cryptography - Java - Elliptic Curve Field Element Arithmetic in Bouncy Castle


I have been under the impression that it is more proper to perform arithmetic operations on exponents using ECFieldElement objects instead of BigIntegers, but according to my tests, doing so yields incorrect results.

Test routines (JUnit):

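    import static org.junit.jupiter.api.Assertions.assertEquals;
    import static org.junit.jupiter.api.Assertions.assertTrue;

    import java.math.BigInteger;
    import java.security.SecureRandom;
    import java.security.Security;

    import org.bouncycastle.jce.ECNamedCurveTable;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;
    import org.bouncycastle.jce.spec.ECNamedCurveSpec;
    import org.bouncycastle.math.ec.ECFieldElement;
    import org.bouncycastle.math.ec.ECPoint;
    import org.junit.jupiter.api.Test;

    class ArithmeticTest {

      // Checks aG + bG == (a + b)G with the sum computed as a plain BigInteger.
      @Test
      public void testMultDistributativity_BigInteger()
      {
          ECPoint g = getG();

          for (int i = 0; i < 100; i++)
          {
            BigInteger a, b, c;

            a = randomIntInField(false);
            b = randomIntInField(false);
            c = a.add(b);

            ECPoint ga = g.multiply(a);
            ECPoint gb = g.multiply(b);
            ECPoint gc = g.multiply(c);
            ECPoint sum = ga.add(gb);

            assertEquals(gc, sum);
          }
      }

      @Test
      public void testMultDistributativity_ECFieldElement_SmallValues()
      {
          assertTrue(checkMultDistributativity_ECFieldElement(BigInteger.ONE, BigInteger.TEN));
      }

      @Test
      public void testMultDistributativity_ECFieldElement_RandomValues()
      {
          BigInteger a, b;
          int failureCount = 0;

          for (int i = 0; i < 1000; i++)
          {
            a = randomIntInField(false);
            b = randomIntInField(false);

            if (!checkMultDistributativity_ECFieldElement(a, b))
                failureCount++;
          }

          assertTrue(failureCount == 0, "failed on " + Integer.toString(failureCount) + " out of 1000 runs.");
      }

      // Same check, but the sum is computed with ECFieldElement.add (reduced modulo the field prime).
      private boolean checkMultDistributativity_ECFieldElement(BigInteger a, BigInteger b)
      {
          ECFieldElement fa, fb, fc;
          ECPoint ga, gb, gc, sum;

          fa = getFieldElement(a);
          fb = getFieldElement(b);
          fc = fa.add(fb);

          ga = getG().multiply(a);
          gb = getG().multiply(b);
          gc = getG().multiply(fc.toBigInteger());
          sum = ga.add(gb);

          return gc.equals(sum);
      }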

testMultDistributativity_BigInteger and testMultDistributativity_ECFieldElement_SmallValues succeed, but testMultDistributativity_ECFieldElement_RandomValues fails on half of the test cases.

Incidentally, 1/2 is the probability of two random field elements adding up to a number larger than the field order. I don't understand how this can mess things up, though.

Loading the curve:

      private java.security.spec.EllipticCurve curve;
      private org.bouncycastle.math.ec.ECCurve bcCurve;
      private ECNamedCurveParameterSpec spec;
      private final BigInteger fieldOrder;
      private static final int FIELD_ELEMENT_BIT_SIZE = 256;

      static {
        Security.insertProviderAt(new BouncyCastleProvider(), 1);
      }

      public ArithmeticTest()
      {
        spec = ECNamedCurveTable.getParameterSpec("secp256r1");
        bcCurve = spec.getCurve();

        ECNamedCurveSpec conversionSpec = new ECNamedCurveSpec(spec.getName(), spec.getCurve(), spec.getG(), spec.getN());
        curve = conversionSpec.getCurve();

        fieldOrder = new BigInteger("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16);
      }

And these helper functions:

      private ECPoint getG()
      {
        return spec.getG();
      }

      private ECFieldElement getFieldElement(BigInteger i)
      {
        return bcCurve.fromBigInteger(i);
      }

      // Rejection-samples a 256-bit value until it is below fieldOrder (and nonzero if requested).
      private BigInteger randomIntInField(boolean nonzero)
      {
        final int ARGUMENT_IS_LARGER = -1;
        SecureRandom rand = new SecureRandom();
        BigInteger result;
        int watchdog = 1000;

        do {
            result = new BigInteger(FIELD_ELEMENT_BIT_SIZE, rand);

            if (--watchdog == 0)
                throw new RuntimeException("damn odds?");
        }
        while (nonzero && result.equals(BigInteger.ZERO) || result.compareTo(fieldOrder) != ARGUMENT_IS_LARGER);

        return result;
      }
    }

Can the problem be with the randomization somehow?

"I have been under the impression that it is more proper to perform arithmetic operations on exponents using ECFieldElement objects instead of BigIntegers, but according to my tests, doing so yields incorrect results."

No! Exponents (the scalar arguments to ECPoint.multiply) are not to be handled using ECFieldElement. Scalars should be added to each other modulo the group order, available via ECCurve.getOrder.

Your test therefore fails any time the sum fc gets reduced against the field modulus (~50%, as you say).
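
The distinction drawn in the answer, as an added example that is not part of the original question or answer: it compares reducing the scalar sum modulo the field prime p (via ECFieldElement.add, as in the question's test) with reducing it modulo the group order n. The class name and the three scalar pairs are constructed for illustration, one pair per range the sum a + b can fall into.

```java
import java.math.BigInteger;

import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;
import org.bouncycastle.math.ec.ECCurve;
import org.bouncycastle.math.ec.ECPoint;

public class ScalarVsFieldAddition {   // hypothetical class name

    public static void main(String[] args) {
        ECNamedCurveParameterSpec spec = ECNamedCurveTable.getParameterSpec("secp256r1");
        ECCurve curve = spec.getCurve();
        ECPoint g = spec.getG();
        BigInteger p = curve.getField().getCharacteristic(); // field modulus: point coordinates live here
        BigInteger n = curve.getOrder();                     // group order: scalars live here

        // Constructed scalar pairs (not from the original post).
        BigInteger[][] cases = {
            { BigInteger.valueOf(5), BigInteger.valueOf(7) },          // a + b < n
            { n.subtract(BigInteger.ONE), BigInteger.valueOf(3) },     // n <= a + b < p
            { p.subtract(BigInteger.ONE), BigInteger.valueOf(2) },     // a + b >= p
        };
        for (BigInteger[] c : cases) {
            check(curve, g, n, c[0], c[1]);
        }
    }

    static void check(ECCurve curve, ECPoint g, BigInteger n, BigInteger a, BigInteger b) {
        ECPoint expected = g.multiply(a).add(g.multiply(b));   // aG + bG

        // The question's approach: add as field elements, which reduces modulo p.
        BigInteger fieldSum = curve.fromBigInteger(a).add(curve.fromBigInteger(b)).toBigInteger();
        // The answer's approach: add as scalars, reducing modulo n.
        BigInteger scalarSum = a.add(b).mod(n);

        System.out.println("sum mod p matches aG + bG: " + g.multiply(fieldSum).equals(expected)
                + ", sum mod n matches aG + bG: " + g.multiply(scalarSum).equals(expected));
    }
}
```

Only the third pair, whose sum wraps past p, should disagree under field addition, because subtracting p changes the scalar by an amount that is not a multiple of n. Reduction modulo n agrees in all three cases.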

