Add support for small curves #223
Conversation
tomato42
added
feature
tomato42
force-pushed
the
small-curves
branch
from
46bdd1e to
3704153
Compare
the public key recovery needs to truncate large hashes just like the signature verification and creation, so reuse the code that does that
tomato42
force-pushed
the
small-curves
branch
from
3704153 to
a81c7e3
Compare
tomato42
force-pushed
the
small-curves
branch
from
a81c7e3 to
bb8254a
Compare
| _Gy = int(remove_whitespace("CF5AC839 5BAFEB13 C02DA292 DDED7A83"), 16) | ||
| _r = int(remove_whitespace("FFFFFFFE 00000000 75A30D1B 9038A115"), 16) | ||
| _h = 1 | ||
| curve_128r1 = ellipticcurve.CurveFp(_p, -3, _b, _h) |
There was a problem hiding this comment.
I do not see the -3 argument in neither of specifications I was able to find.
There was a problem hiding this comment.
because it's -3 % p or _p - 3 in this code
src/ecdsa/test_pyecdsa.py
Outdated
| def test_to_openssl_secp128r1(self): | ||
| self.do_test_to_openssl(SECP128r1) | ||
|
|
||
| @pytest.mark.slow |
There was a problem hiding this comment.
nit: This change is probably not strictly related to the content of this commit. Same above.
It is actually removed in the following commit, which makes is a good candidate for removal already here.
There was a problem hiding this comment.
ah, yeah, it's a leftover from when I cherry-picked it from the mutation testing PR, will fix
| # secp160r1 | ||
| _p = int(remove_whitespace("FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 7FFFFFFF"), 16) | ||
| # S = 1053CDE4 2C14D696 E6768756 1517533B F3F83345 | ||
| # _a = -3 |
There was a problem hiding this comment.
Same here -- the specifications mention a=0xffffffffffffffffffffffffffffffff7ffffffc. If there is a trivial reason in the ECC theory that I miss, it might make sense to add at least a comment as all the sources come with the above.
There was a problem hiding this comment.
actually, the -3 curves are special: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html we just don't use this property in the implementation (at least not now)
| - python: 2.7 | ||
| env: INSTRUMENTAL=yes | ||
| dist: bionic | ||
| sudo: true |
There was a problem hiding this comment.
This does not do anything in current travis (see the "View config" -> "Config validation" in the travis build)
There was a problem hiding this comment.
yes, "sudo: true" is supposed to not do anything, but it breaks when i don't use it... so I keep it
There was a problem hiding this comment.
weird. Can you be more specific what breaks? I think I removed all these from OpenSC and all works fine.
There was a problem hiding this comment.
I wasn't getting the distribution versions and thus python versions I expected from configuration, that being said I tried it some time ago...
Something to try when travis build queue isn't measured in hours...
the secret multiplier is limited by the order of the base point, that also informs the size of elements for the signature (as they are calculated modulo order), but the public point is a point, so its elements are modulo prime from the curve. The same thing applies to the shared secret: it's just one coordinate of the point, so it's modulo p of the curve, not modulo order of generator. for all curves up till now the size of order and size of the prime was the same so it worked fine, but secp160r1 is different, so it showed the bugs so fix this bug and add secp160r1 as the test coverage for it
if we don't ignore _compat for the new checkout, we will get a big decrease in code coverage
many tests (in particular ecdh) require new OpenSSL, so run it on a distro with new OpenSSL
make it easier to test instrumental coverage
looks like there is some test coverage variability from hypothesis so do few static examples
tomato42
force-pushed
the
small-curves
branch
from
6767973 to
4bd1d1c
Compare
| - python: 2.7 | ||
| env: INSTRUMENTAL=yes | ||
| dist: bionic | ||
| sudo: true |
There was a problem hiding this comment.
weird. Can you be more specific what breaks? I think I removed all these from OpenSC and all works fine.
3 participants
finish fixing #197, fix #224
fix #24
because we deduplicate some fairly well-tested code, the overall percentage coverage of
ecdsa.keysfalls, making straight-up change fail instrumental testing; add some test coverage for it to counteract italso adds some static test coverage for
is_prime()to stop the line coverage fluctuating based on hypothesis choices