jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

initialize point/scalar from rng; still needs work

master
Mike Hamburg 9 years ago
parent
172477e76a
commit
ba92a551d4
3 changed files with 149 additions and 68 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +58
    -38
      include/decaf.hxx
  2. +78
    -6
      include/shake.hxx
  3. +13
    -24
      test/test_decaf.cxx

+ 58
- 38
include/decaf.hxx View File

@@ -52,7 +52,7 @@ namespace decaf {
/**
* Securely erase contents of memory.
*/
void really_bzero(void *data, size_t size);
static inline void really_bzero(void *data, size_t size) { decaf_bzero(data,size); }
/**
* @brief Group with prime order.
@@ -61,7 +61,12 @@ void really_bzero(void *data, size_t size);
template<unsigned int bits = 448> struct decaf;

/** @brief Passed to constructors to avoid (conservative) initialization */
static const class NOINIT { public: NOINIT(){} } NI;
struct NOINIT {};

/**@cond internal*/
/** Forward-declare sponge RNG object */
class SpongeRng;
/**@endcond*/

/**
* @brief Ed448-Goldilocks/Decaf instantiation of group.
@@ -86,6 +91,9 @@ class Precomputed;
*/
class Scalar {
public:
/** @brief Size of a serialized element */
static const size_t SER_BYTES = DECAF_448_SCALAR_BYTES;
/** @brief access to the underlying scalar object */
decaf_448_scalar_t s;
@@ -98,6 +106,9 @@ public:
/** @brief Set to a signed word */
inline Scalar(const int w) NOEXCEPT { *this = w; }
/** @brief Construct from RNG */
inline explicit Scalar(SpongeRng &rng);
/** @brief Construct from decaf_scalar_t object. */
inline Scalar(const decaf_448_scalar_t &t = decaf_448_scalar_zero) NOEXCEPT { decaf_448_scalar_copy(s,t); }
@@ -143,7 +154,7 @@ public:
* @return DECAF_FAILURE if the scalar is greater than or equal to the group order q.
*/
static inline decaf_bool_t __attribute__((warn_unused_result)) decode (
Scalar &sc, const unsigned char buffer[DECAF_448_SCALAR_BYTES]
Scalar &sc, const unsigned char buffer[SER_BYTES]
) NOEXCEPT {
return decaf_448_scalar_decode(sc.s,buffer);
}
@@ -152,48 +163,48 @@ public:
static inline decaf_bool_t __attribute__((warn_unused_result)) decode (
Scalar &sc, const std::string buffer
) NOEXCEPT {
if (buffer.size() != DECAF_448_SCALAR_BYTES) return DECAF_FAILURE;
if (buffer.size() != SER_BYTES) return DECAF_FAILURE;
return decaf_448_scalar_decode(sc.s,GET_DATA(buffer));
}
/** @brief Encode to fixed-length string */
inline EXPLICIT_CON operator std::string() const NOEXCEPT {
unsigned char buffer[DECAF_448_SCALAR_BYTES];
unsigned char buffer[SER_BYTES];
decaf_448_scalar_encode(buffer, s);
return std::string((char*)buffer,sizeof(buffer));
}
/** @brief Encode to fixed-length buffer */
inline void encode(unsigned char buffer[DECAF_448_SCALAR_BYTES]) const NOEXCEPT{
inline void encode(unsigned char buffer[SER_BYTES]) const NOEXCEPT{
decaf_448_scalar_encode(buffer, s);
}
/** Add. */
inline Scalar operator+ (const Scalar &q) const NOEXCEPT { Scalar r(NI); decaf_448_scalar_add(r.s,s,q.s); return r; }
inline Scalar operator+ (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_add(r.s,s,q.s); return r; }
/** Add to this. */
inline Scalar &operator+=(const Scalar &q) NOEXCEPT { decaf_448_scalar_add(s,s,q.s); return *this; }
/** Subtract. */
inline Scalar operator- (const Scalar &q) const NOEXCEPT { Scalar r(NI); decaf_448_scalar_sub(r.s,s,q.s); return r; }
inline Scalar operator- (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_sub(r.s,s,q.s); return r; }
/** Subtract from this. */
inline Scalar &operator-=(const Scalar &q) NOEXCEPT { decaf_448_scalar_sub(s,s,q.s); return *this; }
/** Multiply */
inline Scalar operator* (const Scalar &q) const NOEXCEPT { Scalar r(NI); decaf_448_scalar_mul(r.s,s,q.s); return r; }
