]>
Commit | Line | Data |
---|---|---|
1308e022 | 1 | /* |
f53c7764 | 2 | * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. |
1308e022 | 3 | * Copyright 2015-2016 Cryptography Research, Inc. |
7324473f | 4 | * |
1308e022 MC |
5 | * Licensed under the OpenSSL license (the "License"). You may not use |
6 | * this file except in compliance with the License. You can obtain a copy | |
7 | * in the file LICENSE in the source distribution or at | |
8 | * https://www.openssl.org/source/license.html | |
7324473f | 9 | * |
1308e022 | 10 | * Originally written by Mike Hamburg |
7324473f | 11 | */ |
b6e388ba | 12 | #include <openssl/crypto.h> |
a242839f | 13 | #include <openssl/evp.h> |
b6e388ba | 14 | |
4ea41daa | 15 | #include "curve448_lcl.h" |
7324473f | 16 | #include "word.h" |
a2039c87 | 17 | #include "ed448.h" |
7324473f | 18 | #include <string.h> |
a242839f | 19 | #include "internal/numbers.h" |
7324473f | 20 | |
7324473f | 21 | #define COFACTOR 4 |
7324473f | 22 | |
aeeef83c MC |
23 | static c448_error_t oneshot_hash(uint8_t *out, size_t outlen, |
24 | const uint8_t *in, size_t inlen) | |
a242839f MC |
25 | { |
26 | EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); | |
27 | ||
28 | if (hashctx == NULL) | |
aeeef83c | 29 | return C448_FAILURE; |
a242839f MC |
30 | |
31 | if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) | |
205fd638 MC |
32 | || !EVP_DigestUpdate(hashctx, in, inlen) |
33 | || !EVP_DigestFinalXOF(hashctx, out, outlen)) { | |
a242839f | 34 | EVP_MD_CTX_free(hashctx); |
aeeef83c | 35 | return C448_FAILURE; |
a242839f MC |
36 | } |
37 | ||
38 | EVP_MD_CTX_free(hashctx); | |
aeeef83c | 39 | return C448_SUCCESS; |
a242839f MC |
40 | } |
41 | ||
db90b274 | 42 | static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES]) |
205fd638 MC |
43 | { |
44 | uint8_t hibit = (1 << 0) >> 1; | |
094c071c | 45 | |
7324473f MC |
46 | /* Blarg */ |
47 | secret_scalar_ser[0] &= -COFACTOR; | |
7324473f | 48 | if (hibit == 0) { |
db90b274 MC |
49 | secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0; |
50 | secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; | |
7324473f | 51 | } else { |
db90b274 MC |
52 | secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1; |
53 | secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] |= hibit; | |
7324473f MC |
54 | } |
55 | } | |
56 | ||
aeeef83c MC |
57 | static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed, |
58 | uint8_t for_prehash, | |
59 | const uint8_t *context, | |
60 | size_t context_len) | |
205fd638 | 61 | { |
a242839f | 62 | const char *dom_s = "SigEd448"; |
094c071c MC |
63 | uint8_t dom[2]; |
64 | ||
65 | dom[0] = 2 + word_is_zero(prehashed) + word_is_zero(for_prehash); | |
66 | dom[1] = (uint8_t)context_len; | |
a242839f MC |
67 | |
68 | if (context_len > UINT8_MAX) | |
aeeef83c | 69 | return C448_FAILURE; |
7324473f | 70 | |
a242839f | 71 | if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) |
205fd638 MC |
72 | || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s)) |
73 | || !EVP_DigestUpdate(hashctx, dom, sizeof(dom)) | |
74 | || !EVP_DigestUpdate(hashctx, context, context_len)) | |
aeeef83c | 75 | return C448_FAILURE; |
a242839f | 76 | |
aeeef83c | 77 | return C448_SUCCESS; |
7324473f MC |
78 | } |
79 | ||
7324473f | 80 | /* In this file because it uses the hash */ |
aeeef83c | 81 | c448_error_t c448_ed448_convert_private_key_to_x448( |
db90b274 MC |
82 | uint8_t x[X448_PRIVATE_BYTES], |
83 | const uint8_t ed [EDDSA_448_PRIVATE_BYTES]) | |
205fd638 | 84 | { |
a242839f | 85 | /* pass the private key through oneshot_hash function */ |
db90b274 MC |
86 | /* and keep the first X448_PRIVATE_BYTES bytes */ |
87 | return oneshot_hash(x, X448_PRIVATE_BYTES, ed, | |
88 | EDDSA_448_PRIVATE_BYTES); | |
7324473f | 89 | } |
205fd638 | 90 | |
aeeef83c | 91 | c448_error_t c448_ed448_derive_public_key( |
db90b274 MC |
92 | uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], |
93 | const uint8_t privkey[EDDSA_448_PRIVATE_BYTES]) | |
205fd638 | 94 | { |
7324473f | 95 | /* only this much used for keygen */ |
