crypto/ec/curve448/eddsa.c

   1 /**
   2  * @file ed448goldilocks/eddsa.c
   3  * @author Mike Hamburg
   4  *
   5  * @copyright
   6  *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n
   7  *   Released under the MIT License.  See LICENSE.txt for license information.
   8  *
   9  * @cond internal
  10  * @brief EdDSA routines.
  11  *
  12  * @warning This file was automatically generated in Python.
  13  * Please do not edit it.
  14  */
  15 #include <openssl/crypto.h>
  16
  17 #include "word.h"
  18 #include "ed448.h"
  19 #include "shake.h"
  20 #include <string.h>
  21
  22 #define API_NAME "decaf_448"
  23 #define API_NS(_id) decaf_448_##_id
  24
  25 #define hash_ctx_t   decaf_shake256_ctx_t
  26 #define hash_init    decaf_shake256_init
  27 #define hash_update  decaf_shake256_update
  28 #define hash_final   decaf_shake256_final
  29 #define hash_destroy decaf_shake256_destroy
  30 #define hash_hash    decaf_shake256_hash
  31
  32 #define NO_CONTEXT DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS
  33 #define EDDSA_USE_SIGMA_ISOGENY 0
  34 #define COFACTOR 4
  35 #define EDDSA_PREHASH_BYTES 64
  36
  37 #if NO_CONTEXT
  38 const uint8_t NO_CONTEXT_POINTS_HERE = 0;
  39 const uint8_t * const DECAF_ED448_NO_CONTEXT = &NO_CONTEXT_POINTS_HERE;
  40 #endif
  41
  42 /* EDDSA_BASE_POINT_RATIO = 1 or 2
  43  * Because EdDSA25519 is not on E_d but on the isogenous E_sigma_d,
  44  * its base point is twice ours.
  45  */
  46 #define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY) /* TODO: remove */
  47
  48 static void clamp (
  49     uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]
  50 ) {
  51     /* Blarg */
  52     secret_scalar_ser[0] &= -COFACTOR;
  53     uint8_t hibit = (1<<0)>>1;
  54     if (hibit == 0) {
  55         secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0;
  56         secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
  57     } else {
  58         secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= hibit-1;
  59         secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
  60     }
  61 }
  62
  63 static void hash_init_with_dom(
  64     hash_ctx_t hash,
  65     uint8_t prehashed,
  66     uint8_t for_prehash,
  67     const uint8_t *context,
  68     uint8_t context_len
  69 ) {
  70     hash_init(hash);
  71
  72 #if NO_CONTEXT
  73     if (context_len == 0 && context == DECAF_ED448_NO_CONTEXT) {
  74         (void)prehashed;
  75         (void)for_prehash;
  76         (void)context;
  77         (void)context_len;
  78         return;
  79     }
  80 #endif
  81     const char *dom_s = "SigEd448";
  82     const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
  83     hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
  84     hash_update(hash,dom,2);
  85     hash_update(hash,context,context_len);
  86 }
  87
  88 void decaf_ed448_prehash_init (
  89     hash_ctx_t hash
  90 ) {
  91     hash_init(hash);
  92 }
  93
  94 /* In this file because it uses the hash */
  95 void decaf_ed448_convert_private_key_to_x448 (
  96     uint8_t x[DECAF_X448_PRIVATE_BYTES],
  97     const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]
  98 ) {
  99     /* pass the private key through hash_hash function */
 100     /* and keep the first DECAF_X448_PRIVATE_BYTES bytes */
 101     hash_hash(
 102         x,
 103         DECAF_X448_PRIVATE_BYTES,
 104         ed,
 105         DECAF_EDDSA_448_PRIVATE_BYTES
 106     );
 107 }
 108
 109 void decaf_ed448_derive_public_key (
 110     uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
 111     const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]
 112 ) {
 113     /* only this much used for keygen */
 114     uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
 115
 116     hash_hash(
 117         secret_scalar_ser,
 118         sizeof(secret_scalar_ser),
 119         privkey,
 120         DECAF_EDDSA_448_PRIVATE_BYTES
 121     );
 122     clamp(secret_scalar_ser);
 123
 124     API_NS(scalar_t) secret_scalar;
 125     API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
 126
 127     /* Since we are going to mul_by_cofactor during encoding, divide by it here.
