Add ECDSA P-384 signing. #209

Closed
briansmith opened this issue May 31, 2016 · 3 comments

@briansmith
Owner

This is similar to #207, but harder because we don't have any good (constant-time) code for ECC operations on the P-384 curve at all.

See #205 for general concerns/requirements on signing APIs.

@briansmith briansmith mentioned this issue May 31, 2016
@briansmith
Owner Author

briansmith commented Jun 3, 2016

Status update:

  • digest -> scalar conversion (shared with P-256)
  • close-to-constant-time multiplication and squaring (mod n).
  • constant-time inversion mod n (to the extent multiplication and squaring are constant-time).
  • constant-time Jacobian -> affine conversion (including constant-time inversion mod q) and serialization of public keys (shared with P-256)
  • constant-time point doubling and point addition*
  • constant-time base point multiplication
  • The actual ECDSA signing function, serialization of signatures, key generation, serialization of private keys, deserialization of private keys (all shared with P-256).
  • Tests
  • Benchmarks in crypto-bench
  • Audit and document side channel resistance, including base assumptions
  • Nonce reuse prevention hardening

Everything checked off above is in master. Note that the point addition should be constant time on the assumption that the exceptional cases are never hit during ECDH and ECDSA signing, which is the same assumption that OpenSSL has. It would be worthwhile to write up a proof that that is the case.
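
What the exceptional cases mentioned in the status update look like, as an added example that is not code from this project or from the issue: textbook Jacobian addition with no special-case branches, run on a constructed toy curve y^2 = x^3 - 3x + 18 over F_97. The curve, the point `G` and all function names are assumptions for illustration, and the field arithmetic here is not constant-time.

```rust
// Constructed toy curve y^2 = x^3 - 3x + 18 over F_97 (a = -3, as on P-384).
const P: u64 = 97;
const A: u64 = P - 3;
fn add_m(a: u64, b: u64) -> u64 { (a + b) % P }
fn sub_m(a: u64, b: u64) -> u64 { (a + P - b) % P }
fn mul_m(a: u64, b: u64) -> u64 { (a * b) % P }
// Brute-force inverse: acceptable only because the field is a toy; 0 maps to 0.
fn inv_m(a: u64) -> u64 { (1..P).find(|&i| mul_m(a % P, i) == 1).unwrap_or(0) }

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Jacobian { pub x: u64, pub y: u64, pub z: u64 }
pub const G: Jacobian = Jacobian { x: 3, y: 6, z: 1 }; // constructed point on the curve

/// Textbook Jacobian addition with no branch for P == Q or for infinity inputs.
pub fn add_incomplete(p: Jacobian, q: Jacobian) -> Jacobian {
    let (z1z1, z2z2) = (mul_m(p.z, p.z), mul_m(q.z, q.z));
    let (u1, u2) = (mul_m(p.x, z2z2), mul_m(q.x, z1z1));
    let s1 = mul_m(p.y, mul_m(q.z, z2z2));
    let s2 = mul_m(q.y, mul_m(p.z, z1z1));
    let (h, r) = (sub_m(u2, u1), sub_m(s2, s1)); // both are 0 when P == Q
    let hh = mul_m(h, h);
    let hhh = mul_m(h, hh);
    let v = mul_m(u1, hh);
    let x3 = sub_m(sub_m(mul_m(r, r), hhh), add_m(v, v));
    let y3 = sub_m(mul_m(r, sub_m(v, x3)), mul_m(s1, hhh));
    Jacobian { x: x3, y: y3, z: mul_m(h, mul_m(p.z, q.z)) }
}

/// Dedicated doubling formula; this is what P + P must use instead.
pub fn double(p: Jacobian) -> Jacobian {
    let (yy, zz) = (mul_m(p.y, p.y), mul_m(p.z, p.z));
    let s = mul_m(4, mul_m(p.x, yy));
    let m = add_m(mul_m(3, mul_m(p.x, p.x)), mul_m(A, mul_m(zz, zz)));
    let x3 = sub_m(mul_m(m, m), add_m(s, s));
    let y3 = sub_m(mul_m(m, sub_m(s, x3)), mul_m(8, mul_m(yy, yy)));
    Jacobian { x: x3, y: y3, z: mul_m(2, mul_m(p.y, p.z)) }
}

/// Jacobian -> affine; None when Z == 0 (decodes as the point at infinity).
pub fn to_affine(p: Jacobian) -> Option<(u64, u64)> {
    if p.z == 0 { return None; }
    let zi = inv_m(p.z);
    let zi2 = mul_m(zi, zi);
    Some((mul_m(p.x, zi2), mul_m(p.y, mul_m(zi, zi2))))
}

fn main() {
    println!("2G via double         = {:?}", to_affine(double(G)));
    println!("G + G via add formula = {:?}", to_affine(add_incomplete(G, G)));
}
```

For distinct finite inputs the branch-free formula is correct, but `G + G` collapses to `(0, 0, 0)` and an infinity input yields infinity again, which is why the constant-time claim depends on those inputs never occurring.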

@briansmith briansmith self-assigned this Jun 6, 2016
@briansmith briansmith removed their assignment Jul 24, 2016
@briansmith briansmith self-assigned this Jan 30, 2017
@briansmith briansmith modified the milestones: 0.6.1, 0.7.n Jan 30, 2017
@briansmith briansmith modified the milestones: 0.7.n, 0.8.n Apr 10, 2017
@briansmith
Owner Author

I've added the initial implementation of P-384 ECDSA signing in e5a4fe9 and I updated the checklist above to indicate what work is needed to call this "complete." The nonce reuse hardening will be added soon.

@briansmith
Owner Author

I'm calling this done.
