trezor-firmware

Commit Graph

Author	SHA1	Message	Date
Jochen Hoenicke	409783ba64	New function ecdsa_verify_recover Moved the code from Trezor firmware to here for recovering the public key when verifying a bitcoin message. Fixed the signing and verification for the unlikely case the r value overflows.	9 years ago
Jochen Hoenicke	698f40f385	BIP-32 without gaps, prepare non-ecdsa curves * Split ecdsa_curve into curve_info and ecdsa_curve to support bip32 on curves that don't have a ecdsa_curve. * Don't fail in key derivation but retry with a new hash. * Adapted test case accordingly	9 years ago
Jochen Hoenicke	533c3beb63	Fixed uncompress_coords for NIST curve The bn_sqrti was broken. It didn't handle primes where all bits are set in the lowest limb.	9 years ago
Jochen Hoenicke	0bc1b70c4a	Use different seed modifier for different curves	9 years ago
Jochen Hoenicke	472b90d8ed	Added myself to copyright lines.	9 years ago
Jochen Hoenicke	774ac9cb22	Simplified test for doubling in point_jacobian_add	9 years ago
Jochen Hoenicke	f93b003cbc	Extended comments, new function bn_add, a bug fix. Describe normalized, partly reduced and reduced numbers. Comment which function expects which kind of input. Removed unused bn_bitlen. Add bn_add that does not reduce. Bug fix in ecdsa_validate_pubkey: bn_mod before bn_is_equal. Bug fix in hdnode_private_ckd: bn_mod after bn_addmod.	9 years ago
Jochen Hoenicke	f2081d88d8	New jacobian_add that handles doubling. Fix bug where jacobian_add is called with two identical points.	9 years ago
Jochen Hoenicke	60e36dac3b	Fixed conditional_negate for larger numbers Without the bn_mod the numbers get larger (but still < 2*prime), so conditional_negate should handle this.	9 years ago
Jochen Hoenicke	6ba4d288b0	Cleaned up bignum code 1. Fixed bn_multiply_step to handle small primes. 2. Removed many calls to bn_mod to prevent side-channel leakage.	9 years ago
Pavol Rusnak	d659fd49a5	return back normalization of signatures	9 years ago
Pavol Rusnak	71c24673ce	Merge branch 'ssh-agent' of git://github.com/romanz/trezor-crypto into romanz-ssh-agent Conflicts: ecdsa.c	9 years ago
Pavol Rusnak	36caf5b33a	Merge pull request #35 from romanz/master ecdsa: generate_k_rfc6979() should cleanup its stack before exit	9 years ago
Roman Zeyde	36847ac0d7	ecdsa: generate_k_rfc6979() should cleanup its stack before exit	9 years ago
Roman Zeyde	7c58fc11a4	Add support for NIST256P1 elliptic curve This enables SSH ECDSA public key authentication.	9 years ago
John Dvorak	85cebfe968	Change return value of ecdsa_sign_digest Error codes were not being propagated, always returned as 0.	9 years ago
Pavol Rusnak	21d0bb437a	cleanup coding style	10 years ago
netanelkl	3fd32df8ed	More of the same.	10 years ago
Pavol Rusnak	a757693fe3	Merge pull request #26 from jhoenicke/bignum_improvements Bignum improvements	10 years ago
Oleg Andreev	a5a4333a8e	typo fix (no, this was not a bug)	10 years ago
Jochen Hoenicke	56f5777b68	Refactored code for point doubling. New function `bn_mult_3_2` that multiplies by 3/2. This function is used in point_double and point_jacobian_double. Cleaned up point_add and point_double, more comments.	10 years ago
Jochen Hoenicke	edf0fc4902	New fast variant of point_multiply. Use a similar algorithm for `point_multiply` as for `scalar_multiply` but with less precomputation. Added double for points in Jacobian coordinates. Simplified `point_jacobian_add` a little.	10 years ago
Jochen Hoenicke	1700caf2ad	scalar_mult based on Jacobian representation This version of scalar_mult should be faster and much better against side-channel attacks. Except bn_inverse and bn_mod all functions are constant time. bn_inverse is only used in the last step and its input is randomized. The function bn_mod is only taking extra time in 2^32/2^256 cases, so in practise it should not occur at all. The input to bn_mod is also depending on the random value. There is secret dependent array access in scalar_multiply, so cache may be an issue.	10 years ago
