Clarify PSA_PAKE_STEP_ZK_PROOF format

Removing reference to RFC 7748 as it is more confusing than helpful. (It
decodes the scalars after masking which is not part of the encoding we
want to specify. Also, it has the explanation of what it means by little
endian in a preceding section that is not trivial to find.)

We also explicitly specify the constraint on leading zeroes.

Signed-off-by: Janos Follath <janos.follath@arm.com>
Janos Follath 2021-06-08 15:30:48 +01:00
parent 46c02375b7
commit 1f0131844c

@ -1130,14 +1130,17 @@ typedef uint32_t psa_pake_primitive_t;
* This is the proof in the Schnorr Non-Interactive Zero-Knowledge Proof (the
* value denoted by the letter 'r' in RFC 8235).
*
* Both input and output at this step is an integer less than the group
* selected in the cipher suite. The format depends on the group as well:
* Both for input and output, the value at this step is an integer less than
* the order of the group selected in the cipher suite. The format depends on
* the group as well:
*
* - For Montgomery curves, the encoding is little endian (see decoding of
* scalars in Section 5 of RFC 7748).
* - For Montgomery curves, the encoding is little endian.
* - For everything else the encoding is big endian (see Section 2.3.8 of
* _SEC 1: Elliptic Curve Cryptography_ at https://www.secg.org/sec1-v2.pdf).
*
* In both cases leading zeroes are allowed as long as the length in bytes does
* not exceed the byte length of the group order.
*
* For information regarding how the group is determined, consult the
* documentation #PSA_PAKE_PRIMITIVE.
*/
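
Review bot: "leading zeroes" in the new "In both cases ..." paragraph is ambiguous for the little-endian Montgomery case, where the zero padding occupies the most significant bytes at the end of the buffer, not the start. Suggest wording it in terms of byte significance, for example "zero padding in the most significant bytes is allowed", or spelling out both byte orders separately. The paragraph also only bounds the length from above, so it does not say whether the output at this step is always padded to the byte length of the group order or may be shorter; stating the output length explicitly would remove the guesswork for callers. Minor, in the unchanged context line: "consult the documentation #PSA_PAKE_PRIMITIVE" is missing "of".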