/src/serenity/Userland/Libraries/LibCrypto/Curves/Ed25519.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (c) 2022, stelar7 <dudedbz@gmail.com> |
3 | | * |
4 | | * SPDX-License-Identifier: BSD-2-Clause |
5 | | */ |
6 | | |
7 | | #include <AK/Random.h> |
8 | | #include <LibCrypto/Curves/Curve25519.h> |
9 | | #include <LibCrypto/Curves/Ed25519.h> |
10 | | #include <LibCrypto/Hash/SHA2.h> |
11 | | |
12 | | namespace Crypto::Curves { |
13 | | |
14 | | // https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.5 |
15 | | ErrorOr<ByteBuffer> Ed25519::generate_private_key() |
16 | 0 | { |
17 | | // The private key is 32 octets (256 bits, corresponding to b) of |
18 | | // cryptographically secure random data. See [RFC4086] for a discussion |
19 | | // about randomness. |
20 | |
|
21 | 0 | auto buffer = TRY(ByteBuffer::create_uninitialized(key_size())); |
22 | 0 | fill_with_random(buffer); |
23 | 0 | return buffer; |
24 | 0 | } |
25 | | |
26 | | // https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.5 |
27 | | ErrorOr<ByteBuffer> Ed25519::generate_public_key(ReadonlyBytes private_key) |
28 | 0 | { |
29 | | // The 32-byte public key is generated by the following steps. |
30 | | |
31 | | // 1. Hash the 32-byte private key using SHA-512, storing the digest in a 64-octet large buffer, denoted h. |
32 | | // Only the lower 32 bytes are used for generating the public key. |
33 | 0 | auto digest = Crypto::Hash::SHA512::hash(private_key); |
34 | | |
35 | | // NOTE: we do these steps in the opposite order (since its easier to modify s) |
36 | | // 3. Interpret the buffer as the little-endian integer, forming a secret scalar s. |
37 | 0 | memcpy(s, digest.data, 32); |
38 | | |
39 | | // 2. Prune the buffer: |
40 | | // The lowest three bits of the first octet are cleared, |
41 | 0 | s[0] &= 0xF8; |
42 | | // the highest bit of the last octet is cleared, |
43 | 0 | s[31] &= 0x7F; |
44 | | // and the second highest bit of the last octet is set. |
45 | 0 | s[31] |= 0x40; |
46 | | |
47 | | // Perform a fixed-base scalar multiplication [s]B. |
48 | 0 | point_multiply_scalar(&sb, s, &BASE_POINT); |
49 | | |
50 | | // 4. The public key A is the encoding of the point [s]B. |
51 | | // First, encode the y-coordinate (in the range 0 <= y < p) as a little-endian string of 32 octets. |
52 | | // The most significant bit of the final octet is always zero. |
53 | | // To form the encoding of the point [s]B, copy the least significant bit of the x coordinate |
54 | | // to the most significant bit of the final octet. The result is the public key. |
55 | 0 | auto public_key = TRY(ByteBuffer::create_uninitialized(key_size())); |
56 | 0 | encode_point(&sb, public_key.data()); |
57 | |
|
58 | 0 | return public_key; |
59 | 0 | } |
60 | | |
61 | | // https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.6 |
62 | | ErrorOr<ByteBuffer> Ed25519::sign(ReadonlyBytes public_key, ReadonlyBytes private_key, ReadonlyBytes message) |
63 | 0 | { |
64 | | // 1. Hash the private key, 32 octets, using SHA-512. |
65 | | // Let h denote the resulting digest. |
