2 * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright 2015-2016 Cryptography Research, Inc.
5 * Licensed under the OpenSSL license (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
10 * Originally written by Mike Hamburg
12 #include <openssl/crypto.h>
13 #include <openssl/evp.h>
15 #include "curve448_lcl.h"
19 #include "internal/numbers.h"
23 static decaf_error_t oneshot_hash(uint8_t *out, size_t outlen,
24 const uint8_t *in, size_t inlen)
26 EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
31 if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
32 || !EVP_DigestUpdate(hashctx, in, inlen)
33 || !EVP_DigestFinalXOF(hashctx, out, outlen)) {
34 EVP_MD_CTX_free(hashctx);
38 EVP_MD_CTX_free(hashctx);
42 static void clamp(uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES])
44 uint8_t hibit = (1 << 0) >> 1;
47 secret_scalar_ser[0] &= -COFACTOR;
49 secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0;
50 secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
52 secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
53 secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
57 static decaf_error_t hash_init_with_dom(EVP_MD_CTX *hashctx,
60 const uint8_t *context,
63 const char *dom_s = "SigEd448";
66 dom[0] = 2 + word_is_zero(prehashed) + word_is_zero(for_prehash);
67 dom[1] = (uint8_t)context_len;
69 if (context_len > UINT8_MAX)
72 if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
73 || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
74 || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
75 || !EVP_DigestUpdate(hashctx, context, context_len))
81 /* In this file because it uses the hash */
82 decaf_error_t decaf_ed448_convert_private_key_to_x448(
83 uint8_t x[DECAF_X448_PRIVATE_BYTES],
84 const uint8_t ed [DECAF_EDDSA_448_PRIVATE_BYTES])
86 /* pass the private key through oneshot_hash function */
87 /* and keep the first DECAF_X448_PRIVATE_BYTES bytes */
88 return oneshot_hash(x,
89 DECAF_X448_PRIVATE_BYTES,
90 ed, DECAF_EDDSA_448_PRIVATE_BYTES);
93 decaf_error_t decaf_ed448_derive_public_key(
94 uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
95 const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES])
97 /* only this much used for keygen */
98 uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
99 curve448_scalar_t secret_scalar;
103 if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
104 DECAF_EDDSA_448_PRIVATE_BYTES))
105 return DECAF_FAILURE;
107 clamp(secret_scalar_ser);
109 curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
110 sizeof(secret_scalar_ser));
113 * Since we are going to mul_by_cofactor during encoding, divide by it
114 * here. However, the EdDSA base point is not the same as the decaf base
115 * point if the sigma isogeny is in use: the EdDSA base point is on
116 * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
117 * converted it effectively picks up a factor of 2 from the isogenies. So
118 * we might start at 2 instead of 1.
120 for (c = 1; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1)
121 curve448_scalar_halve(secret_scalar, secret_scalar);
123 curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);
125 curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
128 curve448_scalar_destroy(secret_scalar);
129 curve448_point_destroy(p);
130 OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
132 return DECAF_SUCCESS;
135 decaf_error_t decaf_ed448_sign(
136 uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
137 const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
138 const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
139 const uint8_t *message, size_t message_len,
140 uint8_t prehashed, const uint8_t *context,
143 curve448_scalar_t secret_scalar;
144 EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
145 decaf_error_t ret = DECAF_FAILURE;
146 curve448_scalar_t nonce_scalar;
147 uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = { 0 };
149 curve448_scalar_t challenge_scalar;
152 return DECAF_FAILURE;
155 /* Schedule the secret key */
157 uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES];
158 uint8_t seed[DECAF_EDDSA_448_PRIVATE_BYTES];
159 } __attribute__ ((packed)) expanded;
161 if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey,
162 DECAF_EDDSA_448_PRIVATE_BYTES))
164 clamp(expanded.secret_scalar_ser);
165 curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser,
166 sizeof(expanded.secret_scalar_ser));
168 /* Hash to create the nonce */
169 if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
170 || !EVP_DigestUpdate(hashctx, expanded.seed, sizeof(expanded.seed))
171 || !EVP_DigestUpdate(hashctx, message, message_len)) {
172 OPENSSL_cleanse(&expanded, sizeof(expanded));
175 OPENSSL_cleanse(&expanded, sizeof(expanded));
178 /* Decode the nonce */
180 uint8_t nonce[2 * DECAF_EDDSA_448_PRIVATE_BYTES];
182 if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
184 curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
185 OPENSSL_cleanse(nonce, sizeof(nonce));
189 /* Scalarmul to create the nonce-point */
190 curve448_scalar_t nonce_scalar_2;
