jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: d7f64fd885
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd7f64fd885'
${ noResults }
ed448goldilocks/include/goldilocks.h

211 lines
6.3 KiB
Raw Blame History 

  1. /* Copyright (c) 2014 Cryptography Research, Inc.

  2.  * Released under the MIT License.  See LICENSE.txt for license information.

  3.  */

  4. 

  5. /**

  6.  * @file goldilocks.h

  7.  * @author Mike Hamburg

  8.  * @brief Goldilocks high-level functions.

  9.  */

  10. #ifndef __GOLDILOCKS_H__

  11. #define __GOLDILOCKS_H__ 1

  12. 

  13. #include <stdint.h>

  14. 

  15. /**

  16.  * @brief Serialized form of a Goldilocks public key.

  17.  *

  18.  * @warning This isn't even my final form!

  19.  */

  20. struct goldilocks_public_key_t {

  21.     uint8_t opaque[56]; /**< Serialized data. */

  22. };

  23. 

  24. /**

  25.  * @brief Serialized form of a Goldilocks private key.

  26.  *

  27.  * Contains 56 bytes of actual private key, 56 bytes of

  28.  * public key, and 32 bytes of symmetric key for randomization.

  29.  *

  30.  * @warning This isn't even my final form!

  31.  */

  32. struct goldilocks_private_key_t {

  33.     uint8_t opaque[144]; /**< Serialized data. */

  34. };

  35. 

  36. #ifdef __cplusplus

  37. extern "C" {

  38. #endif

  39. 

  40. /** @brief No error. */

  41. static const int GOLDI_EOK      = 0;

  42. 

  43. /** @brief Error: your key or other state is corrupt. */

  44. static const int GOLDI_ECORRUPT = 44801;

  45. 

  46. /** @brief Error: other party's key is corrupt. */

  47. static const int GOLDI_EINVAL   = 44802;

  48. 

  49. /** @brief Error: not enough entropy. */

  50. static const int GOLDI_ENODICE  = 44804;

  51. 

  52. /** @brief Error: you need to initialize the library first. */

  53. static const int GOLDI_EUNINIT  = 44805;

  54. 

  55. /** @brief Error: called init() but we are already initialized. */

  56. static const int GOLDI_EALREADYINIT  = 44805;

  57. 

  58. /**

  59.  * @brief Initialize Goldilocks' precomputed tables and

  60.  * random number generator.  This function must be called before

  61.  * any of the other Goldilocks routines (except

  62.  * goldilocks_shared_secret in the current version) and should be

  63.  * called only once per process.

  64.  *

  65.  * There is currently no way to tear down this state.  It is possible

  66.  * that a future version of this library will not require this function.

  67.  *

  68.  * @retval GOLDI_EOK Success.

  69.  * @retval GOLDI_EALREADYINIT Already initialized.

  70.  * @retval GOLDI_ECORRUPT Memory is corrupted, or another thread is already init'ing.

  71.  * @retval Nonzero An error occurred.

  72.  */

  73. int

  74. goldilocks_init ()

  75. __attribute__((warn_unused_result));

  76. 

  77. 

  78. /**

  79.  * @brief Generate a new random keypair.

  80.  * @param [out] privkey The generated private key.

  81.  * @param [out] pubkey The generated public key.

  82.  *

  83.  * @warning This isn't even my final form!

  84.  *

  85.  * @retval GOLDI_EOK Success.

  86.  * @retval GOLDI_ENODICE Insufficient entropy.

  87.  * @retval GOLDI_EUNINIT You must call goldilocks_init() first.

  88.  */

  89. int

  90. goldilocks_keygen (

  91.     struct goldilocks_private_key_t *privkey,

  92.     struct goldilocks_public_key_t *pubkey

  93. ) __attribute__((warn_unused_result,nonnull(1,2)));

  94. 

  95. /**

  96.  * @brief Extract the public key from a private key.

  97.  *

  98.  * This is essentially a memcpy from the public part of the privkey.

  99.  *    

  100.  * @param [out] pubkey The extracted private key.

  101.  * @param [in] privkey The private key.

  102.  *

  103.  * @retval GOLDI_EOK Success.

  104.  * @retval GOLDI_ECORRUPT The private key is corrupt.

  105.  */

  106. int

  107. goldilocks_private_to_public (

  108.     struct goldilocks_public_key_t *pubkey,

  109.     const struct goldilocks_private_key_t *privkey

  110. ) __attribute__((nonnull(1,2)));

  111. 

