upstream: https://github.com/mirage/mirage-crypto


Merge pull request #106 from hannesm/ec2

mirage-crypto-ec: remove blinding for sign

authored by

Hannes Mehnert and committed by
GitHub
5277e7d0 14a306e8

+7 -36
+2 -28
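--- a/ec/mirage_crypto_ec.ml
+++ b/ec/mirage_crypto_ec.ml
@@ -40,8 +40,7 @@
 
 val generate : rng:(int -> Cstruct.t) -> priv * pub
 
-val sign : ?mask:[ `No | `Yes | `Yes_with of Mirage_crypto_rng.g ] ->
-  key:priv -> ?k:Cstruct.t -> Cstruct.t -> Cstruct.t * Cstruct.t
+val sign : key:priv -> ?k:Cstruct.t -> Cstruct.t -> Cstruct.t * Cstruct.t
 
 val verify : key:pub -> Cstruct.t * Cstruct.t -> Cstruct.t -> bool
 
@@ -467,33 +466,11 @@
   let q = S.scalar_mult d P.params_g in
   (d, q)
 
-let blind mask =
-  let inv a =
-    let b = create () in
-    F.inv b a;
-    F.to_montgomery b b;
-    b
-  in
-  let rec rng g =
-    let r = Mirage_crypto_rng.generate ?g Param.byte_length in
-    if not_zero r && smaller_n r then begin
-      let ba = from_be_cstruct r in
-      F.to_montgomery ba ba;
-      Some (ba, inv ba)
-    end else
-      rng g
-  in
-  match mask with
-  | `No -> None
-  | `Yes -> rng None
-  | `Yes_with g -> rng (Some g)
-
-let sign ?(mask = `Yes) ~key ?k msg =
+let sign ~key ?k msg =
   (* blinding: literature: s = k^-1 * (m + r * priv_key) mod n
      we blind, similar to OpenSSL (https://github.com/openssl/openssl/commit/a3e9d5aa980f238805970f420adf5e903d35bf09):
      s = k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod n
   *)
-  let b = blind mask in
   let msg = padded msg in
   let e = from_be_cstruct msg in
   let g = K_gen_default.g ~key msg in
@@ -524,16 +501,13 @@
   let rd = create () in
   let dmon = from_be_cstruct (S.to_cstruct key) in
   F.to_montgomery dmon dmon;
-  (match b with None -> () | Some (b, _) -> F.mul dmon b dmon);
   F.mul rd r_mon dmon;
   let cmon = create () in
   let zmon = create () in
   F.to_montgomery zmon e;
-  (match b with None -> () | Some (b, _) -> F.mul zmon b zmon);
   F.add cmon zmon rd;
   let smon = create () in
   F.mul smon kmon cmon;
-  (match b with None -> () | Some (_, b') -> F.mul smon b' smon);
   let s = create () in
   F.from_montgomery s smon;
   let s = to_be_cstruct s in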
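Review bot: The comment kept at new lines 470-473 still says "we blind, similar to OpenSSL" and gives the blinded formula, but the blinding it describes is exactly what this commit deletes (the `blind` helper and the three `F.mul` masking steps in the 501-513 hunk), so the comment now documents code that no longer exists. Shorten it to the unblinded relation, e.g. `(* literature: s = k^-1 * (m + r * priv_key) mod n *)`, and add one sentence saying why the mask was dropped, since neither the commit message nor the code states it — presumably the field arithmetic is relied on to be constant-time, but that cannot be confirmed from this diff. The body of `sign` continues past the end of both hunks.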
+5 -8
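--- a/ec/mirage_crypto_ec.mli
+++ b/ec/mirage_crypto_ec.mli
@@ -100,14 +100,11 @@
 
 (** {2 Cryptographic operations} *)
 
-val sign : ?mask:[ `No | `Yes | `Yes_with of Mirage_crypto_rng.g ] ->
-  key:priv -> ?k:Cstruct.t -> Cstruct.t -> Cstruct.t * Cstruct.t
-(** [sign ~mask ~key ~k digest] signs the message [digest] using the private
-    [key]. Only the leftmost bits within the curve order are considered. If
-    [mask] is provided, the computation is blinded to protect the private
-    key operation. If [k] is not provided, it is computed using the
-    deterministic construction from RFC 6979. The result is a pair of
-    [r] and [s]. *)
+val sign : key:priv -> ?k:Cstruct.t -> Cstruct.t -> Cstruct.t * Cstruct.t
+(** [sign ~key ~k digest] signs the message [digest] using the private
+    [key]. Only the leftmost bits within the curve order are considered.
+    If [k] is not provided, it is computed using the deterministic
+    construction from RFC 6979. The result is a pair of [r] and [s]. *)
 
 val verify : key:pub -> Cstruct.t * Cstruct.t -> Cstruct.t -> bool
 (** [verify ~key (r, s) digest] verifies the signature [r, s] on the message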
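Review bot: The new docstring at lines 104-107 removes the sentence about blinding "to protect the private key operation" without saying what, if anything, now stands in for it, so a caller reading only the interface loses the one statement it had about side-channel behaviour of `sign`. Once the property is confirmed, add a sentence stating whether the private-key computation is intended to be constant-time (or, if it is not, that the caller gets no such guarantee); this diff alone does not show which is the case. Removing the optional `?mask` argument is also a breaking change for callers that passed it, which is worth a changelog line if one is not already planned.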