Get ECC Public key from Private key

[kisvegabor]

Hi,

I have a specific private key and I would like calculate it's public key. I'm using 3.0.4 OS and secp256k1 algorithm. Is there any built-in merhod for this?
I succesfully used the KeyPair and KeyBuilder class but it always uses randomly generated private keys.

[DaHuFa]

In JavaCardAPI, the description of genKeyPair() is "For the EC case, if the Field, A, B, G and R parameters of the public key object are pre-initialized, then they will be retained. Otherwise default pre-specified values MAY be used (e.g. WAP predefined curves), since computation of random generic EC keys is infeasible on the smart card platform." It only assign parameters of key. It is nothing in public key...

[BirdKing]

public key = private key * base point

[kisvegabor]

Thank you for the answers. I know the "public key = private key * base point" equation but I don't know whether I should do this multiplication or there is built-in methods for this? It's important because my implementation of EC operations might be vulnerable to side-channel attacks. (https://en.wikipedia.org/wiki/Side-channel_attack)

[jennyvenus]

first

the code like this

Code: Select all

#define _P  "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF"

#define _a  "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC"

#define _b  "28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93"

#define _n  "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123"

#define _Gx "32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7"

#define _Gy "BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0"

#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/ebcdic.h>
#include <openssl/ecdsa.h>

/* chinese Sm2 parameters y2 = x3 + ax + b curve */
#define _P  "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF"

#define _a  "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC"

#define _b  "28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93"

#define _n  "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123"

#define _Gx "32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7"

#define _Gy "BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0"
....


int sm2_gen_key(PSM2_KEY sm2key)
{
    int ret = -1;
    EC_KEY* key = NULL;
    BN_CTX *ctx = NULL;
    EC_GROUP* group = NULL;
    EC_POINT* point_p = NULL;
    const EC_POINT *point_q = NULL;
    BIGNUM *p, *a, *b, *gx, *gy, *z;

    assert(sm2key);

    p = BN_new();  
    a = BN_new();  
    b = BN_new();  

    gx = BN_new();
    gy = BN_new();
    z = BN_new();

    // init a NULL algoritim group
    group = EC_GROUP_new(EC_GFp_mont_method());  

    // convert SM2 para with bignum
    BN_hex2bn(&p, _P);  
    BN_hex2bn(&a, _a);  
    BN_hex2bn(&b, _b);
    BN_hex2bn(&gx, _Gx);
    BN_hex2bn(&gy, _Gy);
    BN_hex2bn(&z, _n);

    ctx = BN_CTX_new();

    if (!EC_GROUP_set_curve_GFp(group, p, a, b,ctx))  
    {  
        goto err_process;  
    }  

    point_p = EC_POINT_new(group);   

    if (!EC_POINT_set_affine_coordinates_GFp(group, point_p, gx, gy, ctx))
    {
        goto err_process;
    }

    //// check p on curve
    if (!EC_POINT_is_on_curve(group, point_p, ctx))
    {
        ret = -2;
        goto err_process;
    }

    //base poing G
    if(!EC_GROUP_set_generator(group, point_p, z, BN_value_one()))  
    {  
        ret = -3;
        goto err_process;  
    }  

    // generate key
    key = EC_KEY_new();
    if (!EC_KEY_set_group(key, group))
    {
        ret = -4;
        goto err_process;
    }

    if(!EC_KEY_generate_key(key))
    {
        ret = -5;
        goto err_process;
    }

    printf("gen key success:\n the prv is %s\n", 
        BN_bn2hex(EC_KEY_get0_private_key(key)));
    sm2key->prv_key.bytes = BN_bn2bin(EC_KEY_get0_private_key(key), sm2key->prv_key.k);

    point_q = EC_KEY_get0_public_key(key);
    if(!EC_POINT_get_affine_coordinates_GFp(group, point_q, gx, gy , NULL))
    {
        goto err_process;
    }

    sm2key->pub_key.bytes = BN_bn2bin(gx, sm2key->pub_key.x);
    BN_bn2bin(gy, sm2key->pub_key.y);
    ret = 0;

err_process:

    if (point_p != NULL)
    {
        EC_POINT_free(point_p);
    }

    if (group != NULL)
    {
        EC_GROUP_free(group);
    }

    if (ctx != NULL)
    {
        BN_CTX_free(ctx);
    }

    if (key != NULL)
    {
        EC_KEY_free(key);
    }

    return ret;
}

second

modify EC_KEY_generate_key with new EC_KEY_generate_key_by_prikey (EC_KEY *eckey, unsigned char *prikey, int prilen )

this function only change random prikey with input prikey

[BirdKing]

Thank you for the answers. I know the "public key = private key * base point" equation but I don't know whether I should do this multiplication or there is built-in methods for this? It's important because my implementation of EC operations might be vulnerable to side-channel attacks. (https://en.wikipedia.org/wiki/Side-channel_attack)

Do you want protect signature from side-channel attacks with public key? How it work? In my impression, side-channel attacks is collect information and try to analyze your private key. How the public key resist side-channel attacks ?

[kisvegabor]

As the public key is created using the private key, the executed instructions and branches can depend on the private key too. This way an attacker can guess the private key by analysing the power consumption of the device and deduce the executed instruction.

That's why I would prefer a built-in, certificated method for this.

[BirdKing]

Maybe you can calculate public key when you set private key. In general, set private key must be in secure environment.