contributed by Nikos Mavrogiannopoulos. * New x86_64 implementation of sha1 and sha256, for processors supporting the sha_ni instructions. Speedup of 3-5 times on affected processors. * Improved parameters for the precomputation of tables used for ecc signatures. Roughly 10%-15% speedup of the ecdsa sign operation using the secp_256r1, secp_384r1 and secp_521r1 curves, and 25% speedup of ed25519 sign operation, benchmarked on x86_64. Table sizes unchanged, around 16 KB per curve. * In ARM fat builds, automatically select Neon implementation of Chacha, where possible. Contributed by Yuriy M. Kaminskiy. Deleted features: * The header file des-compat.h and everything declared therein has been deleted, as announced earlier. This file provided a subset of the old libdes/ssleay/openssl interface for DES and triple-DES. DES is still supported, via the functions declared in des.h. * Functions using the old struct aes_ctx have been marked as deprecated. Use the fixed key size interface instead, e.g., struct aes256_ctx, introduced in Nettle-3.0. * The header file nettle-stdint.h, and corresponding autoconf tests, have been deleted. Nettle now requires that the compiler/libc provides <stdint.h>. Miscellaneous: * Support for big-endian ARM systems, contributed by Michael Weiser. * The programs aesdata, desdata, twofishdata, shadata and gcmdata are no longer built by default. Makefile improvements contributed by Jay Foad. * The "example" program examples/eratosthenes.c has been deleted. * The contents of hash context structs, and the deprecated aes_ctx struct, have been reorganized, to enable later optimizations. -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.

5 9

SIV-CMAC
by Nikos Mavrogiannopoulos 04 Jul '19

04 Jul '19

This patch adds the SIV-CMAC algorithm to nettle (an update of the previous attempt). It is an atypical cipher which fits into the encrypt_message interface. regards, Nikos

6 16

Add check for ECC at point 0
by Simo Sorce 02 Jul '19

02 Jul '19

While reviewing FIPS requirements for public key checks in Ephemeral Diffie-Hellman key exchanges it came out that FIPS requires checks that the public key point is not the (0, 0) coordinate and nettle is not doing it (only checks that neither point is negative. Add this check as we never want to allow this point in any case. Simo. -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc

4 11

siv and cmac
by nisse＠lysator.liu.se 02 Jul '19

02 Jul '19

I think the siv code could benefit from a funtion to create a cmac digest in one step, without the update/digest split and the intermediate buffer. That would be something like cmac128_message(const struct cmac128_key *key, const void *cipher, nettle_crypt_func *encrypt, size_t digest_length, uint8_t *digest, size_t message_length, const uint8_t *message); Then the key need to be taken out from the cmac128_ctx. I'm trying that out, on the branch cmac-layout. Patch below. What do you think? Regards, /Niels commit 9b41e3b82b567abb68c1b7fc3b1e6b1a4ed87b26 Author: Niels Möller <nisse(a)lysator.liu.se> Date: 2019-06-01 10:30:29 +0200 New struct cmac128_key. diff --git a/ChangeLog b/ChangeLog index 53cdc41d..a7a4355f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2019-06-01 Niels Möller <nisse(a)lysator.liu.se> + + * cmac.h (struct cmac128_key): New struct. + * cmac.h (struct cmac128_ctx): Use struct cmac128_key. + * cmac.c (cmac128_set_key, cmac128_digest): Update accordingly. + 2019-05-12 Niels Möller <nisse(a)lysator.liu.se> Delete old libdes/openssl compatibility interface. diff --git a/cmac.c b/cmac.c index ed3b5eb8..07d805f3 100644 --- a/cmac.c +++ b/cmac.c @@ -83,8 +83,8 @@ cmac128_set_key(struct cmac128_ctx *ctx, const void *cipher, /* step 1 - generate subkeys k1 and k2 */ encrypt(cipher, 16, L->b, const_zero); - block_mulx(&ctx->K1, L); - block_mulx(&ctx->K2, &ctx->K1); + block_mulx(&ctx->key.K1, L); + block_mulx(&ctx->key.K2, &ctx->key.K1); } #define MIN(x,y) ((x)<(y)?(x):(y)) @@ -148,11 +148,11 @@ cmac128_digest(struct cmac128_ctx *ctx, const void *cipher, if (ctx->index < 16) { ctx->block.b[ctx->index] = 0x80; - memxor(ctx->block.b, ctx->K2.b, 16); + memxor(ctx->block.b, ctx->key.K2.b, 16); } else { - memxor(ctx->block.b, ctx->K1.b, 16); + memxor(ctx->block.b, ctx->key.K1.b, 16); } memxor3(Y.b, ctx->block.b, ctx->X.b, 16); diff --git a/cmac.h b/cmac.h index 6d107982..9d972ea5 100644 --- a/cmac.h +++ b/cmac.h @@ -55,18 +55,22 @@ extern "C" { #define cmac_aes256_update nettle_cmac_aes256_update #define cmac_aes256_digest nettle_cmac_aes256_digest -struct cmac128_ctx +struct cmac128_key { - /* Key */ union nettle_block16 K1; union nettle_block16 K2; +}; + +struct cmac128_ctx +{ + struct cmac128_key key; /* MAC state */ union nettle_block16 X; /* Block buffer */ - union nettle_block16 block; size_t index; + union nettle_block16 block; }; void -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.

