mirror/zig
1
0
Fork 0
mirror of https://github.com/ziglang/zig.git synced 2026-02-20 16:24:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

crypto: add support for the NIST P-384 curve (#11735)

Browse Source 
After P-256, here comes P-384, also known as secp384r1.

Like P-256, it is required for TLS, and is the current NIST recommendation for key exchange and signatures, for better or for worse.

Like P-256, all the finite field arithmetic has been computed and verified to be correct by fiat-crypto.
This commit is contained in:
Frank Denis 2022-05-31 17:29:38 +02:00 committed by GitHub
parent 83beed09e1
commit 26aea8cfa1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 8067 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/std/crypto.zig
View File

@ -62,6 +62,7 @@ pub const ecc = struct {
pub const Curve25519 = @import("crypto/25519/curve25519.zig").Curve25519;
pub const Edwards25519 = @import("crypto/25519/edwards25519.zig").Edwards25519;
pub const P256 = @import("crypto/pcurves/p256.zig").P256;
pub const P384 = @import("crypto/pcurves/p384.zig").P384;
pub const Ristretto255 = @import("crypto/25519/ristretto255.zig").Ristretto255;
};
@ -201,6 +202,7 @@ test {
_ = ecc.Curve25519;
_ = ecc.Edwards25519;
_ = ecc.P256;
_ = ecc.P384;
_ = ecc.Ristretto255;
_ = hash.blake2;

23
lib/std/crypto/pcurves/common.zig
View File

@ -253,6 +253,18 @@ pub fn Field(comptime params: FieldParams) type {
const x47 = x15.mul(x53);
const ls = x47.mul(((x53.sqn(17).mul(x2)).sqn(143).mul(x47)).sqn(47)).sq().mul(x2);
return ls.equivalent(Fe.one);
} else if (field_order == 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319) {
const t111 = x2.mul(x2.mul(x2.sq()).sq());
const t111111 = t111.mul(t111.sqn(3));
const t1111110 = t111111.sq();
const t1111111 = x2.mul(t1111110);
const x12 = t1111110.sqn(5).mul(t111111);
const x31 = x12.sqn(12).mul(x12).sqn(7).mul(t1111111);
const x32 = x31.sq().mul(x2);
const x63 = x32.sqn(31).mul(x31);
const x126 = x63.sqn(63).mul(x63);
const ls = x126.sqn(126).mul(x126).sqn(3).mul(t111).sqn(33).mul(x32).sqn(95).mul(x31);
return ls.equivalent(Fe.one);
} else {
const ls = x2.pow(std.meta.Int(.unsigned, field_bits), (field_order - 1) / 2); // Legendre symbol
return ls.equivalent(Fe.one);
@ -268,6 +280,17 @@ pub fn Field(comptime params: FieldParams) type {
const t11111111 = t1111.mul(t1111.sqn(4));
const x16 = t11111111.sqn(8).mul(t11111111);
return x16.sqn(16).mul(x16).sqn(32).mul(x2).sqn(96).mul(x2).sqn(94);
} else if (field_order == 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319) {
const t111 = x2.mul(x2.mul(x2.sq()).sq());
const t111111 = t111.mul(t111.sqn(3));
const t1111110 = t111111.sq();
const t1111111 = x2.mul(t1111110);
const x12 = t1111110.sqn(5).mul(t111111);
const x31 = x12.sqn(12).mul(x12).sqn(7).mul(t1111111);
const x32 = x31.sq().mul(x2);
const x63 = x32.sqn(31).mul(x31);
const x126 = x63.sqn(63).mul(x63);
return x126.sqn(126).mul(x126).sqn(3).mul(t111).sqn(33).mul(x32).sqn(64).mul(x2).sqn(30);
} else {
return x2.pow(std.meta.Int(.unsigned, field_bits), (field_order + 1) / 4);
}

2
lib/std/crypto/pcurves/p256.zig
View File

@ -474,5 +474,5 @@ pub const AffineCoordinates = struct {
};
test "p256" {
_ = @import("tests.zig");
_ = @import("tests/p256.zig");
}

2
lib/std/crypto/pcurves/p256/field.zig
View File

@ -7,6 +7,6 @@ pub const Fe = Field(.{
.fiat = @import("p256_64.zig"),
.field_order = 115792089210356248762697446949407573530086143415290314195533631308867097853951,
.field_bits = 256,
.saturated_bits = 255,
.saturated_bits = 256,
.encoded_length = 32,
});

2
lib/std/crypto/pcurves/p256/scalar.zig
View File

@ -20,7 +20,7 @@ const Fe = Field(.{
.fiat = @import("p256_scalar_64.zig"),
.field_order = 115792089210356248762697446949407573529996955224135760342422259061068512044369,
.field_bits = 256,
.saturated_bits = 255,
.saturated_bits = 256,
.encoded_length = encoded_length,
});