193 curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
194 for (c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) {
195 curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
198 curve448_precomputed_scalarmul(p, curve448_precomputed_base,
200 curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
201 curve448_point_destroy(p);
202 curve448_scalar_destroy(nonce_scalar_2);
206 uint8_t challenge[2 * DECAF_EDDSA_448_PRIVATE_BYTES];
208 /* Compute the challenge */
209 if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
210 || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
211 || !EVP_DigestUpdate(hashctx, pubkey, DECAF_EDDSA_448_PUBLIC_BYTES)
212 || !EVP_DigestUpdate(hashctx, message, message_len)
213 || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
216 curve448_scalar_decode_long(challenge_scalar, challenge,
218 OPENSSL_cleanse(challenge, sizeof(challenge));
221 curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
222 curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
224 OPENSSL_cleanse(signature, DECAF_EDDSA_448_SIGNATURE_BYTES);
225 memcpy(signature, nonce_point, sizeof(nonce_point));
226 curve448_scalar_encode(&signature[DECAF_EDDSA_448_PUBLIC_BYTES],
229 curve448_scalar_destroy(secret_scalar);
230 curve448_scalar_destroy(nonce_scalar);
231 curve448_scalar_destroy(challenge_scalar);
235 EVP_MD_CTX_free(hashctx);
239 decaf_error_t decaf_ed448_sign_prehash(uint8_t
241 [DECAF_EDDSA_448_SIGNATURE_BYTES],
243 privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
245 pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
246 const uint8_t hash[64],
247 const uint8_t *context,
250 return decaf_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context,
254 decaf_error_t decaf_ed448_verify(const uint8_t
255 signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
257 pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
258 const uint8_t *message, size_t message_len,
259 uint8_t prehashed, const uint8_t *context,
262 curve448_point_t pk_point, r_point;
263 decaf_error_t error =
264 curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
265 curve448_scalar_t challenge_scalar;
266 curve448_scalar_t response_scalar;
269 if (DECAF_SUCCESS != error)
273 curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
274 if (DECAF_SUCCESS != error)
278 /* Compute the challenge */
279 EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
280 uint8_t challenge[2 * DECAF_EDDSA_448_PRIVATE_BYTES];
283 || !hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
284 || !EVP_DigestUpdate(hashctx, signature,
285 DECAF_EDDSA_448_PUBLIC_BYTES)
286 || !EVP_DigestUpdate(hashctx, pubkey, DECAF_EDDSA_448_PUBLIC_BYTES)
287 || !EVP_DigestUpdate(hashctx, message, message_len)
288 || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
289 EVP_MD_CTX_free(hashctx);
290 return DECAF_FAILURE;
293 EVP_MD_CTX_free(hashctx);
294 curve448_scalar_decode_long(challenge_scalar, challenge,
296 OPENSSL_cleanse(challenge, sizeof(challenge));
298 curve448_scalar_sub(challenge_scalar, curve448_scalar_zero,
301 curve448_scalar_decode_long(response_scalar,
302 &signature[DECAF_EDDSA_448_PUBLIC_BYTES],
303 DECAF_EDDSA_448_PRIVATE_BYTES);
305 for (c = 1; c < DECAF_448_EDDSA_DECODE_RATIO; c <<= 1)
306 curve448_scalar_add(response_scalar, response_scalar, response_scalar);
308 /* pk_point = -c(x(P)) + (cx + k)G = kG */
309 curve448_base_double_scalarmul_non_secret(pk_point,
311 pk_point, challenge_scalar);
312 return decaf_succeed_if(curve448_point_eq(pk_point, r_point));
315 decaf_error_t decaf_ed448_verify_prehash(
316 const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
317 const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
318 const uint8_t hash[64], const uint8_t *context,
323 ret = decaf_ed448_verify(signature, pubkey, hash, 64, 1, context,
329 int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
330 const uint8_t public_key[57], const uint8_t private_key[57],
331 const uint8_t *context, size_t context_len)
334 return decaf_ed448_sign(out_sig, private_key, public_key, message,
335 message_len, 0, context, context_len)
339 int ED448_verify(const uint8_t *message, size_t message_len,
340 const uint8_t signature[114], const uint8_t public_key[57],
341 const uint8_t *context, size_t context_len)
343 return decaf_ed448_verify(signature, public_key, message, message_len, 0,
344 context, context_len) == DECAF_SUCCESS;
347 int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64],
348 const uint8_t public_key[57], const uint8_t private_key[57],
349 const uint8_t *context, size_t context_len)
351 return decaf_ed448_sign_prehash(out_sig, private_key, public_key, hash,
352 context, context_len) == DECAF_SUCCESS;
356 int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114],
357 const uint8_t public_key[57], const uint8_t *context,
360 return decaf_ed448_verify_prehash(signature, public_key, hash, context,
361 context_len) == DECAF_SUCCESS;
364 int ED448_public_from_private(uint8_t out_public_key[57],
365 const uint8_t private_key[57])
367 return decaf_ed448_derive_public_key(out_public_key, private_key)