66 | 0 | auto h = Crypto::Hash::SHA512::hash(private_key); |
67 | | |
68 | | // Construct the secret scalar s from the first half of the digest, |
69 | 0 | memcpy(s, h.data, 32); |
70 | | // NOTE: This is done later in step 4, but we can also do it here. |
71 | 0 | s[0] &= 0xF8; |
72 | 0 | s[31] &= 0x7F; |
73 | 0 | s[31] |= 0x40; |
74 | | |
75 | | // and the corresponding public key A, as described in the previous section. |
76 | | // NOTE: The public key A is taken as input to this function. |
77 | | |
78 | | // Let prefix denote the second half of the hash digest, h[32],...,h[63]. |
79 | 0 | memcpy(p, h.data + 32, 32); |
80 | | |
81 | | // 2. Compute SHA-512(dom2(F, C) || p || PH(M)), where M is the message to be signed. |
82 | 0 | Crypto::Hash::SHA512 hash; |
83 | | // NOTE: dom2(F, C) is a blank octet string when signing or verifying Ed25519 |
84 | 0 | hash.update(p, 32); |
85 | | // NOTE: PH(M) = M |
86 | 0 | hash.update(message.data(), message.size()); |
87 | | |
88 | | // Interpret the 64-octet digest as a little-endian integer r. |
89 | | // For efficiency, do this by first reducing r modulo L, the group order of B. |
90 | 0 | auto digest = hash.digest(); |
91 | 0 | barrett_reduce(r, digest.data); |
92 | | |
93 | | // 3. Compute the point [r]B. |
94 | 0 | point_multiply_scalar(&rb, r, &BASE_POINT); |
95 | |
|
96 | 0 | auto R = TRY(ByteBuffer::create_uninitialized(32)); |
97 | | // Let the string R be the encoding of this point |
98 | 0 | encode_point(&rb, R.data()); |
99 | | |
100 | | // 4. Compute SHA512(dom2(F, C) || R || A || PH(M)), |
101 | | // NOTE: We can reuse hash here, since digest() calls reset() |
102 | | // NOTE: dom2(F, C) is a blank octet string when signing or verifying Ed25519 |
103 | 0 | hash.update(R.data(), R.size()); |
104 | | // NOTE: A == public_key |
105 | 0 | hash.update(public_key.data(), public_key.size()); |
106 | | // NOTE: PH(M) = M |
107 | 0 | hash.update(message.data(), message.size()); |
108 | |
|
109 | 0 | digest = hash.digest(); |
110 | | // and interpret the 64-octet digest as a little-endian integer k. |
111 | 0 | memcpy(k, digest.data, 64); |
112 | | |
113 | | // 5. Compute S = (r + k * s) mod L. For efficiency, again reduce k modulo L first. |
114 | 0 | barrett_reduce(p, k); |
115 | 0 | multiply(k, k + 32, p, s, 32); |
116 | 0 | barrett_reduce(p, k); |
117 | 0 | add(s, p, r, 32); |
118 | | |
119 | | // modular reduction |
120 | 0 | auto reduced_s = TRY(ByteBuffer::create_uninitialized(32)); |
121 | 0 | auto is_negative = subtract(p, s, Curve25519::BASE_POINT_L_ORDER, 32); |
122 | 0 | select(reduced_s.data(), p, s, is_negative, 32); |
123 | | |
124 | | // 6. Form the signature of the concatenation of R (32 octets) and the little-endian encoding of S |
125 | | // (32 octets; the three most significant bits of the final octet are always zero). |
126 | 0 | auto signature = TRY(ByteBuffer::copy(R)); |
127 | 0 | signature.append(reduced_s); |
128 | |
|
129 | 0 | return signature; |
130 | 0 | } |
131 | | |
132 | | // https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.7 |
