Code tidy up
[openssl.git] / crypto / ec / curve448 / eddsa.c
1 /*
2  * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright 2015-2016 Cryptography Research, Inc.
4  *
5  * Licensed under the OpenSSL license (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  *
10  * Originally written by Mike Hamburg
11  */
12 #include <openssl/crypto.h>
13 #include <openssl/evp.h>
14
15 #include "curve448_lcl.h"
16 #include "word.h"
17 #include "ed448.h"
18 #include <string.h>
19 #include "internal/numbers.h"
20
21 #define COFACTOR 4
22
23 static c448_error_t oneshot_hash(uint8_t *out, size_t outlen,
24                                  const uint8_t *in, size_t inlen)
25 {
26     EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
27
28     if (hashctx == NULL)
29         return C448_FAILURE;
30
31     if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
32         || !EVP_DigestUpdate(hashctx, in, inlen)
33         || !EVP_DigestFinalXOF(hashctx, out, outlen)) {
34         EVP_MD_CTX_free(hashctx);
35         return C448_FAILURE;
36     }
37
38     EVP_MD_CTX_free(hashctx);
39     return C448_SUCCESS;
40 }
41
42 static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
43 {
44     uint8_t hibit = (1 << 0) >> 1;
45
46     /* Blarg */
47     secret_scalar_ser[0] &= -COFACTOR;
48     if (hibit == 0) {
49         secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
50         secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
51     } else {
52         secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
53         secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
54     }
55 }
56
57 static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed,
58                                        uint8_t for_prehash,
59                                        const uint8_t *context,
60                                        size_t context_len)
61 {
62     const char *dom_s = "SigEd448";
63     uint8_t dom[2];
64
65     dom[0] = 2 + word_is_zero(prehashed) + word_is_zero(for_prehash);
66     dom[1] = (uint8_t)context_len;
67
68     if (context_len > UINT8_MAX)
69         return C448_FAILURE;
70
71     if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
72         || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
73         || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
74         || !EVP_DigestUpdate(hashctx, context, context_len))
75         return C448_FAILURE;
76
77     return C448_SUCCESS;
78 }
79
80 /* In this file because it uses the hash */
81 c448_error_t c448_ed448_convert_private_key_to_x448(
82                             uint8_t x[X448_PRIVATE_BYTES],
83                             const uint8_t ed [EDDSA_448_PRIVATE_BYTES])
84 {
85     /* pass the private key through oneshot_hash function */
86     /* and keep the first X448_PRIVATE_BYTES bytes */
87     return oneshot_hash(x, X448_PRIVATE_BYTES, ed,
88                         EDDSA_448_PRIVATE_BYTES);
89 }
90
91 c448_error_t c448_ed448_derive_public_key(
92                         uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
93                         const uint8_t privkey[EDDSA_448_PRIVATE_BYTES])
94 {
95     /* only this much used for keygen */
96     uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
97     curve448_scalar_t secret_scalar;
98     unsigned int c;
99     curve448_point_t p;
100
101     if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
102                       EDDSA_448_PRIVATE_BYTES))
103         return C448_FAILURE;
104
105     clamp(secret_scalar_ser);
106
107     curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
108                                 sizeof(secret_scalar_ser));
109
110     /*
111      * Since we are going to mul_by_cofactor during encoding, divide by it
112      * here. However, the EdDSA base point is not the same as the decaf base
113      * point if the sigma isogeny is in use: the EdDSA base point is on
114      * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
115      * converted it effectively picks up a factor of 2 from the isogenies.  So
116      * we might start at 2 instead of 1.
117      */
118     for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
119         curve448_scalar_halve(secret_scalar, secret_scalar);
120
121     curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);
122
123     curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
124
125     /* Cleanup */
126     curve448_scalar_destroy(secret_scalar);
127     curve448_point_destroy(p);
128     OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
129
130     return C448_SUCCESS;
131 }
132
133 c448_error_t c448_ed448_sign(
134                         uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
135                         const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
136                         const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
137                         const uint8_t *message, size_t message_len,
138                         uint8_t prehashed, const uint8_t *context,
139                         size_t context_len)
140 {
141     curve448_scalar_t secret_scalar;
142     EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
143     c448_error_t ret = C448_FAILURE;
144     curve448_scalar_t nonce_scalar;
145     uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
146     unsigned int c;
147     curve448_scalar_t challenge_scalar;
148
149     if (hashctx == NULL)
150         return C448_FAILURE;
151
152     {
153         /*
154          * Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialised
155          * secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
156          */
157         uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2];
158
159         if (!oneshot_hash(expanded, sizeof(expanded), privkey,
160                           EDDSA_448_PRIVATE_BYTES))
161             goto err;
162         clamp(expanded);
163         curve448_scalar_decode_long(secret_scalar, expanded,
164                                     EDDSA_448_PRIVATE_BYTES);
165
166         /* Hash to create the nonce */
167         if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
168             || !EVP_DigestUpdate(hashctx, expanded + EDDSA_448_PRIVATE_BYTES,
169                                  EDDSA_448_PRIVATE_BYTES)
170             || !EVP_DigestUpdate(hashctx, message, message_len)) {
171             OPENSSL_cleanse(expanded, sizeof(expanded));
172             goto err;
173         }
174         OPENSSL_cleanse(expanded, sizeof(expanded));
175     }
176
177     /* Decode the nonce */
178     {
179         uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];
180
181         if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
182             goto err;
183         curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
184         OPENSSL_cleanse(nonce, sizeof(nonce));
185     }
186
187     {
188         /* Scalarmul to create the nonce-point */
189         curve448_scalar_t nonce_scalar_2;
190         curve448_point_t p;
191
192         curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
193         for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) {