db90b274 | 96 | uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES]; |
094c071c MC |
97 | curve448_scalar_t secret_scalar; |
98 | unsigned int c; | |
99 | curve448_point_t p; | |
100 | ||
a242839f | 101 | if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey, |
db90b274 | 102 | EDDSA_448_PRIVATE_BYTES)) |
aeeef83c | 103 | return C448_FAILURE; |
8d55f844 | 104 | |
7324473f | 105 | clamp(secret_scalar_ser); |
094c071c | 106 | |
205fd638 MC |
107 | curve448_scalar_decode_long(secret_scalar, secret_scalar_ser, |
108 | sizeof(secret_scalar_ser)); | |
109 | ||
110 | /* | |
111 | * Since we are going to mul_by_cofactor during encoding, divide by it | |
112 | * here. However, the EdDSA base point is not the same as the decaf base | |
113 | * point if the sigma isogeny is in use: the EdDSA base point is on | |
114 | * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when | |
115 | * converted it effectively picks up a factor of 2 from the isogenies. So | |
116 | * we might start at 2 instead of 1. | |
7324473f | 117 | */ |
db90b274 | 118 | for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) |
205fd638 | 119 | curve448_scalar_halve(secret_scalar, secret_scalar); |
205fd638 MC |
120 | |
121 | curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar); | |
122 | ||
e7772577 | 123 | curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p); |
205fd638 | 124 | |
7324473f | 125 | /* Cleanup */ |
e7772577 MC |
126 | curve448_scalar_destroy(secret_scalar); |
127 | curve448_point_destroy(p); | |
b6e388ba | 128 | OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser)); |
a242839f | 129 | |
aeeef83c | 130 | return C448_SUCCESS; |
7324473f MC |
131 | } |
132 | ||
aeeef83c | 133 | c448_error_t c448_ed448_sign( |
db90b274 MC |
134 | uint8_t signature[EDDSA_448_SIGNATURE_BYTES], |
135 | const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], | |
136 | const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], | |
8d55f844 MC |
137 | const uint8_t *message, size_t message_len, |
138 | uint8_t prehashed, const uint8_t *context, | |
139 | size_t context_len) | |
205fd638 | 140 | { |
e7772577 | 141 | curve448_scalar_t secret_scalar; |
a242839f | 142 | EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); |
aeeef83c | 143 | c448_error_t ret = C448_FAILURE; |
094c071c | 144 | curve448_scalar_t nonce_scalar; |
db90b274 | 145 | uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 }; |
094c071c MC |
146 | unsigned int c; |
147 | curve448_scalar_t challenge_scalar; | |
a242839f MC |
148 | |
149 | if (hashctx == NULL) | |
aeeef83c | 150 | return C448_FAILURE; |
a242839f | 151 | |
7324473f | 152 | { |
52a9587c MC |
153 | /* |
154 | * Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialised | |
155 | * secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed. | |
156 | */ | |
157 | uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2]; | |
a242839f | 158 | |
52a9587c | 159 | if (!oneshot_hash(expanded, sizeof(expanded), privkey, |
db90b274 | 160 | EDDSA_448_PRIVATE_BYTES)) |
a242839f | 161 | goto err; |
52a9587c MC |
162 | clamp(expanded); |
163 | curve448_scalar_decode_long(secret_scalar, expanded, | |
164 | EDDSA_448_PRIVATE_BYTES); | |
205fd638 | 165 | |
7324473f | 166 | /* Hash to create the nonce */ |
a242839f | 167 | if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len) |
52a9587c MC |
168 | || !EVP_DigestUpdate(hashctx, expanded + EDDSA_448_PRIVATE_BYTES, |
169 | EDDSA_448_PRIVATE_BYTES) | |
205fd638 | 170 | || !EVP_DigestUpdate(hashctx, message, message_len)) { |
52a9587c | 171 | OPENSSL_cleanse(expanded, sizeof(expanded)); |
a242839f MC |
172 | goto err; |
173 | } | |
52a9587c | 174 | OPENSSL_cleanse(expanded, sizeof(expanded)); |
7324473f | 175 | } |
205fd638 | 176 | |
7324473f | 177 | /* Decode the nonce */ |
7324473f | 178 | { |
db90b274 | 179 | uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES]; |
a242839f MC |
180 | |
181 | if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce))) | |
182 | goto err; | |
e7772577 | 183 | curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce)); |
b6e388ba | 184 | OPENSSL_cleanse(nonce, sizeof(nonce)); |
