Daiki Ueno <u...@gnu.org> writes: > ni...@lysator.liu.se (Niels Möller) writes: > >> I see you've made some chenges to the needed scratch space, if I >> understand it correctly, you need to allow h_to_a_itch larger than >> mul_itch or mul_g_itch. You increase the value of ECC_ECDSA_SIGN_ITCH >> and add a new ECC_ECDSA_KEYGEN_ITCH. Can you comment on that? >> >> The only reason ECDSA is affected at all by curve448, is that we have >> tests for ecdsa over the curve25519 and curve448, even though that's >> not the way these curves are intended to be used. Maybe that should >> just be deleted. > > Indeed, I agree to remove the tests and affected parts in the library.
I'm considering the below patch. I think there's room for further improvement, maybe splitting the h_to_a method up (it's called with op == 0, and with op == 2 from the ecdsa, but never with op == 1). Maybe adding a some ecc_mod_canonical function. But deleting this unneeded code right away seems like an improvement in itself. Regards, /Niels diff --git a/ecc-eh-to-a.c b/ecc-eh-to-a.c index 8173b887..89d2b6e3 100644 --- a/ecc-eh-to-a.c +++ b/ecc-eh-to-a.c @@ -56,6 +56,8 @@ ecc_eh_to_a (const struct ecc_curve *ecc, mp_limb_t cy; + assert(op == 0); + /* Needs 2*size + scratch for the invert call. */ ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size); @@ -63,25 +65,6 @@ ecc_eh_to_a (const struct ecc_curve *ecc, cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r, tp, ecc->p.size); - if (op) - { - /* Skip y coordinate */ - if (op > 1) - { - /* Reduce modulo q. Hardcoded for curve25519, duplicates end - of ecc_25519_modq. FIXME: Is this needed at all? op > 0 - is only used by ecdsa code, and ecdsa on Edwards curves - makes little sense and is is only used by tests. */ - unsigned shift; - assert (ecc->p.bit_size == 255); - shift = ecc->q.bit_size - 1 - GMP_NUMB_BITS * (ecc->p.size - 1); - cy = mpn_submul_1 (r, ecc->q.m, ecc->p.size, - r[ecc->p.size-1] >> shift); - assert (cy < 2); - cnd_add_n (cy, r, ecc->q.m, ecc->p.size); - } - return; - } ecc_modp_mul (ecc, tp, yp, izp); cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size); diff --git a/testsuite/ecdsa-keygen-test.c b/testsuite/ecdsa-keygen-test.c index a96c09ef..0deb7214 100644 --- a/testsuite/ecdsa-keygen-test.c +++ b/testsuite/ecdsa-keygen-test.c @@ -78,6 +78,10 @@ test_main (void) struct ecc_point pub; struct ecc_scalar key; + if (ecc->p.bit_size == 255) + /* Exclude curve25519, which isn't supported with ECDSA. */ + continue; + if (verbose) fprintf (stderr, "Curve %d\n", ecc->p.bit_size); diff --git a/testsuite/ecdsa-sign-test.c b/testsuite/ecdsa-sign-test.c index 23275357..b240a31b 100644 --- a/testsuite/ecdsa-sign-test.c +++ b/testsuite/ecdsa-sign-test.c @@ -156,18 +156,4 @@ test_main (void) "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ - - /* Non-standard ecdsa using curve25519. Not interop-tested with - anything else. */ - test_ecdsa (&_nettle_curve25519, - "1db511101b8fd16f e0212c5679ef53f3" - "323bde77f9efa442 617314d576d1dbcb", /* z */ - "aa2fa8facfdc3a99 ec466d41a2c9211c" - "e62e1706f54037ff 8486e26153b0fa79", /* k */ - SHEX("e99df2a098c3c590 ea1e1db6d9547339" - "ae760d5331496119 5d967fd881e3b0f5"), /* h */ - " 515c3a485f57432 0daf3353a0d08110" - "64157c556296de09 4132f74865961b37", /* r */ - " 78f23367291b01 3fc430fb09322d95" - "4384723649868d8e 88effc7ac8b141d7"); /* s */ } diff --git a/testsuite/ecdsa-verify-test.c b/testsuite/ecdsa-verify-test.c index 971988c3..6a593d6f 100644 --- a/testsuite/ecdsa-verify-test.c +++ b/testsuite/ecdsa-verify-test.c @@ -145,17 +145,4 @@ test_main (void) "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ - - test_ecdsa (&_nettle_curve25519, - /* Public key corresponding to the key in ecdsa-sign-test */ - "59f8f317fd5f4e82 c02f8d4dec665fe1" - "230f83b8572638e1 b2ac34a30028e24d", /* x */ - "1902a72dc1a6525a 811b9c1845978d56" - "fd97dce5e278ebdd ec695349d7e41498", /* y */ - SHEX("e99df2a098c3c590 ea1e1db6d9547339" - "ae760d5331496119 5d967fd881e3b0f5"), /* h */ - " 515c3a485f57432 0daf3353a0d08110" - "64157c556296de09 4132f74865961b37", /* r */ - " 78f23367291b01 3fc430fb09322d95" - "4384723649868d8e 88effc7ac8b141d7"); /* s */ } -- Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677. Internet email is subject to wholesale government surveillance. _______________________________________________ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs