37.3.6.12 Verifying an ECDSA Signature (Compliant with FIPS186-2)
Purpose
This service verifies an ECDSA signature in accordance with FIPS 186-2. It performs the second step of the signature verification.
A hash value (HashVal) must be provided as input; it must have been computed beforehand from the message to be signed using a secure hash algorithm.
The second significant input is the Signature to be checked. The service checks the signature and sets the status accordingly.
How to Use the Service
Description
The operation performed is:
Verify = EcDsaVerifySignature(PtA, HashVal, Signature, CurveParameters, PublicKey)
The points used for this operation are represented in different coordinate systems. In this computation, the following parameters need to be provided:
- A the input point is filled with the affine values (X,Y) and Z = 1 (pointed by {nu1PointABase, 3*u2ModLength + 12})
- Cns the working space for the Fast Modular Constant not initialized (pointed by {nu1CnsBase,u2ScalarLength + 8})
- P the modulus filled (pointed by {nu1ModBase,u2ModLength + 4})
- The workspace not initialized (pointed by {nu1WorkSpace, 8*u2ModLength + 44})
- The a parameter relative to the elliptic curve (pointed by {nu1ABase,u2ModLength + 4})
- The order of the Point A on the elliptic curve (pointed by {nu1OrderPointBase,u2ScalarLength + 4})
- HashVal the hash value is generated prior and filled (pointed by {nu1HashBase,u2ScalarLength + 4})
- The Public Key point is filled in “mixed” coordinates (X,Y) with the affine values and Z = 1 (pointed by {nu1PointPublicKeyGen, 3*u2ModLength + 12})
- The input signature (R,S), even if it is not a Point, is represented in memory like a point in affine coordinates (X,Y) (pointed by {nu1PointSignature, 2*u2ScalarLength + 8})
Note: For the ECDSA signature verification, be sure to follow the directives given for the RNG on the chip you use (particularly initialization and seeding); starting the RNG is mandatory.
The operation consists of computing a value V from all these input parameters and checking that V equals the provided R. If the computation completes and the signature is valid, the status is set to PUKCL_OK. If the computation completes and the signature is invalid, the status is set to PUKCL_WRONG_SIGNATURE. If an error occurs, the status is set to the corresponding error value (see Status Returned Values below).
Parameters Definition
Parameter | Type | Direction | Location | Data Length | Before Executing the Service | After Executing the Service |
---|---|---|---|---|---|---|
nu1ModBase | nu1 | I | Crypto RAM | u2ModLength + 4 | Base of modulus P | Base of modulus P |
nu1CnsBase | nu1 | I | Crypto RAM | u2ScalarLength + 12 | Base of Cns | Base of Cns |
u2ModLength | u2 | I | – | – | Length of modulus P | Length of modulus P |
nu1OrderPointBase | nu1 | I | Crypto RAM | u2ScalarLength + 4 | Order of the Point A in the elliptic curve | Unchanged |
nu1PointSignature | nu1 | I | Crypto RAM | 2*u2ScalarLength + 8 | Signature(r, s) | Corrupted |
nu1HashBase(1) | nu1 | I | Crypto RAM | u2ScalarLength + 4 | Base of the hash value resulting from the previous SHA | Corrupted |
u2ScalarLength | u2 | I | – | – | Length of scalar | Length of scalar |
nu1PointABase | nu1 | I/O | Crypto RAM | 3*u2ModLength + 12 | Generator point | Corrupted |
nu1PointPublicKeyGen | nu1 | I/O | Crypto RAM | 3*u2ModLength + 12 | Public point | Corrupted |
nu1ABase | nu1 | I | Crypto RAM | u2ModLength + 4 | Parameter a of the elliptic curve | Unchanged |
nu1Workspace | nu1 | I | Crypto RAM | 8*u2ModLength + 44 | – | Corrupted workspace |
(1) The hash value computation is defined by the ECDSA standard and depends on the elliptic curve domain parameters. To construct the input parameter, the 4 Most Significant Bytes must be set to zero.
Code Example
PUKCL_PARAM PUKCLParam;
PPUKCL_PARAM pvPUKCLParam = &PUKCLParam;
// ! The Random Number Generator must be initialized and started
// ! following the directives given for the RNG on the chip
PUKCL(u2Option) = 0;
// Depending on the option specified, not all fields must be filled
// (field names follow the Parameters Definition table above)
PUKCL_ZpEcDsaVerify(nu1ModBase) = <Base of the ram location of P>;
PUKCL_ZpEcDsaVerify(u2ModLength) = <Byte length of P>;
PUKCL_ZpEcDsaVerify(nu1CnsBase) = <Base of the ram location of Cns>;
PUKCL_ZpEcDsaVerify(nu1PointABase) = <Base of the A point>;
PUKCL_ZpEcDsaVerify(nu1PointPublicKeyGen) = <Base of the Public Key point>;
PUKCL_ZpEcDsaVerify(nu1PointSignature) = <Base of the Signature (R,S)>;
PUKCL_ZpEcDsaVerify(nu1OrderPointBase) = <Base of the order of A point>;
PUKCL_ZpEcDsaVerify(nu1ABase) = <Base of the a parameter of the curve>;
PUKCL_ZpEcDsaVerify(nu1Workspace) = <Base of the workspace>;
PUKCL_ZpEcDsaVerify(nu1HashBase) = <Base of the SHA resulting hash>;
PUKCL_ZpEcDsaVerify(u2ScalarLength) = <Length of scalar>;
...
// vPUKCL_Process() is a macro command, which populates the service name
// and then calls the library...
vPUKCL_Process(ZpEcDsaVerifyFast, pvPUKCLParam);
if (PUKCL(u2Status) == PUKCL_OK)
{
    // The signature is valid
    ...
}
else if (PUKCL(u2Status) == PUKCL_WRONG_SIGNATURE)
{
    // The signature is wrong: reject the message
    ...
}
else
{
    // Manage the error (the signature must not be accepted)
    ...
}
Constraints
No overlap between inputs and outputs is allowed. The following conditions must be avoided to ensure that the service works correctly:
- nu1ModBase, nu1CnsBase, nu1PointABase, nu1PointPublicKeyGen, nu1PointSignature, nu1OrderPointBase, nu1ABase, nu1Workspace or nu1HashBase are not aligned on 32-bit boundaries
- {nu1ModBase, u2ModLength + 4}, {nu1CnsBase, u2ModLength + 8}, {nu1PointABase, 3*u2ModLength + 12}, {nu1PointPublicKeyGen, 3*u2ModLength + 12}, {nu1PointSignature, 2*u2ScalarLength + 8}, {nu1OrderPointBase, u2ScalarLength + 4}, {nu1ABase, u2ModLength + 4}, {nu1Workspace, <WorkspaceLength>} or {nu1HashBase, u2ScalarLength + 4} are not in Crypto RAM
- u2ModLength is either: < 12, > 0xffc or not a 32-bit length
- Any overlap between {nu1ModBase, u2ModLength + 4}, {nu1CnsBase, u2ModLength + 8}, {nu1PointABase, 3*u2ModLength + 12}, {nu1PointPublicKeyGen, 3*u2ModLength + 12}, {nu1PointSignature, 2*u2ScalarLength + 8}, {nu1OrderPointBase, u2ScalarLength + 4}, {nu1ABase, u2ModLength + 4}, {nu1Workspace, <WorkspaceLength>} and {nu1HashBase, u2ScalarLength + 4}
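The conditions listed above can be checked in software before the service is called. The following is an added example, not part of the PUKCL library or of the original documentation: the type and function names are hypothetical, the Crypto RAM window (ram_base, ram_size) must be taken from the device data sheet, and the workspace length is taken as 8*u2ModLength + 44. Because this page gives three different lengths for Cns, the check reserves the largest of them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example: the names below are hypothetical, not PUKCL identifiers. */
typedef struct { uint32_t base, len; } region_t;

typedef struct {
    uint32_t mod, cns, point_a, pub_key, sig, order, a, hash, work; /* bases */
    uint16_t mod_len, scalar_len;        /* u2ModLength, u2ScalarLength */
} verify_layout_t;

/* Fill r[9] with the {base, length} pairs from the parameter list. */
static void layout_regions(const verify_layout_t *l, region_t r[9])
{
    uint32_t m = l->mod_len, s = l->scalar_len;
    /* The page gives three Cns lengths; reserve the largest (assumption). */
    uint32_t cns = (s + 12 > m + 8) ? s + 12 : m + 8;
    r[0] = (region_t){ l->mod, m + 4 };
    r[1] = (region_t){ l->cns, cns };
    r[2] = (region_t){ l->point_a, 3 * m + 12 };
    r[3] = (region_t){ l->pub_key, 3 * m + 12 };
    r[4] = (region_t){ l->sig, 2 * s + 8 };
    r[5] = (region_t){ l->order, s + 4 };
    r[6] = (region_t){ l->a, m + 4 };
    r[7] = (region_t){ l->hash, s + 4 };
    r[8] = (region_t){ l->work, 8 * m + 44 };
}

/* True only if none of the conditions listed under Constraints holds.
 * ram_base/ram_size describe Crypto RAM (values from the device data sheet). */
bool verify_layout_ok(const verify_layout_t *l, uint32_t ram_base, uint32_t ram_size)
{
    region_t r[9];
    uint32_t m = l->mod_len;
    /* "not a 32-bit length" is read here as "not a multiple of 4 bytes". */
    if (m < 12 || m > 0xffc || (m & 3u) != 0)
        return false;
    layout_regions(l, r);
    for (size_t i = 0; i < 9; i++) {
        if (r[i].base & 3u)                          /* 32-bit alignment */
            return false;
        if (r[i].base < ram_base || r[i].len > ram_size ||
            r[i].base - ram_base > ram_size - r[i].len)  /* inside Crypto RAM */
            return false;
        for (size_t j = 0; j < i; j++)               /* pairwise overlap */
            if (r[i].base < r[j].base + r[j].len &&
                r[j].base < r[i].base + r[i].len)
                return false;
    }
    return true;
}
```

Running the check once at start-up on a static layout, or before each call when buffers are allocated dynamically, turns a silent miscomputation into an explicit rejection.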
Status Returned Values
Returned Status | Importance | Meaning |
---|---|---|
PUKCL_OK | – | The computation completed without error. The signature is valid. |
PUKCL_WRONG_SIGNATURE | Warning | The signature is wrong. |