bignp256: migrate to LittleEndian, according to specification

Author: makavity

Cargo.lock

@@ -21,19 +21,22 @@ rust-version = "1.85"
 elliptic-curve = { version = "0.14.0-rc.29", features = ["sec1"] }
 
 # optional dependencies
+belt-block = { version = "0.2.0-rc.3", optional = true}
 belt-hash = { version = "0.2.0-rc.5", optional = true, default-features = false }
 der = "0.8"
 digest = { version = "0.11", optional = true }
 hex-literal = { version = "1", optional = true }
 hkdf = { version = "0.13.0-rc.5", optional = true }
 hmac = { version = "0.13.0-rc.5", optional = true }
 rand_core = "0.10"
-rfc6979 = { version = "0.5.0-rc.5", optional = true }
 pkcs8 = { version = "0.11.0-rc.11", optional = true }
 primefield = { version = "0.14.0-rc.8", optional = true }
 primeorder = { version = "0.14.0-rc.8", optional = true }
 sec1 = { version = "0.8.0-rc.13", optional = true }
 signature = { version = "3.0.0-rc.10", optional = true }
+# TODO: Change this when `bign-genk` is released
+bign-genk = { git = "https://github.com/makavity/signatures.git", optional = true }
+#bign-genk = { path = "../../signatures/bign-genk", optional = true }
 
 [dev-dependencies]
 criterion = "0.7"
@@ -49,7 +52,7 @@ std = ["alloc", "elliptic-curve/std", "getrandom"]
 
 arithmetic = ["dep:primefield", "dep:primeorder", "elliptic-curve/arithmetic"]
 bits = ["arithmetic", "elliptic-curve/bits"]
-ecdsa = ["arithmetic", "dep:rfc6979", "dep:signature", "dep:belt-hash"]
+ecdsa = ["arithmetic", "dep:signature", "dep:belt-hash", "dep:bign-genk", "dep:belt-block", "belt-block/cipher", "belt-hash/oid"]
 getrandom = ["elliptic-curve/getrandom"]
 pem = ["pkcs8/pem", "sec1/pem"]
 pkcs8 = ["dep:pkcs8"]

bignp256/Cargo.toml

@@ -35,15 +35,15 @@ impl PrimeCurveParams for BignP256 {
     type FieldElement = FieldElement;
     type PointArithmetic = point_arithmetic::EquationAIsGeneric;
     const EQUATION_A: Self::FieldElement = FieldElement::from_hex_vartime(
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF40",
+        "40FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
     );
     const EQUATION_B: Self::FieldElement = FieldElement::from_hex_vartime(
-        "77CE6C1515F3A8EDD2C13AABE4D8FBBE4CF55069978B9253B22E7D6BD69C03F1",
+        "F1039CD66B7D2EB253928B976950F54CBEFBD8E4AB3AC1D2EDA8F315156CCE77",
     );
     const GENERATOR: (Self::FieldElement, Self::FieldElement) = (
         FieldElement::ZERO,
         FieldElement::from_hex_vartime(
-            "6BF7FC3CFB16D69F5CE4C9A351D6835D78913966C408F6521E29CF1804516A93",
+            "936A510418CF291E52F608C4663991785D83D651A3C9E45C9FD616FB3CFCF76B",
         ),
     );
 }

bignp256/src/arithmetic.rs

@@ -61,7 +61,7 @@ primefield::monty_field_params! {
     name: FieldParams,
     modulus: MODULUS_HEX,
     uint: U256,
-    byte_order: primefield::ByteOrder::BigEndian,
+    byte_order: primefield::ByteOrder::LittleEndian,
     multiplicative_generator: 2,
     doc: "Montgomery parameters for the bign-curve256v1 field modulus p = 2^{256} − 189"
 }

bignp256/src/arithmetic/field.rs

@@ -52,7 +52,7 @@ primefield::monty_field_params! {
     name: ScalarParams,
     modulus: ORDER_HEX,
     uint: U256,
-    byte_order: primefield::ByteOrder::BigEndian,
+    byte_order: primefield::ByteOrder::LittleEndian,
     multiplicative_generator: 3,
     doc: "Montgomery parameters for the bign-curve256v1 scalar modulus"
 }

bignp256/src/arithmetic/scalar.rs

@@ -75,6 +75,7 @@ impl Signature {
     /// Parse an BignP256 signature from a byte array.
     pub fn from_bytes(bytes: &SignatureBytes) -> Result<Self> {
         let (s0, s1) = bytes.split_at(Self::BYTE_SIZE / 3);
+
         let mut s0_bytes: Array<u8, U32> = Default::default();
         s0_bytes[..16].copy_from_slice(s0);
 
