Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

p521: field arithmetic implementation not working correctly #947

Closed
tarcieri opened this issue Nov 1, 2023 · 8 comments · Fixed by #953
Closed

p521: field arithmetic implementation not working correctly #947

tarcieri opened this issue Nov 1, 2023 · 8 comments · Fixed by #953

Comments

@tarcieri
Copy link
Member

tarcieri commented Nov 1, 2023

This is a tracking issue for promoting p521's wip-arithmetic-do-not-use feature to a working arithmetic feature.

Notably the base field implementation in p521 uses code generated by fiat-crypto specific to Solinas primes, which is different from the Montgomery representation which is easily supported using macros in the primeorder crate.

#945 fixed an issue where fiat_p521_tight_field_element uses a different limb representation than U576, however this was not sufficient to make the basic field arithmetic tests work: #946
This was referenced Nov 1, 2023
Merged
Closed
@MasterAwesome
Copy link
Contributor

What's remaining in terms of tests before promoting this into a sem-ver feature arithmetic?

@tarcieri
Copy link
Member Author

tarcieri commented Nov 2, 2023

When #951 lands we should basically be there, although I'd also like to wire up an ECDSA feature and add the Wycheproof test vectors for it

tarcieri added a commit that referenced this issue Nov 2, 2023
@tarcieri
p521: arithmetic feature
c1c7dbf 
Now that #946, #950, and #951 have landed it seems prudent to add a real
`arithmetic` feature.

This adds a feature similar to the other crates in this repo which
exposes the following types which provide a curve arithmetic
implementation:

- `AffinePoint`
- `ProjectivePoint`
- `Scalar`

The `wip-arithmetic-do-not-use` feature is now removed as well. While
technically SemVer breaking, it wasn't supposed to be used in the first
place!

Closes #947
@tarcieri tarcieri mentioned this issue Nov 2, 2023
Merged
tarcieri added a commit that referenced this issue Nov 2, 2023
@tarcieri
p521: arithmetic feature
a6db83b 
Now that #946, #950, and #951 have landed it seems prudent to add a real
`arithmetic` feature.

This adds a feature similar to the other crates in this repo which
exposes the following types which provide a curve arithmetic
implementation:

- `AffinePoint`
- `ProjectivePoint`
- `Scalar`

The `wip-arithmetic-do-not-use` feature is now removed as well. While
technically SemVer breaking, it wasn't supposed to be used in the first
place!

Closes #947
tarcieri added a commit that referenced this issue Nov 3, 2023
@tarcieri
p521: arithmetic feature (#953)
3a19153 
Now that #946, #950, and #951 have landed it seems prudent to add a real
`arithmetic` feature.

This adds a feature similar to the other crates in this repo which
exposes the following types which provide a curve arithmetic
implementation:

- `AffinePoint`
- `ProjectivePoint`
- `Scalar`

The `wip-arithmetic-do-not-use` feature is now removed as well. While
technically SemVer breaking, it wasn't supposed to be used in the first
place!

Closes #947
@MasterAwesome
Copy link
Contributor

When #951 lands we should basically be there, although I'd also like to wire up an ECDSA feature and add the Wycheproof test vectors for it

I see, are you working on this or should I create a pull request?

@tarcieri
Copy link
Member Author

tarcieri commented Nov 8, 2023
edited
Loading

I'm working on it. It's somewhat involved since the ecdsa crate assumes that the hash function output size is the same as the size of a serialized field element (it gets particularly hairy in the current RFC6979 implementation).

Fixing that will involve breaking changes to the ecdsa crate, but in the meantime I'm adding some newtypes to work around it.

@MasterAwesome
Copy link
Contributor

I'm working on it. It's somewhat involved since the ecdsa crate assumes that the hash function output size is the same as the size of a serialized field element (it gets particularly hairy in the current RFC6979 implementation).

Fixing that will involve breaking changes to the ecdsa crate, but in the meantime I'm adding some newtypes to work around it.

Newtype for the curve's default hashing function that returns field element sized outputsize?

@tarcieri
Copy link
Member Author

tarcieri commented Nov 8, 2023

Newtypes for ecdsa::{SigningKey, VerifyingKey}

@MasterAwesome
Copy link
Contributor

Newtypes for ecdsa::{SigningKey, VerifyingKey}

Ah I see, so this eventually will require a breaking change in ecdsa crate.

@tarcieri
Copy link
Member Author

tarcieri commented Jan 17, 2024
edited
Loading

@MasterAwesome I was able to make the breaking changes in the ecdsa and rfc6979 crates:

However, the rfc6979 crate still can't correctly generate a P-521 test vector for whatever reason:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

p521: arithmetic feature RustCrypto/elliptic-curves
2 participants
@tarcieri @MasterAwesome