 128      * However, the EdDSA base point is not the same as the decaf base point if
 129      * the sigma isogeny is in use: the EdDSA base point is on Etwist_d/(1-d) and
 130      * the decaf base point is on Etwist_d, and when converted it effectively
 131      * picks up a factor of 2 from the isogenies.  So we might start at 2 instead of 1.
 132      */
 133     for (unsigned int c=1; c<DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
 134         API_NS(scalar_halve)(secret_scalar,secret_scalar);
 135     }
 136
 137     API_NS(point_t) p;
 138     API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),secret_scalar);
 139
 140     API_NS(point_mul_by_ratio_and_encode_like_eddsa)(pubkey, p);
 141
 142     /* Cleanup */
 143     API_NS(scalar_destroy)(secret_scalar);
 144     API_NS(point_destroy)(p);
 145     OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
 146 }
 147
 148 void decaf_ed448_sign (
 149     uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
 150     const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
 151     const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
 152     const uint8_t *message,
 153     size_t message_len,
 154     uint8_t prehashed,
 155     const uint8_t *context,
 156     uint8_t context_len
 157 ) {
 158     API_NS(scalar_t) secret_scalar;
 159     hash_ctx_t hash;
 160     {
 161         /* Schedule the secret key */
 162         struct {
 163             uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
 164             uint8_t seed[DECAF_EDDSA_448_PRIVATE_BYTES];
 165         } __attribute__((packed)) expanded;
 166         hash_hash(
 167             (uint8_t *)&expanded,
 168             sizeof(expanded),
 169             privkey,
 170             DECAF_EDDSA_448_PRIVATE_BYTES
 171         );
 172         clamp(expanded.secret_scalar_ser);
 173         API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
 174
 175         /* Hash to create the nonce */
 176         hash_init_with_dom(hash,prehashed,0,context,context_len);
 177         hash_update(hash,expanded.seed,sizeof(expanded.seed));
 178         hash_update(hash,message,message_len);
 179         OPENSSL_cleanse(&expanded, sizeof(expanded));
 180     }
 181
 182     /* Decode the nonce */
 183     API_NS(scalar_t) nonce_scalar;
 184     {
 185         uint8_t nonce[2*DECAF_EDDSA_448_PRIVATE_BYTES];
 186         hash_final(hash,nonce,sizeof(nonce));
 187         API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));
 188         OPENSSL_cleanse(nonce, sizeof(nonce));
 189     }
 190
 191     uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = {0};
 192     {
 193         /* Scalarmul to create the nonce-point */
 194         API_NS(scalar_t) nonce_scalar_2;
 195         API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);
 196         for (unsigned int c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
 197             API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);
 198         }
 199
 200         API_NS(point_t) p;
 201         API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);
 202         API_NS(point_mul_by_ratio_and_encode_like_eddsa)(nonce_point, p);
 203         API_NS(point_destroy)(p);
 204         API_NS(scalar_destroy)(nonce_scalar_2);
 205     }
 206
 207     API_NS(scalar_t) challenge_scalar;
 208     {
 209         /* Compute the challenge */
 210         hash_init_with_dom(hash,prehashed,0,context,context_len);
 211         hash_update(hash,nonce_point,sizeof(nonce_point));
 212         hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
 213         hash_update(hash,message,message_len);
 214         uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
 215         hash_final(hash,challenge,sizeof(challenge));
 216         hash_destroy(hash);
 217         API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
 218         OPENSSL_cleanse(challenge,sizeof(challenge));
 219     }
 220
 221     API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);
 222     API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);
