2
0

eddsa.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377
  1. /*
  2. * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright 2015-2016 Cryptography Research, Inc.
  4. *
  5. * Licensed under the OpenSSL license (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or at
  8. * https://www.openssl.org/source/license.html
  9. *
  10. * Originally written by Mike Hamburg
  11. */
  12. #include <string.h>
  13. #include <openssl/crypto.h>
  14. #include <openssl/evp.h>
  15. #include "curve448_local.h"
  16. #include "word.h"
  17. #include "ed448.h"
  18. #include "internal/numbers.h"
  19. #define COFACTOR 4
  20. static c448_error_t oneshot_hash(uint8_t *out, size_t outlen,
  21. const uint8_t *in, size_t inlen)
  22. {
  23. EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
  24. if (hashctx == NULL)
  25. return C448_FAILURE;
  26. if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
  27. || !EVP_DigestUpdate(hashctx, in, inlen)
  28. || !EVP_DigestFinalXOF(hashctx, out, outlen)) {
  29. EVP_MD_CTX_free(hashctx);
  30. return C448_FAILURE;
  31. }
  32. EVP_MD_CTX_free(hashctx);
  33. return C448_SUCCESS;
  34. }
  35. static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
  36. {
  37. secret_scalar_ser[0] &= -COFACTOR;
  38. secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
  39. secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
  40. }
  41. static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed,
  42. uint8_t for_prehash,
  43. const uint8_t *context,
  44. size_t context_len)
  45. {
  46. #ifdef CHARSET_EBCDIC
  47. const char dom_s[] = {0x53, 0x69, 0x67, 0x45,
  48. 0x64, 0x34, 0x34, 0x38, 0x00};
  49. #else
  50. const char dom_s[] = "SigEd448";
  51. #endif
  52. uint8_t dom[2];
  53. if (context_len > UINT8_MAX)
  54. return C448_FAILURE;
  55. dom[0] = (uint8_t)(2 - (prehashed == 0 ? 1 : 0)
  56. - (for_prehash == 0 ? 1 : 0));
  57. dom[1] = (uint8_t)context_len;
  58. if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
  59. || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
  60. || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
  61. || !EVP_DigestUpdate(hashctx, context, context_len))
  62. return C448_FAILURE;
  63. return C448_SUCCESS;
  64. }
  65. /* In this file because it uses the hash */
  66. c448_error_t c448_ed448_convert_private_key_to_x448(
  67. uint8_t x[X448_PRIVATE_BYTES],
  68. const uint8_t ed [EDDSA_448_PRIVATE_BYTES])
  69. {
  70. /* pass the private key through oneshot_hash function */
  71. /* and keep the first X448_PRIVATE_BYTES bytes */
  72. return oneshot_hash(x, X448_PRIVATE_BYTES, ed,
  73. EDDSA_448_PRIVATE_BYTES);
  74. }
  75. c448_error_t c448_ed448_derive_public_key(
  76. uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  77. const uint8_t privkey[EDDSA_448_PRIVATE_BYTES])
  78. {
  79. /* only this much used for keygen */
  80. uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
  81. curve448_scalar_t secret_scalar;
  82. unsigned int c;
  83. curve448_point_t p;
  84. if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
  85. EDDSA_448_PRIVATE_BYTES))
  86. return C448_FAILURE;
  87. clamp(secret_scalar_ser);
  88. curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
  89. sizeof(secret_scalar_ser));
  90. /*
  91. * Since we are going to mul_by_cofactor during encoding, divide by it
  92. * here. However, the EdDSA base point is not the same as the decaf base
  93. * point if the sigma isogeny is in use: the EdDSA base point is on
  94. * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
  95. * converted it effectively picks up a factor of 2 from the isogenies. So
  96. * we might start at 2 instead of 1.
