https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826147#M5189 Hello Ricardo<BR /><BR />Look at similar thread:<BR /><A href="http://software.intel.com/en-us/forums/showthread.php?t=58862" target="_blank">http://software.intel.com/en-us/forums/showthread.php?t=58862</A><BR /><BR />(The answers 2),3) are not recommended<BR />for security reasons) <BR /><BR />I'm not representing Intel's developers but I'm accepting their assumption<BR />that the curve order is larger than the hash value<BR />It is natural for me (although more restrictive than that in FIPS)<BR /><BR />Andrzej Chrzeszczyk Sun, 22 May 2011 11:20:14 GMT Andrzej_Chrzeszczyk 2011-05-22T11:20:14Z https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826145#M5187 <P>Hello,<BR /><BR />It seems there is a problem in the ECCPSignDSA function. It fails with <EM>ippStsMessageErr</EM> when the message digest value is greater than the EC group order value, even if both have the same bit length. That should not happen according to the standards (IEEE1363-2000/10.2.2 or FIPS186-3/6.4), which define that the message digest shall be at most the same length in bits of the group order, but not itsvalue. Similarly, the Nyberg-Rueppel version shall accept messages of at most (n-1) bits of the group order.<BR /><BR />Also, the IPP documentation states, incorrectly, for both schemes:</P><BLOCKQUOTE><P>ippStsMessageErr</P><P>Indicates an error condition if the value of msg pointed by pMsgDigest falls outside the range of [1, 1-n] where n is the order of the elliptic curve base point G. </P></BLOCKQUOTE><BR />I believe there is a typo, it should read "n-1" instead of "1-n" for the NR version and just "n" for the DSA version, and "n" would be the bit length of the values instead of the values themselves.<BR /><BR />I have attached a modifiedsample from the documentationto demonstrate the problem (see ecc.cpp). A 256-bit message digest with all bits set to1 should be fine forthe 256-bit EC, but ippsECCPSignDSA rejects it, because the order value is smaller. If the digest is set to be less than the order value, no error occurs.<BR /><BR />Using the latest IPP 7.0.3.<BR /><BR />Regards,<BR />Ricardo. Tue, 10 May 2011 23:43:53 GMT https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826145#M5187 Ricardo_Costa 2011-05-10T23:43:53Z https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826146#M5188 Hi Recardo,<BR />I have contacted engineering to ask that they review the issue and will get back to you with their response. Thanks for the report.<BR /><BR />Walt Fri, 20 May 2011 18:44:54 GMT https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826146#M5188 Joseph_S_Intel 2011-05-20T18:44:54Z https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826147#M5189 Hello Ricardo<BR /><BR />Look at similar thread:<BR /><A href="http://software.intel.com/en-us/forums/showthread.php?t=58862" target="_blank">http://software.intel.com/en-us/forums/showthread.php?t=58862</A><BR /><BR />(The answers 2),3) are not recommended<BR />for security reasons) <BR /><BR />I'm not representing Intel's developers but I'm accepting their assumption<BR />that the curve order is larger than the hash value<BR />It is natural for me (although more restrictive than that in FIPS)<BR /><BR />Andrzej Chrzeszczyk Sun, 22 May 2011 11:20:14 GMT https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826147#M5189 Andrzej_Chrzeszczyk 2011-05-22T11:20:14Z https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826148#M5190 Thanks for pointing it out, that explains the problem. However the documentation refers to the standards but do not implement them exactly, so it's still an error.<BR /><BR />Also, I don't know if the signature offers the same bits of security when using (hash % n) instead of the full length. Is it guaranteed to keep the same security properties?<BR /><BR />Ricardo Sun, 22 May 2011 20:06:33 GMT https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826148#M5190 Ricardo_Costa 2011-05-22T20:06:33Z https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826149#M5191 The signature computations are performed modulo n<BR />so the reduction modulo n of the hash does not change the result<BR /><BR />(assuming that the appropriate bit lengths are OK <BR />FIPS186-3 p.30:<BR />"It is recommended that the security strength associated with the bit length of n <BR />and the security strength of the hash function be the same unless ...") <BR /><BR />Andrzej Chrzeszczyk<BR /> Mon, 23 May 2011 02:12:19 GMT https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826149#M5191 Andrzej_Chrzeszczyk 2011-05-23T02:12:19Z https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826150#M5192 Hi Andrzej, Ricardo, <BR /><BR />Thanks for the informative discussions. <BR />Here is some comments forour engineers, <P align="left"><BR />Definitely, the ippCP manual has typo in "Return Values" description. Namely in ippStsMessageErr explanation.</P><P align="left">The legal range of message to be signed is [1,<B>n-1</B>]. Exactly this range is used in the ippsSignDSA check stage.</P><P align="left">In attached code (ecc.cpp) the value being signed is (2^256) -1 and goes beyond the order of used EC.</P><P align="left">That is why error the code is returned by ippsSignDSA.<BR /><BR />Thanks<BR />Ying H.</P> Wed, 25 May 2011 04:25:53 GMT https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826150#M5192 Ying_H_Intel 2011-05-25T04:25:53Z https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826151#M5193 Hello Ying<BR />Thanks<BR /><BR />You mean of course ippsECCPSignDSA check stage<BR /><BR />Andrzej Chrzeszczyk Wed, 25 May 2011 09:18:03 GMT https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826151#M5193 Andrzej_Chrzeszczyk 2011-05-25T09:18:03Z https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826152#M5194 <P>Dear all, <BR /><BR />Just let you knowthat IPP 7.0.5 released in Intel registration center &lt;&lt;<A href="https://registrationcenter.intel.com/">https://registrationcenter.intel.com/</A>&gt;&gt;. The documentation typo was supposed fixed the version. You are welcomed to try it. </P><P>Best Wishes, <BR />Ying</P> Thu, 08 Sep 2011 08:55:02 GMT https://community.intel.com/t5/Intel-Integrated-Performance/Problem-in-Elliptic-Curve-Cryptography-DSA/m-p/826152#M5194 Ying_H_Intel 2011-09-08T08:55:02Z