3 4

Changes after 3.5.1
by Dmitry Eremin-Solenikov 02 Jul '19

02 Jul '19

Hello, I have several patch series that were sitting in my local gost tree. Most of them were posted to this mailing list for review with little to no feedback. For now they are incorporated into GnuTLS for testing and maturing. I'd like to understand, how should I proceed if I'd like to get them included into nettle to spare GnuTLS from having more and more crypto code. - CMAC-64 support (together with CMAC-TDES for testing). - Changes to GOST R 34.11-94 (gosthash94) code - GOST 28147-89/Magma 64-bit cipher (depend on gosthash94 changes) - Additional cipher modes required for full GOST 28147-89 support - Streebog hash algorithm (GOST R 34.11-2012) - Several GOST curves (2 for now, other require changes to ecc backend) - GOST ECC-based digital signature scheme - GOST ECC-based key agreement - small chunks of additional support code -- With best wishes Dmitry

2 2

ANNOUNCE: Nettle-3.5.1
by nisse＠lysator.liu.se 27 Jun '19

27 Jun '19

There was a packaging problem with the Nettle-3.5 release of yesterday, breaking certain x86_64 configurations. The Nettle home page can be found at https://www.lysator.liu.se/~nisse/nettle/, and the manual at https://www.lysator.liu.se/~nisse/nettle/nettle.html. The corrected release can be downloaded from https://ftp.gnu.org/gnu/nettle/nettle-3.5.1.tar.gz ftp://ftp.gnu.org/gnu/nettle/nettle-3.5.1.tar.gz https://www.lysator.liu.se/~nisse/archive/nettle-3.5.1.tar.gz Regards, /Niels NEWS for the Nettle 3.5.1 release The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5. The new directory x86_64/sha_ni were missing in the tar file, breaking x86_64 builds with --enable-fat, and producing worse performance than promised for builds with --enable-x86-sha-ni. Also a few unused in-progress assembly files were accidentally included in the tar file. These problems are corrected in Nettle-3.5.1. There are no other changes, and also the library version numbers are unchanged. NEWS for the Nettle 3.5 release This release adds a couple of new features and optimizations, and deletes or deprecates a few obsolete features. It is *not* binary (ABI) compatible with earlier versions. Except for deprecations listed below, it is intended to be fully source-level (API) compatible with Nettle-3.4.1. The shared library names are libnettle.so.7.0 and libhogweed.so.5.0, with sonames libnettle.so.7 and libhogweed.so.5. Changes in behavior: * Nettle's gcm_crypt will now call the underlying block cipher to process more than one block at a time. This is not a change to the documented behavior, but unfortunately breaks assumptions accidentally made in GnuTLS, up to and including version 3.6.1. New features: * Support for CFB8 (Cipher Feedback Mode, processing a single octet per block cipher operation), contributed by Dmitry Eremin-Solenikov. * Support for CMAC (RFC 4493), contributed by Nikos Mavrogiannopoulos. * Support for XTS mode, contributed by Simo Sorce. Optimizations: * Improved performance of the x86_64 AES implementation using the aesni instructions. Gives a large speedup for operations processing multiple blocks at a time (including CTR mode, GCM mode, and CBC decrypt, but *not* CBC encrypt). * Improved performance for CTR mode, for the common case of 16-byte block size. Pass more data at a time to underlying block cipher, and fill the counter blocks more efficiently. Extension to also handle GCM mode efficiently contributed by Nikos Mavrogiannopoulos. * New x86_64 implementation of sha1 and sha256, for processors supporting the sha_ni instructions. Speedup of 3-5 times on affected processors. * Improved parameters for the precomputation of tables used for ecc signatures. Roughly 10%-15% speedup of the ecdsa sign operation using the secp_256r1, secp_384r1 and secp_521r1 curves, and 25% speedup of ed25519 sign operation, benchmarked on x86_64. Table sizes unchanged, around 16 KB per curve. * In ARM fat builds, automatically select Neon implementation of Chacha, where possible. Contributed by Yuriy M. Kaminskiy. Deleted features: * The header file des-compat.h and everything declared therein has been deleted, as announced earlier. This file provided a subset of the old libdes/ssleay/openssl interface for DES and triple-DES. DES is still supported, via the functions declared in des.h. * Functions using the old struct aes_ctx have been marked as deprecated. Use the fixed key size interface instead, e.g., struct aes256_ctx, introduced in Nettle-3.0. * The header file nettle-stdint.h, and corresponding autoconf tests, have been deleted. Nettle now requires that the compiler/libc provides <stdint.h>. Miscellaneous: * Support for big-endian ARM systems, contributed by Michael Weiser. * The programs aesdata, desdata, twofishdata, shadata and gcmdata are no longer built by default. Makefile improvements contributed by Jay Foad. * The "example" program examples/eratosthenes.c has been deleted. * The contents of hash context structs, and the deprecated aes_ctx struct, have been reorganized, to enable later optimizations. -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.

