2
0

eddsa.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423
  1. /*
  2. * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright 2015-2016 Cryptography Research, Inc.
  4. *
  5. * Licensed under the Apache License 2.0 (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or at
  8. * https://www.openssl.org/source/license.html
  9. *
  10. * Originally written by Mike Hamburg
  11. */
  12. #include <string.h>
  13. #include <openssl/crypto.h>
  14. #include <openssl/evp.h>
  15. #include "crypto/ecx.h"
  16. #include "curve448_local.h"
  17. #include "word.h"
  18. #include "ed448.h"
  19. #include "internal/numbers.h"
  20. #define COFACTOR 4
  21. static c448_error_t oneshot_hash(OSSL_LIB_CTX *ctx, uint8_t *out, size_t outlen,
  22. const uint8_t *in, size_t inlen,
  23. const char *propq)
  24. {
  25. EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
  26. EVP_MD *shake256 = NULL;
  27. c448_error_t ret = C448_FAILURE;
  28. if (hashctx == NULL)
  29. return C448_FAILURE;
  30. shake256 = EVP_MD_fetch(ctx, "SHAKE256", propq);
  31. if (shake256 == NULL)
  32. goto err;
  33. if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
  34. || !EVP_DigestUpdate(hashctx, in, inlen)
  35. || !EVP_DigestFinalXOF(hashctx, out, outlen))
  36. goto err;
  37. ret = C448_SUCCESS;
  38. err:
  39. EVP_MD_CTX_free(hashctx);
  40. EVP_MD_free(shake256);
  41. return ret;
  42. }
  43. static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
  44. {
  45. secret_scalar_ser[0] &= -COFACTOR;
  46. secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
  47. secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
  48. }
  49. static c448_error_t hash_init_with_dom(OSSL_LIB_CTX *ctx, EVP_MD_CTX *hashctx,
  50. uint8_t prehashed,
  51. uint8_t for_prehash,
  52. const uint8_t *context,
  53. size_t context_len,
  54. const char *propq)
  55. {
  56. #ifdef CHARSET_EBCDIC
  57. const char dom_s[] = {0x53, 0x69, 0x67, 0x45,
  58. 0x64, 0x34, 0x34, 0x38, 0x00};
  59. #else
  60. const char dom_s[] = "SigEd448";
  61. #endif
  62. uint8_t dom[2];
  63. EVP_MD *shake256 = NULL;
  64. if (context_len > UINT8_MAX)
  65. return C448_FAILURE;
  66. dom[0] = (uint8_t)(2 - (prehashed == 0 ? 1 : 0)
  67. - (for_prehash == 0 ? 1 : 0));
  68. dom[1] = (uint8_t)context_len;
  69. shake256 = EVP_MD_fetch(ctx, "SHAKE256", propq);
  70. if (shake256 == NULL)
  71. return C448_FAILURE;
  72. if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
  73. || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
  74. || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
  75. || !EVP_DigestUpdate(hashctx, context, context_len)) {
  76. EVP_MD_free(shake256);
  77. return C448_FAILURE;
  78. }
  79. EVP_MD_free(shake256);
  80. return C448_SUCCESS;
  81. }
  82. /* In this file because it uses the hash */
  83. c448_error_t
  84. ossl_c448_ed448_convert_private_key_to_x448(
  85. OSSL_LIB_CTX *ctx,
  86. uint8_t x[X448_PRIVATE_BYTES],
  87. const uint8_t ed [EDDSA_448_PRIVATE_BYTES],
  88. const char *propq)
  89. {
  90. /* pass the private key through oneshot_hash function */
  91. /* and keep the first X448_PRIVATE_BYTES bytes */
  92. return oneshot_hash(ctx, x, X448_PRIVATE_BYTES, ed,
  93. EDDSA_448_PRIVATE_BYTES, propq);
  94. }
  95. c448_error_t
  96. ossl_c448_ed448_derive_public_key(
  97. OSSL_LIB_CTX *ctx,
  98. uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  99. const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
  100. const char *propq)
  101. {
  102. /* only this much used for keygen */
  103. uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
  104. curve448_scalar_t secret_scalar;
  105. unsigned int c;
  106. curve448_point_t p;
  107. if (!oneshot_hash(ctx, secret_scalar_ser, sizeof(secret_scalar_ser),
  108. privkey,
  109. EDDSA_448_PRIVATE_BYTES,
  110. propq))
  111. return C448_FAILURE;
  112. clamp(secret_scalar_ser);
  113. ossl_curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
  114. sizeof(secret_scalar_ser));
  115. /*
  116. * Since we are going to mul_by_cofactor during encoding, divide by it
  117. * here. However, the EdDSA base point is not the same as the decaf base
  118. * point if the sigma isogeny is in use: the EdDSA base point is on
  119. * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
  120. * converted it effectively picks up a factor of 2 from the isogenies. So
  121. * we might start at 2 instead of 1.
