Elliptic Curve Digital Signature Algorithm (ECDSA)
[ECC over binary field]

Elliptic Curve Digital Signature Algorithm (ECDSA). More...

Functions
C4eSysStatus	c4e_ecc2n_dsa_sign (C4eEcDomain C4E_RESTRICT dom, C4E_CONST C4eElement C4E_RESTRICT d, C4eHashId hid, C4E_CONST C4eArchUint8 C4E_RESTRICT digest, C4eArchDigit tmp[C4E_RESTRICT], C4eArchUint8 C4E_RESTRICT signature)
	ECDSA over $\mathbb{F}_{2^n}$ signature of a digest, according to ANSI X9.62 and FIPS 186-4, with binary encoded signature.
C4eSysStatus	c4e_ecc2n_dsa_verify (C4eEcDomain C4E_RESTRICT dom, C4E_CONST C4eEcPoint C4E_RESTRICT q, C4eHashId hid, C4E_CONST C4eArchUint8 C4E_RESTRICT digest, C4E_CONST C4eArchUint8 C4E_RESTRICT signature, C4eArchSize len, C4eArchDigit tmp[C4E_RESTRICT])
	ECDSA over $\mathbb{F}_{2^n}$ signature verification, according to ANSI X9.62 and FIPS 186-4, with binary encoded signature.

Detailed Description

Elliptic Curve Digital Signature Algorithm (ECDSA).

Function Documentation

C4eSysStatus c4e_ecc2n_dsa_sign	(	C4eEcDomain *C4E_RESTRICT	dom,
		C4E_CONST C4eElement *C4E_RESTRICT	d,
		C4eHashId	hid,
		C4E_CONST C4eArchUint8 *C4E_RESTRICT	digest,
		C4eArchDigit	tmp[C4E_RESTRICT],
		C4eArchUint8 *C4E_RESTRICT	signature
	)

ECDSA over $\mathbb{F}_{2^n}$ signature of a digest, according to ANSI X9.62 and FIPS 186-4, with binary encoded signature.

The Elliptic Curve Digital Signature Algorithm (ECDSA) is based on the following formulas for calculating the signature (r,s):

$\begin{align*} r &= kG \bmod q \\ s &= k^{-1}(z + xr) \bmod q \end{align*}$

with z the (partial) digest, G the base point, k the (random) one-time private key, d the private key and q the order of base point G in binary field $\mathbb{F}_{2^n}$ .

Note:: The first signature part r is also called one-time public key.; Because of the randomness of the one-time private key k each signature differs from another, also if private key d and digest are the same as in the previous one.

Attention:: The domain parameter dom->q is temporary modified - so it must be writable. After function return it holds the same values as at function entry.

Precondition:

The validity of the EC domain parameters in dom must be assured by the caller, either implicit or by using function c4e_ecc2n_domchk().

The validity of the private key d must be assured by the caller, either implicit or by using function c4e_ecc2n_keychk_prv().

The caller must provide the following digits space in array tmp[]:

for nearly all well-known elliptic curves (satisfying dom->q.val.size <= dom->m.val.size), by using macro C4E_ECC2N_TMP_NUM() in conjunction with temp. space qualifier C4E_ECC2N_DSA_TMPID_SIGN;

for special (very uncommon/rare) elliptic curves with dom->q.val.size > dom->m.val.size using the exact value:

                        8U * C4E_GF2N_INV_SPACE(dom->m.val.size) +
                        C4E_GFP_INV_SPACE(dom->q.val.size)

or worst-case:

                        8U * C4E_GF2N_INV_SPACE(dom->m.val.size) +
                        C4E_GFP_INV_SPACE(C4E_EC_FIELD_DIGITS_MAX(dom->m.val.size))

Recommendation: Simply use C4E_ECC2N_DSA_TMPID_SIGN, but test (as sanity check) the elliptic curve for:

                  dom->q.val.size <= dom->m.val.size

The Random Number Generator (RNG) must be initialized at user side, then installed via function c4e_rng_install().

Bibliography:: Digitale Signature Standard (DSS). FIPS Publication 186-4, National Institute of Standards and Technology, 2013.

Bibliography:: Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA). ANSI X9.62, 1998.

Bibliography:: Standard Specifications For Public-Key Cryptography. Std 1363-2000, IEEE, 2000.

Parameters:

`[in]`	dom	Pointer to EC domain parameters.
`[in]`	d	Pointer to private key `d` < `dom->q`.
`[in]`	hid	Hash algorithm identifier associated with `digest` and it's length.
`[in]`	digest	Digest calculated by the caller using a hash function.
	tmp	Array of temporary space elements (see preconditions for details on size).
`[out]`	signature	Signature buffer, with implicit length of (2U * `dom->q.len`) bytes. It is binary encoded according to IEEE Std 1363, annex E.3.1.

Returns:: Status

Return values:

	C4E_STATUS_OK	If the operation was successful.
	other	If the operation has failed.

See also:: c4e_ecc2n_dsa_verify(), c4e_ecc2n_keychk_prv(), c4e_ecc2n_domchk(), C4E_ECC2N_TMP_NUM(), C4E_EC_FIELD_DIGITS_MAX()

C4eSysStatus c4e_ecc2n_dsa_verify	(	C4eEcDomain *C4E_RESTRICT	dom,
		C4E_CONST C4eEcPoint *C4E_RESTRICT	q,
		C4eHashId	hid,
		C4E_CONST C4eArchUint8 *C4E_RESTRICT	digest,
		C4E_CONST C4eArchUint8 *C4E_RESTRICT	signature,
		C4eArchSize	len,
		C4eArchDigit	tmp[C4E_RESTRICT]
	)

ECDSA over $\mathbb{F}_{2^n}$ signature verification, according to ANSI X9.62 and FIPS 186-4, with binary encoded signature.

The Elliptic Curve Digital Signature Algorithm (ECDSA) is based on the following formulas for verification of the signature (r,s):

$\begin{align*} w &= s^{-1} \bmod q \\ u_1 &= z w \bmod q \\ u_2 &= r w \bmod q \\ v &= x(u_1 G + u_2 Q) \end{align*}$

with z the (partial) digest, G the generator, Q the public key and q the order of base point G in binary field $\mathbb{F}_{2^n}$ . The condition for a correct signature is: $ v = r $ .

Attention:: The domain parameter dom->q is temporary modified - so it must be writable. After function return it holds the same values as at function entry.