 223
 224     OPENSSL_cleanse(signature,DECAF_EDDSA_448_SIGNATURE_BYTES);
 225     memcpy(signature,nonce_point,sizeof(nonce_point));
 226     API_NS(scalar_encode)(&signature[DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);
 227
 228     API_NS(scalar_destroy)(secret_scalar);
 229     API_NS(scalar_destroy)(nonce_scalar);
 230     API_NS(scalar_destroy)(challenge_scalar);
 231 }
 232
 233
 234 void decaf_ed448_sign_prehash (
 235     uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
 236     const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
 237     const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
 238     const decaf_ed448_prehash_ctx_t hash,
 239     const uint8_t *context,
 240     uint8_t context_len
 241 ) {
 242     uint8_t hash_output[EDDSA_PREHASH_BYTES];
 243     {
 244         decaf_ed448_prehash_ctx_t hash_too;
 245         memcpy(hash_too,hash,sizeof(hash_too));
 246         hash_final(hash_too,hash_output,sizeof(hash_output));
 247         hash_destroy(hash_too);
 248     }
 249
 250     decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
 251     OPENSSL_cleanse(hash_output,sizeof(hash_output));
 252 }
 253
 254 decaf_error_t decaf_ed448_verify (
 255     const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
 256     const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
 257     const uint8_t *message,
 258     size_t message_len,
 259     uint8_t prehashed,
 260     const uint8_t *context,
 261     uint8_t context_len
 262 ) {
 263     API_NS(point_t) pk_point, r_point;
 264     decaf_error_t error = API_NS(point_decode_like_eddsa_and_mul_by_ratio)(pk_point,pubkey);
 265     if (DECAF_SUCCESS != error) { return error; }
 266
 267     error = API_NS(point_decode_like_eddsa_and_mul_by_ratio)(r_point,signature);
 268     if (DECAF_SUCCESS != error) { return error; }
 269
 270     API_NS(scalar_t) challenge_scalar;
 271     {
 272         /* Compute the challenge */
 273         hash_ctx_t hash;
 274         hash_init_with_dom(hash,prehashed,0,context,context_len);
 275         hash_update(hash,signature,DECAF_EDDSA_448_PUBLIC_BYTES);
 276         hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
 277         hash_update(hash,message,message_len);
 278         uint8_t challenge[2*DECAF_EDDSA_448_PRIVATE_BYTES];
 279         hash_final(hash,challenge,sizeof(challenge));
 280         hash_destroy(hash);
 281         API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
 282         OPENSSL_cleanse(challenge,sizeof(challenge));
 283     }
 284     API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);
 285
 286     API_NS(scalar_t) response_scalar;
 287     API_NS(scalar_decode_long)(
 288         response_scalar,
 289         &signature[DECAF_EDDSA_448_PUBLIC_BYTES],
 290         DECAF_EDDSA_448_PRIVATE_BYTES
 291     );
 292
 293     for (unsigned c=1; c<DECAF_448_EDDSA_DECODE_RATIO; c<<=1) {
 294         API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);
 295     }
 296
 297
 298     /* pk_point = -c(x(P)) + (cx + k)G = kG */
 299     API_NS(base_double_scalarmul_non_secret)(
 300         pk_point,
 301         response_scalar,
 302         pk_point,
 303         challenge_scalar
 304     );
 305     return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
 306 }
 307
 308
 309 decaf_error_t decaf_ed448_verify_prehash (
 310     const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
 311     const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
 312     const decaf_ed448_prehash_ctx_t hash,
 313     const uint8_t *context,
 314     uint8_t context_len
 315 ) {
 316     decaf_error_t ret;
 317
 318     uint8_t hash_output[EDDSA_PREHASH_BYTES];
 319     {
 320         decaf_ed448_prehash_ctx_t hash_too;
 321         memcpy(hash_too,hash,sizeof(hash_too));
 322         hash_final(hash_too,hash_output,sizeof(hash_output));
 323         hash_destroy(hash_too);
 324     }
 325
 326     ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
 327
 328     return ret;
 329 }