133 | | bool Ed25519::verify(ReadonlyBytes public_key, ReadonlyBytes signature, ReadonlyBytes message) |
134 | 0 | { |
135 | 0 | auto not_valid = false; |
136 | | |
137 | | // 1. To verify a signature on a message M using public key A, |
138 | | // with F being 0 for Ed25519ctx, 1 for Ed25519ph, and if Ed25519ctx or Ed25519ph is being used, C being the context |
139 | | // first split the signature into two 32-octet halves. |
140 | | // If any of the decodings fail (including S being out of range), the signature is invalid. |
141 | | |
142 | | // NOTE: We dont care about F, since we dont implement Ed25519ctx or Ed25519PH |
143 | | // NOTE: C is the internal state, so its not a parameter |
144 | |
|
145 | 0 | auto half_signature_size = signature_size() / 2; |
146 | | |
147 | | // Decode the first half as a point R |
148 | 0 | memcpy(r, signature.data(), half_signature_size); |
149 | | |
150 | | // and the second half as an integer S, in the range 0 <= s < L. |
151 | 0 | memcpy(s, signature.data() + half_signature_size, half_signature_size); |
152 | | |
153 | | // NOTE: Ed25519 and Ed448 signatures are not malleable due to the verification check that decoded S is smaller than l. |
154 | | // Without this check, one can add a multiple of l into a scalar part and still pass signature verification, |
155 | | // resulting in malleable signatures. |
156 | 0 | auto is_negative = subtract(p, s, Curve25519::BASE_POINT_L_ORDER, half_signature_size); |
157 | 0 | not_valid |= 1 ^ is_negative; |
158 | | |
159 | | // Decode the public key A as point A'. |
160 | 0 | not_valid |= decode_point(&ka, public_key.data()); |
161 | | |
162 | | // 2. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the 64-octet digest as a little-endian integer k. |
163 | 0 | Crypto::Hash::SHA512 hash; |
164 | | // NOTE: dom2(F, C) is a blank octet string when signing or verifying Ed25519 |
165 | 0 | hash.update(r, half_signature_size); |
166 | | // NOTE: A == public_key |
167 | 0 | hash.update(public_key.data(), key_size()); |
168 | | // NOTE: PH(M) = M |
169 | 0 | hash.update(message.data(), message.size()); |
170 | |
|
171 | 0 | auto digest = hash.digest(); |
172 | 0 | auto k = digest.data; |
173 | | |
174 | | // 3. Check the group equation [8][S]B = [8]R + [8][k]A'. |
175 | | // It's sufficient, but not required, to instead check [S]B = R + [k]A'. |
176 | | // NOTE: For efficiency, do this by first reducing k modulo L. |
177 | 0 | barrett_reduce(k, k); |
178 | | |
179 | | // NOTE: We check [S]B - [k]A' == R |
180 | 0 | Curve25519::modular_subtract(ka.x, Curve25519::ZERO, ka.x); |
181 | 0 | Curve25519::modular_subtract(ka.t, Curve25519::ZERO, ka.t); |
182 | 0 | point_multiply_scalar(&sb, s, &BASE_POINT); |
183 | 0 | point_multiply_scalar(&ka, k, &ka); |
184 | 0 | point_add(&ka, &sb, &ka); |
185 | 0 | encode_point(&ka, p); |
186 | |
|
187 | 0 | not_valid |= compare(p, r, half_signature_size); |
188 | |
|
189 | 0 | return !not_valid; |
190 | 0 | } |
191 | | |
192 | | void Ed25519::point_double(Ed25519Point* result, Ed25519Point const* point) |
193 | 0 | { |
