jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
380 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 4adb584654
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4adb584654'
${ noResults }
ed448goldilocks/src/per_curve/eddsa.tmpl.hxx

472 lines
14 KiB
Raw Blame History 

  1. 

  2. /*

  3.  * Example Decaf cyrpto routines, C++ wrapper.

  4.  * @warning These are merely examples, though they ought to be secure.  But real

  5.  * protocols will decide differently on magic numbers, formats, which items to

  6.  * hash, etc.

  7.  * @warning Experimental!  The names, parameter orders etc are likely to change.

  8.  */

  9. 

  10. #include <decaf/decaf_$(gf_bits).hxx>

  11. #include <decaf/eddsa_$(gf_bits).h>

  12. 

  13. #include <decaf/shake.hxx>

  14. #include <decaf/sha512.hxx>

  15. 

  16. /** @cond internal */

  17. #if __cplusplus >= 201103L

  18. #define NOEXCEPT noexcept

  19. #else

  20. #define NOEXCEPT throw()

  21. #endif

  22. /** @endcond */

  23. 

  24. namespace decaf {

  25. 

  26. /** A public key for crypto over some Group */

  27. template <typename Group> struct EdDSA;

  28. 

  29. /** A public key for crypto over $(name) */

  30. template<> struct EdDSA<$(cxx_ns)> {

  31.     

  32. enum Prehashed { PURE, PREHASHED };

  33. 

  34. /** @cond internal */

  35. template<class CRTP, Prehashed> class Signing;

  36. template<class CRTP, Prehashed> class Verification;

  37. $("""

  38. class PublicKeyBase;

  39. class PrivateKeyBase;

  40. typedef class PrivateKeyBase PrivateKey, PrivateKeyPure, PrivateKeyPh;

  41. typedef class PublicKeyBase PublicKey, PublicKeyPure, PublicKeyPh;

  42.   """ if eddsa_supports_contexts else """

  43. template<Prehashed=PURE> class PublicKeyBase;

  44. template<Prehashed=PURE> class PrivateKeyBase;

  45. typedef class PublicKeyBase<PURE> PublicKey, PublicKeyPure;

  46. typedef class PublicKeyBase<PREHASHED> PublicKeyPh;

  47. typedef class PrivateKeyBase<PURE> PrivateKey, PrivateKeyPure;

  48. typedef class PrivateKeyBase<PREHASHED> PrivateKeyPh;

  49. """)

  50. /** @endcond */

  51. 

  52. /** Prehash context for EdDSA.  TODO: test me! */

  53. class Prehash : public $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) {

  54. public:

  55.     /** Do we support contexts for signatures?  If not, they must always be NULL */

  56.     static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS;

  57.     

  58. private:

  59.     typedef $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) Super;

  60.     SecureBuffer context_;

  61.     template<class T, Prehashed Ph> friend class Signing;

  62.     template<class T, Prehashed Ph> friend class Verification;

  63.     

  64.     void init() throw(LengthException) {

  65.         Super::reset();

  66.         

  67.         if (context_.size() > 255

  68.             || (context_.size() != 0 && !SUPPORTS_CONTEXTS)

  69.         ) {

  70.             throw LengthException();

  71.         }

  72.         

  73.         if (SUPPORTS_CONTEXTS) {

  74.             uint8_t dom[2] = {2, context_.size() };

  75.             update(dom,2);

  76.             update(context_);

  77.         }

  78.     }

  79.     

  80. public:

  81.     /** Number of output bytes in prehash */

  82.     static const size_t OUTPUT_BYTES = Super::DEFAULT_OUTPUT_BYTES;

  83.     

  84.     /** Create the prehash */

  85.     Prehash(Block context = Block(NULL,0)) throw(LengthException) {

  86.         context_ = context;

  87.         init();

  88.     }

  89. 

  90.     /** Reset this hash */

  91.     void reset() NOEXCEPT { init(); }

  92.     

  93.     /** Output from this hash */

  94.     SecureBuffer final() throw(std::bad_alloc) {

  95.         SecureBuffer ret = Super::final(OUTPUT_BYTES);

  96.         reset();

  97.         return ret;

  98.     }

  99.     

  100.     /** Output from this hash */

  101.     void final(Buffer &b) throw(LengthException) {

  102.         if (b.size() != OUTPUT_BYTES) throw LengthException();

  103.         Super::final(b);

  104.         reset();

  105.     }

  106. };

  107. 

  108. template<class CRTP, Prehashed ph> class Signing;

  109. 