@@ -99,11 +100,8 @@ impl Signature {
     /// which comprise the signature.
     #[inline]
     pub fn from_scalars(s0: impl Into<FieldBytes>, s1: impl Into<FieldBytes>) -> Result<Self> {
-        let s0 = &mut s0.into()[16..];
-        let mut s1 = s1.into();
-
-        s0.reverse();
-        s1.reverse();
+        let s0 = &mut s0.into()[..16];
+        let s1 = s1.into();
 
         let mut s: Array<u8, U48> = Default::default();
         s[..Self::BYTE_SIZE / 3].copy_from_slice(s0);
@@ -142,15 +140,13 @@ impl Signature {
 impl Signature {
     /// Get the `s0` word component of this signature
     pub fn s0(&self) -> NonZeroScalar {
-        let mut s0 = self.s0.to_bytes();
-        s0.reverse();
+        let s0 = self.s0.to_bytes();
         NonZeroScalar::new(Scalar::from_bytes(&s0).unwrap()).unwrap()
     }
 
     /// Get the `s1` word component of this signature
     pub fn s1(&self) -> NonZeroScalar {
-        let mut s1 = self.s1.to_bytes();
-        s1.reverse();
+        let s1 = self.s1.to_bytes();
         NonZeroScalar::new(Scalar::from_bytes(&s1).unwrap()).unwrap()
     }
 

bignp256/src/ecdsa.rs

@@ -19,7 +19,7 @@ use crate::{BignP256, FieldBytes, NonZeroScalar, ProjectivePoint, PublicKey, Sca
 use belt_hash::{BeltHash, Digest};
 use core::fmt::{self, Debug};
 use elliptic_curve::{
-    Curve, Field, FieldBytesEncoding, Generate, Group, PrimeField,
+    Curve, Field, FieldBytesEncoding, Generate, Group,
     array::{Array, sizes::U32, typenum::Unsigned},
     ops::Reduce,
     point::AffineCoordinates,
@@ -109,39 +109,38 @@ impl PrehashSigner<Signature> for SigningKey {
         if prehash.len() != <BignP256 as Curve>::FieldBytesSize::USIZE {
             return Err(Error::new());
         }
-        let mut h_word: Array<u8, U32> = Array::try_from(prehash).map_err(|_| Error::new())?;
-        h_word.reverse();
+        let h_word: Array<u8, U32> = Array::try_from(prehash).map_err(|_| Error::new())?;
 
         let h = Scalar::reduce(&h_word);
 
-        //2. Generate 𝑘 ← rand(1,..,𝑞-1)
-        let k = Scalar::from_repr(rfc6979::generate_k::<BeltHash, _>(
-            &self.secret_scalar.to_repr(),
+        // //2. Generate 𝑘 ← rand(1,..,𝑞-1)
+        let k = bign_genk::generate_k::<BeltHash, belt_block::BeltBlock, _>(
+            &self.secret_scalar.to_bytes(),
             &FieldBytesEncoding::<BignP256>::encode_field_bytes(BignP256::ORDER.as_ref()),
             &h.to_bytes(),
             &[],
-        ))
-        .unwrap();
+        );
+
+        let k = Scalar::from_bytes(&k).unwrap();
 
         // 3. Set 𝑅 ← 𝑘𝐺.
-        let mut R: Array<u8, _> = ProjectivePoint::mul_by_generator(&k).to_affine().x();
-        R.reverse();
+        let R = ProjectivePoint::mul_by_generator(&k).to_affine();
+        let Rx = R.x();
 
         // 4. Set 𝑆0 ← ⟨︀belt-hash(OID(ℎ) ‖ ⟨𝑅⟩2𝑙 ‖ 𝐻)⟩︀_𝑙.
         let mut hasher = BeltHash::new();
         hasher.update(BELT_OID);
-        hasher.update(R);
+        hasher.update(Rx);
         hasher.update(prehash);
 
         let mut s0 = hasher.finalize();
         s0[16..].fill(0x00);
-        s0.reverse();
 
         let s0_scalar = Scalar::from_slice(&s0).ok_or_else(Error::new)?;
 
         let right = s0_scalar
             .add(&Scalar::from_u64(2).pow([128, 0, 0, 0]))
-            .multiply(self.as_nonzero_scalar());
+            .multiply(&self.secret_scalar);
 
