eddsa.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401
  1. /*
  2. * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright 2015-2016 Cryptography Research, Inc.
  4. *
  5. * Licensed under the Apache License 2.0 (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or at
  8. * https://www.openssl.org/source/license.html
  9. *
  10. * Originally written by Mike Hamburg
  11. */
  12. #include <string.h>
  13. #include <openssl/crypto.h>
  14. #include <openssl/evp.h>
  15. #include "crypto/ecx.h"
  16. #include "curve448_local.h"
  17. #include "word.h"
  18. #include "ed448.h"
  19. #include "internal/numbers.h"
  20. #define COFACTOR 4
  21. static c448_error_t oneshot_hash(OSSL_LIB_CTX *ctx, uint8_t *out, size_t outlen,
  22. const uint8_t *in, size_t inlen,
  23. const char *propq)
  24. {
  25. EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
  26. EVP_MD *shake256 = NULL;
  27. c448_error_t ret = C448_FAILURE;
  28. if (hashctx == NULL)
  29. return C448_FAILURE;
  30. shake256 = EVP_MD_fetch(ctx, "SHAKE256", propq);
  31. if (shake256 == NULL)
  32. goto err;
  33. if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
  34. || !EVP_DigestUpdate(hashctx, in, inlen)
  35. || !EVP_DigestFinalXOF(hashctx, out, outlen))
  36. goto err;
  37. ret = C448_SUCCESS;
  38. err:
  39. EVP_MD_CTX_free(hashctx);
  40. EVP_MD_free(shake256);
  41. return ret;
  42. }
  43. static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
  44. {
  45. secret_scalar_ser[0] &= -COFACTOR;
  46. secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
  47. secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
  48. }
  49. static c448_error_t hash_init_with_dom(OSSL_LIB_CTX *ctx, EVP_MD_CTX *hashctx,
  50. uint8_t prehashed,
  51. uint8_t for_prehash,
  52. const uint8_t *context,
  53. size_t context_len,
  54. const char *propq)
  55. {
  56. /* ASCII: "SigEd448", in hex for EBCDIC compatibility */
  57. const char dom_s[] = "\x53\x69\x67\x45\x64\x34\x34\x38";
  58. uint8_t dom[2];
  59. EVP_MD *shake256 = NULL;
  60. if (context_len > UINT8_MAX)
  61. return C448_FAILURE;
  62. dom[0] = (uint8_t)(2 - (prehashed == 0 ? 1 : 0)
  63. - (for_prehash == 0 ? 1 : 0));
  64. dom[1] = (uint8_t)context_len;
  65. shake256 = EVP_MD_fetch(ctx, "SHAKE256", propq);
  66. if (shake256 == NULL)
  67. return C448_FAILURE;
  68. if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
  69. || !EVP_DigestUpdate(hashctx, dom_s, sizeof(dom_s)-1)
  70. || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
  71. || !EVP_DigestUpdate(hashctx, context, context_len)) {
  72. EVP_MD_free(shake256);
  73. return C448_FAILURE;
  74. }
  75. EVP_MD_free(shake256);
  76. return C448_SUCCESS;
  77. }
  78. /* In this file because it uses the hash */
  79. c448_error_t
  80. ossl_c448_ed448_convert_private_key_to_x448(
  81. OSSL_LIB_CTX *ctx,
  82. uint8_t x[X448_PRIVATE_BYTES],
  83. const uint8_t ed [EDDSA_448_PRIVATE_BYTES],
  84. const char *propq)
  85. {
  86. /* pass the private key through oneshot_hash function */
  87. /* and keep the first X448_PRIVATE_BYTES bytes */
  88. return oneshot_hash(ctx, x, X448_PRIVATE_BYTES, ed,
  89. EDDSA_448_PRIVATE_BYTES, propq);
  90. }
  91. c448_error_t
  92. ossl_c448_ed448_derive_public_key(
  93. OSSL_LIB_CTX *ctx,
  94. uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  95. const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
  96. const char *propq)
  97. {
  98. /* only this much used for keygen */
  99. uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
  100. curve448_scalar_t secret_scalar;
  101. unsigned int c;
  102. curve448_point_t p;
  103. if (!oneshot_hash(ctx, secret_scalar_ser, sizeof(secret_scalar_ser),
  104. privkey,
  105. EDDSA_448_PRIVATE_BYTES,
  106. propq))
  107. return C448_FAILURE;
  108. clamp(secret_scalar_ser);
  109. ossl_curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
  110. sizeof(secret_scalar_ser));
  111. /*
  112. * Since we are going to mul_by_cofactor during encoding, divide by it
  113. * here. However, the EdDSA base point is not the same as the decaf base
  114. * point if the sigma isogeny is in use: the EdDSA base point is on
  115. * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
  116. * converted it effectively picks up a factor of 2 from the isogenies. So
  117. * we might start at 2 instead of 1.