194 | 0 | Curve25519::modular_square(a, point->x); |
195 | 0 | Curve25519::modular_square(b, point->y); |
196 | 0 | Curve25519::modular_square(c, point->z); |
197 | 0 | Curve25519::modular_add(c, c, c); |
198 | 0 | Curve25519::modular_add(e, a, b); |
199 | 0 | Curve25519::modular_add(f, point->x, point->y); |
200 | 0 | Curve25519::modular_square(f, f); |
201 | 0 | Curve25519::modular_subtract(f, e, f); |
202 | 0 | Curve25519::modular_subtract(g, a, b); |
203 | 0 | Curve25519::modular_add(h, c, g); |
204 | 0 | Curve25519::modular_multiply(result->x, f, h); |
205 | 0 | Curve25519::modular_multiply(result->y, e, g); |
206 | 0 | Curve25519::modular_multiply(result->z, g, h); |
207 | 0 | Curve25519::modular_multiply(result->t, e, f); |
208 | 0 | } |
209 | | |
210 | | void Ed25519::point_multiply_scalar(Ed25519Point* result, u8 const* scalar, Ed25519Point const* point) |
211 | 0 | { |
212 | | // Set U to the neutral element (0, 1, 1, 0) |
213 | 0 | Curve25519::set(u.x, 0); |
214 | 0 | Curve25519::set(u.y, 1); |
215 | 0 | Curve25519::set(u.z, 1); |
216 | 0 | Curve25519::set(u.t, 0); |
217 | |
|
218 | 0 | for (i32 i = Curve25519::BITS - 1; i >= 0; i--) { |
219 | 0 | u8 b = (scalar[i / 8] >> (i % 8)) & 1; |
220 | | |
221 | | // Compute U = 2 * U |
222 | 0 | point_double(&u, &u); |
223 | | // Compute V = U + P |
224 | 0 | point_add(&v, &u, point); |
225 | | |
226 | | // If b is set, then U = V |
227 | 0 | Curve25519::select(u.x, u.x, v.x, b); |
228 | 0 | Curve25519::select(u.y, u.y, v.y, b); |
229 | 0 | Curve25519::select(u.z, u.z, v.z, b); |
230 | 0 | Curve25519::select(u.t, u.t, v.t, b); |
231 | 0 | } |
232 | |
|
233 | 0 | Curve25519::copy(result->x, u.x); |
234 | 0 | Curve25519::copy(result->y, u.y); |
235 | 0 | Curve25519::copy(result->z, u.z); |
236 | 0 | Curve25519::copy(result->t, u.t); |
237 | 0 | } |
238 | | |
239 | | // https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.2 |
240 | | void Ed25519::encode_point(Ed25519Point* point, u8* data) |
241 | 0 | { |
242 | | // Retrieve affine representation |
243 | 0 | Curve25519::modular_multiply_inverse(point->z, point->z); |
244 | 0 | Curve25519::modular_multiply(point->x, point->x, point->z); |
245 | 0 | Curve25519::modular_multiply(point->y, point->y, point->z); |
246 | 0 | Curve25519::set(point->z, 1); |
247 | 0 | Curve25519::modular_multiply(point->t, point->x, point->y); |
248 | | |
249 | | // First, encode the y-coordinate (in the range 0 <= y < p) as a little-endian string of 32 octets. |
250 | | // The most significant bit of the final octet is always zero. |
251 | 0 | Curve25519::export_state(point->y, data); |
252 | | |
253 | | // To form the encoding of the point [s]B, |
254 | | // copy the least significant bit of the x coordinate to the most significant bit of the final octet. |
255 | 0 | data[31] |= (point->x[0] & 1) << 7; |
256 | 0 | } |
257 | | |
258 | | void Ed25519::barrett_reduce(u8* result, u8 const* input) |
259 | 0 | { |
260 | | // Barrett reduction b = 2^8 && k = 32 |
261 | 0 | u8 is_negative; |
262 | 0 | u8 u[33]; |
263 | 0 | u8 v[33]; |
264 | |
|
