Breaking change in ECDSA


Mike Hamburg
Mar 25, 2013, 1:43:26 AM
to sjcl-a...@googlegroups.com, sjcl-d...@googlegroups.com
Hello all,

Commits master:e5d53c75a8a36df54e9e6bac47e04b2b103c62fa and ecc:dc042f62fc32cf8dd7fef5cc4b54476f2a891059 contain correct versions of ECDSA, with test vectors, thanks to Tom Hughes. (Older versions contain a hacked-up version of ECDSA, returning (r,1/s) instead of (r,s), which is equivalent but requires one fewer division to verify. Hooray for premature optimization.)

The sign and verify functions take a third parameter, fakeLegacyVersion. When set to true, sign will produce (r,1/s) signatures compatible with older versions of sjcl; when left undefined or set to false they will produce (r,s) ECDSA signatures.

In the verify() function, if fakeLegacyVersion is left undefined, the library will try first the correct (r,s) version, and then the legacy (r,1/s) version. If it is set to false, the library will check only (r,s), and if set to true it will check only (r,1/s).

So if you update to the latest version in master or ecc and are using signatures, and need backward compatibility, pass true as a third parameter to sign().

Also, I imported the latest version of the closure compressor, because it didn't work with ECC for some reason. This meant reworking the compression scripts to suppress the hundreds of warnings that resulted from the changes. If you find any problems with this, please report them.

Cheers,
-- Mike Hamburg

Mike Hamburg
Mar 25, 2013, 3:07:03 AM
to sjcl-d...@googlegroups.com, sjcl-a...@googlegroups.com
Sorry for the spam!

I forgot to say before, I don't really see the point in maintaining a separate branch for ECC. As of 28d8573235787113fd60daf9d786418695797824, the ECC branch changes *should* all be in master, so I'm going to stop updating (and eventually delete) the ecc branch itself.

The ECC code itself is still somewhat experimental, even though it's in master. It's not enabled by default, but that's just a ./configure away.

Cheers,
-- Mike
