// Package ecdsa implements the Elliptic Curve Digital Signature Algorithm, as
// defined in FIPS 186-3.
-//
-// This implementation derives the nonce from an AES-CTR CSPRNG keyed by
-// ChopMD(256, SHA2-512(priv.D || entropy || hash)). The CSPRNG key is IRO by
-// a result of Coron; the AES-CTR stream is IRO under standard assumptions.
package ecdsa
// References:
import (
"crypto"
- "crypto/aes"
- "crypto/cipher"
"crypto/elliptic"
- "crypto/sha512"
"encoding/asn1"
"io"
"math/big"
)
-const (
- aesIV = "IV for ECDSA CTR"
-)
-
// PublicKey represents an ECDSA public key.
type PublicKey struct {
elliptic.Curve
// pair of integers. The security of the private key depends on the entropy of
// rand.
func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
- // Get max(log2(q) / 2, 256) bits of entropy from rand.
- entropylen := (priv.Curve.Params().BitSize + 7) / 16
- if entropylen > 32 {
- entropylen = 32
- }
- entropy := make([]byte, entropylen)
- _, err = rand.Read(entropy)
- if err != nil {
- return
- }
-
- // Initialize an SHA-512 hash context; digest ...
- md := sha512.New()
- md.Write(priv.D.Bytes()) // the private key,
- md.Write(entropy) // the entropy,
- md.Write(hash) // and the input hash;
- key := md.Sum(nil)[:32] // and compute ChopMD-256(SHA-512),
- // which is an indifferentiable MAC.
-
- // Create an AES-CTR instance to use as a CSPRNG.
- block, err := aes.NewCipher(key)
- if err != nil {
- return nil, nil, err
- }
-
- // Create a CSPRNG that xors a stream of zeros with
- // the output of the AES-CTR instance.
- csprng := cipher.StreamReader{
- R: zeroReader,
- S: cipher.NewCTR(block, []byte(aesIV)),
- }
-
// See [NSA] 3.4.1
c := priv.PublicKey.Curve
N := c.Params().N
var k, kInv *big.Int
for {
for {
- k, err = randFieldElement(c, csprng)
+ k, err = randFieldElement(c, rand)
if err != nil {
r = nil
return
x.Mod(x, N)
return x.Cmp(r) == 0
}
-
-type zr struct {
- io.Reader
-}
-
-// Read replaces the contents of dst with zeros.
-func (z *zr) Read(dst []byte) (n int, err error) {
- for i := range dst {
- dst[i] = 0
- }
- return len(dst), nil
-}
-
-var zeroReader = &zr{}
testSignAndVerify(t, elliptic.P521(), "p521")
}
-func testNonceSafety(t *testing.T, c elliptic.Curve, tag string) {
- priv, _ := GenerateKey(c, rand.Reader)
-
- hashed := []byte("testing")
- r0, s0, err := Sign(zeroReader, priv, hashed)
- if err != nil {
- t.Errorf("%s: error signing: %s", tag, err)
- return
- }
-
- hashed = []byte("testing...")
- r1, s1, err := Sign(zeroReader, priv, hashed)
- if err != nil {
- t.Errorf("%s: error signing: %s", tag, err)
- return
- }
-
- if s0.Cmp(s1) == 0 {
- // This should never happen.
- t.Errorf("%s: the signatures on two different messages were the same")
- }
-
- if r0.Cmp(r1) == 0 {
- t.Errorf("%s: the nonce used for two diferent messages was the same")
- }
-}
-
-func TestNonceSafety(t *testing.T) {
- testNonceSafety(t, elliptic.P224(), "p224")
- if testing.Short() {
- return
- }
- testNonceSafety(t, elliptic.P256(), "p256")
- testNonceSafety(t, elliptic.P384(), "p384")
- testNonceSafety(t, elliptic.P521(), "p521")
-}
-
-func testINDCCA(t *testing.T, c elliptic.Curve, tag string) {
- priv, _ := GenerateKey(c, rand.Reader)
-
- hashed := []byte("testing")
- r0, s0, err := Sign(rand.Reader, priv, hashed)
- if err != nil {
- t.Errorf("%s: error signing: %s", tag, err)
- return
- }
-
- r1, s1, err := Sign(rand.Reader, priv, hashed)
- if err != nil {
- t.Errorf("%s: error signing: %s", tag, err)
- return
- }
-
- if s0.Cmp(s1) == 0 {
- t.Errorf("%s: two signatures of the same message produced the same result")
- }
-
- if r0.Cmp(r1) == 0 {
- t.Errorf("%s: two signatures of the same message produced the same nonce")
- }
-}
-
-func TestINDCCA(t *testing.T) {
- testINDCCA(t, elliptic.P224(), "p224")
- if testing.Short() {
- return
- }
- testINDCCA(t, elliptic.P256(), "p256")
- testINDCCA(t, elliptic.P384(), "p384")
- testINDCCA(t, elliptic.P521(), "p521")
-}
-
func fromHex(s string) *big.Int {
r, ok := new(big.Int).SetString(s, 16)
if !ok {