Add support for secp256k1 elliptic curve

[dkostic]

Issues:

CryptoAlg-1024

Description of changes:

The change adds support for secp256k1 elliptic curve (required by ACCP).
We use the generic |EC_GFp_mont_method| for the new curve.

The largest part of the change is adding tests to cover as much as
possible the potential use of the curve. We have added EC, ECDH, and
ECDSA tests. In all three cases we generate the test vectors by newly
added Go scripts. The standard Go library doesn't have support for
secp256k1, and moreover, we can't instantiate the curve on our own
because Go's implementation assumes a curve given by y^2 = x^3 + ax + b
has a = -3, which is not the case for secp256k1. We work around this
issue by using the most widely used secp256k1 Go implementation,
Ethereum's go-ethereum/crypto/secp256k1 module. Also, EVP Wycheproof
tests specific to secp256k1 were added.

A small issue with FIPS service indicator test for ECDH is also fixed.
The test assumed in one case that the indicator should always return
APPROVED, when in reality the indicator status should depened on which
elliptic curve is used in the protocol. For example, when a non FIPS
approved curve like secp256k1 is used, we expect the indicator to
return NOT_APPROVED.

Call-outs:

Point out areas that need special attention or support during the review process. Discuss architecture or design changes.

Testing:

How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[torben-hansen]

Nice.

I see some missing tests in crypto/fipsmodule/ec/ec_test.cc.

Also check out crypto/evp_extra/evp_test.cc. Could potentially also add some p256k1-specific tests there?

[dkostic]

The changes are ported from this feature branch: https://github.com/awslabs/aws-lc/tree/add_secp192r1_secp256k1. Since we don't need to support P-192 curve I ported only changes relevant to secp256k1.

[nebeid]

Just curious: why EC_curve_name2nid and EC_curve_nid2name are no longer needed?

[nebeid]

Should there be a reference here to where the tests were generated from?

[dkostic]

done, also in ecdsa_verify_tests.txt

[nebeid]

Nit: In the order below, secp256k1 is checked for before secp160r1.

[dkostic]

Forgot to change this before I pushed the update. If you don't mind I'd let it be like this?

[nebeid]

Sure

[dkostic]

I see some missing tests in crypto/fipsmodule/ec/ec_test.cc.
Also check out crypto/evp_extra/evp_test.cc. Could potentially also add some p256k1-specific tests there?

@torben-hansen Added more tests both in ec_test.cc and evp_test.cc. Let me know if I missed anything.

Just curious: why EC_curve_name2nid and EC_curve_nid2name are no longer needed?

@nebeid They were not needed in the first place, I realized that only now.

[nebeid]

How were the new tests generated?

[dkostic]

I used Sage to generate a random point :)

[dkostic]

For posterity, the Sage code to generate a random point on secp256k1. The setup of the curve is taken from this very useful webpage (that covers many other curves as well): https://neuromancer.sk/std/secg/secp256k1#

p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
K = GF(p)
a = K(0x0000000000000000000000000000000000000000000000000000000000000000)
b = K(0x0000000000000000000000000000000000000000000000000000000000000007)
E = EllipticCurve(K, (a, b))
G = E(0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798, 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)
E.set_order(0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 * 0x1)

(x, y, z) = E.random_element()