478
lib/std/crypto/pcurves/p384.zig Normal file
View File

@ -0,0 +1,478 @@
const std = @import("std");
const crypto = std.crypto;
const mem = std.mem;
const meta = std.meta;
const EncodingError = crypto.errors.EncodingError;
const IdentityElementError = crypto.errors.IdentityElementError;
const NonCanonicalError = crypto.errors.NonCanonicalError;
const NotSquareError = crypto.errors.NotSquareError;
/// Group operations over P384.
pub const P384 = struct {
/// The underlying prime field.
pub const Fe = @import("p384/field.zig").Fe;
/// Field arithmetic mod the order of the main subgroup.
pub const scalar = @import("p384/scalar.zig");
x: Fe,
y: Fe,
z: Fe = Fe.one,
is_base: bool = false,
/// The P384 base point.
pub const basePoint = P384{
.x = Fe.fromInt(26247035095799689268623156744566981891852923491109213387815615900925518854738050089022388053975719786650872476732087) catch unreachable,
.y = Fe.fromInt(8325710961489029985546751289520108179287853048861315594709205902480503199884419224438643760392947333078086511627871) catch unreachable,
.z = Fe.one,
.is_base = true,
};
/// The P384 neutral element.
pub const identityElement = P384{ .x = Fe.zero, .y = Fe.one, .z = Fe.zero };
pub const B = Fe.fromInt(27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575) catch unreachable;
/// Reject the neutral element.
pub fn rejectIdentity(p: P384) IdentityElementError!void {
if (p.x.isZero()) {
return error.IdentityElement;
}
}
/// Create a point from affine coordinates after checking that they match the curve equation.
pub fn fromAffineCoordinates(p: AffineCoordinates) EncodingError!P384 {
const x = p.x;
const y = p.y;
const x3AxB = x.sq().mul(x).sub(x).sub(x).sub(x).add(B);
const yy = y.sq();
const on_curve = @boolToInt(x3AxB.equivalent(yy));
const is_identity = @boolToInt(x.equivalent(AffineCoordinates.identityElement.x)) & @boolToInt(y.equivalent(AffineCoordinates.identityElement.y));
if ((on_curve | is_identity) == 0) {
return error.InvalidEncoding;
}
var ret = P384{ .x = x, .y = y, .z = Fe.one };
ret.z.cMov(P384.identityElement.z, is_identity);
return ret;
}
/// Create a point from serialized affine coordinates.
pub fn fromSerializedAffineCoordinates(xs: [48]u8, ys: [48]u8, endian: std.builtin.Endian) (NonCanonicalError || EncodingError)!P384 {
const x = try Fe.fromBytes(xs, endian);
const y = try Fe.fromBytes(ys, endian);
return fromAffineCoordinates(.{ .x = x, .y = y });
}
/// Recover the Y coordinate from the X coordinate.
pub fn recoverY(x: Fe, is_odd: bool) NotSquareError!Fe {
const x3AxB = x.sq().mul(x).sub(x).sub(x).sub(x).add(B);
var y = try x3AxB.sqrt();
const yn = y.neg();
y.cMov(yn, @boolToInt(is_odd) ^ @boolToInt(y.isOdd()));
return y;
}
/// Deserialize a SEC1-encoded point.
pub fn fromSec1(s: []const u8) (EncodingError || NotSquareError || NonCanonicalError)!P384 {
if (s.len < 1) return error.InvalidEncoding;
const encoding_type = s[0];
const encoded = s[1..];
switch (encoding_type) {
0 => {
if (encoded.len != 0) return error.InvalidEncoding;
return P384.identityElement;
},
2, 3 => {
