[Cryptech-Commits] [user/shatov/ecdsa_fpga_model] 01/01: This commit fixes a theoretical bug in the base point multiplier model. The model does multiplication using the double-and-add algorithm. When adding two points P and Q on curves P-256 and P-384, four special cases must be considered. One of them is P = Q, in that situation the explicit addition formulae don't work and either 2P or 2Q must be returned from the addition routine. In this model Q is always the base point G, so when P = G, then 2*G must be returned. Since G is fixed, this mo [...]

git at cryptech.is git at cryptech.is
Mon Feb 26 10:14:25 UTC 2018

Previous message (by thread): [Cryptech-Commits] [user/shatov/ecdsa_fpga_model] branch fix created (now e718fdf)
Next message (by thread): [Cryptech-Commits] [sw/libhal] branch hashsig created (now b26b375)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is an automated email from the git hooks/post-receive script.

meisterpaul1 at yandex.ru pushed a commit to branch fix
in repository user/shatov/ecdsa_fpga_model.

commit e718fdfae6443466e566ed6ce1515cdecc215ac0
Author: Pavel V. Shatov (Meister) <meisterpaul1 at yandex.ru>
AuthorDate: Sun Feb 25 14:25:49 2018 +0300

    This commit fixes a theoretical bug in the base point multiplier model. The
    model does multiplication using the double-and-add algorithm. When adding two
    points P and Q on curves P-256 and P-384, four special cases must be
    considered. One of them is P = Q, in that situation the explicit addition
    formulae don't work and either 2*P or 2*Q must be returned from the addition
    routine. In this model Q is always the base point G, so when P = G, then 2*G
    must be returned. Since G is fixed, this model stores precomputed point H = 2*G
    and returns it when adding G+G for true constant-time operation. The problem is
    that the currently stored coordinates of the point H are wrong. I think I used
    the doubling routine (which returns in projective Jacobian coordinates) to
    calculate H = 2*G, but then screwed up and forgot to convert it to affine
    coordinates before storing x and y.
    
    During multiplication the bits of k are scanned left-to-right, so doubling is
    done before addition. This way the only situation when both inputs to the
    addition routine are equal to G is when after doubling the result is G. This in
    its turn is only possible when k = n + 2 (where n is the order of the base
    point G). ECDSA requires integer k to be [1, n-1], so the current wrong
    coordinates should never be used in practice. I'm not aware of any attacks
    based on this bug, but I feel that it must be fixed, moreover the fix is
    straightforward and only involves changing two lines of code used to initialize
    arrays. One of the side effects is that the model has a code path that will
    never be used under normal operation. This code path can be verified by first
    multiplying by k = 2 (special handling for P = G not triggered), then
    multiplying by k = n+2 (special handling for P = G triggered). Both
    multiplications should produce the same output. In the former case the output
    will be calculated on-the-fly, in the latter case the pre-computed coordinates
    of H will be used.
---
 ecdsa_model.h        | 10 +++++-----
 ecdsa_model_fpga.cpp | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/ecdsa_model.h b/ecdsa_model.h
index fc7e571..4039e25 100644
--- a/ecdsa_model.h
+++ b/ecdsa_model.h
@@ -45,7 +45,7 @@
 // USE_CURVE == 2  -> P-384
 //
 //------------------------------------------------------------------------------
-#define USE_CURVE	2
+#define USE_CURVE	1
 
 
 //------------------------------------------------------------------------------
@@ -79,8 +79,8 @@
 #define P_256_G_Y		{0x4fe342e2, 0xfe1a7f9b, 0x8ee7eb4a, 0x7c0f9e16, 0x2bce3357, 0x6b315ece, 0xcbb64068, 0x37bf51f5}
 
 /* Doubled Base Point */
-#define P_256_H_X		{0x29d05c19, 0x3da77b71, 0x0e863235, 0x38b77e1b, 0x11f904fe, 0xa42998be, 0x16bd8d74, 0x4ece7ad0}
-#define P_256_H_Y		{0xb01cbd1c, 0x01e58065, 0x711814b5, 0x83f061e9, 0xd431cca9, 0x94cea131, 0x3449bf97, 0xc840ae07}
+#define P_256_H_X		{0x7cf27b18, 0x8d034f7e, 0x8a523803, 0x04b51ac3, 0xc08969e2, 0x77f21b35, 0xa60b48fc, 0x47669978}
+#define P_256_H_Y		{0x07775510, 0xdb8ed040, 0x293d9ac6, 0x9f7430db, 0xba7dade6, 0x3ce98229, 0x9e04b79d, 0x227873d1}
 
