Re: [PATCH v2 00/14] Add support for NIST P521 to ecdsa and ecdh

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 2/16/24 14:40, Simo Sorce wrote:
On Fri, 2024-02-16 at 14:32 -0500, Stefan Berger wrote:

On 2/16/24 14:27, Simo Sorce wrote:
On Thu, 2024-02-15 at 18:13 -0500, Stefan Berger wrote:
This series of patches adds support for the NIST P521 curve to ecdsa and
ecdh. Test cases for NIST P521 are added to both modules.

An issue with the current code in ecdsa and ecdh is that it assumes that
input arrays providing key coordinates for example, are arrays of digits
(a 'digit' is a 'u64'). This works well for all currently supported
curves, such as NIST P192/256/384, but does not work for NIST P521 where
coordinates are 8 digits + 2 bytes long. So some of the changes deal with
converting byte arrays to digits and digits to byte arrays.


Regards,
     Stefan

v2:
   - Reformulated some patch descriptions
   - Fixed issue detected by krobot
   - Some other small changes to the code

Stefan Berger (14):
    crypto: ecdsa - Convert byte arrays with key coordinates to digits
    crypto: ecdsa - Adjust tests on length of key parameters
    crypto: ecdsa - Extend res.x mod n calculation for NIST P521
    crypto: ecc - Implement vli_mmod_fast_521 for NIST p521
    crypto: ecc - For NIST P521 use vli_num_bits to get number of bits
    crypto: ecc - Add NIST P521 curve parameters
    crypto: ecdsa - Register NIST P521 and extend test suite
    x509: Add OID for NIST P521 and extend parser for it
    crypto: ecdh - Use properly formatted digits to check for valid key
    crypto: ecc - Implement ecc_digits_to_bytes to convert digits to byte
      array
    crypto: Add nbits field to ecc_curve structure
    crypto: ecc - Implement and use ecc_curve_get_nbytes to get curve's
      nbytes
    crypto: ecdh - Use functions to copy digits from and to byte array
    crypto: ecdh - Add support for NIST P521 and add test case

   crypto/asymmetric_keys/x509_cert_parser.c |   3 +
   crypto/ecc.c                              |  71 +++++--
   crypto/ecc_curve_defs.h                   |  45 +++++
   crypto/ecdh.c                             |  59 +++++-
   crypto/ecdsa.c                            |  48 ++++-
   crypto/testmgr.c                          |  14 ++
   crypto/testmgr.h                          | 225 ++++++++++++++++++++++
   include/crypto/ecc_curve.h                |   3 +
   include/crypto/ecdh.h                     |   1 +
   include/crypto/internal/ecc.h             |  61 +++++-
   include/linux/oid_registry.h              |   1 +
   11 files changed, 495 insertions(+), 36 deletions(-)

Hi Stefan,
what kind of side-channel testing was performed on this code?
And what is the use case you are adding it for?

We're using public keys for signature verification. I am not aware that
public key usage is critical to side channels.

The use case for adding it is primarily driven by closing a gap to
complete the support for the common ECDSA NIST curves.

Is there an assumption the ECDH code uses exclusively ephemeral keys?

It can use both, provided keys and ephemeral keys. I think at this point it's best to drop ecdh support from this series.

   Stefan

Simo.





[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux