lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <98005c8e-816f-4b58-9572-f2af538e6728@linux.ibm.com>
Date: Mon, 19 Feb 2024 09:40:38 -0500
From: Stefan Berger <stefanb@...ux.ibm.com>
To: Simo Sorce <simo@...hat.com>, keyrings@...r.kernel.org,
        linux-crypto@...r.kernel.org, herbert@...dor.apana.org.au,
        davem@...emloft.net
Cc: linux-kernel@...r.kernel.org, saulo.alessandre@....jus.br
Subject: Re: [PATCH v2 00/14] Add support for NIST P521 to ecdsa and ecdh



On 2/16/24 14:40, Simo Sorce wrote:
> On Fri, 2024-02-16 at 14:32 -0500, Stefan Berger wrote:
>>
>> On 2/16/24 14:27, Simo Sorce wrote:
>>> On Thu, 2024-02-15 at 18:13 -0500, Stefan Berger wrote:
>>>> This series of patches adds support for the NIST P521 curve to ecdsa and
>>>> ecdh. Test cases for NIST P521 are added to both modules.
>>>>
>>>> An issue with the current code in ecdsa and ecdh is that it assumes that
>>>> input arrays providing key coordinates for example, are arrays of digits
>>>> (a 'digit' is a 'u64'). This works well for all currently supported
>>>> curves, such as NIST P192/256/384, but does not work for NIST P521 where
>>>> coordinates are 8 digits + 2 bytes long. So some of the changes deal with
>>>> converting byte arrays to digits and digits to byte arrays.
>>>>
>>>>
>>>> Regards,
>>>>      Stefan
>>>>
>>>> v2:
>>>>    - Reformulated some patch descriptions
>>>>    - Fixed issue detected by krobot
>>>>    - Some other small changes to the code
>>>>
>>>> Stefan Berger (14):
>>>>     crypto: ecdsa - Convert byte arrays with key coordinates to digits
>>>>     crypto: ecdsa - Adjust tests on length of key parameters
>>>>     crypto: ecdsa - Extend res.x mod n calculation for NIST P521
>>>>     crypto: ecc - Implement vli_mmod_fast_521 for NIST p521
>>>>     crypto: ecc - For NIST P521 use vli_num_bits to get number of bits
>>>>     crypto: ecc - Add NIST P521 curve parameters
>>>>     crypto: ecdsa - Register NIST P521 and extend test suite
>>>>     x509: Add OID for NIST P521 and extend parser for it
>>>>     crypto: ecdh - Use properly formatted digits to check for valid key
>>>>     crypto: ecc - Implement ecc_digits_to_bytes to convert digits to byte
>>>>       array
>>>>     crypto: Add nbits field to ecc_curve structure
>>>>     crypto: ecc - Implement and use ecc_curve_get_nbytes to get curve's
>>>>       nbytes
>>>>     crypto: ecdh - Use functions to copy digits from and to byte array
>>>>     crypto: ecdh - Add support for NIST P521 and add test case
>>>>
>>>>    crypto/asymmetric_keys/x509_cert_parser.c |   3 +
>>>>    crypto/ecc.c                              |  71 +++++--
>>>>    crypto/ecc_curve_defs.h                   |  45 +++++
>>>>    crypto/ecdh.c                             |  59 +++++-
>>>>    crypto/ecdsa.c                            |  48 ++++-
>>>>    crypto/testmgr.c                          |  14 ++
>>>>    crypto/testmgr.h                          | 225 ++++++++++++++++++++++
>>>>    include/crypto/ecc_curve.h                |   3 +
>>>>    include/crypto/ecdh.h                     |   1 +
>>>>    include/crypto/internal/ecc.h             |  61 +++++-
>>>>    include/linux/oid_registry.h              |   1 +
>>>>    11 files changed, 495 insertions(+), 36 deletions(-)
>>>
>>> Hi Stefan,
>>> what kind of side-channel testing was performed on this code?
>>> And what is the use case you are adding it for?
>>
>> We're using public keys for signature verification. I am not aware that
>> public key usage is critical to side channels.
>>
>> The use case for adding it is primarily driven by closing a gap to
>> complete the support for the common ECDSA NIST curves.
> 
> Is there an assumption the ECDH code uses exclusively ephemeral keys?
> 
It can use both, provided keys and ephemeral keys. I think at this point 
it's best to drop ecdh support from this series.

    Stefan

> Simo.
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