inline Scalar operator* (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_mul(r.s,s,q.s); return r; }
/** Multiply into this. */
inline Scalar &operator*=(const Scalar &q) NOEXCEPT { decaf_448_scalar_mul(s,s,q.s); return *this; }
/** Negate */
inline Scalar operator- () const NOEXCEPT { Scalar r(NI); decaf_448_scalar_sub(r.s,decaf_448_scalar_zero,s); return r; }
inline Scalar operator- () const NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_sub(r.s,decaf_448_scalar_zero,s); return r; }
/** @brief Invert with Fermat's Little Theorem (slow!). If *this == 0, return 0. */
inline Scalar inverse() const NOEXCEPT { Scalar r; decaf_448_scalar_invert(r.s,s); return r; }
/** @brief Divide by inverting q. If q == 0, return 0. */
inline Scalar operator/ (const Scalar &q) const NOEXCEPT { Scalar r(NI); decaf_448_scalar_mul(r.s,s,q.inverse().s); return r; }
inline Scalar operator/ (const Scalar &q) const NOEXCEPT { Scalar r((NOINIT())); decaf_448_scalar_mul(r.s,s,q.inverse().s); return r; }
/** @brief Divide by inverting q. If q == 0, return 0. */
inline Scalar &operator/=(const Scalar &q) NOEXCEPT { decaf_448_scalar_mul(s,s,q.inverse().s); return *this; }
@@ -214,8 +225,8 @@ public:
* @todo Fix up bools.
*/
inline decaf_bool_t direct_scalarmul(
unsigned char out[DECAF_448_SER_BYTES],
const unsigned char in[DECAF_448_SER_BYTES],
unsigned char out[SER_BYTES],
const unsigned char in[SER_BYTES],
decaf_bool_t allow_identity=DECAF_FALSE,
decaf_bool_t short_circuit=DECAF_TRUE
) const NOEXCEPT {
@@ -230,7 +241,7 @@ public:
decaf_bool_t allow_identity=DECAF_FALSE,
decaf_bool_t short_circuit=DECAF_TRUE
) const NOEXCEPT {
unsigned char out[DECAF_448_SER_BYTES];
unsigned char out[SER_BYTES];
if (decaf_448_direct_scalarmul(out, GET_DATA(in), s, allow_identity, short_circuit)) {
return std::string((char *)out,sizeof(out));
} else {
@@ -244,6 +255,12 @@ public:
*/
class Point {
public:
/** @brief Size of a serialized element */
static const size_t SER_BYTES = DECAF_448_SER_BYTES;
/** @brief Bytes required for hash */
static const size_t HASH_BYTES = DECAF_448_SER_BYTES;
/** The c-level object. */
decaf_448_point_t p;
@@ -262,6 +279,9 @@ public:
/** @brief Destructor securely erases the point. */
inline ~Point() { decaf_448_point_destroy(p); }
/** @brief Construct from RNG */
inline explicit Point(SpongeRng &rng, bool uniform = true);
/**
* @brief Initialize from C++ fixed-length byte string.
* The all-zero string maps to the identity.
@@ -280,7 +300,7 @@ public:
* @throw CryptoException the string was the wrong length, or wasn't the encoding of a point,
* or was the identity and allow_identity was DECAF_FALSE.
*/
inline explicit Point(const unsigned char buffer[DECAF_448_SER_BYTES], decaf_bool_t allow_identity=DECAF_TRUE)
inline explicit Point(const unsigned char buffer[SER_BYTES], decaf_bool_t allow_identity=DECAF_TRUE)
throw(CryptoException) { if (!decode(*this,buffer,allow_identity)) throw CryptoException(); }
/**
@@ -292,7 +312,7 @@ public:
* and allow_identity was DECAF_FALSE. Contents of the buffer are undefined.
*/
static inline decaf_bool_t __attribute__((warn_unused_result)) decode (
Point &p, const unsigned char buffer[DECAF_448_SER_BYTES], decaf_bool_t allow_identity=DECAF_TRUE
Point &p, const unsigned char buffer[SER_BYTES], decaf_bool_t allow_identity=DECAF_TRUE
) NOEXCEPT {
return decaf_448_point_decode(p.p,buffer,allow_identity);
}
@@ -308,7 +328,7 @@ public:
static inline decaf_bool_t __attribute__((warn_unused_result)) decode (
Point &p, const std::string &buffer, decaf_bool_t allow_identity=DECAF_TRUE
) NOEXCEPT {
if (buffer.size() != DECAF_448_SER_BYTES) return DECAF_FAILURE;
if (buffer.size() != SER_BYTES) return DECAF_FAILURE;
return decaf_448_point_decode(p.p,GET_DATA(buffer),allow_identity);
}

