1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-30 11:28:21 +00:00
Commit Graph

86 Commits

Author SHA1 Message Date
Jochen Hoenicke
774ac9cb22 Simplified test for doubling in point_jacobian_add 2015-08-07 11:26:00 +02:00
Jochen Hoenicke
f93b003cbc Extended comments, new function bn_add, a bug fix.
Describe normalized, partly reduced and reduced numbers.
Comment which function expects which kind of input.
Removed unused bn_bitlen.
Add bn_add that does not reduce.
Bug fix in ecdsa_validate_pubkey: bn_mod before bn_is_equal.
Bug fix in hdnode_private_ckd: bn_mod after bn_addmod.
2015-08-06 19:09:23 +02:00
Jochen Hoenicke
f2081d88d8 New jacobian_add that handles doubling.
Fix bug where jacobian_add is called with two identical points.
2015-08-05 21:23:04 +02:00
Jochen Hoenicke
60e36dac3b Fixed conditional_negate for larger numbers
Without the bn_mod the numbers get larger (but still < 2*prime), so
conditional_negate should handle this.
2015-08-05 19:36:30 +02:00
Jochen Hoenicke
6ba4d288b0 Cleaned up bignum code
1. Fixed bn_multiply_step to handle small primes.
2. Removed many calls to bn_mod to prevent side-channel leakage.
2015-08-05 19:36:30 +02:00
Pavol Rusnak
d659fd49a5 return back normalization of signatures 2015-08-03 21:47:06 +02:00
Pavol Rusnak
71c24673ce Merge branch 'ssh-agent' of git://github.com/romanz/trezor-crypto into romanz-ssh-agent
Conflicts:
	ecdsa.c
2015-06-28 21:22:50 +02:00
Pavol Rusnak
36caf5b33a Merge pull request #35 from romanz/master
ecdsa: generate_k_rfc6979() should cleanup its stack before exit
2015-06-28 21:01:57 +02:00
Roman Zeyde
36847ac0d7 ecdsa: generate_k_rfc6979() should cleanup its stack before exit 2015-06-27 10:08:18 +03:00
Roman Zeyde
7c58fc11a4 Add support for NIST256P1 elliptic curve
This enables SSH ECDSA public key authentication.
2015-06-26 10:33:14 +03:00
John Dvorak
85cebfe968 Change return value of ecdsa_sign_digest
Error codes were not being propagated, always returned as 0.
2015-06-18 09:55:12 -04:00
Pavol Rusnak
21d0bb437a cleanup coding style 2015-04-13 18:19:33 +02:00
netanelkl
3fd32df8ed More of the same. 2015-04-09 15:05:28 -04:00
Pavol Rusnak
a757693fe3 Merge pull request #26 from jhoenicke/bignum_improvements
Bignum improvements
2015-03-30 17:48:43 +02:00
Oleg Andreev
a5a4333a8e typo fix (no, this was not a bug) 2015-03-30 17:25:34 +02:00
Jochen Hoenicke
56f5777b68 Refactored code for point doubling.
New function `bn_mult_3_2` that multiplies by 3/2.
This function is used in point_double and point_jacobian_double.
Cleaned up point_add and point_double, more comments.
2015-03-22 17:55:01 +01:00
Jochen Hoenicke
edf0fc4902 New fast variant of point_multiply.
Use a similar algorithm for `point_multiply` as for
`scalar_multiply` but with less precomputation.
Added double for points in Jacobian coordinates.
Simplified `point_jacobian_add` a little.
2015-03-21 21:10:08 +01:00
Jochen Hoenicke
1700caf2ad scalar_mult based on Jacobian representation
This version of scalar_mult should be faster and much better
against side-channel attacks.  Except bn_inverse and bn_mod
all functions are constant time.  bn_inverse is only used
in the last step and its input is randomized.  The function
bn_mod is only taking extra time in 2^32/2^256 cases, so
in practise it should not occur at all.  The input to bn_mod
is also depending on the random value.

There is secret dependent array access in scalar_multiply,
so cache may be an issue.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
2c38929d03 Make scalar_multiply timing attack safe.
This should make side-channel attacks much more difficult. However,

1. Timing of bn_inverse, which is used in point_add depends on input.
2. Timing of reading secp256k1_cp may depend on input due to cache.
3. The conditions in point_add are not timing attack safe.
   However point_add is always a straight addition, never double or some
   other special case.

