Skip to content
  1. Jul 16, 2018
    • Nicola Tuveri's avatar
      EC2M Lopez-Dahab ladder: use it also for ECDSA verify · 01ad66f8
      Nicola Tuveri authored
      
      
      By default `ec_scalar_mul_ladder` (which uses the Lopez-Dahab ladder
      implementation) is used only for (k * Generator) or (k * VariablePoint).
      ECDSA verification uses (a * Generator + b * VariablePoint): this commit
      forces the use of `ec_scalar_mul_ladder` also for the ECDSA verification
      path, while using the default wNAF implementation for any other case.
      
      With this commit `ec_scalar_mul_ladder` loses the static attribute, and
      is added to ec_lcl.h so EC_METHODs can directly use it.
      
      While working on a new custom EC_POINTs_mul implementation, I realized
      that many checks (e.g. all the points being compatible with the given
      EC_GROUP, creating a temporary BN_CTX if `ctx == NULL`, check for the
      corner case `scalar == NULL && num == 0`) were duplicated again and
      again in every single implementation (and actually some
      implementations lacked some of the tests).
      I thought that it makes way more sense for those checks that are
      independent from the actual implementation and should always be done, to
      be moved in the EC_POINTs_mul wrapper: so this commit also includes
      these changes.
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6690)
      01ad66f8
    • Nicola Tuveri's avatar
      EC2M Lopez-Dahab ladder implementation · f45846f5
      Nicola Tuveri authored
      This commit uses the new ladder scaffold to implement a specialized
      ladder step based on differential addition-and-doubling in mixed
      Lopez-Dahab projective coordinates, modified to independently blind the
      operands.
      
      The arithmetic in `ladder_pre`, `ladder_step` and `ladder_post` is
      auto generated with tooling:
      - see, e.g., "Guide to ECC" Alg 3.40 for reference about the
        `ladder_pre` implementation;
      - see https://www.hyperelliptic.org/EFD/g12o/auto-code/shortw/xz/ladder/mladd-2003-s.op3
      
      
        for the differential addition-and-doubling formulas implemented in
        `ladder_step`;
      - see, e.g., "Fast Multiplication on Elliptic Curves over GF(2**m)
        without Precomputation" (Lopez and Dahab, CHES 1999) Appendix Alg Mxy
        for the `ladder_post` implementation to recover the `(x,y)` result in
        affine coordinates.
      
      Co-authored-by: default avatarBilly Brumley <bbrumley@gmail.com>
      Co-authored-by: default avatarSohaib ul Hassan <soh.19.hassan@gmail.com>
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6690)
      f45846f5
    • Billy Brumley's avatar
      [test] test some important ladder corner cases · 66b0bca8
      Billy Brumley authored
      
      and catch corner cases better and earlier
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6690)
      66b0bca8
    • Nicola Tuveri's avatar
      EC point multiplication: add `ladder` scaffold · 37124360
      Nicola Tuveri authored
      
      for specialized Montgomery ladder implementations
      
      PR #6009 and #6070 replaced the default EC point multiplication path for
      prime and binary curves with a unified Montgomery ladder implementation
      with various timing attack defenses (for the common paths when a secret
      scalar is feed to the point multiplication).
      The newly introduced default implementation directly used
      EC_POINT_add/dbl in the main loop.
      
      The scaffolding introduced by this commit allows EC_METHODs to define a
      specialized `ladder_step` function to improve performances by taking
      advantage of efficient formulas for differential addition-and-doubling
      and different coordinate systems.
      
      - `ladder_pre` is executed before the main loop of the ladder: by
        default it copies the input point P into S, and doubles it into R.
        Specialized implementations could, e.g., use this hook to transition
        to different coordinate systems before copying and doubling;
      - `ladder_step` is the core of the Montgomery ladder loop: by default it
        computes `S := R+S; R := 2R;`, but specific implementations could,
        e.g., implement a more efficient formula for differential
        addition-and-doubling;
      - `ladder_post` is executed after the Montgomery ladder loop: by default
        it's a noop, but specialized implementations could, e.g., use this
        hook to transition back from the coordinate system used for optimizing
        the differential addition-and-doubling or recover the y coordinate of
        the result point.
      
      This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`,
      as it better corresponds to what this function does: nothing can be
      truly said about the constant-timeness of the overall execution of this
      function, given that the underlying operations are not necessarily
      constant-time themselves.
      What this implementation ensures is that the same fixed sequence of
      operations is executed for each scalar multiplication (for a given
      EC_GROUP), with no dependency on the value of the input scalar.
      
      Co-authored-by: default avatarSohaib ul Hassan <soh.19.hassan@gmail.com>
      Co-authored-by: default avatarBilly Brumley <bbrumley@gmail.com>
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6690)
      37124360
    • Nicola Tuveri's avatar
      Remove stale SM2 error codes · 51f3021d
      Nicola Tuveri authored
      
      
      Run `make update ERROR_REBUILD=-rebuild` to remove some stale error
      codes for SM2 (which is now using its own submodule for error codes,
      i.e., `SM2_*`).
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6690)
      51f3021d
  2. Jul 15, 2018
  3. Jul 14, 2018
  4. Jul 13, 2018
  5. Jul 12, 2018
  6. Jul 11, 2018
  7. Jul 10, 2018
  8. Jul 09, 2018