Topic: How to set a fixed per-message secret number of ECDSA in cyaSSL

Hi admin,

For clarification of the ECDSA algorithm with some specific crypto vectors, I want to set a fixed per-message secret number in the ECDSA algorithm.
Could you kindly let me know how to set a fixed per-message secret number in the ECDSA sign API (ecc_sign_hash)?

Thanks.

Re: How to set a fixed per-message secret number of ECDSA in cyaSSL

Are you sure you really want to do that? That's what got a large video game console manufacturer in trouble.

Re: How to set a fixed per-message secret number of ECDSA in cyaSSL

Hi John,

Thanks for your reply.
Yes, to check against the customer's requirement, we need to verify the output (signature) with the same input (per-message secret number). This is evidence to check whether the product can generate the same signature according to the crypto vectors.

Thus, could you please let me know how to get a fixed signature with a static per-message secret number in the ECDSA sign API (ecc_sign_hash)?

Many thanks.

Re: How to set a fixed per-message secret number of ECDSA in cyaSSL

ECDSA uses a random number as part of the signature process. If you call ecc_sign_hash() multiple times with the same data, you will get a different signature every time. But, all the signatures will verify correctly with ecc_verify_hash().  Do they provide the secret number in a PEM or DER wrapper?

5 (edited by windsp 2015-11-18 19:27:03)

Re: How to set a fixed per-message secret number of ECDSA in cyaSSL

Hi John,

Sorry for replying so late...
We are asked to calculate the secret number according to the message payload data. This code modification has been completed by our team members in a modified wolfSSL library.

Currently, we have been given another requirement for ECDSA exception handling. There are 2 conditions to check for exception handling in the ECDSA signing function [ecc_sign_hash()].

<< The request is described below: >>
When generating a digital signature, the application shall calculate a per-message Secret Number ‘k’.
1. If the value of 'k' so calculated is zero or greater than n-1, or
2. Results in an 'r' or 's' value of 0.
Then, a new value for k shall be re-calculated.

After checking the source code of the ecc_sign_hash() function, we think that the check for an 'r' or 's' value of 0 is included, but I am not sure if the check for the 'k' value (0 < k <= n-1) is included.

int ecc_sign_hash(const byte* in, word32 inlen, byte* out, word32 *outlen, 
                  RNG* rng, ecc_key* key)
{
   ...

   /* make up a key and export the public copy */
   if (err == MP_OKAY) {
       ecc_key pubkey;
       ecc_init(&pubkey);
       for (;;) {
           err = ecc_make_key_ex(rng, &pubkey, key->dp, NULL);
           if (err != MP_OKAY) break;

           /* find r = x1 mod n */
           err = mp_mod(&pubkey.pubkey.x, &p, &r);
           if (err != MP_OKAY) break;

           if (mp_iszero(&r) == MP_YES)         /*** <--- check r == 0 here. ***/
               ecc_free(&pubkey);
           else { 
               /* find s = (e + xr)/k */
               err = mp_invmod(&pubkey.k, &p, &pubkey.k);
               if (err != MP_OKAY) break;

               err = mp_mulmod(&key->k, &r, &p, &s);   /* s = xr */
               if (err != MP_OKAY) break;
           
               err = mp_add(&e, &s, &s);               /* s = e +  xr */
               if (err != MP_OKAY) break;

               err = mp_mod(&s, &p, &s);               /* s = e +  xr */
               if (err != MP_OKAY) break;

               err = mp_mulmod(&s, &pubkey.k, &p, &s); /* s = (e + xr)/k */
               if (err != MP_OKAY) break;

               ecc_free(&pubkey);
               if (mp_iszero(&s) == MP_NO)          /*** <--- check s != 0 here. ***/
                   break;
            }
       }
       ecc_free(&pubkey);
   }

   ...
}

Could you please let me know if the check of the 'k' value (0 < k <= n-1) is included in the ecc_sign_hash() function?
If it is not included, could you kindly guide me on how to modify the code to check the 'k' value against the 'n' value? We would like to modify the code to implement the checking mechanism.


Re: How to set a fixed per-message secret number of ECDSA in cyaSSL

Hi windsp,

Yes, ecc_sign_hash() checks to make sure the value of 'k' is within the required range.  You can see this in ./wolfcrypt/src/ecc.c, around line #1738:

   /* quick sanity check to make sure we're not dealing with a 0 key */
   if (err == MP_OKAY) {
       if (MP_YES == mp_iszero(&key->k))
           err = MP_ZERO_E;
   }

   /* the key should be smaller than the order of base point */
   if (err == MP_OKAY) {
       if (mp_cmp(&key->k, &order) != MP_LT)
           err = mp_mod(&key->k, &order, &key->k);
   }

Best Regards,
Chris
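
The re-calculation rule quoted earlier in the thread (a new k when k is zero or greater than n-1, or when r or s comes out as 0), written out as an added example; it is not part of any post and is not wolfSSL code. It assumes a textbook toy curve (y^2 = x^3 + 2x + 2 over GF(17), G = (5,1), order n = 19) so that the r == 0 and s == 0 branches can actually be reached; toy_sign, toy_verify and the caller-supplied candidate list are hypothetical names.

```c
/* Added example, not wolfSSL code. Toy curve y^2 = x^3 + 2x + 2 over GF(17),
 * G = (5,1), prime order n = 19: insecure, but r == 0 and s == 0 are reachable. */
enum { P = 17, A = 2, N = 19 };
typedef struct { int x, y, inf; } pt;
typedef struct { int r, s, k, rejected; } sig;
static const pt G = { 5, 1, 0 };

static int md(int v, int m) { v %= m; return v < 0 ? v + m : v; }
static int inv(int v, int m) {                  /* v^(m-2) mod m, m prime */
    int r = 1, e = m - 2;
    for (v = md(v, m); e; e >>= 1, v = v * v % m) if (e & 1) r = r * v % m;
    return r;
}
static pt add(pt a, pt b) {                     /* affine point addition */
    if (a.inf || b.inf) return a.inf ? b : a;
    if (a.x == b.x && md(a.y + b.y, P) == 0) return (pt){ 0, 0, 1 };
    int l = a.x == b.x ? md((3 * a.x * a.x + A) * inv(2 * a.y, P), P)
                       : md((b.y - a.y) * inv(b.x - a.x, P), P);
    int x = md(l * l - a.x - b.x, P);
    return (pt){ x, md(l * (a.x - x) - a.y, P), 0 };
}
static pt mul(int k, pt g) {                    /* double-and-add, k >= 0 */
    pt r = { 0, 0, 1 };
    for (; k; k >>= 1, g = add(g, g)) if (k & 1) r = add(r, g);
    return r;
}

/* Walk the candidate k values; reject k == 0, k > n-1, r == 0 or s == 0.
 * Returns 0 with the signature in *out, or -1 if every candidate failed. */
int toy_sign(int e, int d, const int *cand, int n, sig *out) {
    out->rejected = 0;
    for (int i = 0; i < n; i++, out->rejected++) {
        int k = cand[i];
        if (k < 1 || k > N - 1) continue;             /* condition 1: k range */
        int r = md(mul(k, G).x, N);                   /* r = x1 mod n */
        int s = md(inv(k, N) * md(e + d * r, N), N);  /* s = (e + d*r)/k mod n */
        if (r == 0 || s == 0) continue;               /* condition 2 */
        out->r = r; out->s = s; out->k = k;
        return 0;
    }
    return -1;
}

/* Standard ECDSA check of (r, s) on hash value e against public point q. */
int toy_verify(int e, pt q, int r, int s) {
    if (r < 1 || r > N - 1 || s < 1 || s > N - 1) return 0;
    int w = inv(s, N);
    pt x = add(mul(md(e * w, N), G), mul(md(r * w, N), q));
    return !x.inf && md(x.x, N) == r;
}
```

With the constructed inputs e = 11, d = 5 and candidates {0, 19, 7, 8, 3}, the first four are rejected (out of range twice, then r == 0, then s == 0) and k = 3 gives (r, s) = (10, 14), which toy_verify accepts for Q = 5G = (9, 16).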

Re: How to set a fixed per-message secret number of ECDSA in cyaSSL

Hi Chrisc,

Thanks for your kind comments; they are really helpful to us.


Best regards,
Ryan
