Hello,
Sun, 19 Apr 2020 at 17:13, Niels Möller <nisse@lysator.liu.se>:
Dmitry Baryshkov dbaryshkov@gmail.com writes:
From: Dmitry Eremin-Solenikov dbaryshkov@gmail.com
Thanks for the update and explanation.
+/*
- Shared key derivation/key agreement for GOST DSA algorithm.
- It is defined in RFC 4357 Section 5.2 and RFC 7836 Section 4.3.1
- Basically shared key is equal to hash(cofactor * ukm * priv * pub). This
- function does multiplication. Caller should do hashing on his own.
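Review bot: the comment gives the formula hash(cofactor * ukm * priv * pub) but not the information a caller needs to do that hashing correctly: it should say what the function actually writes into `out` (from the length check further down, the affine point as 2 * bsize bytes), in which byte order the two coordinates are encoded, how `ukm` is interpreted as a scalar (byte order, and that the scalar product is taken mod q), and which hash the caller is expected to apply (the reply below names Streebog and the legacy gosthash94cp). Suggest replacing "This function does multiplication. Caller should do hashing on his own." with a sentence of the form "Writes the affine coordinates of the shared point, bsize bytes each, to out; the caller hashes them with ...", filling in the encoding this implementation uses.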
So this could be implemented as a (mod q) multiplication of scalars (there's no public API to do that) and an ecc_point_mul, at least as long as the cofactor is 1.
For the two curves defined in RFC 7836 the cofactor is equal to 4. Basically, to keep all these details in a single place I'd prefer to have a single API rather than low-level functions.
For the hashing, one could consider passing in a hashing context and a nettle_hash_update_func, instead of the {out, out_length} arguments.
Possible change, yes.
+void +gostdsa_vko(const struct ecc_scalar *priv,
const struct ecc_point *pub,
size_t ukm_length, const uint8_t *ukm,
size_t out_length, uint8_t *out)
+{
- const struct ecc_curve *ecc = priv->ecc;
- unsigned bsize = (ecc_bit_size(ecc) + 7) / 8;
- mp_size_t size = ecc->p.size;
- mp_size_t itch = 4*size + ecc->mul_itch;
- mp_limb_t *scratch;
- if (itch < 5*size + ecc->h_to_a_itch)
itch = 5*size + ecc->h_to_a_itch;
- assert (pub->ecc == ecc);
- assert (priv->ecc == ecc);
- assert (out_length == 2 * bsize);
- assert (ukm_length <= bsize);
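Review bot: `assert (priv->ecc == ecc);` is a tautology, since `ecc` is initialised from `priv->ecc` at the top of the function; drop it, the `pub->ecc == ecc` assert is the one that catches a real mismatch. Second, the `out_length == 2 * bsize` and `ukm_length <= bsize` asserts are the only validation of caller-supplied sizes; in an NDEBUG build they vanish, so a mismatched `out_length` is silently accepted and any write sized from `bsize` rather than `out_length` overruns the caller's buffer. For a public function either state the exact size contract in the header comment or report the error through a return value instead of relying on assert. Third, nothing rejects an empty or all-zero `ukm`: the scalar then becomes zero and the product is the point at infinity, for which the affine conversion the `h_to_a_itch` scratch is reserved for has no meaningful output; consider asserting `ukm_length > 0` and a non-zero reduced scalar, or documenting that the caller guarantees this.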
So the caller must compute bsize (in the same way, from ecc_bit_size), to be able to call this function correctly. That makes the out_length argument a bit redundant.
I preferred to be on the safe side here, but if you wish, I can change it. VKO is used only with the Streebog (or legacy gosthash94cp) hash functions.
Not quite sure what to do. If it is essential to get away from access to internal symbols, I could merge as is.
Let's beat it into agreeable shape if possible, so that we won't have to change it right after the release.
But longer term, I think it would be better if we could add needed primitives, e.g., mod q operations, so that applications can do things like this themselves, using more general primitives. Like there are no Nettle functions specifically for doing non-GOST ECC DH for TLS.
For ECC DH it is quite simple: ecc_point_mul. For GOST VKO there are too many details (in my opinion).
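The VKO structure the two posters argue about above (shared key = hash(cofactor * ukm * priv * pub), with cofactor 4 on the RFC 7836 curves, versus the mod-q scalar product plus ecc_point_mul that suffices when the cofactor is 1), as an added example that is not Nettle code and comes from neither poster. It uses a constructed toy Weierstrass curve over GF(103) with cofactor 4, found by exhaustive search at run time (the real curves are 256 and 512 bits), SHA-256 in place of Streebog, and little-endian encodings by assumption; the private keys and ukm are constructed values. Beyond the thread's own case it also shows why the two formulations are not equivalent: a peer public key that is on the curve but carries a small-subgroup component leaves the cofactor-on-point result unchanged, while folding the cofactor into the mod-q scalar makes the result depend on the private key.

```python
"""Toy model of the VKO key agreement structure discussed in the thread:
shared point = cofactor * (ukm * priv mod q) * pub, then hash the affine point.
Constructed for illustration only: toy curve over GF(103), SHA-256 for Streebog,
little-endian byte order assumed. Not Nettle code."""
import hashlib

P = 103  # constructed toy field prime


def ec_add(curve, p1, p2):
    """Affine addition on y^2 = x^3 + a*x + b over GF(p); None is the point at infinity."""
    p, a = curve["p"], curve["a"]
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P), which also covers doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(curve, k, pt):
    """Double-and-add scalar multiplication (not constant-time; toy only)."""
    r = None
    while k:
        if k & 1:
            r = ec_add(curve, r, pt)
        pt = ec_add(curve, pt, pt)
        k >>= 1
    return r


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def find_toy_curve(p=P, cofactor=4):
    """Search a, b for a curve of order cofactor * q with q prime. Returns the parameters,
    a generator g of the order-q subgroup, and a point `small` of order dividing the
    cofactor (the component an invalid public key can carry)."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    for a in range(p):
        for b in range(1, p):
            if (4 * a ** 3 + 27 * b ** 2) % p == 0:
                continue  # singular curve
            pts = [(x, y) for x in range(p) for y in roots.get((x ** 3 + a * x + b) % p, [])]
            order = len(pts) + 1  # plus the point at infinity
            if order % cofactor or not is_prime(order // cofactor):
                continue
            curve = {"p": p, "a": a, "b": b, "n": order, "q": order // cofactor, "h": cofactor}
            for r in pts:
                g, small = ec_mul(curve, cofactor, r), ec_mul(curve, curve["q"], r)
                if g is not None and small is not None:
                    curve["g"], curve["small"] = g, small
                    return curve
    raise ValueError("no curve with the requested cofactor found")


def vko_point(curve, priv, pub, ukm, cofactor_on_point=True):
    """Shared point h * (ukm * priv mod q) * pub. With cofactor_on_point=True the cofactor
    is a separate point multiplication that kills any small-subgroup part of `pub` before
    the secret scalar is applied; False folds it into the mod-q scalar (the ecc_point_mul
    route), which is only equivalent when `pub` truly has order q or the cofactor is 1."""
    s = (int.from_bytes(ukm, "little") * priv) % curve["q"]  # assumption: little-endian ukm
    if cofactor_on_point:
        return ec_mul(curve, s, ec_mul(curve, curve["h"], pub))
    return ec_mul(curve, (curve["h"] * s) % curve["q"], pub)


def vko_kek(curve, priv, pub, ukm):
    """Caller-side hashing of the affine point, as the patch comment leaves it to the caller."""
    shared = vko_point(curve, priv, pub, ukm)
    if shared is None:
        raise ValueError("shared point is the point at infinity (zero ukm or zero scalar)")
    bsize = (curve["p"].bit_length() + 7) // 8  # same bsize rule as the patch
    x, y = shared
    encoded = x.to_bytes(bsize, "little") + y.to_bytes(bsize, "little")  # 2 * bsize bytes
    return hashlib.sha256(encoded).digest()  # SHA-256 stands in for Streebog


def demo(ukm=b"\x05"):
    """Both directions of the toy VKO plus the rogue-key comparison; returns the results."""
    curve = find_toy_curve()
    d_a, d_b = 7, 11  # constructed private keys, both below q (q >= 23 for p = 103)
    q_a, q_b = ec_mul(curve, d_a, curve["g"]), ec_mul(curve, d_b, curve["g"])
    rogue = ec_add(curve, q_b, curve["small"])  # valid curve point, wrong subgroup
    leaks = [d for d in range(1, curve["q"])
             if vko_point(curve, d, rogue, ukm, False) != vko_point(curve, d, q_b, ukm)]
    return {"curve": curve,
            "kek_a": vko_kek(curve, d_a, q_b, ukm),
            "kek_b": vko_kek(curve, d_b, q_a, ukm),
            "rogue_cleared_equal": vko_point(curve, d_a, rogue, ukm) == vko_point(curve, d_a, q_b, ukm),
            "folded_differs_for": leaks}


if __name__ == "__main__":
    res = demo()
    print("q =", res["curve"]["q"], "h =", res["curve"]["h"], "KEKs agree:", res["kek_a"] == res["kek_b"])
    print("cofactor-on-point unchanged by rogue key:", res["rogue_cleared_equal"])
    print("folded cofactor differs for", len(res["folded_differs_for"]), "private keys")
```

The order of operations is the whole point: multiplying the received point by the cofactor first makes the result independent of anything outside the prime-order subgroup, whereas a scalar reduced mod q cannot do that once the cofactor is not 1. The explicit rejection of a shared point at infinity covers the zero-ukm case that length checks alone do not.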