  97. */
  98. for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
  99. curve448_scalar_halve(secret_scalar, secret_scalar);
  100. curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);
  101. curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
  102. /* Cleanup */
  103. curve448_scalar_destroy(secret_scalar);
  104. curve448_point_destroy(p);
  105. OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
  106. return C448_SUCCESS;
  107. }
  108. c448_error_t c448_ed448_sign(
  109. uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
  110. const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
  111. const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  112. const uint8_t *message, size_t message_len,
  113. uint8_t prehashed, const uint8_t *context,
  114. size_t context_len)
  115. {
  116. curve448_scalar_t secret_scalar;
  117. EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
  118. c448_error_t ret = C448_FAILURE;
  119. curve448_scalar_t nonce_scalar;
  120. uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
  121. unsigned int c;
  122. curve448_scalar_t challenge_scalar;
  123. if (hashctx == NULL)
  124. return C448_FAILURE;
  125. {
  126. /*
  127. * Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialised
  128. * secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
  129. */
  130. uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2];
  131. if (!oneshot_hash(expanded, sizeof(expanded), privkey,
  132. EDDSA_448_PRIVATE_BYTES))
  133. goto err;
  134. clamp(expanded);
  135. curve448_scalar_decode_long(secret_scalar, expanded,
  136. EDDSA_448_PRIVATE_BYTES);
  137. /* Hash to create the nonce */
  138. if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
  139. || !EVP_DigestUpdate(hashctx,
  140. expanded + EDDSA_448_PRIVATE_BYTES,
  141. EDDSA_448_PRIVATE_BYTES)
  142. || !EVP_DigestUpdate(hashctx, message, message_len)) {
  143. OPENSSL_cleanse(expanded, sizeof(expanded));
  144. goto err;
  145. }
  146. OPENSSL_cleanse(expanded, sizeof(expanded));
  147. }
  148. /* Decode the nonce */
  149. {
  150. uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];
  151. if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
  152. goto err;
  153. curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
  154. OPENSSL_cleanse(nonce, sizeof(nonce));
  155. }
  156. {
  157. /* Scalarmul to create the nonce-point */
  158. curve448_scalar_t nonce_scalar_2;
  159. curve448_point_t p;
  160. curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
  161. for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
  162. curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
  163. curve448_precomputed_scalarmul(p, curve448_precomputed_base,
  164. nonce_scalar_2);
  165. curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
  166. curve448_point_destroy(p);
  167. curve448_scalar_destroy(nonce_scalar_2);
  168. }
  169. {
  170. uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
  171. /* Compute the challenge */
  172. if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
  173. || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
  174. || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
  175. || !EVP_DigestUpdate(hashctx, message, message_len)
  176. || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
  177. goto err;
  178. curve448_scalar_decode_long(challenge_scalar, challenge,
  179. sizeof(challenge));
  180. OPENSSL_cleanse(challenge, sizeof(challenge));
  181. }
  182. curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
  183. curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
  184. OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
  185. memcpy(signature, nonce_point, sizeof(nonce_point));
  186. curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
  187. challenge_scalar);
  188. curve448_scalar_destroy(secret_scalar);
  189. curve448_scalar_destroy(nonce_scalar);
  190. curve448_scalar_destroy(challenge_scalar);
  191. ret = C448_SUCCESS;
  192. err:
  193. EVP_MD_CTX_free(hashctx);
  194. return ret;
  195. }
  196. c448_error_t c448_ed448_sign_prehash(
  197. uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
  198. const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
  199. const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  200. const uint8_t hash[64], const uint8_t *context,
  201. size_t context_len)
  202. {
  203. return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context,
  204. context_len);
  205. }
  206. c448_error_t c448_ed448_verify(
  207. const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
  208. const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  209. const uint8_t *message, size_t message_len,
  210. uint8_t prehashed, const uint8_t *context,
  211. uint8_t context_len)
  212. {
  213. curve448_point_t pk_point, r_point;
  214. c448_error_t error;
  215. curve448_scalar_t challenge_scalar;
  216. curve448_scalar_t response_scalar;
  217. /* Order in little endian format */
  218. static const uint8_t order[] = {
  219. 0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
  220. 0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
  221. 0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
  222. 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
  223. 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
  224. };
  225. int i;
  226. /*
  227. * Check that s (second 57 bytes of the sig) is less than the order. Both
  228. * s and the order are in little-endian format. This can be done in
  229. * variable time, since if this is not the case the signature if publicly
  230. * invalid.