  110. template<class CRTP> class Signing<CRTP,PREHASHED> {

  111. public:

  112.     /* Sign a prehash context, and reset the context */

  113.     inline SecureBuffer sign_prehashed ( Prehash &ph ) const /*throw(std::bad_alloc)*/ {

  114.         SecureBuffer out(CRTP::SIG_BYTES);

  115.         FixedArrayBuffer<Prehash::OUTPUT_BYTES> tmp;

  116.         ph.final(tmp);

  117.         $(c_ns)_eddsa_sign (

  118.             out.data(),

  119.             ((const CRTP*)this)->priv_.data(),

  120.             ((const CRTP*)this)->pub_.data(),

  121.             tmp.data(),

  122.             tmp.size(),

  123.             1

  124. #if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS

  125.             , ph.context_.data(),

  126.             ph.context_.size()

  127. #endif

  128.         );

  129.         return out;

  130.     }

  131.     

  132.     /* Sign a message using the prehasher */

  133.     inline SecureBuffer sign_with_prehash (

  134.         const Block &message,

  135.         const Block &context = Block(NULL,0)

  136.     ) const /*throw(LengthException,CryptoException)*/ {

  137.         Prehash ph(context);

  138.         ph += message;

  139.         return sign_prehashed(ph);

  140.     }

  141. };

  142. 

  143. template<class CRTP> class Signing<CRTP,PURE>  {

  144. public:

  145.     /**

  146.      * Sign a message.

  147.      * @param [in] message The message to be signed.

  148.      * @param [in] context A context for the signature; must be at most 255 bytes;

  149.      * must be absent if SUPPORTS_CONTEXTS == false.

  150.      *

  151.      * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.

  152.      */

  153.     inline SecureBuffer sign (

  154.         const Block &message,

  155.         const Block &context = Block(NULL,0)

  156.     ) const /* TODO: this exn spec tickles a Clang bug?

  157.              * throw(LengthException, std::bad_alloc)

  158.              */ {

  159.         if (context.size() > 255

  160.             || (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)

  161.         ) {

  162.             throw LengthException();

  163.         }

  164.         

  165.         SecureBuffer out(CRTP::SIG_BYTES);

  166.         $(c_ns)_eddsa_sign (

  167.             out.data(),

  168.             ((const CRTP*)this)->priv_.data(),

  169.             ((const CRTP*)this)->pub_.data(),

  170.             message.data(),

  171.             message.size(),

  172.             0

  173. #if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS

  174.             , context.data(),

  175.             context.size()

  176. #endif

  177.         );

  178.         return out;

  179.     }

  180. };

  181. 

  182. $("""

  183. class PrivateKeyBase

  184.     : public Serializable<PrivateKeyBase>

  185.     , public Signing<PrivateKeyBase,PURE>

  186.     , public Signing<PrivateKeyBase,PREHASHED> {

  187. public:

  188.     typedef class PublicKeyBase MyPublicKey;

  189. private:

  190. /** @cond internal */

  191.     friend class PublicKeyBase;

  192.     friend class Signing<PrivateKey,PURE>;

  193.     friend class Signing<PrivateKey,PREHASHED>;

  194. /** @endcond */

  195. """ if eddsa_supports_contexts else """

  196. template<Prehashed ph> class PrivateKeyBase

  197.     : public Serializable<PrivateKeyBase<ph> >

  198.     , public Signing<PrivateKeyBase<ph>,ph> {

  199. public:

  200.     typedef class PublicKeyBase<ph> MyPublicKey;

  201. private:

  202. /** @cond internal */

  203.     friend class PublicKeyBase<ph>;

  204.     friend class Signing<PrivateKeyBase<ph>, ph>;

  205. /** @endcond */

  206. """)

  207.     

  208.     /** The pre-expansion form of the signing key. */

  209.     FixedArrayBuffer<$(C_NS)_EDDSA_PRIVATE_BYTES> priv_;

  210.     

  211.     /** The post-expansion public key. */

  212.     FixedArrayBuffer<$(C_NS)_EDDSA_PUBLIC_BYTES> pub_;

  213.     

  214. public:

  215.     /** Underlying group */

  216.     typedef $(cxx_ns) Group;

  217.     

  218.     /** Signature size. */

  219.     static const size_t SIG_BYTES = $(C_NS)_EDDSA_SIGNATURE_BYTES;

  220.     

  221.     /** Serialization size. */

  222.     static const size_t SER_BYTES = $(C_NS)_EDDSA_PRIVATE_BYTES;

  223.     

  224.     /** Do we support contexts for signatures?  If not, they must always be NULL */

  225.     static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS;

  226.     

  227.     

  228.     /** Create but don't initialize */

  229.     inline explicit PrivateKeyBase(const NOINIT&) NOEXCEPT : priv_((NOINIT())), pub_((NOINIT())) { }

  230.     