if (encoded.len != 48) return error.InvalidEncoding;
const x = try Fe.fromBytes(encoded[0..48].*, .Big);
const y_is_odd = (encoding_type == 3);
const y = try recoverY(x, y_is_odd);
return P384{ .x = x, .y = y };
},
4 => {
if (encoded.len != 96) return error.InvalidEncoding;
const x = try Fe.fromBytes(encoded[0..48].*, .Big);
const y = try Fe.fromBytes(encoded[48..96].*, .Big);
return P384.fromAffineCoordinates(.{ .x = x, .y = y });
},
else => return error.InvalidEncoding,
}
}
/// Serialize a point using the compressed SEC-1 format.
pub fn toCompressedSec1(p: P384) [49]u8 {
var out: [49]u8 = undefined;
const xy = p.affineCoordinates();
out[0] = if (xy.y.isOdd()) 3 else 2;
mem.copy(u8, out[1..], &xy.x.toBytes(.Big));
return out;
}
/// Serialize a point using the uncompressed SEC-1 format.
pub fn toUncompressedSec1(p: P384) [97]u8 {
var out: [97]u8 = undefined;
out[0] = 4;
const xy = p.affineCoordinates();
mem.copy(u8, out[1..49], &xy.x.toBytes(.Big));
mem.copy(u8, out[49..97], &xy.y.toBytes(.Big));
return out;
}
/// Return a random point.
pub fn random() P384 {
const n = scalar.random(.Little);
return basePoint.mul(n, .Little) catch unreachable;
}
/// Flip the sign of the X coordinate.
pub fn neg(p: P384) P384 {
return .{ .x = p.x, .y = p.y.neg(), .z = p.z };
}
/// Double a P384 point.
// Algorithm 6 from https://eprint.iacr.org/2015/1060.pdf
pub fn dbl(p: P384) P384 {
var t0 = p.x.sq();
var t1 = p.y.sq();
var t2 = p.z.sq();
var t3 = p.x.mul(p.y);
t3 = t3.dbl();
var Z3 = p.x.mul(p.z);
Z3 = Z3.add(Z3);
var Y3 = B.mul(t2);
Y3 = Y3.sub(Z3);
var X3 = Y3.dbl();
Y3 = X3.add(Y3);
X3 = t1.sub(Y3);
Y3 = t1.add(Y3);
Y3 = X3.mul(Y3);
X3 = X3.mul(t3);
t3 = t2.dbl();
t2 = t2.add(t3);
Z3 = B.mul(Z3);
Z3 = Z3.sub(t2);
Z3 = Z3.sub(t0);
t3 = Z3.dbl();
Z3 = Z3.add(t3);
t3 = t0.dbl();
t0 = t3.add(t0);
t0 = t0.sub(t2);
t0 = t0.mul(Z3);
Y3 = Y3.add(t0);
t0 = p.y.mul(p.z);
t0 = t0.dbl();
Z3 = t0.mul(Z3);
X3 = X3.sub(Z3);
Z3 = t0.mul(t1);
Z3 = Z3.dbl().dbl();
return .{
.x = X3,
.y = Y3,
.z = Z3,
};
}
/// Add P384 points, the second being specified using affine coordinates.
// Algorithm 5 from https://eprint.iacr.org/2015/1060.pdf
pub fn addMixed(p: P384, q: AffineCoordinates) P384 {
var t0 = p.x.mul(q.x);
var t1 = p.y.mul(q.y);
var t3 = q.x.add(q.y);
var t4 = p.x.add(p.y);
t3 = t3.mul(t4);
t4 = t0.add(t1);
t3 = t3.sub(t4);
t4 = q.y.mul(p.z);
t4 = t4.add(p.y);
var Y3 = q.x.mul(p.z);
Y3 = Y3.add(p.x);
var Z3 = B.mul(p.z);
var X3 = Y3.sub(Z3);
Z3 = X3.dbl();
X3 = X3.add(Z3);
Z3 = t1.sub(X3);
X3 = t1.add(X3);
Y3 = B.mul(Y3);
t1 = p.z.dbl();
var t2 = t1.add(p.z);
Y3 = Y3.sub(t2);
Y3 = Y3.sub(t0);
t1 = Y3.dbl();
Y3 = t1.add(Y3);
t1 = t0.dbl();
t0 = t1.add(t0);
t0 = t0.sub(t2);
t1 = t4.mul(Y3);
t2 = t0.mul(Y3);
Y3 = X3.mul(Z3);
Y3 = Y3.add(t2);
X3 = t3.mul(X3);
X3 = X3.sub(t1);
Z3 = t4.mul(Z3);
t1 = t3.mul(t0);
Z3 = Z3.add(t1);
var ret = P384{
.x = X3,
.y = Y3,
.z = Z3,
};
ret.cMov(p, @boolToInt(q.x.isZero()));
return ret;
}
/// Add P384 points.
// Algorithm 4 from https://eprint.iacr.org/2015/1060.pdf
pub fn add(p: P384, q: P384) P384 {
