p384: arithmetic + ECDSA support

[jedisct1]

Hi,

Is there a way to compute and verify p384 signatures yet?

p384 has an ecdsa feature, but I couldn't get anything done with it.
ProjectiveArithmetic is not implemented for NistP384. The arithmetic feature of the elliptic_curve crate isn't set, so I wasn't even able to manually compute a public key.

Is it possible to use it in a similar way as p256 and k256? Or to use it for ECDSA at all? Or is it still a work in progress?

Thanks for your help :)

[tarcieri]

p384 arithmetic is presently unimplemented and there are no plans to implement it. All it currently provides is a set of types for representing things like P-384 keys and ECDSA signatures.

The only way to use it for ECDSA/P-384 for now is via the ring-compat crate, which wraps the ECDSA/P-384 implementation in ring:

https://docs.rs/ring-compat/0.1.0/ring_compat/signature/ecdsa/p384/index.html

Perhaps if #218 works out we can see if the generic implementation is capable of expressing it.

[newpavlov]

Yes, the weierstrass crate should be able to express p384 arithmetic. I have some changes in mind before merging it, so let's call it work in progress. :)

[tarcieri]

I think we could potentially ship an initial implementation of p384 arithmetic by leveraging the field arithmetic implementations synthesized by fiat-crypto:

• https://github.com/mit-plv/fiat-crypto/blob/master/fiat-rust/src/p384_32.rs
• https://github.com/mit-plv/fiat-crypto/blob/master/fiat-rust/src/p384_64.rs

It would also provide a good testbed to work on a Scalar type based on crypto_bigint::UInt which could potentially be made generic and used by all of the crates in this repo.

[rod-chapman]

For what it's worth, I'd also like to see the p384 implementation support the ecdh and arithmetic capabilities. I am happy to test and review anything that emerges, although I very much doubt that my skills are up to contributing to the actual work at this point.

[tarcieri]

As a quick update here, we recently shipped elliptic-curve v0.11 which implements quite a bit of scalar arithmetic generically on top of crypto-bigint in the form of the ScalarCore type.

This is more or less the culmination of work started in #376, but generic over the curve's order.

Between that and the base field implementation from fiat-crypto, it shouldn't be terribly difficult to adapt the existing addition/multiplication formulas from p256.

[rod-chapman]

Tony - a possibly stupid question: is your work on RustCrypto funded, either by your own organization, or by any other external source? I can think of several organizations that would be happy to support such efforts if it were possible. If Company X really wanted to pay for support, who would they approach?

[tarcieri]

@rod-chapman it's not funded, although you can feel free to support me via GitHub Sponsors

[rod-chapman]

OK... I can think of several organizations here in the UK that would be interested in using RustCrypto, but would be happy to contribute for support if it were available on commercial terms.

[jedisct1]

https://github.com/jedisct1/rust-p384 has an implementation, if you ever need this.

[tarcieri]

Nice! I can take a look at merging that into the p384 crate. It seems to largely follow the same structure.

[rod-chapman]

Interesting... I would like to compare performance of that with the WolfCrypt C implementation...

[Erik1000]

I'd be happy if we could merge that and therefore remove the broken-arithmetic-do-not-use stuff ^^

[tarcieri]

@jedisct1 I opened a draft PR here: #565

Alternatively if you'd like to open a PR yourself, that works too

[tarcieri]

An arithmetic implementation derived from p384-rs was merged in #565.

Thank you @jedisct1 and @brycx! And vicarious thanks to the fiat-crypto people!

For anyone following this issue, I've opened a tracking issue for a v0.11 release with arithmetic support: #566