On Mon, Feb 18, 2013 at 10:55 AM, Niels Möller nisse@lysator.liu.se wrote:
Nikos Mavrogiannopoulos nmav@gnutls.org writes:
If there is a function to do the DH multiplication k*(ecdsa_public_key) I think gnutls could be tested with that interface, if I get some time to do that.
I'm looking into an interface redesign of the high-level ecdsa, using types
/* Represents a point on the ECC curve */
struct ecc_point {
  const struct ecc_curve *ecc;
  /* Allocated using the same allocation function as GMP. */
  mp_limb_t *p;
};
Wouldn't you need more than one member there? I'd expect x, y, z. Or do you plan to work internally using the X9.62 format? Would you also need to keep the size of limb_t?
/* Represents a non-zero scalar, an element of Z_q^*, where q is the
   group order of the curve. */
struct ecc_scalar {
  const struct ecc_curve *ecc;
  /* Allocated using the same allocation function as GMP. */
  mp_limb_t *p;
};
Why not keep the scalar as just a number (i.e. mpz_t)? Is there any advantage in treating it as related to the curve?
- For the final multiplication in ECDH, do you want the complete point, or do you need the x coordinate only?
For TLS we only need x. I don't know about other protocols. P1363 should discuss some but it is not publicly available (and it is a shame that IETF ECC-TLS only refers to that).
- I wonder if I should somehow add some aliases, ecdsa_public_key <=> ecc_point, ecdsa_private_key <=> ecc_scalar?
They could be typedefs, or defines, but I don't know whether this would make it more clear.
- Is there any need to support operations involving the zero point (group zero, curve infinity)? For now, I don't have any high-level function to add two points.
Few implementations don't handle it at all, but couldn't that be the result of an intermediate calculation? (Quite unlikely, though still possible.) In that case I'm not sure what happens (those implementations would still return some result).
And during signing, would it make sense to check if z s_1 = h (here, z is the private key, s_1 is the x coordinate of k G, and h is the message digest), and try a new random k in that case? In addition to the checks for s_1 == 0 or s_2 == 0?
The check looks like a good one on a first read, but isn't it the same as checking for k being 3? (or whatever fixed value).
regards, Nikos
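As an added illustration (not Nettle code, and not from either poster), a toy-curve ECDSA signing loop in C that applies the s_1 == 0 / s_2 == 0 checks discussed above and whose point addition handles the group zero explicitly on input and output. The curve y^2 = x^3 + 2x + 2 over GF(17), generator (5,1) and group order 19 are constructed toy parameters, and int64_t stands in for the mp_limb_t arrays of the interface under discussion.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed toy parameters (assumption, not a real curve): y^2 = x^3 + A*x + 2
 * over GF(P), generator G = (5,1) of prime order Q.  Real code uses GMP limbs. */
enum { P = 17, A = 2, Q = 19 };

typedef struct { int64_t x, y; bool inf; } point;   /* inf: the group zero */
typedef struct { int64_t s1, s2, k; } ecdsa_sig;     /* k: nonce finally used */
static const point G = {5, 1, false};

static int64_t md(int64_t a, int64_t m) { a %= m; return a < 0 ? a + m : a; }
static int64_t inv(int64_t a, int64_t m) {           /* a^(m-2) mod prime m */
    int64_t r = 1, b = md(a, m);
    for (int64_t e = m - 2; e > 0; e >>= 1, b = b * b % m) if (e & 1) r = r * b % m;
    return r;
}
/* Point addition that accepts the zero point as input and may return it. */
static point add(point s, point t) {
    if (s.inf) return t;
    if (t.inf) return s;
    if (s.x == t.x && md(s.y + t.y, P) == 0) return (point){0, 0, true};  /* s == -t */
    int64_t l = (s.x == t.x) ? md((3 * s.x * s.x + A) * inv(2 * s.y, P), P)
                             : md((t.y - s.y) * inv(t.x - s.x, P), P);
    point r = {md(l * l - s.x - t.x, P), 0, false};
    r.y = md(l * (s.x - r.x) - s.y, P);
    return r;
}
static point mul(int64_t k, point g) {              /* double-and-add from zero */
    point r = {0, 0, true};
    for (k = md(k, Q); k > 0; k >>= 1, g = add(g, g)) if (k & 1) r = add(r, g);
    return r;
}
/* Sign digest h with private scalar z.  k is the first nonce tried; a nonce
 * giving s1 == 0 or s2 == 0 is rejected and the next one is tried instead. */
ecdsa_sig ecdsa_sign(int64_t z, int64_t h, int64_t k) {
    ecdsa_sig sig;
    for (;; k++) {
        sig.k = md(k, Q);
        if (sig.k == 0) continue;
        sig.s1 = md(mul(sig.k, G).x, Q);                 /* x coordinate of kG, mod q */
        sig.s2 = md(inv(sig.k, Q) * md(h + z * sig.s1, Q), Q);
        if (sig.s1 != 0 && sig.s2 != 0) return sig;
    }
}
bool ecdsa_verify(point pub, int64_t h, ecdsa_sig sig) {
    int64_t w = inv(sig.s2, Q);
    point r = add(mul(md(h * w, Q), G), mul(md(sig.s1 * w, Q), pub));
    return !r.inf && md(r.x, Q) == sig.s1;
}
```

On this toy curve 7*G has x coordinate 0, so signing with k = 7 exercises the s_1 == 0 rejection and moves on to k = 8.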