  112. /**

  113.  * @brief Generate a Diffie-Hellman shared secret in constant time.

  114.  *

  115.  * This function uses some compile-time flags whose merit remains to

  116.  * be decided.

  117.  *

  118.  * If the flag EXPERIMENT_ECDH_OBLITERATE_CT is set, prepend 40 bytes

  119.  * of zeros to the secret before hashing.  In the case that the other

  120.  * party's key is detectably corrupt, instead the symmetric part

  121.  * of the secret key is used to produce a pseudorandom value.

  122.  *

  123.  * If EXPERIMENT_ECDH_STIR_IN_PUBKEYS is set, the sum and product of

  124.  * the two parties' public keys is prepended to the hash.

  125.  *

  126.  * In the current version, this function can safely be run even without

  127.  * goldilocks_init().  But this property is not guaranteed for future

  128.  * versions, so call it anyway.

  129.  *

  130.  * @warning This isn't even my final form!

  131.  *

  132.  * @param [out] shared The shared secret established with the other party.

  133.  * @param [in] my_privkey My private key.

  134.  * @param [in] your_pubkey The other party's public key.

  135.  *

  136.  * @retval GOLDI_EOK Success.

  137.  * @retval GOLDI_ECORRUPT My key is corrupt.

  138.  * @retval GOLDI_EINVAL   The other party's key is corrupt.

  139.  * @retval GOLDI_EUNINIT You must call goldilocks_init() first.

  140.  */

  141. int

  142. goldilocks_shared_secret (

  143.     uint8_t shared[64],

  144.     const struct goldilocks_private_key_t *my_privkey,

  145.     const struct goldilocks_public_key_t *your_pubkey

  146. ) __attribute__((warn_unused_result,nonnull(1,2,3)));

  147.     

  148. /**

  149.  * @brief Sign a message.

  150.  *

  151.  * The signature is deterministic, using the symmetric secret found in the

  152.  * secret key to form a nonce.

  153.  *

  154.  * The technique used in signing is a modified Schnorr system, like EdDSA.

  155.  *

  156.  * @warning This isn't even my final form!

  157.  *

  158.  * @param [out] signature_out Space for the output signature.

  159.  * @param [in] message The message to be signed.

  160.  * @param [in] message_len The length of the message to be signed.

  161.  * @param [in] privkey My private key.

  162.  *

  163.  * @retval GOLDI_EOK Success.

  164.  * @retval GOLDI_ECORRUPT My key is corrupt.

  165.  * @retval GOLDI_EUNINIT You must call goldilocks_init() first.

  166.  */

  167. int

  168. goldilocks_sign (

  169.     uint8_t signature_out[56*2],

  170.     const uint8_t *message,

  171.     uint64_t message_len,

  172.     const struct goldilocks_private_key_t *privkey

  173. ) __attribute__((nonnull(1,2,4)));

  174. 

  175. /**

  176.  * @brief Verify a signature.

  177.  *

  178.  * This function is fairly strict.  It will correctly detect when

  179.  * the signature has the wrong cofactor component, or when the sig

  180.  * values aren't less than p or q.

  181.  * 

  182.  * Currently this function does not detect when the public key is weird,

  183.  * eg 0, has cofactor, etc.  As a result, a party with a bogus public

  184.  * key could create signatures that succeed on some systems and fail on

  185.  * others.

  186.  *

  187.  * @warning This isn't even my final form!

  188.  *

  189.  * @param [in] signature The signature.

  190.  * @param [in] message The message to be verified.

  191.  * @param [in] message_len The length of the message to be verified.

  192.  * @param [in] pubkey The signer's public key.

  193.  *

  194.  * @retval GOLDI_EOK Success.

  195.  * @retval GOLDI_EINVAL The public key or signature is corrupt.

  196.  * @retval GOLDI_EUNINIT You must call goldilocks_init() first.

  197.  */

  198. int

  199. goldilocks_verify (

  200.     const uint8_t signature[56*2],

  201.     const uint8_t *message,

  202.     uint64_t message_len,

  203.     const struct goldilocks_public_key_t *pubkey

  204. ) __attribute__((warn_unused_result,nonnull(1,2,4)));

  205. 

  206. #ifdef __cplusplus

  207. }; /* extern "C" */

  208. #endif

  209. 

  210. #endif /* __GOLDILOCKS_H__ */