On 25/05/12 18:35, Khuc, Chuong D. wrote:
Hi,
Does anyone knows there is a way to implement accelerated verification
of ECDSA like in this paper:
http://www.mathnet.or.kr/mathnet/preprint_file/cacr/2005/cacr2005-28.pdf
Specifically instead of generating ECDSA signature with (r,s), I have
to generate (R, s). Now R in this case is not the public key. I don't
know if OpenSSL currently support this?
AFAIK, I don't think OpenSSL exposes R directly. However you can
probably recalculate it. Basically R is a random point selected by first
choosing a random integer (k) and multiplying by the generator point,
i.e. R= k*g
Instead of just calling ECDSA_do_sign, you could call:
int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
BIGNUM **rp)
after the call you will then have the value of k inverse and r. You then
have to use these in a call to ECDSA_do_sign_ex to actually do the signing:
ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst, int dlen,
const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey)
Now that you have k inverse you can calculate k:
/* Obviously missing lots of error handling etc */
EC_GROUP_get_order(group, order, ctx);
BN_mod_inverse(k, kinv, order, ctx);
From k you can calculate R (create R first using EC_POINT_new):
EC_POINT_mul(group, R, k, NULL, NULL, ctx);
You can get s from the previously calculated ECDSA_SIG object.
All of the above just an idea and supplied totally without warranty!! :-)
Matt
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