 /* Base Point Order */
 #define P_256_N			{0xffffffff, 0x00000000, 0xffffffff, 0xffffffff, 0xbce6faad, 0xa7179e84, 0xf3b9cac2, 0xfc632551}
@@ -119,8 +119,8 @@
 #define P_384_G_Y		{0x3617de4a, 0x96262c6f, 0x5d9e98bf, 0x9292dc29, 0xf8f41dbd, 0x289a147c, 0xe9da3113, 0xb5f0b8c0, 0x0a60b1ce, 0x1d7e819d, 0x7a431d7c, 0x90ea0e5f}
 
 /* Doubled Base Point */
-#define P_384_H_X		{0xaaf06bba, 0x82e9f590, 0xe29c71c2, 0x19bea517, 0x23c5893a, 0xe8b0c8cf, 0x4c117c3e, 0xfb57ab8d, 0x55fa1b42, 0x8155ad27, 0x8b574391, 0x1b13ea8a}
-#define P_384_H_Y		{0xc9e821b5, 0x69d9d390, 0xa2616740, 0x6d6d23d6, 0x070be242, 0xd765eb83, 0x1625ceec, 0x4a0f473e, 0xf59f4e30, 0xe2817e62, 0x85bce284, 0x6f15f19d}
+#define P_384_H_X		{0x08d99905, 0x7ba3d2d9, 0x69260045, 0xc55b97f0, 0x89025959, 0xa6f434d6, 0x51d207d1, 0x9fb96e9e, 0x4fe0e86e, 0xbe0e64f8, 0x5b96a9c7, 0x5295df61}
+#define P_384_H_Y		{0x8e80f1fa, 0x5b1b3ced, 0xb7bfe8df, 0xfd6dba74, 0xb275d875, 0xbc6cc43e, 0x904e505f, 0x256ab425, 0x5ffd43e9, 0x4d39e22d, 0x61501e70, 0x0a940e80}
 
 /* Base Point Order */
 #define P_384_N			{0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xc7634d81, 0xf4372ddf, 0x581a0db2, 0x48b0a77a, 0xecec196a, 0xccc52973}
diff --git a/ecdsa_model_fpga.cpp b/ecdsa_model_fpga.cpp
index 8ad0962..546e206 100644
--- a/ecdsa_model_fpga.cpp
+++ b/ecdsa_model_fpga.cpp
@@ -111,6 +111,39 @@ int main()
 	if (!ok) return EXIT_FAILURE;
 
 
+		//
+		// test base point multiplier: H = 2 * G
+		//
+	FPGA_BUFFER two;
+	fpga_modular_add(&ecdsa_one, &ecdsa_one, &two);
+
+	printf("Trying to double the base point...\n\n");
+	ok = test_base_point_multiplier(&two, &ecdsa_h_x, &ecdsa_h_y);
+	if (!ok) return EXIT_FAILURE;
+
+	
+		//
+		// test base point multiplier: G = (n + 1) * G
+		//
+	FPGA_BUFFER n1;
+	fpga_modular_add(&ecdsa_n, &ecdsa_one, &n1);	// n1 = n + 1
+
+	printf("Trying to multiply the base point by its order plus one...\n\n");
+	ok = test_base_point_multiplier(&n1, &ecdsa_g_x, &ecdsa_g_y);
+	if (!ok) return EXIT_FAILURE;
+
+
+		//
+		// test base point multiplier: G = (n + 2) * G
+		//
+	FPGA_BUFFER n2;
+	fpga_modular_add(&ecdsa_n, &two, &n2);	// n2 = n + two
+
+	printf("Trying to multiply the base point by its order plus two...\n\n");
+	ok = test_base_point_multiplier(&n2, &ecdsa_h_x, &ecdsa_h_y);
+	if (!ok) return EXIT_FAILURE;
+
+	
 		//
 		// try to abuse internal point doubler
 		//

Previous message (by thread): [Cryptech-Commits] [user/shatov/ecdsa_fpga_model] branch fix created (now e718fdf)
Next message (by thread): [Cryptech-Commits] [sw/libhal] branch hashsig created (now b26b375)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Commits mailing list