chipsalliance / caliptra-rtl

HW Design Collateral for Caliptra RoT IP
Apache License 2.0
66 stars 36 forks

[ECC] missing reduction operation on hashed message #221

Closed mojtaba-bisheh closed 1 year ago

mojtaba-bisheh commented 1 year ago

To sign or verify a message, the input hash must be reduced modulo q, as specified in RFC6979 page 9. This step was missing in the ECC implementation and caused a discrepancy with the HMAC_DRBG output. This error was not detected by our random tests because the chance of getting a random number larger than q is very low. We need to add a new test vector with a message that exceeds q to verify this step.

mojtaba-bisheh commented 1 year ago

The fix has been implemented as follows, and a set of test vectors (with message greater than q) has been added to the ECC testbench to verify this.

    // Reduce the hashed message into [0, q) (the bits2octets step of RFC 6979).
    // A single conditional subtraction is sufficient for a 384-bit digest:
    // 2^384 < 2*q for the P-384 group order, so msg_reg < 2q always holds.
    always_ff @(posedge clk or negedge reset_n)
    begin : reduced_msg
        if (!reset_n)
            msg_reduced_reg <= '0;
        else if (zeroize_reg)
            msg_reduced_reg <= '0;   // cleared on zeroize as well as on reset
        else begin
            if (msg_reg >= GROUP_ORDER)
                msg_reduced_reg <= msg_reg - GROUP_ORDER;
            else
                msg_reduced_reg <= msg_reg;
        end
    end
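
The reduction discussed in this thread, as an added reference model in Python (not code from the issue or from the caliptra-rtl project): it implements RFC 6979's bits2int / bits2octets conversions and the HMAC-SHA-384 k-generation loop for P-384, with a `reduce` switch that reproduces the missing-reduction behaviour. It assumes the curve is P-384 (the `Q` constant is the standard P-384 group order); the private key `X_DEMO` and the digest values are constructed for the demonstration. The `reduce=False` path shows why random digests below q never exposed the bug, while an all-ones digest (above q) changes the derived k.

```python
import hashlib
import hmac

# P-384 group order: the "q" of RFC 6979 and GROUP_ORDER in the RTL fix.
Q = int("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
        "C7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", 16)
QLEN = Q.bit_length()        # 384 bits
ROLEN = (QLEN + 7) // 8      # 48 bytes
HASH = hashlib.sha384


def bits2int(b: bytes) -> int:
    """RFC 6979 2.3.2: big-endian integer of the leftmost QLEN bits of b."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - QLEN) if blen > QLEN else v


def int2octets(x: int) -> bytes:
    """RFC 6979 2.3.3: fixed-length (ROLEN bytes) big-endian encoding."""
    return x.to_bytes(ROLEN, "big")


def reduce_hash(z1: int) -> int:
    """RFC 6979 2.3.4: z2 = z1 - Q if z1 >= Q else z1 (one conditional subtraction).
    This equals z1 mod Q for every z1 < 2^QLEN because 2^384 < 2*Q."""
    return z1 - Q if z1 >= Q else z1


def bits2octets(b: bytes) -> bytes:
    """RFC 6979 2.3.4: the reduced digest as used to seed HMAC_DRBG."""
    return int2octets(reduce_hash(bits2int(b)))


def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, HASH).digest()


def generate_k(x: int, h1: bytes, reduce: bool = True) -> int:
    """RFC 6979 3.2 deterministic k with HMAC-SHA-384.
    reduce=False feeds the unreduced digest, reproducing the reported bug."""
    msg = bits2octets(h1) if reduce else int2octets(bits2int(h1))
    hlen = HASH().digest_size
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = _hmac(K, V + b"\x00" + int2octets(x) + msg)
    V = _hmac(K, V)
    K = _hmac(K, V + b"\x01" + int2octets(x) + msg)
    V = _hmac(K, V)
    while True:
        T = b""
        while len(T) * 8 < QLEN:
            V = _hmac(K, V)
            T += V
        k = bits2int(T)
        if 1 <= k < Q:
            return k
        K = _hmac(K, V + b"\x00")
        V = _hmac(K, V)


# Constructed demo values (not from the issue or from RFC 6979).
X_DEMO = (1 << 383) + 7                  # arbitrary private scalar in [1, Q-1]
H_ABOVE_Q = b"\xff" * ROLEN              # 384-bit digest larger than Q
H_BELOW_Q = b"\x00" * (ROLEN - 1) + b"\x05"  # typical case: digest below Q


def reduction_changes_k(x: int, h1: bytes) -> bool:
    """True when skipping the reduction would derive a different k for digest h1."""
    return generate_k(x, h1, True) != generate_k(x, h1, False)


if __name__ == "__main__":
    print("digest below q, reduction matters:", reduction_changes_k(X_DEMO, H_BELOW_Q))
    print("digest above q, reduction matters:", reduction_changes_k(X_DEMO, H_ABOVE_Q))
```

A test vector for the RTL testbench can be produced by picking a digest at or above `Q` (the all-ones value above is the simplest), running `generate_k` with `reduce=True`, and checking that the hardware's HMAC_DRBG output matches; the `reduce=False` value is what the unfixed design would have produced.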

mojtaba-bisheh commented 1 year ago

https://github.com/chipsalliance/caliptra-rtl/pull/240 sync fixed this.