ECDSA: blind signing operation

hannesm · hannesm · commit 94467d8d8afc · 2021-02-11T16:30:45.000+01:00
diff --git a/ec/ecdsa.ml b/ec/ecdsa.ml
@@ -82,7 +82,36 @@ let generate ~rng =
   let q = Scalar_mult.scalar_mult d Point.params_g in
   (d, q)
 
-let sign ~key ?k msg =
+let blind mask =
+  let rec rng g =
+    let r = Mirage_crypto_rng.generate ?g 32 in
+    if not_zero r && smaller_n r then begin
+      let ba = Cstruct.to_bigarray (Cstruct.rev r) in
+      to_montgomery ba ba;
+      ba
+    end else
+      rng g
+  in
+  let a =
+    match mask with
+    | `No ->
+      let o = create () in
+      one o;
+      o
+    | `Yes -> rng None
+    | `Yes_with g -> rng (Some g)
+  in
+  let b = create () in
+  inv b a;
+  to_montgomery b b;
+  a, b
+
+let sign ?(mask = `Yes) ~key ?k msg =
+  (* blinding: literature: s = k^-1 * (m + r * priv_key) mod n
+     we blind, similar to OpenSSL (https://github.com/openssl/openssl/commit/a3e9d5aa980f238805970f420adf5e903d35bf09):
+     s = k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod n
+  *)
+  let b, b' = blind mask in
   let msg = padded msg in
   let e = Cstruct.to_bigarray (Cstruct.rev msg) in
   let g = K_gen_sha256.g ~key msg in
@@ -113,13 +142,17 @@ let sign ~key ?k msg =
       let rd = create () in
       let dmon = create () in
       to_montgomery dmon (Cstruct.to_bigarray (Scalar.to_cstruct key));
-      mul rd r_mon dmon;
+      let dmon' = create () in
+      mul dmon' b dmon;
+      mul rd r_mon dmon';
       let cmon = create () in
       let zmon = create () in
       to_montgomery zmon e;
+      mul zmon b zmon;
       add cmon zmon rd;
       let smon = create () in
       mul smon kmon cmon;
+      mul smon b' smon;
       let s = create () in
       from_montgomery s smon;
       let s = Cstruct.rev (Cstruct.of_bigarray s) in
diff --git a/ec/mirage_crypto_ec.mli b/ec/mirage_crypto_ec.mli
@@ -52,7 +52,8 @@ module Dsa : sig
 
   val generate : rng:(int -> Cstruct.t) -> priv * pub
 
-  val sign : key:priv -> ?k:Cstruct.t -> Cstruct.t -> Cstruct.t * Cstruct.t
+  val sign : ?mask:[ `No | `Yes | `Yes_with of Mirage_crypto_rng.g ] ->
+    key:priv -> ?k:Cstruct.t -> Cstruct.t -> Cstruct.t * Cstruct.t
 
   val pub_of_priv : priv -> pub
 
diff --git a/tests/dune b/tests/dune
@@ -52,7 +52,7 @@
 (test
  (name test_ec)
  (modules test_ec)
- (libraries alcotest mirage-crypto mirage-crypto-ec)
+ (libraries alcotest mirage-crypto mirage-crypto-ec mirage-crypto-rng.unix)
  (package mirage-crypto-ec))
 
 (test
diff --git a/tests/test_ec.ml b/tests/test_ec.ml
@@ -340,6 +340,7 @@ let ecdsa_rfc6979 =
   List.mapi (fun i c -> "RFC 6979 A.2.5 " ^ string_of_int i, `Quick, c) cases
 
 let () =
+  Mirage_crypto_rng_unix.initialize ();
   Alcotest.run "P256 EC"
     [
       ("Key exchange", key_exchange);

Original file line number	Diff line number	Diff line change
`@@ -340,6 +340,7 @@ let ecdsa_rfc6979 =`
`340`	`340`	List.mapi (fun i c -> "RFC 6979 A.2.5 " ^ string_of_int i, `Quick, c) cases
`341`	`341`
`342`	`342`	`let () =`
	`343`	`+ Mirage_crypto_rng_unix.initialize ();`
`343`	`344`	`Alcotest.run "P256 EC"`
`344`	`345`	`[`
`345`	`346`	`("Key exchange", key_exchange);`