Main reference: FIPS 186-5
Introduction
ECDSA: Elliptic Curve Digital Signature Algorithm.
DSA and ECDSA are U.S. federal standards for digital signatures, specified in FIPS PUB 186.
Their security relies on the discrete logarithm problem in a prime finite field (the original DSA, now deprecated) or in an elliptic curve field (ECDSA, faster and with smaller keys, to be used in new applications).
Another important related document is SP 800-186:
- Specifications for the generation of the domain parameters used during the generation and verification of digital signatures
- NIST-recommended curves for ECDSA
A cryptographic device may leak critical information through side-channel analysis or attacks that allow internal data or keying material to be extracted without breaking the cryptographic primitives.
It is also important to verify the correctness of group arithmetic computations for ECC implementations.
These types of attacks may be of particular concern for hardware implementations of deterministic signature schemes, as well as embedded or IoT devices and smartcards.
6.1 ECDSA Domain Parameters
Domain parameters for ECDSA and deterministic ECDSA:
- q, the size of the underlying field (a prime p for prime-field curves, 2^m for binary curves); note that q is not the number of points on the curve, which is h*n
- FR, an indication of the basis used (the field representation)
- h, the cofactor (the order of the curve divided by n)
- n, the (prime) order of the base point G
- Type, usually a Weierstrass curve; the other curve models are described in SP 800-186
- a, b, the coefficients of the curve equation y^2 = x^3 + ax + b
- G = (x_G, y_G), the base point (generator)
- {domain_parameter_seed}, an optional bit string
6.1.1 Domain Parameter Generation
4 ranges for the bit length of n:
- 224 - 255
- 256 - 383
- 384 - 511
- >= 512
The corresponding security strength is len(n)/2 (for example 112 bits for P-224, 128 for P-256, 192 for P-384 and 256 for P-521).
The hash function used should have a security strength at least that of n, because the strength of the signature is the minimum of the two; SHA-256 with P-256, for instance, keeps both at 128 bits.
NIST-recommended curves for ECDSA are provided in SP 800-186, Recommendations for
Discrete Logarithm-Based Cryptography: Elliptic Curve Domain Parameters.
Specified Curves | Allowed Usage |
---|---|
K-233, B-233, K-283, B-283, K-409, B-409, K-571, B-571 | Deprecated |
P-224, P-256, P-384, P-521 | ECDSA, EC key establishment (see SP 800-56A) |
Edwards25519, Edwards448 | EdDSA |
Curve25519, W-25519, Curve448, E448, W-448 | Alternative representations included for implementation flexibility; not to be used for ECDSA or EdDSA directly |
6.2 Private/Public Keys
An ECDSA or deterministic ECDSA key pair consists of
- a private key d
- a public key Q
6.2.1 Key Pair Generation
A digital signature key pair (d, Q), with Q = dG, is generated for a given set of domain parameters; see Appendix A.2 for the procedure.
6.3 ECDSA Per-Message Secret Number Generation
A new secret random number k, 0 < k < n, shall be generated prior to the generation of each digital signature for use during the signature generation process.
The secret number k may be generated either randomly (see Section 6.3.1) or in a deterministic way (see Section 6.3.2).
k^-1, the inverse of k modulo n, with 0 < k^-1 < n
This inverse k^-1 is required for the signature generation process. A technique for deriving k^-1 mod n from k is provided in Appendix B.1.
For ECDSA, k and k^-1 may be computed ahead of time (before the message is known), but only when k is generated randomly; a deterministic k depends on the message. With MIRACL the inverse is a single call:
xgcd(x, p, x, x, x); /* x = 1/x mod p (p is prime) */
Note that an extended-GCD inverse of this kind branches on the value of k and is generally not constant-time; where timing can be observed, compute k^-1 as k^(n-2) mod n (Fermat, since n is prime) or with another constant-time method, so that k, and through it d, does not leak.
6.3.1 Generation of Per-Message Secret Number for ECDSA
See Appendix A.3.1 and A.3.2 (generation using extra random bits, and by testing candidates; the counterparts of A.2.1 and A.2.2 for key pairs).
6.3.2 Generation of the Per-Message Secret Number for Deterministic ECDSA
Deterministic ECDSA (Section 6.3.2) is a variant of ECDSA, where a per-message secret number is a function of the message that is signed, thereby resulting in a deterministic mapping of messages to signatures.
This protects against attacks arising from generating signatures with insufficient randomness in the per-message secret number that would reveal a private key.
The use of deterministic ECDSA may be desirable for devices that do not have a good source of quality random numbers.
See Appendix A.3.3.
Here the per-message secret is produced with HMAC_DRBG (SP 800-90A), seeded with the private key and the hash of the message. The hash function used inside the DRBG shall be the same one used to hash the message; RFC 6979 Section 3.2 specifies the same construction. Checking the output against the RFC 6979 Appendix A.2 test vectors (for example P-256 with SHA-256) is the quickest way to validate an implementation.

```python
import hmac
import hashlib


def deterministic_k(d: int, hmsg: bytes, n: int, hashfn=hashlib.sha256) -> int:
    """HMAC_DRBG-based per-message secret (FIPS 186-5 A.3.3 / RFC 6979 3.2).
    d: private key in [1, n-1]; hmsg: Hash(M), computed with the same hashfn;
    n: the order of G.  Returns k in [1, n-1]."""
    qlen = n.bit_length()
    rlen = (qlen + 7) // 8                       # octet length of n
    hlen = hashfn().digest_size

    def bits2int(b: bytes) -> int:               # leftmost qlen bits as an integer
        x = int.from_bytes(b, "big")
        return x >> (len(b) * 8 - qlen) if len(b) * 8 > qlen else x

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashfn).digest()

    # seed = int2octets(d) || bits2octets(H); H is reduced mod n first (RFC 6979 2.3.4)
    seed = d.to_bytes(rlen, "big") + (bits2int(hmsg) % n).to_bytes(rlen, "big")
    key = b"\x00" * hlen                         # K = 0x00..00 (hlen bytes, not 8)
    v = b"\x01" * hlen                           # V = 0x01..01
    key = mac(key, v + b"\x00" + seed)
    v = mac(key, v)
    key = mac(key, v + b"\x01" + seed)
    v = mac(key, v)
    while True:
        temp = b""
        while len(temp) < rlen:                  # collect at least qlen bits
            v = mac(key, v)
            temp += v
        k = bits2int(temp)
        if 0 < k < n:
            return k                             # the per-message secret number
        # candidate out of range: update K and V and try again (the same update
        # is applied when signing with this k yields r = 0 or s = 0)
        key = mac(key, v + b"\x00")
        v = mac(key, v)
```
6.4 ECDSA Digital Signature Generation and Verification
Prerequisites
- Domain parameters (Section 6.1.1)
- A key pair (Section 6.2.1)
- A per-message secret number k (Section 6.3)
- An approved hash function or XOF (extendable-output function), e.g. SHAKE128 and SHAKE256, which are specified in FIPS 202
- An approved random bit generator (not needed for deterministic ECDSA)
6.4.1 ECDSA Signature Generation Algorithm
```python
def sign(m: bytes, d: int, hashfn, n: int, G, point_mult, next_k):
    """FIPS 186-5 Section 6.4.1.
    m: message; d: private key in [1, n-1]; hashfn(m) -> bytes (approved hash or XOF);
    n, G: domain parameters; point_mult(k, P) -> (x, y) (MIRACL: ecurve_mult + epoint_get);
    next_k() -> per-message secret in [1, n-1] (Section 6.3): a fresh random value,
    or the next HMAC_DRBG candidate for deterministic ECDSA."""
    # step 1
    hMsg = hashfn(m)
    # step 2: e = the leftmost min(len(n), len(H)) bits of H, as an integer
    N = n.bit_length()
    e = int.from_bytes(hMsg, "big")
    if len(hMsg) * 8 > N:
        e >>= len(hMsg) * 8 - N
    while True:
        # step 3 (k and k^-1 may be pre-computed only when k is generated randomly)
        k = next_k()                        # 0 < k < n
        # step 4
        k_inv = pow(k, -1, n)
        # steps 5-6: R = kG = (x_R, y_R)
        xr, yr = point_mult(k, G)
        # step 7: SP 800-186 Appendix F.1, field element -> integer
        r1 = xr
        # step 8
        r = r1 % n
        # step 9
        s = k_inv * (e + r * d) % n
        # if r = 0 or s = 0 a new k shall be generated and the signature recomputed
        # (extremely unlikely); this holds for deterministic ECDSA too, where the next
        # candidate comes from the HMAC_DRBG update (A.3.3 / RFC 6979 3.2 step h.3)
        if r != 0 and s != 0:
            break
    del k, k_inv                            # k is as sensitive as d: destroy it
    return (r, s)
```
Derivation (why verification recovers R): with u = e*s^-1 and v = r*s^-1 (mod n),
uG + vQ = (e/s)G + (r/s)dG = ((e + rd)/s)G = kG, because s = (e + rd)/k (mod n),
so the x-coordinate of uG + vQ, reduced mod n, is exactly r.
Example code: https://github.com/miracl/MIRACL/blob/master/source/ecsign.c
6.4.2 ECDSA Signature Verification Algorithm
```python
def verify(m: bytes, hashfn, sig: tuple, Q, n: int, G, point_mult, point_add):
    """FIPS 186-5 Section 6.4.2.
    m: message; hashfn(m) -> bytes (the hash or XOF used by the signer);
    sig = (r, s); Q: public key dG; n, G: domain parameters;
    point_mult(k, P) -> point and point_add(P1, P2) -> point, with None for the
    point at infinity (MIRACL: ecurve_mult, ecurve_add, epoint_get).
    Q must be validated before use: on the curve, not the point at infinity and,
    for curves with h > 1, nQ = O (SP 800-56A public-key validation)."""
    # step 1: r and s must both lie in [1, n-1]
    (r, s) = sig
    if not (0 < r < n and 0 < s < n):
        return False
    # step 2
    hMsg = hashfn(m)
    # step 3: e = the leftmost min(len(n), len(H)) bits of H, as an integer
    N = n.bit_length()
    e = int.from_bytes(hMsg, "big")
    if len(hMsg) * 8 > N:
        e >>= len(hMsg) * 8 - N
    # step 4
    s_inv = pow(s, -1, n)
    # step 5
    u = e * s_inv % n
    v = r * s_inv % n
    # step 6: R1 = uG + vQ; reject the point at infinity
    R1 = point_add(point_mult(u, G), point_mult(v, Q))
    if R1 is None:
        return False
    # step 7
    xr, yr = R1
    # step 8: SP 800-186 Appendix F.1, field element -> integer
    r1 = xr
    # step 9
    return r == r1 % n
```
Example code: https://github.com/miracl/MIRACL/blob/master/source/ecsver.c
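A complete, runnable instance of Sections 6.4.1 and 6.4.2 over NIST P-256, added here as an example (it is not code from FIPS 186-5, MIRACL or the CryptoImp repository): affine point arithmetic in pure Python, `sign` with the per-message secret k passed in by the caller (so either a random k or the deterministic k of Section 6.3.2 can be supplied), `verify` with public-key validation in front of step 1, and `recover_d_from_reused_k`, which shows the failure that Section 6.3.2 exists to rule out: two signatures that share k share r, and from them the private key follows with four modular operations. The curve constants are those of SP 800-186; the function names are mine. Python-int arithmetic branches on secret data and is not constant-time, so this is for understanding and cross-checking (for instance against the RFC 6979 Appendix A.2.5 P-256 vectors), not for signing real keys.

```python
# Added example, not code from FIPS 186-5, MIRACL or CryptoImp: ECDSA over NIST
# P-256 in pure Python following Sections 6.4.1 / 6.4.2, plus recovery of the
# private key from two signatures that reused k (Section 6.3.2). Affine
# arithmetic on Python ints: correct but not constant-time.
import hashlib
import secrets

# NIST P-256 domain parameters (SP 800-186): prime p, a = -3, b, order n of G, base point G
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # the point at infinity O


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + Ax + B over GF(P), covering O and doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:            # p2 == -p1
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Left-to-right double-and-add; branches on the bits of k (not constant-time)."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = point_add(acc, acc)
        if bit == "1":
            acc = point_add(acc, pt)
    return acc


def is_valid_public_key(q):
    """Public-key validation for P-256 (cofactor 1): in range, on the curve, not O."""
    if q is INF:
        return False
    x, y = q
    return 0 <= x < P and 0 <= y < P and (y * y - (x ** 3 + A * x + B)) % P == 0


def bits2int(h):
    """6.4.1 step 2: the leftmost min(len(n), len(H)) bits of H as an integer."""
    e = int.from_bytes(h, "big")
    extra = len(h) * 8 - N.bit_length()
    return e >> extra if extra > 0 else e


def sign(d, msg, k, hashfn=hashlib.sha256):
    """6.4.1 steps 1-9.  k is supplied by the caller: secrets.randbelow(N - 1) + 1
    for random ECDSA, or the HMAC_DRBG value of Section 6.3.2 for deterministic ECDSA."""
    if not (0 < d < N and 0 < k < N):
        raise ValueError("d and k must lie in [1, n-1]")
    e = bits2int(hashfn(msg).digest())
    r = scalar_mult(k, G)[0] % N                     # steps 5-8: x-coordinate of kG, mod n
    s = pow(k, -1, N) * (e + r * d) % N              # step 9
    if r == 0 or s == 0:
        raise ValueError("r or s is zero: generate a new k and sign again")
    return (r, s)


def verify(q, msg, sig, hashfn=hashlib.sha256):
    """6.4.2 steps 1-9, preceded by validation of the public key Q."""
    r, s = sig
    if not (0 < r < N and 0 < s < N) or not is_valid_public_key(q):
        return False
    e = bits2int(hashfn(msg).digest())
    w = pow(s, -1, N)
    r1 = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, q))   # uG + vQ
    return r1 is not INF and r == r1[0] % N


def recover_d_from_reused_k(msg1, sig1, msg2, sig2, hashfn=hashlib.sha256):
    """Signatures made with the same k share r.  s1 - s2 = k^-1 (e1 - e2) mod n
    gives k, and s1 = k^-1 (e1 + r d) then gives d = (s1 k - e1) / r mod n."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r: k was not reused")
    e1, e2 = bits2int(hashfn(msg1).digest()), bits2int(hashfn(msg2).digest())
    k = (e1 - e2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - e1) * pow(r1, -1, N) % N


if __name__ == "__main__":
    d = secrets.randbelow(N - 1) + 1                 # toy key generation; see Appendix A.2.1
    q = scalar_mult(d, G)
    k = secrets.randbelow(N - 1) + 1
    sig1, sig2 = sign(d, b"first message", k), sign(d, b"second message", k)
    print("verify:", verify(q, b"first message", sig1), verify(q, b"tampered", sig1))
    print("k reused, d recovered:", recover_d_from_reused_k(b"first message", sig1, b"second message", sig2) == d)
```

The reuse recovery is the concrete reason behind Section 6.3's "a new secret random number k shall be generated prior to each signature": the same algebra also works when k is merely predictable or partially known, which is why deterministic ECDSA derives k from both d and the message rather than from the message alone.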
APPENDIX A: Key Pair Generation
A.2.1 ECDSA Key Pair Generation using Extra Random Bits
The bit length of n must meet the security-strength requirements of Section 6.1.1.
The length of the random bit string used to generate the private key is as follows:
Prime P | Minimum output-size l (Required) | Minimum output-size l (Recommended) |
---|---|---|
p224 | 224 | 224 |
p256 | 288 | 352 |
p384 | 384 | 384 |
p521 | 521 | 521 |
p255 | 252 | 252 |
p448 | 446 | 446 |
```python
import secrets


def eckeygen(n: int, rbg=secrets.randbits) -> int:
    """FIPS 186-5 A.2.1: private key from N + 64 random bits, where N = len(n).
    n: the order of the base point G (domain parameter, Section 6.1.1);
    rbg(bits): an approved RBG with security strength at least len(n)/2
    (MIRACL: irand(seed) followed by bigrand, as in ecsgen.c)."""
    N = n.bit_length()
    if N < 224:                          # invalid bit length (Section 6.1.1)
        raise ValueError("len(n) must be at least 224 bits")
    c = rbg(N + 64)                      # returned_bits as an integer
    d = (c % (n - 1)) + 1                # d in [1, n-1]; the 64 extra bits make the bias negligible
    # The public key Q = d*G is then computed with the curve's point multiplication;
    # ecsgen.c also checks that n*G is the point at infinity before trusting G.
    return d
```
Example code: https://github.com/miracl/MIRACL/blob/master/source/ecsgen.c
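As an added example (not from FIPS 186-5 or the linked sources), the following computes exactly, without sampling, how far from uniform d = (c mod (n-1)) + 1 is when the random integer c has N bits versus the N + 64 bits that A.2.1 prescribes, for the P-256 order n (constant from SP 800-186; the function names are mine):

```python
# Added example (not from FIPS 186-5): exact bias of d = (c mod (n-1)) + 1 when
# the random integer c has N bits versus the N + 64 bits of Appendix A.2.1.
from fractions import Fraction

# order n of the P-256 base point (SP 800-186)
N_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def reduction_bias(bits: int, m: int):
    """c uniform on [0, 2^bits), v = c mod m.  The residues below 2^bits mod m have
    ceil(2^bits/m) preimages, every other residue floor(2^bits/m).  Returns
    (number of over-represented residues, their relative excess probability over 1/m)."""
    total = 1 << bits
    over = total % m                                    # residues with one extra preimage
    excess = Fraction(-(-total // m) * m, total) - 1    # P[v] * m - 1 for such a v
    return over, excess


def private_key_from_bits(c: int, n: int) -> int:
    """A.2.1: d = (c mod (n-1)) + 1, always in [1, n-1]."""
    return (c % (n - 1)) + 1


if __name__ == "__main__":
    N = N_P256.bit_length()
    for extra in (0, 64):
        over, excess = reduction_bias(N + extra, N_P256 - 1)
        print(f"{N + extra} random bits: a {over.bit_length()}-bit block of private keys is "
              f"{float(excess):.2e} (relative) more likely than uniform")
```

With exactly 256 bits the roughly 2^224 smallest private keys are twice as likely as all the others (a relative excess of about 1.0); with 320 bits the excess of any value is below 2^-64, which is the point of the extra 64 bits.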
Implementation
https://github.com/C0deStarr/CryptoImp/tree/main/pubkey/ecc
- ecdsa.c
- ecdsa.h
References
FIPS 186-5, Digital Signature Standard (DSS) | CSRC (nist.gov)
SP 800-186, Discrete Logarithm-Based Crypto: Elliptic Curve Parameters | CSRC (nist.gov)
Digital Signature Algorithm (DSA and ECDSA) — PyCryptodome 3.17.0 documentation
Elliptic Curve Cryptography: a gentle introduction - Andrea Corbellini
SP 800-57 Part 1 Rev. 5, Recommendation for Key Management: Part 1 – General | CSRC (nist.gov)
SP 800-90A Rev. 1, Random Number Generation Using Deterministic RBGs | CSRC