/src/openssl/crypto/ec/curve448/eddsa.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright 2015-2016 Cryptography Research, Inc. |
4 | | * |
5 | | * Licensed under the OpenSSL license (the "License"). You may not use |
6 | | * this file except in compliance with the License. You can obtain a copy |
7 | | * in the file LICENSE in the source distribution or at |
8 | | * https://www.openssl.org/source/license.html |
9 | | * |
10 | | * Originally written by Mike Hamburg |
11 | | */ |
12 | | #include <string.h> |
13 | | #include <openssl/crypto.h> |
14 | | #include <openssl/evp.h> |
15 | | #include "curve448_lcl.h" |
16 | | #include "word.h" |
17 | | #include "ed448.h" |
18 | | #include "internal/numbers.h" |
19 | | |
20 | 0 | #define COFACTOR 4 |
21 | | |
22 | | static c448_error_t oneshot_hash(uint8_t *out, size_t outlen, |
23 | | const uint8_t *in, size_t inlen) |
24 | 0 | { |
25 | 0 | EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); |
26 | 0 |
|
27 | 0 | if (hashctx == NULL) |
28 | 0 | return C448_FAILURE; |
29 | 0 | |
30 | 0 | if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) |
31 | 0 | || !EVP_DigestUpdate(hashctx, in, inlen) |
32 | 0 | || !EVP_DigestFinalXOF(hashctx, out, outlen)) { |
33 | 0 | EVP_MD_CTX_free(hashctx); |
34 | 0 | return C448_FAILURE; |
35 | 0 | } |
36 | 0 | |
37 | 0 | EVP_MD_CTX_free(hashctx); |
38 | 0 | return C448_SUCCESS; |
39 | 0 | } |
40 | | |
41 | | static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES]) |
42 | 0 | { |
43 | 0 | secret_scalar_ser[0] &= -COFACTOR; |
44 | 0 | secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0; |
45 | 0 | secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; |
46 | 0 | } |
47 | | |
48 | | static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed, |
49 | | uint8_t for_prehash, |
50 | | const uint8_t *context, |
51 | | size_t context_len) |
52 | 0 | { |
53 | 0 | const char *dom_s = "SigEd448"; |
54 | 0 | uint8_t dom[2]; |
55 | 0 |
|
56 | 0 | if (context_len > UINT8_MAX) |
57 | 0 | return C448_FAILURE; |
58 | 0 | |
59 | 0 | dom[0] = (uint8_t)(2 - (prehashed == 0 ? 1 : 0) |
60 | 0 | - (for_prehash == 0 ? 1 : 0)); |
61 | 0 | dom[1] = (uint8_t)context_len; |
62 | 0 |
|
63 | 0 | if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) |
64 | 0 | || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s)) |
65 | 0 | || !EVP_DigestUpdate(hashctx, dom, sizeof(dom)) |
66 | 0 | || !EVP_DigestUpdate(hashctx, context, context_len)) |
67 | 0 | return C448_FAILURE; |
68 | 0 | |
69 | 0 | return C448_SUCCESS; |
70 | 0 | } |
71 | | |
72 | | /* In this file because it uses the hash */ |
73 | | c448_error_t c448_ed448_convert_private_key_to_x448( |
74 | | uint8_t x[X448_PRIVATE_BYTES], |
75 | | const uint8_t ed [EDDSA_448_PRIVATE_BYTES]) |
76 | 0 | { |
77 | 0 | /* pass the private key through oneshot_hash function */ |
78 | 0 | /* and keep the first X448_PRIVATE_BYTES bytes */ |
79 | 0 | return oneshot_hash(x, X448_PRIVATE_BYTES, ed, |
80 | 0 | EDDSA_448_PRIVATE_BYTES); |
81 | 0 | } |
82 | | |
83 | | c448_error_t c448_ed448_derive_public_key( |
84 | | uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], |
85 | | const uint8_t privkey[EDDSA_448_PRIVATE_BYTES]) |
86 | 0 | { |
87 | 0 | /* only this much used for keygen */ |
88 | 0 | uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES]; |
89 | 0 | curve448_scalar_t secret_scalar; |
90 | 0 | unsigned int c; |
91 | 0 | curve448_point_t p; |
92 | 0 |
|
93 | 0 | if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey, |