Jochen Hoenicke	2c38929d03	Make scalar_multiply timing attack safe. This should make side-channel attacks much more difficult. However, 1. Timing of bn_inverse, which is used in point_add depends on input. 2. Timing of reading secp256k1_cp may depend on input due to cache. 3. The conditions in point_add are not timing attack safe. However point_add is always a straight addition, never double or some other special case. In the long run, I would like to use a specialized point_add using Jacobian representation plus a randomization when converting the first point to Jacobian representation. The Jacobian representation would also make the procedure a bit faster.	10 years ago
Jochen Hoenicke	ec057a5102	"More" constant time point multiplication About the same speed, about the same precomputation table requirements. Simpler code.	10 years ago
Jochen Hoenicke	eb6e74f361	Improve speed of scalar_multiply. We also allow for substracting values to be able to do 3 bits at a time.	10 years ago
Jochen Hoenicke	d4788bddfd	Added modulus to bn_subtractmod	10 years ago
Pavol Rusnak	e37ba822e6	bn_substract -> bn_subtractmod, bn_substract_noprime -> bn_subtract remove dead code	10 years ago
Jochen Hoenicke	e2dd0b8e8d	Always check for validity in ecdsa_read_pubkey. An invalid point may crash the implementation or, worse, reveal information about the private key if used in a ECDH context (e.g. cryptoMessageEn/Decrypt). Therefore, check all user supplied points even if USE_PUBKEY_VALIDATE is not set. To improve speed, we don't check if the point lies in the main group, since the secp256k1 curve does not have any other subgroup.	10 years ago
Jochen Hoenicke	ed9d8c1ebb	Fix RFC6979 generation of k. The standard says: step h: Set T to the empty sequence. while tlen < qlen V = HMAC_K(V) T = T \|\| V k = bits2int(T) in this case (HMAC-SHA256, qlen=256bit) this simplifies to V = HMAC_K(V) T = V k = bits2int(T) and T can be omitted. The old code (wrong) did: T = HMAC_K(V) k = bits2int(T) Note that V will only be used again if the first k is out of range. Thus, the old code produced the right result with a very high probability.	10 years ago
Pavol Rusnak	795579cbac	invert pby when normalizing S during signing	10 years ago
Pavol Rusnak	89a7d7797b	replace base58 implementation	10 years ago
Pavol Rusnak	b4cdba8489	export pby from ecdsa_sign functions	10 years ago
Pavol Rusnak	9469a64a0a	use bn_is_zero and bn_is_equal where possible	10 years ago
Pavol Rusnak	df3606dd5e	introduce ecdsa_get_address_raw	10 years ago
Pavol Rusnak	0fe1857513	normalize y^2 in pubkey validation fix last commit	10 years ago
Pavol Rusnak	b9d5896174	make pubkey validation optional, extract options to separate header	10 years ago
Ondrej Mikle	b34516bc49	Removed unnessary point copy.	10 years ago
Ondrej Mikle	03fee34550	Validating of public key curve point.	10 years ago
Ondrej Mikle	7fd81a1e0c	Removed superfluous bn_mod, it's done now in point_add and point_double.	10 years ago
Ondrej Mikle	323da2d434	Keep results after point_add() and point_double() inside the finite field. Simplified point_is_negative_of().	10 years ago
Ondrej Mikle	d827b2c862	Account for case when point.y == 0 when doubling.	10 years ago
Ondrej Mikle	6d61cefdb3	Removed test for point equality in ecdsa_verify_digest, point_add() already handles that.	10 years ago
Ondrej Mikle	da6a09880d	Handling of special cases in EC arithmetic.	10 years ago
Pavol Rusnak	82ed3f31db	fix comparison of points	10 years ago
Pavol Rusnak	eec5f7df15	fix bug in unoptimized branch of code	10 years ago
Pavol Rusnak	019d779a94	Revert "Revert "add more precomputation to ecdsa signing"" This reverts commit `3747ba4323`.	10 years ago
Pavol Rusnak	3747ba4323	Revert "add more precomputation to ecdsa signing" This reverts commit `06dd166a82`.	10 years ago
Ondrej Mikle	0ad302ea4e	Hashing of secp256k1 pubkey recognizes point at infinity.	10 years ago
Pavol Rusnak	5e9cd15527	use new base58 code for address functions, add function for obtaining wif	10 years ago

1 2

91 Commits (2002c815ff101a40c841ff257ae353e195297e95)