From 6287435f551e7bb2de5af12efb6abf4d1c1e38f1 Mon Sep 17 00:00:00 2001 From: "Pavel V. Shatov (Meister)" Date: Sun, 11 Apr 2021 17:45:39 +0300 Subject: Updated the top layer to accomodate changes in the underlying architecture. --- ecdsa_fpga_model.cpp | 124 +++++++++++++++++++++++++-------------------------- 1 file changed, 61 insertions(+), 63 deletions(-) (limited to 'ecdsa_fpga_model.cpp') diff --git a/ecdsa_fpga_model.cpp b/ecdsa_fpga_model.cpp index 19be3c5..13ba3f9 100644 --- a/ecdsa_fpga_model.cpp +++ b/ecdsa_fpga_model.cpp @@ -106,6 +106,11 @@ int main() ok = test_base_point_multiplier(&ecdsa_d_nsa, &ecdsa_qx_nsa, &ecdsa_qy_nsa); if (!ok) return EXIT_FAILURE; + // bail out right after the first test, if debugging is enabled +#if defined(DUMP_CYCLE_STATES) || defined(DUMP_UOP_OUTPUTS) + return -1; +#endif + // test base point multiplier: R = k * G printf("Trying to sign something (NSA test vector)...\n\n"); ok = test_base_point_multiplier(&ecdsa_k_nsa, &ecdsa_rx_nsa, &ecdsa_ry_nsa); @@ -123,30 +128,6 @@ int main() // now run some intricate tests... - /* Excerpt from the commit message e718fdfae6443466e566ed6ce1515cdecc215ac0: - - The model does multiplication using the double-and-add algorithm. When adding - two points P and Q on curves P-256 and P-384, four special cases must be - considered. One of them is P = Q, in that situation the explicit addition - formulae don't work and either 2*P or 2*Q must be returned from the addition - routine. In this model Q is always the base point G, so when P = G, then 2*G - must be returned. Since G is fixed, this model stores precomputed point H = 2*G - and returns it when adding G + G for true constant-time operation. - - During multiplication the bits of k are scanned left-to-right, so doubling is - done before addition. This way the only situation when both inputs to the - addition routine are equal to G is when after doubling the result is G. This in - its turn is only possible when k = n + 2 (where n is the order of the base - point G). ECDSA requires integer k to be [1, n-1], one of the side effects - is that the model has a code path that will never be used under normal - operation. This code path can be verified by first multiplying by k = 2 - (special handling for P = G not triggered), then multiplying by k = n + 2 - (special handling for P = G triggered). Both multiplications should produce - the same output. In the former case the output will be calculated on-the-fly, - in the latter case the pre-computed coordinates of H will be used. - */ - - // test base point multiplier: H = 2 * G FPGA_BUFFER two; fpga_modular_add(&ECDSA_ONE, &ECDSA_ONE, &two); @@ -162,7 +143,7 @@ int main() printf("Trying to multiply the base point by its order plus one...\n\n"); ok = test_base_point_multiplier(&n1, &ECDSA_GX, &ECDSA_GY); if (!ok) return EXIT_FAILURE; - + // test base point multiplier: H = (n + 2) * G FPGA_BUFFER n2; fpga_modular_add(&ECDSA_N, &two, &n2); // n2 = n + two @@ -176,7 +157,7 @@ int main() // try to abuse internal point doubler ok = abuse_internal_point_doubler(); if (!ok) return EXIT_FAILURE; - + // try to abuse internal point adder ok = abuse_internal_point_adder(); if (!ok) return EXIT_FAILURE; @@ -430,7 +411,7 @@ bool abuse_internal_point_doubler() // try to double point at infinity (should produce point at infinity) printf("Trying to double something at infinity...\n\n"); - fpga_curve_double_jacobian(&px, &py, &pz, &qx, &qy, &qz); + fpga_curve_double_jacobian_shim(&px, &py, &pz, &qx, &qy, &qz); // handle result ok = compare_fpga_buffers(&ECDSA_ZERO, &qz); @@ -450,7 +431,7 @@ bool abuse_internal_point_adder() //------------------------------------------------------------------------------ // // This routine tries to abuse the internal curve point adder by forcing it to -// go throgh all the possible "corner cases". +// go through all the possible "corner cases". // //------------------------------------------------------------------------------ { @@ -458,6 +439,7 @@ bool abuse_internal_point_adder() bool ok; // flag FPGA_BUFFER px, py, pz; // input + FPGA_BUFFER qx, qy, qz; // input FPGA_BUFFER rx, ry, rz; // output // @@ -465,15 +447,19 @@ bool abuse_internal_point_adder() // { // set P.X and P.Y to some "random" garbage and P.Z to zero + // set Q to the base point for (w=0; w