94 | 0 | EDDSA_448_PRIVATE_BYTES)) |
95 | 0 | return C448_FAILURE; |
96 | 0 | |
97 | 0 | clamp(secret_scalar_ser); |
98 | 0 |
|
99 | 0 | curve448_scalar_decode_long(secret_scalar, secret_scalar_ser, |
100 | 0 | sizeof(secret_scalar_ser)); |
101 | 0 |
|
102 | 0 | /* |
103 | 0 | * Since we are going to mul_by_cofactor during encoding, divide by it |
104 | 0 | * here. However, the EdDSA base point is not the same as the decaf base |
105 | 0 | * point if the sigma isogeny is in use: the EdDSA base point is on |
106 | 0 | * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when |
107 | 0 | * converted it effectively picks up a factor of 2 from the isogenies. So |
108 | 0 | * we might start at 2 instead of 1. |
109 | 0 | */ |
110 | 0 | for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) |
111 | 0 | curve448_scalar_halve(secret_scalar, secret_scalar); |
112 | 0 |
|
113 | 0 | curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar); |
114 | 0 |
|
115 | 0 | curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p); |
116 | 0 |
|
117 | 0 | /* Cleanup */ |
118 | 0 | curve448_scalar_destroy(secret_scalar); |
119 | 0 | curve448_point_destroy(p); |
120 | 0 | OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser)); |
121 | 0 |
|
122 | 0 | return C448_SUCCESS; |
123 | 0 | } |
124 | | |
125 | | c448_error_t c448_ed448_sign( |
126 | | uint8_t signature[EDDSA_448_SIGNATURE_BYTES], |
127 | | const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], |
128 | | const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], |
129 | | const uint8_t *message, size_t message_len, |
130 | | uint8_t prehashed, const uint8_t *context, |
131 | | size_t context_len) |
132 | 0 | { |
133 | 0 | curve448_scalar_t secret_scalar; |
134 | 0 | EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); |
135 | 0 | c448_error_t ret = C448_FAILURE; |
136 | 0 | curve448_scalar_t nonce_scalar; |
137 | 0 | uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 }; |
138 | 0 | unsigned int c; |
139 | 0 | curve448_scalar_t challenge_scalar; |
140 | 0 |
|
141 | 0 | if (hashctx == NULL) |
142 | 0 | return C448_FAILURE; |
143 | 0 | |
144 | 0 | { |
145 | 0 | /* |
146 | 0 | * Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialised |
147 | 0 | * secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed. |
148 | 0 | */ |
149 | 0 | uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2]; |
150 | 0 |
|
151 | 0 | if (!oneshot_hash(expanded, sizeof(expanded), privkey, |
152 | 0 | EDDSA_448_PRIVATE_BYTES)) |
153 | 0 | goto err; |
154 | 0 | clamp(expanded); |
155 | 0 | curve448_scalar_decode_long(secret_scalar, expanded, |
156 | 0 | EDDSA_448_PRIVATE_BYTES); |
157 | 0 |
|
158 | 0 | /* Hash to create the nonce */ |
159 | 0 | if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len) |
160 | 0 | || !EVP_DigestUpdate(hashctx, |
161 | 0 | expanded + EDDSA_448_PRIVATE_BYTES, |
162 | 0 | EDDSA_448_PRIVATE_BYTES) |
163 | 0 | || !EVP_DigestUpdate(hashctx, message, message_len)) { |
164 | 0 | OPENSSL_cleanse(expanded, sizeof(expanded)); |
165 | 0 | goto err; |
166 | 0 | } |
167 | 0 | OPENSSL_cleanse(expanded, sizeof(expanded)); |
168 | 0 | } |
169 | 0 |
|
170 | 0 | /* Decode the nonce */ |
171 | 0 | { |
172 | 0 | uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES]; |
173 | 0 |
|
174 | 0 | if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce))) |
175 | 0 | goto err; |
176 | 0 | curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce)); |
177 | 0 | OPENSSL_cleanse(nonce, sizeof(nonce)); |
178 | 0 | } |
