Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hw or Sw opimized ECDSA ? #48

Open
simo5 opened this issue Aug 5, 2020 · 2 comments
Open

Hw or Sw opimized ECDSA ? #48

simo5 opened this issue Aug 5, 2020 · 2 comments

Comments

@simo5
Copy link

simo5 commented Aug 5, 2020

Looking at this code it seems to me this function indicates that some cryptography function here is implemented via CPU provided optimized instructions (CPACF) not an external HW accelerator:

static int ecdsa_sign_cpacf(const ICA_EC_KEY *priv, const unsigned char *hash,

If that is the case it seem here OpenSSL's ECDSA implemenation should be used, and support to utilize CPACF should be contributed to mainline OpenSSL so ECDSA is always as fast as possible.
Is there something preventing regular OpenSSL from using CPACF instructions directly when compiled on S390 ?

@p-steuer
Copy link
Contributor

p-steuer commented Aug 5, 2020

OpenSSL mainline (master) has all relevant CPACF support: ECDSA (P-256/384/521) keygen, sign, verify, EdDSA (ed25519,ed448) keygen, sign, verify, ECDH (P-256/384/521, X25519, X448), all of SHA-2 and SHA3/SHAKE, AES-GCM,CCM,CBC,XTS,ECB,CFB,OFB,CTR plus Vectorized Chacha20 and Poly1305.

That list basically sums up most of my OpenSSL contributions in the last years ..

The 1.1.1. backports should already be included in RHEL's OpenSSL package. I think i provided my branch for that purpose:
https://github.com/p-steuer/openssl/tree/ecc111

The following PR is an effort to get the backports merged to 1.1.1 : openssl/openssl#11188

@simo5
Copy link
Author

simo5 commented Aug 5, 2020

@p-steuer does this mean this code can be dropped and turned into a wrapper around OpenSSL's ECDSA signing/verification code ?
Ideally using EVP_DIgestSign*() interface because ECDSA_do_sign()/ECDSA_do_verify() are deprecated and will eventually go away.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants