Sat, 28 Mar 2020 at 11:30, Kinichiro Inoguchi <kinichiro.inogu...@gmail.com>:
>
> Hi,
>
> I have 3 questions,
> - parameter set values for Twisted Edwards
> - description in _ec_list_element_st
> - naming about object identifier
>
> details are described below.
>
>
> On Thu, Mar 26, 2020 at 09:25:57PM +0300, dbarysh...@gmail.com wrote:
> > From: Dmitry Baryshkov <dbarysh...@gmail.com>
> >
> > Add support for GOST curves defined by RFC 7836 and
> > draft-deremin-rfc4491-bis. Add aliases for 256-bit GOST curves (see
> > draft-smyshlyaev-tls12-gost-suites).
> >
> > Sponsored by ROSA Linux.
> >
> > Signed-off-by: Dmitry Baryshkov <dbarysh...@gmail.com>
> > ---
> >  src/lib/libcrypto/ec/ec_curve.c       | 158 +++++++++++++++++++++++++-
> >  src/lib/libcrypto/objects/obj_mac.num |   6 +
> >  src/lib/libcrypto/objects/objects.txt |  10 +-
> >  3 files changed, 168 insertions(+), 6 deletions(-)
> >
> > diff --git a/src/lib/libcrypto/ec/ec_curve.c 
> > b/src/lib/libcrypto/ec/ec_curve.c
> > index e075b1ed3ea5..a1bc88ee2cc6 100644
> > --- a/src/lib/libcrypto/ec/ec_curve.c
> > +++ b/src/lib/libcrypto/ec/ec_curve.c
> > @@ -2900,11 +2900,101 @@ static const struct {
> >       }
> >  };
> >
> > +static const struct {
> > +     EC_CURVE_DATA h;
> > +     unsigned char data[0 + 32 * 6];
> > +}
> > + _EC_GOST_2012_256_TC26_A = {
> > +     {
> > +             NID_X9_62_prime_field, 0, 32, 1
> > +     },
> > +     {                       /* no seed */
> > +             0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,   
> >   /* p */
> > +             0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> > +             0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> > +             0xFD, 0x97,
> > +             0xc2, 0x17, 0x3f, 0x15, 0x13, 0x98, 0x16, 0x73, 0xaf, 0x48,   
> >   /* a */
> > +             0x92, 0xc2, 0x30, 0x35, 0xa2, 0x7c, 0xe2, 0x5e, 0x20, 0x13,
> > +             0xbf, 0x95, 0xaa, 0x33, 0xb2, 0x2c, 0x65, 0x6f, 0x27, 0x7e,
> > +             0x73, 0x35,
> > +             0x29, 0x5f, 0x9b, 0xae, 0x74, 0x28, 0xed, 0x9c, 0xcc, 0x20,   
> >   /* b */
> > +             0xe7, 0xc3, 0x59, 0xa9, 0xd4, 0x1a, 0x22, 0xfc, 0xcd, 0x91,
> > +             0x08, 0xe1, 0x7b, 0xf7, 0xba, 0x93, 0x37, 0xa6, 0xf8, 0xae,
> > +             0x95, 0x13,
> > +             0x91, 0xe3, 0x84, 0x43, 0xa5, 0xe8, 0x2c, 0x0d, 0x88, 0x09,   
> >   /* x */
> > +             0x23, 0x42, 0x57, 0x12, 0xb2, 0xbb, 0x65, 0x8b, 0x91, 0x96,
> > +             0x93, 0x2e, 0x02, 0xc7, 0x8b, 0x25, 0x82, 0xfe, 0x74, 0x2d,
> > +             0xaa, 0x28,
> > +             0x32, 0x87, 0x94, 0x23, 0xab, 0x1a, 0x03, 0x75, 0x89, 0x57,   
> >   /* y */
> > +             0x86, 0xc4, 0xbb, 0x46, 0xe9, 0x56, 0x5f, 0xde, 0x0b, 0x53,
> > +             0x44, 0x76, 0x67, 0x40, 0xaf, 0x26, 0x8a, 0xdb, 0x32, 0x32,
> > +             0x2e, 0x5c,
> > +             0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   
> >   /* order */
> > +             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0xd8, 0xcd, 0xdf,
> > +             0xc8, 0x7b, 0x66, 0x35, 0xc1, 0x15, 0xaf, 0x55, 0x6c, 0x36,
> > +             0x0c, 0x67,
> > +     }
> > +};
> > +
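Review bot: the header line "NID_X9_62_prime_field, 0, 32, 1" declares cofactor 1, but the order bytes begin with 0x40 while p is 0xFF..FD97, so the stored order is about a quarter of p. By Hasse's bound the whole curve has roughly p points, which makes this value the order of the prime subgroup and means the cofactor field should be 4. The hex digits are also mixed case (0xFF, 0xFD in p, lowercase everywhere else); one style throughout would match the rest of the table.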
>
>
> This diff adds * below, and the 2 Twisted Edwards ones miss m,e,d,u,v.
> Is this as you expected for now?
>
>   Canonical:
>   *id-tc26-gost-3410-2012-512-paramSetTest order = m = q
>    id-tc26-gost-3410-2012-512-paramSetA    order = m = q
>    id-tc26-gost-3410-2012-512-paramSetB    order = m = q
>
>   Twisted Edwards:
>   *id-tc26-gost-3410-2012-512-paramSetC    order = q, misses m,e,d,u,v
>   *id-tc26-gost-3410-2012-256-paramSetA    order = q, misses m,e,d,u,v

This is expected. These curves are defined in Weierstrass form (a, b,
x, y) and in birationally equivalent Twisted Edwards form (e, d, u,
v). One can perform calculations in any of these forms. In this RFC m
is the order of the whole curve, q is the order of the subgroup.
Version 2 of the patch will fix cofactors.


> >  #endif
> >
> >  typedef struct _ec_list_element_st {
> > @@ -3147,8 +3291,14 @@ static const ec_list_element curve_list[] = {
> >       {NID_id_GostR3410_2001_CryptoPro_C_ParamSet, 
> > &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2001 CryptoPro-C"},
> >       {NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet, 
> > &_EC_GOST_2001_CryptoPro_A.h, 0, "GOST R 34.10-2001 CryptoPro-XchA"},
> >       {NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet, 
> > &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2001 CryptoPro-XchB"},
> > -     {NID_id_tc26_gost_3410_2012_512_paramSetA, &_EC_GOST_2012_TC26_A.h, 
> > 0, "GOST R 34.10-2012 TC26-A"},
> > -     {NID_id_tc26_gost_3410_2012_512_paramSetB, &_EC_GOST_2012_TC26_B.h, 
> > 0, "GOST R 34.10-2012 TC26-B"},
> > +     {NID_id_tc26_gost_3410_2012_256_paramSetA, 
> > &_EC_GOST_2012_256_TC26_A.h, 0, "GOST R 34.10-2012 256 TC26-A"},
> > +     {NID_id_tc26_gost_3410_2012_256_paramSetB, 
> > &_EC_GOST_2001_CryptoPro_A.h, 0, "GOST R 34.10-2001 512 TC26-B"},
> > +     {NID_id_tc26_gost_3410_2012_256_paramSetC, 
> > &_EC_GOST_2001_CryptoPro_B.h, 0, "GOST R 34.10-2001 512 TC26-C"},
> > +     {NID_id_tc26_gost_3410_2012_256_paramSetD, 
> > &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2012 512 TC26-D"},
>
>
> Are the 4th parameters above respectively
> "GOST R 34.10-2012 256 TC26-B" ?
> "GOST R 34.10-2012 256 TC26-C" ?
> "GOST R 34.10-2012 256 TC26-D" ?

Yes. C&P error. Fixing now.

> > +     {NID_id_tc26_gost_3410_2012_512_paramSetTest, 
> > &_EC_GOST_2012_512_Test.h, 0, "GOST R 34.10-2012 512 Test Curve"},
> > +     {NID_id_tc26_gost_3410_2012_512_paramSetA, 
> > &_EC_GOST_2012_512_TC26_A.h, 0, "GOST R 34.10-2012 512 TC26-A"},
> > +     {NID_id_tc26_gost_3410_2012_512_paramSetB, 
> > &_EC_GOST_2012_512_TC26_B.h, 0, "GOST R 34.10-2012 512 TC26-B"},
> > +     {NID_id_tc26_gost_3410_2012_512_paramSetC, 
> > &_EC_GOST_2012_512_TC26_C.h, 0, "GOST R 34.10-2012 512 TC26-C"},
> >  #endif
> >  };
> >
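Review bot: the description strings for the three 256-bit aliases do not match their NIDs: NID_id_tc26_gost_3410_2012_256_paramSetB, C and D are labelled "GOST R 34.10-2001 512 TC26-B", "GOST R 34.10-2001 512 TC26-C" and "GOST R 34.10-2012 512 TC26-D". They should follow the paramSetA line above them, i.e. "GOST R 34.10-2012 256 TC26-B" and so on. A one-line comment saying that these three entries deliberately reuse the _EC_GOST_2001_CryptoPro_A/B/C data would also keep a later reader from treating the shared pointers as a mistake.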
> > diff --git a/src/lib/libcrypto/objects/obj_mac.num 
> > b/src/lib/libcrypto/objects/obj_mac.num
> > index 8405ba5e319b..a7cfe548d6bd 100644
> > --- a/src/lib/libcrypto/objects/obj_mac.num
> > +++ b/src/lib/libcrypto/objects/obj_mac.num
> > @@ -990,3 +990,9 @@ dhSinglePass_cofactorDH_sha512kdf_scheme  989
> >  dh_std_kdf   990
> >  dh_cofactor_kdf      991
> >  pSpecified   992
> > +id_tc26_gost_3410_2012_256_paramSetA         993
> > +id_tc26_gost_3410_2012_256_paramSetB         994
> > +id_tc26_gost_3410_2012_256_paramSetC         995
> > +id_tc26_gost_3410_2012_256_paramSetD         996
> > +id_tc26_gost_3410_2012_512_paramSetTest              997
> > +id_tc26_gost_3410_2012_512_paramSetC         998
> > diff --git a/src/lib/libcrypto/objects/objects.txt 
> > b/src/lib/libcrypto/objects/objects.txt
> > index ea7700724f00..e097c50e696b 100644
> > --- a/src/lib/libcrypto/objects/objects.txt
> > +++ b/src/lib/libcrypto/objects/objects.txt
> > @@ -1372,8 +1372,14 @@ member-body 643 7 1    : tc26
> >  tc26 1 2 2           : streebog256 : GOST R 34.11-2012 (256 bit)
> >  !Cname id-tc26-gost3411-2012-512
> >  tc26 1 2 3           : streebog512 : GOST R 34-11-2012 (512 bit)
> > -tc26 2 1 2 1         : id-tc26-gost-3410-2012-512-paramSetA
> > -tc26 2 1 2 2         : id-tc26-gost-3410-2012-512-paramSetB
> > +tc26 2 1 1 1         : id-tc26-gost-3410-2012-256-paramSetA : GOST R 
> > 34.10-2012 (256 bit) ParamSet A
> > +tc26 2 1 1 2         : id-tc26-gost-3410-2012-256-paramSetB : GOST R 
> > 34.10-2012 (256 bit) ParamSet B
> > +tc26 2 1 1 3         : id-tc26-gost-3410-2012-256-paramSetC : GOST R 
> > 34.10-2012 (256 bit) ParamSet C
> > +tc26 2 1 1 4         : id-tc26-gost-3410-2012-256-paramSetD : GOST R 
> > 34.10-2012 (256 bit) ParamSet D
> > +tc26 2 1 2 0         : id-tc26-gost-3410-2012-512-paramSetTest : GOST R 
> > 34.10-2012 (512 bit) testing parameter set
> > +tc26 2 1 2 1         : id-tc26-gost-3410-2012-512-paramSetA : GOST R 
> > 34.10-2012 (512 bit) ParamSet A
> > +tc26 2 1 2 2         : id-tc26-gost-3410-2012-512-paramSetB : GOST R 
> > 34.10-2012 (512 bit) ParamSet B
>
>
> These 2 are added in obj_mac.num and objects.txt (-2012-).
>   id-tc26-gost-3410-2012-512-paramSetA
>   id-tc26-gost-3410-2012-512-paramSetB

These two are already present in LibreSSL's sources, I've just added LNs.
They were added a long time ago, when there was a discrepancy over
whether -2012- or -12- should be used.

> But in RFC7836 these 2 parameter set object identifiers are described (-12-),
>   id-tc26-gost-3410-12-512-paramSetA
>   id-tc26-gost-3410-12-512-paramSetB
>
> Is -2012- right ?
> I thought this diff would be right and the RFC should be fixed.

I have followed OpenSSL's lead here (they use -2012-). The registry
uses -12- however (see
https://tc26.ru/about/protsedury-i-reglamenty/identifikatory-obektov-oid-tekhnicheskogo-komiteta-po-standartizatsii-kriptograficheskaya-zashchita-1.html).
I'll change all of them to -12-.

> > +tc26 2 1 2 3         : id-tc26-gost-3410-2012-512-paramSetC : GOST R 
> > 34.10-2012 (512 bit) ParamSet C
> >  tc26 2 5 1 1         : id-tc26-gost-28147-param-Z
> >  tc26 1 1 1           : id-tc26-gost3410-2012-256 : GOST R 34.10-2012 (256 
> > bit)
> >  tc26 1 1 2           : id-tc26-gost3410-2012-512 : GOST R 34.10-2012 (512 
> > bit)
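Review bot: the short names added here spell the year as -2012- (for example "id-tc26-gost-3410-2012-256-paramSetA"), while the identifiers quoted from RFC 7836 in this thread use -12-. Whichever spelling is kept, the names in this hunk, the six obj_mac.num entries 993-998 and the NID_id_tc26_gost_3410_2012_* references in curve_list are derived from one another and need to change in the same commit. The long names are also inconsistent: "testing parameter set" for paramSetTest against "ParamSet A" for the others.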

-- 
With best wishes
Dmitry
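
The m versus q point in the reply above, as an added example that is not part of the patch or of LibreSSL: it checks that the base point lies on the Weierstrass curve and infers the cofactor from Hasse's bound. The values are transcribed from the quoted _EC_GOST_2012_256_TC26_A byte array; the function names are hypothetical.

```python
# Added example (not LibreSSL code): sanity-check one curve table entry.
from math import isqrt

# p, a, b, x, y, order as in the quoted _EC_GOST_2012_256_TC26_A byte array.
P = 2**256 - 617  # 0xFF..FD97
A = 0xC2173F15_13981673_AF4892C2_3035A27C_E25E2013_BF95AA33_B22C656F_277E7335
B = 0x295F9BAE_7428ED9C_CC20E7C3_59A9D41A_22FCCD91_08E17BF7_BA9337A6_F8AE9513
X = 0x91E38443_A5E82C0D_88092342_5712B2BB_658B9196_932E02C7_8B2582FE_742DAA28
Y = 0x32879423_AB1A0375_895786C4_BB46E956_5FDE0B53_44766740_AF268ADB_32322E5C
Q = (0x40 << 248) + 0x0FD8CDDF_C87B6635_C115AF55_6C360C67
DECLARED_COFACTOR = 1  # fourth field of the quoted EC_CURVE_DATA header


def on_curve(p, a, b, x, y):
    """True if (x, y) satisfies y^2 = x^3 + a*x + b (mod p)."""
    return (y * y - (x * x * x + a * x + b)) % p == 0


def cofactor_from_hasse(p, q):
    """Infer h from Hasse's bound |h*q - (p + 1)| <= 2*sqrt(p).

    Returns None when q is too small for h to be unique or when no
    integer h fits, which points at a wrong p/order pair.
    """
    bound = 2 * isqrt(p) + 2  # integer upper bound on 2*sqrt(p)
    if q <= 2 * bound:
        return None
    h = (p + 1 + q // 2) // q  # nearest integer to (p + 1) / q
    return h if abs(h * q - (p + 1)) <= bound else None


def check_entry(p, a, b, x, y, q, declared_h):
    """Report whether the base point is on the curve and the cofactor fits."""
    h = cofactor_from_hasse(p, q)
    return {
        "on_curve": on_curve(p, a, b, x, y),
        "inferred_cofactor": h,
        "cofactor_ok": h is not None and h == declared_h,
    }


if __name__ == "__main__":
    print(check_entry(P, A, B, X, Y, Q, DECLARED_COFACTOR))
```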