In the long run, I would like to use a specialized point_add using Jacobian
representation plus a randomization when converting the first point to
Jacobian representation.  The Jacobian representation would also make
the procedure a bit faster.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
ec057a5102 "More" constant time point multiplication
About the same speed, about the same precomputation table requirements.
Simpler code.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
eb6e74f361 Improve speed of scalar_multiply.
We also allow for substracting values to be able to do 3 bits at a time.
2015-03-17 19:18:34 +01:00
Jochen Hoenicke
d4788bddfd Added modulus to bn_subtractmod 2015-03-17 19:17:56 +01:00
Pavol Rusnak
e37ba822e6 bn_substract -> bn_subtractmod, bn_substract_noprime -> bn_subtract
remove dead code
2015-03-17 14:19:50 +01:00
Jochen Hoenicke
e2dd0b8e8d Always check for validity in ecdsa_read_pubkey.
An invalid point may crash the implementation or, worse,
reveal information about the private key if used in a ECDH
context (e.g. cryptoMessageEn/Decrypt).

Therefore, check all user supplied points even if
USE_PUBKEY_VALIDATE is not set.

To improve speed, we don't check if the point lies in the
main group, since the secp256k1 curve does not have
any other subgroup.
2015-03-08 21:09:21 +01:00
Jochen Hoenicke
ed9d8c1ebb Fix RFC6979 generation of k.
The standard says:
step h:
  Set T to the empty sequence.
  while tlen < qlen
    V = HMAC_K(V)
    T = T || V
  k = bits2int(T)

in this case (HMAC-SHA256, qlen=256bit) this simplifies to
  V = HMAC_K(V)
  T = V
  k = bits2int(T)
and T can be omitted.

The old code (wrong) did:
  T = HMAC_K(V)
  k = bits2int(T)
Note that V will only be used again if the first k is out of range.
Thus, the old code produced the right result with a very high probability.
2015-01-30 22:34:37 +01:00
Pavol Rusnak
795579cbac invert pby when normalizing S during signing 2014-12-23 18:13:33 +01:00
Pavol Rusnak
89a7d7797b replace base58 implementation 2014-12-23 03:11:58 +01:00
Pavol Rusnak
b4cdba8489 export pby from ecdsa_sign functions 2014-12-08 21:08:49 +01:00
Pavol Rusnak
9469a64a0a use bn_is_zero and bn_is_equal where possible 2014-11-17 17:17:14 +01:00
Pavol Rusnak
df3606dd5e introduce ecdsa_get_address_raw 2014-11-16 21:17:39 +01:00
Pavol Rusnak
0fe1857513 normalize y^2 in pubkey validation
fix last commit
2014-07-07 21:11:25 +02:00
Pavol Rusnak
b9d5896174 make pubkey validation optional, extract options to separate header 2014-07-07 20:14:36 +02:00
Ondrej Mikle
b34516bc49 Removed unnessary point copy. 2014-07-07 16:35:53 +02:00
Ondrej Mikle
03fee34550 Validating of public key curve point. 2014-07-07 15:11:40 +02:00
Ondrej Mikle
7fd81a1e0c Removed superfluous bn_mod, it's done now in point_add and point_double. 2014-07-06 14:50:12 +02:00
Ondrej Mikle
323da2d434 Keep results after point_add() and point_double() inside the finite field. Simplified point_is_negative_of(). 2014-07-05 22:07:03 +02:00
Ondrej Mikle
d827b2c862 Account for case when point.y == 0 when doubling. 2014-07-04 17:40:35 +02:00
Ondrej Mikle
6d61cefdb3 Removed test for point equality in ecdsa_verify_digest, point_add() already handles that. 2014-07-04 15:50:29 +02:00
Ondrej Mikle
da6a09880d Handling of special cases in EC arithmetic. 2014-07-04 15:30:15 +02:00
Pavol Rusnak
82ed3f31db fix comparison of points 2014-07-04 15:07:02 +02:00
Pavol Rusnak
eec5f7df15 fix bug in unoptimized branch of code 2014-07-03 10:16:19 +02:00
Pavol Rusnak
019d779a94 Revert "Revert "add more precomputation to ecdsa signing""
This reverts commit 3747ba4323.
2014-07-03 10:09:45 +02:00
Pavol Rusnak
3747ba4323 Revert "add more precomputation to ecdsa signing"
This reverts commit 06dd166a82.
2014-07-03 01:18:00 +02:00
Ondrej Mikle
0ad302ea4e Hashing of secp256k1 pubkey recognizes point at infinity. 2014-07-01 16:16:06 +02:00
Pavol Rusnak
5e9cd15527 use new base58 code for address functions, add function for obtaining wif 2014-05-22 22:29:53 +02:00
Pavol Rusnak
612f5ab050 fix copyright headers 2014-05-22 20:54:58 +02:00
Pavol Rusnak
06dd166a82 add more precomputation to ecdsa signing 2014-05-15 17:11:26 +02:00
Pavol Rusnak
94d4a3733e fix typos 2014-04-11 15:33:29 +02:00
Pavol Rusnak
b5ceb14f8d extract ecdsa_get_pubkeyhash 2014-02-21 23:33:14 +01:00
Pavol Rusnak
d0e152a088 replace SHA256/SHA512 prefix with sha256/sha512 (OpenSSL clash) 2014-02-19 21:26:42 +01:00