194             curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
195         }
196
197         curve448_precomputed_scalarmul(p, curve448_precomputed_base,
198                                        nonce_scalar_2);
199         curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
200         curve448_point_destroy(p);
201         curve448_scalar_destroy(nonce_scalar_2);
202     }
203
204     {
205         uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
206
207         /* Compute the challenge */
208         if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
209             || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
210             || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
211             || !EVP_DigestUpdate(hashctx, message, message_len)
212             || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
213             goto err;
214
215         curve448_scalar_decode_long(challenge_scalar, challenge,
216                                     sizeof(challenge));
217         OPENSSL_cleanse(challenge, sizeof(challenge));
218     }
219
220     curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
221     curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
222
223     OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
224     memcpy(signature, nonce_point, sizeof(nonce_point));
225     curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
226                            challenge_scalar);
227
228     curve448_scalar_destroy(secret_scalar);
229     curve448_scalar_destroy(nonce_scalar);
230     curve448_scalar_destroy(challenge_scalar);
231
232     ret = C448_SUCCESS;
233  err:
234     EVP_MD_CTX_free(hashctx);
235     return ret;
236 }
237
238 c448_error_t c448_ed448_sign_prehash(
239                         uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
240                         const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
241                         const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
242                         const uint8_t hash[64], const uint8_t *context,
243                         size_t context_len)
244 {
245     return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context,
246                            context_len);
247 }
248
249 c448_error_t c448_ed448_verify(
250                     const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
251                     const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
252                     const uint8_t *message, size_t message_len,
253                     uint8_t prehashed, const uint8_t *context,
254                     uint8_t context_len)
255 {
256     curve448_point_t pk_point, r_point;
257     c448_error_t error =
258         curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
259     curve448_scalar_t challenge_scalar;
260     curve448_scalar_t response_scalar;
261     unsigned int c;
262
263     if (C448_SUCCESS != error)
264         return error;
265
266     error =
267         curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
268     if (C448_SUCCESS != error)
269         return error;
270
271     {
272         /* Compute the challenge */
273         EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
274         uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
275
276         if (hashctx == NULL
277             || !hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
278             || !EVP_DigestUpdate(hashctx, signature,
279                                  EDDSA_448_PUBLIC_BYTES)
280             || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
281             || !EVP_DigestUpdate(hashctx, message, message_len)
282             || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
283             EVP_MD_CTX_free(hashctx);
284             return C448_FAILURE;
285         }
286
287         EVP_MD_CTX_free(hashctx);
288         curve448_scalar_decode_long(challenge_scalar, challenge,
289                                     sizeof(challenge));
290         OPENSSL_cleanse(challenge, sizeof(challenge));
291     }
292     curve448_scalar_sub(challenge_scalar, curve448_scalar_zero,
293                         challenge_scalar);
294
295     curve448_scalar_decode_long(response_scalar,
296                                 &signature[EDDSA_448_PUBLIC_BYTES],
297                                 EDDSA_448_PRIVATE_BYTES);
298
299     for (c = 1; c < C448_EDDSA_DECODE_RATIO; c <<= 1)
300         curve448_scalar_add(response_scalar, response_scalar, response_scalar);
301
302     /* pk_point = -c(x(P)) + (cx + k)G = kG */
303     curve448_base_double_scalarmul_non_secret(pk_point,
304                                               response_scalar,
305                                               pk_point, challenge_scalar);
306     return c448_succeed_if(curve448_point_eq(pk_point, r_point));
307 }
308
309 c448_error_t c448_ed448_verify_prehash(
310                     const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
311                     const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
312                     const uint8_t hash[64], const uint8_t *context,
313                     uint8_t context_len)
314 {
315     c448_error_t ret;
316
317     ret = c448_ed448_verify(signature, pubkey, hash, 64, 1, context,
318                             context_len);
319
320     return ret;
321 }
322
323 int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
324                const uint8_t public_key[57], const uint8_t private_key[57],
325                const uint8_t *context, size_t context_len)
326 {
327
328     return c448_ed448_sign(out_sig, private_key, public_key, message,
329                            message_len, 0, context, context_len)
330         == C448_SUCCESS;
331 }
332
333 int ED448_verify(const uint8_t *message, size_t message_len,
334                  const uint8_t signature[114], const uint8_t public_key[57],
335                  const uint8_t *context, size_t context_len)
336 {
337     return c448_ed448_verify(signature, public_key, message, message_len, 0,
338                              context, context_len) == C448_SUCCESS;
339 }
340
341 int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64],
342                  const uint8_t public_key[57], const uint8_t private_key[57],
343                  const uint8_t *context, size_t context_len)
344 {
345     return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash,
346                                    context, context_len) == C448_SUCCESS;
347
348 }
349
350 int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114],
351                    const uint8_t public_key[57], const uint8_t *context,
352                    size_t context_len)
353 {
354     return c448_ed448_verify_prehash(signature, public_key, hash, context,
355                                      context_len) == C448_SUCCESS;
356 }
357
358 int ED448_public_from_private(uint8_t out_public_key[57],
359                               const uint8_t private_key[57])
360 {
361     return c448_ed448_derive_public_key(out_public_key, private_key)
362         == C448_SUCCESS;
363 }