var t0 = p.x.mul(q.x);
var t1 = p.y.mul(q.y);
var t2 = p.z.mul(q.z);
var t3 = p.x.add(p.y);
var t4 = q.x.add(q.y);
t3 = t3.mul(t4);
t4 = t0.add(t1);
t3 = t3.sub(t4);
t4 = p.y.add(p.z);
var X3 = q.y.add(q.z);
t4 = t4.mul(X3);
X3 = t1.add(t2);
t4 = t4.sub(X3);
X3 = p.x.add(p.z);
var Y3 = q.x.add(q.z);
X3 = X3.mul(Y3);
Y3 = t0.add(t2);
Y3 = X3.sub(Y3);
var Z3 = B.mul(t2);
X3 = Y3.sub(Z3);
Z3 = X3.dbl();
X3 = X3.add(Z3);
Z3 = t1.sub(X3);
X3 = t1.add(X3);
Y3 = B.mul(Y3);
t1 = t2.dbl();
t2 = t1.add(t2);
Y3 = Y3.sub(t2);
Y3 = Y3.sub(t0);
t1 = Y3.dbl();
Y3 = t1.add(Y3);
t1 = t0.dbl();
t0 = t1.add(t0);
t0 = t0.sub(t2);
t1 = t4.mul(Y3);
t2 = t0.mul(Y3);
Y3 = X3.mul(Z3);
Y3 = Y3.add(t2);
X3 = t3.mul(X3);
X3 = X3.sub(t1);
Z3 = t4.mul(Z3);
t1 = t3.mul(t0);
Z3 = Z3.add(t1);
return .{
.x = X3,
.y = Y3,
.z = Z3,
};
}
/// Subtract P384 points.
pub fn sub(p: P384, q: P384) P384 {
return p.add(q.neg());
}
/// Subtract P384 points, the second being specified using affine coordinates.
pub fn subMixed(p: P384, q: AffineCoordinates) P384 {
return p.addMixed(q.neg());
}
/// Return affine coordinates.
pub fn affineCoordinates(p: P384) AffineCoordinates {
const zinv = p.z.invert();
var ret = AffineCoordinates{
.x = p.x.mul(zinv),
.y = p.y.mul(zinv),
};
ret.cMov(AffineCoordinates.identityElement, @boolToInt(p.x.isZero()));
return ret;
}
/// Return true if both coordinate sets represent the same point.
pub fn equivalent(a: P384, b: P384) bool {
if (a.sub(b).rejectIdentity()) {
return false;
} else |_| {
return true;
}
}
fn cMov(p: *P384, a: P384, c: u1) void {
p.x.cMov(a.x, c);
p.y.cMov(a.y, c);
p.z.cMov(a.z, c);
}
fn pcSelect(comptime n: usize, pc: *const [n]P384, b: u8) P384 {
var t = P384.identityElement;
comptime var i: u8 = 1;
inline while (i < pc.len) : (i += 1) {
t.cMov(pc[i], @truncate(u1, (@as(usize, b ^ i) -% 1) >> 8));
}
return t;
}
fn slide(s: [48]u8) [2 * 48 + 1]i8 {
var e: [2 * 48 + 1]i8 = undefined;
for (s) |x, i| {
e[i * 2 + 0] = @as(i8, @truncate(u4, x));
e[i * 2 + 1] = @as(i8, @truncate(u4, x >> 4));
}
// Now, e[0..63] is between 0 and 15, e[63] is between 0 and 7
var carry: i8 = 0;
for (e[0..96]) |*x| {
x.* += carry;
carry = (x.* + 8) >> 4;
x.* -= carry * 16;
std.debug.assert(x.* >= -8 and x.* <= 8);
}
e[96] = carry;
// Now, e[*] is between -8 and 8, including e[64]
std.debug.assert(carry >= -8 and carry <= 8);
return e;
}
fn pcMul(pc: *const [9]P384, s: [48]u8, comptime vartime: bool) IdentityElementError!P384 {
std.debug.assert(vartime);
const e = slide(s);
var q = P384.identityElement;
var pos = e.len - 1;
while (true) : (pos -= 1) {
const slot = e[pos];
if (slot > 0) {
q = q.add(pc[@intCast(usize, slot)]);
} else if (slot < 0) {
q = q.sub(pc[@intCast(usize, -slot)]);
}
if (pos == 0) break;
q = q.dbl().dbl().dbl().dbl();
}
try q.rejectIdentity();
return q;
}
fn pcMul16(pc: *const [16]P384, s: [48]u8, comptime vartime: bool) IdentityElementError!P384 {
var q = P384.identityElement;
var pos: usize = 380;
while (true) : (pos -= 4) {
const slot = @truncate(u4, (s[pos >> 3] >> @truncate(u3, pos)));
if (vartime) {
