[Cryptech-Commits] [user/shatov/ecdh_fpga_model] branch master updated: * Follow more closely what Verilog does * Don't use hardcoded numbers, use the ones built into fastecdsa package * Generate more test vectors to really abuse the core and trigger the rarely used code path in the point addition procedure

git at cryptech.is git at cryptech.is
Fri Apr 6 18:56:40 UTC 2018



meisterpaul1 at yandex.ru pushed a commit to branch master
in repository user/shatov/ecdh_fpga_model.

The following commit(s) were added to refs/heads/master by this push:
     new 5c26d79   * Follow more closely what Verilog does  * Don't use hardcoded numbers, use the ones built into fastecdsa package  * Generate more test vectors to really abuse the core and trigger the rarely    used code path in the point addition procedure
5c26d79 is described below

commit 5c26d791ba611a00af3a6010c014694f6582bf12
Author: Pavel V. Shatov (Meister) <meisterpaul1 at yandex.ru>
AuthorDate: Fri Apr 6 21:52:21 2018 +0300

     * Follow more closely what Verilog does
     * Don't use hardcoded numbers, use the ones built into fastecdsa package
     * Generate more test vectors to really abuse the core and trigger the rarely
       used code path in the point addition procedure
---
 fpga_curve.cpp                      | 20 +++++++-
 test_vectors/ecdh_test_vectors.v    | 91 ++++++++++++++++++++++++++++++------
 test_vectors/format_test_vectors.py | 93 ++++++++++++++++++++++++++-----------
 3 files changed, 162 insertions(+), 42 deletions(-)

diff --git a/fpga_curve.cpp b/fpga_curve.cpp
index 46f6f73..1efb8b6 100644
--- a/fpga_curve.cpp
+++ b/fpga_curve.cpp
@@ -305,9 +305,25 @@ void fpga_curve_scalar_multiply(FPGA_BUFFER *px, FPGA_BUFFER *py, FPGA_BUFFER *k
 	FPGA_BUFFER rx, ry, rz;		// intermediate result
 	FPGA_BUFFER tx, ty, tz;		// temporary variable
 
+		/* prepare for computation */
+	fpga_buffer_copy(px,         &rx);
+	fpga_buffer_copy(py,         &ry);
+	fpga_buffer_copy(&ecdsa_one, &rz);
+
 		/* obtain quantity 2 * P */
-	fpga_curve_double_jacobian(px, py, &ecdsa_one, &tx, &ty, &tz);
-	fpga_curve_point_to_affine(&tx, &ty, &tz, &ecdh_d_x, &ecdh_d_y);
+	fpga_curve_double_jacobian(&rx, &ry, &rz, &tx, &ty, &tz);
+
+		/* copy again */
+	fpga_buffer_copy(&tx, &rx);
+	fpga_buffer_copy(&ty, &ry);
+	fpga_buffer_copy(&tz, &rz);
+
+		/* convert to affine coordinates */
+	fpga_curve_point_to_affine(&rx, &ry, &rz, qx, qy);
+
+		/* store for later reuse */
+	fpga_buffer_copy(qx, &ecdh_d_x);
+	fpga_buffer_copy(qy, &ecdh_d_y);
 
 		/* set initial value of R to point at infinity */
 	fpga_buffer_copy(&ecdsa_one,  &rx);
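Review bot: The caller's output buffers `qx`/`qy` are now filled with 2·P by `fpga_curve_point_to_affine(&rx, &ry, &rz, qx, qy)` long before the real result exists, so a caller that passes the same buffer as `px` and `qx` (in-place use) gets its input overwritten; px/py are copied into rx/ry first, so this only matters if px/py are read again later in the body, which continues past the hunk. If aliasing is not meant to be supported, say so at the top of the function: `/* qx/qy are used as scratch for 2*P and must not alias px/py */`. From the C side the copy of tx/ty/tz back into rx/ry/rz before the affine conversion is redundant (tx/ty/tz could be converted directly), so a comment that it deliberately mirrors the Verilog register moves would keep a later cleanup from dropping it. Storing 2·P into the file-scope `ecdh_d_x`/`ecdh_d_y` also makes the routine non-reentrant, which is presumably acceptable for a model but worth stating next to those globals.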
diff --git a/test_vectors/ecdh_test_vectors.v b/test_vectors/ecdh_test_vectors.v
index 3b2e83e..7a5ef26 100644
--- a/test_vectors/ecdh_test_vectors.v
+++ b/test_vectors/ecdh_test_vectors.v
@@ -1,5 +1,9 @@
 /* Generated automatically, do not edit. */
 
+localparam [255:0] P_256_N =
+	{32'hffffffff, 32'h00000000, 32'hffffffff, 32'hffffffff, 
+	 32'hbce6faad, 32'ha7179e84, 32'hf3b9cac2, 32'hfc632551};
+
 localparam [255:0] P_256_DA =
 	{32'h404d4afa, 32'h3865a3d6, 32'hf921ccb4, 32'h7cdea4e9, 
 	 32'h276c3d45, 32'h6e84d196, 32'h63324daf, 32'h8c5e2f44};
@@ -12,17 +16,25 @@ localparam [255:0] P_256_QA_Y =
 	{32'hd1345bcc, 32'ha022ea89, 32'h53b04c2d, 32'h11fc24f8, 
 	 32'h0b3b7f84, 32'h7b79deee, 32'hd92ec430, 32'hd8ec3c98};
 
+localparam [255:0] P_256_QA2_X =
+	{32'h1aa13502, 32'h273db88f, 32'h21b4b0be, 32'h688a06c6, 
+	 32'h6a6019ef, 32'h7a00eb42, 32'h8e84a4b0, 32'h1dac831a};
+
+localparam [255:0] P_256_QA2_Y =
+	{32'h60b3485e, 32'hf3357265, 32'h37fb2896, 32'h353d09c3, 
+	 32'he6b148bc, 32'h2674f25a, 32'h353be0d1, 32'hc1fd615b};
+
 localparam [255:0] P_256_DB =
 	{32'h7159a43b, 32'he8322471, 32'h19feaeb2, 32'h7a92466e, 
 	 32'h2b07c8df, 32'h29bbd7ea, 32'hd3232af8, 32'h44995a95};
 
-localparam [255:0] P_256_QB_X =
-	{32'h0514608d, 32'hc2dc6a21, 32'h74b084d6, 32'h168aad13, 
-	 32'h4acd3f52, 32'h6e49dc32, 32'hbf9872aa, 32'ha4be99d9};
+localparam [255:0] P_256_QB2_X =
+	{32'h7f1985aa, 32'h9dd4df67, 32'h2e1b8673, 32'ha0a9adf8, 
+	 32'h1f42adde, 32'had136ffb, 32'h0a89b382, 32'hb741238f};
 
-localparam [255:0] P_256_QB_Y =
-	{32'h724afa75, 32'h4c672b71, 32'he87c9bda, 32'he1e2b15f, 
-	 32'h784f480f, 32'heb62040e, 32'h281953bd, 32'hea382946};
+localparam [255:0] P_256_QB2_Y =
+	{32'h7281e72d, 32'h4c2aef64, 32'h048b04d5, 32'hf7d3a824, 
+	 32'h294e3da8, 32'h2ddf43d7, 32'h009a5760, 32'hea0bc5a7};
 
 localparam [255:0] P_256_S_X =
 	{32'ha001c11b, 32'h0d04b6c3, 32'hbe99551e, 32'h9115b811, 
@@ -32,6 +44,27 @@ localparam [255:0] P_256_S_Y =
 	{32'h14ed5674, 32'h62b6ba27, 32'h2ba0e01b, 32'h2647d725, 
 	 32'h5919bf5e, 32'hcbb542f7, 32'h659d40de, 32'h324524ac};
 
+localparam [255:0] P_256_G_X =
+	{32'h6b17d1f2, 32'he12c4247, 32'hf8bce6e5, 32'h63a440f2, 
+	 32'h77037d81, 32'h2deb33a0, 32'hf4a13945, 32'hd898c296};
+
+localparam [255:0] P_256_G_Y =
+	{32'h4fe342e2, 32'hfe1a7f9b, 32'h8ee7eb4a, 32'h7c0f9e16, 
+	 32'h2bce3357, 32'h6b315ece, 32'hcbb64068, 32'h37bf51f5};
+
+localparam [255:0] P_256_H_X =
+	{32'h7cf27b18, 32'h8d034f7e, 32'h8a523803, 32'h04b51ac3, 
+	 32'hc08969e2, 32'h77f21b35, 32'ha60b48fc, 32'h47669978};
+
+localparam [255:0] P_256_H_Y =
+	{32'h07775510, 32'hdb8ed040, 32'h293d9ac6, 32'h9f7430db, 
+	 32'hba7dade6, 32'h3ce98229, 32'h9e04b79d, 32'h227873d1};
+
+localparam [383:0] P_384_N =
+	{32'hffffffff, 32'hffffffff, 32'hffffffff, 32'hffffffff, 
+	 32'hffffffff, 32'hffffffff, 32'hc7634d81, 32'hf4372ddf, 
+	 32'h581a0db2, 32'h48b0a77a, 32'hecec196a, 32'hccc52973};
+
 localparam [383:0] P_384_DA =
 	{32'he733d9db, 32'hb8867b57, 32'h3cbbc0bd, 32'h899c88db, 
 	 32'h669322e8, 32'h0435c1a4, 32'he2b0ddb1, 32'h5e757371, 
@@ -47,20 +80,30 @@ localparam [383:0] P_384_QA_Y =
 	 32'h8ee6a89a, 32'haeccd8fb, 32'h61b35364, 32'hc70dfb48, 
 	 32'heb5c685c, 32'h810bd9cb, 32'h2d184fb1, 32'h096ab30f};
 
+localparam [383:0] P_384_QA2_X =
+	{32'ha7b06d0d, 32'hb185275b, 32'he0a76c9f, 32'h0d7e1037, 
+	 32'hb1b993a6, 32'hb055426c, 32'h82d1c569, 32'hab12f11f, 
+	 32'h78c9b620, 32'heeca809d, 32'hfe7f31ed, 32'hcef06af5};
+
+localparam [383:0] P_384_QA2_Y =
+	{32'h1cfa89ed, 32'h774860c8, 32'h1ee725b0, 32'h9773be94, 
+	 32'h58c4e140, 32'h8caa4964, 32'hd0044b57, 32'h92f5e0c9, 
+	 32'h8fa62798, 32'h86c1bcbc, 32'h67ab059a, 32'hc38a59a1};
+
 localparam [383:0] P_384_DB =
 	{32'h5601820d, 32'h705224a5, 32'hdd6ddb13, 32'he0a15e76, 
 	 32'h869e6abe, 32'h37ba2235, 32'h792af9f6, 32'ha9bf114a, 
 	 32'hd1fd319d, 32'hd8181e06, 32'h44f15448, 32'h4e73a75a};
 
-localparam [383:0] P_384_QB_X =
-	{32'h37ab556d, 32'h0652c6b9, 32'he352c643, 32'h4502be19, 
-	 32'h9fb9c50f, 32'h2ade049b, 32'h06e50c30, 32'hcdab0673, 
-	 32'h69efe0c0, 32'h6e114a76, 32'hf1338175, 32'hdb4f4982};
+localparam [383:0] P_384_QB2_X =
+	{32'hdf3317b1, 32'hba767101, 32'h33c69cd8, 32'hc70de5b6, 
+	 32'h68b78d56, 32'hf0d851ec, 32'hf1697b04, 32'hd2ade0e8, 
+	 32'h30a6e6d6, 32'h2467d70d, 32'hbe12e265, 32'haccdd5ed};
 
-localparam [383:0] P_384_QB_Y =
-	{32'h21cddae0, 32'hf117b656, 32'h7c9d477b, 32'hc1fc5d24, 
-	 32'h3b26651e, 32'h1406f1ee, 32'hb3418552, 32'h739c9395, 
-	 32'h6774c84d, 32'h20cedc15, 32'h92fd5de0, 32'h4bbf98ad};
+localparam [383:0] P_384_QB2_Y =
+	{32'h6d8c1907, 32'ha63f3e87, 32'hd186f8b5, 32'h06fcf6d9, 
+	 32'h2cc2a8a7, 32'hd38fa0ee, 32'hd9b67320, 32'h7181bcf4, 
+	 32'h408e0dd0, 32'h25dfee03, 32'h6916632a, 32'h8335fba2};
 
 localparam [383:0] P_384_S_X =
 	{32'h15ac62cb, 32'hbb51e1ed, 32'hd41d489f, 32'hdfa05d45, 
@@ -72,3 +115,23 @@ localparam [383:0] P_384_S_Y =
 	 32'hf62be0a3, 32'h73da36ef, 32'h8992e7c9, 32'h6cf7619d, 
 	 32'ha2d6c0a2, 32'hd31ad05d, 32'hb3a16a95, 32'h0cb7055f};
 
+localparam [383:0] P_384_G_X =
+	{32'haa87ca22, 32'hbe8b0537, 32'h8eb1c71e, 32'hf320ad74, 
+	 32'h6e1d3b62, 32'h8ba79b98, 32'h59f741e0, 32'h82542a38, 
+	 32'h5502f25d, 32'hbf55296c, 32'h3a545e38, 32'h72760ab7};
+
+localparam [383:0] P_384_G_Y =
+	{32'h3617de4a, 32'h96262c6f, 32'h5d9e98bf, 32'h9292dc29, 
+	 32'hf8f41dbd, 32'h289a147c, 32'he9da3113, 32'hb5f0b8c0, 
+	 32'h0a60b1ce, 32'h1d7e819d, 32'h7a431d7c, 32'h90ea0e5f};
+
+localparam [383:0] P_384_H_X =
+	{32'h08d99905, 32'h7ba3d2d9, 32'h69260045, 32'hc55b97f0, 
+	 32'h89025959, 32'ha6f434d6, 32'h51d207d1, 32'h9fb96e9e, 
+	 32'h4fe0e86e, 32'hbe0e64f8, 32'h5b96a9c7, 32'h5295df61};
+
+localparam [383:0] P_384_H_Y =
+	{32'h8e80f1fa, 32'h5b1b3ced, 32'hb7bfe8df, 32'hfd6dba74, 
+	 32'hb275d875, 32'hbc6cc43e, 32'h904e505f, 32'h256ab425, 
+	 32'h5ffd43e9, 32'h4d39e22d, 32'h61501e70, 32'h0a940e80};
+
diff --git a/test_vectors/format_test_vectors.py b/test_vectors/format_test_vectors.py
index 57f2de1..2d4744a 100644
--- a/test_vectors/format_test_vectors.py
+++ b/test_vectors/format_test_vectors.py
@@ -44,8 +44,8 @@
 #
 import sys
 import subprocess
-from fastecdsa.curve import P256
-from fastecdsa.curve import P384
+from fastecdsa import keys, curve
+from fastecdsa.curve import P256, P384
 from fastecdsa.point import Point
 
 # list of curve names of interest
@@ -53,12 +53,10 @@ CURVE_P256 = "p256"
 CURVE_P384 = "p384"
 
 # the base point for p-256
-P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
-P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
+P256_BASE = keys.get_public_key(1, curve.P256)
 
 # the base point for p-384
-P384_GX = 0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7
-P384_GY = 0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f  
+P384_BASE = keys.get_public_key(1, curve.P384)
 
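Review bot: The new module import `curve` (from `from fastecdsa import keys, curve`) has the same name as the string parameter `curve` of `format_c_header`, `format_verilog_include` and `get_key`, so inside those functions `curve.P256` would be an attribute lookup on a string; the rename of the loop variable to `next_curve` in the `__main__` hunk looks like a workaround for exactly this collision. Since `P256` and `P384` are already imported from `fastecdsa.curve`, the module import is unnecessary: `P256_BASE = keys.get_public_key(1, P256)`, `P384_BASE = keys.get_public_key(1, P384)`, and in the main loop `n = P256.q` / `n = P384.q`, after which the import line can shrink to `from fastecdsa import keys`.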
 #
 # format one test vector
@@ -83,7 +81,14 @@ def format_c_header(f, curve, da, qax, qay, db, qbx, qby, sx, sy):
 #
 # format one test vector
 #
-def format_verilog_include(f, curve, da, qax, qay, db, qbx, qby, sx, sy):
+def format_verilog_include(	f, curve, n,
+							da, qax, qay,
+							db, qbx, qby,
+							sx, sy,
+							gx, gy,
+							hx, hy,
+							qa2x, qa2y,
+							qb2x, qb2y):
 
 	if curve == CURVE_P256:
 		curve_str = "P_256"
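Review bot: `format_verilog_include` now takes 19 positional parameters, seven of them (x, y) pairs of the same int type, so a swapped pair at the call site in the `__main__` block would produce plausible-looking but wrong test vectors that nothing in this script can catch. Passing an ordered list of `(suffix, value)` tuples instead, e.g. `[("_N", n), ("_DA", da), ("_QA_X", qax), ...]`, keeps each name next to its value and lets the body emit them in one loop over `format_verilog_concatenation` instead of fifteen near-identical calls. The function body continues past the hunk.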
@@ -94,16 +99,26 @@ def format_verilog_include(f, curve, da, qax, qay, db, qbx, qby, sx, sy):
 		msb_index = "383"
 
 		# write all numbers in vector
-	format_verilog_concatenation(f, da,  "localparam [" + msb_index + ":0] " + curve_str + "_DA"   + " =\n")
-	format_verilog_concatenation(f, qax, "localparam [" + msb_index + ":0] " + curve_str + "_QA_X" + " =\n")
-	format_verilog_concatenation(f, qay, "localparam [" + msb_index + ":0] " + curve_str + "_QA_Y" + " =\n")
+	format_verilog_concatenation(f, n,    "localparam [" + msb_index + ":0] " + curve_str + "_N"     + " =\n")
 
-	format_verilog_concatenation(f, db,  "localparam [" + msb_index + ":0] " + curve_str + "_DB"   + " =\n")
-	format_verilog_concatenation(f, qbx, "localparam [" + msb_index + ":0] " + curve_str + "_QB_X" + " =\n")
-	format_verilog_concatenation(f, qby, "localparam [" + msb_index + ":0] " + curve_str + "_QB_Y" + " =\n")
+	format_verilog_concatenation(f, da,   "localparam [" + msb_index + ":0] " + curve_str + "_DA"    + " =\n")
+	format_verilog_concatenation(f, qax,  "localparam [" + msb_index + ":0] " + curve_str + "_QA_X"  + " =\n")
+	format_verilog_concatenation(f, qay,  "localparam [" + msb_index + ":0] " + curve_str + "_QA_Y"  + " =\n")
+	format_verilog_concatenation(f, qa2x, "localparam [" + msb_index + ":0] " + curve_str + "_QA2_X" + " =\n")
+	format_verilog_concatenation(f, qa2y, "localparam [" + msb_index + ":0] " + curve_str + "_QA2_Y" + " =\n")
 
-	format_verilog_concatenation(f, sx,  "localparam [" + msb_index + ":0] " + curve_str + "_S_X"  + " =\n")
-	format_verilog_concatenation(f, sy,  "localparam [" + msb_index + ":0] " + curve_str + "_S_Y"  + " =\n")
+	format_verilog_concatenation(f, db,   "localparam [" + msb_index + ":0] " + curve_str + "_DB"    + " =\n")
+	format_verilog_concatenation(f, qb2x, "localparam [" + msb_index + ":0] " + curve_str + "_QB2_X" + " =\n")
+	format_verilog_concatenation(f, qb2y, "localparam [" + msb_index + ":0] " + curve_str + "_QB2_Y" + " =\n")
+
+	format_verilog_concatenation(f, sx,   "localparam [" + msb_index + ":0] " + curve_str + "_S_X"   + " =\n")
+	format_verilog_concatenation(f, sy,   "localparam [" + msb_index + ":0] " + curve_str + "_S_Y"   + " =\n")
+
+	format_verilog_concatenation(f, gx,   "localparam [" + msb_index + ":0] " + curve_str + "_G_X"   + " =\n")
+	format_verilog_concatenation(f, gy,   "localparam [" + msb_index + ":0] " + curve_str + "_G_Y"   + " =\n")
+
+	format_verilog_concatenation(f, hx,   "localparam [" + msb_index + ":0] " + curve_str + "_H_X"   + " =\n")
+	format_verilog_concatenation(f, hy,   "localparam [" + msb_index + ":0] " + curve_str + "_H_Y"   + " =\n")
 
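Review bot: Bob's original public key `QB_X`/`QB_Y` is dropped from the Verilog include and replaced by `QB2_X`/`QB2_Y`, while Alice keeps both `QA_X`/`QA_Y` and `QA2_X`/`QA2_Y`; the asymmetry may be intentional (the testbench might only need one side's doubled point), but it reads as accidental, and `qbx`/`qby` are still passed in and then unused here. If it is deliberate, a one-line comment above the `_QB2_X` call such as `# the testbench consumes Bob's doubled key only; QB itself is emitted in the C header` would save the next reader the question; otherwise emit `_QB_X`/`_QB_Y` alongside, as is done for Alice.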
 #
 # nicely format multi-word integer into C array initializer
@@ -283,11 +298,11 @@ def get_key(party, curve):
 	
 		# another sanity check (make sure, that Q is actually d * G)
 	if curve == CURVE_P256:
-		G = Point(P256_GX, P256_GY, curve=P256)
+		G = P256_BASE
 		Q = Point(key_pub_x, key_pub_y, curve=P256)
 
 	if curve == CURVE_P384:
-		G = Point(P384_GX, P384_GY, curve=P384)
+		G = P384_BASE
 		Q = Point(key_pub_x, key_pub_y, curve=P384)
 	
 		# multiply using fastecdsa
@@ -314,19 +329,34 @@ if __name__ == "__main__":
 	file_v.write("/* Generated automatically, do not edit. */\n\n")
 	
 		# process all the keys
-	for curve in curves:
+	for next_curve in curves:
 
 			# load keys
-		da, qax, qay = get_key("alice", curve)
-		db, qbx, qby = get_key("bob",   curve)
+		da, qax, qay = get_key("alice", next_curve)
+		db, qbx, qby = get_key("bob",   next_curve)
 		
 			# Alice's public key
-		if (curve == CURVE_P256): QA = Point(qax, qay, curve=P256)
-		if (curve == CURVE_P384): QA = Point(qax, qay, curve=P384)
+		if (next_curve == CURVE_P256): QA = Point(qax, qay, curve=P256)
+		if (next_curve == CURVE_P384): QA = Point(qax, qay, curve=P384)
 
 			# Bob's public key
-		if (curve == CURVE_P256): QB = Point(qbx, qby, curve=P256)
-		if (curve == CURVE_P384): QB = Point(qbx, qby, curve=P384)
+		if (next_curve == CURVE_P256): QB = Point(qbx, qby, curve=P256)
+		if (next_curve == CURVE_P384): QB = Point(qbx, qby, curve=P384)
+		
+			# the base point
+		if (next_curve == CURVE_P256): G = P256_BASE
+		if (next_curve == CURVE_P384): G = P384_BASE
+		
+			# double of the base point
+		H = 2 * G
+		
+			# doubles of QA and QB
+		QA2 = 2 * QA
+		QB2 = 2 * QB
+		
+			# order of the base point
+		if (next_curve == CURVE_P256): n = curve.P256.q
+		if (next_curve == CURVE_P384): n = curve.P384.q
 		
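Review bot: `G`, `n`, `QA` and `QB` are assigned only under the two `if (next_curve == ...)` tests, so an entry in `curves` that matches neither would raise NameError on the first iteration or, worse, silently reuse the previous iteration's values and emit vectors labelled for the wrong curve. Resolving the curve object once at the top of the loop with an `else: raise ValueError(...)` removes the duplicated selector pairs and the need for the separate `P256_BASE`/`P384_BASE` lookups here; `C.q` is the base-point order the existing code already reads via `curve.P256.q`. The loop body continues outside the hunk (shared-secret derivation and the format_* calls).
```python
	for next_curve in curves:

			# resolve the curve object once; everything below derives from it
		if next_curve == CURVE_P256:
			C = P256
		elif next_curve == CURVE_P384:
			C = P384
		else:
			raise ValueError("unknown curve: " + next_curve)

		# ... unchanged: get_key calls for alice and bob ...

			# public keys, base point, its double, doubles of QA and QB
		QA = Point(qax, qay, curve=C)
		QB = Point(qbx, qby, curve=C)
		G = keys.get_public_key(1, C)
		H = 2 * G
		QA2 = 2 * QA
		QB2 = 2 * QB

			# order of the base point
		n = C.q

		# ... unchanged: shared-secret derivation and file output ...
```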
 			# we derive the shared secret two different ways (from Alice's and
 			# from Bob's perspective, they must be identical of course
@@ -339,8 +369,19 @@ if __name__ == "__main__":
 		print("Derived shared secret.");
 
 			# format numbers and write to file
-		format_c_header(file_h, curve, da, qax, qay, db, qbx, qby, QAB.x, QBA.y)
-		format_verilog_include(file_v, curve, da, qax, qay, db, qbx, qby, QAB.x, QBA.y)
+		format_c_header(	file_h, next_curve,
+							da, qax, qay,
+							db, qbx, qby,
+							QAB.x, QBA.y)
+							
+		format_verilog_include(	file_v, next_curve, n,
+								da, qax, qay,
+								db, qbx, qby,
+								QAB.x, QBA.y,
+								G.x, G.y,
+								H.x, H.y,
+								QA2.x, QA2.y,
+								QB2.x, QB2.y)
 
 		# done
 	file_h.close()


