author | Pavel V. Shatov (Meister) <meisterpaul1@yandex.ru> | 2018-04-17 14:49:54 +0300 |
---|---|---|
committer | Pavel V. Shatov (Meister) <meisterpaul1@yandex.ru> | 2018-04-17 14:49:54 +0300 |
commit | 5ee00eeda3508756b41b2ec40e6878242e0cd43b (patch) | |
tree | 0e6925eed7237a791bb326d796a583050197c0f0 /stm32_driver/ecdsa384_driver_sample.c | |
parent | 0332f99f8b9ef7ec9e520406abfe887a185ec87b (diff) |
Same changes as per the P-256 core.fix
Diffstat (limited to 'stm32_driver/ecdsa384_driver_sample.c')
-rw-r--r-- | stm32_driver/ecdsa384_driver_sample.c | 61 |
1 files changed, 51 insertions, 10 deletions
diff --git a/stm32_driver/ecdsa384_driver_sample.c b/stm32_driver/ecdsa384_driver_sample.c index 6ab62ee..b3ea24f 100644 --- a/stm32_driver/ecdsa384_driver_sample.c +++ b/stm32_driver/ecdsa384_driver_sample.c @@ -30,7 +30,8 @@ // curve selection #define USE_CURVE 2 -#include "ecdsa_model.h" + +#include "../../../user/shatov/ecdsa_fpga_model/ecdsa_model.h" #define BUF_NUM_WORDS (OPERAND_WIDTH / (sizeof(uint32_t) << 3)) // 8 @@ -49,9 +50,16 @@ static const uint32_t p384_i[BUF_NUM_WORDS] = ECDSA_ONE; static const uint32_t p384_gx[BUF_NUM_WORDS] = ECDSA_G_X; static const uint32_t p384_gy[BUF_NUM_WORDS] = ECDSA_G_Y; +static const uint32_t p384_hx[BUF_NUM_WORDS] = ECDSA_H_X; +static const uint32_t p384_hy[BUF_NUM_WORDS] = ECDSA_H_Y; + static const uint32_t p384_z[BUF_NUM_WORDS] = ECDSA_ZERO; static const uint32_t p384_n[BUF_NUM_WORDS] = ECDSA_N; +static uint32_t p384_2[BUF_NUM_WORDS]; // 2 +static uint32_t p384_n1[BUF_NUM_WORDS]; // n + 1 +static uint32_t p384_n2[BUF_NUM_WORDS]; // n + 2 + // // prototypes // 
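Review bot: The new `#include "../../../user/shatov/ecdsa_fpga_model/ecdsa_model.h"` in the first hunk hard-codes a path that climbs three directories out of `stm32_driver/` into what looks like a per-user checkout. The sample then builds only when that exact sibling layout exists, and the curve constants it tests against (`ECDSA_N`, `ECDSA_H_X`, `ECDSA_H_Y`) come from whatever copy of the header happens to sit there. Keeping `#include "ecdsa_model.h"` and passing the model directory on the compiler's include path, for example `-I<path-to-ecdsa_fpga_model>`, would keep the source independent of the layout and make the header's origin explicit in the build. If the relative path has to stay, a comment above it naming the repository the header is expected to come from would help.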
@@ -88,17 +96,50 @@ int main() while (1); } + // prepare more numbers + size_t w; + for (w=0; w<BUF_NUM_WORDS; w++) + { p384_2[w] = p384_z[w]; // p384_2 = p384_z = 0 + p384_n1[w] = p384_n[w]; // p384_n1 = p384_n = N + p384_n2[w] = p384_n[w]; // p384_n2 = p384_n = N + } + + p384_2[BUF_NUM_WORDS-1] += 2; // p384_2 = 2 + p384_n1[BUF_NUM_WORDS-1] += 1; // p384_n1 = N + 1 + p384_n2[BUF_NUM_WORDS-1] += 2; // p384_n2 = N + 2 // repeat forever - while (1) { + while (1) + { ok = 1; - ok = ok && test_p384_multiplier(p384_d, p384_qx, p384_qy); - ok = ok && test_p384_multiplier(p384_k, p384_rx, p384_ry); - ok = ok && test_p384_multiplier(p384_z, p384_z, p384_z); - ok = ok && test_p384_multiplier(p384_i, p384_gx, p384_gy); - ok = ok && test_p384_multiplier(p384_n, p384_z, p384_z); - - if (!ok) { led_off(LED_GREEN); - led_on(LED_RED); + + ok = ok && test_p384_multiplier(p384_d, p384_qx, p384_qy); /* Q = d * G */ + ok = ok && test_p384_multiplier(p384_k, p384_rx, p384_ry); /* R = k * G */ + + ok = ok && test_p384_multiplier(p384_z, p384_z, p384_z); /* O = 0 * G */ + ok = ok && test_p384_multiplier(p384_i, p384_gx, p384_gy); /* G = 1 * G */ + + ok = ok && test_p384_multiplier(p384_n, p384_z, p384_z); /* O = n * G */ + + ok = ok && test_p384_multiplier(p384_n1, p384_gx, p384_gy); /* G = (n + 1) * G */ + + // + // The following two vectors test the virtually never taken path in the curve point + // addition routine when both input points are the same. During the first test (2 * G) + // the double of the base point is computed at the second doubling step of the multiplication + // algorithm, which does not require any special handling. During the second test the + // precomputed double of the base point (stored in internal read-only memory) is returned, + // because after doubling of G * ((n + 1) / 2) we get G * (n + 1) = G. The adder then has to + // compute G + G for which the formulae don't work, and special handling is required. 
The two + // test vectors verify that the hardcoded double of the base point matches the one computed + // on the fly. Note that in practice one should never be multiplying by anything larger than (n-1), + // because both the secret key and the per-message (random) number must be from [1, n-1]. + // + ok = ok && test_p384_multiplier(p384_2, p384_hx, p384_hy); /* H = 2 * G */ + ok = ok && test_p384_multiplier(p384_n2, p384_hx, p384_hy); /* H = (n + 2) * G */ + + if (!ok) { + led_off(LED_GREEN); + led_on(LED_RED); } toggle_yellow_led(); |
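Review bot: The `+= 1` and `+= 2` on `p384_n1[BUF_NUM_WORDS-1]` and `p384_n2[BUF_NUM_WORDS-1]` add into a single 32-bit word with no carry into the next word, so the buffers hold n + 1 and n + 2 only while the low word of `ECDSA_N` is at most 0xFFFFFFFD. They also assume index `BUF_NUM_WORDS-1` is the least significant word, which the hunk implies but does not show. That holds for the standard P-384 group order, but the constants come from a header chosen through `USE_CURVE`, and a wrap would silently produce a wrong test vector rather than a build error. I would record the assumption next to the additions, e.g. `// no carry handling: requires low word of N <= 0xFFFFFFFD, words stored most significant first`. The body of `main` starts and ends outside the hunk, so any existing check elsewhere in it is not visible here.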