@@ -316,19 +336,19 @@ public:
* @brief Map to the curve from a C buffer.
* The all-zero buffer maps to the identity, as does the buffer {1,0...}
*/
static inline Point from_hash_nonuniform ( const unsigned char buffer[DECAF_448_SER_BYTES] ) NOEXCEPT {
Point p(NI); decaf_448_point_from_hash_nonuniform(p.p,buffer); return p;
static inline Point from_hash_nonuniform ( const unsigned char buffer[SER_BYTES] ) NOEXCEPT {
Point p((NOINIT())); decaf_448_point_from_hash_nonuniform(p.p,buffer); return p;
}
/**
* @brief Map to the curve from a C++ string buffer.
* The empty or all-zero string maps to the identity, as does the string "\x01".
* If the buffer is shorter than (TODO) DECAF_448_SER_BYTES, it will be zero-padded on the right.
* If the buffer is shorter than (TODO) SER_BYTES, it will be zero-padded on the right.
*/
static inline Point from_hash_nonuniform ( const std::string &s ) NOEXCEPT {
std::string t = s;
if (t.size() < DECAF_448_SER_BYTES) t.insert(t.size(),DECAF_448_SER_BYTES-t.size(),0);
Point p(NI); decaf_448_point_from_hash_nonuniform(p.p,GET_DATA(t)); return p;
if (t.size() < SER_BYTES) t.insert(t.size(),SER_BYTES-t.size(),0);
Point p((NOINIT())); decaf_448_point_from_hash_nonuniform(p.p,GET_DATA(t)); return p;
}
@@ -336,28 +356,28 @@ public:
* @brief Map uniformly to the curve from a C buffer.
* The all-zero buffer maps to the identity, as does the buffer {1,0...}.
*/
static inline Point from_hash ( const unsigned char buffer[2*DECAF_448_SER_BYTES] ) NOEXCEPT {
Point p(NI); decaf_448_point_from_hash_uniform(p.p,buffer); return p;
static inline Point from_hash ( const unsigned char buffer[2*SER_BYTES] ) NOEXCEPT {
Point p((NOINIT())); decaf_448_point_from_hash_uniform(p.p,buffer); return p;
}
/**
* @brief Map uniformly to the curve from a C++ buffer.
* The empty or all-zero string maps to the identity, as does the string "\x01".
* If the buffer is shorter than (TODO) 2*DECAF_448_SER_BYTES, well, it won't be as uniform,
* If the buffer is shorter than (TODO) 2*SER_BYTES, well, it won't be as uniform,
* but the buffer will be zero-padded on the right.
*/
static inline Point from_hash ( const std::string &s ) NOEXCEPT {
std::string t = s;
if (t.size() <= DECAF_448_SER_BYTES) return from_hash_nonuniform(s);
if (t.size() < 2*DECAF_448_SER_BYTES) t.insert(t.size(),2*DECAF_448_SER_BYTES-t.size(),0);
Point p(NI); decaf_448_point_from_hash_uniform(p.p,GET_DATA(t)); return p;
if (t.size() <= SER_BYTES) return from_hash_nonuniform(s);
if (t.size() < 2*SER_BYTES) t.insert(t.size(),2*SER_BYTES-t.size(),0);
Point p((NOINIT())); decaf_448_point_from_hash_uniform(p.p,GET_DATA(t)); return p;
}
/**
* @brief Encode to string. The identity encodes to the all-zero string.
*/
inline EXPLICIT_CON operator std::string() const NOEXCEPT {
unsigned char buffer[DECAF_448_SER_BYTES];
unsigned char buffer[SER_BYTES];
decaf_448_point_encode(buffer, p);
return std::string((char*)buffer,sizeof(buffer));
}
@@ -365,27 +385,27 @@ public:
/**
* @brief Encode to a C buffer. The identity encodes to all zeros.
*/
