Commit d583973e authored by Niels Möller's avatar Niels Möller

ECDH tests for additional curves.

parent 3112b263
2014-08-24 Niels Möller <nisse@lysator.liu.se>
* testsuite/ecdh-test.c: Test ecc_point_mul and ecc_point_mul_g,
using test data generated by ecc-ref.gp.
using test data generated by ecc-ref.gp. Tests for all curves
except curve25519, which doesn't yet work with the general
ecc_point interface.
* testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdh-test.c.
* misc/ecc-ref.gp: Script to generate ECDH test data.
......
......@@ -9,22 +9,113 @@ out(apriv, A, bpriv, B, S) = print( \
"/* b_y */ \"", component(B[2], 2), "\",\n", \
"/* s_x */ \"", component(S[1], 2), "\",\n", \
"/* s_y */ \"", component(S[2], 2), "\",");
p192 = 2^192 - 2^64 - 1;
b192 = 2455155546008943817740293915197451784769108058161191238065;
g192 = Mod([602046282375688656758213480587526111916698976636884684818, \
g = Mod([602046282375688656758213480587526111916698976636884684818, \
174050332293622031404857552280219410364023488927386650641], p192);
secp192 = ellinit(Mod([0,0,0,-3, b192], p192));
q192 = 6277101735386680763835789423176059013767194773182842284081;
if (ellorder(secp192, g192) != q192, error("secp192 parameter error"));
a192 = 1+random(q192-1);
b192 = 1+random(q192-1);
A192 = ellpow(secp192, g192, a192);
B192 = ellpow(secp192, g192, b192);
S192 = ellpow(secp192, A192, b192);
if (S192 != ellpow(secp192, B192, a192), error("secp192 dh error"));
q = 6277101735386680763835789423176059013767194773182842284081;
if (ellpow(secp192, g, q) != [0], error("secp192 parameter error"));
a = 1+random(q-1);
b = 1+random(q-1);
A = ellpow(secp192, g, a);
B = ellpow(secp192, g, b);
S = ellpow(secp192, A, b);
if (S != ellpow(secp192, B, a), error("secp192 dh error"));
print("secp192");
out(a192, A192, b192, B192, S192);
out(a, A, b, B, S);
p224 = 2^224 - 2^96 + 1;
b224 = 18958286285566608000408668544493926415504680968679321075787234672564;
g = Mod([19277929113566293071110308034699488026831934219452440156649784352033,\
19926808758034470970197974370888749184205991990603949537637343198772], p224);
secp224 = ellinit(Mod([0,0,0,-3, b224], p224));
q = 26959946667150639794667015087019625940457807714424391721682722368061;
if (ellpow(secp224, g, q) != [0], error("secp224 parameter error"));
a = 1+random(q-1);
b = 1+random(q-1);
A = ellpow(secp224, g, a);
B = ellpow(secp224, g, b);
S = ellpow(secp224, A, b);
if (S != ellpow(secp224, B, a), error("secp224 dh error"));
print("secp224");
out(a, A, b, B, S);
p256 = 2^256 - 2^224 + 2^192 + 2^96 - 1;
b256 = 41058363725152142129326129780047268409114441015993725554835256314039467401291;
g = Mod([48439561293906451759052585252797914202762949526041747995844080717082404635286,\
36134250956749795798585127919587881956611106672985015071877198253568414405109], p256);
secp256 = ellinit(Mod([0,0,0,-3, b256], p256));
q = 115792089210356248762697446949407573529996955224135760342422259061068512044369;
if (ellpow(secp256, g, q) != [0], error("secp256 parameter error"));
a = 1+random(q-1);
b = 1+random(q-1);
A = ellpow(secp256, g, a);
B = ellpow(secp256, g, b);
S = ellpow(secp256, A, b);
if (S != ellpow(secp256, B, a), error("secp256 dh error"));
print("secp256");
out(a, A, b, B, S);
p384 = 2^384 - 2^128 - 2^96 + 2^32 - 1;
b384 = 27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575;
g = Mod([26247035095799689268623156744566981891852923491109213387815615900925518854738050089022388053975719786650872476732087,\
8325710961489029985546751289520108179287853048861315594709205902480503199884419224438643760392947333078086511627871], p384);
secp384 = ellinit(Mod([0,0,0,-3, b384], p384));
q = 39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643;
if (ellpow(secp384, g, q) != [0], error("secp384 parameter error"));
a = 1+random(q-1);
b = 1+random(q-1);
A = ellpow(secp384, g, a);
B = ellpow(secp384, g, b);
S = ellpow(secp384, A, b);
if (S != ellpow(secp384, B, a), error("secp384 dh error"));
print("secp384");
out(a, A, b, B, S);
p521 = 2^521 - 1;
b521 = 1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984;
g = Mod([2661740802050217063228768716723360960729859168756973147706671368418802944996427808491545080627771902352094241225065558662157113545570916814161637315895999846,\
3757180025770020463545507224491183603594455134769762486694567779615544477440556316691234405012945539562144444537289428522585666729196580810124344277578376784], p521);
secp521 = ellinit(Mod([0,0,0,-3, b521], p521));
q = 6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449;
if (ellpow(secp521, g, q) != [0], error("secp521 parameter error"));
a = 1+random(q-1);
b = 1+random(q-1);
A = ellpow(secp521, g, a);
B = ellpow(secp521, g, b);
S = ellpow(secp521, A, b);
if (S != ellpow(secp521, B, a), error("secp521 dh error"));
print("secp521");
out(a, A, b, B, S);
p25519 = 2^255 - 19;
b25519 = 486662;
x = Mod(9, p25519);
y = sqrt(x^3 + b25519*x^2 + x);
g = [x, y];
curve25519 = ellinit(Mod([0, b25519, 0, 1, 0], p25519));
q = 2^252 + 27742317777372353535851937790883648493;
if (ellpow(curve25519, g, q) != [0], error("curve25519 parameter error"));
a = 1+random(q-1);
b = 1+random(q-1);
A = ellpow(curve25519, g, a);
B = ellpow(curve25519, g, b);
S = ellpow(curve25519, A, b);
if (S != ellpow(curve25519, B, a), error("curve25519 dh error"));
print("curve25519");
out(a, A, b, B, S);
quit
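Review bot: The order check `if (ellpow(secp192, g, q) != [0], error("secp192 parameter error"));` only establishes that the order of g divides q, whereas the `ellorder(secp192, g192) != q192` form it appears to replace compared the order exactly. The two agree only when q is prime, and the script never asserts that. Adding `if (!isprime(q), error("secp192 order not prime"));` next to the check would make the generated vectors rest on a verified subgroup order. The same applies to the secp224, secp256, secp384, secp521 and curve25519 blocks, which repeat the pattern.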
......@@ -54,7 +54,7 @@ set_scalar (struct ecc_scalar *s,
}
static void
check_point (const char *label,
check_point (const char *name, const char *label,
const struct ecc_point *P,
const struct ecc_point *R)
{
......@@ -69,9 +69,9 @@ check_point (const char *label,
ecc_point_get (R, rx, ry);
/* FIXME: Should have a public point compare function */
if (mpz_cmp (px, rx) != 0 || mpz_cmp (py, ry) != 0)
if (mpz_cmp (px, rx) != 0 || mpz_cmp (py, ry) != 0)
{
fprintf (stderr, "Failed %s\np_x = ", label);
fprintf (stderr, "Failed %s %s\np_x = ", name, label);
mpz_out_str (stderr, 10, px);
fprintf (stderr, "\nr_x = ");
mpz_out_str (stderr, 10, rx);
......@@ -89,7 +89,7 @@ check_point (const char *label,
}
static void
test_dh (const struct ecc_curve *ecc,
test_dh (const char *name, const struct ecc_curve *ecc,
const char *a_priv, const char *ax, const char *ay,
const char *b_priv, const char *bx, const char *by,
const char *sx, const char *sy)
......@@ -113,16 +113,16 @@ test_dh (const struct ecc_curve *ecc,
ecc_point_init (&T, ecc);
ecc_point_mul_g (&T, &A_priv);
check_point ("a g", &T, &A);
check_point (name, "a g", &T, &A);
ecc_point_mul (&T, &B_priv, &T);
check_point ("b (a g)", &T, &S);
check_point (name, "b (a g)", &T, &S);
ecc_point_mul_g (&T, &B_priv);
check_point ("b g", &T, &B);
check_point (name, "b g", &T, &B);
ecc_point_mul (&T, &A_priv, &T);
check_point ("a (b g)", &T, &S);
check_point (name, "a (b g)", &T, &S);
ecc_scalar_clear (&A_priv);
ecc_scalar_clear (&B_priv);
......@@ -136,7 +136,7 @@ test_dh (const struct ecc_curve *ecc,
void
test_main(void)
{
test_dh (&nettle_secp_192r1,
test_dh ("secp-192r1", &nettle_secp_192r1,
"3406157206141798348095184987208239421004566462391397236532",
"1050363442265225480786760666329560655512990381040021438562",
"5298249600854377235107392014200406283816103564916230704184",
......@@ -145,4 +145,58 @@ test_main(void)
"293088185788565313717816218507714888251468410990708684573",
"149293809021051532782730990145509724807636529827149481690",
"2891131861147398318714693938158856874319184314120776776192");
test_dh ("secp-224r1", &nettle_secp_224r1,
"1321072106881784386340709783538698930880431939595776773514895067682",
"6768311794185371282972144247871764855860666277647541840973645586477",
"2880077809069104378181313860274147139049600284805670362929579614547",
"13934723037778859565852601874354272638301919827851286722006496784914",
"373124771833407982305885866158843810218322878380632071540538232035",
"24223309755162432227459925493224336241652868856405241018762887667883",
"8330362698029245839097779050425944245826040430538860338085968752913",
"24167244512472228715617822000878192535267113543393576038737592837010");
test_dh ("secp-256r1", &nettle_secp_256r1,
"94731533361265297353914491124013058635674217345912524033267198103710636378786",
"22441589863306126152768848344973918725077248391248404659242620344938484650846",
"8673475622926171928656873398933611700804732317466515884933832073457396747355",
"97657865959185011849283028361556797595752581630732610898393589042714626616209",
"18453500628354973083413728373777272885280811435138222441593126858566687017580",
"14365748655141740924607822284126054269177292284541187981786689038777833170313",
"102958799567030688009123101477538973715497039396202015119148334812951370853564",
"29188877854984806245046208182450375893010623119030341548941791125497546766367");
test_dh ("secp-384r1", &nettle_secp_384r1,
"39086550219018474560700767788227987514008150214902287969462741484831311917159729009715909108606822193356890811565070",
"15536343869384820642787280162462493474000839389760580357050317691132784247078954166759523572989472049798969369413707",
"23268351460749985365652822073294615614961429585671989812206213135127969284347174876010177880230302801199500921999966",
"36869963309577906178833120963925446333578086292605692048464445726274368063284094788012795873582576522541658781990645",
"6571571183519639697971973492227725184968062063941037806786906539419849188357322949908539215960508669158121817812397",
"36555212611228586427448926841660565534959679681904941933188284044726925984417589749068550977832780023128545833460008",
"27780263733159299625371532605243698753833039933618994121416145881861678645978369807598146716869504289033472077532789",
"12327518461490664021199432424728005314646140038116972426756705356672414772151215711157356913456651047992140493843405");
test_dh ("secp-521r1", &nettle_secp_521r1,
"1177787298234877762125077260641419691552146813662613924864132680693789861345339466386194840381422980702458955378518702648732728796955434922249345867267377826",
"3168153642368000846168628288850857848098131369578410603904155841373678828215434925507474033105518841999665785152501356092020415699294327720257651796364374116",
"278603899104240796379373331240296114411332466119196525390128418935585486485808560319073463912513286987331907013829243645911963547435764718505394265715321106",
"4632844957395758597246278843156350179301194123641664447791935593091018103746003967476919616681982477804041933745387575872964923485212972039478646226080044590",
"3278857364905061449863537070675297207767865967146919975942590789168732752489407699106980407552332044280575891715425195464227794423128203118286002006478070253",
"4488572162727491199625798812850846214916160870437505769058530973184916706326908828109446998319674522651965593412129100088877891410841200092694907512496020182",
"2126311732129869456512627735193938710331935978955001830871465201548004444073866677974896970734635601049909886616595755762740651165670628002084824920216966370",
"4803556648772727869384704240411011976585308117802975396033423138930126997561438092192867119930177133880625991019440171972612468402200399449807843995563872782");
#if 0
/* NOTE: This isn't quite the standard way to do curve25519
diffie-hellman, but it tests that the ecc_point interface works
also with curve25519. FIXME: Which it doesn't yet do. */
test_dh ("curve25519", &nettle_curve25519,
"238301186166219052901200372289459967515481170332211409964804596991365959539",
"16689431791973914300519294566135927090340942991104989847654071982531922134636",
"20308418066388251043787233144732111482161260158474210903552303016733832642783",
"3795950278952272509684177709511717492358770264218705926196469999516028451559",
"33748673775975978547568270043630771161978032265709185964960751948965332685487",
"45040108202870901856797106334440548809561721639881101469282515918034252408802",
"12684624775789228333626692483521764247362476074160626230698999100180553618972",
"22635121008463339848034566659860493350277619617839914078958064757823336329514");
#endif
}
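Review bot: Every vector added to test_main is a valid on-curve point with an in-range scalar, so nothing in these hunks checks that a malformed peer point is rejected, which is the case that matters most when ECDH consumes peer-supplied coordinates. The point set-up code lies outside the visible hunks. If it goes through `ecc_point_set`, one extra case per curve asserting that the call returns 0 for a perturbed coordinate (for instance y + 1 of a known-good point) would close the gap. Since test_dh now takes `name`, such a case could reuse the same label in its failure message.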