1 0

[PATCH 1/3] build: allow overriding the debug flags
by Alon Bar-Lev 26 Jun '19

26 Jun '19

In Gentoo and probably other downstream distributions we let package management to manage the flags Signed-off-by: Alon Bar-Lev <alon.barlev(a)gmail.com> --- configure.ac | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 00d2bf5d..379c021c 100644 --- a/configure.ac +++ b/configure.ac @@ -949,13 +949,16 @@ LIBS="$old_LIBS" AC_SUBST(BENCH_LIBS) +AC_ARG_VAR([GCC_DEBUG_FLAGS], [GCC debug flags]) +test -z "${GCC_DEBUG_FLAGS}" && GCC_DEBUG_FLAGS="-ggdb3" + # Set these flags *last*, or else the test programs won't compile if test x$GCC = xyes ; then # Using -ggdb3 makes (some versions of) Redhat's gcc-2.96 dump core if $CC --version | grep '^2\.96$' 1>/dev/null 2>&1; then true else - CFLAGS="$CFLAGS -ggdb3" + CFLAGS="$CFLAGS ${GCC_DEBUG_FLAGS}" fi # FIXME: It would be better to actually test if this option works and/or is needed. # Or perhaps use -funsigned-char. -- 2.21.0

4 20

nettle-3.5rc1
by nisse＠lysator.liu.se 15 Jun '19

15 Jun '19

Hi, I've been talking about release for quite some time, without getting to it. I think the current state is pretty good, and I'd like to get the release out before summer vacations. I know there are several very desirable features being worked on, and I'm very happy about that, but release line has to be drawn somewhere. So I've prepared a nettle-3.5rc1 tarball, https://www.lysator.liu.se/~nisse/archive/nettle-3.5rc1.tar.gz, and there's a corresponding "nettle_3.5rc1" tag in the repository. I'll run tests on some of the gmp and gcc test machines. I think I'll get coverage for x86_64, mips, arm, power, maybe sparc. These machines mainly free operating systems, gnu/linux or freebsd. Help with testing on additional systems is highly appreciated, in particular testingon android and on any proprietary OS:es of interest. Please also review the NEWS file, if there's anything NEWS-worthy that I have missed, speak up. Or if there are some additional improvements that really ought to get into the 3.5 release. I aim to have the release happen in a week or two. Regards, /Niels -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs June 2019