Re: ppc64 micro optimization

2024-04-14 Thread Niels Möller
Niels Möller  writes:

> I've added tests that set the initial counter so that the four counter
> bytes wrap around 2^32, and I've verified that these instructions
> should be changed to vadduwm, to get output that agrees with nettle's
> other gcm implementations.

I've committed those fixes, and a fix for big-endian support, on the branch
ppc64-gcm-aes-rebased. I think that's now ready for merging.

I see some opportunities for further improvement, but that can be done
after merge, to aid consistency with related fixes to the other ppc64
assembly files.

> Another question on powerpc64 assembly: For the byte swapping, currently
> done using the vperm instruction and a mask word, is there any reason to
> not use the xxbrd instruction (VSX Vector Byte-Reverse Doubleword)
> instead? That applies to more functions than the new gcm-aes code.

A closer look at the spec indicated that xxbrd is only available from
power9 (i.e., if the processor supports VSX, *and* supports ISA 3.0, if
I've understood it correctly).

I think it would be a good idea to consistently use pseudoops like

  .machine "power8"

in the ppc assembly files, if that would let the assembler catch
accidental use of unavailable instructions.

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
___
nettle-bugs mailing list -- nettle-bugs@lists.lysator.liu.se
To unsubscribe send an email to nettle-bugs-le...@lists.lysator.liu.se
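The counter wraparound the message above tests for, as an added example in Python (not Nettle's code, and not the ppc64 assembly under discussion). GCM increments only the rightmost 32 bits of the counter block modulo 2^32 (the inc32 function of NIST SP 800-38D); a 64-bit lane add, the behaviour of a doubleword vector add, lets the carry out of bit 32 run into the upper half of the lane. The J0 value below is constructed so that the counter word is two steps from wrapping, which is exactly where the two variants diverge.

```python
"""GCM counter-block increment: inc32 (correct) versus a 64-bit lane add.

Added example; the J0 block below is constructed, not taken from a real
test vector.
"""

BLOCK_LEN = 16


def inc32(block: bytes) -> bytes:
    """NIST SP 800-38D inc32: add 1 to the rightmost 32 bits mod 2^32,
    leaving the leftmost 96 bits untouched."""
    assert len(block) == BLOCK_LEN
    ctr = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, "big")


def inc64_lane(block: bytes) -> bytes:
    """Incorrect variant: a 64-bit add over the rightmost doubleword, so a
    carry out of the 32-bit counter word lands in bytes 8..11 of the block
    (the effect of using a doubleword add instead of a word add)."""
    assert len(block) == BLOCK_LEN
    ctr = (int.from_bytes(block[8:], "big") + 1) & 0xFFFFFFFFFFFFFFFF
    return block[:8] + ctr.to_bytes(8, "big")


def counter_blocks(j0: bytes, n: int, step=inc32) -> list:
    """Return the n counter blocks following j0, i.e. step(j0), step(step(j0)), ...
    GCM encrypts the first plaintext block under inc32(J0)."""
    out = []
    blk = j0
    for _ in range(n):
        blk = step(blk)
        out.append(blk)
    return out


def first_divergence(j0: bytes, n: int):
    """Index of the first counter block where the 64-bit lane add disagrees
    with inc32, or None if the first n blocks agree."""
    good = counter_blocks(j0, n, inc32)
    bad = counter_blocks(j0, n, inc64_lane)
    for i, (g, b) in enumerate(zip(good, bad)):
        if g != b:
            return i
    return None


# Constructed J0: 96-bit nonce part followed by a counter word two steps
# from wrapping around 2^32.
J0_NEAR_WRAP = bytes.fromhex("cafebabefacedbaddecaf888" "fffffffe")

if __name__ == "__main__":
    for blk in counter_blocks(J0_NEAR_WRAP, 3):
        print(blk.hex())
    print("first divergence at block index", first_divergence(J0_NEAR_WRAP, 3))
```

A regression test of the kind described above only needs an initial counter like `J0_NEAR_WRAP`: the first increment agrees between the two variants, the second one does not, so a test that starts with the counter word at 0xFFFFFFFE and processes at least two blocks catches the wrong instruction.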


Re: additional API for SHAKE streaming read

2024-04-14 Thread Niels Möller
Daiki Ueno  writes:

> Yes, I've consolidated the description and put it at the introduction.

Thanks, merged now!
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.


Deterministic (EC)DSA

2024-04-14 Thread Daiki Ueno
Hello,

The attached patch adds support for deterministic DSA and ECDSA, as
defined in RFC 6979, which enables us to use the signing function
without randomness.

The original code has been hosted in GnuTLS for a while, implemented as
a custom random function which can be used in combination with dsa_sign
and ecdsa_sign.  While this approach works in general, it requires
pre/post processing: e.g., access to ECC q[1] and cancelling out
Nettle's tweak in dsa_sign adding 1[2] to the random value.  Therefore,
I would rather like this to be included in Nettle itself.  Note also
that this implementation should be identical to the latest code in
GnuTLS, which addresses the Minerva attack[3].

The same patch is also available at GitLab:
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/64

Footnotes:
[1] https://gitlab.com/gnutls/gnutls/-/blob/c1428c07d406f18cca94f94e2b7ca1f866df42d9/lib/nettle/int/ecdsa-compute-k.c#L32

[2] https://gitlab.com/gnutls/gnutls/-/blob/c1428c07d406f18cca94f94e2b7ca1f866df42d9/lib/nettle/int/dsa-compute-k.c#L212

[3] https://nvd.nist.gov/vuln/detail/CVE-2024-28834

Regards,
-- 
Daiki Ueno
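The RFC 6979 nonce derivation that the patch below implements in C, as an added reference example in Python (it is neither the patch's code nor GnuTLS's). It follows RFC 6979 section 3.2 step by step with the standard-library hmac and hashlib modules, produces k directly in [1, q-1] (the range a random-function workaround has to compensate for, as the message notes about dsa_sign adding 1), and checks itself against the RFC's A.2.5 P-256/SHA-256 vector for message "sample"; the group order and private key constants are that vector's values.

```python
"""RFC 6979 deterministic nonce derivation, reference version.

Added example in Python; not the Nettle patch (which implements the same
construction in C). Checked against the RFC 6979 A.2.5 P-256/SHA-256 vector.
"""
import hashlib
import hmac


def bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 2.3.2: read b big-endian and keep only its leftmost qlen bits."""
    v = int.from_bytes(b, "big")
    blen = 8 * len(b)
    if blen > qlen:
        v >>= blen - qlen
    return v


def int2octets(x: int, qlen: int) -> bytes:
    """RFC 6979 2.3.3: big-endian encoding padded to rlen = 8*ceil(qlen/8) bits."""
    return x.to_bytes((qlen + 7) // 8, "big")


def bits2octets(b: bytes, q: int, qlen: int) -> bytes:
    """RFC 6979 2.3.4: reduce bits2int(b) modulo q, then encode as int2octets."""
    return int2octets(bits2int(b, qlen) % q, qlen)


def rfc6979_nonce(x: int, q: int, msg: bytes, hashfunc=hashlib.sha256) -> int:
    """k in [1, q-1] per RFC 6979 3.2 for private key x, group order q, message msg.

    The same (x, q, msg) always yields the same k, so no RNG is consulted."""
    qlen = q.bit_length()
    h1 = hashfunc(msg).digest()                        # step a
    hlen = len(h1)

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashfunc).digest()

    V = b"\x01" * hlen                                 # step b
    K = b"\x00" * hlen                                 # step c
    seed = int2octets(x, qlen) + bits2octets(h1, q, qlen)
    K = mac(K, V + b"\x00" + seed)                     # step d
    V = mac(K, V)                                      # step e
    K = mac(K, V + b"\x01" + seed)                     # step f
    V = mac(K, V)                                      # step g
    while True:                                        # step h
        T = b""
        while 8 * len(T) < qlen:                       # h.2: collect qlen bits
            V = mac(K, V)
            T += V
        k = bits2int(T, qlen)                          # h.3
        if 1 <= k < q:
            return k
        # Candidate out of range (rare): refresh K and V and draw again.
        K = mac(K, V + b"\x00")
        V = mac(K, V)


# RFC 6979 A.2.5: NIST P-256 group order, the sample private key, and the
# expected k for message "sample" with SHA-256.
P256_Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
RFC6979_X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
RFC6979_K_SAMPLE = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60


def check_vector() -> bool:
    """True if the derivation reproduces the RFC's k for message "sample"."""
    return rfc6979_nonce(RFC6979_X, P256_Q, b"sample") == RFC6979_K_SAMPLE


if __name__ == "__main__":
    print("RFC 6979 A.2.5 vector:", "ok" if check_vector() else "MISMATCH")
```

Two properties matter for a signing implementation and both fall out of the construction: the derivation is a pure function of the key and message, so a test suite can pin exact k values (as the RFC does), and every returned k is already in [1, q-1], so the caller must not apply any further adjustment to it.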
From 0b9860dfa63becdc2e2d8468889c35a2991c0329 Mon Sep 17 00:00:00 2001
From: Daiki Ueno 
Date: Sun, 14 Apr 2024 09:05:19 +0900
Subject: [PATCH] Add support for deterministic DSA and ECDSA

This implements deterministic nonce construction for DSA and ECDSA,
as defined in RFC 6979.

Signed-off-by: Daiki Ueno 
---
 Makefile.in  |   5 +-
 dsa-compute-k.c  | 173 +++
 dsa-compute-k.h  |  49 
 dsa-sign.c   |  65 ++
 dsa.h|   9 ++
 ecdsa-sign.c |  26 
 ecdsa.h  |  10 ++
 gmp-glue.h   |   5 +-
 nettle-internal.h|   1 +
 testsuite/.gitignore |   2 +
 testsuite/Makefile.in|   3 +-
 testsuite/deterministic-dsa-test.c   |  96 +++
 testsuite/deterministic-ecdsa-test.c |  82 +
 13 files changed, 522 insertions(+), 4 deletions(-)
 create mode 100644 dsa-compute-k.c
 create mode 100644 dsa-compute-k.h
 create mode 100644 testsuite/deterministic-dsa-test.c
 create mode 100644 testsuite/deterministic-ecdsa-test.c

diff --git a/Makefile.in b/Makefile.in
index 29ad54d7..227c459a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -225,7 +225,8 @@ hogweed_SOURCES = sexp.c sexp-format.c \
 		  ed25519-sha512.c ed25519-sha512-pubkey.c \
 		  ed25519-sha512-sign.c ed25519-sha512-verify.c \
 		  ed448-shake256.c ed448-shake256-pubkey.c \
-		  ed448-shake256-sign.c ed448-shake256-verify.c
+		  ed448-shake256-sign.c ed448-shake256-verify.c \
+		  dsa-compute-k.c
 
 OPT_SOURCES = fat-arm.c fat-arm64.c fat-ppc.c fat-s390x.c fat-x86_64.c mini-gmp.c
 
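Review bot: dsa-compute-k.c is appended after the ed448-shake256-*.c entries at the tail of hogweed_SOURCES; since it is a DSA source, listing it beside the existing dsa-*.c entries earlier in the variable (outside this hunk) would keep related sources together and make the list easier to scan. The line-continuation change itself is right: the trailing backslash is added to the ed448-shake256-verify.c line and the new final line carries none.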
@@ -278,7 +279,7 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \
 	ctr-internal.h chacha-internal.h sha3-internal.h \
 	salsa20-internal.h umac-internal.h hogweed-internal.h \
 	rsa-internal.h pkcs1-internal.h dsa-internal.h eddsa-internal.h \
-	gmp-glue.h ecc-internal.h fat-setup.h oaep.h \
+	gmp-glue.h ecc-internal.h fat-setup.h oaep.h dsa-compute-k.h \
 	mini-gmp.h asm.m4 m4-utils.m4 \
 	nettle.texinfo nettle.info nettle.html nettle.pdf sha-example.c
 
diff --git a/dsa-compute-k.c b/dsa-compute-k.c
new file mode 100644
index ..28b4f6d5
--- /dev/null
+++ b/dsa-compute-k.c
@@ -0,0 +1,173 @@
+/* dsa-compute-k.c
+
+   The DSA publickey algorithm, deterministic nonce construction (RFC 6979).
+
+   Copyright (C) 2019-2024 Red Hat, Inc.
+
+   This file is part of GNU Nettle.
+
+   GNU Nettle is free software: you can redistribute it and/or
+   modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+   Software Foundation; either version 3 of the License, or (at your
+   option) any later version.
+
+   or
+
+ * the GNU General Public License as published by the Free
+   Software Foundation; either version 2 of the License, or (at your
+   option) any later version.
+
+   or both in parallel, as here.
+
+   GNU Nettle is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   General Public License for more details.
+
+   You should have received copies of the GNU General Public License and
+   the GNU Lesser General Public License along with this program.  If
+   not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "dsa-compute-k.h"
+
+#include "gmp-glue.h"
+#include "nettle-internal.h"
+#include 
+
+#define MIN(a,b) (((a) < (b)) ? (a) : (b))
+
+void
+_dsa_compute_k (mp_limb_t *k, const mp_limb_t *q, const mp_limb_t *x,
+		mp_bitcnt_t q_bits,
+		void *hmac_ctx, const struct nettle_mac
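Review bot: the `#include` directive that follows `#include "nettle-internal.h"` has no header name in the patch as archived here, so the file as shown would not compile; make sure the intended header is present in the actual commit. `MIN` is defined unconditionally; guarding it with `#ifndef MIN` (or reusing a shared definition, if one exists) avoids a redefinition warning should any included header already provide one. The visible prototype of `_dsa_compute_k` hands in the MAC as a `void *hmac_ctx` plus a `const struct nettle_mac` descriptor, so the file comment, which only names RFC 6979, should document what the caller must supply: which MAC is expected and who initialises `hmac_ctx`.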