Enhance ecp and pk module
#344
Conversation
Taowyoo
force-pushed
the
yx/enhance_ecp
branch
from
bfc61d9 to
77909e5
Compare
- Add a function to access `Z` field of `EcPoint`. - Add a newer version of `EcPoint::mul` with RNG for blinding. - Also marked old version one as deprecated. - Add a newer version of `Pk::private_from_ec_components` with RNG for blinding. - Also marked old version one as deprecated. - Update tests to use above new functions. - Add a function for performing const time comparison of `EcPoint`.
Taowyoo
force-pushed
the
yx/enhance_ecp
branch
from
77909e5 to
c7a596b
Compare
Taowyoo
force-pushed
the
yx/enhance_ecp
branch
from
07e92f3 to
afeb644
Compare
mbedtls/benches/ecp_eq_test.rs
Outdated
There was a problem hiding this comment.
Are these benches conclusive?
There was a problem hiding this comment.
I am confused. How to determine they are conclusive or not?
| @@ -309,6 +309,10 @@ impl EcPoint { | |||
| Mpi::copy(&self.inner.Y) | |||
| } | |||
|
|
|||
| pub fn z(&self) -> Result<Mpi> { | |||
There was a problem hiding this comment.
Why do we want to expose z? Use of Jacobian coordinates is normally internal for efficiency, and APIs should speak Cartesian
There was a problem hiding this comment.
MbedTLS uses Z as an internal value and it ensures that every function accepts/returns Z=0 (infinity point) or Z=1. But we should not expose this function at all.
| /// | ||
| /// This function will return an error if: | ||
| /// | ||
| /// * `k` is not a valid private key, or `self` is not a valid public key. |
There was a problem hiding this comment.
There is no notion of "private key" or "public key", just scalars and elliptic curve points. Also, documentation should be a bit more precise (what is "invalid"?)
| @@ -379,6 +433,16 @@ impl EcPoint { | |||
| } | |||
| } | |||
|
|
|||
| /// This function compares two points in const time. | |||
| pub fn eq_const_time(&self, other: &EcPoint) -> bool { | |||
There was a problem hiding this comment.
Can you confirm this is really constant time?
There was a problem hiding this comment.
I addedbench for ensure fn eq_const_time works, see mbedtls/benches/ecp_eq_test.rs.
Is the result in the PR description enough?
There was a problem hiding this comment.
You could checkout the result from GitHub Action: https://github.com/fortanix/rust-mbedtls/actions/runs/7823284568/job/21343954890
There was a problem hiding this comment.
are these conclusive? Timing difference can be as few as some cycles. Instead, it would be preferable to reference MbedTLS C demonstrating constant-time implementation
| /// * Fails to genearte `EcPoint` from given EcGroup in `curve`. | ||
| /// * The underlying C `mbedtls_pk_setup` function fails to set up the `Pk` context. | ||
| /// * The `EcPoint::mul` function fails to generate the public key point. | ||
| pub fn private_from_ec_components_with_rng<F: Random>(mut curve: EcGroup, private_key: Mpi, rng: &mut F) -> Result<Pk> { |
There was a problem hiding this comment.
Should be called private_from_ec_scalar_with_rng .
There was a problem hiding this comment.
Ok I will create another PR for update these
What's New
Add functionalities for
EcPointandPk:Zfield ofEcPoint.EcPoint::mulwith RNG for blinding.Pk::private_from_ec_componentswith RNG for blinding.EcPoint.Test
fn eq_const_timefn eq_const_timeworks, see mbedtls/benches/ecp_eq_test.rs: