package fiat-p256

  1. Overview
  2. Docs
Primitives for Elliptic Curve Cryptography taken from Fiat

Install

Dune Dependency

github.com Readme Changelog Edit opam file Versions (1)

Authors

  1. E
    Etienne Millon <me@emillon.org>
  2. A
    Andres Erbsen <andreser@mit.edu>
  3. G
    Google Inc.
  4. J
    Jade Philipoom <jadep@mit.edu> <jade.philipoom@gmail.com>
  5. M
    Massachusetts Institute of Technology

Maintainers

  1. E
    Etienne Millon <me@emillon.org>

Sources

fiat-p256-v0.2.3.tbz
sha256=c20d1b1395f59b111ca6a75c55b4edfb864215daf7484910bc89c2953474b0e0
sha512=9d679c865820294e87f479a2e46aa6278b5e9e1106776067ce0e71e4263850d4d07b38b7da65c49c4a5f4cedd74af92fcb3f3188065b12b58041a4729b296652

doc/implementation.html

Implementation

The goal of this document is to describe how the library is implemented.

Field operations

These are implemented in Field_element, which is a binding over p256_{32,64}.h. These are files extracted from Coq code in this repository.

This module uses Montgomery Modular Multiplication. Instead of storing a number a, operations are done on aR where R = 2256.

It is possible to check that these files correspond to the extracted ones in the upstream repository by running dune build @check_vendors.

These files are part of the trusted computing base. That is, using this package relies on the fact that they implemented the correct algorithms. To go further, one can re-run the extraction process from Coq sources, see #41.

Point operations

Points (see the Point module) are stored using projective coordinates (X : Y : Z):

  • Z=0 corresponds to the point at infinity
  • for Z≠0, this corresponds to a point with affine coordinates (X/Z2, Y/Z3)

Doubling and addition are implemented as C stubs in p256_stubs.c using code that comes from BoringSSL, Google's fork of OpenSSL. Fiat code has been design in part to be included in BoringSSL, so this does not require any particular glue code.

Some operations are implemented manually, in particular:

  • conversion to affine coordinates, as described above. This relies on a field inversion primitive from BoringSSL, that is exposed in Field_element.
  • point verification (bound checking and making sure that the equation is satisfied).

There is no automated way to check that the BoringSSL part is identical to that in the upstream repository (nor to update it).

Scalar multiplication

Implemented by hand using the Montgomery Powering Ladder.

Instead of branching based on key bits, constant-time selection (as defined in fiat code) is used.

The following references discuss this algorithm:

Key exchange

Key exchange consists in

  • validating the public key as described in RFC 8446 §4.2.8.2;
  • computing scalar multiplication;
  • returning the encoded x coordinate of the result.

This is implemented by hand and checked against common errors using test vectors from project Wycheproof.

OCaml

Innovation. Community. Security.

GitHub Discord Twitter Peertube RSS
About
Changelog Releases Industrial Users Academic Users Why OCaml
Ecosystem
Packages Community Events OCaml Planet Jobs
Resources
Install OCaml Get Started Platform Tools Language Manual Standard Library API Books Exercises Papers OCaml Playground Logo
Policies
Carbon Footprint Governance Privacy Code of Conduct