179 | 0 |
|
180 | 0 | { |
181 | 0 | /* Scalarmul to create the nonce-point */ |
182 | 0 | curve448_scalar_t nonce_scalar_2; |
183 | 0 | curve448_point_t p; |
184 | 0 |
|
185 | 0 | curve448_scalar_halve(nonce_scalar_2, nonce_scalar); |
186 | 0 | for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) |
187 | 0 | curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2); |
188 | 0 |
|
189 | 0 | curve448_precomputed_scalarmul(p, curve448_precomputed_base, |
190 | 0 | nonce_scalar_2); |
191 | 0 | curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p); |
192 | 0 | curve448_point_destroy(p); |
193 | 0 | curve448_scalar_destroy(nonce_scalar_2); |
194 | 0 | } |
195 | 0 |
|
196 | 0 | { |
197 | 0 | uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES]; |
198 | 0 |
|
199 | 0 | /* Compute the challenge */ |
200 | 0 | if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len) |
201 | 0 | || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point)) |
202 | 0 | || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES) |
203 | 0 | || !EVP_DigestUpdate(hashctx, message, message_len) |
204 | 0 | || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) |
205 | 0 | goto err; |
206 | 0 | |
207 | 0 | curve448_scalar_decode_long(challenge_scalar, challenge, |
208 | 0 | sizeof(challenge)); |
209 | 0 | OPENSSL_cleanse(challenge, sizeof(challenge)); |
210 | 0 | } |
211 | 0 |
|
212 | 0 | curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar); |
213 | 0 | curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar); |
214 | 0 |
|
215 | 0 | OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES); |
216 | 0 | memcpy(signature, nonce_point, sizeof(nonce_point)); |
217 | 0 | curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES], |
218 | 0 | challenge_scalar); |
219 | 0 |
|
220 | 0 | curve448_scalar_destroy(secret_scalar); |
221 | 0 | curve448_scalar_destroy(nonce_scalar); |
222 | 0 | curve448_scalar_destroy(challenge_scalar); |
223 | 0 |
|
224 | 0 | ret = C448_SUCCESS; |
225 | 0 | err: |
226 | 0 | EVP_MD_CTX_free(hashctx); |
227 | 0 | return ret; |
228 | 0 | } |
229 | | |
230 | | c448_error_t c448_ed448_sign_prehash( |
231 | | uint8_t signature[EDDSA_448_SIGNATURE_BYTES], |
232 | | const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], |
233 | | const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], |
234 | | const uint8_t hash[64], const uint8_t *context, |
235 | | size_t context_len) |
236 | 0 | { |
237 | 0 | return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context, |
238 | 0 | context_len); |
239 | 0 | } |
240 | | |
241 | | c448_error_t c448_ed448_verify( |
242 | | const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], |
243 | | const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], |
244 | | const uint8_t *message, size_t message_len, |
245 | | uint8_t prehashed, const uint8_t *context, |
246 | | uint8_t context_len) |
247 | 0 | { |
248 | 0 | curve448_point_t pk_point, r_point; |
249 | 0 | c448_error_t error = |
250 | 0 | curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey); |
251 | 0 | curve448_scalar_t challenge_scalar; |
252 | 0 | curve448_scalar_t response_scalar; |
253 | 0 |
|
254 | 0 | if (C448_SUCCESS != error) |
255 | 0 | return error; |
256 | 0 | |
257 | 0 | error = |
258 | 0 | curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature); |
259 | 0 | if (C448_SUCCESS != error) |
260 | 0 | return error; |
261 | 0 | |
262 | 0 | { |
263 | 0 | /* Compute the challenge */ |
264 | 0 | EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); |
