Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rfc6979: add K-163 test vector; fix nonaligned use #781

Merged
merged 1 commit into from
Jan 17, 2024
Merged

rfc6979: add K-163 test vector; fix nonaligned use #781

merged 1 commit into from
Jan 17, 2024

Conversation

tarcieri
Copy link
Member

@tarcieri tarcieri commented Jan 17, 2024
edited
Loading

RFC6979 Appendix A.1. provides a "Detailed Example" which exercises several edge cases in the protocol:

  • bits2int for an input which is not byte-aligned
  • Rejecting inputs which exceed the modulus

This PR adds what was missing from the previous implementation which assumed inputs were always aligned to the size of the digest output: a constant-time right shift by the number of bits by which the modulus is smaller than a byte-aligned value.

@tarcieri
Copy link
Member Author

The first HMAC-DRBG output appears correct (albeit truncated to the byte size of the modulus):

0x9305a46de7ff8eb107194debd3fd48aa20d5e7656c

However, RFC6979 suggests the correct candidate value is this:

k1 = 0x4982D236F3FFC758838CA6F5E9FEA455106AF3B2B

The problem is that our candidate value is 168-bits, and our modulus is 163-bits. So, we need to add a right shift with the difference:

>> hex(0x9305a46de7ff8eb107194debd3fd48aa20d5e7656c >> 5)
0x4982d236f3ffc758838ca6f5e9fea455106af3b2b

...so we need our implementation to count the bit length of the modulus first, then perform a right shift if necessary.

@tarcieri tarcieri mentioned this pull request Jan 17, 2024
Merged
@tarcieri
rfc6979: add K-163 test vector; fix nonaligned use
c021851 
RFC6979 Appendix A.1. provides a "Detailed Example" which exercises
several edge cases in the protocol:

- `bits2int` for an input which is not byte-aligned
- Rejecting inputs which exceed the modulus

This commit adds what was missing from the previous implementation which
assumed inputs were always aligned to the size of the digest output: a
constant-time right shift by the number of bits by which the modulus is
smaller than a byte-aligned value.
@tarcieri tarcieri changed the title [WIP] rfc6979: add K-163 test vector rfc6979: add K-163 test vector; fix nonaligned use Jan 17, 2024
@tarcieri tarcieri marked this pull request as ready for review January 17, 2024 04:24
@tarcieri tarcieri merged commit f6426cf into master Jan 17, 2024
14 checks passed
@tarcieri tarcieri deleted the rfc6979/K-163-test-vector branch January 17, 2024 04:25
tarcieri added a commit that referenced this pull request Jan 17, 2024
@tarcieri
rfc6979: add P-521 + SHA-512 test vectors
605fdd3 
These now work after #781
tarcieri added a commit that referenced this pull request Jan 17, 2024
@tarcieri
rfc6979: add P-521 + SHA-512 test vectors (#775)
55e4450 
These now work after #781
This was referenced Jan 17, 2024
Merged
Closed
Closed
@tarcieri tarcieri mentioned this pull request Jul 26, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tarcieri