inline void encode(unsigned char buffer[DECAF_448_SER_BYTES]) const NOEXCEPT{
inline void encode(unsigned char buffer[SER_BYTES]) const NOEXCEPT{
decaf_448_point_encode(buffer, p);
}
/** @brief Point add. */
inline Point operator+ (const Point &q) const NOEXCEPT { Point r(NI); decaf_448_point_add(r.p,p,q.p); return r; }
inline Point operator+ (const Point &q) const NOEXCEPT { Point r((NOINIT())); decaf_448_point_add(r.p,p,q.p); return r; }
/** @brief Point add. */
inline Point &operator+=(const Point &q) NOEXCEPT { decaf_448_point_add(p,p,q.p); return *this; }
/** @brief Point subtract. */
inline Point operator- (const Point &q) const NOEXCEPT { Point r(NI); decaf_448_point_sub(r.p,p,q.p); return r; }
inline Point operator- (const Point &q) const NOEXCEPT { Point r((NOINIT())); decaf_448_point_sub(r.p,p,q.p); return r; }
/** @brief Point subtract. */
inline Point &operator-=(const Point &q) NOEXCEPT { decaf_448_point_sub(p,p,q.p); return *this; }
/** @brief Point negate. */
inline Point operator- () const NOEXCEPT { Point r(NI); decaf_448_point_negate(r.p,p); return r; }
inline Point operator- () const NOEXCEPT { Point r((NOINIT())); decaf_448_point_negate(r.p,p); return r; }
/** @brief Double the point out of place. */
inline Point times_two () const NOEXCEPT { Point r(NI); decaf_448_point_double(r.p,p); return r; }
inline Point times_two () const NOEXCEPT { Point r((NOINIT())); decaf_448_point_double(r.p,p); return r; }
/** @brief Double the point in place. */
inline Point &double_in_place() NOEXCEPT { decaf_448_point_double(p,p); return *this; }
@@ -397,7 +417,7 @@ public:
inline bool operator==(const Point &q) const NOEXCEPT { return !!decaf_448_point_eq(p,q.p); }
/** @brief Scalar multiply. */
inline Point operator* (const Scalar &s) const NOEXCEPT { Point r(NI); decaf_448_point_scalarmul(r.p,p,s.s); return r; }
inline Point operator* (const Scalar &s) const NOEXCEPT { Point r((NOINIT())); decaf_448_point_scalarmul(r.p,p,s.s); return r; }
/** @brief Scalar multiply in place. */
inline Point &operator*=(const Scalar &s) NOEXCEPT { decaf_448_point_scalarmul(p,p,s.s); return *this; }
@@ -415,7 +435,7 @@ public:
static inline Point double_scalarmul (
const Point &q, const Scalar &qs, const Point &r, const Scalar &rs
) NOEXCEPT {
Point p(NI); decaf_448_point_double_scalarmul(p.p,q.p,qs.s,r.p,rs.s); return p;
Point p((NOINIT())); decaf_448_point_double_scalarmul(p.p,q.p,qs.s,r.p,rs.s); return p;
}
/**
@@ -425,7 +445,7 @@ public:
static inline Point double_scalarmul (
const Scalar &qs, const Point &q, const Scalar &rs, const Point &r
) NOEXCEPT {
Point p(NI); decaf_448_point_double_scalarmul(p.p,q.p,qs.s,r.p,rs.s); return p;
Point p((NOINIT())); decaf_448_point_double_scalarmul(p.p,q.p,qs.s,r.p,rs.s); return p;
}
/**
@@ -434,7 +454,7 @@ public:
* it doesn't).
*/
inline Point non_secret_combo_with_base(const Scalar &s, const Scalar &s_base) {
Point r(NI); decaf_448_base_double_scalarmul_non_secret(r.p,s_base.s,p,s.s); return r;
Point r((NOINIT())); decaf_448_base_double_scalarmul_non_secret(r.p,s_base.s,p,s.s); return r;
}
/** @brief Return the base point */