if (slot != 0) {
q = q.add(pc[slot]);
}
} else {
q = q.add(pcSelect(16, pc, slot));
}
if (pos == 0) break;
q = q.dbl().dbl().dbl().dbl();
}
try q.rejectIdentity();
return q;
}
fn precompute(p: P384, comptime count: usize) [1 + count]P384 {
var pc: [1 + count]P384 = undefined;
pc[0] = P384.identityElement;
pc[1] = p;
var i: usize = 2;
while (i <= count) : (i += 1) {
pc[i] = if (i % 2 == 0) pc[i / 2].dbl() else pc[i - 1].add(p);
}
return pc;
}
const basePointPc = pc: {
@setEvalBranchQuota(50000);
break :pc precompute(P384.basePoint, 15);
};
/// Multiply an elliptic curve point by a scalar.
/// Return error.IdentityElement if the result is the identity element.
pub fn mul(p: P384, s_: [48]u8, endian: std.builtin.Endian) IdentityElementError!P384 {
const s = if (endian == .Little) s_ else Fe.orderSwap(s_);
if (p.is_base) {
return pcMul16(&basePointPc, s, false);
}
try p.rejectIdentity();
const pc = precompute(p, 15);
return pcMul16(&pc, s, false);
}
/// Multiply an elliptic curve point by a *PUBLIC* scalar *IN VARIABLE TIME*
/// This can be used for signature verification.
pub fn mulPublic(p: P384, s_: [48]u8, endian: std.builtin.Endian) IdentityElementError!P384 {
const s = if (endian == .Little) s_ else Fe.orderSwap(s_);
if (p.is_base) {
return pcMul16(&basePointPc, s, true);
}
try p.rejectIdentity();
const pc = precompute(p, 8);
return pcMul(&pc, s, true);
}
/// Double-base multiplication of public parameters - Compute (p1*s1)+(p2*s2) *IN VARIABLE TIME*
/// This can be used for signature verification.
pub fn mulDoubleBasePublic(p1: P384, s1_: [48]u8, p2: P384, s2_: [48]u8, endian: std.builtin.Endian) IdentityElementError!P384 {
const s1 = if (endian == .Little) s1_ else Fe.orderSwap(s1_);
const s2 = if (endian == .Little) s2_ else Fe.orderSwap(s2_);
try p1.rejectIdentity();
var pc1_array: [9]P384 = undefined;
const pc1 = if (p1.is_base) basePointPc[0..9] else pc: {
pc1_array = precompute(p1, 8);
break :pc &pc1_array;
};
try p2.rejectIdentity();
var pc2_array: [9]P384 = undefined;
const pc2 = if (p2.is_base) basePointPc[0..9] else pc: {
pc2_array = precompute(p2, 8);
break :pc &pc2_array;
};
const e1 = slide(s1);
const e2 = slide(s2);
var q = P384.identityElement;
var pos: usize = 2 * 48 - 1;
while (true) : (pos -= 1) {
const slot1 = e1[pos];
if (slot1 > 0) {
q = q.add(pc1[@intCast(usize, slot1)]);
} else if (slot1 < 0) {
q = q.sub(pc1[@intCast(usize, -slot1)]);
}
const slot2 = e2[pos];
if (slot2 > 0) {
q = q.add(pc2[@intCast(usize, slot2)]);
} else if (slot2 < 0) {
q = q.sub(pc2[@intCast(usize, -slot2)]);
}
if (pos == 0) break;
q = q.dbl().dbl().dbl().dbl();
}
try q.rejectIdentity();
return q;
}
};
/// A point in affine coordinates.
pub const AffineCoordinates = struct {
x: P384.Fe,
y: P384.Fe,
/// Identity element in affine coordinates.
pub const identityElement = AffineCoordinates{ .x = P384.identityElement.x, .y = P384.identityElement.y };
fn cMov(p: *AffineCoordinates, a: AffineCoordinates, c: u1) void {
p.x.cMov(a.x, c);
p.y.cMov(a.y, c);
}
};
test "p384" {
_ = @import("tests/p384.zig");
}

