Done in 1.11.1.
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Advanced Search
Tue, Jun 17
Done in 1.11.1.
Done in 1.11.1.
Fri, Jun 13
Reading https://openssl-library.org/files/blog/Request_to_Extend_IETF_WGLC_for_PQ_Key_Specifications.pdf ,
seed (with "S") is included in the private-key.
The commit rC23543b6c1497: Add mldsa_compute_keygrip and let private-key include "p". works well for me.
To support Dilithium, we need to extend data handling of libgcrypt.
I propose following changes:
- internal flag of PUBKEY_FLAG_BYTE_STRING to ask opaque MPI for data to be signed/verified.
- The format of data as: (data(raw)[(flags no-prefix)](value ...)[(label ...)][(random-override ...)]): message, context, and random. Optional no-prefix flag to ask specific way of signing, controlling the internal, for Known Answer Tests (siggen).
May 27 2025
May 19 2025
Problem noted in T7166
Noet that one file is missing in the released tarball; when building for RISC-V please see T7647#201164
Patch applied.
Looking the FIPS 204 document, using the following functions (API) is good:
May 17 2025
I can confirm this. Here is the build error:
make[2]: Entering directory '/home/collinfunk/libgcrypt-1.11.1/cipher' `echo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../src -I../src -I../mpi -I../mpi -I/home/collinfunk/tmp/include -g -O2 -fvisibility=hidden -fno-delete-null-pointer-checks -Wall -O2 -march=rv64imafdcv -mstrict-align -c rijndael-vp-riscv.c | sed -e 's/-fsanitize[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' -e 's/-fprofile[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' -e 's/-fcoverage[=,\-][=,a-z,A-Z,0-9,\,,\-]*//g' ` libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../src -I../src -I../mpi -I../mpi -I/home/collinfunk/tmp/include -g -O2 -fvisibility=hidden -fno-delete-null-pointer-checks -Wall -O2 -march=rv64imafdcv -mstrict-align -c rijndael-vp-riscv.c -fPIC -DPIC -o .libs/rijndael-vp-riscv.o rijndael-vp-riscv.c:58:10: fatal error: simd-common-riscv.h: No such file or directory 58 | #include "simd-common-riscv.h" | ^~~~~~~~~~~~~~~~~~~~~ compilation terminated. make[2]: *** [Makefile:1730: rijndael-vp-riscv.lo] Error 1
Patch here: https://lists.gnupg.org/pipermail/gcrypt-devel/2025-May/005854.html
May 15 2025
Also pushed to 1.11
May 13 2025
May 11 2025
It's in 1.11.1.
Included in 1.11.1.
May 9 2025
That is quite possible because we do not have a test system for RISC-V and the make release tarbegt is not abale to verify this.
May 8 2025
May 7 2025
In libgcrypt/cipher/ecc-ecdsa.c, we have:
mpi_mulm (s, k_1, sum, ec->n); /* s = k^(-1)*(hash+(d*r)) mod n */
May 5 2025
May 2 2025
Apr 30 2025
I think you are correct.
Apr 23 2025
Apr 18 2025
IIUC, it's GCC 8 which starts the support of __nonstring__ attribute.
Mar 31 2025
Pushed all changes to master.
Mar 21 2025
I applied some to master (generic improvement parts).
Mar 20 2025
I think that this may be the last update.
Don't use mpi_powm to avoid normalizing (and to be faster).
Mar 18 2025
Here is another update (replacing ecc-no-normalize-2025-03-13.patch).
Further, ec_addm is modified to be less leaky.
Mar 17 2025
There are three (or more) remaining things:
(1) ec_addm can be improved by adding U and V with mpih_add_lli , subtracting P with mpih_sub_n, and adding back P with mpih_add_n_cond
(2) Places with mpi_const for the argument when calling ec_mulm, ec_add or ec_subm should be fixed (it may modify the const MPI)
(3) make sure mpi_resize within ec_addm, ec_mulm, or ec_subm if needed
Mar 13 2025
Here is update (replacing ecc-no-normalize-2025-03-07.patch).
ec_subm and ec_mulm are modified to be less leaky.
Mar 7 2025
I think that major signal sources for K have been killed so far.
