jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
377 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: f1df5e4714
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f1df5e4714'
${ noResults }
ed448goldilocks/src/per_curve/eddsa.tmpl.hxx

345 lines
10 KiB
Raw Blame History 

  1. 

  2. /*

  3.  * Example Decaf cyrpto routines, C++ wrapper.

  4.  * @warning These are merely examples, though they ought to be secure.  But real

  5.  * protocols will decide differently on magic numbers, formats, which items to

  6.  * hash, etc.

  7.  * @warning Experimental!  The names, parameter orders etc are likely to change.

  8.  */

  9. 

  10. #include <decaf/decaf_$(gf_bits).hxx>

  11. #include <decaf/eddsa_$(gf_bits).h>

  12. 

  13. #include <decaf/shake.hxx>

  14. #include <decaf/sha512.hxx>

  15. 

  16. /** @cond internal */

  17. #if __cplusplus >= 201103L

  18. #define NOEXCEPT noexcept

  19. #else

  20. #define NOEXCEPT throw()

  21. #endif

  22. /** @endcond */

  23. 

  24. namespace decaf {

  25. 

  26. /** A public key for crypto over some Group */

  27. template <typename Group> struct EdDSA;

  28. 

  29. /** A public key for crypto over $(name) */

  30. template<> struct EdDSA<$(cxx_ns)> {

  31. 

  32. /** @cond internal */

  33. class PrivateKey;

  34. class PublicKey;

  35. /** @endcond */

  36. 

  37. /** Prehash context for EdDSA.  TODO: test me! */

  38. class Prehash : public $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) {

  39. public:

  40.     /** Do we support contexts for signatures?  If not, they must always be NULL */

  41.     static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS;

  42.     

  43. private:

  44.     typedef $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) Super;

  45.     SecureBuffer context_;

  46.     friend class PrivateKey;

  47.     friend class PublicKey;

  48.     

  49.     void init() throw(LengthException) {

  50.         Super::reset();

  51.         

  52.         if (context_.size() > 255

  53.             || (context_.size() != 0 && !SUPPORTS_CONTEXTS)

  54.         ) {

  55.             throw LengthException();

  56.         }

  57.         

  58.         if (SUPPORTS_CONTEXTS) {

  59.             uint8_t dom[2] = {2, context_.size() };

  60.             update(dom,2);

  61.             update(context_);

  62.         }

  63.     }

  64.     

  65. public:

  66.     /** Number of output bytes in prehash */

  67.     static const size_t OUTPUT_BYTES = Super::DEFAULT_OUTPUT_BYTES;

  68.     

  69.     /** Create the prehash */

  70.     Prehash(Block context = Block(NULL,0)) throw(LengthException) {

  71.         context_ = context;

  72.         init();

  73.     }

  74. 

  75.     /** Reset this hash */

  76.     void reset() NOEXCEPT { init(); }

  77.     

  78.     /** Output from this hash */

  79.     SecureBuffer final() throw(std::bad_alloc) {

  80.         SecureBuffer ret = Super::final(OUTPUT_BYTES);

  81.         reset();

  82.         return ret;

  83.     }

  84.     

  85.     /** Output from this hash */

  86.     void final(Buffer &b) throw(LengthException) {

  87.         if (b.size() != OUTPUT_BYTES) throw LengthException();

  88.         Super::final(b);

  89.         reset();

  90.     }

  91. };

  92. 

  93. class PrivateKey : public Serializable<PrivateKey>  {

  94. private:

  95. /** @cond internal */

  96.     friend class PublicKey;

  97. /** @endcond */

  98.     

  99.     /** The pre-expansion form of the signing key. */

  100.     FixedArrayBuffer<$(C_NS)_EDDSA_PRIVATE_BYTES> priv_;

  101.     

  102.     /** The post-expansion public key. */

  103.     FixedArrayBuffer<$(C_NS)_EDDSA_PUBLIC_BYTES> pub_;

  104.     

  105. public:

  106.     /** Underlying group */

  107.     typedef $(cxx_ns) Group;

  108.     

  109.     /** Signature size. */

  110.     static const size_t SIG_BYTES = $(C_NS)_EDDSA_SIGNATURE_BYTES;

  111.     

  112.     /** Serialization size. */

  113.     static const size_t SER_BYTES = $(C_NS)_EDDSA_PRIVATE_BYTES;

  114.     

  115.     /** Do we support contexts for signatures?  If not, they must always be NULL */

  116.     static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS;

  117.     

  118.     

