[sw,cryptolib] Update ECC random scalar gen function header

h-filali · h-filali · commit 2817b23e0712 · 2025-10-30T18:13:00.000+01:00
This commit updates the ECC random secret scalar generation
function header.

I checked the implementation for FIPS 186-5 compliance and
updated the header comment accordingly.

Signed-off-by: Hakim Filali &lt;hfilali@lowrisc.org&gt;
diff --git a/sw/otbn/crypto/p256_base.s b/sw/otbn/crypto/p256_base.s
@@ -1618,10 +1618,10 @@ p256_base_mult:
  *
  * Returns t, a random value that is nonzero mod n, in shares.
  *
- * This follows a modified version of the method in FIPS 186-4 sections B.4.1
- * and B.5.1 for generation of secret scalar values d and k. The computation
- * in FIPS 186-4 is:
- *   seed = RBG(seedlen) // seedlen >= 320
+ * This follows a modified version of the method in FIPS 186-5 sections A.2.2
+ * and A.3.2 for generation of secret scalar values d and k. The computation
+ * in FIPS 186-5 is:
+ *   seed = RBG(seedlen) // seedlen >= 256
  *   return (seed mod (n-1)) + 1
  *
  * The important features here are that (a) the seed is at least 64 bits longer
diff --git a/sw/otbn/crypto/p384_keygen.s b/sw/otbn/crypto/p384_keygen.s
@@ -13,10 +13,10 @@
  *
  * Returns t, a random value that is nonzero mod n, in shares.
  *
- * This follows a modified version of the method in FIPS 186-4 sections B.4.1
- * and B.5.1 for generation of secret scalar values d and k. The computation
- * in FIPS 186-4 is:
- *   seed = RBG(seedlen) // seedlen >= 448
+ * This follows a modified version of the method in FIPS 186-5 sections A.2.2
+ * and A.3.2 for generation of secret scalar values d and k. The computation
+ * in FIPS 186-5 is:
+ *   seed = RBG(seedlen) // seedlen >= 384
  *   return (seed mod (n-1)) + 1
  *
  * The important features here are that (a) the seed is at least 64 bits longer

Original file line number	Diff line number	Diff line change
`@@ -1618,10 +1618,10 @@ p256_base_mult:`
`1618`	`1618`	`*`
`1619`	`1619`	`* Returns t, a random value that is nonzero mod n, in shares.`
`1620`	`1620`	`*`
`1621`		`- * This follows a modified version of the method in FIPS 186-4 sections B.4.1`
`1622`		`- * and B.5.1 for generation of secret scalar values d and k. The computation`
`1623`		`- * in FIPS 186-4 is:`
`1624`		`- * seed = RBG(seedlen) // seedlen >= 320`
	`1621`	`+ * This follows a modified version of the method in FIPS 186-5 sections A.2.2`
	`1622`	`+ * and A.3.2 for generation of secret scalar values d and k. The computation`
	`1623`	`+ * in FIPS 186-5 is:`
	`1624`	`+ * seed = RBG(seedlen) // seedlen >= 256`
`1625`	`1625`	`* return (seed mod (n-1)) + 1`
`1626`	`1626`	`*`
`1627`	`1627`	`* The important features here are that (a) the seed is at least 64 bits longer`
Original file line number	Diff line number	Diff line change
`@@ -13,10 +13,10 @@`
`13`	`13`	`*`
`14`	`14`	`* Returns t, a random value that is nonzero mod n, in shares.`
`15`	`15`	`*`
`16`		`- * This follows a modified version of the method in FIPS 186-4 sections B.4.1`
`17`		`- * and B.5.1 for generation of secret scalar values d and k. The computation`
`18`		`- * in FIPS 186-4 is:`
`19`		`- * seed = RBG(seedlen) // seedlen >= 448`
	`16`	`+ * This follows a modified version of the method in FIPS 186-5 sections A.2.2`
	`17`	`+ * and A.3.2 for generation of secret scalar values d and k. The computation`
	`18`	`+ * in FIPS 186-5 is:`
	`19`	`+ * seed = RBG(seedlen) // seedlen >= 384`
`20`	`20`	`* return (seed mod (n-1)) + 1`
`21`	`21`	`*`
`22`	`22`	`* The important features here are that (a) the seed is at least 64 bits longer`