12
lib/std/crypto/pcurves/p384/field.zig Normal file
View File

@ -0,0 +1,12 @@
const std = @import("std");
const common = @import("../common.zig");
const Field = common.Field;
pub const Fe = Field(.{
.fiat = @import("p384_64.zig"),
.field_order = 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319,
.field_bits = 384,
.saturated_bits = 384,
.encoded_length = 48,
});

3578
lib/std/crypto/pcurves/p384/p384_64.zig Normal file
View File

File diff suppressed because it is too large Load Diff

3632
lib/std/crypto/pcurves/p384/p384_scalar_64.zig Normal file
View File

File diff suppressed because it is too large Load Diff

202
lib/std/crypto/pcurves/p384/scalar.zig Normal file
View File

@ -0,0 +1,202 @@
const std = @import("std");
const common = @import("../common.zig");
const crypto = std.crypto;
const debug = std.debug;
const math = std.math;
const mem = std.mem;
const Field = common.Field;
const NonCanonicalError = std.crypto.errors.NonCanonicalError;
const NotSquareError = std.crypto.errors.NotSquareError;
/// Number of bytes required to encode a scalar.
pub const encoded_length = 48;
/// A compressed scalar, in canonical form.
pub const CompressedScalar = [encoded_length]u8;
const Fe = Field(.{
.fiat = @import("p384_scalar_64.zig"),
.field_order = 39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643,
.field_bits = 384,
.saturated_bits = 384,
.encoded_length = encoded_length,
});
/// Reject a scalar whose encoding is not canonical.
pub fn rejectNonCanonical(s: CompressedScalar, endian: std.builtin.Endian) NonCanonicalError!void {
return Fe.rejectNonCanonical(s, endian);
}
/// Reduce a 64-bytes scalar to the field size.
pub fn reduce64(s: [64]u8, endian: std.builtin.Endian) CompressedScalar {
return ScalarDouble.fromBytes64(s, endian).toBytes(endian);
}
/// Return a*b (mod L)
pub fn mul(a: CompressedScalar, b: CompressedScalar, endian: std.builtin.Endian) NonCanonicalError!CompressedScalar {
return (try Scalar.fromBytes(a, endian)).mul(try Scalar.fromBytes(b, endian)).toBytes(endian);
}
/// Return a*b+c (mod L)
pub fn mulAdd(a: CompressedScalar, b: CompressedScalar, c: CompressedScalar, endian: std.builtin.Endian) NonCanonicalError!CompressedScalar {
return (try Scalar.fromBytes(a, endian)).mul(try Scalar.fromBytes(b, endian)).add(try Scalar.fromBytes(c, endian)).toBytes(endian);
}
/// Return a+b (mod L)
pub fn add(a: CompressedScalar, b: CompressedScalar, endian: std.builtin.Endian) NonCanonicalError!CompressedScalar {
return (try Scalar.fromBytes(a, endian)).add(try Scalar.fromBytes(b, endian)).toBytes(endian);
}
/// Return -s (mod L)
pub fn neg(s: CompressedScalar, endian: std.builtin.Endian) NonCanonicalError!CompressedScalar {
return (try Scalar.fromBytes(s, endian)).neg().toBytes(endian);
}
/// Return (a-b) (mod L)
pub fn sub(a: CompressedScalar, b: CompressedScalar, endian: std.builtin.Endian) NonCanonicalError!CompressedScalar {
return (try Scalar.fromBytes(a, endian)).sub(try Scalar.fromBytes(b.endian)).toBytes(endian);
}
/// Return a random scalar
pub fn random(endian: std.builtin.Endian) CompressedScalar {
return Scalar.random().toBytes(endian);
}
/// A scalar in unpacked representation.
pub const Scalar = struct {