+ 78
- 6
include/shake.hxx View File

@@ -9,6 +9,8 @@
* @warning EXPERIMENTAL! The names, parameter orders etc are likely to change.
*/

/** TODO: Crypto++ style secure auto-erasing strings?? */

#ifndef __SHAKE_HXX__
#define __SHAKE_HXX__

@@ -18,10 +20,12 @@

/** @cond internal */
#if __cplusplus >= 201103L
#define DELETE = delete
#define NOEXCEPT noexcept
#define EXPLICIT_CON explicit
#define GET_DATA(str) ((const unsigned char *)&(str)[0])
#else
#define DELETE
#define NOEXCEPT throw()
#define EXPLICIT_CON
#define GET_DATA(str) ((const unsigned char *)((str).data()))
@@ -126,27 +130,95 @@ template<> const struct kparams_s *SHA3<256>::get_params() { return &SHA3_256_pa
template<> const struct kparams_s *SHA3<384>::get_params() { return &SHA3_384_params_s; }
template<> const struct kparams_s *SHA3<512>::get_params() { return &SHA3_512_params_s; }
/** @endcond */
/** Sponge-based random-number generator */
class SpongeRng : public KeccakSponge {
class SpongeRng : private KeccakSponge {
public:
class RngException : public std::exception {
private:
const char *const what_;
public:
const int err_code;
const char *what() const NOEXCEPT { return what_; }
RngException(int err_code, const char *what_) NOEXCEPT : what_(what_), err_code(err_code) {}
};
struct FROM_BUFFER {};
struct FROM_FILE {};
/** Initialize, deterministically by default, from C buffer */
inline SpongeRng( const uint8_t *in, size_t len, bool deterministic = true ) NOEXCEPT
: KeccakSponge(NI) {
inline SpongeRng( const FROM_BUFFER &, const uint8_t *in, size_t len, bool deterministic = true ) NOEXCEPT
: KeccakSponge((NOINIT())) {
spongerng_init_from_buffer(sp,in,len,deterministic);
}
/** Initialize, deterministically by default, from C++ string */
inline SpongeRng( const std::string &in, bool deterministic = true ) NOEXCEPT
: KeccakSponge(NI) {
inline SpongeRng( const FROM_BUFFER &, const std::string &in, bool deterministic = true )
: KeccakSponge((NOINIT())) {
spongerng_init_from_buffer(sp,GET_DATA(in),in.size(),deterministic);
}
/** Initialize, non-deterministically by default, from C/C++ filename */
inline SpongeRng( const FROM_FILE &, const std::string &in = "/dev/urandom", size_t len = 32, bool deterministic = false )
throw(RngException)
: KeccakSponge((NOINIT())) {
int ret = spongerng_init_from_file(sp,in.c_str(),len,deterministic);
if (ret) {
throw RngException(ret, "Couldn't load from file");
}
}
/** Read data to a C buffer.
* @warning TODO Future versions of this function may throw RngException if a
* nondeterministic RNG fails a reseed.
*/
inline void read(uint8_t *buffer, size_t length) {
spongerng_next(sp,buffer,length);
}
/** Read data to a C++ string
* @warning TODO Future versions of this function may throw RngException if a
* nondeterministic RNG fails a reseed.
*/
inline std::string read(size_t length) throw(std::bad_alloc) {
uint8_t *buffer = new uint8_t[length];
spongerng_next(sp,buffer,length);
std::string out((const char *)buffer, length);
delete[] buffer;
return out;
}
private:
SpongeRng(const SpongeRng &) DELETE;
SpongeRng &operator=(const SpongeRng &) DELETE;
};