  119.     /** Create but don't initialize */

  120.     inline explicit PrivateKey(const NOINIT&) NOEXCEPT : priv_((NOINIT())), pub_((NOINIT())) { }

  121.     

  122.     /** Read a private key from a string */

  123.     inline explicit PrivateKey(const FixedBlock<SER_BYTES> &b) NOEXCEPT { *this = b; }

  124.     

  125.     /** Copy constructor */

  126.     inline PrivateKey(const PrivateKey &k) NOEXCEPT { *this = k; }

  127.     

  128.     /** Create at random */

  129.     inline explicit PrivateKey(Rng &r) NOEXCEPT : priv_(r) {

  130.         $(c_ns)_eddsa_derive_public_key(pub_.data(), priv_.data());

  131.     }

  132.     

  133.     /** Assignment from string */

  134.     inline PrivateKey &operator=(const FixedBlock<SER_BYTES> &b) NOEXCEPT {

  135.         memcpy(priv_.data(),b.data(),b.size());

  136.         $(c_ns)_eddsa_derive_public_key(pub_.data(), priv_.data());

  137.         return *this;

  138.     }

  139.     

  140.     /** Copy assignment */

  141.     inline PrivateKey &operator=(const PrivateKey &k) NOEXCEPT {

  142.         memcpy(priv_.data(),k.priv_.data(), priv_.size());

  143.         memcpy(pub_.data(),k.pub_.data(), pub_.size());

  144.         return *this;

  145.     }

  146.     

  147.     /** Serialization size. */

  148.     inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }

  149.     

  150.     /** Serialize into a buffer. */

  151.     inline void serialize_into(unsigned char *x) const NOEXCEPT {

  152.         memcpy(x,priv_.data(), priv_.size());

  153.     }

  154.     

  155.     /** Return the corresponding public key */

  156.     inline PublicKey pub() const NOEXCEPT {

  157.         PublicKey pub(*this);

  158.         return pub;

  159.     }

  160.     

  161.     /**

  162.      * Sign a message.

  163.      * @param [in] message The message to be signed.

  164.      * @param [in] prehashed If true, the message to be signed is already hashed.

  165.      * @param [in] context A context for the signature; must be at most 255 bytes;

  166.      * must be absent if SUPPORTS_CONTEXTS == false.

  167.      *

  168.      * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.

  169.      */

  170.     inline SecureBuffer sign (

  171.         const Block &message,

  172.         bool prehashed = false,

  173.         const Block &context = Block(NULL,0)

  174.     ) const throw(LengthException, std::bad_alloc) {

  175.         if (context.size() > 255

  176.             || (context.size() != 0 && !SUPPORTS_CONTEXTS)

  177.         ) {

  178.             throw LengthException();

  179.         }

  180.         

  181.         SecureBuffer out(SIG_BYTES);

  182.         $(c_ns)_eddsa_sign (

  183.             out.data(),

  184.             priv_.data(),

  185.             pub_.data(),

  186.             message.data(),

  187.             message.size(),

  188.             prehashed

  189. #if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS

  190.             , context.data(),

  191.             context.size()

  192. #endif

  193.         );

  194.         return out;

  195.     }

  196. 

  197.     /* Sign a prehash context, and reset the context */

  198.     inline SecureBuffer sign ( Prehash &ph ) const throw(std::bad_alloc) {

  199.         FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;

  200.         ph.final(m);

  201.         return sign(m, true, ph.context_);

  202.     }

  203. }; /* class PrivateKey */

  204. 

  205. class PublicKey : public Serializable<PublicKey> {

  206. private:

  207. /** @cond internal */

  208.     friend class PrivateKey;

  209. /** @endcond */

  210. 

  211. public:

  212.     /** The pre-expansion form of the signature */

  213.     FixedArrayBuffer<$(C_NS)_EDDSA_PUBLIC_BYTES> pub_;

  214.     

  215.     /* PERF FUTURE: Pre-cached decoding? Precomputed table?? */

  216.     

  217. public:

  218.     /** Underlying group */

  219.     typedef $(cxx_ns) Group;

  220.     

  221.     /** Signature size. */

  222.     static const size_t SIG_BYTES = $(C_NS)_EDDSA_SIGNATURE_BYTES;

  223.     

  224.     /** Serialization size. */

  225.     static const size_t SER_BYTES = $(C_NS)_EDDSA_PRIVATE_BYTES;

  226.     

  227.     /** Do we support contexts for signatures?  If not, they must always be NULL */

  228.     static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS;

  229.     

  230.     