fe: Fe,
/// Zero.
pub const zero = Scalar{ .fe = Fe.zero };
/// One.
pub const one = Scalar{ .fe = Fe.one };
/// Unpack a serialized representation of a scalar.
pub fn fromBytes(s: CompressedScalar, endian: std.builtin.Endian) NonCanonicalError!Scalar {
return Scalar{ .fe = try Fe.fromBytes(s, endian) };
}
/// Reduce a 512 bit input to the field size.
pub fn fromBytes64(s: [64]u8, endian: std.builtin.Endian) Scalar {
const t = ScalarDouble.fromBytes(512, s, endian);
return t.reduce(512);
}
/// Pack a scalar into bytes.
pub fn toBytes(n: Scalar, endian: std.builtin.Endian) CompressedScalar {
return n.fe.toBytes(endian);
}
/// Return true if the scalar is zero..
pub fn isZero(n: Scalar) bool {
return n.fe.isZero();
}
/// Return true if a and b are equivalent.
pub fn equivalent(a: Scalar, b: Scalar) bool {
return a.fe.equivalent(b.fe);
}
/// Compute x+y (mod L)
pub fn add(x: Scalar, y: Scalar) Scalar {
return Scalar{ .fe = x.fe.add(y.fe) };
}
/// Compute x-y (mod L)
pub fn sub(x: Scalar, y: Scalar) Scalar {
return Scalar{ .fe = x.fe.sub(y.fe) };
}
/// Compute 2n (mod L)
pub fn dbl(n: Scalar) Scalar {
return Scalar{ .fe = n.fe.dbl() };
}
/// Compute x*y (mod L)
pub fn mul(x: Scalar, y: Scalar) Scalar {
return Scalar{ .fe = x.fe.mul(y.fe) };
}
/// Compute x^2 (mod L)
pub fn sq(n: Scalar) Scalar {
return Scalar{ .fe = n.fe.sq() };
}
/// Compute x^n (mod L)
pub fn pow(a: Scalar, comptime T: type, comptime n: T) Scalar {
return Scalar{ .fe = a.fe.pow(n) };
}
/// Compute -x (mod L)
pub fn neg(n: Scalar) Scalar {
return Scalar{ .fe = n.fe.neg() };
}
/// Compute x^-1 (mod L)
pub fn invert(n: Scalar) Scalar {
return Scalar{ .fe = n.fe.invert() };
}
/// Return true if n is a quadratic residue mod L.
pub fn isSquare(n: Scalar) Scalar {
return n.fe.isSquare();
}
/// Return the square root of L, or NotSquare if there isn't any solutions.
pub fn sqrt(n: Scalar) NotSquareError!Scalar {
return Scalar{ .fe = try n.fe.sqrt() };
}
/// Return a random scalar < L.
pub fn random() Scalar {
var s: [64]u8 = undefined;
while (true) {
crypto.random.bytes(&s);
const n = Scalar.fromBytes64(s, .Little);
if (!n.isZero()) {
return n;
}
}
}
};
const ScalarDouble = struct {
x1: Fe,
x2: Fe,
fn fromBytes(comptime bits: usize, s_: [bits / 8]u8, endian: std.builtin.Endian) ScalarDouble {
debug.assert(bits > 0 and bits <= 512 and bits >= Fe.saturated_bits and bits <= Fe.saturated_bits * 2);
var s = s_;
if (endian == .Big) {
for (s_) |x, i| s[s.len - 1 - i] = x;
}
var t = ScalarDouble{ .x1 = undefined, .x2 = Fe.zero };
{
var b = [_]u8{0} ** encoded_length;
const len = math.min(s.len, 32);
mem.copy(u8, b[0..len], s[0..len]);
t.x1 = Fe.fromBytes(b, .Little) catch unreachable;
}
if (s_.len >= 32) {
var b = [_]u8{0} ** encoded_length;
const len = math.min(s.len - 32, 32);
mem.copy(u8, b[0..len], s[32..][0..len]);
t.x2 = Fe.fromBytes(b, .Little) catch unreachable;
}
return t;
}
fn reduce(expanded: ScalarDouble, comptime bits: usize) Scalar {
debug.assert(bits > 0 and bits <= Fe.saturated_bits * 3 and bits <= 512);
var fe = expanded.x1;
if (bits >= 256) {
const st1 = Fe.fromInt(1 << 256) catch unreachable;
fe = fe.add(expanded.x2.mul(st1));
}
return Scalar{ .fe = fe };
}
};

