Daiki Ueno ueno@gnu.org writes:
nisse@lysator.liu.se (Niels Möller) writes:
I see you've made some changes to the needed scratch space; if I understand it correctly, you need to allow h_to_a_itch larger than mul_itch or mul_g_itch. You increase the value of ECC_ECDSA_SIGN_ITCH and add a new ECC_ECDSA_KEYGEN_ITCH. Can you comment on that?
The only reason ECDSA is affected at all by curve448 is that we have tests for ecdsa over curve25519 and curve448, even though that's not the way these curves are intended to be used. Maybe that should just be deleted.
Indeed, I agree to remove the tests and affected parts in the library.
I'm considering the below patch. I think there's room for further improvement, maybe splitting the h_to_a method up (it's called with op == 0, and with op == 2 from the ecdsa, but never with op == 1). Maybe adding some ecc_mod_canonical function. But deleting this unneeded code right away seems like an improvement in itself.
Regards, /Niels
diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c index 8173b887..89d2b6e3 100644 --- a/ecc-eh-to-a.c +++ b/ecc-eh-to-a.c @@ -56,6 +56,8 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
mp_limb_t cy;
+ assert(op == 0); + /* Needs 2*size + scratch for the invert call. */ ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
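Review bot: the new `assert(op == 0)` is now the only thing in ecc_eh_to_a that looks at `op`, and it disappears under NDEBUG, so a release build silently returns the full affine point for any op value instead of failing. Since the thread already notes that this function is only ever called with op == 0 and, from the ecdsa code, op == 2, either drop the op parameter from ecc_eh_to_a altogether or put a comment next to the assert stating that op != 0 is unsupported for Edwards curves, so the contract survives a build without asserts.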
@@ -63,25 +65,6 @@ ecc_eh_to_a (const struct ecc_curve *ecc, cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r, tp, ecc->p.size);
- if (op) - { - /* Skip y coordinate */ - if (op > 1) - { - /* Reduce modulo q. Hardcoded for curve25519, duplicates end - of ecc_25519_modq. FIXME: Is this needed at all? op > 0 - is only used by ecdsa code, and ecdsa on Edwards curves - makes little sense and is is only used by tests. */ - unsigned shift; - assert (ecc->p.bit_size == 255); - shift = ecc->q.bit_size - 1 - GMP_NUMB_BITS * (ecc->p.size - 1); - cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size, - r[ecc->p.size-1] >> shift); - assert (cy < 2); - cnd_add_n (cy, r, ecc->q.m, ecc->p.size); - } - return; - } ecc_modp_mul (ecc, tp, yp, izp); cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); diff --git a/testsuite/ecdsa-keygen-test.c b/testsuite/ecdsa-keygen-test.c index a96c09ef..0deb7214 100644 --- a/testsuite/ecdsa-keygen-test.c +++ b/testsuite/ecdsa-keygen-test.c @@ -78,6 +78,10 @@ test_main (void) struct ecc_point pub; struct ecc_scalar key;
+ if (ecc->p.bit_size == 255) + /* Exclude curve25519, which isn't supported with ECDSA. */ + continue; + if (verbose) fprintf (stderr, "Curve %d\n", ecc->p.bit_size);
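Review bot: removing the `if (op)` block takes away the only place where ecc_eh_to_a reduced r modulo q (the hardcoded curve25519 `mpn_submul_1` path), while the ecdsa caller that passes op == 2 is unchanged; if it is ever handed an Edwards curve it now trips the assert in a debug build, or reads an x coordinate reduced only mod p with NDEBUG. The removed FIXME answered its own question, so a sentence at the h_to_a declaration (or in the commit message) saying that op != 0 is a Weierstrass-only feature and that ecdsa over curve25519 is intentionally unsupported would keep that knowledge from being lost with the comment.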
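Review bot: keying the skip on `ecc->p.bit_size == 255` excludes curve25519 only; the curve448 work this thread is about will pass the check and need a second magic number, even though its ecdsa tests are equally unwanted. Compare the curve pointer instead, e.g. `if (ecc == &_nettle_curve25519) continue;` (the same symbol the sign and verify tests used), or skip on whatever property distinguishes the Edwards curves, so the exclusion does not depend on the bit size.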
diff --git a/testsuite/ecdsa-sign-test.c b/testsuite/ecdsa-sign-test.c index 23275357..b240a31b 100644 --- a/testsuite/ecdsa-sign-test.c +++ b/testsuite/ecdsa-sign-test.c @@ -156,18 +156,4 @@ test_main (void) "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ - - /* Non-standard ecdsa using curve25519. Not interop-tested with - anything else. */ - test_ecdsa (&_nettle_curve25519, - "1db511101b8fd16f e0212c5679ef53f3" - "323bde77f9efa442 617314d576d1dbcb", /* z */ - "aa2fa8facfdc3a99 ec466d41a2c9211c" - "e62e1706f54037ff 8486e26153b0fa79", /* k */ - SHEX("e99df2a098c3c590 ea1e1db6d9547339" - "ae760d5331496119 5d967fd881e3b0f5"), /* h */ - " 515c3a485f57432 0daf3353a0d08110" - "64157c556296de09 4132f74865961b37", /* r */ - " 78f23367291b01 3fc430fb09322d95" - "4384723649868d8e 88effc7ac8b141d7"); /* s */ } diff --git a/testsuite/ecdsa-verify-test.c b/testsuite/ecdsa-verify-test.c index 971988c3..6a593d6f 100644 --- a/testsuite/ecdsa-verify-test.c +++ b/testsuite/ecdsa-verify-test.c @@ -145,17 +145,4 @@ test_main (void) "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ - - test_ecdsa (&_nettle_curve25519, - /* Public key corresponding to the key in ecdsa-sign-test */ - "59f8f317fd5f4e82 c02f8d4dec665fe1" - "230f83b8572638e1 b2ac34a30028e24d", /* x */ - "1902a72dc1a6525a 811b9c1845978d56" - "fd97dce5e278ebdd ec695349d7e41498", /* y */ - SHEX("e99df2a098c3c590 ea1e1db6d9547339" - "ae760d5331496119 5d967fd881e3b0f5"), /* h */ - " 515c3a485f57432 0daf3353a0d08110" - "64157c556296de09 4132f74865961b37", /* r */ - " 78f23367291b01 3fc430fb09322d95" - "4384723649868d8e 88effc7ac8b141d7"); /* s */ }
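Review bot: after deleting the curve25519 vectors from ecdsa-sign-test.c and ecdsa-verify-test.c, nothing in the testsuite exercises ecc_eh_to_a with op != 0 any more, which matches the new assert; check whether `_nettle_curve25519` was the only reason these two files pulled in the internal curve declarations, since any such include or extern is now unused. The sign-test hunk also removes the only comment recording that the vectors were non-standard and never interop-tested; carrying that one line into the commit message would stop someone from re-adding them later as if they were a supported mode.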
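As an added illustration of the "ecc_mod_canonical" step Niels mentions, here is the conditional-subtract-and-copy pattern that the ecc_eh_to_a hunk performs with `mpn_sub_n` and `cnd_copy`, written without GMP so it runs stand-alone. This is example code, not nettle's own; the names `mod_canonical`, `sub_n` and `cnd_copy`, the fixed 64-bit limb type and the four constructed inputs around p = 2^255 - 19 are this example's assumptions. The point it shows is that a value known to lie in [0, 2m) is brought into [0, m) with the same instruction sequence and memory accesses whether or not the subtraction underflowed.

```c
/* Added example (not nettle code): constant-time canonical reduction of
 * x in [0, 2m) to x mod m, mirroring mpn_sub_n + cnd_copy in ecc_eh_to_a.
 * Limb type, function names and test values are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint64_t limb_t;
#define LIMB_BITS 64

/* r = a - b over n limbs; returns the borrow out (0 or 1).  The borrow
 * is derived with bit operations, so there is no data-dependent branch. */
static limb_t
sub_n (limb_t *r, const limb_t *a, const limb_t *b, size_t n)
{
  limb_t borrow = 0;
  for (size_t i = 0; i < n; i++)
    {
      limb_t ai = a[i], bi = b[i];
      limb_t d = ai - bi - borrow;
      borrow = ((~ai & bi) | (~(ai ^ bi) & d)) >> (LIMB_BITS - 1);
      r[i] = d;
    }
  return borrow;
}

/* If cnd == 1 overwrite r with a, if cnd == 0 leave r unchanged;
 * both cases read and write exactly the same words. */
static void
cnd_copy (limb_t cnd, limb_t *r, const limb_t *a, size_t n)
{
  limb_t mask = -cnd;               /* cnd must be 0 or 1 */
  for (size_t i = 0; i < n; i++)
    r[i] = (r[i] & ~mask) | (a[i] & mask);
}

/* r = x mod m for 0 <= x < 2m.  Subtract m unconditionally; if that
 * borrowed (x < m) copy x back.  r must not alias x. */
static void
mod_canonical (limb_t *r, const limb_t *x, const limb_t *m, size_t n)
{
  limb_t borrow = sub_n (r, x, m, n);
  cnd_copy (borrow, r, x, n);
}

static int
limbs_equal (const limb_t *a, const limb_t *b, size_t n)
{
  limb_t diff = 0;
  for (size_t i = 0; i < n; i++)
    diff |= a[i] ^ b[i];
  return diff == 0;
}

#define N 4
/* p = 2^255 - 19, little-endian 64-bit limbs (constructed test modulus). */
static const limb_t p25519[N] = {
  0xFFFFFFFFFFFFFFEDULL, ~0ULL, ~0ULL, 0x7FFFFFFFFFFFFFFFULL
};

/* Four constructed inputs covering both sides of the borrow: 0, p-1,
 * p+5 and 2p-1.  Returns how many reduced to the expected residue (4). */
int
mod_canonical_selftest (void)
{
  static const struct { limb_t x[N], want[N]; } cases[] = {
    { { 0, 0, 0, 0 }, { 0, 0, 0, 0 } },
    { { 0xFFFFFFFFFFFFFFECULL, ~0ULL, ~0ULL, 0x7FFFFFFFFFFFFFFFULL },
      { 0xFFFFFFFFFFFFFFECULL, ~0ULL, ~0ULL, 0x7FFFFFFFFFFFFFFFULL } },
    { { 0xFFFFFFFFFFFFFFF2ULL, ~0ULL, ~0ULL, 0x7FFFFFFFFFFFFFFFULL },
      { 5, 0, 0, 0 } },
    { { 0xFFFFFFFFFFFFFFD9ULL, ~0ULL, ~0ULL, ~0ULL },
      { 0xFFFFFFFFFFFFFFECULL, ~0ULL, ~0ULL, 0x7FFFFFFFFFFFFFFFULL } },
  };
  int ok = 0;
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
    {
      limb_t r[N];
      mod_canonical (r, cases[i].x, p25519, N);
      ok += limbs_equal (r, cases[i].want, N);
    }
  return ok;
}

int
main (void)
{
  printf ("%d/4 reductions correct\n", mod_canonical_selftest ());
  return 0;
}
```

The subtraction is always performed and its result always written; the borrow only selects, via a full-width mask, whether the pre-subtraction value is copied back. A version that did `if (x >= m) x -= m` with a comparison loop would leak through timing whether the input was above or below the modulus, which is the reason the original code reaches for `cnd_copy` rather than a branch.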