authorJ08nY2023-11-16 16:19:53 +0100
committerJ08nY2023-11-16 16:19:53 +0100
commit9b43fe0664ef8c5ba7fee8e9bd4a4fceac664b63 (patch)
tree7f3a8b5d2b67223bafd13c8f68c6c0689c6be924
parent67261d0235cd816bd51b0716fb4541579ea2dea8 (diff)
Add formulas from GECC.
-rw-r--r--docs/libraries.rst17
-rw-r--r--test/data/formulas/add-gecc-3223
-rw-r--r--test/data/formulas/add-gecc-322.op318
-rw-r--r--test/data/formulas/dbl-gecc-3214
-rw-r--r--test/data/formulas/dbl-gecc-321.op317
-rw-r--r--test/sca/test_structural.py14
6 files changed, 61 insertions, 12 deletions
diff --git a/docs/libraries.rst b/docs/libraries.rst
index fdddda4..9f48ed0 100644
--- a/docs/libraries.rst
+++ b/docs/libraries.rst
@@ -591,16 +591,8 @@ KeyGen:
- Ladder via ``kmethod.keygen -> ec_key_gen -> EC_POINT_mul -> method.mul_generator_ct -> ec_GFp_simple_mul_generator_ct -> ec_GFp_simple_mul_ct``.
Also does coordinate blinding and fixes scalar bit-length.
- Jacobian coordinates.
- - `add-1998-hnm <https://github.com/libressl/openbsd/blob/libressl-v3.8.2/src/lib/libcrypto/ec/ecp_smpl.c#L472>`__ likely, due to the division by 2.
-
-Dbl::
-
- n1 = 3 * X_a^2 + a_curve * Z_a^4
- Z_r = 2 * Y_a * Z_a
- n2 = 4 * X_a * Y_a^2
- X_r = n1^2 - 2 * n2
- n3 = 8 * Y_a^4
- Y_r = n1 * (n2 - X_r) - n3
+ - Unknown formulas: `add-libressl-v382 <https://github.com/J08nY/pyecsca/blob/master/test/data/formulas/add-libressl-v382.op3>`__,
+ `dbl-libressl-v382 <https://github.com/J08nY/pyecsca/blob/master/test/data/formulas/dbl-libressl-v382.op3>`__
Derive:
- Short-Weierstrass
@@ -884,7 +876,8 @@ KeyGen:
- Montgomery
- Montgomery ladder via ``-> ec_Curve25519_pt_mul -> ec_Curve25519_mul``.
- xz coords
- - Unknown ladder and double formula.
+ - Unknown formulas: `ladd-hacl-x25519 <https://github.com/J08nY/pyecsca/blob/master/test/data/formulas/ladd-hacl-x25519.op3>`__,
+ `dbl-hacl-x25519 <https://github.com/J08nY/pyecsca/blob/master/test/data/formulas/dbl-hacl-x25519.op3>`__
Derive:
- Same as KeyGen.
@@ -1047,7 +1040,7 @@ KeyGen:
- `Comb <https://github.com/Mbed-TLS/mbedtls/blob/v3.5.1/library/ecp.c#L2299>`__ via ``mbedtls_ecdh_gen_public -> ecdh_gen_public_restartable -> mbedtls_ecp_mul_restartable -> ecp_mul_restartable_internal -> ecp_mul_comb``.
w = 5 for curves < 384 bits, then w = 6.
- `Jacobian <https://github.com/Mbed-TLS/mbedtls/blob/v3.5.1/library/ecp.c#L1313>`__ coords with coordinate randomization.
- - `[GECC]_ algorithm 3.22 <https://github.com/Mbed-TLS/mbedtls/blob/v3.5.1/library/ecp.c#L1593>`__ `dbl-1998-cmo-2 <https://github.com/Mbed-TLS/mbedtls/blob/v3.5.1/library/ecp.c#L1496>`__. Also has alternative impl (``_ALT``).
+ - `add-gecc-322 [GECC]_ algorithm 3.22 <https://github.com/Mbed-TLS/mbedtls/blob/v3.5.1/library/ecp.c#L1593>`__, `dbl-1998-cmo-2 <https://github.com/Mbed-TLS/mbedtls/blob/v3.5.1/library/ecp.c#L1496>`__. Also has alternative impl (``_ALT``).
Derive:
- Short-Weierstrass
diff --git a/test/data/formulas/add-gecc-322 b/test/data/formulas/add-gecc-322
new file mode 100644
index 0000000..e174e1c
--- /dev/null
+++ b/test/data/formulas/add-gecc-322
@@ -0,0 +1,3 @@
+source GECC Algorithm 3.22
+coords jacobian-3
+assume Z2 = 1
diff --git a/test/data/formulas/add-gecc-322.op3 b/test/data/formulas/add-gecc-322.op3
new file mode 100644
index 0000000..731bcda
--- /dev/null
+++ b/test/data/formulas/add-gecc-322.op3
@@ -0,0 +1,18 @@
+T1 = Z1^2
+T2 = T1 * Z1
+T1 = T1 * X2
+T2 = T2 * Y2
+T1 = T1 - X1
+T2 = T2 - Y1
+Z3 = Z1 * T1
+T3 = T1^2
+T4 = T3 * T1
+T3 = T3 * X1
+T1 = 2 * T3
+X3 = T2^2
+X3 = X3 - T1
+X3 = X3 - T4
+T3 = T3 - X3
+T3 = T3 * T2
+T4 = T4 * Y1
+Y3 = T3 - T4
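Review bot: The listing has no counterpart to the `T1 = 0` check that GECC Algorithm 3.22 makes after `T1 = T1 - X1`, where the source either switches to doubling or returns the point at infinity. With P = ±Q the program carries on to `Z3 = Z1 * T1` and produces Z3 = 0, and for P = Q the result is the all-zero triple rather than 2P. The .op3 format appears to be straight-line only, so I would record the gap next to the entry in docs/libraries.rst, for example `add-gecc-322 omits the P = ±Q and infinity branches of Algorithm 3.22; callers must handle those inputs separately.` The cases added to test_formula_correctness presumably use generic points and would not exercise these inputs; the test body is outside the visible hunk.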
diff --git a/test/data/formulas/dbl-gecc-321 b/test/data/formulas/dbl-gecc-321
new file mode 100644
index 0000000..33c3b85
--- /dev/null
+++ b/test/data/formulas/dbl-gecc-321
@@ -0,0 +1,4 @@
+source GECC Algorithm 3.21
+parameter half
+assume half = 1/2
+coords jacobian-3
diff --git a/test/data/formulas/dbl-gecc-321.op3 b/test/data/formulas/dbl-gecc-321.op3
new file mode 100644
index 0000000..b9e7697
--- /dev/null
+++ b/test/data/formulas/dbl-gecc-321.op3
@@ -0,0 +1,17 @@
+T1 = Z1^2
+T2 = X1 - T1
+T1 = X1 + T1
+T2 = T2 * T1
+T2 = 3 * T2
+Y3 = 2 * Y1
+Z3 = Y3 * Z1
+Y3 = Y3^2
+T3 = Y3 * X1
+Y3 = Y3^2
+Y3 = Y3 * half
+X3 = T2^2
+T1 = 2 * T3
+X3 = X3 - T1
+T1 = T3 - X3
+T1 = T1 * T2
+Y3 = T1 - Y3
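Review bot: `Y3 = Y3 * half` models the halving step of Algorithm 3.21 as a field multiplication by the constant declared in the metadata (`assume half = 1/2`), which is arithmetically correct but not necessarily how an implementation performs it. Code that follows GECC commonly halves with a conditional addition of p and a shift, so operation counts or intermediate values derived from this formula may not line up with such a target. A sentence in docs/libraries.rst would make the modelling choice visible, for example `dbl-gecc-321 represents the division by 2 as a multiplication by the precomputed parameter half.`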
diff --git a/test/sca/test_structural.py b/test/sca/test_structural.py
index 83a568c..bf93a20 100644
--- a/test/sca/test_structural.py
+++ b/test/sca/test_structural.py
@@ -210,6 +210,20 @@ def test_formula_similarity(secp128r1):
("other", "Curve25519"),
LadderEFDFormula,
],
+ [
+ "add-gecc-322",
+ ShortWeierstrassModel,
+ "jacobian-3",
+ ("secg", "secp256r1"),
+ AdditionEFDFormula,
+ ],
+ [
+ "dbl-gecc-321",
+ ShortWeierstrassModel,
+ "jacobian-3",
+ ("secg", "secp256r1"),
+ DoublingEFDFormula,
+ ],
],
)
def test_formula_correctness(name, model, coords, param_spec, formula_type):