7324473f | 185 | } |
094c071c | 186 | |
7324473f MC |
187 | { |
188 | /* Scalarmul to create the nonce-point */ | |
e7772577 | 189 | curve448_scalar_t nonce_scalar_2; |
094c071c MC |
190 | curve448_point_t p; |
191 | ||
205fd638 | 192 | curve448_scalar_halve(nonce_scalar_2, nonce_scalar); |
db90b274 | 193 | for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) { |
205fd638 | 194 | curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2); |
7324473f | 195 | } |
094c071c | 196 | |
205fd638 MC |
197 | curve448_precomputed_scalarmul(p, curve448_precomputed_base, |
198 | nonce_scalar_2); | |
e7772577 MC |
199 | curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p); |
200 | curve448_point_destroy(p); | |
201 | curve448_scalar_destroy(nonce_scalar_2); | |
7324473f | 202 | } |
094c071c | 203 | |
7324473f | 204 | { |
db90b274 | 205 | uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES]; |
a242839f MC |
206 | |
207 | /* Compute the challenge */ | |
208 | if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len) | |
205fd638 | 209 | || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point)) |
db90b274 | 210 | || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES) |
205fd638 MC |
211 | || !EVP_DigestUpdate(hashctx, message, message_len) |
212 | || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) | |
a242839f MC |
213 | goto err; |
214 | ||
205fd638 MC |
215 | curve448_scalar_decode_long(challenge_scalar, challenge, |
216 | sizeof(challenge)); | |
217 | OPENSSL_cleanse(challenge, sizeof(challenge)); | |
7324473f | 218 | } |
205fd638 MC |
219 | |
220 | curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar); | |
221 | curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar); | |
222 | ||
db90b274 | 223 | OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES); |
205fd638 | 224 | memcpy(signature, nonce_point, sizeof(nonce_point)); |
db90b274 | 225 | curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES], |
205fd638 MC |
226 | challenge_scalar); |
227 | ||
e7772577 MC |
228 | curve448_scalar_destroy(secret_scalar); |
229 | curve448_scalar_destroy(nonce_scalar); | |
230 | curve448_scalar_destroy(challenge_scalar); | |
a242839f | 231 | |
aeeef83c | 232 | ret = C448_SUCCESS; |
a242839f MC |
233 | err: |
234 | EVP_MD_CTX_free(hashctx); | |
235 | return ret; | |
7324473f MC |
236 | } |
237 | ||
aeeef83c | 238 | c448_error_t c448_ed448_sign_prehash( |
db90b274 MC |
239 | uint8_t signature[EDDSA_448_SIGNATURE_BYTES], |
240 | const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], | |
241 | const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], | |
aeeef83c MC |
242 | const uint8_t hash[64], const uint8_t *context, |
243 | size_t context_len) | |
205fd638 | 244 | { |
aeeef83c MC |
245 | return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context, |
246 | context_len); | |
7324473f MC |
247 | } |
248 | ||
aeeef83c | 249 | c448_error_t c448_ed448_verify( |
db90b274 MC |
250 | const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], |
251 | const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], | |
aeeef83c MC |
252 | const uint8_t *message, size_t message_len, |
253 | uint8_t prehashed, const uint8_t *context, | |
254 | uint8_t context_len) | |
205fd638 | 255 | { |
e7772577 | 256 | curve448_point_t pk_point, r_point; |
aeeef83c | 257 | c448_error_t error = |
205fd638 | 258 | curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey); |
094c071c MC |
259 | curve448_scalar_t challenge_scalar; |
260 | curve448_scalar_t response_scalar; | |
261 | unsigned int c; | |
262 | ||
aeeef83c | 263 | if (C448_SUCCESS != error) |
205fd638 | 264 | return error; |
205fd638 MC |
265 | |
266 | error = | |
267 | curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature); | |
aeeef83c | 268 | if (C448_SUCCESS != error) |
205fd638 | 269 | return error; |
205fd638 | 270 | |
7324473f MC |
271 | { |
272 | /* Compute the challenge */ | |
a242839f | 273 | EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); |
db90b274 | 274 | uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES]; |
