ECDSA with SHA384 - Verification

Mon, 14 Nov 2011 03:10:51 -0800 

Hellol,

We have some software that uses OpenSSL for digital signature creation
and verification.  I have to implement a means to test this against
known answers and so have fished out the test vectors for ECDSA from
http://csrc.nist.gov/groups/STM/cavp/

 

We are using the curve 'secp384r1' and so I have selected the
[P-384,SHA384] test vectors (I assume this is right) which look like
this....

 

[P-384,SHA-384]

Msg =
6b45d88037392e1371d9fd1cd174e9c1838d11c3d6133dc17e65fa0c485dcca9f52d41b6
0161246039e42ec784d49400bffdb51459f5de654091301a09378f93464d52118b48d44b
30d781eb1dbed09da11fb4c818dbd442d161aba4b9edc79f05e4b7e401651395b53bd8b5
bd3f2aaa6a00877fa9b45cadb8e648550b4c6cbe

d =
201b432d8df14324182d6261db3e4b3f46a8284482d52e370da41e6cbdf45ec2952f5db7
ccbce3bc29449f4fb080ac97

Qx =
c2b47944fb5de342d03285880177ca5f7d0f2fcad7678cce4229d6e1932fcac11bfc3c3e
97d942a3c56bf34123013dbf

Qy =
37257906a8223866eda0743c519616a76a758ae58aee81c5fd35fbf3a855b7754a36d4a0
672df95d6c44a81cf7620c2d

k =
dcedabf85978e090f733c6e16646fa34df9ded6e5ce28c6676a00f58a25283db8885e16c
e5bf97f917c81e1f25c9c771

R =
50835a9251bad008106177ef004b091a1e4235cd0da84fff54542b0ed755c1d6f251609d
14ecf18f9e1ddfe69b946e32

S =
0475f3d30c6463b646e8d3bf2455830314611cbde404be518b14464fdb195fdcc92eb222
e61f426a4a592c00a6a89721

 

The Msg is self explanatory, d is the private key, Qx,Qy are the
corresponding public keys and R,S are the signature.  The variable k is
the per message secret number (PMSN) without which ECDSA is not
deterministic.

 

Anyway, to the question supposing all of the above assumptions are
correct.  Our code calls into ECDSA_do_sign_ex(..) which looks like...

 

ECDSA_SIG* ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen,

    const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey);

 

So most of the test vectors fit into this nicely barring k.  The
function requires the inverse of k (kinv) and I can't figure out how to
get that from k (maths was never my strong point).  I've tried playing
with BN_mod_inverse() but the call always returns NULL so I guess I'm
using it wrong.   

Any help appreciated.

Reply via email to