]>
Commit | Line | Data |
---|---|---|
1308e022 MC |
1 | /* |
2 | * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * Copyright 2015-2016 Cryptography Research, Inc. | |
7324473f | 4 | * |
1308e022 MC |
5 | * Licensed under the OpenSSL license (the "License"). You may not use |
6 | * this file except in compliance with the License. You can obtain a copy | |
7 | * in the file LICENSE in the source distribution or at | |
8 | * https://www.openssl.org/source/license.html | |
7324473f | 9 | * |
1308e022 | 10 | * Originally written by Mike Hamburg |
7324473f | 11 | */ |
b6e388ba | 12 | #include <openssl/crypto.h> |
a242839f | 13 | #include <openssl/evp.h> |
b6e388ba | 14 | |
4ea41daa | 15 | #include "curve448_lcl.h" |
7324473f | 16 | #include "word.h" |
a2039c87 | 17 | #include "ed448.h" |
7324473f | 18 | #include <string.h> |
a242839f | 19 | #include "internal/numbers.h" |
7324473f | 20 | |
7324473f | 21 | #define COFACTOR 4 |
7324473f | 22 | |
aeeef83c MC |
23 | static c448_error_t oneshot_hash(uint8_t *out, size_t outlen, |
24 | const uint8_t *in, size_t inlen) | |
a242839f MC |
25 | { |
26 | EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); | |
27 | ||
28 | if (hashctx == NULL) | |
aeeef83c | 29 | return C448_FAILURE; |
a242839f MC |
30 | |
31 | if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) | |
205fd638 MC |
32 | || !EVP_DigestUpdate(hashctx, in, inlen) |
33 | || !EVP_DigestFinalXOF(hashctx, out, outlen)) { | |
a242839f | 34 | EVP_MD_CTX_free(hashctx); |
aeeef83c | 35 | return C448_FAILURE; |
a242839f MC |
36 | } |
37 | ||
38 | EVP_MD_CTX_free(hashctx); | |
aeeef83c | 39 | return C448_SUCCESS; |
a242839f MC |
40 | } |
41 | ||
db90b274 | 42 | static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES]) |
205fd638 MC |
43 | { |
44 | uint8_t hibit = (1 << 0) >> 1; | |
094c071c | 45 | |
7324473f MC |
46 | /* Blarg */ |
47 | secret_scalar_ser[0] &= -COFACTOR; | |
7324473f | 48 | if (hibit == 0) { |
db90b274 MC |
49 | secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0; |
50 | secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; | |
7324473f | 51 | } else { |
db90b274 MC |
52 | secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1; |
53 | secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] |= hibit; | |
7324473f MC |
54 | } |
55 | } | |
56 | ||
aeeef83c MC |
57 | static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed, |
58 | uint8_t for_prehash, | |
59 | const uint8_t *context, | |
60 | size_t context_len) | |
205fd638 | 61 | { |
a242839f | 62 | const char *dom_s = "SigEd448"; |
094c071c MC |
63 | uint8_t dom[2]; |
64 | ||
65 | dom[0] = 2 + word_is_zero(prehashed) + word_is_zero(for_prehash); | |
66 | dom[1] = (uint8_t)context_len; | |
a242839f MC |
67 | |
68 | if (context_len > UINT8_MAX) | |
aeeef83c | 69 | return C448_FAILURE; |
7324473f | 70 | |
a242839f | 71 | if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) |
205fd638 MC |
72 | || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s)) |
73 | || !EVP_DigestUpdate(hashctx, dom, sizeof(dom)) | |
74 | || !EVP_DigestUpdate(hashctx, context, context_len)) | |
aeeef83c | 75 | return C448_FAILURE; |
a242839f | 76 | |
aeeef83c | 77 | return C448_SUCCESS; |
7324473f MC |
78 | } |
79 | ||
7324473f | 80 | /* In this file because it uses the hash */ |
aeeef83c | 81 | c448_error_t c448_ed448_convert_private_key_to_x448( |
db90b274 MC |
82 | uint8_t x[X448_PRIVATE_BYTES], |
83 | const uint8_t ed [EDDSA_448_PRIVATE_BYTES]) | |
205fd638 | 84 | { |
a242839f | 85 | /* pass the private key through oneshot_hash function */ |
db90b274 MC |
86 | /* and keep the first X448_PRIVATE_BYTES bytes */ |
87 | return oneshot_hash(x, X448_PRIVATE_BYTES, ed, | |
88 | EDDSA_448_PRIVATE_BYTES); | |
7324473f | 89 | } |
205fd638 | 90 | |
aeeef83c | 91 | c448_error_t c448_ed448_derive_public_key( |
db90b274 MC |
92 | uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], |
93 | const uint8_t privkey[EDDSA_448_PRIVATE_BYTES]) | |
205fd638 | 94 | { |
7324473f | 95 | /* only this much used for keygen */ |
db90b274 | 96 | uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES]; |
