[sw/crypto] Update comments and code for P-256 and P-384 keygen/scalargen to comply with the latest FIPS 186-5 specification

[wettermo]

Description

This issue is a reminder to update comments and code for P-256 and P-384 keygen/scalargen to comply with the latest FIPS 186-5 specification, as objected by @jadephilipoom in #19419 .

The current implementation follows the specifications in FIPS 186-4. The newer FIPS 186-5 specifies basically the same algorithm, with the major difference for P-384 being that the minimum size of seed is now only 384 bits, not 448. Essentially, the curve order for P-384 is so close to 2^384 that the probability of a random 384-bit number being larger than the modulus is less than 2^(-192), and is therefore not a problem for P-384's security.

P-256 needs to be updated as well, since it was written before FIPS 186-5 came out.

• Update P-384 to FIPS 186-5
• Update P-256 to FIPS 186-5

[jadephilipoom]

I'll also add:

• Update RSA to FIPS 186-5

since it's covered by the same doc. The current code for RSA is a bit of a mix. 186-5 had already come out when I wrote keygen, and there aren't any algorithmic changes we need for RSA, but there's at least one reference to a section heading from 186-4 that we should update, and we should also do a close-read to check for anything we might want to change e.g. if the spec got more flexible.

[johannheyszl]

Is the NIST spec 186-5 inconsistent on the P-384 case?

• For the key gen, in A.2.1. it allows to use 384b random values,
• for the per signature secret, it still specifies to use a random number that is '64b longer'.

[johannheyszl]

This is already reflected in the implementation:

• key gen from 384b seed
• random scalar from >448b seed

To me it seems the P-256 and P-384 ECDSA code already complies to 186-5, but some comments could be updated to reference the newer 186-5 instead of 186-4

[jadephilipoom]

To me it seems the P-256 and P-384 ECDSA code already complies to 186-5, but some comments could be updated to reference the newer 186-5 instead of 186-4

Yep, I think this is accurate. The code is compliant, the comments are outdated.

[johannheyszl]

Putting in P3 since it is just re comments

[johannheyszl]

Note we will still keep P-384 keys as (two shares) of 448b for easy blinding (with large multiples of the curve order n), e.g. #27648

cc @h-filali

[johannheyszl]

is closed by #28612