[sw,cryptolib] Update ECC random scalar gen function header

h-filali · h-filali · commit 012d8ae6a5b3 · 2025-10-31T11:51:57.000+01:00
This commit updates the ECC random secret scalar generation
function header.

I checked the implementation for FIPS 186-5 compliance and
updated the header comment accordingly.

Signed-off-by: Hakim Filali &lt;hfilali@lowrisc.org&gt;
diff --git a/sw/otbn/crypto/p256_base.s b/sw/otbn/crypto/p256_base.s
@@ -1611,10 +1611,10 @@ p256_base_mult:
  *
  * Returns t, a random value that is nonzero mod n, in shares.
  *
- * This follows a modified version of the method in FIPS 186-4 sections B.4.1
- * and B.5.1 for generation of secret scalar values d and k. The computation
- * in FIPS 186-4 is:
- *   seed = RBG(seedlen) // seedlen >= 320
+ * This follows a modified version of the method in FIPS 186-5 sections A.2.2
+ * and A.3.2 for generation of secret scalar values d and k. The computation
+ * in FIPS 186-5 is:
+ *   seed = RBG(seedlen) // seedlen >= 256
  *   return (seed mod (n-1)) + 1
  *
  * The important features here are that (a) the seed is at least 64 bits longer
@@ -1924,7 +1924,7 @@ boolean_to_arithmetic:
  *    d = (d0 + d1) mod n
  * ...where n is the curve order.
  *
- * This implementation follows FIPS 186-4 section B.4.1, where we
+ * This implementation follows FIPS 186-5 section A.2.2, where we
  * generate d using N+64 random bits (320 bits in this case) as a seed. But
  * while FIPS computes d = (seed mod (n-1)) + 1 to ensure a nonzero key, we
  * instead just compute d = seed mod n. The caller MUST ensure that if this
diff --git a/sw/otbn/crypto/p384_keygen.s b/sw/otbn/crypto/p384_keygen.s
@@ -13,10 +13,10 @@
  *
  * Returns t, a random value that is nonzero mod n, in shares.
  *
- * This follows a modified version of the method in FIPS 186-4 sections B.4.1
- * and B.5.1 for generation of secret scalar values d and k. The computation
- * in FIPS 186-4 is:
- *   seed = RBG(seedlen) // seedlen >= 448
+ * This follows a modified version of the method in FIPS 186-5 sections A.2.2
+ * and A.3.2 for generation of secret scalar values d and k. The computation
+ * in FIPS 186-5 is:
+ *   seed = RBG(seedlen) // seedlen >= 384
  *   return (seed mod (n-1)) + 1
  *
  * The important features here are that (a) the seed is at least 64 bits longer

Original file line number	Diff line number	Diff line change
`@@ -1611,10 +1611,10 @@ p256_base_mult:`
`1611`	`1611`	`*`
`1612`	`1612`	`* Returns t, a random value that is nonzero mod n, in shares.`
`1613`	`1613`	`*`
`1614`		`- * This follows a modified version of the method in FIPS 186-4 sections B.4.1`
`1615`		`- * and B.5.1 for generation of secret scalar values d and k. The computation`
`1616`		`- * in FIPS 186-4 is:`
`1617`		`- * seed = RBG(seedlen) // seedlen >= 320`
	`1614`	`+ * This follows a modified version of the method in FIPS 186-5 sections A.2.2`
	`1615`	`+ * and A.3.2 for generation of secret scalar values d and k. The computation`
	`1616`	`+ * in FIPS 186-5 is:`
	`1617`	`+ * seed = RBG(seedlen) // seedlen >= 256`
`1618`	`1618`	`* return (seed mod (n-1)) + 1`
`1619`	`1619`	`*`
`1620`	`1620`	`* The important features here are that (a) the seed is at least 64 bits longer`
`@@ -1924,7 +1924,7 @@ boolean_to_arithmetic:`
`1924`	`1924`	`* d = (d0 + d1) mod n`
`1925`	`1925`	`* ...where n is the curve order.`
`1926`	`1926`	`*`
`1927`		`- * This implementation follows FIPS 186-4 section B.4.1, where we`
	`1927`	`+ * This implementation follows FIPS 186-5 section A.2.2, where we`
`1928`	`1928`	`* generate d using N+64 random bits (320 bits in this case) as a seed. But`
`1929`	`1929`	`* while FIPS computes d = (seed mod (n-1)) + 1 to ensure a nonzero key, we`
`1930`	`1930`	`* instead just compute d = seed mod n. The caller MUST ensure that if this`
Original file line number	Diff line number	Diff line change
`@@ -13,10 +13,10 @@`
`13`	`13`	`*`
`14`	`14`	`* Returns t, a random value that is nonzero mod n, in shares.`
`15`	`15`	`*`
`16`		`- * This follows a modified version of the method in FIPS 186-4 sections B.4.1`
`17`		`- * and B.5.1 for generation of secret scalar values d and k. The computation`
`18`		`- * in FIPS 186-4 is:`
`19`		`- * seed = RBG(seedlen) // seedlen >= 448`
	`16`	`+ * This follows a modified version of the method in FIPS 186-5 sections A.2.2`
	`17`	`+ * and A.3.2 for generation of secret scalar values d and k. The computation`
	`18`	`+ * in FIPS 186-5 is:`
	`19`	`+ * seed = RBG(seedlen) // seedlen >= 384`
`20`	`20`	`* return (seed mod (n-1)) + 1`
`21`	`21`	`*`
`22`	`22`	`* The important features here are that (a) the seed is at least 64 bits longer`