a242839f MC |
275 | |
276 | if (hashctx == NULL | |
e4118223 MC |
277 | || !hash_init_with_dom(hashctx, prehashed, 0, context, |
278 | context_len) | |
279 | || !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES) | |
280 | || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES) | |
281 | || !EVP_DigestUpdate(hashctx, message, message_len) | |
282 | || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) { | |
a242839f | 283 | EVP_MD_CTX_free(hashctx); |
aeeef83c | 284 | return C448_FAILURE; |
a242839f MC |
285 | } |
286 | ||
287 | EVP_MD_CTX_free(hashctx); | |
205fd638 MC |
288 | curve448_scalar_decode_long(challenge_scalar, challenge, |
289 | sizeof(challenge)); | |
290 | OPENSSL_cleanse(challenge, sizeof(challenge)); | |
7324473f | 291 | } |
205fd638 MC |
292 | curve448_scalar_sub(challenge_scalar, curve448_scalar_zero, |
293 | challenge_scalar); | |
294 | ||
295 | curve448_scalar_decode_long(response_scalar, | |
db90b274 MC |
296 | &signature[EDDSA_448_PUBLIC_BYTES], |
297 | EDDSA_448_PRIVATE_BYTES); | |
205fd638 | 298 | |
db90b274 | 299 | for (c = 1; c < C448_EDDSA_DECODE_RATIO; c <<= 1) |
205fd638 | 300 | curve448_scalar_add(response_scalar, response_scalar, response_scalar); |
205fd638 | 301 | |
7324473f | 302 | /* pk_point = -c(x(P)) + (cx + k)G = kG */ |
205fd638 MC |
303 | curve448_base_double_scalarmul_non_secret(pk_point, |
304 | response_scalar, | |
305 | pk_point, challenge_scalar); | |
aeeef83c | 306 | return c448_succeed_if(curve448_point_eq(pk_point, r_point)); |
7324473f MC |
307 | } |
308 | ||
aeeef83c | 309 | c448_error_t c448_ed448_verify_prehash( |
db90b274 MC |
310 | const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], |
311 | const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], | |
8d55f844 MC |
312 | const uint8_t hash[64], const uint8_t *context, |
313 | uint8_t context_len) | |
205fd638 | 314 | { |
aeeef83c | 315 | c448_error_t ret; |
205fd638 | 316 | |
aeeef83c MC |
317 | ret = c448_ed448_verify(signature, pubkey, hash, 64, 1, context, |
318 | context_len); | |
205fd638 | 319 | |
7324473f MC |
320 | return ret; |
321 | } | |
4ea41daa MC |
322 | |
323 | int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, | |
22bcc9cb | 324 | const uint8_t public_key[57], const uint8_t private_key[57], |
6ea71cba MC |
325 | const uint8_t *context, size_t context_len) |
326 | { | |
4ea41daa | 327 | |
aeeef83c MC |
328 | return c448_ed448_sign(out_sig, private_key, public_key, message, |
329 | message_len, 0, context, context_len) | |
330 | == C448_SUCCESS; | |
4ea41daa MC |
331 | } |
332 | ||
4ea41daa | 333 | int ED448_verify(const uint8_t *message, size_t message_len, |
22bcc9cb | 334 | const uint8_t signature[114], const uint8_t public_key[57], |
6ea71cba MC |
335 | const uint8_t *context, size_t context_len) |
336 | { | |
aeeef83c | 337 | return c448_ed448_verify(signature, public_key, message, message_len, 0, |
0cdcdacc | 338 | context, (uint8_t)context_len) == C448_SUCCESS; |
4ea41daa MC |
339 | } |
340 | ||
6ea71cba | 341 | int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64], |
22bcc9cb | 342 | const uint8_t public_key[57], const uint8_t private_key[57], |
6ea71cba MC |
343 | const uint8_t *context, size_t context_len) |
344 | { | |
aeeef83c MC |
345 | return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash, |
346 | context, context_len) == C448_SUCCESS; | |
4ea41daa | 347 | |
6ea71cba | 348 | } |
4ea41daa | 349 | |
22bcc9cb MC |
350 | int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114], |
351 | const uint8_t public_key[57], const uint8_t *context, | |
6ea71cba MC |
352 | size_t context_len) |
353 | { | |
aeeef83c | 354 | return c448_ed448_verify_prehash(signature, public_key, hash, context, |
0cdcdacc | 355 | (uint8_t)context_len) == C448_SUCCESS; |
4ea41daa MC |
356 | } |
357 | ||
22bcc9cb | 358 | int ED448_public_from_private(uint8_t out_public_key[57], |
205fd638 | 359 | const uint8_t private_key[57]) |
6ea71cba | 360 | { |
aeeef83c MC |
361 | return c448_ed448_derive_public_key(out_public_key, private_key) |
362 | == C448_SUCCESS; | |
4ea41daa | 363 | } |