Hello,
SP800-56A (revision 3) section 5.6.2.3.3 now mandates a check that the generated public key (Q) multiplied by the curve order (n) results in an identity element (= an infinity point).
It seems that it is not possible to implement this check with Nettle's public API. The attached patch naively multiplies Q by n, but it causes the valgrind errors below.
As it works with the curve order minus 1, I added the following check instead in my library, though I'm not sure if this satisfies the original requirement:
P = (n - 1) * Q
where P's x-coordinate is the same as Q's, and P also lies on the same curve, which indicates that P + Q (= n * Q) is an infinity point, according to the group law.
Is there a better (direct) way to implement the check? Suggestions appreciated.
Conditional jump or move depends on uninitialised value(s)
   at 0x4880DFB: _nettle_ecc_mul_a (ecc-mul-a.c:145)
   by 0x48815F8: nettle_ecc_point_mul (ecc-point-mul.c:55)
   by 0x4012EB: main (ecc-test.c:36)
Conditional jump or move depends on uninitialised value(s)
   at 0x487D1D9: _nettle_sec_tabselect (sec-tabselect.c:54)
   by 0x4880E1B: _nettle_ecc_mul_a (ecc-mul-a.c:147)
   by 0x48815F8: nettle_ecc_point_mul (ecc-point-mul.c:55)
   by 0x4012EB: main (ecc-test.c:36)
Conditional jump or move depends on uninitialised value(s)
   at 0x487E0F3: _nettle_ecc_mod_add (ecc-mod-arith.c:53)
   by 0x487F51B: _nettle_ecc_dup_jj (ecc-dup-jj.c:81)
   by 0x4880E66: _nettle_ecc_mul_a (ecc-mul-a.c:171)
   by 0x48815F8: nettle_ecc_point_mul (ecc-point-mul.c:55)
   by 0x4012EB: main (ecc-test.c:36)
Regards,
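As an added illustration of the two checks discussed above (this is editor-supplied example code, not part of the original mail, the attached patch, or Nettle itself), the following pure-Python P-256 arithmetic shows the direct SP 800-56A full public-key validation, where n*Q is compared against the point at infinity, next to the (n-1)*Q workaround. The workaround is made explicit here: P = (n-1)*Q must equal -Q, i.e. share Q's x-coordinate and have y_P = p - y_Q, which is what makes P + Q = n*Q the identity. Affine coordinates with None standing for the point at infinity are an assumption of this example chosen so that n*Q can be compared directly, which the mail reports the Nettle public API cannot do; the function names and the sample points are likewise constructed for this example.

```python
# Editor-added example (not Nettle code): SP 800-56A rev3 5.6.2.3.3 style
# full public-key validation on P-256, in pure Python affine arithmetic.
# The point at infinity (identity) is represented as None.

# NIST P-256 domain parameters (y^2 = x^3 + A*x + B mod P, group order N)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def inv(x):
    """Modular inverse mod P (Python 3.8+)."""
    return pow(x, -1, P)


def add(p1, p2):
    """Group law in affine coordinates; None is the identity element."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p2 == -p1, so the sum is the identity
            return None
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P   # point doubling
    else:
        lam = (y2 - y1) * inv((x2 - x1) % P) % P     # point addition
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Scalar multiplication by plain double-and-add (not constant time;
    fine for a demonstration of validation, not for private-key use)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def on_curve(q):
    x, y = q
    return (y * y - (x * x * x + A * x + B)) % P == 0


def range_and_curve_ok(q):
    """Steps shared by both variants: Q != identity, coordinates in [0, p),
    and Q satisfies the curve equation."""
    if q is None:
        return False
    x, y = q
    return 0 <= x < P and 0 <= y < P and on_curve(q)


def validate_direct(q):
    """Direct check: n*Q must be the identity element."""
    return range_and_curve_ok(q) and mul(N, q) is None


def validate_via_n_minus_1(q):
    """Workaround for an API that cannot represent the identity:
    R = (n-1)*Q must be -Q, i.e. same x and y_R == p - y_Q,
    so that R + Q = n*Q is the identity by the group law."""
    if not range_and_curve_ok(q):
        return False
    r = mul(N - 1, q)
    if r is None:                  # (n-1)*Q = O cannot happen for a valid Q
        return False
    x, y = q
    rx, ry = r
    return rx == x and ry == (P - y) % P


if __name__ == "__main__":
    # Constructed sample input: a public key derived from a throwaway scalar.
    q_good = mul(0x1234567, G)
    q_bad = (G[0], G[1] + 1)       # constructed: not on the curve
    print("direct   :", validate_direct(q_good), validate_direct(q_bad))
    print("n-1 trick:", validate_via_n_minus_1(q_good), validate_via_n_minus_1(q_bad))
```

Checking y_P == p - y_Q, rather than only that P lies on the curve with the same x, rules out the other on-curve point with that x (P == Q). On a curve such as P-256 whose group order n is prime, every on-curve point other than the identity already has order n, so for such curves the order check can only fail for inputs that the on-curve check rejects anyway; its value is as a defence in depth and for curves with a cofactor larger than 1.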