         // 5. Set 𝑆1 ← ⟨︀(𝑘 − 𝐻 − (𝑆0 + 2^𝑙)𝑑) mod 𝑞⟩︀_2𝑙.
         let s1 = k.sub(&h).sub(&right);

bignp256/src/ecdsa/signing.rs

@@ -28,13 +28,12 @@ use belt_hash::{
 use elliptic_curve::{
     Curve, Field, Group,
     array::{Array, sizes::U32, typenum::Unsigned},
-    group::GroupEncoding,
     ops::{LinearCombination, Reduce},
+    point::AffineCoordinates,
+    sec1::ToSec1Point,
 };
 use signature::{Error, MultipartVerifier, Result, Verifier, hazmat::PrehashVerifier};
 
-use elliptic_curve::sec1::ToSec1Point;
-
 /// Bign256 public key used for verifying signatures are valid for a given
 /// message.
 ///
@@ -114,8 +113,7 @@ impl PrehashVerifier<Signature> for VerifyingKey {
         // 3. If 𝑆1 ⩾ 𝑞, return NO.
         let s1 = signature.s1();
 
-        let mut hash: Array<u8, U32> = Array::clone_from_slice(prehash);
-        hash.reverse();
+        let hash: Array<u8, U32> = Array::clone_from_slice(prehash);
 
         let hw = Scalar::reduce(FieldBytes::from_slice(&hash));
         let left = s1.add(&hw);
@@ -133,19 +131,18 @@ impl PrehashVerifier<Signature> for VerifyingKey {
             return Err(Error::new());
         }
 
-        let mut r_bytes = r.to_bytes();
-        r_bytes.reverse();
+        let r = r.to_affine();
+        let rx = r.x();
 
         let mut hasher = BeltHash::new();
         hasher.update(BELT_OID);
-        hasher.update(&r_bytes[0..32]);
+        hasher.update(rx);
         hasher.update(prehash);
 
         // 7. Set 𝑡 ← ⟨︀belt-hash(OID(ℎ) ‖ ⟨𝑅⟩^2𝑙 ‖ 𝐻) ⟩︀^𝑙.
         let t = hasher.finalize();
 
-        let s0 = &mut s0.to_bytes()[16..];
-        s0.reverse();
+        let s0 = &mut s0.to_bytes()[..16];
 
         // 8. If 𝑆0 != 𝑡, return NO.
         if s0 == &t.as_slice()[..16] {

bignp256/src/ecdsa/verifying.rs

@@ -128,22 +128,18 @@ pub type Sec1Point = elliptic_curve::sec1::Sec1Point<BignP256>;
 
 impl FieldBytesEncoding<BignP256> for U256 {
     fn decode_field_bytes(field_bytes: &FieldBytes) -> Self {
-        U256::from_be_byte_array(*field_bytes)
+        U256::from_le_byte_array(*field_bytes)
     }
 
     fn encode_field_bytes(&self) -> FieldBytes {
-        self.to_be_byte_array()
+        self.to_le_byte_array()
     }
 }
 
 /// Non-zero scalar field element.
 #[cfg(feature = "arithmetic")]
 pub type NonZeroScalar = elliptic_curve::NonZeroScalar<BignP256>;
 
-// /// BIGN P-256 public key.
-// #[cfg(feature = "arithmetic")]
-// pub type PublicKey = elliptic_curve::PublicKey<BignP256>;
-
 /// Generic scalar type with primitive functionality.#
 #[cfg(feature = "arithmetic")]
 pub type ScalarValue = elliptic_curve::ScalarValue<BignP256>;

bignp256/src/lib.rs

@@ -64,11 +64,7 @@ impl PublicKey {
 
     /// Get [`PublicKey`] from bytes
     pub fn from_bytes(bytes: &[u8]) -> Result<Self, Error> {
-        let mut bytes = Array::try_from(bytes).map_err(|_| Error)?;
-
-        // It is because public_key in little endian
-        bytes[..32].reverse();
-        bytes[32..].reverse();
+        let bytes = Array::try_from(bytes).map_err(|_| Error)?;
 
         let point = Sec1Point::from_untagged_bytes(&bytes);
         let affine = AffinePoint::from_sec1_point(&point);
@@ -96,9 +92,7 @@ impl PublicKey {
     #[cfg(feature = "alloc")]
     /// Get bytes from [`PublicKey`]
     pub fn to_bytes(&self) -> Box<[u8]> {
-        let mut bytes = self.point.to_sec1_point(false).to_bytes();
-        bytes[1..32 + 1].reverse();
-        bytes[33..].reverse();
+        let bytes = self.point.to_sec1_point(false).to_bytes();
         bytes[1..].to_vec().into_boxed_slice()
     }