  231.     /** Create but don't initialize */

  232.     inline explicit PublicKey(const NOINIT&) NOEXCEPT : pub_((NOINIT())) { }

  233.     

  234.     /** Read a private key from a string */

  235.     inline explicit PublicKey(const FixedBlock<SER_BYTES> &b) NOEXCEPT { *this = b; }

  236.     

  237.     /** Copy constructor */

  238.     inline PublicKey(const PublicKey &k) NOEXCEPT { *this = k; }

  239.     

  240.     /** Copy constructor */

  241.     inline explicit PublicKey(const PrivateKey &k) NOEXCEPT { *this = k; }

  242. 

  243.     /** Assignment from string */

  244.     inline PublicKey &operator=(const FixedBlock<SER_BYTES> &b) NOEXCEPT {

  245.         memcpy(pub_.data(),b.data(),b.size());

  246.         return *this;

  247.     }

  248. 

  249.     /** Assignment from private key */

  250.     inline PublicKey &operator=(const PublicKey &p) NOEXCEPT {

  251.         return *this = p.pub_;

  252.     }

  253. 

  254.     /** Assignment from private key */

  255.     inline PublicKey &operator=(const PrivateKey &p) NOEXCEPT {

  256.         return *this = p.pub_;

  257.     }

  258. 

  259.     

  260.     /** Serialization size. */

  261.     inline size_t ser_size() const NOEXCEPT { return SER_BYTES; }

  262.     

  263.     /** Serialize into a buffer. */

  264.     inline void serialize_into(unsigned char *x) const NOEXCEPT {

  265.         memcpy(x,pub_.data(), pub_.size());

  266.     }

  267.     

  268.     /** Verify a signature, returning DECAF_FAILURE if verification fails */

  269.     inline decaf_error_t WARN_UNUSED verify_noexcept (

  270.         const FixedBlock<SIG_BYTES> &sig,

  271.         const Block &message,

  272.         bool prehashed = false,

  273.         const Block &context = Block(NULL,0)

  274.     ) const NOEXCEPT {

  275.         if (context.size() > 255

  276.             || (context.size() != 0 && !SUPPORTS_CONTEXTS)

  277.         ) {

  278.             return DECAF_FAILURE;

  279.         }

  280.         

  281.         return $(c_ns)_eddsa_verify (

  282.             sig.data(),

  283.             pub_.data(),

  284.             message.data(),

  285.             message.size(),

  286.             prehashed

  287. #if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS

  288.             , context.data(),

  289.             context.size()

  290. #endif

  291.         );

  292.     }

  293.     

  294.     /** Verify a signature, throwing an exception if verification fails

  295.      * @param [in] sig The signature.

  296.      * @param [in] message The signed message.

  297.      * @param [in] prehashed If true, the message is already hashed.

  298.      * @param [in] context A context for the signature; must be at most 255 bytes;

  299.      * must be absent if SUPPORTS_CONTEXTS == false.

  300.      *

  301.      * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.

  302.      */

  303.     inline void verify (

  304.         const FixedBlock<SIG_BYTES> &sig,

  305.         const Block &message,

  306.         bool prehashed = false,

  307.         const Block &context = Block(NULL,0)

  308.     ) const throw(LengthException,CryptoException) {

  309.         if (context.size() > 255

  310.             || (context.size() != 0 && !SUPPORTS_CONTEXTS)

  311.         ) {

  312.             throw LengthException();

  313.         }

  314.         

  315.         if (DECAF_SUCCESS != verify_noexcept( sig, message, prehashed, context )) {

  316.             throw CryptoException();

  317.         }

  318.     }

  319.     

  320.     /* Verify a prehash context, and reset the context */

  321.     inline decaf_error_t WARN_UNUSED verify_noexcept (

  322.         const FixedBlock<SIG_BYTES> &sig,

  323.         Prehash &ph

  324.     ) const NOEXCEPT {

  325.         FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;

  326.         ph.final(m);

  327.         return verify_noexcept(sig, m, true, ph.context_);

  328.     }

  329.     

  330.     /* Verify a prehash context, and reset the context */

  331.     inline void verify (

  332.         const FixedBlock<SIG_BYTES> &sig,

  333.         Prehash &ph

  334.     ) const throw(CryptoException) {

  335.         FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;

  336.         ph.final(m);

  337.         verify(sig, m, true, ph.context_);

  338.     }

  339. }; /* class PublicKey */

  340. 

  341. }; /* template<> struct EdDSA<$(cxx_ns)> */

  342. 

  343. #undef NOEXCEPT

  344. } /* namespace decaf */