[crypto/tests] Use randomness in ecdsa functests

siemen11 · nasahlpa · commit 297f7c14bcf5 · 2026-04-28T11:58:52.000+02:00
Use the hardened_memshred and hardened_sub_mod functions in order to
provide the p256 and p384 ecdsa functions with fresh randomness in order
to help the user give an example and test with randomness.

Signed-off-by: Siemen Dhooghe &lt;sdhooghe@google.com&gt;
diff --git a/sw/device/lib/base/hardened_memory.h b/sw/device/lib/base/hardened_memory.h
@@ -227,6 +227,10 @@ status_t hardened_sub(const uint32_t *OT_RESTRICT x,
  * guaranteed. The function is hardened against fault injections and is
  * constant time in the value being reduced.
  *
+ * In order to have this function constant time, it conditionally adds n only
+ * once.
+ * This function mimics OTBN's subm.
+ *
  * @param x Pointer to the first operand.
  * @param y Pointer to the second operand.
  * @param n Pointer to the multi-word modulus.
@@ -249,6 +253,10 @@ status_t hardened_sub_mod(const uint32_t *OT_RESTRICT x,
  * guaranteed. The function is hardened against fault injections and is
  * constant time in the value being reduced.
  *
+ * In order to have this function constant time, it conditionally subtracts n
+ * only once.
+ * This function mimics OTBN's addm.
+ *
  * @param x Pointer to the first operand.
  * @param y Pointer to the second operand.
  * @param n Pointer to the multi-word modulus.
diff --git a/sw/device/tests/crypto/BUILD b/sw/device/tests/crypto/BUILD
@@ -594,6 +594,7 @@ opentitan_test(
         timeout = "long",
     ),
     deps = [
+        "//sw/device/lib/base:hardened_memory",
         "//sw/device/lib/crypto/drivers:otbn",
         "//sw/device/lib/crypto/impl:config",
         "//sw/device/lib/crypto/impl:ecc_p256",
@@ -617,6 +618,7 @@ opentitan_test(
         tags = ["manual"],
     ),
     deps = [
+        "//sw/device/lib/base:hardened_memory",
         "//sw/device/lib/crypto/drivers:otbn",
         "//sw/device/lib/crypto/impl:config",
         "//sw/device/lib/crypto/impl:ecc_p384",
diff --git a/sw/device/tests/crypto/ecdsa_p256_functest.c b/sw/device/tests/crypto/ecdsa_p256_functest.c
@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 
+#include "sw/device/lib/base/hardened_memory.h"
 #include "sw/device/lib/crypto/drivers/otbn.h"
 #include "sw/device/lib/crypto/impl/keyblob.h"
 #include "sw/device/lib/crypto/include/config.h"
@@ -124,29 +125,71 @@ static status_t sign_then_verify_test(void) {
   return OK_STATUS();
 }
 
+/**
+ * A test where a known input is signed and is compared to the expected output.
+ * In addition, it draws randomness to share the known input using
+ * hardened_memshred. The input is shared using the hardened_sub_mod function
+ * using the P-256 curve order n.
+ */
 static status_t sign_kat(void) {
   uint32_t keyblob_len = 2 * kP256SecretScalarWords;
 
+  // P-256 curve order n, padded to 320 bits (10 words) for our math operations.
+  static const uint32_t kP256Order[kP256SecretScalarWords] = {
+      0xFC632551, 0xF3B9CAC2, 0xA7179E84, 0xBCE6FAAD, 0xFFFFFFFF,
+      0xFFFFFFFF, 0x00000000, 0xFFFFFFFF, 0x00000000, 0x00000000};
+
+  uint32_t unmasked_val[kP256SecretScalarWords];
+  uint32_t share1_rand[kP256SecretScalarWords];
+  uint32_t share0[kP256SecretScalarWords];
+  uint32_t share1[kP256SecretScalarWords];
+
+  memset(unmasked_val, 0, kP256SecretScalarBytes);
+  memcpy(unmasked_val, kKATSecretScalar, kP256TestVectorScalarInpBytes);
+
+  // Generate a random value and reduce it modulo n to get a valid share1
+  TRY(hardened_memshred(share1_rand, kP256SecretScalarWords));
+  TRY(hardened_mod_reduce(share1_rand, kP256Order, kP256SecretScalarWords,
+                          share1));
+
+  // Calculate share0 = (unmasked_val - share1) mod n
+  TRY(hardened_sub_mod(unmasked_val, share1, kP256Order, kP256SecretScalarWords,
+                       share0));
+
   // Allocate space for a masked secret scalar.
   uint32_t keyblob_scalar[keyblob_len];
   otcrypto_blinded_key_t secret_scalar = {
       .config = kPrivateKeyConfig,
       .keyblob_length = sizeof(keyblob_scalar),
       .keyblob = keyblob_scalar,
   };
-  memset(keyblob_scalar, 0, 2 * kP256SecretScalarBytes);
-  memcpy(keyblob_scalar, kKATSecretScalar, kP256TestVectorScalarInpBytes);
+  memcpy(keyblob_scalar, share0, kP256SecretScalarBytes);
+  // We copy over the full 320 random bits
+  memcpy(keyblob_scalar + kP256SecretScalarWords, share1_rand,
+         kP256SecretScalarBytes);
   secret_scalar.checksum = integrity_blinded_checksum(&secret_scalar);
 