094c071c MC |
97 | curve448_scalar_t secret_scalar; |
98 | unsigned int c; | |
99 | curve448_point_t p; | |
100 | ||
a242839f | 101 | if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey, |
db90b274 | 102 | EDDSA_448_PRIVATE_BYTES)) |
aeeef83c | 103 | return C448_FAILURE; |
8d55f844 | 104 | |
7324473f | 105 | clamp(secret_scalar_ser); |
094c071c | 106 | |
205fd638 MC |
107 | curve448_scalar_decode_long(secret_scalar, secret_scalar_ser, |
108 | sizeof(secret_scalar_ser)); | |
109 | ||
110 | /* | |
111 | * Since we are going to mul_by_cofactor during encoding, divide by it | |
112 | * here. However, the EdDSA base point is not the same as the decaf base | |
113 | * point if the sigma isogeny is in use: the EdDSA base point is on | |
114 | * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when | |
115 | * converted it effectively picks up a factor of 2 from the isogenies. So | |
116 | * we might start at 2 instead of 1. | |
7324473f | 117 | */ |
db90b274 | 118 | for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) |
205fd638 | 119 | curve448_scalar_halve(secret_scalar, secret_scalar); |
205fd638 MC |
120 | |
121 | curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar); | |
122 | ||
e7772577 | 123 | curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p); |
205fd638 | 124 | |
7324473f | 125 | /* Cleanup */ |
e7772577 MC |
126 | curve448_scalar_destroy(secret_scalar); |
127 | curve448_point_destroy(p); | |
b6e388ba | 128 | OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser)); |
a242839f | 129 | |
aeeef83c | 130 | return C448_SUCCESS; |
7324473f MC |
131 | } |
132 | ||
aeeef83c | 133 | c448_error_t c448_ed448_sign( |
db90b274 MC |
134 | uint8_t signature[EDDSA_448_SIGNATURE_BYTES], |
135 | const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], | |
136 | const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], | |
8d55f844 MC |
137 | const uint8_t *message, size_t message_len, |
138 | uint8_t prehashed, const uint8_t *context, | |
139 | size_t context_len) | |
205fd638 | 140 | { |
e7772577 | 141 | curve448_scalar_t secret_scalar; |
a242839f | 142 | EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); |
aeeef83c | 143 | c448_error_t ret = C448_FAILURE; |
094c071c | 144 | curve448_scalar_t nonce_scalar; |
db90b274 | 145 | uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 }; |
094c071c MC |
146 | unsigned int c; |
147 | curve448_scalar_t challenge_scalar; | |
a242839f MC |
148 | |
149 | if (hashctx == NULL) | |
aeeef83c | 150 | return C448_FAILURE; |
a242839f | 151 | |
7324473f MC |
152 | { |
153 | /* Schedule the secret key */ | |
154 | struct { | |
db90b274 MC |
155 | uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES]; |
156 | uint8_t seed[EDDSA_448_PRIVATE_BYTES]; | |
205fd638 | 157 | } __attribute__ ((packed)) expanded; |
a242839f MC |
158 | |
159 | if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey, | |
db90b274 | 160 | EDDSA_448_PRIVATE_BYTES)) |
a242839f | 161 | goto err; |
205fd638 MC |
162 | clamp(expanded.secret_scalar_ser); |
163 | curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser, | |
164 | sizeof(expanded.secret_scalar_ser)); | |
165 | ||
7324473f | 166 | /* Hash to create the nonce */ |
a242839f | 167 | if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len) |
205fd638 MC |
168 | || !EVP_DigestUpdate(hashctx, expanded.seed, sizeof(expanded.seed)) |
169 | || !EVP_DigestUpdate(hashctx, message, message_len)) { | |
a242839f MC |
170 | OPENSSL_cleanse(&expanded, sizeof(expanded)); |
171 | goto err; | |
172 | } | |
b6e388ba | 173 | OPENSSL_cleanse(&expanded, sizeof(expanded)); |
7324473f | 174 | } |
205fd638 | 175 | |
7324473f | 176 | /* Decode the nonce */ |
7324473f | 177 | { |
db90b274 | 178 | uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES]; |
a242839f MC |
179 | |
180 | if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce))) | |
181 | goto err; | |
e7772577 | 182 | curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce)); |
b6e388ba | 183 | OPENSSL_cleanse(nonce, sizeof(nonce)); |
