Skip to content

k256/p256: use new SignPrimitive API; add BlindedScalar #99

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tarcieri merged 1 commit into from
Jul 28, 2020
Merged

k256/p256: use new SignPrimitive API; add BlindedScalar #99

tarcieri merged 1 commit into from
Jul 28, 2020

Conversation

@tarcieri
Copy link
Member

@tarcieri tarcieri commented Jul 28, 2020

Updates both crates with the SignPrimitive changes from RustCrypto/signatures#107.

These changes removed the masking_scalar argument from the trait, and replaced it with trait bounds that make it possible to substitute a blinded scalar.

In the p256 crate (which is the only one that presently implements a variable-time inversion) the masking_scalar is replaced with a BlindedScalar type that implements the previous blinded inversion.

The implementation it uses (including Scalar::invert_vartime) could potentially be made generic and extracted into the elliptic-curve crate, allowing it to be used with any curve which implements the arithmetic primitives used in the blinded inversion implementation.

However, for now, this PR leaves it in p256, and therefore at least has feature parity with the old implementation.

@tarcieri tarcieri requested a review from nickray July 28, 2020 21:05
@tarcieri tarcieri force-pushed the ecdsa-update-and-blinded-scalar branch from e273c86 to 87efa5a Compare July 28, 2020 21:10
@tarcieri
k256/p256: use new SignPrimitive API; add BlindedScalar
634f262 
Updates both crates with the `SignPrimitive` changes from
RustCrypto/signatures#107.

These changes removed the `masking_scalar` from the trait, and replaced
it with trait bounds that make it possible to substitute a blinded
scalar.

In the `p256` crate (which is the only one that presently implements a
variable-time inversion) the `masking_scalar` is replaced with a
`BlindedScalar` type that implements the previous blinded inversion.

The implementation it uses (including `Scalar::invert_vartime`) could
potentially be made generic and extracted into the `elliptic-curve`
crate, allowing it to be used with any curve which implements the
arithmetic primitives used in the blinded inversion implementation.
However, for now, this PR leaves it in `p256`, and therefore at least
has feature parity with the old implementation.
@tarcieri tarcieri force-pushed the ecdsa-update-and-blinded-scalar branch from 87efa5a to 634f262 Compare July 28, 2020 21:18
@codecov-commenter
Copy link

codecov-commenter commented Jul 28, 2020

Codecov Report

Merging #99 into master will decrease coverage by 0.25%.
The diff coverage is 0.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master      #99      +/-   ##
==========================================
- Coverage   53.08%   52.83%   -0.26%     
==========================================
  Files          18       19       +1     
  Lines        3415     3435      +20     
==========================================
+ Hits         1813     1815       +2     
- Misses       1602     1620      +18
Impacted Files Coverage Δ
k256/src/arithmetic/scalar.rs 74.17% <0.00%> (-1.42%) ⬇️
k256/src/ecdsa.rs 0.00% <0.00%> (ø)
p256/src/arithmetic/field.rs 78.04% <0.00%> (ø)
p256/src/arithmetic/scalar.rs 63.81% <0.00%> (-0.86%) ⬇️
p256/src/arithmetic/scalar/blinding.rs 0.00% <0.00%> (ø)
p256/src/ecdsa.rs 0.00% <0.00%> (ø)
k256/src/arithmetic/scalar/scalar_4x64.rs 76.55% <0.00%> (+0.73%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ac786d3...634f262. Read the comment docs.

tarcieri
tarcieri commented Jul 28, 2020
View reviewed changes
p256/src/ecdsa.rs
Comment on lines +116 to +127
fn scalar_blinding() {
let vector = &ECDSA_TEST_VECTORS[0];
let d = Scalar::from_bytes(vector.d.try_into().unwrap()).unwrap();
let k = Scalar::from_bytes(vector.k.try_into().unwrap()).unwrap();
let k_blinded = BlindedScalar::new(k, &mut OsRng);
let sig = d
.try_sign_prehashed(&k_blinded, GenericArray::from_slice(vector.m))
.unwrap();

assert_eq!(vector.r, sig.r().as_slice());
assert_eq!(vector.s, sig.s().as_slice());
}
Copy link
Member Author

@tarcieri tarcieri Jul 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI @nickray, here's the proposed alternative for masking_scalar.

I had it take an RNG argument directly, but we could also add an API to construct one from two Scalar values you generate however you want (perhaps that could be new, and the RNG-based one could be generate)

@tarcieri tarcieri merged commit 0381cd6 into master Jul 28, 2020
@tarcieri tarcieri deleted the ecdsa-update-and-blinded-scalar branch July 28, 2020 21:25
@tarcieri tarcieri mentioned this pull request Jul 28, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nickray nickray Awaiting requested review from nickray

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tarcieri @codecov-commenter