(HW) ECDH (curve25519) from SDK vs. (external) libsodium: shared secret problem

nhan.ngodinh

Hi,
I am developing an ecdh-curve25519 crypto application which should be based on your HW accelerator on my dev board.
At the moment I am able to generate a [Shared Secret] as described in your guide (DA1468x_DA15xxx_SDK_1.0.14.1081/doc/html/group___e_c_d_h.html).
Checking the flags and the resources buffer, it all seems OK!

This "shared secret" should be shared with another one generated with the same curve25519 on another external device (think of a linux-pc) using the "libsodium library" (again, same ecdh-curve).

Now, at this point something goes wrong: the two shared secrets are completely different.

Do you have any idea, or have you even experienced such a problem?
Did you ever test the algorithm for compatibility with other shared secret generators?

Thank you in advance

[SDK-used]:: DA1468x_DA15xxx_SDK_1.0.14.1081
[PC-linux]:: libsodium+linux ubuntu 18

PM_Dialog
Staff
Hi nhan.ngodinh,

Let me check your issue and I will get back to you as soon as I have an answer for you.

Thanks, PM_Dialog

nhan.ngodinh
Hi,
in order to give some points for discussion, today I tested your [SDK code] with the "test vector" from [https://tools.ietf.org/html/rfc7748#page-14].
The result is wrong with respect to the expected [shared-secret].
Instead, making the same test on [linux-pc] with [ubuntu+libsodium] returns the correct [shared-secret].

Now, if I did not make any error, I guess you probably do not comply with that (informal) standard RFC 7748.

thanks, nn

PM_Dialog
Staff
Hi nhan.ngodinh,

Could you please clarify the [SDK code] and which test vector you are using? You should not get different results, but I will try to replicate your issue. Also, any input/code snippet that you are using would be very helpful.

Thanks, PM_Dialog

nhan.ngodinh
Hi,
as I specified in my previous comment, the test vectors are taken from [https://tools.ietf.org/html/rfc7748#page-14] -> page 13.
For simplicity I'm attaching below the keys and the resulting shared secret:

# Alice's private key, a:
77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a

# Alice's public key, X25519(a, 9):
8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a

# Bob's public key, X25519(b, 9):
de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f

# Their shared secret, K:
4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742

[SDK CODE]:
# REFERENCE SRC:
DA1468x_DA15xxx_SDK_1.0.14.1081/sdk/interfaces/crypto/src/crypto_ecdh.c

# CODE SNIPPET:
/* forcing to use only curve25519 into crypto_ecdh.h */
#define CRYPTO_ECDH_USE_ONLY_CURVE25519 (1)

/* initializing curve structure */
INITIALISED_PRIVILEGED_DATA crypto_ecdh_context_t c_ctx = CRYPTO_ECDH_INIT_CTX(CRYPTO_EC_PARAMS_CURVE25519);

/* copying Alice's private key into the "d" field */
memcpy(&(c_ctx.d[0]), Alice_priv, 32);
/* setting corresponding flag */
c_ctx.flags |= CRYPTO_ECDH_CTX_d;
/* copying Alice's pub key into the "X coordinate" field, the only one used for curve25519 */
memcpy(&(c_ctx.Ql[0][0]), Alice_pubk, 32);
/* setting corresponding flag */
c_ctx.flags |= CRYPTO_ECDH_CTX_Ql;
/* copying Bob's pub key into the "X coordinate" field, the only one used for curve25519 */
memcpy(&(c_ctx.Qp[0][0]), Bob_pubk, 32);
/* setting corresponding flag */
c_ctx.flags |= CRYPTO_ECDH_CTX_Qp;

/* calling crypto_ecdh_compute for generating shared key (flags should be ok at this point) */
crypto_ecdh_compute(&c_ctx, c_ctx_timeout);
/* printing shared secret and flags (flags=15 as it should but shared secret wrong) */
printf("SHARED SECRET [flags->%d]\n", c_ctx.flags);
for(uint32_t i = 0; i < 32; i++)
    printf("\"%x\",", c_ctx.s[i]);

Let me know if you need something more.

thanks, nn
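
An added example, not part of the original thread and not Dialog SDK or libsodium code: a PC-side reference X25519 following RFC 7748 section 5, run against the vectors quoted in the post above so that a device's 32-byte output can be checked against it. The `compare` helper is hypothetical; it only distinguishes an identical result, one that differs solely in byte order (RFC 7748 encodes values as little-endian byte strings), and a different result, and the thread does not establish which applies to the SDK.

```python
# Added reference X25519 (RFC 7748, section 5). Variable-time big-integer
# arithmetic: meant for checking test vectors on a PC, not for live keys.
P = 2**255 - 19
A24 = 121665

def x25519(k: bytes, u: bytes) -> bytes:
    if len(k) != 32 or len(u) != 32:
        raise ValueError("scalar and u-coordinate must be 32 bytes each")
    kb = bytearray(k)
    kb[0] &= 248                      # clamp: clear the three low bits
    kb[31] = (kb[31] & 127) | 64      # clamp: clear bit 255, set bit 254
    kn = int.from_bytes(kb, "little")
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P  # mask top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):      # Montgomery ladder over 255 bits
        kt = (kn >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def compare(device_out: bytes, k: bytes, peer_u: bytes) -> str:
    """Hypothetical helper: classify a device result against the reference."""
    ref = x25519(k, peer_u)
    if device_out == ref:
        return "match"
    if device_out[::-1] == ref:
        return "byte-reversed"
    return "mismatch"

# Vectors as quoted in the post above (RFC 7748); base point u = 9.
BASE_POINT = (9).to_bytes(32, "little")
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

if __name__ == "__main__":
    print(compare(SHARED, ALICE_PRIV, BOB_PUB))
```

To check a board, pass the 32 bytes read from the device as `device_out` together with the same private key and peer public key that were loaded into it.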

PM_Dialog
Staff
Hi nhan.ngodinh,

I will try to replicate your issue and I will get back to you with my feedback as soon as possible.

Thanks, PM_Dialog