37.3.6.13 Quick Verifying an ECDSA Signature (Compliant with FIPS 186-2)

Purpose

This service is used to verify an ECDSA signature following FIPS 186-2. It performs the second step of the Signature Verification, using Quick Dual Multiplying for the computation.

A hash value (HashVal) must be provided as input. It must be computed beforehand, using a secure hash algorithm, from the message whose signature is being verified.

The second significant input is the Signature to be checked.

This service checks the signature and fills the status accordingly.

Important: This service has a quick implementation without additional security.

How to Use the Service

Description

The operation performed is:

Verify = EcDsaVerifySignature(PtA, HashVal, Signature, CurveParameters, PublicKey)

The points used for this operation are represented in different coordinate systems.

In this computation, the following parameters need to be provided (such that u2MaxLength = max(u2ModLength, u2ScalarLength)):

  • A, the input point, filled with the affine values (X,Y) and Z = 1 (pointed by {pu1PointABase, (3*(u2ModLength + 4)) * (2^(WA-2))})
  • P, the modulus, filled, and Cns, the working space for the Fast Modular Constant, not initialized (pointed by {pu1ModBase, u2ModLength + u2MaxLength + 16})
  • The a parameter relative to the elliptic curve, filled, and workspace, not initialized (pointed by {pu1AWorkBase, 8*u2MaxLength + u2ModLength + 48})
  • The order of the Point A on the elliptic curve (pointed by {pu1OrderPointBase, u2ScalarLength + 4})
  • HashVal, the previously generated hash value, filled (pointed by {pu1HashBase, u2MaxLength + 4})
  • The Public Key point, filled in “mixed” coordinates (X,Y) with the affine values and Z = 1 (pointed by {nu1PointPublicKeyGen, (3*(u2ModLength + 4)) * (2^(WB-2))})
  • The input signature (R,S), which, even though it is not a Point, is represented in memory like a point in affine coordinates (X,Y) (pointed by {nu1PointSignature, 2*u2ScalarLength + 8})

The operation consists of computing a value V from all input parameters and checking that V equals the provided R. If all is correct and the signature is valid, the status is set to PUKCL_OK. If all is correct and the signature is wrong, the status is set to PUKCL_WRONG_SIGNATURE. If an error occurs, the status is set to the corresponding error value (see Status Returned Values below).

Parameters Definition

To place the parameters correctly the maximum of u2ModLength and u2ScalarLength must be calculated: u2MaxLength = max(u2ModLength, u2ScalarLength)

WA is the Point A window size and WB is the Point Public Key window size (see Options below for details).

Important: Please calculate precisely the length of areas with the formulas and the max() service which takes the maximum of two values. Ensure that the pu1 type is a pointer on 4 bytes and contains the full address (see Aligned Significant Length for details).

Table 37-89. ZpEcDsaQuickVerify Service Parameters

| Parameter | Type | Direction | Location | Data Length | Before Executing the Service | After Executing the Service |
|---|---|---|---|---|---|---|
| pu1ModCnsBase | pu1 | I | Crypto RAM | u2ModLength + 4 + u2MaxLength + 12 | Base of modulus P | Base of modulus P |
| u2Option | u2 | I | – | – | Option related to the called service (see below) | – |
| u2ModLength | u2 | I | – | – | Length of modulus P | Length of modulus P |
| pu1OrderPointBase | pu1 | I | Crypto RAM | u2ScalarLength + 4 | Order of the Point A in the elliptic curve | Unchanged |
| pu1PointSignature | pu1 | I | Any RAM | 2*u2ScalarLength + 8 | Signature(r, s) | Corrupted |
| pu1HashBase (see Note 1) | pu1 | I | Crypto RAM | u2MaxLength + 4 | Base of the hash value resulting from the previous SHA | Corrupted |
| u2ScalarLength | u2 | I | – | – | Length of scalar | Length of scalar |
| pu1PointABase | pu1 | I/O | Crypto RAM | (3*u2ModLength + 12) * (2^(WA-2)) | Generator point | Corrupted |
| pu1PointPublicKeyGen | pu1 | I/O | Crypto RAM | (3*u2ModLength + 12) * (2^(WB-2)) | Public Key point | Corrupted |
| pu1AWorkBase | pu1 | I | Crypto RAM | (u2ModLength + 4) + (8*u2MaxLength + 44) | Parameter a of the elliptic curve and Workspace | Corrupted |

Note:
  1. The hash value calculation is defined by the ECDSA standard and depends on the elliptic curve domain parameters. To construct the input parameter, the 4 Most Significant Bytes must be set to zero.

A suggested parameters placement in Crypto RAM is:

  • ModCnsBase
  • OrderPointBase
  • Signature may be placed here or in Classical RAM
  • HashBase
  • PointABase
  • PointPublicKeyGen
  • AWorkBase

Options

The options are set by the u2Option input parameter, which is composed of:

  • the mandatory window sizes WA (window for Point A) and WB (window for Point Public Key)
  • the indication of the presence of the Point Signature in system RAM

Important: Please check precisely whether the Point Signature is in Crypto RAM. If this is the case, the PUKCL_ZPECCMUL_SCAL_IN_CLASSIC_RAM option must not be used.

The u2Option value is calculated by an “Inclusive OR” of the options. Some examples in C language are:

  • // Point Signature in system RAM
    // The Point A window size is 3
    // The Point Public Key window size is 4
    PUKCL(u2Option) = PUKCL_ZPECCMUL_SCAL_IN_CLASSIC_RAM |
                      PUKCL_ZPECCMUL_WINSIZE_A_VAL_TO_OPT(3) |
                      PUKCL_ZPECCMUL_WINSIZE_B_VAL_TO_OPT(4);

  • // Point Signature in the Cryptographic RAM
    // The Point A window size is 2
    // The Point Public Key window size is 5
    PUKCL(u2Option) = PUKCL_ZPECCMUL_WINSIZE_A_VAL_TO_OPT(2) |
                      PUKCL_ZPECCMUL_WINSIZE_B_VAL_TO_OPT(5);

For this service, many window sizes are possible. The window sizes in bits are those of the windowing method used for the scalar multiplying.

The choice of the window sizes is a balance between the size of the parameters and the computation time:

  • Increasing the window size increases the precomputation table size.
  • Increasing the window size to the optimum reduces the computation time.

The following table gives the estimated optimum and possible window sizes WA and WB for some curves.

Table 37-90. ZpEcDsaQuickVerify Service Estimated WA and WB Window Size

| Curve Size (bits) | Optimum Window Size | Possible Window Sizes (WA, WB) or (WB, WA) |
|---|---|---|
| 192 | 5 | 5, 5 |
| 256 | 5 | 5, 5 |
| 384 | 6 | 5, 5 |
| 521 | 6 | 4, 5 |

The following table details the size of the point and the precomputation table, depending on the chosen window size option.

Table 37-91. ZpEcDsaQuickVerify Service Window Size and Precomputation Table Size Options

| Option Specified | Point and Precomputation Table Size |
|---|---|
| PUKCL_ZPECCMUL_WINSIZE_A_VAL_TO_OPT(WA), WA in [2, 15] | (3*(u2ModLength + 4)) * (2^(WA-2)) |
| PUKCL_ZPECCMUL_WINSIZE_B_VAL_TO_OPT(WB), WB in [2, 15] | (3*(u2ModLength + 4)) * (2^(WB-2)) |

The Point Signature can be located in PUKCC RAM or in system RAM. If the Point Signature is entirely in system RAM, with no part in PUKCC RAM, this can be signaled by using the option PUKCL_ZPECCMUL_SCAL_IN_CLASSIC_RAM. In all other cases this option must not be used.

The following table describes this option.

Table 37-92. ZpEcDsaQuickVerify Service Point Signature in Classical RAM Option

| Option | Purpose |
|---|---|
| PUKCL_ZPECCMUL_SCAL_IN_CLASSIC_RAM | The Point Signature can be located in Crypto RAM or in system RAM. If the Point Signature is entirely in system RAM with no part in PUKCC RAM this can be signaled by using this option. In all other cases this option must not be used. |

Code Example

PUKCL_PARAM PUKCLParam;
PPUKCL_PARAM pvPUKCLParam = &PUKCLParam;
PUKCL(u2Option) = <Point Signature location and windows sizes>;
PUKCL_ZpEcDsaQuickVerify(pu1ModCnsBase) = <Base of the ram location of P and Cns>;
PUKCL_ZpEcDsaQuickVerify(u2ModLength) = <Byte length of P>;
PUKCL_ZpEcDsaQuickVerify(pu1PointABase) = <Base of the ram location of the A point>;
PUKCL_ZpEcDsaQuickVerify(pu1PointPublicKeyGen) = <Base of the Public Key>;
PUKCL_ZpEcDsaQuickVerify(pu1PointSignature) = <Base of the Signature (r, s)>;
PUKCL_ZpEcDsaQuickVerify(pu1OrderPointBase) = <Base of the order of the A point>;
PUKCL_ZpEcDsaQuickVerify(pu1AWorkBase) = <Base of the ram location of the parameter A of the elliptic curve and workspace>;
PUKCL_ZpEcDsaQuickVerify(pu1HashBase) = <Base of the SHA resulting hash>;
PUKCL_ZpEcDsaQuickVerify(u2ScalarLength) = <Byte length of R and S in Point Signature>;
. . .
// vPUKCL_Process() is a macro command, which populates the service name
// and then calls the library...
vPUKCL_Process(ZpEcDsaQuickVerify, pvPUKCLParam);
if (PUKCL(u2Status) == PUKCL_OK)
{
    // The signature is valid
    ...
}
else if (PUKCL(u2Status) == PUKCL_WRONG_SIGNATURE)
{
    // The signature is wrong
    ...
}
else
{
    // Manage the error
    ...
}

Constraints

No overlap between inputs and outputs is allowed. The following conditions must be avoided to ensure that the service works correctly:

  • pu1ModCnsBase, pu1PointABase, pu1PointPublicKeyGen, pu1PointSignature, pu1OrderPointBase, pu1AWorkBase or pu1HashBase are not aligned on 32-bit boundaries
  • {pu1ModCnsBase, u2ModLength + 4 + u2MaxLength + 12}, {pu1PointABase, (3 * u2ModLength + 12) * (2^(WA-2))}, {pu1PointPublicKeyGen, (3 * u2ModLength + 12) * (2^(WPub-2))}, {pu1OrderPointBase, u2ScalarLength + 4}, {nu1ABase, u2ModLength + 4}, {pu1AWorkBase, (u2ModLength + 4) + (8 * u2MaxLength + 44)} or {nu1HashBase, u2ScalarLength + 4} are not in Crypto RAM
  • u2ModLength is either: < 12, > 0xffc or not a 32-bit length
  • All overlapping between {pu1ModCnsBase, u2ModLength + 4 + u2MaxLength + 12}, {pu1PointABase, (3 * u2ModLength + 12) * (2^(WA-2))}, {pu1PointPublicKeyGen, (3 * u2ModLength + 12) * (2^(WPub-2))}, {pu1OrderPointBase, u2ScalarLength + 4}, {pu1PointSignature, 2 * u2ScalarLength + 8}, {nu1ABase, u2ModLength + 4}, {pu1AWorkBase, (u2ModLength + 4) + (8 * u2MaxLength + 44)} and {nu1HashBase, u2ScalarLength + 4}
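
The sizing and placement rules above can be checked before the service is called. The following C helper is an added example, not part of the PUKCL library or of the original page: it lays the regions out in the suggested placement order using the Table 37-89 data lengths, and rejects an invalid u2ModLength, an out-of-range window size, or a layout that does not fit. The names qv_layout_t, qv_place and qv_plan are hypothetical, and the Crypto RAM size (cram_size) is an assumption supplied by the caller.

```c
#include <stdint.h>

/* Added example; names are hypothetical, region sizes come from Table 37-89. */
typedef struct {
    uint32_t mod_cns, order, sig, hash, point_a, pub_key, a_work; /* offsets from Crypto RAM base */
    uint32_t total;                                               /* bytes of Crypto RAM used */
} qv_layout_t;

/* Reserve `size` bytes at the next 32-bit aligned offset and return that offset. */
static uint32_t qv_place(uint64_t *cursor, uint64_t size)
{
    uint64_t off = (*cursor + 3u) & ~(uint64_t)3u;
    *cursor = off + size;
    return (uint32_t)off;
}

/* Returns 0 and a usable *out, or -1 if a documented constraint is violated or the
 * layout exceeds cram_size (assumed size of the Crypto RAM, in bytes). On -1 the
 * contents of *out must not be used. Regions are placed back to back, so they are
 * aligned and non-overlapping by construction. */
int qv_plan(uint32_t mod_len, uint32_t scalar_len, unsigned wa, unsigned wb,
            int sig_in_cram, uint32_t cram_size, qv_layout_t *out)
{
    if (mod_len < 12 || mod_len > 0xffc || (mod_len & 3u)) return -1; /* u2ModLength constraint */
    if (wa < 2 || wa > 15 || wb < 2 || wb > 15) return -1;            /* Table 37-91 range */

    uint64_t max_len = mod_len > scalar_len ? mod_len : scalar_len;   /* u2MaxLength */
    uint64_t point   = 3ull * mod_len + 12;                           /* one (X,Y,Z) entry */
    uint64_t cur     = 0;

    out->mod_cns = qv_place(&cur, mod_len + 4ull + max_len + 12);
    out->order   = qv_place(&cur, scalar_len + 4ull);
    /* UINT32_MAX marks "signature entirely in system RAM": the caller then sets
     * PUKCL_ZPECCMUL_SCAL_IN_CLASSIC_RAM; otherwise that option must not be set. */
    out->sig     = sig_in_cram ? qv_place(&cur, 2ull * scalar_len + 8) : UINT32_MAX;
    out->hash    = qv_place(&cur, max_len + 4);
    out->point_a = qv_place(&cur, point << (wa - 2));                 /* precomputation table A */
    out->pub_key = qv_place(&cur, point << (wb - 2));                 /* precomputation table B */
    out->a_work  = qv_place(&cur, (mod_len + 4ull) + (8 * max_len + 44));

    if (cur > cram_size) return -1;   /* does not fit: choose smaller window sizes */
    out->total = (uint32_t)cur;
    return 0;
}
```

Add each offset to the device's Crypto RAM base address to obtain the pu1 pointers; a -1 result for a given curve usually means WA or WB must be reduced.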

Status Returned Values

Table 37-93. ZpEcDsaQuickVerify Service Return Codes

| Returned Status | Importance | Meaning |
|---|---|---|
| PUKCL_OK | – | The computation passed without problem. The signature is valid. |
| PUKCL_WRONG_SIGNATURE | Warning | The signature is wrong. |

Parameter Placement

The parameters’ placement is described in detail in the following figures.

Figure 37-11. Modulus P and Cns {pu1ModCnsBase, u2ModLength + 4 + u2MaxLength + 12}
Figure 37-12. Points A {pu1PointABase, (3*(u2ModLength + 4)) * (2^(WA-2))} and Public Key Gen {pu1PointPublicKeyGen, (3*(u2ModLength + 4)) * (2^(WB-2))}
Figure 37-13. PointSignature {pu1PointSignature, 2 * u2ScalarLength + 8}
Figure 37-14. The a parameter and Workspace {pu1AWorkBase, 9*u2ModLength + 48}