265 | 0 | multiply(NULL, u, input + 31, Curve25519::BARRETT_REDUCTION_QUOTIENT, 33); |
266 | 0 | multiply(v, NULL, u, Curve25519::BASE_POINT_L_ORDER, 33); |
267 | |
|
268 | 0 | subtract(u, input, v, 33); |
269 | |
|
270 | 0 | is_negative = subtract(v, u, Curve25519::BASE_POINT_L_ORDER, 33); |
271 | 0 | select(u, v, u, is_negative, 33); |
272 | 0 | is_negative = subtract(v, u, Curve25519::BASE_POINT_L_ORDER, 33); |
273 | 0 | select(u, v, u, is_negative, 33); |
274 | |
|
275 | 0 | copy(result, u, 32); |
276 | 0 | } |
277 | | |
278 | | void Ed25519::multiply(u8* result_low, u8* result_high, u8 const* a, u8 const* b, u8 n) |
279 | 0 | { |
280 | | // Comba's algorithm |
281 | 0 | u32 temp = 0; |
282 | 0 | for (u32 i = 0; i < n; i++) { |
283 | 0 | for (u32 j = 0; j <= i; j++) { |
284 | 0 | temp += (uint16_t)a[j] * b[i - j]; |
285 | 0 | } |
286 | |
|
287 | 0 | if (result_low != NULL) { |
288 | 0 | result_low[i] = temp & 0xFF; |
289 | 0 | } |
290 | |
|
291 | 0 | temp >>= 8; |
292 | 0 | } |
293 | |
|
294 | 0 | if (result_high != NULL) { |
295 | 0 | for (u32 i = n; i < (2 * n); i++) { |
296 | 0 | for (u32 j = i + 1 - n; j < n; j++) { |
297 | 0 | temp += (uint16_t)a[j] * b[i - j]; |
298 | 0 | } |
299 | |
|
300 | 0 | result_high[i - n] = temp & 0xFF; |
301 | 0 | temp >>= 8; |
302 | 0 | } |
303 | 0 | } |
304 | 0 | } |
305 | | |
306 | | void Ed25519::add(u8* result, u8 const* a, u8 const* b, u8 n) |
307 | 0 | { |
308 | | // Compute R = A + B |
309 | 0 | u16 temp = 0; |
310 | 0 | for (u8 i = 0; i < n; i++) { |
311 | 0 | temp += a[i]; |
312 | 0 | temp += b[i]; |
313 | 0 | result[i] = temp & 0xFF; |
314 | 0 | temp >>= 8; |
315 | 0 | } |
316 | 0 | } |
317 | | |
318 | | u8 Ed25519::subtract(u8* result, u8 const* a, u8 const* b, u8 n) |
319 | 0 | { |
320 | 0 | i16 temp = 0; |
321 | | |
322 | | // Compute R = A - B |
323 | 0 | for (i8 i = 0; i < n; i++) { |
324 | 0 | temp += a[i]; |
325 | 0 | temp -= b[i]; |
326 | 0 | result[i] = temp & 0xFF; |
327 | 0 | temp >>= 8; |
328 | 0 | } |
329 | | |
330 | | // Return 1 if the result of the subtraction is negative |
331 | 0 | return temp & 1; |
332 | 0 | } |
333 | | |
334 | | void Ed25519::select(u8* r, u8 const* a, u8 const* b, u8 c, u8 n) |
335 | 0 | { |
336 | 0 | u8 mask = c - 1; |
337 | 0 | for (u8 i = 0; i < n; i++) { |
338 | 0 | r[i] = (a[i] & mask) | (b[i] & ~mask); |
339 | 0 | } |
340 | 0 | } |
341 | | |
342 | | // https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.3 |
343 | | u32 Ed25519::decode_point(Ed25519Point* point, u8 const* data) |
344 | 0 | { |
345 | 0 | u32 u[8]; |
346 | 0 | u32 v[8]; |
347 | 0 | u32 ret; |
348 | 0 | u64 temp = 19; |
349 | | |
350 | | // 1. First, interpret the string as an integer in little-endian representation. |
351 | | // Bit 255 of this number is the least significant bit of the x-coordinate and denote this value x_0. |
352 | 0 | u8 x0 = data[31] >> 7; |
353 | | |
354 | | // The y-coordinate is recovered simply by clearing this bit. |
355 | 0 | Curve25519::import_state(point->y, data); |
356 | 0 | point->y[7] &= 0x7FFFFFFF; |
357 | | |
358 | | // Compute U = Y + 19 |
