Daiki Ueno <ueno@gnu.org> writes:
> It seems that it is not possible to implement this check with Nettle's public API. The attached patch naively multiplies Q by n but it causes the valgrind errors below.

I think the point multiplication functions were written under the assumption that the scalar should be less than the group order. Docs could perhaps be improved on that.
But I don't know now exactly how it fails. It's good you get the valgrind failures, but line numbers don't quite match my version.
If ecc_mul_a can be made to support this, I take it the output will be a point with z = 0 (mod p) in homogeneous coordinates.
And then the special case z = 0 has to be detected in some way in the conversion to affine coordinates. That's done by ecc_j_to_a, but that assumes a finite input point, since it inverts z without checking for zero.
> As it works with the curve order minus 1, I added the following check instead in my library, though I'm not sure if this satisfies the original requirement:
> P = (n - 1) * Q

Checking that (n-1) * Q = -Q should be mathematically equivalent. There's a similar test in testsuite/ecc-mul-a-test.c and testsuite/ecc-mul-g-test.c (but testing with the generator rather than with an arbitrary public key).
If the point of the requirements of "SP800-56A (revision 3)" is to check the mathematical properties of the point, rather than testing a particular implementation of the ecc arithmetics, then (n-1) Q = -Q sounds good enough to me. You should first check that Q really lies on the curve (otherwise both left-hand side and right-hand side operations suffer garbage-in-garbage-out), but you probably do that already.
Regards, /Niels
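
The check discussed in this message, as an added example that is not part of the original e-mail and is not Nettle or GnuTLS code: a public key Q is accepted only if it is in range, lies on the curve, and satisfies (n-1)Q = -Q, compared against the direct form nQ = infinity. The toy curve, its parameters and all function names are constructed for illustration; the curve has cofactor 4, so it contains on-curve points that the order check must reject.

```python
# Toy curve, constructed for illustration: y^2 = x^3 - x over F_19.
# It has 20 points (cofactor 4); G = (6, 18) has prime order N = 5.
P, A, B, N = 19, -1, 0, 5
INF = None  # point at infinity

def in_range(q):
    return q is not INF and all(0 <= c < P for c in q)

def on_curve(q):
    x, y = q
    return (y * y - (x * x * x + A * x + B)) % P == 0

def neg(q):
    return INF if q is INF else (q[0], -q[1] % P)

def add(q1, q2):
    if q1 is INF:
        return q2
    if q2 is INF:
        return q1
    (x1, y1), (x2, y2) = q1, q2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # q2 == -q1, including doubling a point with y == 0
    if q1 == q2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, q):
    r = INF
    while k:
        if k & 1:
            r = add(r, q)
        q = add(q, q)
        k >>= 1
    return r

def validate_n_minus_1(q):
    # Range and on-curve checks first, then (n-1)Q == -Q.
    return in_range(q) and on_curve(q) and mul(N - 1, q) == neg(q)

def validate_n(q):
    # Same preconditions, then the direct form nQ == infinity.
    return in_range(q) and on_curve(q) and mul(N, q) is INF

if __name__ == "__main__":
    for q in [(6, 18), (2, 5), (0, 0), (4, 1)]:
        print(q, validate_n_minus_1(q), validate_n(q))
```

The affine arithmetic here represents infinity explicitly, so multiplying by n is harmless; the n-1 form matters for implementations whose scalar multiplication or coordinate conversion assumes a finite result.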