Add support to Ed448 in EdDSA #5824
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Largely inspired by the curve25519 definition. Signed-off-by: Aurelien Jarno <[email protected]> Signed-off-by: Pol Henarejos <[email protected]>
Also tweak mbedtls_ecp_get_type to handle the edwards case. FIXME: there is probably a cleaner way of doing that. Signed-off-by: Aurelien Jarno <[email protected]>
The RFC8032 recommends to implement ed25519 in extended coordinates and ed448 in projective coordinates. The two coordinates systems are very close with T=x*y for extended coordinates. The corresponding point addition and point doubling formulas are actually very similar. Note that the formulas given in the RFC are the EFD one simplified with a = -1 for ed25519 and a = 1 for ed448. The Mbed TLS philosophy is to share as much code as possible, so projective coordinates are used for both Twisted Edwards and Edwards curves, using the formulas from EFD, which do include the a parameter of the quation. This also matches the mbedtls_ecp_point implementation which supports up to three coordinates. In order to verify EdDSA signatures, it is necessary to add two points. A new mbedtls_ecp_add function is therefore exported in the API. It is only implemented for Edwards curve and returns MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE for other curves. The ecp_check_pubkey function simply checks that the points is on the curve as there are no recommended checks in the RFC8032 nor in the FIPS 186-5 draft. FIXME: There is currently no check for mbedtls_ecp_check_privkey. It's not clear what check should be implemented. FIXME: mbedtls_ecp_set_zero and mbedtls_ecp_is_zero are wrong for Edwards curve, the neutral element being (0, 1). This is not possible to fix that without changing the API as the group parameter is currently not in argument. FIXME: ecp_normalize_edxyz uses a modular inversion. For elliptic curves over GF(p) modular inversions could be done using x^-1 = x^(p-2) (mod p). As it doesn't seem to bring any measureable speed improvement, I kept the modular inversion. FIXME: The mbedtls_ecp_keypair type and the related functions (mbedtls_ecp_gen_key, mbedtls_ecp_read_key, mbedtls_ecp_check_pub_priv) assume that the secret key is a scalar and that the public key is a curve point that is obtained by the scalar multiplication of the base point by the secret key. This is only partially true for the EdDSA algorithm, which employs point enconding and hashes to manipulate those. Signed-off-by: Aurelien Jarno <[email protected]> Signed-off-by: Pol Henarejos <[email protected]> # Conflicts: # library/ecp.c
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
…lti. Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
…lti. Signed-off-by: Pol Henarejos <[email protected]>
This commit contains the necessary commits of SHA-3 and SHAKE256. Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
7 tasks
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
tom-cosgrove-arm
added
enhancement
component-crypto
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
|
so are reviews coming along? I'd have thought mbedtls wants this in and it's been at least 2 years in the waiting? |
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR adds support to EdDSA. It extends #5819
Status
READY
Requires Backporting
NO
Migrations
NO
Additional comments
It depends on PR #5820 and #5821
Todos