2
lib/std/crypto/pcurves/tests.zig → lib/std/crypto/pcurves/tests/p256.zig
View File

@ -2,7 +2,7 @@ const std = @import("std");
const fmt = std.fmt;
const testing = std.testing;
const P256 = @import("p256.zig").P256;
const P256 = @import("../p256.zig").P256;
test "p256 ECDH key exchange" {
const dha = P256.scalar.random(.Little);

136
lib/std/crypto/pcurves/tests/p384.zig Normal file
View File

@ -0,0 +1,136 @@
const std = @import("std");
const fmt = std.fmt;
const testing = std.testing;
const P384 = @import("../p384.zig").P384;
test "p384 ECDH key exchange" {
const dha = P384.scalar.random(.Little);
const dhb = P384.scalar.random(.Little);
const dhA = try P384.basePoint.mul(dha, .Little);
const dhB = try P384.basePoint.mul(dhb, .Little);
const shareda = try dhA.mul(dhb, .Little);
const sharedb = try dhB.mul(dha, .Little);
try testing.expect(shareda.equivalent(sharedb));
}
test "p384 point from affine coordinates" {
const xh = "aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7";
const yh = "3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f";
var xs: [48]u8 = undefined;
_ = try fmt.hexToBytes(&xs, xh);
var ys: [48]u8 = undefined;
_ = try fmt.hexToBytes(&ys, yh);
var p = try P384.fromSerializedAffineCoordinates(xs, ys, .Big);
try testing.expect(p.equivalent(P384.basePoint));
}
test "p384 test vectors" {
const expected = [_][]const u8{
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
"08D999057BA3D2D969260045C55B97F089025959A6F434D651D207D19FB96E9E4FE0E86EBE0E64F85B96A9C75295DF61",
"077A41D4606FFA1464793C7E5FDC7D98CB9D3910202DCD06BEA4F240D3566DA6B408BBAE5026580D02D7E5C70500C831",
"138251CD52AC9298C1C8AAD977321DEB97E709BD0B4CA0ACA55DC8AD51DCFC9D1589A1597E3A5120E1EFD631C63E1835",
"11DE24A2C251C777573CAC5EA025E467F208E51DBFF98FC54F6661CBE56583B037882F4A1CA297E60ABCDBC3836D84BC",
"627BE1ACD064D2B2226FE0D26F2D15D3C33EBCBB7F0F5DA51CBD41F26257383021317D7202FF30E50937F0854E35C5DF",
"283C1D7365CE4788F29F8EBF234EDFFEAD6FE997FBEA5FFA2D58CC9DFA7B1C508B05526F55B9EBB2040F05B48FB6D0E1",
"1692778EA596E0BE75114297A6FA383445BF227FBE58190A900C3C73256F11FB5A3258D6F403D5ECE6E9B269D822C87D",
"8F0A39A4049BCB3EF1BF29B8B025B78F2216F7291E6FD3BAC6CB1EE285FB6E21C388528BFEE2B9535C55E4461079118B",
"A669C5563BD67EEC678D29D6EF4FDE864F372D90B79B9E88931D5C29291238CCED8E85AB507BF91AA9CB2D13186658FB",
};
var p = P384.identityElement;
for (expected) |xh| {
const x = p.affineCoordinates().x;
p = p.add(P384.basePoint);
var xs: [48]u8 = undefined;
_ = try fmt.hexToBytes(&xs, xh);
try testing.expectEqualSlices(u8, &x.toBytes(.Big), &xs);
}
}
test "p384 test vectors - doubling" {
const expected = [_][]const u8{
"AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
"08D999057BA3D2D969260045C55B97F089025959A6F434D651D207D19FB96E9E4FE0E86EBE0E64F85B96A9C75295DF61",
"138251CD52AC9298C1C8AAD977321DEB97E709BD0B4CA0ACA55DC8AD51DCFC9D1589A1597E3A5120E1EFD631C63E1835",
"1692778EA596E0BE75114297A6FA383445BF227FBE58190A900C3C73256F11FB5A3258D6F403D5ECE6E9B269D822C87D",
};
var p = P384.basePoint;
for (expected) |xh| {
const x = p.affineCoordinates().x;
p = p.dbl();
var xs: [48]u8 = undefined;
_ = try fmt.hexToBytes(&xs, xh);
try testing.expectEqualSlices(u8, &x.toBytes(.Big), &xs);
}
}
test "p384 compressed sec1 encoding/decoding" {
const p = P384.random();
const s0 = p.toUncompressedSec1();
const s = p.toCompressedSec1();
try testing.expectEqualSlices(u8, s0[1..49], s[1..49]);
const q = try P384.fromSec1(&s);
try testing.expect(p.equivalent(q));
}
test "p384 uncompressed sec1 encoding/decoding" {
const p = P384.random();
const s = p.toUncompressedSec1();
const q = try P384.fromSec1(&s);
try testing.expect(p.equivalent(q));
}
test "p384 public key is the neutral element" {
const n = P384.scalar.Scalar.zero.toBytes(.Little);
const p = P384.random();
try testing.expectError(error.IdentityElement, p.mul(n, .Little));
}
test "p384 public key is the neutral element (public verification)" {
const n = P384.scalar.Scalar.zero.toBytes(.Little);
const p = P384.random();
try testing.expectError(error.IdentityElement, p.mulPublic(n, .Little));
}
test "p384 field element non-canonical encoding" {
const s = [_]u8{0xff} ** 48;
try testing.expectError(error.NonCanonical, P384.Fe.fromBytes(s, .Little));
}
test "p384 neutral element decoding" {
try testing.expectError(error.InvalidEncoding, P384.fromAffineCoordinates(.{ .x = P384.Fe.zero, .y = P384.Fe.zero }));
const p = try P384.fromAffineCoordinates(.{ .x = P384.Fe.zero, .y = P384.Fe.one });
try testing.expectError(error.IdentityElement, p.rejectIdentity());
}
test "p384 double base multiplication" {
const p1 = P384.basePoint;
const p2 = P384.basePoint.dbl();
const s1 = [_]u8{0x01} ** 48;
const s2 = [_]u8{0x02} ** 48;
const pr1 = try P384.mulDoubleBasePublic(p1, s1, p2, s2, .Little);
const pr2 = (try p1.mul(s1, .Little)).add(try p2.mul(s2, .Little));
try testing.expect(pr1.equivalent(pr2));
}
test "p384 scalar inverse" {
const expected = "a3cc705f33b5679a66e76ce66e68055c927c5dba531b2837b18fe86119511091b54d733f26b2e7a0f6fa2e7ea21ca806";
var out: [48]u8 = undefined;
_ = try std.fmt.hexToBytes(&out, expected);
const scalar = try P384.scalar.Scalar.fromBytes(.{
0x94, 0xa1, 0xbb, 0xb1, 0x4b, 0x90, 0x6a, 0x61, 0xa2, 0x80, 0xf2, 0x45, 0xf9, 0xe9, 0x3c, 0x7f,
0x3b, 0x4a, 0x62, 0x47, 0x82, 0x4f, 0x5d, 0x33, 0xb9, 0x67, 0x07, 0x87, 0x64, 0x2a, 0x68, 0xde,
0x38, 0x36, 0xe8, 0x0f, 0xa2, 0x84, 0x6b, 0x4e, 0xf3, 0x9a, 0x02, 0x31, 0x24, 0x41, 0x22, 0xca,
}, .Big);
const inverse = scalar.invert();
const inverse2 = inverse.invert();
try testing.expectEqualSlices(u8, &out, &inverse.toBytes(.Big));
try testing.expect(inverse2.equivalent(scalar));
const sq = scalar.sq();
const sqr = try sq.sqrt();
try testing.expect(sqr.equivalent(scalar));
}