  231.     /** Read a private key from a string */

  232.     inline explicit PrivateKeyBase(const FixedBlock<SER_BYTES> &b) NOEXCEPT { *this = b; }

  233.     

  234.     /** Copy constructor */

  235.     inline PrivateKeyBase(const PrivateKey &k) NOEXCEPT { *this = k; }

  236.     

  237.     /** Create at random */

  238.     inline explicit PrivateKeyBase(Rng &r) NOEXCEPT : priv_(r) {

  239.         $(c_ns)_eddsa_derive_public_key(pub_.data(), priv_.data());

  240.     }

  241.     

  242.     /** Assignment from string */

  243.     inline PrivateKeyBase &operator=(const FixedBlock<SER_BYTES> &b) NOEXCEPT {

  244.         memcpy(priv_.data(),b.data(),b.size());

  245.         $(c_ns)_eddsa_derive_public_key(pub_.data(), priv_.data());

  246.         return *this;

  247.     }

  248.     

  249.     /** Copy assignment */

  250.     inline PrivateKeyBase &operator=(const PrivateKey &k) NOEXCEPT {

  251.         memcpy(priv_.data(),k.priv_.data(), priv_.size());

  252.         memcpy(pub_.data(),k.pub_.data(), pub_.size());

  253.         return *this;

  254.     }

  255.     

  256.     /** Serialization size. */

  257.     inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }

  258.     

  259.     /** Serialize into a buffer. */

  260.     inline void serialize_into(unsigned char *x) const NOEXCEPT {

  261.         memcpy(x,priv_.data(), priv_.size());

  262.     }

  263.     

  264.     /** Return the corresponding public key */

  265.     inline MyPublicKey pub() const NOEXCEPT {

  266.         MyPublicKey pub(*this);

  267.         return pub;

  268.     }

  269. }; /* class PrivateKey */

  270. 

  271. 

  272. 

  273. template<class CRTP> class Verification<CRTP,PURE> {

  274. public:

  275.     /** Verify a signature, returning DECAF_FAILURE if verification fails */

  276.     inline decaf_error_t WARN_UNUSED verify_noexcept (

  277.         const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,

  278.         const Block &message,

  279.         const Block &context = Block(NULL,0)

  280.     ) const /*NOEXCEPT*/ {

  281.         if (context.size() > 255

  282.             || (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)

  283.         ) {

  284.             return DECAF_FAILURE;

  285.         }

  286.         

  287.         return $(c_ns)_eddsa_verify (

  288.             sig.data(),

  289.             ((const CRTP*)this)->pub_.data(),

  290.             message.data(),

  291.             message.size(),

  292.             0

  293. #if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS

  294.             , context.data(),

  295.             context.size()

  296. #endif

  297.         );

  298.     }

  299.     

  300.     /** Verify a signature, throwing an exception if verification fails

  301.      * @param [in] sig The signature.

  302.      * @param [in] message The signed message.

  303.      * @param [in] context A context for the signature; must be at most 255 bytes;

  304.      * must be absent if SUPPORTS_CONTEXTS == false.

  305.      *

  306.      * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.

  307.      */

  308.     inline void verify (

  309.         const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,

  310.         const Block &message,

  311.         const Block &context = Block(NULL,0)

  312.     ) const /*throw(LengthException,CryptoException)*/ {

  313.         if (context.size() > 255

  314.             || (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)

  315.         ) {

  316.             throw LengthException();

  317.         }

  318.         

  319.         if (DECAF_SUCCESS != verify_noexcept( sig, message, context )) {

  320.             throw CryptoException();

  321.         }

  322.     }

  323. };

  324. 

  325. 

  326. template<class CRTP> class Verification<CRTP,PREHASHED> {

  327. public:

  328.     /* Verify a prehash context, and reset the context */

  329.     inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept (

  330.         const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,

  331.         Prehash &ph

  332.     ) const /*NOEXCEPT*/ {

  333.         FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;

  334.         ph.final(m);

  335.         return $(c_ns)_eddsa_verify (

  336.             sig.data(),

  337.             ((const CRTP*)this)->pub_.data(),

  338.             m.data(),

  339.             m.size(),

  340.             1

  341. #if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS

  342.             , ph.context_.data(),

  343.             ph.context_.size()

  344. #endif

  345.         );

  346.     }

  347.     