7324473f | 184 | } |
094c071c | 185 | |
7324473f MC |
186 | { |
187 | /* Scalarmul to create the nonce-point */ | |
e7772577 | 188 | curve448_scalar_t nonce_scalar_2; |
094c071c MC |
189 | curve448_point_t p; |
190 | ||
205fd638 | 191 | curve448_scalar_halve(nonce_scalar_2, nonce_scalar); |
db90b274 | 192 | for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) { |
205fd638 | 193 | curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2); |
7324473f | 194 | } |
094c071c | 195 | |
205fd638 MC |
196 | curve448_precomputed_scalarmul(p, curve448_precomputed_base, |
197 | nonce_scalar_2); | |
e7772577 MC |
198 | curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p); |
199 | curve448_point_destroy(p); | |
200 | curve448_scalar_destroy(nonce_scalar_2); | |
7324473f | 201 | } |
094c071c | 202 | |
7324473f | 203 | { |
db90b274 | 204 | uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES]; |
a242839f MC |
205 | |
206 | /* Compute the challenge */ | |
207 | if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len) | |
205fd638 | 208 | || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point)) |
db90b274 | 209 | || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES) |
205fd638 MC |
210 | || !EVP_DigestUpdate(hashctx, message, message_len) |
211 | || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) | |
a242839f MC |
212 | goto err; |
213 | ||
205fd638 MC |
214 | curve448_scalar_decode_long(challenge_scalar, challenge, |
215 | sizeof(challenge)); | |
216 | OPENSSL_cleanse(challenge, sizeof(challenge)); | |
7324473f | 217 | } |
205fd638 MC |
218 | |
219 | curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar); | |
220 | curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar); | |
221 | ||
db90b274 | 222 | OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES); |
205fd638 | 223 | memcpy(signature, nonce_point, sizeof(nonce_point)); |
db90b274 | 224 | curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES], |
205fd638 MC |
225 | challenge_scalar); |
226 | ||
e7772577 MC |
227 | curve448_scalar_destroy(secret_scalar); |
228 | curve448_scalar_destroy(nonce_scalar); | |
229 | curve448_scalar_destroy(challenge_scalar); | |
a242839f | 230 | |
aeeef83c | 231 | ret = C448_SUCCESS; |
a242839f MC |
232 | err: |
233 | EVP_MD_CTX_free(hashctx); | |
234 | return ret; | |
7324473f MC |
235 | } |
236 | ||
aeeef83c | 237 | c448_error_t c448_ed448_sign_prehash( |
db90b274 MC |
238 | uint8_t signature[EDDSA_448_SIGNATURE_BYTES], |
239 | const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], | |
240 | const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], | |
aeeef83c MC |
241 | const uint8_t hash[64], const uint8_t *context, |
242 | size_t context_len) | |
205fd638 | 243 | { |
aeeef83c MC |
244 | return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context, |
245 | context_len); | |
7324473f MC |
246 | } |
247 | ||
aeeef83c | 248 | c448_error_t c448_ed448_verify( |
db90b274 MC |
249 | const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], |
250 | const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], | |
aeeef83c MC |
251 | const uint8_t *message, size_t message_len, |
252 | uint8_t prehashed, const uint8_t *context, | |
253 | uint8_t context_len) | |
205fd638 | 254 | { |
e7772577 | 255 | curve448_point_t pk_point, r_point; |
aeeef83c | 256 | c448_error_t error = |
205fd638 | 257 | curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey); |
094c071c MC |
258 | curve448_scalar_t challenge_scalar; |
259 | curve448_scalar_t response_scalar; | |
260 | unsigned int c; | |
261 | ||
aeeef83c | 262 | if (C448_SUCCESS != error) |
205fd638 | 263 | return error; |
205fd638 MC |
264 | |
265 | error = | |
266 | curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature); | |
aeeef83c | 267 | if (C448_SUCCESS != error) |
205fd638 | 268 | return error; |
205fd638 | 269 | |
7324473f MC |
270 | { |
271 | /* Compute the challenge */ | |
a242839f | 272 | EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); |
db90b274 | 273 | uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES]; |
a242839f MC |
