eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

PSA PAKE: Clarify the documentation of NIZKP steps

Browse source 
The expression "the masking is omitted" assumes familiarity with
Montgomery curve private key format and even then can be confusing and
ambiguous or confusing.

Describe directly what format we mean and add some more background
information and reference to the standard as well.

Signed-off-by: Janos Follath <janos.follath@arm.com>
This commit is contained in:
Janos Follath 2021-06-03 15:51:09 +01:00
parent b384ec19d1
commit 55dd5dc355
1 changed files with 11 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

19
include/psa/crypto_extra.h
View file

@ -1108,6 +1108,9 @@ typedef uint32_t psa_pake_primitive_t;
#define PSA_PAKE_STEP_KEY_SHARE ((psa_pake_step_t)0x01) #define PSA_PAKE_STEP_KEY_SHARE ((psa_pake_step_t)0x01)
/** A Schnorr NIZKP public key. /** A Schnorr NIZKP public key.
*
* This is the ephemeral public key in the Schnorr Non-Interactive
* Zero-Knowledge Proof (the value denoted by the letter 'V' in RFC 8235).
* *
* The format for both input and output at this step is the same as for public * The format for both input and output at this step is the same as for public
* keys on the group determined by the primitive (::psa_pake_primitive_t) would * keys on the group determined by the primitive (::psa_pake_primitive_t) would
@ -1123,16 +1126,16 @@ typedef uint32_t psa_pake_primitive_t;
/** A Schnorr NIZKP proof. /** A Schnorr NIZKP proof.
* *
* The format for both input and output at this step is the same as for private * This is the proof in the Schnorr Non-Interactive Zero-Knowledge Proof (the
* keys on the group determined by the primitive (::psa_pake_primitive_t) would * value denoted by the letter 'r' in RFC 8235).
* be.
* *
* Some public key algorithms mask the private keys and this might be reflected * Both input and output at this step is an integer less than the group
* in the export format. Even if this is the case the masking is omitted at * selected in the cipher suite. The format depends on the group as well:
* this step.
* *
* For more information on the format, consult the documentation of * - For Montgomery curves, the encoding is little endian (see decoding of
* psa_export_key(). * scalars in Section 5 of RFC 7748).
* - For everything else the encoding is big endian (see Section 2.3.8 of
* _SEC 1: Elliptic Curve Cryptography_ at https://www.secg.org/sec1-v2.pdf).
* *
* For information regarding how the group is determined, consult the * For information regarding how the group is determined, consult the
* documentation #PSA_PAKE_PRIMITIVE. * documentation #PSA_PAKE_PRIMITIVE.