  231. */
  232. for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
  233. if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
  234. return C448_FAILURE;
  235. if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
  236. break;
  237. }
  238. if (i < 0)
  239. return C448_FAILURE;
  240. error =
  241. curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
  242. if (C448_SUCCESS != error)
  243. return error;
  244. error =
  245. curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
  246. if (C448_SUCCESS != error)
  247. return error;
  248. {
  249. /* Compute the challenge */
  250. EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
  251. uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
  252. if (hashctx == NULL
  253. || !hash_init_with_dom(hashctx, prehashed, 0, context,
  254. context_len)
  255. || !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES)
  256. || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
  257. || !EVP_DigestUpdate(hashctx, message, message_len)
  258. || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
  259. EVP_MD_CTX_free(hashctx);
  260. return C448_FAILURE;
  261. }
  262. EVP_MD_CTX_free(hashctx);
  263. curve448_scalar_decode_long(challenge_scalar, challenge,
  264. sizeof(challenge));
  265. OPENSSL_cleanse(challenge, sizeof(challenge));
  266. }
  267. curve448_scalar_sub(challenge_scalar, curve448_scalar_zero,
  268. challenge_scalar);
  269. curve448_scalar_decode_long(response_scalar,
  270. &signature[EDDSA_448_PUBLIC_BYTES],
  271. EDDSA_448_PRIVATE_BYTES);
  272. /* pk_point = -c(x(P)) + (cx + k)G = kG */
  273. curve448_base_double_scalarmul_non_secret(pk_point,
  274. response_scalar,
  275. pk_point, challenge_scalar);
  276. return c448_succeed_if(curve448_point_eq(pk_point, r_point));
  277. }
  278. c448_error_t c448_ed448_verify_prehash(
  279. const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
  280. const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  281. const uint8_t hash[64], const uint8_t *context,
  282. uint8_t context_len)
  283. {
  284. return c448_ed448_verify(signature, pubkey, hash, 64, 1, context,
  285. context_len);
  286. }
  287. int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
  288. const uint8_t public_key[57], const uint8_t private_key[57],
  289. const uint8_t *context, size_t context_len)
  290. {
  291. return c448_ed448_sign(out_sig, private_key, public_key, message,
  292. message_len, 0, context, context_len)
  293. == C448_SUCCESS;
  294. }
  295. int ED448_verify(const uint8_t *message, size_t message_len,
  296. const uint8_t signature[114], const uint8_t public_key[57],
  297. const uint8_t *context, size_t context_len)
  298. {
  299. return c448_ed448_verify(signature, public_key, message, message_len, 0,
  300. context, (uint8_t)context_len) == C448_SUCCESS;
  301. }
  302. int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64],
  303. const uint8_t public_key[57], const uint8_t private_key[57],
  304. const uint8_t *context, size_t context_len)
  305. {
  306. return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash,
  307. context, context_len) == C448_SUCCESS;
  308. }
  309. int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114],
  310. const uint8_t public_key[57], const uint8_t *context,
  311. size_t context_len)
  312. {
  313. return c448_ed448_verify_prehash(signature, public_key, hash, context,
  314. (uint8_t)context_len) == C448_SUCCESS;
  315. }
  316. int ED448_public_from_private(uint8_t out_public_key[57],
  317. const uint8_t private_key[57])
  318. {
  319. return c448_ed448_derive_public_key(out_public_key, private_key)
  320. == C448_SUCCESS;
  321. }