Commit 4418b01d authored by Niels Möller's avatar Niels Möller

Better point compare for _eddsa_verify.

parent 3ddcb5d1
2014-10-14 Niels Möller <nisse@lysator.liu.se> 2014-10-14 Niels Möller <nisse@lysator.liu.se>
* eddsa-verify.c (equal_h): New function.
(_eddsa_verify): Use it for a proper point compare, replacing an
ecc_add_ehh.
* testsuite/eddsa-verify-test.c: New testcase. * testsuite/eddsa-verify-test.c: New testcase.
* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added
eddsa-verify-test.c. eddsa-verify-test.c.
......
...@@ -41,14 +41,29 @@ ...@@ -41,14 +41,29 @@
#include "ecc-internal.h" #include "ecc-internal.h"
#include "nettle-meta.h" #include "nettle-meta.h"
/* FIXME: Use mpn_zero_p. Also duplicated in ecc-ecdsa-verify.c. */ /* Checks if x1/z1 == x2/z2 (mod p). Assumes z1 and z2 are
non-zero. */
static int static int
zero_p (const mp_limb_t *xp, mp_size_t n) equal_h (const struct ecc_modulo *p,
const mp_limb_t *x1, const mp_limb_t *z1,
const mp_limb_t *x2, const mp_limb_t *z2,
mp_limb_t *scratch)
{ {
while (n > 0) #define t0 scratch
if (xp[--n] > 0) #define t1 (scratch + p->size)
return 0;
return 1; ecc_mod_mul (p, t0, x1, z2);
if (mpn_cmp (t0, p->m, p->size) >= 0)
mpn_sub_n (t0, t0, p->m, p->size);
ecc_mod_mul (p, t1, x2, z1);
if (mpn_cmp (t1, p->m, p->size) >= 0)
mpn_sub_n (t1, t1, p->m, p->size);
return mpn_cmp (t0, t1, p->size) == 0;
#undef t0
#undef t1
} }
mp_size_t mp_size_t
...@@ -98,19 +113,17 @@ _eddsa_verify (const struct ecc_curve *ecc, ...@@ -98,19 +113,17 @@ _eddsa_verify (const struct ecc_curve *ecc,
/* Compute h A + R - s G, which should be the neutral point */ /* Compute h A + R - s G, which should be the neutral point */
ecc->mul (ecc, P, hp, A, scratch_out); ecc->mul (ecc, P, hp, A, scratch_out);
/* FIXME: Introduce an ecc->add method? */
ecc_add_eh (ecc, P, P, R, scratch_out); ecc_add_eh (ecc, P, P, R, scratch_out);
/* Produces s in the range 1 <= s <= q, with no carry. */ /* Move out of the way. */
mpn_sub_n (hp, ecc->q.m, sp, ecc->q.size); mpn_copyi (hp, sp, ecc->q.size);
ecc->mul_g (ecc, S, hp, scratch_out); ecc->mul_g (ecc, S, hp, scratch_out);
ecc_add_ehh (ecc, P, P, S, scratch_out);
return equal_h (&ecc->p,
/* Zero point iff x == 0 (mod p) iff (x == 0 or x == p) */ P, P + 2*ecc->p.size,
/* FIXME: Needs to differentiate between (0,1) and (0,-1). Implement S, S + 2*ecc->p.size, scratch_out)
point compare instead of the above ecc_add_ehh? && equal_h (&ecc->p,
/* FIXME: Introduce zero_p method? */ P + ecc->p.size, P + 2*ecc->p.size,
return (zero_p (P, ecc->p.size) S + ecc->p.size, S + 2*ecc->p.size, scratch_out);
|| mpn_cmp (P, ecc->p.m, ecc->p.size) == 0);
#undef R #undef R
#undef sp #undef sp
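Review bot: The context comment kept at the top of the second hunk, `/* Compute h A + R - s G, which should be the neutral point */`, no longer describes the new code, which leaves h A + R in P, computes s G into S, and compares the two with equal_h instead of adding -s G and testing for the neutral point; change it to `/* Compute h A + R and s G, and check that they are equal as points. */`. The `/* Move out of the way. */` comment on the mpn_copyi line would help more if it said what is being moved away from; presumably sp lives in scratch space that ecc->mul_g reuses, but that is not visible in this hunk. In equal_h (first hunk) the scratch contract is undocumented: t1 starts at scratch + p->size, so the caller must supply at least 2*p->size limbs plus whatever ecc_mod_mul needs at its destination, and the canonicalising mpn_sub_n after each product assumes ecc_mod_mul returns a value below 2*p; both assumptions belong in the header comment, e.g. `/* scratch needs 2*p->size limbs plus ecc_mod_mul's destination space; relies on ecc_mod_mul returning r < 2p. */`. Since everything compared here is public signature-verification data, the data-dependent timing of mpn_cmp is acceptable, and saying so in equal_h's comment keeps the helper from being reused on secret values. _eddsa_verify's body starts and ends outside this hunk.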
......