Daiki Ueno <u...@gnu.org> writes:

> ni...@lysator.liu.se (Niels Möller) writes:
>
>> I see you've made some changes to the needed scratch space, if I
>> understand it correctly, you need to allow h_to_a_itch larger than
>> mul_itch or mul_g_itch. You increase the value of ECC_ECDSA_SIGN_ITCH
>> and add a new ECC_ECDSA_KEYGEN_ITCH. Can you comment on that?
>>
>> The only reason ECDSA is affected at all by curve448, is that we have
>> tests for ecdsa over the curve25519 and curve448, even though that's
>> not the way these curves are intended to be used. Maybe that should
>> just be deleted.
>
> Indeed, I agree to remove the tests and affected parts in the library.

I'm considering the below patch. I think there's room for further
improvement, maybe splitting the h_to_a method up (it's called with op
== 0, and with op == 2 from the ecdsa, but never with op == 1). Maybe
adding some ecc_mod_canonical function. But deleting this unneeded
code right away seems like an improvement in itself.

Regards,
/Niels

diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c
index 8173b887..89d2b6e3 100644
--- a/ecc-eh-to-a.c
+++ b/ecc-eh-to-a.c
@@ -56,6 +56,8 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
 
   mp_limb_t cy;
 
+  assert(op == 0);
+
   /* Needs 2*size + scratch for the invert call. */
   ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
 
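Review bot: the new `assert(op == 0);` only guards debug builds; under NDEBUG a caller still passing op == 2 would fall through to the full affine conversion below and get x and y written instead of the old reduce-modulo-q result. Since the message says op is only ever 0 or 2 and the op == 2 callers are the ECDSA-on-curve25519 paths this patch removes, consider also dropping the `op` parameter (or at least documenting in the header that it must be 0) so the contract is enforced at compile time rather than only when asserts are on.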
@@ -63,25 +65,6 @@ ecc_eh_to_a (const struct ecc_curve *ecc,
   cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
   cnd_copy (cy, r, tp, ecc->p.size);
 
-  if (op)
-    {
-      /* Skip y coordinate */
-      if (op > 1)
-       {
-         /* Reduce modulo q. Hardcoded for curve25519, duplicates end
-            of ecc_25519_modq. FIXME: Is this needed at all? op > 0
-            is only used by ecdsa code, and ecdsa on Edwards curves
-            makes little sense and is is only used by tests. */
-         unsigned shift;
-         assert (ecc->p.bit_size == 255);
-         shift = ecc->q.bit_size - 1 - GMP_NUMB_BITS * (ecc->p.size - 1);
-         cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size,
-                            r[ecc->p.size-1] >> shift);
-         assert (cy < 2);
-         cnd_add_n (cy, r, ecc->q.m, ecc->p.size);
-       }
-      return;
-    }
   ecc_modp_mul (ecc, tp, yp, izp);
   cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
   cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
diff --git a/testsuite/ecdsa-keygen-test.c b/testsuite/ecdsa-keygen-test.c
index a96c09ef..0deb7214 100644
--- a/testsuite/ecdsa-keygen-test.c
+++ b/testsuite/ecdsa-keygen-test.c
@@ -78,6 +78,10 @@ test_main (void)
       struct ecc_point pub;
       struct ecc_scalar key;
 
+      if (ecc->p.bit_size == 255)
+       /* Exclude curve25519, which isn't supported with ECDSA. */
+       continue;
+
       if (verbose)
        fprintf (stderr, "Curve %d\n", ecc->p.bit_size);
 
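Review bot: the skip keys off `ecc->p.bit_size == 255`, which identifies curve25519 only by its field size; the earlier message says ECDSA tests also exist over curve448, which this condition would not exclude (bit_size 448). Comparing against the curve itself, e.g. `if (ecc == &_nettle_curve25519)`, the symbol the sign/verify hunks already use, makes the intent explicit and keeps the exclusion correct when curve448 is handled the same way.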
diff --git a/testsuite/ecdsa-sign-test.c b/testsuite/ecdsa-sign-test.c
index 23275357..b240a31b 100644
--- a/testsuite/ecdsa-sign-test.c
+++ b/testsuite/ecdsa-sign-test.c
@@ -156,18 +156,4 @@ test_main (void)
              "97536710 1F67D1CF 9BCCBF2F 3D239534"
              "FA509E70 AAC851AE 01AAC68D 62F86647"
              "2660"); /* s */
-
-  /* Non-standard ecdsa using curve25519. Not interop-tested with
-     anything else. */
-  test_ecdsa (&_nettle_curve25519,
-             "1db511101b8fd16f e0212c5679ef53f3"
-             "323bde77f9efa442 617314d576d1dbcb", /* z */
-             "aa2fa8facfdc3a99 ec466d41a2c9211c"
-             "e62e1706f54037ff 8486e26153b0fa79", /* k */
-             SHEX("e99df2a098c3c590 ea1e1db6d9547339"
-                  "ae760d5331496119 5d967fd881e3b0f5"), /* h */
-             " 515c3a485f57432 0daf3353a0d08110"
-             "64157c556296de09 4132f74865961b37", /* r */
-             "  78f23367291b01 3fc430fb09322d95"
-             "4384723649868d8e 88effc7ac8b141d7"); /* s */
 }
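Review bot: this removes the only ECDSA sign vector on curve25519, and the companion verify vector (whose comment says it is the public key for this key) goes in the next file, so the two stay consistent. After this, nothing in the testsuite exercises the op == 2 path of ecc_eh_to_a, which is fine since that path is deleted in this same patch, but the commit message should say explicitly that the "non-standard ecdsa using curve25519" coverage is being dropped on purpose.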
diff --git a/testsuite/ecdsa-verify-test.c b/testsuite/ecdsa-verify-test.c
index 971988c3..6a593d6f 100644
--- a/testsuite/ecdsa-verify-test.c
+++ b/testsuite/ecdsa-verify-test.c
@@ -145,17 +145,4 @@ test_main (void)
              "97536710 1F67D1CF 9BCCBF2F 3D239534" 
              "FA509E70 AAC851AE 01AAC68D 62F86647"
              "2660"); /* s */
-
-  test_ecdsa (&_nettle_curve25519,
-             /* Public key corresponding to the key in ecdsa-sign-test */
-             "59f8f317fd5f4e82 c02f8d4dec665fe1"
-             "230f83b8572638e1 b2ac34a30028e24d", /* x */
-             "1902a72dc1a6525a 811b9c1845978d56"
-             "fd97dce5e278ebdd ec695349d7e41498", /* y */
-             SHEX("e99df2a098c3c590 ea1e1db6d9547339"
-                  "ae760d5331496119 5d967fd881e3b0f5"), /* h */
-             " 515c3a485f57432 0daf3353a0d08110"
-             "64157c556296de09 4132f74865961b37", /* r */
-             "  78f23367291b01 3fc430fb09322d95"
-             "4384723649868d8e 88effc7ac8b141d7"); /* s */
 }

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