  122. */
  123. for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
  124. ossl_curve448_scalar_halve(secret_scalar, secret_scalar);
  125. ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base,
  126. secret_scalar);
  127. ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
  128. /* Cleanup */
  129. ossl_curve448_scalar_destroy(secret_scalar);
  130. ossl_curve448_point_destroy(p);
  131. OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
  132. return C448_SUCCESS;
  133. }
  134. c448_error_t
  135. ossl_c448_ed448_sign(OSSL_LIB_CTX *ctx,
  136. uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
  137. const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
  138. const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  139. const uint8_t *message, size_t message_len,
  140. uint8_t prehashed, const uint8_t *context,
  141. size_t context_len, const char *propq)
  142. {
  143. curve448_scalar_t secret_scalar;
  144. EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
  145. c448_error_t ret = C448_FAILURE;
  146. curve448_scalar_t nonce_scalar;
  147. uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
  148. unsigned int c;
  149. curve448_scalar_t challenge_scalar;
  150. if (hashctx == NULL)
  151. return C448_FAILURE;
  152. {
  153. /*
  154. * Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialized
  155. * secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
  156. */
  157. uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2];
  158. if (!oneshot_hash(ctx, expanded, sizeof(expanded), privkey,
  159. EDDSA_448_PRIVATE_BYTES, propq))
  160. goto err;
  161. clamp(expanded);
  162. ossl_curve448_scalar_decode_long(secret_scalar, expanded,
  163. EDDSA_448_PRIVATE_BYTES);
  164. /* Hash to create the nonce */
  165. if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
  166. context_len, propq)
  167. || !EVP_DigestUpdate(hashctx,
  168. expanded + EDDSA_448_PRIVATE_BYTES,
  169. EDDSA_448_PRIVATE_BYTES)
  170. || !EVP_DigestUpdate(hashctx, message, message_len)) {
  171. OPENSSL_cleanse(expanded, sizeof(expanded));
  172. goto err;
  173. }
  174. OPENSSL_cleanse(expanded, sizeof(expanded));
  175. }
  176. /* Decode the nonce */
  177. {
  178. uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];
  179. if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
  180. goto err;
  181. ossl_curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
  182. OPENSSL_cleanse(nonce, sizeof(nonce));
  183. }
  184. {
  185. /* Scalarmul to create the nonce-point */
  186. curve448_scalar_t nonce_scalar_2;
  187. curve448_point_t p;
  188. ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
  189. for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
  190. ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
  191. ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base,
  192. nonce_scalar_2);
  193. ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
  194. ossl_curve448_point_destroy(p);
  195. ossl_curve448_scalar_destroy(nonce_scalar_2);
  196. }
  197. {
  198. uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
  199. /* Compute the challenge */
  200. if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context, context_len,
  201. propq)
  202. || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
  203. || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
  204. || !EVP_DigestUpdate(hashctx, message, message_len)
  205. || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
  206. goto err;
  207. ossl_curve448_scalar_decode_long(challenge_scalar, challenge,
  208. sizeof(challenge));
  209. OPENSSL_cleanse(challenge, sizeof(challenge));
  210. }
  211. ossl_curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
  212. ossl_curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
  213. OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
  214. memcpy(signature, nonce_point, sizeof(nonce_point));
  215. ossl_curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
  216. challenge_scalar);
  217. ossl_curve448_scalar_destroy(secret_scalar);
  218. ossl_curve448_scalar_destroy(nonce_scalar);
  219. ossl_curve448_scalar_destroy(challenge_scalar);
  220. ret = C448_SUCCESS;
  221. err:
  222. EVP_MD_CTX_free(hashctx);
  223. return ret;
  224. }
  225. c448_error_t
  226. ossl_c448_ed448_sign_prehash(
  227. OSSL_LIB_CTX *ctx,
  228. uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
  229. const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
  230. const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  231. const uint8_t hash[64], const uint8_t *context,
  232. size_t context_len, const char *propq)
  233. {
  234. return ossl_c448_ed448_sign(ctx, signature, privkey, pubkey, hash, 64, 1,
  235. context, context_len, propq);
  236. }
  237. c448_error_t
  238. ossl_c448_ed448_verify(
  239. OSSL_LIB_CTX *ctx,
  240. const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
  241. const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  242. const uint8_t *message, size_t message_len,
  243. uint8_t prehashed, const uint8_t *context,
  244. uint8_t context_len, const char *propq)
  245. {
  246. curve448_point_t pk_point, r_point;
  247. c448_error_t error;
  248. curve448_scalar_t challenge_scalar;
  249. curve448_scalar_t response_scalar;
  250. /* Order in little endian format */
  251. static const uint8_t order[] = {
  252. 0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
  253. 0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
  254. 0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
  255. 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
  256. 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
  257. };
  258. int i;
  259. /*
  260. * Check that s (second 57 bytes of the sig) is less than the order. Both
  261. * s and the order are in little-endian format. This can be done in
  262. * variable time, since if this is not the case the signature if publicly
  263. * invalid.