/**@cond internal*/
/* FIXME: MAGIC; should use buffer or erase temporary string */
/* FIXME: multiple sizes */
decaf<448>::Scalar::Scalar(SpongeRng &rng) {
uint8_t buffer[SER_BYTES];
rng.read(buffer, sizeof(buffer));
decaf_448_scalar_decode_long(s,buffer,sizeof(buffer));
really_bzero(buffer, sizeof(buffer));
}

decaf<448>::Point::Point(SpongeRng &rng, bool uniform) {
uint8_t buffer[2*HASH_BYTES];
rng.read(buffer, (uniform ? 2 : 1) * HASH_BYTES);
if (uniform) {
decaf_448_point_from_hash_uniform(p,buffer);
} else {
decaf_448_point_from_hash_nonuniform(p,buffer);
}
really_bzero(buffer, sizeof(buffer));
}
/**@endcond*/
} /* namespace decaf */

#undef NOEXCEPT
#undef EXPLICIT_CON
#undef GET_DATA
#undef DELETE

#endif /* __SHAKE_HXX__ */

+ 13
- 24
test/test_decaf.cxx View File

@@ -115,9 +115,7 @@ static bool point_check(
}

static void test_arithmetic() {
keccak_sponge_t sponge;
unsigned char buffer[DECAF_448_SCALAR_BYTES+8];
spongerng_init_from_buffer(sponge, (const uint8_t *)"test_arithmetic", 16, 1);
decaf::SpongeRng rng(decaf::SpongeRng::FROM_BUFFER(), "test_arithmetic");
Test test("Arithmetic");
Scalar x(0),y(0),z(0);
@@ -126,13 +124,10 @@ static void test_arithmetic() {
for (int i=0; i<NTESTS*10 && test.passing_now; i++) {
/* TODO: pathological cases */
size_t sob = sizeof(buffer) - (i%16);
spongerng_next(sponge, buffer, sob);
Scalar x(buffer, sob);
spongerng_next(sponge, buffer, sob);
Scalar y(buffer, sob);
spongerng_next(sponge, buffer, sob);
Scalar z(buffer, sob);
size_t sob = DECAF_448_SCALAR_BYTES + 8 - (i%16);
Scalar x(rng.read(sob));
Scalar y(rng.read(sob));
Scalar z(rng.read(sob));

arith_check(test,x,y,z,x+y,y+x,"commute add");
@@ -156,12 +151,10 @@ static void test_arithmetic() {


static void test_ec() {
keccak_sponge_t sponge;
unsigned char buffer[2*DECAF_448_SCALAR_BYTES];
spongerng_init_from_buffer(sponge, (const uint8_t *)"test_ec", 8, 1);
decaf::SpongeRng rng(decaf::SpongeRng::FROM_BUFFER(), "test_ec");
unsigned char buffer[2*DECAF_448_SER_BYTES];
Test test("EC");

Point id = Point::identity(), base = Point::base();
point_check(test,id,id,id,0,0,Point::from_hash(std::string("")),id,"fh0");
@@ -169,16 +162,12 @@ static void test_ec() {
for (int i=0; i<NTESTS && test.passing_now; i++) {
/* TODO: pathological cases */
size_t sob = sizeof(buffer);
spongerng_next(sponge, buffer, sob);
Scalar x(buffer, sob);
spongerng_next(sponge, buffer, sob);
Scalar y(buffer, sob);
spongerng_next(sponge, buffer, sob);
Point p = Point::from_hash(buffer);
spongerng_next(sponge, buffer, sob);
Point q = Point::from_hash(buffer);
spongerng_next(sponge, buffer, sob);
Scalar x(rng);
Scalar y(rng);
Point p(rng);
Point q(rng);
rng.read(buffer, 2*DECAF_448_SER_BYTES);
Point r = Point::from_hash(buffer);
point_check(test,p,q,r,0,0,p,Point((std::string)p),"round-trip");


Write Preview
Loading…
Cancel
Save