Dmitry Baryshkov dbaryshkov@gmail.com writes:
From: Dmitry Eremin-Solenikov dbaryshkov@gmail.com
Thanks for the update and explanation.
+/*
- Shared key derivation/key agreement for GOST DSA algorithm.
- It is defined in RFC 4357 Section 5.2 and RFC 7836 Section 4.3.1
- Basically shared key is equal to hash(cofactor * ukm * priv * pub). This
- function does multiplication. Caller should do hashing on his own.
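Review bot: the comment leaves out the two argument constraints that the function body enforces, namely `out_length == 2 * bsize` (with bsize derived from ecc_bit_size) and `ukm_length <= bsize`, so a caller reading only this header comment cannot size `out` or validate `ukm`. Suggest adding a sentence stating that `out` receives 2*bsize bytes and that `ukm` may be at most bsize bytes, and replacing "Caller should do hashing on his own" with "The caller hashes the result" for a neutral register.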
So this could be implemented as a (mod q) multiplication of scalars (there's no public API to do that) and an ecc_point_mul, at least as long as the cofactor is 1.
For the hashing, one could consider passing in a hashing context and a nettle_hash_update_func, instead of the {out, out_length} arguments.
+void +gostdsa_vko(const struct ecc_scalar *priv,
const struct ecc_point *pub,
size_t ukm_length, const uint8_t *ukm,
size_t out_length, uint8_t *out)
+{
- const struct ecc_curve *ecc = priv->ecc;
- unsigned bsize = (ecc_bit_size(ecc) + 7) / 8;
- mp_size_t size = ecc->p.size;
- mp_size_t itch = 4*size + ecc->mul_itch;
- mp_limb_t *scratch;
- if (itch < 5*size + ecc->h_to_a_itch)
itch = 5*size + ecc->h_to_a_itch;
- assert (pub->ecc == ecc);
- assert (priv->ecc == ecc);
- assert (out_length == 2 * bsize);
- assert (ukm_length <= bsize);
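Review bot: the `assert (out_length == 2 * bsize)` and `assert (ukm_length <= bsize)` checks at the end of the hunk are the only validation of caller-supplied sizes, and `assert` is compiled out under NDEBUG, so a release build given a short `out` buffer would write past it; either document both as hard preconditions in the public header or check them at runtime. The `ukm_length` check also lacks a lower bound: a zero-length ukm passes and makes the ukm factor of the product zero, so consider `assert (ukm_length > 0)` alongside the upper bound.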
So the caller must compute bsize (in the same way, from ecc_bit_size), to be able to call this function correctly. That makes the out_length argument a bit redundant.
Not quite sure what to do. If it is essential to get away from access to internal symbols, I could merge as is.
But longer term, I think it would be better if we could add needed primitives, e.g., mod q operations, so that applications can do things like this themselves, using more general primitives. Like there are no Nettle functions specifically for doing non-GOST ECC DH for TLS.
Regards, /Niels
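As an added illustration of the decomposition discussed in this reply (fold cofactor, ukm and priv into one scalar mod q, do a single point multiplication, leave hashing to the caller), the following Python is example code written for this page; it is neither Nettle's implementation nor the patch under review. Because the GOST curve parameters are not in the thread, it uses secp256k1 as a stand-in cofactor-1 curve, SHA-256 as a stand-in for the GOST hash, and it assumes the ukm is read as a little-endian integer and the point is output as big-endian x||y of 2*bsize bytes; the function names (`vko_point`, `vko_shared_key`, `keypair`) are made up for the example. It also validates the peer's public point, which the visible patch does not.

```python
import hashlib

# Stand-in curve: secp256k1 (prime order q, cofactor h = 1). Assumption: the
# GOST curve parameters are not on the page, so a well-known cofactor-1 curve
# is used; the VKO arithmetic is the same for any prime-order curve.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0
B = 7
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
H = 1
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Same size rule as the patch: bsize = (ecc_bit_size + 7) / 8.
BSIZE = (P.bit_length() + 7) // 8


def on_curve(pt):
    """True if pt is a finite point with y^2 = x^3 + A*x + B (mod P)."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - A * x - B) % P == 0


def point_add(p1, p2):
    """Affine group law; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def vko_point(priv, pub, ukm):
    """Multiplication step of VKO: h * ukm * priv * pub.

    The scalar product is reduced mod q first, leaving one point
    multiplication. Assumption: ukm is interpreted as a little-endian integer.
    """
    if not 1 <= priv < Q:
        raise ValueError("private scalar out of range")
    if not on_curve(pub):
        raise ValueError("peer public key is not a point on the curve")
    if not 1 <= len(ukm) <= BSIZE:      # patch only checks ukm_length <= bsize
        raise ValueError("ukm length out of range")
    scalar = (H * int.from_bytes(ukm, "little") * priv) % Q
    if scalar == 0:
        raise ValueError("h * ukm * priv is zero mod q")
    shared = point_mul(scalar, pub)
    if shared is None:
        raise ValueError("shared point is the point at infinity")
    return shared


def encode_point(pt):
    """2*bsize output bytes: x then y, each padded to bsize (big-endian; an assumption)."""
    x, y = pt
    return x.to_bytes(BSIZE, "big") + y.to_bytes(BSIZE, "big")


def vko_shared_key(priv, pub, ukm):
    """Caller-side hashing of the point; SHA-256 stands in for the GOST hash."""
    return hashlib.sha256(encode_point(vko_point(priv, pub, ukm))).digest()


def keypair(priv):
    """Return (priv, priv*G) for a given private scalar."""
    return priv, point_mul(priv, G)


if __name__ == "__main__":
    # Constructed sample values, not test vectors from any standard.
    a_priv, a_pub = keypair(0x1234567890ABCDEF)
    b_priv, b_pub = keypair(0xFEDCBA0987654321)
    ukm = bytes(range(1, 9))             # constructed 8-byte UKM
    assert vko_shared_key(a_priv, b_pub, ukm) == vko_shared_key(b_priv, a_pub, ukm)
    print(vko_shared_key(a_priv, b_pub, ukm).hex())
```

Both parties compute the same point because (ukm*a mod q)*(b*G) and (ukm*b mod q)*(a*G) are both ukm*a*b*G; the mod q reduction is what makes the single ecc_point_mul sufficient, which is the primitive Niels notes is currently missing from the public API.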