359 | 0 | for (u32 i = 0; i < 8; i++) { |
360 | 0 | temp += point->y[i]; |
361 | 0 | u[i] = temp & 0xFFFFFFFF; |
362 | 0 | temp >>= 32; |
363 | 0 | } |
364 | | |
365 | | // If the resulting value is >= p, decoding fails. |
366 | 0 | ret = (u[7] >> 31) & 1; |
367 | | |
368 | | // 2. To recover the x-coordinate, the curve equation implies x^2 = (y^2 - 1) / (d y^2 + 1) (mod p). |
369 | | // The denominator is always non-zero mod p. |
370 | | // Let u = y^2 - 1 and v = d * y^2 + 1 |
371 | 0 | Curve25519::modular_square(v, point->y); |
372 | 0 | Curve25519::modular_subtract_single(u, v, 1); |
373 | 0 | Curve25519::modular_multiply(v, v, Curve25519::CURVE_D); |
374 | 0 | Curve25519::modular_add_single(v, v, 1); |
375 | | |
376 | | // 3. Compute u = sqrt(u / v) |
377 | 0 | ret |= Curve25519::modular_square_root(u, u, v); |
378 | | |
379 | | // If x = 0, and x_0 = 1, decoding fails. |
380 | 0 | ret |= (Curve25519::compare(u, Curve25519::ZERO) ^ 1) & x0; |
381 | | |
382 | | // 4. Finally, use the x_0 bit to select the right square root. |
383 | 0 | Curve25519::modular_subtract(v, Curve25519::ZERO, u); |
384 | 0 | Curve25519::select(point->x, u, v, (x0 ^ u[0]) & 1); |
385 | 0 | Curve25519::set(point->z, 1); |
386 | 0 | Curve25519::modular_multiply(point->t, point->x, point->y); |
387 | | |
388 | | // Return 0 if the point has been successfully decoded, else 1 |
389 | 0 | return ret; |
390 | 0 | } |
391 | | |
392 | | void Ed25519::point_add(Ed25519Point* result, Ed25519Point const* p, Ed25519Point const* q) |
393 | 0 | { |
394 | | // Compute R = P + Q |
395 | 0 | Curve25519::modular_add(c, p->y, p->x); |
396 | 0 | Curve25519::modular_add(d, q->y, q->x); |
397 | 0 | Curve25519::modular_multiply(a, c, d); |
398 | 0 | Curve25519::modular_subtract(c, p->y, p->x); |
399 | 0 | Curve25519::modular_subtract(d, q->y, q->x); |
400 | 0 | Curve25519::modular_multiply(b, c, d); |
401 | 0 | Curve25519::modular_multiply(c, p->z, q->z); |
402 | 0 | Curve25519::modular_add(c, c, c); |
403 | 0 | Curve25519::modular_multiply(d, p->t, q->t); |
404 | 0 | Curve25519::modular_multiply(d, d, Curve25519::CURVE_D_2); |
405 | 0 | Curve25519::modular_add(e, a, b); |
406 | 0 | Curve25519::modular_subtract(f, a, b); |
407 | 0 | Curve25519::modular_add(g, c, d); |
408 | 0 | Curve25519::modular_subtract(h, c, d); |
409 | 0 | Curve25519::modular_multiply(result->x, f, h); |
410 | 0 | Curve25519::modular_multiply(result->y, e, g); |
411 | 0 | Curve25519::modular_multiply(result->z, g, h); |
412 | 0 | Curve25519::modular_multiply(result->t, e, f); |
413 | 0 | } |
414 | | |
415 | | u8 Ed25519::compare(u8 const* a, u8 const* b, u8 n) |
416 | 0 | { |
417 | 0 | u8 mask = 0; |
418 | 0 | for (u32 i = 0; i < n; i++) { |
419 | 0 | mask |= a[i] ^ b[i]; |
420 | 0 | } |
421 | | |
422 | | // Return 0 if A = B, else 1 |
423 | 0 | return ((u8)(mask | (~mask + 1))) >> 7; |
424 | 0 | } |
425 | | |
426 | | void Ed25519::copy(u8* a, u8 const* b, u32 n) |
427 | 0 | { |
428 | 0 | for (u32 i = 0; i < n; i++) { |
429 | 0 | a[i] = b[i]; |
430 | 0 | } |
431 | 0 | } |
432 | | |
433 | | } |