[Cryptech Tech] Plan for ECDSA core (review, please)

Rob Austein sra at hactrn.net
Thu May 28 13:11:21 UTC 2015


One of my action items this week is helping to specify what it is that
we meant when we asked Pavel to go off and write us an ECDSA core.

Here's what I have so far:

- We probably don't need the core to do ECDSA verification, only
  signing.

- We probably only care about two named curves: P-256 and P-384.

The real specification appears to be X9.62.  ECDSA is also included in
several NIST documents (186-[234]) but NIST refers to X9.62 as the
primary specification.

NIST has test vectors.  The relevant ones are probably:

    http://csrc.nist.gov/groups/STM/cavp/documents/dss/186-3ecdsatestvectors.zip

We're probably only interested in the P-256/SHA-256 and P-384/SHA-384 cases.

There are of course various software implementations, including
Cryptlib, and including a pure Python implementation (named "ecdsa" of
all things).

Pavel has requested that we give him a slightly lower-level spec than
this, in terms of expected inputs, expected outputs, and samples of
each, which is entirely reasonable, but before going there I wanted to
make sure we have agreement that this is what we want.
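
Added example (not part of the original message and not Cryptech code): one way to pull only the P-256/SHA-256 and P-384/SHA-384 signing vectors out of the NIST file and turn them into fixed-width operands for a signing-only core's testbench. It assumes the SigGen.txt layout of `[curve,hash]` section headers followed by `Msg`/`d`/`Qx`/`Qy`/`k`/`R`/`S` lines; `parse_siggen` and `_check` are hypothetical names, and the embedded sample values are constructed, not real NIST vectors.

```python
import re

# Group orders n of the two curves the message scopes in (FIPS 186 values).
ORDER = {
    "P-256": int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16),
    "P-384": int("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF"
                 "581A0DB248B0A77AECEC196ACCC52973", 16),
}
WANTED = {("P-256", "SHA-256"), ("P-384", "SHA-384")}
FIELDS = ("Msg", "d", "Qx", "Qy", "k", "R", "S")
# Constructed sample in the assumed SigGen.txt layout; not real NIST vectors.
SAMPLE = ("# constructed sample\n"
          "[P-224,SHA-224]\nMsg = aa\nd = 01\nQx = 02\nQy = 03\nk = 04\nR = 05\nS = 06\n"
          "[P-256,SHA-256]\nMsg = 616263\nd = 0a\nQx = 0b\nQy = 0c\nk = 0d\nR = 0e\nS = 0f\n")

def parse_siggen(text, wanted=WANTED):
    """Return the signing vectors found in the wanted [curve,hash] sections."""
    vectors, section, cur = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[([^,\]]+),([^\]]+)\]", line)
        if m:                                    # new section header
            section, cur = (m.group(1), m.group(2)), {}
            continue
        if section not in wanted or "=" not in line:
            continue                             # skip curves/hashes out of scope
        key, value = (part.strip() for part in line.split("=", 1))
        cur[key] = value
        if key == "S":                           # S is the last line of a vector
            vectors.append(_check(section, cur))
            cur = {}
    return vectors

def _check(section, rec):
    curve, digest = section
    missing = [f for f in FIELDS if f not in rec]
    if missing:
        raise ValueError(f"{curve}: vector lacks {missing}")
    n, width = ORDER[curve], (ORDER[curve].bit_length() + 7) // 8
    out = {"curve": curve, "hash": digest, "msg": bytes.fromhex(rec["Msg"])}
    for name in ("d", "k", "R", "S"):            # scalars must lie in [1, n-1]
        v = int(rec[name], 16)
        if not 1 <= v < n:
            raise ValueError(f"{curve}: {name} outside [1, n-1]")
        out[name.lower()] = v.to_bytes(width, "big")   # fixed-width operand
    return out
```

Each returned record carries the message bytes plus `d`, `k`, `r` and `s` as 32-byte (P-256) or 48-byte (P-384) big-endian values, so `d`, `k` and the message digest serve as inputs and `r`, `s` as the expected outputs.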

