Closed mojtaba-bisheh closed 1 year ago
The fix has been implemented as follows, and a set of test vectors (with a message greater than q) has been added to the ECC testbench to verify this.
```systemverilog
// transformed msg into modulo q: a single conditional subtraction suffices
// because msg_reg is narrower than 2*GROUP_ORDER
always_ff @(posedge clk or negedge reset_n)
begin : reduced_msg
    if (!reset_n)
        msg_reduced_reg <= '0;
    else if (zeroize_reg)
        msg_reduced_reg <= '0;
    else begin
        if (msg_reg >= GROUP_ORDER)
            msg_reduced_reg <= msg_reg - GROUP_ORDER;
        else
            msg_reduced_reg <= msg_reg;
    end
end
```
https://github.com/chipsalliance/caliptra-rtl/pull/240 sync fixed this.
To sign or verify a message, the input hash must be reduced modulo q, as specified in RFC6979 page 9. This step was missing in the ECC implementation and caused a discrepancy with the HMAC_DRBG output. This error was not detected by our random tests because the chance of getting a random number larger than q is very low. We need to add a new test vector with a message that exceeds q to verify this step.
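As an added illustration of the reduction step the issue and the fix describe (this is not caliptra-rtl code, and the issue does not name the curve, so NIST P-384 and its published group order are assumed), the following reference compares a full `mod q` reduction per RFC 6979 with the single conditional subtraction used in the RTL, and constructs the boundary test vectors around q that random testing almost never produces. The function names, `QLEN`, and the test vectors are this example's own.

```python
"""Added example: reduce a hashed message modulo the group order q before
ECDSA sign/verify, as RFC 6979 requires (bits2int, then mod q).
Illustrative code, not the caliptra-rtl implementation.
Assumption: the curve is NIST P-384 (the issue does not name it)."""
import hashlib
import secrets

# Assumed curve parameter: the published NIST P-384 group order (384 bits).
GROUP_ORDER = int(
    "ffffffffffffffffffffffffffffffffffffffffffffffff"
    "c7634d81f4372ddf581a0db248b0a77aecec196accc52973", 16)
QLEN = GROUP_ORDER.bit_length()  # 384


def bits2int(b: bytes) -> int:
    """RFC 6979 2.3.2: interpret b as a big-endian integer and keep only the
    leftmost QLEN bits (a digest longer than q is truncated, not reduced)."""
    value = int.from_bytes(b, "big")
    blen = len(b) * 8
    return value >> (blen - QLEN) if blen > QLEN else value


def reduce_rfc6979(msg_int: int) -> int:
    """Reference reduction: full modulo q (the RFC 6979 bits2octets step)."""
    return msg_int % GROUP_ORDER


def reduce_single_subtract(msg_int: int) -> int:
    """Mirrors the fixed RTL: one conditional subtraction of GROUP_ORDER.
    This equals a full mod q for every QLEN-bit input only because
    q > 2^(QLEN-1), so 2q exceeds every representable input; the second
    assert makes that precondition explicit."""
    assert 0 <= msg_int < (1 << QLEN), "input must fit in QLEN bits"
    assert 2 * GROUP_ORDER > (1 << QLEN), "single subtraction insufficient"
    return msg_int - GROUP_ORDER if msg_int >= GROUP_ORDER else msg_int


def hash_to_scalar(message: bytes) -> int:
    """SHA-384 digest -> integer mod q, the value sign/verify must consume."""
    return reduce_rfc6979(bits2int(hashlib.sha384(message).digest()))


def boundary_vectors() -> list:
    """Constructed test inputs around q. These are the cases a random test
    almost never produces: the gap 2^384 - q is under 2^192 wide, so a
    random 384-bit value lands there with probability about 2^-192."""
    return [GROUP_ORDER - 1, GROUP_ORDER, GROUP_ORDER + 1, (1 << QLEN) - 1]


def check_reductions(vectors) -> bool:
    """True if the RTL-style reduction matches the RFC reference on every
    vector; a missing reduction step would make this False."""
    return all(reduce_single_subtract(v) == reduce_rfc6979(v) for v in vectors)


def random_hits_above_q(trials: int = 10000) -> int:
    """Count random 384-bit values >= q. Expected 0, which is exactly why
    random-only testing never exercised the reduction."""
    return sum(1 for _ in range(trials) if secrets.randbits(QLEN) >= GROUP_ORDER)


if __name__ == "__main__":
    print("boundary vectors agree:", check_reductions(boundary_vectors()))
    print("random inputs >= q out of 10000:", random_hits_above_q())
```

The two assertions inside `reduce_single_subtract` are the checks worth carrying into a testbench: the single-subtraction shortcut is only equivalent to `mod q` when the input width is at most one bit wider than q, and the boundary vectors (q - 1, q, q + 1, and the all-ones word) are the inputs that actually exercise the compare-and-subtract path.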