2 * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright 2015-2016 Cryptography Research, Inc.
5 * Licensed under the OpenSSL license (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
10 * Originally written by Mike Hamburg
12 #include <openssl/crypto.h>
13 #include <openssl/evp.h>
15 #include "curve448_lcl.h"
19 #include "internal/numbers.h"
23 static c448_error_t
oneshot_hash(uint8_t *out
, size_t outlen
,
24 const uint8_t *in
, size_t inlen
)
26 EVP_MD_CTX
*hashctx
= EVP_MD_CTX_new();
31 if (!EVP_DigestInit_ex(hashctx
, EVP_shake256(), NULL
)
32 || !EVP_DigestUpdate(hashctx
, in
, inlen
)
33 || !EVP_DigestFinalXOF(hashctx
, out
, outlen
)) {
34 EVP_MD_CTX_free(hashctx
);
38 EVP_MD_CTX_free(hashctx
);
42 static void clamp(uint8_t secret_scalar_ser
[EDDSA_448_PRIVATE_BYTES
])
44 uint8_t hibit
= (1 << 0) >> 1;
47 secret_scalar_ser
[0] &= -COFACTOR
;
49 secret_scalar_ser
[EDDSA_448_PRIVATE_BYTES
- 1] = 0;
50 secret_scalar_ser
[EDDSA_448_PRIVATE_BYTES
- 2] |= 0x80;
52 secret_scalar_ser
[EDDSA_448_PRIVATE_BYTES
- 1] &= hibit
- 1;
53 secret_scalar_ser
[EDDSA_448_PRIVATE_BYTES
- 1] |= hibit
;
57 static c448_error_t
hash_init_with_dom(EVP_MD_CTX
*hashctx
, uint8_t prehashed
,
59 const uint8_t *context
,
62 const char *dom_s
= "SigEd448";
65 dom
[0] = 2 + word_is_zero(prehashed
) + word_is_zero(for_prehash
);
66 dom
[1] = (uint8_t)context_len
;
68 if (context_len
> UINT8_MAX
)
71 if (!EVP_DigestInit_ex(hashctx
, EVP_shake256(), NULL
)
72 || !EVP_DigestUpdate(hashctx
, dom_s
, strlen(dom_s
))
73 || !EVP_DigestUpdate(hashctx
, dom
, sizeof(dom
))
74 || !EVP_DigestUpdate(hashctx
, context
, context_len
))
80 /* In this file because it uses the hash */
81 c448_error_t
c448_ed448_convert_private_key_to_x448(
82 uint8_t x
[X448_PRIVATE_BYTES
],
83 const uint8_t ed
[EDDSA_448_PRIVATE_BYTES
])
85 /* pass the private key through oneshot_hash function */
86 /* and keep the first X448_PRIVATE_BYTES bytes */
87 return oneshot_hash(x
, X448_PRIVATE_BYTES
, ed
,
88 EDDSA_448_PRIVATE_BYTES
);
91 c448_error_t
c448_ed448_derive_public_key(
92 uint8_t pubkey
[EDDSA_448_PUBLIC_BYTES
],
93 const uint8_t privkey
[EDDSA_448_PRIVATE_BYTES
])
95 /* only this much used for keygen */
96 uint8_t secret_scalar_ser
[EDDSA_448_PRIVATE_BYTES
];
97 curve448_scalar_t secret_scalar
;
101 if (!oneshot_hash(secret_scalar_ser
, sizeof(secret_scalar_ser
), privkey
,
102 EDDSA_448_PRIVATE_BYTES
))
105 clamp(secret_scalar_ser
);
107 curve448_scalar_decode_long(secret_scalar
, secret_scalar_ser
,
108 sizeof(secret_scalar_ser
));
111 * Since we are going to mul_by_cofactor during encoding, divide by it
112 * here. However, the EdDSA base point is not the same as the decaf base
113 * point if the sigma isogeny is in use: the EdDSA base point is on
114 * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
115 * converted it effectively picks up a factor of 2 from the isogenies. So
116 * we might start at 2 instead of 1.
