Bug in deterministic nonce generation for ECDSA using P-521 with SHA512

[mcarrickscott]

There seems to be an error in line 23 of

https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/src/crypto/src/NIST.CVP.ACVTS.Libraries.Crypto/DSA.ECC/DeterministicNonceProvider.cs

The code does not appear to follow step 1.2 of the nonce generation process described in A3.3 of fips186-5

The conversion (padding) of the Hash to an octet string should follow the process described in B2.4, which takes the modulus n as an input. However the padding applied in line 23 does not consider n (orderN). Indeed the length of n, required for correct padding, is not considered until line 44.

Note this is only an issue when the length of n does not match the the output length of the hash. However it does affect the case for P-521 using SHA512 (for example).

[livebe01]

Thanks for sharing this. We'll take a look.

By the way, I'm curious how you discovered this. Were you testing an ECDSA implementation and found that some test cases were failing when you expected them to pass?

[mcarrickscott]

That is basically it. Tried 3 independent implementations, couldn't get a match with the test vectors. So finally went poking around your C# source code in a search for an answer.

…

On Fri, Jan 3, 2025 at 10:29 PM livebe01 ***@***.***> wrote: Thanks for sharing this. We'll take a look. By the way, I'm curious how you discovered this. Were you testing an ECDSA implementation and found that some test cases were failing when you expected them to pass? — Reply to this email directly, view it on GitHub <#377 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAU3ZDTON2KFJYNMCWIWJL32I3JKFAVCNFSM6AAAAABT4GUM5OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNRZGY2DSMJUHE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[jbrock24]

Hi @mcarrickscott, I believe I've found the missing steps outside of the method. Within the EccDSA class the Sign method has that step on lines 132 & 136. Please let me know if there are any further questions or concerns.

[mcarrickscott]

Thanks for your response. Considering the 3 lines of code from the sign() function prior to calling Getnonce(), in the context of P-521, basically they result in e=SHA512(message)

Drilling down a bit deeper into Getnonce()... In the line

var seedMaterial = new BitString(privateD).PadToModulusMsb(32).ConcatenateBits(new BitString(hashedMessage).PadToModulusMsb(32));

There are two problems. The first PadToModulus() extends privateD unnecessarily from 528 bits to 544 bits (a 32-bit boundary). The second PadToModulus() is a no-op as the hashedMessage is already on such a boundary – its 512 bits. It actually should be extended to 528 bits by prepending two 0 bytes.

In short doing it the NIST way I get

0x00 0x00 privateD | hashedMessage

and using this I can reproduce the NIST test vectors

Whereas the RFC6979 way is

privateD | 0x00 0x00 hashedMessage

and doing it this way I can reproduce the RFC6979 test vectors.

They can’t both be right!

[mcarrickscott]

Hello,

It would be great if you could fix this. My employer is keen to be able to claim that our cryptographic library matches all of the NIST test vectors, but we are obviously blocked by this outstanding issue.

[livebe01]

@mcarrickscott acknowledged. You mentioned attempting to reproduce the NIST test vectors. The test vectors you're referring to, are these test vectors you've produced by interacting with ACVTS Demo? If so, can you add those files to this issue? Or are they the sample test vectors from here: https://github.com/usnistgov/ACVP-Server/tree/master/gen-val/json-files/DetECDSA-SigGen-FIPS186-5?

[PanchoRH]

Hello,
@livebe01: I've been working with @mcarrickscott on this issue. I can confirm that we have not yet interacted with the ACVTS Demo, nor have we worked with the test vectors you mentioned.

Here is a brief summary of the files where the issue was found:

1. ### Context of the issue found
   a. NIST ACVP KAT Tests. NIST has released a set of KAT tests for different cryptographic primitives which are available here.
   b. One of the primitives included in these tests is Deterministic ECDSA (aka DetECDSA-SigGen-FIPS186-5) as specified
   in the standard FIPS 186-5 published March 2, 2023.

2. ### Issue found by our team.
   a. The KAT tests corresponding to DetECDSA-SigGen-FIPS186-5 can be found
   here. This file includes tests for the following four NIST curves: P-224, P-256, P-384 and P-521.
   b. Our library successfully passes the KAT tests for the supported NIST curves P-256 and P-384 when using the hash
   functions SHA-256 and SHA-384, respectively.
   c. However, our library does not pass the KAT tests for the curve P-521 using SHA-512. These tests can be found in Lines 3045-3132.
   d. Those KAT test vectors are defined as follows:
   Assume that we have selected the NIST elliptic curve P-521 and its associated public parameters such as prime p, order of the curve and generator point. Then, given the private key d and a 1024-bit message m, compute and output the following values:
   The x-coordinate of the public key named qx, with bitlength 521 bits.
   The y-coordinate of the public key named qy, with bitlength 521 bits.
   The signature (r, s), where the bitlength of r and s is 521 bits.
   We were able to reproduce the public key coordinates qx and qy published in Lines 3045-3132 of this file. However, we couldn’t reproduce the signature (r, s).

3. ### Actions taken.
   a. We implemented DetECDSA-SigGen-FIPS186-5 using three different implementations written in C and Sage. All of our implementations unanimously generated the same output values qx, qy and signature (r, s) .
   b. NIST also published the C# code that they used to generate the KAT tests. This code can be found here. We found that the NIST code had a bug as specified in the first comments of this issue: The PadToModulus() function has a couple of technical issues (see previous comments for further details).

[livebe01]

Thanks for your response. Considering the 3 lines of code from the sign() function prior to calling Getnonce(), in the context of P-521, basically they result in e=SHA512(message)

Drilling down a bit deeper into Getnonce()... In the line

var seedMaterial = new BitString(privateD).PadToModulusMsb(32).ConcatenateBits(new BitString(hashedMessage).PadToModulusMsb(32));

There are two problems. The first PadToModulus() extends privateD unnecessarily from 528 bits to 544 bits (a 32-bit boundary). The second PadToModulus() is a no-op as the hashedMessage is already on such a boundary – its 512 bits. It actually should be extended to 528 bits by prepending two 0 bytes.

In short doing it the NIST way I get

0x00 0x00 privateD | hashedMessage

and using this I can reproduce the NIST test vectors

Whereas the RFC6979 way is

privateD | 0x00 0x00 hashedMessage

and doing it this way I can reproduce the RFC6979 test vectors.

They can’t both be right!

Hi @mcarrickscott, I've confirmed both of your points. We'll get this fixed and update this ticket when the fix is available.

Thanks to your pointing this out, we were also able to discover an ambiguity in FIPS 186-5's definition of the k computation. Step 1.1 in A.3.3 instructs to "Convert the private key d to an octet string using the procedure in Appendix B.2.3", but it doesn't provide one of B.2.3's required parameters, L, which is the length of the desired octet string. Step 1.2 instructs to "Convert the Hash H to an octet string using the procedure in Appendix B.2.4 with modulus n." B.2.4 similarly makes use of B.2.3 without providing the required value for L. We've been in touch with the FIPS 186-5 authors and expect that they will address it, possibly by posting an errata for the FIPS.

[livebe01]

The updated and corrected DetECDSA sigGen sample test vectors are available here as of release v1.1.0.39.