  348.     /* Verify a prehash context, and reset the context */

  349.     inline void verify_prehashed (

  350.         const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,

  351.         Prehash &ph

  352.     ) const /*throw(CryptoException)*/ {

  353.         FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;

  354.         ph.final(m);

  355.         if (DECAF_SUCCESS != $(c_ns)_eddsa_verify (

  356.             sig.data(),

  357.             ((const CRTP*)this)->pub_.data(),

  358.             m.data(),

  359.             m.size(),

  360.             1

  361. #if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS

  362.             , ph.context_.data(),

  363.             ph.context_.size()

  364. #endif

  365.         )) {

  366.             throw CryptoException();

  367.         }

  368.     }

  369.     

  370.     /* Verify a message using the prehasher */

  371.     inline void verify_with_prehash (

  372.         const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,

  373.         const Block &message,

  374.         const Block &context = Block(NULL,0)

  375.     ) const /*throw(LengthException,CryptoException)*/ {

  376.         Prehash ph(context);

  377.         ph += message;

  378.         verify_prehashed(sig,ph);

  379.     }

  380. };

  381. 

  382. 

  383. $("""

  384. class PublicKeyBase

  385.     : public Serializable<PublicKeyBase>

  386.     , public Verification<PublicKeyBase,PURE>

  387.     , public Verification<PublicKeyBase,PREHASHED> {

  388. public:

  389.     typedef class PrivateKeyBase MyPrivateKey;

  390.     

  391. private:

  392. /** @cond internal */

  393.     friend class PrivateKeyBase;

  394.     friend class Verification<PublicKey,PURE>;

  395.     friend class Verification<PublicKey,PREHASHED>;

  396. /** @endcond */

  397. """ if eddsa_supports_contexts else """

  398. template<Prehashed ph> class PublicKeyBase

  399.     : public Serializable<PublicKeyBase<ph> >

  400.     , public Verification<PublicKeyBase<ph>,ph> {

  401. public:

  402.     typedef class PrivateKeyBase<ph> MyPrivateKey;

  403.     

  404. private:

  405. /** @cond internal */

  406.     friend class PrivateKeyBase<ph>;

  407.     friend class Verification<PublicKeyBase<ph>, ph>;

  408. /** @endcond */

  409. """)

  410. 

  411. private:

  412.     /** The pre-expansion form of the signature */

  413.     FixedArrayBuffer<$(C_NS)_EDDSA_PUBLIC_BYTES> pub_;

  414.     

  415. public:

  416.     /* PERF FUTURE: Pre-cached decoding? Precomputed table?? */

  417.   

  418.     /** Underlying group */

  419.     typedef $(cxx_ns) Group;

  420.     

  421.     /** Signature size. */

  422.     static const size_t SIG_BYTES = $(C_NS)_EDDSA_SIGNATURE_BYTES;

  423.     

  424.     /** Serialization size. */

  425.     static const size_t SER_BYTES = $(C_NS)_EDDSA_PRIVATE_BYTES;

  426.     

  427.     /** Do we support contexts for signatures?  If not, they must always be NULL */

  428.     static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS;

  429.     

  430.     

  431.     /** Create but don't initialize */

  432.     inline explicit PublicKeyBase(const NOINIT&) NOEXCEPT : pub_((NOINIT())) { }

  433.     

  434.     /** Read a private key from a string */

  435.     inline explicit PublicKeyBase(const FixedBlock<SER_BYTES> &b) NOEXCEPT { *this = b; }

  436.     

  437.     /** Copy constructor */

  438.     inline PublicKeyBase(const PublicKeyBase &k) NOEXCEPT { *this = k; }

  439.     

  440.     /** Copy constructor */

  441.     inline explicit PublicKeyBase(const MyPrivateKey &k) NOEXCEPT { *this = k; }

  442. 

  443.     /** Assignment from string */

  444.     inline PublicKey &operator=(const FixedBlock<SER_BYTES> &b) NOEXCEPT {

  445.         memcpy(pub_.data(),b.data(),b.size());

  446.         return *this;

  447.     }

  448. 

  449.     /** Assignment from private key */

  450.     inline PublicKey &operator=(const PublicKey &p) NOEXCEPT {

  451.         return *this = p.pub_;

  452.     }

  453. 

  454.     /** Assignment from private key */

  455.     inline PublicKey &operator=(const MyPrivateKey &p) NOEXCEPT {

  456.         return *this = p.pub_;

  457.     }

  458. 

  459.     /** Serialization size. */

  460.     inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }

  461.     

  462.     /** Serialize into a buffer. */

  463.     inline void serialize_into(unsigned char *x) const NOEXCEPT {

  464.         memcpy(x,pub_.data(), pub_.size());

  465.     }

  466. }; /* class PublicKey */

  467. 

  468. }; /* template<> struct EdDSA<$(cxx_ns)> */

  469. 

  470. #undef NOEXCEPT

  471. } /* namespace decaf */