  118. */
  119. for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
  120. ossl_curve448_scalar_halve(secret_scalar, secret_scalar);
  121. ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base,
  122. secret_scalar);
  123. ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
  124. /* Cleanup */
  125. ossl_curve448_scalar_destroy(secret_scalar);
  126. ossl_curve448_point_destroy(p);
  127. OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
  128. return C448_SUCCESS;
  129. }
  130. c448_error_t
  131. ossl_c448_ed448_sign(OSSL_LIB_CTX *ctx,
  132. uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
  133. const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
  134. const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  135. const uint8_t *message, size_t message_len,
  136. uint8_t prehashed, const uint8_t *context,
  137. size_t context_len, const char *propq)
  138. {
  139. curve448_scalar_t secret_scalar;
  140. EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
  141. c448_error_t ret = C448_FAILURE;
  142. curve448_scalar_t nonce_scalar;
  143. uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
  144. unsigned int c;
  145. curve448_scalar_t challenge_scalar;
  146. if (hashctx == NULL)
  147. return C448_FAILURE;
  148. {
  149. /*
  150. * Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialized
  151. * secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
  152. */
  153. uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2];
  154. if (!oneshot_hash(ctx, expanded, sizeof(expanded), privkey,
  155. EDDSA_448_PRIVATE_BYTES, propq))
  156. goto err;
  157. clamp(expanded);
  158. ossl_curve448_scalar_decode_long(secret_scalar, expanded,
  159. EDDSA_448_PRIVATE_BYTES);
  160. /* Hash to create the nonce */
  161. if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
  162. context_len, propq)
  163. || !EVP_DigestUpdate(hashctx,
  164. expanded + EDDSA_448_PRIVATE_BYTES,
  165. EDDSA_448_PRIVATE_BYTES)
  166. || !EVP_DigestUpdate(hashctx, message, message_len)) {
  167. OPENSSL_cleanse(expanded, sizeof(expanded));
  168. goto err;
  169. }
  170. OPENSSL_cleanse(expanded, sizeof(expanded));
  171. }
  172. /* Decode the nonce */
  173. {
  174. uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];
  175. if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
  176. goto err;
  177. ossl_curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
  178. OPENSSL_cleanse(nonce, sizeof(nonce));
  179. }
  180. {
  181. /* Scalarmul to create the nonce-point */
  182. curve448_scalar_t nonce_scalar_2;
  183. curve448_point_t p;
  184. ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
  185. for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
  186. ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
  187. ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base,
  188. nonce_scalar_2);
  189. ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
  190. ossl_curve448_point_destroy(p);
  191. ossl_curve448_scalar_destroy(nonce_scalar_2);
  192. }
  193. {
  194. uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
  195. /* Compute the challenge */
  196. if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context, context_len,
  197. propq)
  198. || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
  199. || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
  200. || !EVP_DigestUpdate(hashctx, message, message_len)
  201. || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
  202. goto err;
  203. ossl_curve448_scalar_decode_long(challenge_scalar, challenge,
  204. sizeof(challenge));
  205. OPENSSL_cleanse(challenge, sizeof(challenge));
  206. }
  207. ossl_curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
  208. ossl_curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
  209. OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
  210. memcpy(signature, nonce_point, sizeof(nonce_point));
  211. ossl_curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
  212. challenge_scalar);
  213. ossl_curve448_scalar_destroy(secret_scalar);
  214. ossl_curve448_scalar_destroy(nonce_scalar);
  215. ossl_curve448_scalar_destroy(challenge_scalar);
  216. ret = C448_SUCCESS;
  217. err:
  218. EVP_MD_CTX_free(hashctx);
  219. return ret;
  220. }
  221. c448_error_t
  222. ossl_c448_ed448_sign_prehash(
  223. OSSL_LIB_CTX *ctx,
  224. uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
  225. const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
  226. const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  227. const uint8_t hash[64], const uint8_t *context,
  228. size_t context_len, const char *propq)
  229. {
  230. return ossl_c448_ed448_sign(ctx, signature, privkey, pubkey, hash, 64, 1,
  231. context, context_len, propq);
  232. }
  233. c448_error_t
  234. ossl_c448_ed448_verify(
  235. OSSL_LIB_CTX *ctx,
  236. const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
  237. const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  238. const uint8_t *message, size_t message_len,
  239. uint8_t prehashed, const uint8_t *context,
  240. uint8_t context_len, const char *propq)
  241. {
  242. curve448_point_t pk_point, r_point;
  243. c448_error_t error;
  244. curve448_scalar_t challenge_scalar;
  245. curve448_scalar_t response_scalar;
  246. /* Order in little endian format */
  247. static const uint8_t order[] = {
  248. 0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
  249. 0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
  250. 0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
  251. 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
  252. 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
  253. };
  254. int i;
  255. /*
  256. * Check that s (second 57 bytes of the sig) is less than the order. Both
  257. * s and the order are in little-endian format. This can be done in
  258. * variable time, since if this is not the case the signature if publicly
  259. * invalid.
