1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-27 09:58:27 +00:00
Commit Graph

37 Commits

Author SHA1 Message Date
Jochen Hoenicke
533c3beb63 Fixed uncompress_coords for NIST curve
The bn_sqrti was broken.  It didn't handle primes where all bits are set
in the lowest limb.
2016-04-20 15:09:11 +02:00
Roman Zeyde
437f8b3856 bignum: constant time implementation for bn_mod() 2015-08-31 20:55:02 +03:00
Jochen Hoenicke
472b90d8ed Added myself to copyright lines. 2015-08-19 21:45:21 +02:00
Jochen Hoenicke
f93b003cbc Extended comments, new function bn_add, a bug fix.
Describe normalized, partly reduced and reduced numbers.
Comment which function expects which kind of input.
Removed unused bn_bitlen.
Add bn_add that does not reduce.
Bug fix in ecdsa_validate_pubkey: bn_mod before bn_is_equal.
Bug fix in hdnode_private_ckd: bn_mod after bn_addmod.
2015-08-06 19:09:23 +02:00
Jochen Hoenicke
f2081d88d8 New jacobian_add that handles doubling.
Fix bug where jacobian_add is called with two identical points.
2015-08-05 21:23:04 +02:00
Jochen Hoenicke
6ba4d288b0 Cleaned up bignum code
1. Fixed bn_multiply_step to handle small primes.
2. Removed many calls to bn_mod to prevent side-channel leakage.
2015-08-05 19:36:30 +02:00
Roman Zeyde
793234a0ec bignum: use constant time comparisons 2015-08-03 10:57:09 +03:00
Roman Zeyde
ea16aa0b86 Remove unnecessary #include "secp256k1.h" 2015-07-07 10:39:12 +03:00
Roman Zeyde
587d6a65ea Update documentation regarding ECDSA curves support 2015-07-07 10:38:16 +03:00
Roman Zeyde
7c58fc11a4 Add support for NIST256P1 elliptic curve
This enables SSH ECDSA public key authentication.
2015-06-26 10:33:14 +03:00
Pavol Rusnak
21d0bb437a cleanup coding style 2015-04-13 18:19:33 +02:00
netanelkl
3fd32df8ed More of the same. 2015-04-09 15:05:28 -04:00
Jochen Hoenicke
56f5777b68 Refactored code for point doubling.
New function `bn_mult_3_2` that multiplies by 3/2.
This function is used in point_double and point_jacobian_double.
Cleaned up point_add and point_double, more comments.
2015-03-22 17:55:01 +01:00
Jochen Hoenicke
1700caf2ad scalar_mult based on Jacobian representation
This version of scalar_mult should be faster and much better
against side-channel attacks.  Except bn_inverse and bn_mod
all functions are constant time.  bn_inverse is only used
in the last step and its input is randomized.  The function
bn_mod is only taking extra time in 2^32/2^256 cases, so
in practise it should not occur at all.  The input to bn_mod
is also depending on the random value.

There is secret dependent array access in scalar_multiply,
so cache may be an issue.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
d4788bddfd Added modulus to bn_subtractmod 2015-03-17 19:17:56 +01:00
Jochen Hoenicke
62b95ee414 Optimized conversion functions.
Also added a few more comments
2015-03-17 19:17:56 +01:00
Jochen Hoenicke
7d4cf5cedd Optimized the bn_inverse method.
The new method needs about 30 % less time for prime256k1 and is about
twice as fast for other moduli.  The base algorithm is the same.
The code is also a bit smaller and doesn't need the 8 kb precomputed
table.

Important canges:
1. even/odd distinction so that we need to test only one of the numbers
   for being even.  This also leads to less duplicated code.
2. Allow for shifting by 32 bits at a time in the even test.
3. Pack u,s and v,r into the same array, which saves a bit of stack memory.
4. Don't divide by two after subtraction; this simplifies code.
5. Abort as soon as u,v are equal, instead of subtracting them.
6. Use s instead of r after the loop; no negation needed.
7. New code that divides by 2^k fast without any precomputed values.
2015-03-17 19:17:47 +01:00
Pavol Rusnak
e37ba822e6 bn_substract -> bn_subtractmod, bn_substract_noprime -> bn_subtract
remove dead code
2015-03-17 14:19:50 +01:00
Jochen Hoenicke
7e98c02afd Added comments to the tricky algorithms.
Added invariants for bn_multiply and bn_inverse.
Explain that bn_multiply and bn_fast_mod doesn't work for
an arbitrary modulus.  The modulus must be close to 2^256.
2015-03-09 12:06:46 +01:00
Pavol Rusnak
03a8925e0f rename BN_PRINT define to USE_BN_PRINT 2014-07-07 21:24:10 +02:00
Pavol Rusnak
019d779a94 Revert "Revert "add more precomputation to ecdsa signing""
This reverts commit 3747ba4323.
2014-07-03 10:09:45 +02:00
Pavol Rusnak
3747ba4323 Revert "add more precomputation to ecdsa signing"
This reverts commit 06dd166a82.
2014-07-03 01:18:00 +02:00
Pavol Rusnak
612f5ab050 fix copyright headers 2014-05-22 20:54:58 +02:00
Pavol Rusnak
06dd166a82 add more precomputation to ecdsa signing 2014-05-15 17:11:26 +02:00
Jan Pochyla
67eb76fd1b llu -> ull for MSVC compatibility 2014-02-15 15:57:41 +01:00
Pavol Rusnak
2e4ec7fe0a introduce ecdsa_address_to_hash160 2014-01-30 20:34:05 +01:00
Pavol Rusnak
8423c7abfd add check that pub.y != res.y 2014-01-04 17:39:37 +01:00
Pavol Rusnak
9205c0d952 use canonical signatures (if S > Order/2: S = Order - S) 2013-10-08 14:06:48 +02:00
Pavol Rusnak
678e5b1af2 use #if instead of #ifdef for conditional macros 2013-10-03 17:32:27 +02:00
Pavol Rusnak
f4f246f3d7 optimize computations 2013-09-27 15:42:52 +02:00
Pavol Rusnak
7ed18947ba simplify divmod58 2013-09-25 12:39:23 +02:00
Pavol Rusnak
74a5b04b81 verify now supports compressed keys 2013-09-24 18:48:46 +02:00
Pavol Rusnak
638cf2310b cleanup 2013-09-20 21:49:17 +02:00
Pavol Rusnak
92f070498f add function for computing addresses 2013-09-20 17:13:24 +02:00
Pavol Rusnak
1fda6fe339 add bn_zero, bn_bits, bn_lshift, bn_rshift, bn_normalize to bignum 2013-09-19 02:54:10 +02:00
Pavol Rusnak
afc9bcfe30 implement bip32 - https://en.bitcoin.it/wiki/BIP_0032 2013-09-12 21:20:03 +02:00
Pavol Rusnak
07d1c22730 refactor code -> bignum.c/h 2013-09-12 03:18:35 +02:00