  264. */
  265. for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
  266. if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
  267. return C448_FAILURE;
  268. if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
  269. break;
  270. }
  271. if (i < 0)
  272. return C448_FAILURE;
  273. error =
  274. ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
  275. if (C448_SUCCESS != error)
  276. return error;
  277. error =
  278. ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
  279. if (C448_SUCCESS != error)
  280. return error;
  281. {
  282. /* Compute the challenge */
  283. EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
  284. uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
  285. if (hashctx == NULL
  286. || !hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
  287. context_len, propq)
  288. || !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES)
  289. || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
  290. || !EVP_DigestUpdate(hashctx, message, message_len)
  291. || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
  292. EVP_MD_CTX_free(hashctx);
  293. return C448_FAILURE;
  294. }
  295. EVP_MD_CTX_free(hashctx);
  296. ossl_curve448_scalar_decode_long(challenge_scalar, challenge,
  297. sizeof(challenge));
  298. OPENSSL_cleanse(challenge, sizeof(challenge));
  299. }
  300. ossl_curve448_scalar_sub(challenge_scalar, ossl_curve448_scalar_zero,
  301. challenge_scalar);
  302. ossl_curve448_scalar_decode_long(response_scalar,
  303. &signature[EDDSA_448_PUBLIC_BYTES],
  304. EDDSA_448_PRIVATE_BYTES);
  305. /* pk_point = -c(x(P)) + (cx + k)G = kG */
  306. ossl_curve448_base_double_scalarmul_non_secret(pk_point,
  307. response_scalar,
  308. pk_point, challenge_scalar);
  309. return c448_succeed_if(ossl_curve448_point_eq(pk_point, r_point));
  310. }
  311. c448_error_t
  312. ossl_c448_ed448_verify_prehash(
  313. OSSL_LIB_CTX *ctx,
  314. const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
  315. const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
  316. const uint8_t hash[64], const uint8_t *context,
  317. uint8_t context_len, const char *propq)
  318. {
  319. return ossl_c448_ed448_verify(ctx, signature, pubkey, hash, 64, 1, context,
  320. context_len, propq);
  321. }
  322. int
  323. ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t *message,
  324. size_t message_len, const uint8_t public_key[57],
  325. const uint8_t private_key[57], const uint8_t *context,
  326. size_t context_len, const char *propq)
  327. {
  328. return ossl_c448_ed448_sign(ctx, out_sig, private_key, public_key, message,
  329. message_len, 0, context, context_len,
  330. propq) == C448_SUCCESS;
  331. }
  332. int
  333. ossl_ed448_verify(OSSL_LIB_CTX *ctx, const uint8_t *message, size_t message_len,
  334. const uint8_t signature[114], const uint8_t public_key[57],
  335. const uint8_t *context, size_t context_len, const char *propq)
  336. {
  337. return ossl_c448_ed448_verify(ctx, signature, public_key, message,
  338. message_len, 0, context, (uint8_t)context_len,
  339. propq) == C448_SUCCESS;
  340. }
  341. int
  342. ossl_ed448ph_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t hash[64],
  343. const uint8_t public_key[57], const uint8_t private_key[57],
  344. const uint8_t *context, size_t context_len, const char *propq)
  345. {
  346. return ossl_c448_ed448_sign_prehash(ctx, out_sig, private_key, public_key,
  347. hash, context, context_len,
  348. propq) == C448_SUCCESS;
  349. }
  350. int
  351. ossl_ed448ph_verify(OSSL_LIB_CTX *ctx, const uint8_t hash[64],
  352. const uint8_t signature[114], const uint8_t public_key[57],
  353. const uint8_t *context, size_t context_len,
  354. const char *propq)
  355. {
  356. return ossl_c448_ed448_verify_prehash(ctx, signature, public_key, hash,
  357. context, (uint8_t)context_len,
  358. propq) == C448_SUCCESS;
  359. }
  360. int
  361. ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57],
  362. const uint8_t private_key[57], const char *propq)
  363. {
  364. return ossl_c448_ed448_derive_public_key(ctx, out_public_key, private_key,
  365. propq) == C448_SUCCESS;
  366. }