274 | |
275 | if (hashctx == NULL | |
205fd638 MC |
276 | || !hash_init_with_dom(hashctx, prehashed, 0, context, context_len) |
277 | || !EVP_DigestUpdate(hashctx, signature, | |
db90b274 MC |
278 | EDDSA_448_PUBLIC_BYTES) |
279 | || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES) | |
205fd638 MC |
280 | || !EVP_DigestUpdate(hashctx, message, message_len) |
281 | || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) { | |
a242839f | 282 | EVP_MD_CTX_free(hashctx); |
aeeef83c | 283 | return C448_FAILURE; |
a242839f MC |
284 | } |
285 | ||
286 | EVP_MD_CTX_free(hashctx); | |
205fd638 MC |
287 | curve448_scalar_decode_long(challenge_scalar, challenge, |
288 | sizeof(challenge)); | |
289 | OPENSSL_cleanse(challenge, sizeof(challenge)); | |
7324473f | 290 | } |
205fd638 MC |
291 | curve448_scalar_sub(challenge_scalar, curve448_scalar_zero, |
292 | challenge_scalar); | |
293 | ||
294 | curve448_scalar_decode_long(response_scalar, | |
db90b274 MC |
295 | &signature[EDDSA_448_PUBLIC_BYTES], |
296 | EDDSA_448_PRIVATE_BYTES); | |
205fd638 | 297 | |
db90b274 | 298 | for (c = 1; c < C448_EDDSA_DECODE_RATIO; c <<= 1) |
205fd638 | 299 | curve448_scalar_add(response_scalar, response_scalar, response_scalar); |
205fd638 | 300 | |
7324473f | 301 | /* pk_point = -c(x(P)) + (cx + k)G = kG */ |
205fd638 MC |
302 | curve448_base_double_scalarmul_non_secret(pk_point, |
303 | response_scalar, | |
304 | pk_point, challenge_scalar); | |
aeeef83c | 305 | return c448_succeed_if(curve448_point_eq(pk_point, r_point)); |
7324473f MC |
306 | } |
307 | ||
aeeef83c | 308 | c448_error_t c448_ed448_verify_prehash( |
db90b274 MC |
309 | const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], |
310 | const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], | |
8d55f844 MC |
311 | const uint8_t hash[64], const uint8_t *context, |
312 | uint8_t context_len) | |
205fd638 | 313 | { |
aeeef83c | 314 | c448_error_t ret; |
205fd638 | 315 | |
aeeef83c MC |
316 | ret = c448_ed448_verify(signature, pubkey, hash, 64, 1, context, |
317 | context_len); | |
205fd638 | 318 | |
7324473f MC |
319 | return ret; |
320 | } | |
4ea41daa MC |
321 | |
322 | int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, | |
22bcc9cb | 323 | const uint8_t public_key[57], const uint8_t private_key[57], |
6ea71cba MC |
324 | const uint8_t *context, size_t context_len) |
325 | { | |
4ea41daa | 326 | |
aeeef83c MC |
327 | return c448_ed448_sign(out_sig, private_key, public_key, message, |
328 | message_len, 0, context, context_len) | |
329 | == C448_SUCCESS; | |
4ea41daa MC |
330 | } |
331 | ||
4ea41daa | 332 | int ED448_verify(const uint8_t *message, size_t message_len, |
22bcc9cb | 333 | const uint8_t signature[114], const uint8_t public_key[57], |
6ea71cba MC |
334 | const uint8_t *context, size_t context_len) |
335 | { | |
aeeef83c MC |
336 | return c448_ed448_verify(signature, public_key, message, message_len, 0, |
337 | context, context_len) == C448_SUCCESS; | |
4ea41daa MC |
338 | } |
339 | ||
6ea71cba | 340 | int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64], |
22bcc9cb | 341 | const uint8_t public_key[57], const uint8_t private_key[57], |
6ea71cba MC |
342 | const uint8_t *context, size_t context_len) |
343 | { | |
aeeef83c MC |
344 | return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash, |
345 | context, context_len) == C448_SUCCESS; | |
4ea41daa | 346 | |
6ea71cba | 347 | } |
4ea41daa | 348 | |
22bcc9cb MC |
349 | int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114], |
350 | const uint8_t public_key[57], const uint8_t *context, | |
6ea71cba MC |
351 | size_t context_len) |
352 | { | |
aeeef83c MC |
353 | return c448_ed448_verify_prehash(signature, public_key, hash, context, |
354 | context_len) == C448_SUCCESS; | |
4ea41daa MC |
355 | } |
356 | ||
22bcc9cb | 357 | int ED448_public_from_private(uint8_t out_public_key[57], |
205fd638 | 358 | const uint8_t private_key[57]) |
6ea71cba | 359 | { |
aeeef83c MC |
360 | return c448_ed448_derive_public_key(out_public_key, private_key) |
361 | == C448_SUCCESS; | |
4ea41daa | 362 | } |