From: Stefan Berger <stefanb@linux.ibm.com>
To: Bharat Bhushan <bbhushan2@marvell.com>,
Stefan Berger <stefanb@linux.vnet.ibm.com>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
"davem@davemloft.net" <davem@davemloft.net>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"saulo.alessandre@tse.jus.br" <saulo.alessandre@tse.jus.br>,
"lukas@wunner.de" <lukas@wunner.de>,
"jarkko@kernel.org" <jarkko@kernel.org>
Subject: Re: [PATCH v6 06/13] crypto: ecc - Implement vli_mmod_fast_521 for NIST p521
Date: Mon, 18 Mar 2024 14:38:32 -0400
Message-ID: <4151f2f0-aa92-480d-aad5-2bf4333b4265@linux.ibm.com>
In-Reply-To: <SN7PR18MB5314CB6B4CF9678BDDF0D012E32D2@SN7PR18MB5314.namprd18.prod.outlook.com>
On 3/18/24 01:47, Bharat Bhushan wrote:
>
>
>> -----Original Message-----
>> From: Stefan Berger <stefanb@linux.vnet.ibm.com>
>> Sent: Wednesday, March 13, 2024 12:06 AM
>> To: keyrings@vger.kernel.org; linux-crypto@vger.kernel.org;
>> herbert@gondor.apana.org.au; davem@davemloft.net
>> Cc: linux-kernel@vger.kernel.org; saulo.alessandre@tse.jus.br;
>> lukas@wunner.de; Bharat Bhushan <bbhushan2@marvell.com>;
>> jarkko@kernel.org; Stefan Berger <stefanb@linux.ibm.com>
>> Subject: [EXTERNAL] [PATCH v6 06/13] crypto: ecc - Implement
>> vli_mmod_fast_521 for NIST p521
>>
>> From: Stefan Berger <stefanb@linux.ibm.com>
>>
>> Implement vli_mmod_fast_521 following the description for how to calculate
>> the modulus for NIST P521 in the NIST publication "Recommendations for
>> Discrete Logarithm-Based Cryptography: Elliptic Curve Domain Parameters"
>> section G.1.4.
>>
>> NIST p521 requires 9 64bit digits, so increase the ECC_MAX_DIGITS so that
>> arrays fit the larger numbers.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>> crypto/ecc.c | 25 +++++++++++++++++++++++++
>> include/crypto/internal/ecc.h | 3 ++-
>> 2 files changed, 27 insertions(+), 1 deletion(-)
>>
>> diff --git a/crypto/ecc.c b/crypto/ecc.c index 415a2f4e7291..99d41887c005
>> 100644
>> --- a/crypto/ecc.c
>> +++ b/crypto/ecc.c
>> @@ -902,6 +902,28 @@ static void vli_mmod_fast_384(u64 *result, const
>> u64 *product, #undef AND64H #undef AND64L
>>
>> +/*
>> + * Computes result = product % curve_prime
>> + * from "Recommendations for Discrete Logarithm-Based Cryptography:
>> + * Elliptic Curve Domain Parameters" section G.1.4
>> + */
>> +static void vli_mmod_fast_521(u64 *result, const u64 *product,
>> + const u64 *curve_prime, u64 *tmp) {
>> + const unsigned int ndigits = ECC_CURVE_NIST_P521_DIGITS;
>> + size_t i;
>> +
>> + /* Initialize result with lowest 521 bits from product */
>> + vli_set(result, product, ndigits);
>> + result[8] &= 0x1ff;
>> +
>> + for (i = 0; i < ndigits; i++)
>> + tmp[i] = (product[8 + i] >> 9) | (product[9 + i] << 55);
>> + tmp[8] &= 0x1ff;
>
> Can we get away from this hardcoding, like 9, 55, 0x1ff, etc.?
> Or at least add a comment about these.
>
>> +
>> + vli_mod_add(result, result, tmp, curve_prime, ndigits); }
>> +
>> /* Computes result = product % curve_prime for different curve_primes.
>> *
>> * Note that curve_primes are distinguished just by heuristic check and @@ -
>> 941,6 +963,9 @@ static bool vli_mmod_fast(u64 *result, u64 *product,
>> case ECC_CURVE_NIST_P384_DIGITS:
>> vli_mmod_fast_384(result, product, curve_prime, tmp);
>> break;
>> + case ECC_CURVE_NIST_P521_DIGITS:
>> + vli_mmod_fast_521(result, product, curve_prime, tmp);
>> + break;
>> default:
>> pr_err_ratelimited("ecc: unsupported digits size!\n");
>> return false;
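Review bot: in vli_mmod_fast_521, result and tmp are each only masked to 521 bits, never reduced, so either one can equal curve_prime itself (2^521 - 1) and their sum can reach 2p; please confirm that vli_mod_add fully reduces a sum that large, or state the contract in the comment, because a single conditional subtraction of p would leave p rather than 0 for that input. The constants 9, 55 and 0x1ff also deserve a comment, as Bharat asks: 521 = 8 * 64 + 9, so limb 8 keeps 9 bits (mask 0x1ff), the high half is shifted down by 9, and the next limb contributes the remaining 64 - 9 = 55 bits; a named macro for that 9-bit remainder would tie the three values together and make the relation to ECC_CURVE_NIST_P521_DIGITS visible.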
>> diff --git a/include/crypto/internal/ecc.h b/include/crypto/internal/ecc.h index
>> ab722a8986b7..4e2f5f938e91 100644
>> --- a/include/crypto/internal/ecc.h
>> +++ b/include/crypto/internal/ecc.h
>> @@ -33,7 +33,8 @@
>> #define ECC_CURVE_NIST_P192_DIGITS 3
>> #define ECC_CURVE_NIST_P256_DIGITS 4
>> #define ECC_CURVE_NIST_P384_DIGITS 6
>> -#define ECC_MAX_DIGITS (512 / 64) /* due to ecrdsa */
>> +#define ECC_CURVE_NIST_P521_DIGITS 9
>
> Maybe these can be defined as:
> #define ECC_CURVE_NIST_P521_DIGITS (DIV_ROUND_UP(521, 64) /* NIST P521 */)
I think for NIST P521 9 can be pre-calculated. It will not change
anymore in the future.
>
>> +#define ECC_MAX_DIGITS DIV_ROUND_UP(521, 64) /* NIST P521 */
>
> /* NIST_P521 is max digits */
> #define ECC_MAX_DIGITS ECC_CURVE_ _DIGITS
In this case I think the DIV_ROUND_UP() along with the comment shows
that it needs to be updated if ever a larger curve comes along.
>
> Thanks
> -Bharat
>
>>
>> #define ECC_DIGITS_TO_BYTES_SHIFT 3
>>
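Review bot: the ECC_MAX_DIGITS change drops the "/* due to ecrdsa */" note without recording that ecrdsa's 512-bit (8-digit) requirement is still satisfied by the new value; suggest the replacement comment say so, e.g. "/* NIST P521; also covers the 512 bits ecrdsa needs */". Writing ECC_MAX_DIGITS as DIV_ROUND_UP(521, 64) while ECC_CURVE_NIST_P521_DIGITS is a literal 9 leaves two independent spellings of the same value; if the literal 9 is kept, deriving ECC_MAX_DIGITS from ECC_CURVE_NIST_P521_DIGITS keeps them from diverging when a larger curve is added. It would also help to note in the commit message that every array sized by ECC_MAX_DIGITS grows from 8 to 9 digits (and product arrays from 16 to 18), since that is the stack-size effect of this one-line change.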
>> --
>> 2.43.0
>
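A stand-alone C model of the reduction this patch implements, added here as an example and not code from the patch or from crypto/ecc.c. It assumes the same little-endian 64-bit limb layout and replaces the kernel's vli_* helpers with small ones of its own (vli_cmp, vli_add, vli_sub, vli_mod_add_p521 and mmod_fast_521 are names chosen for this example, not the kernel's). What it adds to the discussion above is the edge case at the end of the function: the two 521-bit halves are only masked, so each can equal p = 2^521 - 1 itself, and the final modular add may have to subtract p twice. The constructed inputs make that visible by returning how many subtractions ran.

```c
#include <stdint.h>
#include <string.h>

typedef uint64_t u64;
#define P521_DIGITS   9                                 /* ceil(521 / 64) */
#define P521_TOP_BITS 9                                 /* 521 - 8 * 64 */
#define P521_TOP_MASK ((1ULL << P521_TOP_BITS) - 1)     /* 0x1ff */

/* p = 2^521 - 1 as nine little-endian 64-bit limbs (assumed to match ecc.c). */
static const u64 p521[P521_DIGITS] = { ~0ULL, ~0ULL, ~0ULL, ~0ULL, ~0ULL,
				       ~0ULL, ~0ULL, ~0ULL, P521_TOP_MASK };

/* Compare n-limb integers: 1, 0 or -1 for a > b, a == b, a < b. */
static int vli_cmp(const u64 *a, const u64 *b, unsigned n)
{
	for (unsigned i = n; i-- > 0;)
		if (a[i] != b[i])
			return a[i] > b[i] ? 1 : -1;
	return 0;
}

/* r = a + b; returns the carry out of the top limb.  r may alias a. */
static u64 vli_add(u64 *r, const u64 *a, const u64 *b, unsigned n)
{
	u64 carry = 0;
	for (unsigned i = 0; i < n; i++) {
		u64 s = a[i] + b[i], c = s < a[i];
		s += carry;
		carry = c | (s < carry);
		r[i] = s;
	}
	return carry;
}

/* r = a - b; returns the borrow out of the top limb.  r may alias a. */
static u64 vli_sub(u64 *r, const u64 *a, const u64 *b, unsigned n)
{
	u64 borrow = 0;
	for (unsigned i = 0; i < n; i++) {
		u64 d = a[i] - b[i], bo = (a[i] < b[i]) | (d < borrow);
		r[i] = d - borrow;
		borrow = bo;
	}
	return borrow;
}

/* r = (a + b) mod p for a, b <= p.  Each 521-bit half of a product is only
 * masked, never reduced, so both may equal p and the sum may reach 2p: up to
 * two conditional subtractions are needed.  Returns how many ran.  Not
 * constant-time; an illustration, not kernel code. */
static int vli_mod_add_p521(u64 *r, const u64 *a, const u64 *b)
{
	int subs = 0;
	vli_add(r, a, b, P521_DIGITS);  /* a, b < 2^521: no carry out of limb 8 */
	for (int k = 0; k < 2; k++)
		if (vli_cmp(r, p521, P521_DIGITS) >= 0) {
			vli_sub(r, r, p521, P521_DIGITS);
			subs++;
		}
	return subs;
}

/* result = product mod p for an 18-limb product, structured like the patch's
 * vli_mmod_fast_521: add the low and high 521-bit halves, as 2^521 == 1 (mod p).
 * Returns the subtraction count from vli_mod_add_p521. */
int mmod_fast_521(u64 *result, const u64 *product)
{
	u64 tmp[P521_DIGITS];
	memcpy(result, product, sizeof(u64) * P521_DIGITS);
	result[8] &= P521_TOP_MASK;                     /* keep bits 0..520 */
	for (unsigned i = 0; i < P521_DIGITS; i++)      /* bits 521..1041 */
		tmp[i] = (product[8 + i] >> P521_TOP_BITS) |
			 (product[9 + i] << (64 - P521_TOP_BITS));
	tmp[8] &= P521_TOP_MASK;
	return vli_mod_add_p521(result, result, tmp);
}

/* Reduce prod; return the subtraction count, or -1 unless the residue is
 * exactly the single-limb value expected. */
static int reduce_and_check(const u64 *prod, u64 expected)
{
	u64 r[P521_DIGITS];
	int subs = mmod_fast_521(r, prod);
	for (unsigned i = 1; i < P521_DIGITS; i++)
		if (r[i])
			return -1;
	return r[0] == expected ? subs : -1;
}

/* Constructed inputs (not from the patch) whose residue and subtraction
 * count can be worked out by hand. */
int case_2pow521_plus_5(void)   /* 2^521 + 5 == 6 (mod p); 0 subtractions */
{
	u64 prod[2 * P521_DIGITS] = { 0 };
	prod[0] = 5;
	prod[8] = 1ULL << P521_TOP_BITS;                /* bit 521 */
	return reduce_and_check(prod, 6);
}

int case_2pow1042_minus_1(void) /* p * (p + 2) == 0; both halves == p, 2 subtractions */
{
	u64 prod[2 * P521_DIGITS] = { 0 };
	for (unsigned i = 0; i < 16; i++)
		prod[i] = ~0ULL;
	prod[16] = 0x3ffffULL;    /* with one subtraction only, the result would be p */
	return reduce_and_check(prod, 0);
}
```

Built with any C99 compiler and called from a main() of your own, case_2pow521_plus_5() returns 0 and case_2pow1042_minus_1() returns 2. Changing the loop bound in vli_mod_add_p521 from 2 to 1 makes the second case return -1 (the residue is left at p instead of 0), which is exactly the behaviour to check the kernel's vli_mod_add against before relying on its output being fully reduced.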