  260. */
  261. for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
  262. if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
  263. return C448_FAILURE;
  264. if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
  265. break;
  266. }
  267. if (i < 0)
  268. return C448_FAILURE;
  269. error =
  270. ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
  271. if (C448_SUCCESS != error)
  272. return error;
  273. error =
  274. ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
  275. if (C448_SUCCESS != error)
  276. return error;
  277. {
  278. /* Compute the challenge */
  279. EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
  280. uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
  281. if (hashctx == NULL
  282. || !hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
  283. context_len, propq)
  284. || !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES)
  285. || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
  286. || !EVP_DigestUpdate(hashctx, message, message_len)
  287. || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
  288. EVP_MD_CTX_free(hashctx);
  289. return C448_FAILURE;
  290. }
  291. EVP_MD_CTX_free(hashctx);
  292. ossl_curve448_scalar_decode_long(challenge_scalar, challenge,
  293. sizeof(challenge));
  294. OPENSSL_cleanse(challenge, sizeof(challenge));
  295. }
  296. ossl_curve448_scalar_sub(challenge_scalar, ossl_curve448_scalar_zero,
  297. challenge_scalar);
  298. ossl_curve448_scalar_decode_long(response_scalar,
  299. &signature[EDDSA_448_PUBLIC_BYTES],
  300. EDDSA_448_PRIVATE_BYTES);
  301. /* pk_point = -c(x(P)) + (cx + k)G = kG */
  302. ossl_curve448_base_double_scalarmul_non_secret(pk_point,
  303. response_scalar,
  304. pk_point, challenge_scalar);
  305. return c448_succeed_if(ossl_curve448_point_eq(pk_point, r_point));
  306. }
  307. c448_error_t
  308. ossl_c448_ed448_verify_prehash(
  309. OSSL_LIB_CTX *ctx,
  310. const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
  311. const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  312. const uint8_t hash[64], const uint8_t *context,
  313. uint8_t context_len, const char *propq)
  314. {
  315. return ossl_c448_ed448_verify(ctx, signature, pubkey, hash, 64, 1, context,
  316. context_len, propq);
  317. }
  318. int
  319. ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig,
  320. const uint8_t *message, size_t message_len,
  321. const uint8_t public_key[57], const uint8_t private_key[57],
  322. const uint8_t *context, size_t context_len,
  323. const uint8_t phflag, const char *propq)
  324. {
  325. return ossl_c448_ed448_sign(ctx, out_sig, private_key, public_key, message,
  326. message_len, phflag, context, context_len,
  327. propq) == C448_SUCCESS;
  328. }
  329. int
  330. ossl_ed448_verify(OSSL_LIB_CTX *ctx,
  331. const uint8_t *message, size_t message_len,
  332. const uint8_t signature[114], const uint8_t public_key[57],
  333. const uint8_t *context, size_t context_len,
  334. const uint8_t phflag, const char *propq)
  335. {
  336. return ossl_c448_ed448_verify(ctx, signature, public_key, message,
  337. message_len, phflag, context, (uint8_t)context_len,
  338. propq) == C448_SUCCESS;
  339. }
  340. int
  341. ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57],
  342. const uint8_t private_key[57], const char *propq)
  343. {
  344. return ossl_c448_ed448_derive_public_key(ctx, out_public_key, private_key,
  345. propq) == C448_SUCCESS;
  346. }