From: Saulo Alessandre <saulo.alessandre@xxxxxxxxxx> Why ECDSA on kernel: I work on Brazilian Supreme Electoral Court [http://www.tse.jus.br], we are using ECDSA for module and elf32 binaries verification including shared libraries on about 450k T-DRE voting machines [5]. This is the first part of our try to contribution, we pretend to share the elf32 signature mechanism and elf32 kernel verification and start to work on elf64 verification too. We have an team of about 12 techs, between cryptologist, developers, testers, managers, staff and the coffee machine :). Recently we receive authorization to share this codes. Somes advantages from ECDSA are: . is more secure against current methos of cracking [2]; . gives optimal security with shorter key lenghts [2]; First, comparing key size RSA vs ECDSA we have: Table 1: Comparable key sizes table. ref [3] |----------+-----+--------+ |Security in bits | |----------+-----+--------+ |Symmetric | ECC | RSA | | 80 | 163 | 1.024 | | 112 | 233 | 2.240 | | 128 | 283 | 3.072 | | 192 | 409 | 7.680 | | 256 | 571 | 15.360 | |----------+-----+--------+ So, We need a bigger key in RSA to have the same security against ECDSA. This can be see on [1] too. Second, comparing speed performance RSA vs ECDSA we have: Table 2: Signature performance table. ref: [3] |-------------+------+------+ | Key Length | Time (s) | |-----+-------+------+------+ | ECC | RSA | ECC | RSA | |-----+-------+------+------+ | 163 | 1024 | 0.15 | 0.01 | | 233 | 2240 | 0.34 | 0.15 | | 283 | 3072 | 0.59 | 0.21 | | 409 | 7680 | 1.18 | 1.53 | | 571 | 15360 | 3.07 | 9.20 | |-----+-------+------+------+ Table 3: Signature verification performance table. ref: [3] |-------------+------+------+ | Key Length | Time (s) | |-----+-------+------+------+ | ECC | RSA | ECC | RSA | |-----+-------+------+------+ | 163 | 1024 | 0.23 | 0.01 | | 233 | 2240 | 0.51 | 0.01 | | 283 | 3072 | 0.86 | 0.01 | | 409 | 7680 | 1.80 | 0.01 | | 571 | 15360 | 4.53 | 0.03 | |-----+-------+------+------+ On tables 2 and 3, we can see that ECDSA is more fast for strong key signatures and very slow for verification when comparable to RSA. Although something is not so fast to check, it pays off in safety. References: [1] - https://www.ecrypt.eu.org/csa/documents/D5.4-FinalAlgKeySizeProt.pdf [2] - https://sectigostore.com/blog/ecdsa-vs-rsa-everything-you-need-to-know/ [3] - http://nicj.net/files/performance_comparison_of_elliptic_curve_and_rsa_digital_signatures.pdf [4] - Mathematical-routines-for-the-NIST-prime-elliptic-curves.pdf [google it] [5] - https://www.researchgate.net/publication/221046512_T-DRE_a_hardware_trusted_computing_base_for_direct_recording_electronic_vote_machines --- Saulo Alessandre (4): ecdsa: add params to ecdsa algo ecdsa: prepare akcipher and x509 parser to use incoming ecdsa ecdsa: change ecc.c and ecc.h to support ecdsa ecdsa: implements ecdsa signature verification Documentation/admin-guide/module-signing.rst | 10 + crypto/Kconfig | 12 + crypto/Makefile | 7 + crypto/asymmetric_keys/pkcs7_parser.c | 7 +- crypto/asymmetric_keys/pkcs7_verify.c | 5 +- crypto/asymmetric_keys/public_key.c | 30 +- crypto/asymmetric_keys/x509_cert_parser.c | 37 +- crypto/ecc.c | 338 +++++++++--- crypto/ecc.h | 59 ++- crypto/ecc_curve_defs.h | 82 +++ crypto/ecdsa.c | 509 +++++++++++++++++++ crypto/ecdsa_params.asn1 | 1 + crypto/ecdsa_signature.asn1 | 6 + crypto/testmgr.c | 17 +- crypto/testmgr.h | 78 +++ include/crypto/ecdh.h | 2 + include/linux/oid_registry.h | 12 + lib/oid_registry.c | 100 ++++ 18 files changed, 1201 insertions(+), 111 deletions(-) create mode 100644 crypto/ecdsa.c create mode 100644 crypto/ecdsa_params.asn1 create mode 100644 crypto/ecdsa_signature.asn1 -- 2.25.1