118 for (c
= 1; c
< C448_EDDSA_ENCODE_RATIO
; c
<<= 1)
119 curve448_scalar_halve(secret_scalar
, secret_scalar
);
121 curve448_precomputed_scalarmul(p
, curve448_precomputed_base
, secret_scalar
);
123 curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey
, p
);
126 curve448_scalar_destroy(secret_scalar
);
127 curve448_point_destroy(p
);
128 OPENSSL_cleanse(secret_scalar_ser
, sizeof(secret_scalar_ser
));
133 c448_error_t
c448_ed448_sign(
134 uint8_t signature
[EDDSA_448_SIGNATURE_BYTES
],
135 const uint8_t privkey
[EDDSA_448_PRIVATE_BYTES
],
136 const uint8_t pubkey
[EDDSA_448_PUBLIC_BYTES
],
137 const uint8_t *message
, size_t message_len
,
138 uint8_t prehashed
, const uint8_t *context
,
141 curve448_scalar_t secret_scalar
;
142 EVP_MD_CTX
*hashctx
= EVP_MD_CTX_new();
143 c448_error_t ret
= C448_FAILURE
;
144 curve448_scalar_t nonce_scalar
;
145 uint8_t nonce_point
[EDDSA_448_PUBLIC_BYTES
] = { 0 };
147 curve448_scalar_t challenge_scalar
;
154 * Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialised
155 * secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
157 uint8_t expanded
[EDDSA_448_PRIVATE_BYTES
* 2];
159 if (!oneshot_hash(expanded
, sizeof(expanded
), privkey
,
160 EDDSA_448_PRIVATE_BYTES
))
163 curve448_scalar_decode_long(secret_scalar
, expanded
,
164 EDDSA_448_PRIVATE_BYTES
);
166 /* Hash to create the nonce */
167 if (!hash_init_with_dom(hashctx
, prehashed
, 0, context
, context_len
)
168 || !EVP_DigestUpdate(hashctx
,
169 expanded
+ EDDSA_448_PRIVATE_BYTES
,
170 EDDSA_448_PRIVATE_BYTES
)
171 || !EVP_DigestUpdate(hashctx
, message
, message_len
)) {
172 OPENSSL_cleanse(expanded
, sizeof(expanded
));
175 OPENSSL_cleanse(expanded
, sizeof(expanded
));
178 /* Decode the nonce */
180 uint8_t nonce
[2 * EDDSA_448_PRIVATE_BYTES
];
182 if (!EVP_DigestFinalXOF(hashctx
, nonce
, sizeof(nonce
)))
184 curve448_scalar_decode_long(nonce_scalar
, nonce
, sizeof(nonce
));
185 OPENSSL_cleanse(nonce
, sizeof(nonce
));
189 /* Scalarmul to create the nonce-point */
190 curve448_scalar_t nonce_scalar_2
;
193 curve448_scalar_halve(nonce_scalar_2
, nonce_scalar
);
194 for (c
= 2; c
< C448_EDDSA_ENCODE_RATIO
; c
<<= 1)
195 curve448_scalar_halve(nonce_scalar_2
, nonce_scalar_2
);
197 curve448_precomputed_scalarmul(p
, curve448_precomputed_base
,
199 curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point
, p
);
200 curve448_point_destroy(p
);
201 curve448_scalar_destroy(nonce_scalar_2
);
205 uint8_t challenge
[2 * EDDSA_448_PRIVATE_BYTES
];
207 /* Compute the challenge */
208 if (!hash_init_with_dom(hashctx
, prehashed
, 0, context
, context_len
)
209 || !EVP_DigestUpdate(hashctx
, nonce_point
, sizeof(nonce_point
))
210 || !EVP_DigestUpdate(hashctx
, pubkey
, EDDSA_448_PUBLIC_BYTES
)
211 || !EVP_DigestUpdate(hashctx
, message
, message_len
)
212 || !EVP_DigestFinalXOF(hashctx
, challenge
, sizeof(challenge
)))
215 curve448_scalar_decode_long(challenge_scalar
, challenge
,
217 OPENSSL_cleanse(challenge
, sizeof(challenge
));
220 curve448_scalar_mul(challenge_scalar
, challenge_scalar
, secret_scalar
);
221 curve448_scalar_add(challenge_scalar
, challenge_scalar
, nonce_scalar
);
223 OPENSSL_cleanse(signature
, EDDSA_448_SIGNATURE_BYTES
);
224 memcpy(signature
, nonce_point
, sizeof(nonce_point
));
225 curve448_scalar_encode(&signature
[EDDSA_448_PUBLIC_BYTES
],
228 curve448_scalar_destroy(secret_scalar
);
229 curve448_scalar_destroy(nonce_scalar
);
230 curve448_scalar_destroy(challenge_scalar
);
234 EVP_MD_CTX_free(hashctx
);
238 c448_error_t
c448_ed448_sign_prehash(
239 uint8_t signature
[EDDSA_448_SIGNATURE_BYTES
],
240 const uint8_t privkey
