[otbn] add more ECC tests
Adds tests for:
- P-256 base point multiplication
- P-384 base point multiplication
- P-384 curve point test
Signed-off-by: Felix Miller <felix.miller@gi-de.com>
diff --git a/sw/otbn/code-snippets/p256_base_mult_test.s b/sw/otbn/code-snippets/p256_base_mult_test.s
new file mode 100644
index 0000000..3d97012
--- /dev/null
+++ b/sw/otbn/code-snippets/p256_base_mult_test.s
@@ -0,0 +1,89 @@
+/* Copyright lowRISC contributors. */
+/* Licensed under the Apache License, Version 2.0, see LICENSE for details. */
+/* SPDX-License-Identifier: Apache-2.0 */
+/*
+ * Standalone test for P-256 scalar multiplication with base point.
+ *
+ * Performs multiplication of the base point of P-256 by a scalar. This
+ * resembles computing the public key for a given private key. The scalar
+ * (private key) is contained in the .data section below.
+ *
+ * See comment at the end of the file for expected values of coordinates
+ * of resulting point.
+ */
+
+.text
+
+p256_base_mult_test:
+
+ /* set dmem pointer to point to scalar (private key) d */
+ la x2, scalar
+ la x3, dptr_d
+ sw x2, 0(x3)
+
+ /* set dmem pointer to point to blinding parameter */
+ la x2, blinding_param
+ la x3, dptr_rnd
+ sw x2, 0(x3)
+
+ /* set dmem pointer to point to x-coordinate */
+ la x2, p1_x
+ la x3, dptr_x
+ sw x2, 0(x3)
+
+ /* set dmem pointer to point to y-coordinate */
+ la x2, p1_y
+ la x3, dptr_y
+ sw x2, 0(x3)
+
+ /* call base point multiplication routine in P-256 lib */
+ jal x1, p256_base_mult
+
+ /* load result to WDRs for comparison with reference */
+ li x2, 0
+ la x3, p1_x
+ bn.lid x2++, 0(x3)
+ la x3, p1_y
+ bn.lid x2, 0(x3)
+
+ ecall
+
+
+.data
+
+/* scalar d */
+scalar:
+ .word 0xc7df1a56
+ .word 0xfbd94efe
+ .word 0xaa847f52
+ .word 0x2d869bf4
+ .word 0x543b963b
+ .word 0xe5f2cbee
+ .word 0x9144233d
+ .word 0xc0fbe256
+
+ /* blinding parameter rnd */
+ blinding_param:
+ .word 0x7ab203c3
+ .word 0xd6ee4951
+ .word 0xd5b89b43
+ .word 0x409d2b56
+ .word 0x8e9d2186
+ .word 0x1de0f8ec
+ .word 0x0fa0bf9a
+ .word 0xa21c2147
+
+/* result buffer x-coordinate */
+p1_x:
+ .zero 32
+
+/* result buffer y-coordinate */
+p1_y:
+ .zero 32
+
+/* Expected values in wide register file (x- and y-coordinates of result):
+ w0 is affine x-coordinate of resulting point,
+ w1 is affine y-coordinate of resulting point.
+ w0 = 0xb5511a6afacdc5461628ce58db6c8bf36ec0c0b2f36b06899773b7b3bfa8c334
+ w1 = 0x42a1c6971f31c14343dd09eab53a17fa7f7a11d0ab9c6924a87070589e008c2e
+*/
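Review bot: The buffers read back with `bn.lid` (`p1_x`, `p1_y`) have no explicit alignment; they fall on 32-byte boundaries only because `scalar` and `blinding_param` are each exactly 32 bytes and the section start is presumably aligned. OTBN wide loads need a 32-byte-aligned address, so a `.balign 32` before each wide-word label would keep the test from faulting when the data layout changes. The same applies to the data sections of p384_base_mult_test.s and p384_isoncurve_test.s. Minor style: the `blinding_param:` label and its comment are indented unlike the other labels, and this file uses `.text`/`.data` where the P-384 tests use `.section .text`.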
diff --git a/sw/otbn/code-snippets/p256_proj_add_test.s b/sw/otbn/code-snippets/p256_proj_add_test.s
index 65dbead..5c3b07e 100644
--- a/sw/otbn/code-snippets/p256_proj_add_test.s
+++ b/sw/otbn/code-snippets/p256_proj_add_test.s
@@ -1,14 +1,15 @@
/* Copyright lowRISC contributors. */
/* Licensed under the Apache License, Version 2.0, see LICENSE for details. */
/* SPDX-License-Identifier: Apache-2.0 */
-/*
- * Standalone test for P-256 point addition in projective space
+
+/**
+ * Standalone test for P-256 point addition in projective space
*
- * Performs addition of two valid P-256 points in projective space.
- * Constant coordinates for the two points contained in the .data section.
+ * Performs addition of two valid P-256 points in projective space.
+ * Constant coordinates for the two points contained in the .data section.
*
- * See comment at the end of the file for expected values of coordinates
- * of resulting point.
+ * See comment at the end of the file for expected values of coordinates
+ * of resulting point.
*/
.section .text
diff --git a/sw/otbn/code-snippets/p384_base_mult_test.s b/sw/otbn/code-snippets/p384_base_mult_test.s
new file mode 100644
index 0000000..887f76c
--- /dev/null
+++ b/sw/otbn/code-snippets/p384_base_mult_test.s
@@ -0,0 +1,103 @@
+/* Copyright lowRISC contributors. */
+/* Licensed under the Apache License, Version 2.0, see LICENSE for details. */
+/* SPDX-License-Identifier: Apache-2.0 */
+/*
+ * Standalone test for P-384 scalar multiplication with base point.
+ *
+ * Performs multiplication of the base point of P-384 by a scalar. This
+ * resembles computing the public key for a given private key. The scalar
+ * (private key) is contained in the .data section below.
+ *
+ * See comment at the end of the file for expected values of coordinates
+ * of resulting point.
+ */
+
+.section .text
+
+p384_base_mult_test:
+
+ /* set dmem pointer to point to scalar (private key) d */
+ la x2, scalar
+ la x3, dptr_d
+ sw x2, 0(x3)
+
+ /* set dmem pointer to point to blinding parameter */
+ la x2, blinding_param
+ la x3, dptr_rnd
+ sw x2, 0(x3)
+
+ /* set dmem pointer to point to x-coordinate */
+ la x2, p1_x
+ la x3, dptr_x
+ sw x2, 0(x3)
+
+ /* set dmem pointer to point to y-coordinate */
+ la x2, p1_y
+ la x3, dptr_y
+ sw x2, 0(x3)
+
+ /* call base point multiplication routine in P-384 lib */
+ jal x1, p384_base_mult
+
+ /* load result to WDRs for comparison with reference */
+ li x2, 0
+ la x3, p1_x
+ bn.lid x2++, 0(x3)
+ bn.lid x2++, 32(x3)
+ la x3, p1_y
+ bn.lid x2++, 0(x3)
+ bn.lid x2, 32(x3)
+
+ ecall
+
+
+.section .data
+
+/* scalar d */
+scalar:
+ .word 0xe8791ba3
+ .word 0xf549e1f7
+ .word 0x893be358
+ .word 0x100794fe
+ .word 0xbc9db95d
+ .word 0xfd7ed624
+ .word 0xc60ebab6
+ .word 0x97ba9586
+ .word 0xa026b431
+ .word 0x37112316
+ .word 0x8b26eef1
+ .word 0xc1a0cf66
+ .zero 16
+
+ /* blinding parameter rnd */
+ blinding_param:
+ .word 0xa82c85b0
+ .word 0x163ce1c8
+ .word 0x32518fd7
+ .word 0xf8a428cd
+ .word 0xf5b9d867
+ .word 0x00906f5f
+ .word 0x7387b4f2
+ .word 0xa2d3da7a
+ .word 0xebe0a647
+ .word 0xfb2ef7ca
+ .word 0x74249432
+ .word 0x230e5ff6
+ .zero 16
+
+/* result buffer x-coordinate */
+p1_x:
+ .zero 64
+
+/* result buffer y-coordinate */
+p1_y:
+ .zero 64
+
+/* Expected values in wide register file (x- and y-coordinates of result):
+ [w1, w0] is affine x-coordinate of resulting point,
+ [w3, w2] is affine y-coordinate of resulting point.
+ w0 = 0x394d8b7047e806616c30f2d8ee0e2beb5869de54b1cac6097b8294604877f3d1
+ w1 = 0x00000000000000000000000000000000ca230836b439d7011a9ea916cf60d89e
+ w2 = 0x82b63bf3928c3e92cea028a9ec18818cc7e55880bf3aff6ec31ef079c181f90f
+ w3 = 0x00000000000000000000000000000000aaafcad203afe2c268eef2d1d65e905d
+*/
diff --git a/sw/otbn/code-snippets/p384_ecdsa_sign_test.s b/sw/otbn/code-snippets/p384_ecdsa_sign_test.s
index 672c994..6b1afed 100644
--- a/sw/otbn/code-snippets/p384_ecdsa_sign_test.s
+++ b/sw/otbn/code-snippets/p384_ecdsa_sign_test.s
@@ -1,13 +1,14 @@
/* Copyright lowRISC contributors. */
/* Licensed under the Apache License, Version 2.0, see LICENSE for details. */
/* SPDX-License-Identifier: Apache-2.0 */
-/*
- * Standalone test for P-384 ECDSA signature generation
+
+/**
+ * Standalone test for P-384 ECDSA signature generation
*
- * Computes P-384 ECDSA signature for message, nonce and private key
- * contained in the .data section.
+ * Computes P-384 ECDSA signature for message, nonce and private key
+ * contained in the .data section.
*
- * See comment at the end of the file for expected values of signature.
+ * See comment at the end of the file for expected values of signature.
*/
.section .text
diff --git a/sw/otbn/code-snippets/p384_ecdsa_verify_test.s b/sw/otbn/code-snippets/p384_ecdsa_verify_test.s
index 1b34756..62155fe 100644
--- a/sw/otbn/code-snippets/p384_ecdsa_verify_test.s
+++ b/sw/otbn/code-snippets/p384_ecdsa_verify_test.s
@@ -1,13 +1,14 @@
/* Copyright lowRISC contributors. */
/* Licensed under the Apache License, Version 2.0, see LICENSE for details. */
/* SPDX-License-Identifier: Apache-2.0 */
-/*
- * Standalone test for P-384 ECDSA signature verification
+
+/**
+ * Standalone test for P-384 ECDSA signature verification
*
- * Runs the P-384 ECDSA signature verification algorithm for message, nonce
- * and private key contained in the .data section below.
+ * Runs the P-384 ECDSA signature verification algorithm for message, nonce
+ * and private key contained in the .data section below.
*
- * See comment at the end of the file for expected values of result.
+ * See comment at the end of the file for expected values of result.
*/
.section .text
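Review bot: The header comment re-indented here still describes the inputs as "message, nonce and private key", which reads like a copy from the sign test. Signature verification normally consumes the message, the signature (r, s) and the public key, and needs neither nonce nor private key. If the .data section (outside this hunk) holds those, the sentence should read `Runs the P-384 ECDSA signature verification algorithm for message, signature and public key contained in the .data section below.`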
diff --git a/sw/otbn/code-snippets/p384_isoncurve_test.s b/sw/otbn/code-snippets/p384_isoncurve_test.s
new file mode 100644
index 0000000..4e738a9
--- /dev/null
+++ b/sw/otbn/code-snippets/p384_isoncurve_test.s
@@ -0,0 +1,98 @@
+/* Copyright lowRISC contributors. */
+/* Licensed under the Apache License, Version 2.0, see LICENSE for details. */
+/* SPDX-License-Identifier: Apache-2.0 */
+
+/**
+ * Standalone test for P-384 curve point test
+ *
+ * Runs the P-384 curve point test to check whether a point (given in affine
+ * space) is a valid P-384 curve point.
+ * See comment at the end of the file for expected values of result.
+ */
+
+.section .text
+
+p384_oncurve_test:
+
+ /* set dmem to result */
+ la x2, res_r
+ la x3, dptr_r
+ sw x2, 0(x3)
+ la x2, res_l
+ la x3, dptr_s
+ sw x2, 0(x3)
+
+ /* set dmem pointer to point to cuve point */
+ la x2, point_x
+ la x3, dptr_x
+ sw x2, 0(x3)
+ la x2, point_y
+ la x3, dptr_y
+ sw x2, 0(x3)
+
+ /* call curve point test routine in P-384 lib */
+ jal x1, p384_isoncurve
+
+ /* load result to WDRs for comparison with reference */
+ li x2, 0
+ la x3, res_r
+ bn.lid x2++, 0(x3)
+ bn.lid x2++, 32(x3)
+ la x3, res_l
+ bn.lid x2++, 0(x3)
+ bn.lid x2++, 32(x3)
+
+ ecall
+
+
+.data
+
+/* buffer for right side result of Weierstrass equation */
+res_r:
+ .zero 64
+
+/* buffer for left side result of Weierstrass equation */
+res_l:
+ .zero 64
+
+/* point affine x-coordinate */
+point_x:
+ .word 0x4877f3d1
+ .word 0x7b829460
+ .word 0xb1cac609
+ .word 0x5869de54
+ .word 0xee0e2beb
+ .word 0x6c30f2d8
+ .word 0x47e80661
+ .word 0x394d8b70
+ .word 0xcf60d89e
+ .word 0x1a9ea916
+ .word 0xb439d701
+ .word 0xca230836
+ .zero 16
+
+/* point affine y-coordinate */
+point_y:
+ .word 0xc181f90f
+ .word 0xc31ef079
+ .word 0xbf3aff6e
+ .word 0xc7e55880
+ .word 0xec18818c
+ .word 0xcea028a9
+ .word 0x928c3e92
+ .word 0x82b63bf3
+ .word 0xd65e905d
+ .word 0x68eef2d1
+ .word 0x03afe2c2
+ .word 0xaaafcad2
+ .zero 16
+
+/* Expected values in wide register file:
+ [w1, w0] is right side result of Weierstrass equation,
+ [w3, w2] is right side result of Weierstrass equation.
+ Point is on curve if [w3,w2] == [w1,w0].
+ w0 = 0xfb192142f51950228765c0f69371a6a63aaff417aacdf679abcbea36b6c505b8
+ w1 = 0x000000000000000000000000000000008075470ebf2179fe3a1f1fdf4b445503
+ w2 = 0xfb192142f51950228765c0f69371a6a63aaff417aacdf679abcbea36b6c505b8
+ w3 = 0x000000000000000000000000000000008075470ebf2179fe3a1f1fdf4b445503
+*/
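Review bot: The expected-values comment labels both `[w1, w0]` and `[w3, w2]` as the right side result, while the code loads `res_l` into w2/w3; the second line should read `[w3, w2] is left side result of Weierstrass equation.` The entry label `p384_oncurve_test` also differs from the file name, and the comment `cuve point` has a typo. The test only exercises a valid point (the coordinates match the expected output of p384_base_mult_test.s), so it cannot show that the routine produces differing sides for an invalid input. Adding a second case with one coordinate word altered, and documenting that `[w3,w2] != [w1,w0]` is expected there, would cover the rejection path that callers validating untrusted points depend on.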
diff --git a/sw/otbn/code-snippets/p384_scalar_mult_test.s b/sw/otbn/code-snippets/p384_scalar_mult_test.s
index d1cfbfa..da2416e 100644
--- a/sw/otbn/code-snippets/p384_scalar_mult_test.s
+++ b/sw/otbn/code-snippets/p384_scalar_mult_test.s
@@ -1,15 +1,16 @@
/* Copyright lowRISC contributors. */
/* Licensed under the Apache License, Version 2.0, see LICENSE for details. */
/* SPDX-License-Identifier: Apache-2.0 */
-/*
- * Standalone test for P-384 scalar multiplication
+
+/**
+ * Standalone test for P-384 scalar multiplication
*
- * Performs multiplication of a P-384 curve point by a scalar. Both, the
- * scalar and the affine coordinates of the point are contained in the
- * .data section below.
+ * Performs multiplication of a P-384 curve point by a scalar. Both, the
+ * scalar and the affine coordinates of the point are contained in the
+ * .data section below.
*
- * See comment at the end of the file for expected values of coordinates
- * of resulting point.
+ * See comment at the end of the file for expected values of coordinates
+ * of resulting point.
*/
.section .text
@@ -36,8 +37,18 @@
la x3, dptr_rnd
sw x2, 0(x3)
+ /* call scalar point multiplication routine in P-384 lib */
jal x1, scalar_mult_p384
+ /* load result to WDRs for comparison with reference */
+ li x2, 0
+ la x3, p1_x
+ bn.lid x2++, 0(x3)
+ bn.lid x2++, 32(x3)
+ la x3, p1_y
+ bn.lid x2++, 0(x3)
+ bn.lid x2, 32(x3)
+
ecall
@@ -109,10 +120,10 @@
/* Expected values in wide register file (x- and y-coordinates of result):
- [w26, w25] is affine x-coordinate of resulting point,
- [w28, w27] is affine y-coordinate of resulting point.
- w25 = 0x6c5d59dbafa8ecbaf0b2d3c1e818325403634e3b86956e6ead6739217b702c4a
- w26 = 0x00000000000000000000000000000000d177aa22a7c535a28cae00d420c4cd27
- w27 = 0x607c6c698fc5c15cbfadf94e322fa2fa5ff6cf915fe9ad62f538701f1add78ec
- w28 = 0x000000000000000000000000000000009e18fa893348fb1d44f40dbedcb5e36c
+ [w1, w0] is affine x-coordinate of resulting point,
+ [w3, w2] is affine y-coordinate of resulting point.
+ w0 = 0x6c5d59dbafa8ecbaf0b2d3c1e818325403634e3b86956e6ead6739217b702c4a
+ w1 = 0x00000000000000000000000000000000d177aa22a7c535a28cae00d420c4cd27
+ w2 = 0x607c6c698fc5c15cbfadf94e322fa2fa5ff6cf915fe9ad62f538701f1add78ec
+ w3 = 0x000000000000000000000000000000009e18fa893348fb1d44f40dbedcb5e36c
*/
diff --git a/sw/otbn/code-snippets/p384_sign.s b/sw/otbn/code-snippets/p384_sign.s
index 769c91c..39ab7ae 100644
--- a/sw/otbn/code-snippets/p384_sign.s
+++ b/sw/otbn/code-snippets/p384_sign.s
@@ -714,6 +714,13 @@
jal x1, scalar_mult_int_p384
+ /* store result in dmem */
+ li x2, 25
+ bn.sid x2++, 0(x20)
+ bn.sid x2++, 32(x20)
+ bn.sid x2++, 0(x21)
+ bn.sid x2++, 32(x21)
+
ret
/**
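Review bot: The store sequence added after `jal x1, scalar_mult_int_p384` depends on two things this hunk does not show: that x20 and x21 already hold the result-buffer addresses at this point, and that w25–w28 are the output registers of scalar_mult_int_p384 (the bare `li x2, 25`). A comment such as `/* store affine result: [w26,w25] = x -> dmem[x20], [w28,w27] = y -> dmem[x21] */` would make that explicit; the register assignment matches the old expected-values comment removed from p384_scalar_mult_test.s. The identical four-store sequence is repeated in the hunk at -792, and the post-increment on the last `bn.sid` is unused in both. The function body starts outside the hunk.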
@@ -730,6 +737,8 @@
*
* @param[in] dmem[0]: dptr_d, pointer to location in dmem containing
* scalar d.
+ * @param[in] dmem[20]: dptr_x, pointer to result buffer for x-coordinate
+ * @param[in] dmem[24]: dptr_y, pointer to result buffer for y-coordinate
* @param[in] dmem[28]: dptr_rnd, pointer to location in dmem containing
* random number for blinding.
*
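Review bot: The new `@param` lines for dptr_x and dptr_y do not state how large the result buffers must be. The stores added to this routine write at offsets 0 and 32 through each pointer, i.e. 64 bytes per coordinate, and nothing checks the destination, so an undersized buffer would be overwritten past its end. Suggest wording like `dptr_x, pointer to 64-byte, 32-byte aligned result buffer for x-coordinate` (likewise for y). If the header has a clobbered-registers list outside this hunk, x2, x20 and x21 belong in it.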
@@ -792,6 +801,21 @@
jal x1, scalar_mult_int_p384
+ /* set dmem pointer to point x-coordinate */
+ la x20, dptr_x
+ lw x20, 0(x20)
+
+ /* set dmem pointer to point y-coordinate */
+ la x21, dptr_y
+ lw x21, 0(x21)
+
+ /* store result in dmem */
+ li x2, 25
+ bn.sid x2++, 0(x20)
+ bn.sid x2++, 32(x20)
+ bn.sid x2++, 0(x21)
+ bn.sid x2++, 32(x21)
+
ret
diff --git a/sw/otbn/code-snippets/rules.mk b/sw/otbn/code-snippets/rules.mk
index 3051204..912c3b1 100644
--- a/sw/otbn/code-snippets/rules.mk
+++ b/sw/otbn/code-snippets/rules.mk
@@ -107,31 +107,37 @@
$(otbn-code-snippets-bin-dir)/rsa_verify_test_exp3.elf: \
otbn-libs += $(otbn-code-snippets-obj-dir)/rsa_verify.o
-# p256 curve point test depends on p256init, p256isoncurve, defined in p256.s
-$(otbn-code-snippets-bin-dir)/p256_curve_point_test.elf: \
+# p256 curve point test depends on p256isoncurve defined in p256.s
+$(otbn-code-snippets-bin-dir)/p256_isoncurve_test.elf: \
$(otbn-code-snippets-obj-dir)/p256.o
-$(otbn-code-snippets-bin-dir)/p256_curve_point_test.elf: \
+$(otbn-code-snippets-bin-dir)/p256_isoncurve_test.elf: \
otbn-libs += $(otbn-code-snippets-obj-dir)/p256.o
-# p256 scalar mult test depends on p256init, p256scalarmult, defined in p256.s
+# p256 scalar mult test depends on p256_scalar_mult defined in p256.s
$(otbn-code-snippets-bin-dir)/p256_scalar_mult_test.elf: \
$(otbn-code-snippets-obj-dir)/p256.o
$(otbn-code-snippets-bin-dir)/p256_scalar_mult_test.elf: \
otbn-libs += $(otbn-code-snippets-obj-dir)/p256.o
-# p256 ECDSA sign test depends on p256init, p256sign, defined in p256.s
+# p256 base mult test depends on p256_base_mult defined in p256.s
+$(otbn-code-snippets-bin-dir)/p256_base_mult_test.elf: \
+ $(otbn-code-snippets-obj-dir)/p256.o
+$(otbn-code-snippets-bin-dir)/p256_base_mult_test.elf: \
+ otbn-libs += $(otbn-code-snippets-obj-dir)/p256.o
+
+# p256 ECDSA sign test depends on p256_sign defined in p256.s
$(otbn-code-snippets-bin-dir)/p256_ecdsa_sign_test.elf: \
$(otbn-code-snippets-obj-dir)/p256.o
$(otbn-code-snippets-bin-dir)/p256_ecdsa_sign_test.elf: \
otbn-libs += $(otbn-code-snippets-obj-dir)/p256.o
-# p256 ECDSA verify test depends on p256init, p256verify, defined in p256.s
+# p256 ECDSA verify test depends on p256_verify defined in p256.s
$(otbn-code-snippets-bin-dir)/p256_ecdsa_verify_test.elf: \
$(otbn-code-snippets-obj-dir)/p256.o
$(otbn-code-snippets-bin-dir)/p256_ecdsa_verify_test.elf: \
otbn-libs += $(otbn-code-snippets-obj-dir)/p256.o
-# p256_ecdsa depends on p256init, p256verify, p256sign, defined in p256.s
+# p256_ecdsa depends on p256_verify, p256_sign, defined in p256.s
$(otbn-code-snippets-bin-dir)/p256_ecdsa.elf: \
$(otbn-code-snippets-obj-dir)/p256.o
$(otbn-code-snippets-bin-dir)/p256_ecdsa.elf: \