+  memset(unmasked_val, 0, kP256SecretScalarBytes);
+  memcpy(unmasked_val, kKATKey, kP256TestVectorScalarInpBytes);
+
+  // Generate a random svalue and reduce it modulo n
+  TRY(hardened_memshred(share1_rand, kP256SecretScalarWords));
+  TRY(hardened_mod_reduce(share1_rand, kP256Order, kP256SecretScalarWords,
+                          share1));
+
+  // Calculate share0 = (unmasked_val - share1) mod n
+  TRY(hardened_sub_mod(unmasked_val, share1, kP256Order, kP256SecretScalarWords,
+                       share0));
+
   // Allocate space for a masked private key.
   uint32_t keyblob_sk[keyblob_len];
   otcrypto_blinded_key_t private_key = {
       .config = kPrivateKeyConfig,
       .keyblob_length = sizeof(keyblob_sk),
       .keyblob = keyblob_sk,
   };
-  memset(keyblob_sk, 0, 2 * kP256SecretScalarBytes);
-  memcpy(keyblob_sk, kKATKey, kP256TestVectorScalarInpBytes);
+  memcpy(keyblob_sk, share0, kP256SecretScalarBytes);
+  memcpy(keyblob_sk + kP256SecretScalarWords, share1, kP256SecretScalarBytes);
   private_key.checksum = integrity_blinded_checksum(&private_key);
 
   // Hash the message.
diff --git a/sw/device/tests/crypto/ecdsa_p384_functest.c b/sw/device/tests/crypto/ecdsa_p384_functest.c
@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 
+#include "sw/device/lib/base/hardened_memory.h"
 #include "sw/device/lib/crypto/drivers/otbn.h"
 #include "sw/device/lib/crypto/impl/keyblob.h"
 #include "sw/device/lib/crypto/include/config.h"
@@ -128,29 +129,72 @@ static status_t sign_then_verify_test(void) {
 
 OTTF_DEFINE_TEST_CONFIG();
 
+/**
+ * A test where a known input is signed and is compared to the expected output.
+ * In addition, it draws randomness to share the known input using
+ * hardened_memshred. The input is shared using the hardened_sub_mod function
+ * using the P-384 curve order n.
+ */
 static status_t sign_kat(void) {
   uint32_t keyblob_len = 2 * kP384SecretScalarWords;
 
+  // P-384 curve order n, padded to 448 bits (14 words) for our math operations.
+  static const uint32_t kP384Order[kP384SecretScalarWords] = {
+      0xCCC52973, 0xECEC196A, 0x48B0A77A, 0x581A0DB2, 0xF4372DDF,
+      0xC7634D81, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
+      0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000};
+
+  uint32_t unmasked_val[kP384SecretScalarWords];
+  uint32_t share1_rand[kP384SecretScalarWords];
+  uint32_t share0[kP384SecretScalarWords];
+  uint32_t share1[kP384SecretScalarWords];
+
+  memset(unmasked_val, 0, kP384SecretScalarBytes);
+  memcpy(unmasked_val, kKATSecretScalar, kP384TestVectorScalarInpBytes);
+
+  // Generate a random value and reduce it modulo n to get a valid share1
+  TRY(hardened_memshred(share1_rand, kP384SecretScalarWords));
+  TRY(hardened_mod_reduce(share1_rand, kP384Order, kP384SecretScalarWords,
+                          share1));
+
+  // Calculate share0 = (unmasked_val - share1) mod n
+  TRY(hardened_sub_mod(unmasked_val, share1, kP384Order, kP384SecretScalarWords,
+                       share0));
+
   // Allocate space for a masked secret scalar.
   uint32_t keyblob_scalar[keyblob_len];
   otcrypto_blinded_key_t secret_scalar = {
       .config = kPrivateKeyConfig,
       .keyblob_length = sizeof(keyblob_scalar),
       .keyblob = keyblob_scalar,
   };
-  memset(keyblob_scalar, 0, 2 * kP384SecretScalarBytes);
-  memcpy(keyblob_scalar, kKATSecretScalar, kP384TestVectorScalarInpBytes);
+  memcpy(keyblob_scalar, share0, kP384SecretScalarBytes);
+  // We copy over the full random bits
+  memcpy(keyblob_scalar + kP384SecretScalarWords, share1,
+         kP384SecretScalarBytes);
   secret_scalar.checksum = integrity_blinded_checksum(&secret_scalar);
 
+  memset(unmasked_val, 0, kP384SecretScalarBytes);
+  memcpy(unmasked_val, kKATKey, kP384TestVectorScalarInpBytes);
+
+  // Generate new random noise and reduce it modulo n
+  TRY(hardened_memshred(share1_rand, kP384SecretScalarWords));
+  TRY(hardened_mod_reduce(share1_rand, kP384Order, kP384SecretScalarWords,
+                          share1));
+
+  // Calculate share0 = (unmasked_val - share1) mod n
+  TRY(hardened_sub_mod(unmasked_val, share1, kP384Order, kP384SecretScalarWords,
+                       share0));
+
   // Allocate space for a masked private key.
   uint32_t keyblob_sk[keyblob_len];
   otcrypto_blinded_key_t private_key = {
       .config = kPrivateKeyConfig,
       .keyblob_length = sizeof(keyblob_sk),
       .keyblob = keyblob_sk,
   };
-  memset(keyblob_sk, 0, 2 * kP384SecretScalarBytes);
-  memcpy(keyblob_sk, kKATKey, kP384TestVectorScalarInpBytes);
+  memcpy(keyblob_sk, share0, kP384SecretScalarBytes);
+  memcpy(keyblob_sk + kP384SecretScalarWords, share1, kP384SecretScalarBytes);
   private_key.checksum = integrity_blinded_checksum(&private_key);
 
   // Hash the message.
