openssl/crypto
James Muir a822a0cb3c Simpler square-root computation for Ed25519
Description:
Mark Wooden and Franck Rondepierre noted that the square-root-mod-p
operations used in the EdDSA RFC (RFC 8032) can be simplified.  For
Ed25519, instead of computing u*v^3 * (u * v^7)^((p-5)/8), we can
compute u * (u*v)^((p-5)/8).  This saves 3 multiplications and 2
squarings.  For more details (including a proof), see the following
message from the CFRG mailing list:

  https://mailarchive.ietf.org/arch/msg/cfrg/qlKpMBqxXZYmDpXXIx6LO3Oznv4/

Note that the Ed448 implementation (see
ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio() in
./crypto/ec/curve448/curve448.c) appears to already use this simpler
method (i.e. it does not follow the method suggested in RFC 8032).

Testing:
Build and then run the test suite:

  ./Configure -Werror --strict-warnings
  make update
  make
  make test

Numerical testing of the square-root computation can be done using the
following sage script:

  def legendre(x,p):
      return kronecker(x,p)

  # Ed25519
  p = 2**255-19
  # -1 is a square
  if legendre(-1,p)==1:
      print("-1 is a square")

  # suppose u/v is a square.
  # to compute one of its square roots, find x such that
  #    x**4 == (u/v)**2 .
  # this implies
  #    x**2 ==  u/v, or
  #    x**2 == -(u/v) ,
  # which implies either x or i*x is a square-root of u/v (where i is a square root of -1).
  # we can take x equal to u * (u*v)**((p-5)/8).

  # 2 is a generator
  # this can be checked by factoring p-1
  # and then showing 2**((p-1)/q) != 1 (mod p)
  # for all primes q dividing p-1.
  g = 2
  s = p>>2  # s = (p-1)/4
  i = power_mod(g, s, p)

  t = p>>3  # t = (p-5)/8
  COUNT = 1<<18
  while COUNT > 0:
      COUNT -= 1

      r = randint(0,p-1)   # r = u/v
      v = randint(1,p-1)
      u = mod(r*v,p)

      # compute x = u * (u*v)**((p-5)/8)
      w = mod(u*v,p)
      x = mod(u*power_mod(w, t, p), p)

      # check that x**2 == r, or (i*x)**2 == r, or r is not a square
      rr = power_mod(x, 2, p)
      if rr==r:
          continue

      rr = power_mod(mod(i*x,p), 2, p)
      if rr==r:
          continue

      if legendre(r,p) != 1:
          continue

      print("failure!")
      exit()

  print("passed!")

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17544)
2022-01-20 11:03:31 +01:00
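The following is an added example, not part of the OpenSSL commit or the Sage script above: it implements both square-root forms in plain Python (the RFC 8032 form and the simplified one from the commit message), runs them through Ed25519 point decompression, and shows the non-square case where both must reject. The function names are my own; the base point coordinates and the curve constant d are the standard Ed25519 values from RFC 8032.

```python
import random

# Added example (not the OpenSSL code): RFC 8032 vs. simplified sqrt(u/v) for Ed25519.
P = 2**255 - 19                          # Ed25519 field prime, p == 5 (mod 8)
D = (-121665 * pow(121666, -1, P)) % P   # curve constant d = -121665/121666 (RFC 8032)
SQRT_M1 = pow(2, (P - 1) // 4, P)        # i = 2^((p-1)/4), a square root of -1 (2 is a generator)
EXP = (P - 5) // 8                       # the exponent (p-5)/8 shared by both methods

# Ed25519 base point B = (BASE_X, 4/5), values from RFC 8032 section 5.1
BASE_X = 15112221349535400772501151409588531511454012693041857206046113283949847762202
BASE_Y = (4 * pow(5, -1, P)) % P


def _finish(u, v, x):
    """Shared tail: x is a candidate with v*x^2 == +-u when u/v is a square.
    Return a square root of u/v mod p, or None if u/v is not a square."""
    vxx = (v * x * x) % P
    if vxx == u % P:
        return x
    if vxx == (-u) % P:
        return (x * SQRT_M1) % P    # x^2 == -(u/v), so (i*x)^2 == u/v
    return None


def sqrt_ratio_rfc8032(u, v):
    """x = u * v^3 * (u * v^7)^((p-5)/8), the form written in RFC 8032."""
    v3 = (v * v * v) % P
    v7 = (v3 * v3 * v) % P
    x = (u * v3 * pow((u * v7) % P, EXP, P)) % P
    return _finish(u, v, x)


def sqrt_ratio_simple(u, v):
    """x = u * (u * v)^((p-5)/8), the simplified form from the commit message."""
    x = (u * pow((u * v) % P, EXP, P)) % P
    return _finish(u, v, x)


def fourth_power_check(u, v):
    """The property the Sage script relies on: for x = u*(uv)^((p-5)/8),
    x^4 == (u/v)^2, i.e. v^2 * x^4 == u^2 mod p. It holds exactly when u/v
    is a square; for a non-square ratio the right-hand side comes out as -u^2."""
    x = (u * pow((u * v) % P, EXP, P)) % P
    return (v * v * pow(x, 4, P)) % P == (u * u) % P


def decompress_x(y, sign_bit, sqrt_ratio):
    """Recover x from y as in RFC 8032 decoding: x^2 = (y^2 - 1) / (d*y^2 + 1)."""
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P
    x = sqrt_ratio(u, v)
    if x is None:
        return None                 # not a point on the curve
    if x == 0 and sign_bit == 1:
        return None                 # RFC 8032: x = 0 with sign bit set is invalid
    if (x & 1) != sign_bit:
        x = P - x                   # pick the root with the requested parity
    return x


def on_curve(x, y):
    """Twisted Edwards equation for Ed25519: -x^2 + y^2 == 1 + d*x^2*y^2."""
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def methods_agree(trials=200, seed=1):
    """Reproducible version of the Sage loop: both methods return None for a
    non-square ratio, or both return a root of u/v, equal up to sign."""
    rng = random.Random(seed)       # fixed seed so the check is repeatable
    for _ in range(trials):
        u = rng.randrange(P)
        v = rng.randrange(1, P)
        a, b = sqrt_ratio_rfc8032(u, v), sqrt_ratio_simple(u, v)
        if a is None or b is None:
            if a != b:
                return False
            continue
        if (v * a * a) % P != u or not (a == b or a == P - b):
            return False
    return True


if __name__ == "__main__":
    for name, fn in (("rfc8032", sqrt_ratio_rfc8032), ("simple", sqrt_ratio_simple)):
        x = decompress_x(BASE_Y, 0, fn)
        print(name, "recovers base point x:", x == BASE_X, "on curve:", on_curve(x, BASE_Y))
    print("2/1 rejected by both:", sqrt_ratio_rfc8032(2, 1) is None and sqrt_ratio_simple(2, 1) is None)
    print("random agreement:", methods_agree())
```

The two candidate values differ by a fourth root of unity (v^(3(p-1)/4)), so the roots the two methods hand back can differ in sign; decoding removes that difference by normalising to the encoded sign bit, which is why both calls recover the same base point x. The ratio 2/1 is a non-square because p == 5 (mod 8), so it is a convenient fixed input for the rejection path.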
aes Don't use __ARMEL__/__ARMEB__ in aarch64 assembly 2022-01-09 07:40:44 +01:00
aria fix some code with obvious wrong coding style 2021-10-28 13:10:46 +10:00
asn1 Fix malloc failure handling of X509_ALGOR_set0() 2022-01-14 18:47:20 +01:00
async Use USE_SWAPCONTEXT on IA64. 2022-01-04 12:14:19 +01:00
bf
bio crypto/bio: fix build on UEFI 2022-01-09 22:17:14 +11:00
bn bn_ppc.c: Fix build failure on AIX with XLC/XLCLANG 2022-01-17 18:16:26 +01:00
buffer Update copyright year 2021-06-17 13:24:59 +01:00
camellia Update copyright year 2021-07-29 15:41:35 +01:00
cast
chacha aarch64: support BTI and pointer authentication in assembly 2021-10-01 09:35:38 +02:00
cmac EVP_Cipher: fix the incomplete return check 2021-11-16 17:28:23 +01:00
cmp asn1/x_algor.c: add internal ossl_X509_ALGOR_from_nid() simplifying code 2022-01-07 10:42:44 +01:00
cms Fix malloc failure handling of X509_ALGOR_set0() 2022-01-14 18:47:20 +01:00
comp Fix coverity 1493364 & 1493375: unchecked return value 2021-11-08 08:55:32 +10:00
conf Fix copyright year issues 2022-01-06 09:27:02 +01:00
crmf Fix the return check of OBJ_obj2txt 2021-11-22 11:17:48 +01:00
ct Update copyright year 2021-06-17 13:24:59 +01:00
des Convert the weak key and key parity tests to be constant time. 2021-11-05 09:25:28 +10:00
dh Fix the return check of OBJ_obj2txt 2021-11-22 11:17:48 +01:00
dsa add checks for the return values of BN_new(), sk_RSA_PRIME_INFO_new_reserve(), 2021-10-27 08:36:55 +10:00
dso Fix data race setting default_DSO_meth 2021-11-08 08:58:38 +10:00
ec Simpler square-root computation for Ed25519 2022-01-20 11:03:31 +01:00
encode_decode Fix Decoder, Encoder and Store loader fetching 2022-01-12 10:55:15 +11:00
engine Avoid loading of a dynamic engine twice 2021-11-23 06:08:16 +01:00
err err: add additional errors 2022-01-12 20:10:21 +11:00
ess err: rename err_load_xxx_strings_int functions 2021-05-26 13:01:47 +10:00
evp Add context dup functions for digests and ciphers 2022-01-19 21:50:22 +11:00
ffc Do not call ossl_ffc_name_to_dh_named_group with NULL argument 2022-01-17 16:20:57 +01:00
hmac Adapt other parts of the source to the changed EVP_Q_digest() and EVP_Q_mac() 2021-06-23 23:00:36 +02:00
http HTTP client: Work around HTTPS proxy use bug due to callback design flaw 2022-01-04 15:05:32 +01:00
idea Update copyright year 2021-04-08 13:04:41 +01:00
kdf
lhash lhash: use lock when TSAN not available for statistics gathering 2022-01-13 21:46:34 +11:00
md2
md4
md5 Update copyright year 2021-07-29 15:41:35 +01:00
mdc2
modes Don't use __ARMEL__/__ARMEB__ in aarch64 assembly 2022-01-09 07:40:44 +01:00
objects object: use updated tsan lock detection capabilities 2022-01-13 21:46:34 +11:00
ocsp add OSSL_STACK_OF_X509_free() for commonly used pattern 2021-12-21 12:11:49 +01:00
pem Add and use HAS_PREFIX() and CHECK_AND_SKIP_PREFIX() for checking if string has literal prefix 2021-11-17 15:48:34 +01:00
perlasm perlasm/ppc-xlate.pl: Fix build on OS X 2021-11-18 13:24:17 +01:00
pkcs7 Fix malloc failure handling of X509_ALGOR_set0() 2022-01-14 18:47:20 +01:00
pkcs12 add OSSL_STACK_OF_X509_free() for commonly used pattern 2021-12-21 12:11:49 +01:00
poly1305 Don't use __ARMEL__/__ARMEB__ in aarch64 assembly 2022-01-09 07:40:44 +01:00
property property: reduce memory consumption when OPENSSL_SMALL_FOOTPRINT is defined. 2022-01-15 11:16:32 +11:00
rand Fix typos 2022-01-05 12:37:20 +01:00
rc2 Update copyright year 2021-05-06 13:03:23 +01:00
rc4
rc5
ripemd Drop libimplementations.a 2021-05-07 10:17:23 +02:00
rsa replace ;; with ; as statement separator 2022-01-18 15:10:38 +11:00
seed Update copyright year 2021-06-17 13:24:59 +01:00
sha sha/asm/keccak1600-ppc64.pl: Load data in 8 byte chunks on little endian 2021-11-11 10:58:46 +01:00
siphash
sm2 Add missing check according to SM2 Digital Signature generation algorithm 2021-11-02 12:02:56 +01:00
sm3 Fix sm3ss1 translation issue in sm3-armv8.pl 2022-01-20 12:50:20 +11:00
sm4 SM4 optimization for ARM by HW instruction 2022-01-18 11:52:14 +01:00
srp fix some code with obvious wrong coding style 2021-10-28 13:10:46 +10:00
stack Fix Coverity 1493746: constant expression result 2021-11-17 08:15:35 +10:00
store Fix Decoder, Encoder and Store loader fetching 2022-01-12 10:55:15 +11:00
ts add OSSL_STACK_OF_X509_free() for commonly used pattern 2021-12-21 12:11:49 +01:00
txt_db
ui close_console: Always unlock as the lock is always held 2022-01-03 10:57:39 +01:00
whrlpool A few cleanups of the provider build.infos 2021-05-12 13:23:33 +02:00
x509 replace ;; with ; as statement separator 2022-01-18 15:10:38 +11:00
alphacpuid.pl
arm64cpuid.pl SM4 optimization for ARM by HW instruction 2022-01-18 11:52:14 +01:00
arm_arch.h SM4 optimization for ARM by HW instruction 2022-01-18 11:52:14 +01:00
armcap.c SM4 optimization for ARM by HW instruction 2022-01-18 11:52:14 +01:00
armv4cpuid.pl
asn1_dsa.c Update copyright year 2021-04-08 13:04:41 +01:00
bsearch.c
build.info Statically link the legacy provider to endecode_test 2022-01-11 11:00:21 +00:00
c64xpluscpuid.pl
context.c Fix typos 2022-01-05 12:37:20 +01:00
core_algorithm.c CORE: add a provider argument to ossl_method_construct() 2021-10-27 12:41:10 +02:00
core_fetch.c CORE: Ensure that cached fetches can be done per provider 2021-10-27 12:41:15 +02:00
core_namemap.c core namemap: use updated tsan lock detection capabilities 2022-01-13 21:46:34 +11:00
cpt_err.c err: add additional errors 2022-01-12 20:10:21 +11:00
cpuid.c fix some code with obvious wrong coding style 2021-10-28 13:10:46 +10:00
cryptlib.c crypto: remove TODOs 2021-06-02 16:30:15 +10:00
ctype.c Use <> for #include openssl/xxx 2021-05-27 09:56:41 +10:00
cversion.c
der_writer.c
dllmain.c
ebcdic.c
ex_data.c Add the ability for ex_data to have a priority 2021-05-11 14:56:55 +01:00
getenv.c
ia64cpuid.S
info.c Add support for RNDRRS Provider 2021-12-16 12:38:09 +01:00
init.c Prevent recursive call of OPENSSL_INIT_LOAD_CONFIG 2021-08-05 09:21:00 +10:00
initthread.c Avoid a race in init_thread_stop() 2021-11-12 17:16:14 +00:00
LPdir_nyi.c
LPdir_unix.c fix some code with obvious wrong coding style 2021-10-28 13:10:46 +10:00
LPdir_vms.c
LPdir_win32.c
LPdir_win.c
LPdir_wince.c
mem_clr.c
mem_sec.c Update copyright year 2021-04-08 13:04:41 +01:00
mem.c mem: do not produce usage counts when tsan is unavailable. 2022-01-13 21:46:34 +11:00
mips_arch.h
o_dir.c
o_fopen.c
o_init.c
o_str.c Update copyright year 2021-04-08 13:04:41 +01:00
o_time.c
packet.c Update copyright year 2021-06-17 13:24:59 +01:00
param_build_set.c param build set: add errors to failure returns 2022-01-12 20:10:21 +11:00
param_build.c param build: add errors to failure returns 2022-01-12 20:10:21 +11:00
params_dup.c param dup: add errors to failure returns 2022-01-12 20:10:21 +11:00
params_from_text.c Allow sign extension in OSSL_PARAM_allocate_from_text() 2021-11-24 19:18:19 +01:00
params.c params: add error messages for built in param conversions 2022-01-12 20:10:21 +11:00
pariscid.pl
passphrase.c Compensate for UI method always adding NUL termination 2022-01-03 10:35:36 +01:00
ppccap.c Add support for BSD-ppc, BSD-ppc64 and BSD-ppc64le configurations 2021-12-09 16:07:14 +11:00
ppccpuid.pl
provider_child.c Stop receiving child callbacks in a child libctx when appropriate 2021-11-12 17:16:14 +00:00
provider_conf.c Refactor: a separate func for provider activation from config 2021-12-01 15:49:38 +01:00
provider_core.c ossl_provider_add_to_store: Avoid use-after-free 2021-12-17 17:33:49 +01:00
provider_local.h make struct provider_info_st a full type 2021-06-24 14:48:15 +01:00
provider_predefined.c make struct provider_info_st a full type 2021-06-24 14:48:15 +01:00
provider.c Correctly activate the provider in OSSL_PROVIDER_try_load 2021-11-12 17:16:14 +00:00
punycode.c Move more general parts of internal/cryptlib.h to new internal/common.h 2021-11-17 15:48:37 +01:00
README-sparse_array.md
s390x_arch.h Add default provider support for Keccak 224, 256, 384 and 512 2021-09-23 12:07:57 +10:00
s390xcap.c
s390xcpuid.pl
self_test_core.c Update copyright year 2021-05-20 14:22:33 +01:00
sparccpuid.S
sparcv9cap.c Split bignum code out of the sparcv9cap.c 2021-07-15 09:33:04 +02:00
sparse_array.c Update copyright year 2021-04-08 13:04:41 +01:00
threads_lib.c
threads_none.c Update copyright year 2021-04-08 13:04:41 +01:00
threads_pthread.c Defined out MUTEX attributes not available on NonStop SPT Threads. 2021-07-02 12:33:45 +10:00
threads_win.c Explicitly #include <synchapi.h> is unnecessary 2021-09-23 14:07:18 +02:00
trace.c trace.c: Add missing trace category entry 2022-01-05 09:57:39 +01:00
uid.c Openssl fails to compile on Debian with kfreebsd kernels 2021-09-02 10:02:32 +10:00
vms_rms.h
x86_64cpuid.pl Update copyright year 2021-04-08 13:04:41 +01:00
x86cpuid.pl