[EDDSA_448_PRIVATE_BYTES
],
241 const uint8_t pubkey
[EDDSA_448_PUBLIC_BYTES
],
242 const uint8_t hash
[64], const uint8_t *context
,
245 return c448_ed448_sign(signature
, privkey
, pubkey
, hash
, 64, 1, context
,
249 c448_error_t
c448_ed448_verify(
250 const uint8_t signature
[EDDSA_448_SIGNATURE_BYTES
],
251 const uint8_t pubkey
[EDDSA_448_PUBLIC_BYTES
],
252 const uint8_t *message
, size_t message_len
,
253 uint8_t prehashed
, const uint8_t *context
,
256 curve448_point_t pk_point
, r_point
;
258 curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point
, pubkey
);
259 curve448_scalar_t challenge_scalar
;
260 curve448_scalar_t response_scalar
;
263 if (C448_SUCCESS
!= error
)
267 curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point
, signature
);
268 if (C448_SUCCESS
!= error
)
272 /* Compute the challenge */
273 EVP_MD_CTX
*hashctx
= EVP_MD_CTX_new();
274 uint8_t challenge
[2 * EDDSA_448_PRIVATE_BYTES
];
277 || !hash_init_with_dom(hashctx
, prehashed
, 0, context
,
279 || !EVP_DigestUpdate(hashctx
, signature
, EDDSA_448_PUBLIC_BYTES
)
280 || !EVP_DigestUpdate(hashctx
, pubkey
, EDDSA_448_PUBLIC_BYTES
)
281 || !EVP_DigestUpdate(hashctx
, message
, message_len
)
282 || !EVP_DigestFinalXOF(hashctx
, challenge
, sizeof(challenge
))) {
283 EVP_MD_CTX_free(hashctx
);
287 EVP_MD_CTX_free(hashctx
);
288 curve448_scalar_decode_long(challenge_scalar
, challenge
,
290 OPENSSL_cleanse(challenge
, sizeof(challenge
));
292 curve448_scalar_sub(challenge_scalar
, curve448_scalar_zero
,
295 curve448_scalar_decode_long(response_scalar
,
296 &signature
[EDDSA_448_PUBLIC_BYTES
],
297 EDDSA_448_PRIVATE_BYTES
);
299 for (c
= 1; c
< C448_EDDSA_DECODE_RATIO
; c
<<= 1)
300 curve448_scalar_add(response_scalar
, response_scalar
, response_scalar
);
302 /* pk_point = -c(x(P)) + (cx + k)G = kG */
303 curve448_base_double_scalarmul_non_secret(pk_point
,
305 pk_point
, challenge_scalar
);
306 return c448_succeed_if(curve448_point_eq(pk_point
, r_point
));
309 c448_error_t
c448_ed448_verify_prehash(
310 const uint8_t signature
[EDDSA_448_SIGNATURE_BYTES
],
311 const uint8_t pubkey
[EDDSA_448_PUBLIC_BYTES
],
312 const uint8_t hash
[64], const uint8_t *context
,
315 return c448_ed448_verify(signature
, pubkey
, hash
, 64, 1, context
,
319 int ED448_sign(uint8_t *out_sig
, const uint8_t *message
, size_t message_len
,
320 const uint8_t public_key
[57], const uint8_t private_key
[57],
321 const uint8_t *context
, size_t context_len
)
324 return c448_ed448_sign(out_sig
, private_key
, public_key
, message
,
325 message_len
, 0, context
, context_len
)
329 int ED448_verify(const uint8_t *message
, size_t message_len
,
330 const uint8_t signature
[114], const uint8_t public_key
[57],
331 const uint8_t *context
, size_t context_len
)
333 return c448_ed448_verify(signature
, public_key
, message
, message_len
, 0,
334 context
, (uint8_t)context_len
) == C448_SUCCESS
;
337 int ED448ph_sign(uint8_t *out_sig
, const uint8_t hash
[64],
338 const uint8_t public_key
[57], const uint8_t private_key
[57],
339 const uint8_t *context
, size_t context_len
)
341 return c448_ed448_sign_prehash(out_sig
, private_key
, public_key
, hash
,
342 context
, context_len
) == C448_SUCCESS
;
346 int ED448ph_verify(const uint8_t hash
[64], const uint8_t signature
[114],
347 const uint8_t public_key
[57], const uint8_t *context
,
350 return c448_ed448_verify_prehash(signature
, public_key
, hash
, context
,
351 (uint8_t)context_len
) == C448_SUCCESS
;
354 int ED448_public_from_private(uint8_t out_public_key
[57],
355 const uint8_t private_key
[57])
357 return c448_ed448_derive_public_key(out_public_key
, private_key
)