265 | 0 | uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES]; |
266 | 0 |
|
267 | 0 | if (hashctx == NULL |
268 | 0 | || !hash_init_with_dom(hashctx, prehashed, 0, context, |
269 | 0 | context_len) |
270 | 0 | || !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES) |
271 | 0 | || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES) |
272 | 0 | || !EVP_DigestUpdate(hashctx, message, message_len) |
273 | 0 | || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) { |
274 | 0 | EVP_MD_CTX_free(hashctx); |
275 | 0 | return C448_FAILURE; |
276 | 0 | } |
277 | 0 | |
278 | 0 | EVP_MD_CTX_free(hashctx); |
279 | 0 | curve448_scalar_decode_long(challenge_scalar, challenge, |
280 | 0 | sizeof(challenge)); |
281 | 0 | OPENSSL_cleanse(challenge, sizeof(challenge)); |
282 | 0 | } |
283 | 0 | curve448_scalar_sub(challenge_scalar, curve448_scalar_zero, |
284 | 0 | challenge_scalar); |
285 | 0 |
|
286 | 0 | curve448_scalar_decode_long(response_scalar, |
287 | 0 | &signature[EDDSA_448_PUBLIC_BYTES], |
288 | 0 | EDDSA_448_PRIVATE_BYTES); |
289 | 0 |
|
290 | 0 | /* pk_point = -c(x(P)) + (cx + k)G = kG */ |
291 | 0 | curve448_base_double_scalarmul_non_secret(pk_point, |
292 | 0 | response_scalar, |
293 | 0 | pk_point, challenge_scalar); |
294 | 0 | return c448_succeed_if(curve448_point_eq(pk_point, r_point)); |
295 | 0 | } |
296 | | |
297 | | c448_error_t c448_ed448_verify_prehash( |
298 | | const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], |
299 | | const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], |
300 | | const uint8_t hash[64], const uint8_t *context, |
301 | | uint8_t context_len) |
302 | 0 | { |
303 | 0 | return c448_ed448_verify(signature, pubkey, hash, 64, 1, context, |
304 | 0 | context_len); |
305 | 0 | } |
306 | | |
307 | | int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, |
308 | | const uint8_t public_key[57], const uint8_t private_key[57], |
309 | | const uint8_t *context, size_t context_len) |
310 | 0 | { |
311 | 0 | return c448_ed448_sign(out_sig, private_key, public_key, message, |
312 | 0 | message_len, 0, context, context_len) |
313 | 0 | == C448_SUCCESS; |
314 | 0 | } |
315 | | |
316 | | int ED448_verify(const uint8_t *message, size_t message_len, |
317 | | const uint8_t signature[114], const uint8_t public_key[57], |
318 | | const uint8_t *context, size_t context_len) |
319 | 0 | { |
320 | 0 | return c448_ed448_verify(signature, public_key, message, message_len, 0, |
321 | 0 | context, (uint8_t)context_len) == C448_SUCCESS; |
322 | 0 | } |
323 | | |
324 | | int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64], |
325 | | const uint8_t public_key[57], const uint8_t private_key[57], |
326 | | const uint8_t *context, size_t context_len) |
327 | 0 | { |
328 | 0 | return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash, |
329 | 0 | context, context_len) == C448_SUCCESS; |
330 | 0 |
|
331 | 0 | } |
332 | | |
333 | | int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114], |
334 | | const uint8_t public_key[57], const uint8_t *context, |
335 | | size_t context_len) |
336 | 0 | { |
337 | 0 | return c448_ed448_verify_prehash(signature, public_key, hash, context, |
338 | 0 | (uint8_t)context_len) == C448_SUCCESS; |
339 | 0 | } |
340 | | |
341 | | int ED448_public_from_private(uint8_t out_public_key[57], |
342 | | const uint8_t private_key[57]) |
343 | 0 | { |
344 | 0 | return c448_ed448_derive_public_key(out_public_key, private_key) |
345 | 0 | == C448_SUCCESS; |
346 | 0 | } |