Mar 6 2025
We should only enable least leak implementation for 64-bit, as it's not as fast on 32-bit architecture.
We should only enable least leak implementation for 64-bit, as it's not as fast on 32-bit architecture.
Feb 25 2025
One more change for _gcry_dsa_gen_k in rC54caef02afa9: cipher:(EC)DSA: Simply use mpi_clear_highbit in _gcry_dsa_gen_k.
One more change for mpi_invm in rCc1da86e45a6e: mpi: Avoid normalizing MPI in _gcry_mpi_invm.
Feb 19 2025
All changes are pushed to master.
Pushed the changes by the commit rC2039d93289db: mpi: Add MPI helper modular exponentiation, Least Leak Intended.
Feb 14 2025
Use of mpi_cmp is now being fixed, by providing _gcry_mpih_cmp_lli function.
Along with that, we need to fix use of mpi_cmp_ui, since it's skips earlier depending its limbs.
diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c index 170dce12..e010e182 100644 --- a/cipher/dsa-common.c +++ b/cipher/dsa-common.c @@ -25,6 +25,7 @@
Feb 10 2025
And then, we need to use less leaky version of mpi_cmp (because mpi_cmp calls mpi_normalize, it's not good).
And this is for less leak for _gcry_dsa_modify_k:
This is needed before we remove leaks by mpi_add in _gcry_dsa_modify_k :
Commit rC35a6a6feb9dc: Fix _gcry_dsa_modify_k. is related, but it doesn't matter for usual compilers (it's an issue for MSVC).
Feb 7 2025
This is needed for RFC6979 flag support.
Jan 31 2025
The commit rC58c11aa8 is the improved version by k-ary exponentiation (while rC6dffd105e2e2 is 1-bit at a time) and using heap.
Jan 25 2025
I created https://dev.gnupg.org/source/libgcrypt/history/gniibe%252Ft7490/
The commit rC6dffd105e2e2 works for me.
It is a bit of exponent at time Montgomery exponentiation.
I don't put an optimization for the reduction as I don't know if it's OK for patent-wise (looks like expired, though).
Jan 22 2025
Jan 21 2025
Jan 17 2025
Re-open, so that I can pursue constant-time modular exponentiation.
Jan 15 2025
Dec 12 2024
Here are changes for gcry_md_open and its friends.
My idea in https://dev.gnupg.org/T7338#195529 doesn't work well when a function call is done multiple times.
Assuming SUCCESS, and marking all non-compliant places in the code works, and it would be good because libgcrypt so far maintains non-compliant path with rejection.
Dec 9 2024
Pushed the change for adding hash tests in rC7faf542f1573: fips,tests: Add t-digest.
Dec 6 2024
It seems that the internal API (as of 2024-12-06) is not enough.
Now, we have _gcry_md_hash_buffer function with the new FIPS service indicator.
It's used for public key crypto, too.
The compliance for hash function is a part of public key crypto, but not all.
A change for gcry_md_hash_* functions are pushed by rC3478caac62c7: fips,md: Implement new FIPS service indicator for gcry_md_hash_*..
It doesn't have tests with FIPS service indicator yet.
Dec 5 2024
New external API is by GCRYCTL_FIPS_SERVICE_INDICATOR and/or the new macro gcry_get_fips_service_indicator.
This change is pushed by rCf51f4e98930e: fips: Introduce GCRYCTL_FIPS_SERVICE_INDICATOR and the macro.
New internal API is introduced with T7340 by the commit rCe1cf31232825: fips: Introduce an internal API for FIPS service indicator.
Change is pushed by rCe1cf31232825: fips: Introduce an internal API for FIPS service indicator.
Dec 4 2024
Nov 14 2024
Nov 4 2024
Oct 24 2024
I created a branch: https://dev.gnupg.org/source/libgcrypt/history/gniibe%252Ft7340/
Oct 16 2024
Autoconf archive has AX_TLS: https://www.gnu.org/software/autoconf-archive/ax_tls.html
Also, AX_GCC_VAR_ATTRIBUTE(tls_model) could be used: https://www.gnu.org/software/autoconf-archive/ax_gcc_var_attribute.html