Each entry in blockAlignedPersonalizationString is written to the HMAC at a
block boundary, as specified in draft-irtf-cfrg-det-sigs-with-noise-04,
Section 4.

    func (blockAlignedPersonalizationString) isPersonalizationString()

blockAlignedPersonalizationString implements personalizationString.
hmacDRBG is an SP 800-90A Rev. 1 HMAC_DRBG.

It is only intended to be used to generate ECDSA nonces. Since it will be
instantiated ex novo for each signature, its Generate function will only be
invoked once or twice (only for P-256, with probability 2⁻³²).

Per Table 2 of SP 800-90A Rev. 1, it has a reseed interval of 2^48 requests,
and a maximum request size of 2^19 bits (2^16 bytes, 64 KiB).

    type hmacDRBG struct {
        newHMAC func(key []byte) *hmac.HMAC

        hK *hmac.HMAC
        V  []byte

        reseedCounter uint64
    }

Generate produces at most maxRequestSize bytes of random data in out.
    func TestingOnlyNewDRBG(hash func() fips140.Hash, entropy, nonce []byte, s []byte) *hmacDRBG
    func newDRBG[H](hash func() H, entropy, nonce []byte, s personalizationString) *hmacDRBG
    func sign[P](c *Curve[P], priv *PrivateKey, drbg *hmacDRBG, hash []byte) (*Signature, error)
    func signGeneric[P](c *Curve[P], priv *PrivateKey, drbg *hmacDRBG, hash []byte) (*Signature, error)

Type Parameters:
    P: Point[P]
    H: fips140.Hash

Sign signs a hash (which shall be the result of hashing a larger message with
the hash function H) using the private key, priv. If the hash is longer than
the bit-length of the private key's curve order, the hash will be truncated
to that length.
Type Parameters:
    P: Point[P]
    H: fips140.Hash

SignDeterministic signs a hash (which shall be the result of hashing a
larger message with the hash function H) using the private key, priv. If the
hash is longer than the bit-length of the private key's curve order, the hash
will be truncated to that length. This applies Deterministic ECDSA as
specified in FIPS 186-5 and RFC 6979.
TestingOnlyNewDRBG creates an SP 800-90A Rev. 1 HMAC_DRBG with a plain
personalization string.
This should only be used for ACVP testing. hmacDRBG is not intended to be
used directly.
Type Parameters:
    P: Point[P]

Verify verifies the signature, sig, of hash (which should be the result of
hashing a larger message) using the public key, pub. If the hash is longer
than the bit-length of the public key's curve order, the hash will be
truncated to that length.

The inputs are not considered confidential, and may leak through timing side
channels, or if an attacker has control of part of the inputs.
Type Parameters:
    P: Point[P]

bits2octets as specified in FIPS 186-5, Appendix B.2.4 or RFC 6979,
Section 2.3.4. See RFC 6979, Section 3.5 for the rationale.

Type Parameters:
    P: Point[P]

hashToNat sets e to the left-most bits of hash, according to
FIPS 186-5, Section 6.4.1, point 2 and Section 6.4.2, point 3.

Type Parameters:
    P: Point[P]

inverse sets kInv to the inverse of k modulo the order of the curve.

Type Parameters:
    P: Point[P]

randomPoint returns a random scalar and the corresponding point using a
procedure equivalent to FIPS 186-5, Appendix A.2.2 (ECDSA Key Pair Generation
by Rejection Sampling) and to Appendix A.3.2 (Per-Message Secret Number
Generation of Private Keys by Rejection Sampling) or Appendix A.3.3
(Per-Message Secret Number Generation for Deterministic ECDSA) followed by
Step 5 of Section 6.4.1.

rightShift implements the right shift necessary for bits2int, which takes the
leftmost bits of either the hash or HMAC_DRBG output.

Note how taking the rightmost bits would have been as easy as masking the
first byte, but we can't have nice things.
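The truncation that hashToNat, bits2octets and rightShift above perform is the bits2int / int2octets / bits2octets chain of RFC 6979, Sections 2.3.2 to 2.3.4. The following is an added example, not code from this package: it carries that chain out with math/big for any curve order, including the non-byte-aligned P-521 case where the right shift is by fewer than 8 bits. The P-256 order constant is the standard value, and the 64-byte input in main is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"math/big"
)

// bits2int interprets the leftmost qlen bits of b as a big-endian integer
// (RFC 6979, Section 2.3.2; the FIPS 186-5 truncation of a hash to the curve
// order's bit length). An input shorter than qlen bits is used whole.
func bits2int(b []byte, qlen int) *big.Int {
	z := new(big.Int).SetBytes(b)
	if blen := len(b) * 8; blen > qlen {
		// Drop the rightmost blen-qlen bits. On raw bytes this is the
		// (up to 7-bit) shift that a rightShift helper has to perform.
		z.Rsh(z, uint(blen-qlen))
	}
	return z
}

// int2octets encodes x as exactly rlen big-endian bytes, left-padded with
// zeros (RFC 6979, Section 2.3.3). FillBytes panics if x does not fit.
func int2octets(x *big.Int, rlen int) []byte {
	return x.FillBytes(make([]byte, rlen))
}

// bits2octets is bits2int, reduction modulo q, and re-encoding as rlen
// octets, rlen being qlen rounded up to whole bytes (RFC 6979, Section 2.3.4).
func bits2octets(b []byte, q *big.Int) []byte {
	qlen := q.BitLen()
	z := bits2int(b, qlen)
	z.Mod(z, q) // z < q afterwards, so it always fits in rlen bytes
	return int2octets(z, (qlen+7)/8)
}

// p256Order is the group order n of NIST P-256.
var p256Order, _ = new(big.Int).SetString(
	"FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)

func main() {
	// Constructed 64-byte input standing in for a SHA-512 digest signed
	// with a P-256 key: only its leftmost 256 bits survive bits2int.
	h := make([]byte, 64)
	for i := range h {
		h[i] = byte(i)
	}
	fmt.Printf("bits2int:    %x\n", bits2int(h, 256))
	fmt.Printf("bits2octets: %x\n", bits2octets(h, p256Order))
}
```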