mirror/zig
1
0
Fork 0
mirror of https://github.com/ziglang/zig.git synced 2026-02-14 05:20:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

std.crypto: add support for the NIST P-256 curve (#8627)

Browse Source 
Uses verified code generated by fiat-crypto for field arithmetic, and complete formulas to avoid side channels.

There's still plenty of room for optimizations, especially with a fixed base. But this gives us a framework to easily add other similar curves.
This commit is contained in:
Frank Denis 2021-05-01 08:14:32 +02:00 committed by GitHub
parent 557eb414ee
commit fe8781357a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 2770 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/std/crypto.zig
View File

@ -67,6 +67,7 @@ pub const dh = struct {
pub const ecc = struct {
pub const Curve25519 = @import("crypto/25519/curve25519.zig").Curve25519;
pub const Edwards25519 = @import("crypto/25519/edwards25519.zig").Edwards25519;
pub const P256 = @import("crypto/pcurves/p256.zig").P256;
pub const Ristretto255 = @import("crypto/25519/ristretto255.zig").Ristretto255;
};

412
lib/std/crypto/pcurves/p256.zig Normal file
View File

@ -0,0 +1,412 @@
// SPDX-License-Identifier: MIT
// Copyright (c) 2015-2021 Zig Contributors
// This file is part of [zig](https://ziglang.org/), which is MIT licensed.
// The MIT license requires this copyright notice to be included in all copies
// and substantial portions of the software.
const std = @import("std");
const builtin = std.builtin;
const crypto = std.crypto;
const mem = std.mem;
const meta = std.meta;
const EncodingError = crypto.errors.EncodingError;
const IdentityElementError = crypto.errors.IdentityElementError;
const NonCanonicalError = crypto.errors.NonCanonicalError;
const NotSquareError = crypto.errors.NotSquareError;
/// Group operations over P256.
pub const P256 = struct {
/// The underlying prime field.
pub const Fe = @import("p256/field.zig").Fe;
/// Field arithmetic mod the order of the main subgroup.
pub const scalar = @import("p256/scalar.zig");
x: Fe,
y: Fe,
z: Fe = Fe.one,
is_base: bool = false,
/// The P256 base point.
pub const basePoint = P256{
.x = try Fe.fromInt(48439561293906451759052585252797914202762949526041747995844080717082404635286),
.y = try Fe.fromInt(36134250956749795798585127919587881956611106672985015071877198253568414405109),
.z = Fe.one,
.is_base = true,
};
/// The P256 neutral element.
pub const identityElement = P256{ .x = Fe.zero, .y = Fe.one, .z = Fe.zero };
pub const B = try Fe.fromInt(41058363725152142129326129780047268409114441015993725554835256314039467401291);
/// Reject the neutral element.
pub fn rejectIdentity(p: P256) IdentityElementError!void {
if (p.x.isZero()) {
return error.IdentityElement;
}
}
/// Create a point from affine coordinates after checking that they match the curve equation.
pub fn fromAffineCoordinates(x: Fe, y: Fe) EncodingError!P256 {
const x3AxB = x.sq().mul(x).sub(x).sub(x).sub(x).add(B);
const yy = y.sq();
if (!x3AxB.equivalent(yy)) {
return error.InvalidEncoding;
}
const p: P256 = .{ .x = x, .y = y, .z = Fe.one };
return p;
}
/// Create a point from serialized affine coordinates.
pub fn fromSerializedAffineCoordinates(xs: [32]u8, ys: [32]u8, endian: builtin.Endian) (NonCanonicalError || EncodingError)!P256 {
const x = try Fe.fromBytes(xs, endian);
const y = try Fe.fromBytes(ys, endian);
return fromAffineCoordinates(x, y);
}
/// Recover the Y coordinate from the X coordinate.
pub fn recoverY(x: Fe, is_odd: bool) NotSquareError!Fe {
const x3AxB = x.sq().mul(x).sub(x).sub(x).sub(x).add(B);
var y = try x3AxB.sqrt();
const yn = y.neg();
y.cMov(yn, @boolToInt(is_odd) ^ @boolToInt(y.isOdd()));
return y;
}
/// Deserialize a SEC1-encoded point.
pub fn fromSec1(s: []const u8) (EncodingError || NotSquareError || NonCanonicalError)!P256 {
if (s.len < 1) return error.InvalidEncoding;
const encoding_type = s[0];
const encoded = s[1..];
switch (encoding_type) {
0 => {
if (encoded.len != 0) return error.InvalidEncoding;
return P256.identityElement;
},
2, 3 => {
if (encoded.len != 32) return error.InvalidEncoding;
const x = try Fe.fromBytes(encoded[0..32].*, .Big);
const y_is_odd = (encoding_type == 3);
const y = try recoverY(x, y_is_odd);
return P256{ .x = x, .y = y };
},
4 => {
if (encoded.len != 64) return error.InvalidEncoding;
const x = try Fe.fromBytes(encoded[0..32].*, .Big);
const y = try Fe.fromBytes(encoded[32..64].*, .Big);
return P256.fromAffineCoordinates(x, y);
},
else => return error.InvalidEncoding,
}
}
/// Serialize a point using the compressed SEC-1 format.
pub fn toCompressedSec1(p: P256) [33]u8 {
var out: [33]u8 = undefined;
const xy = p.affineCoordinates();
out[0] = if (xy.y.isOdd()) 3 else 2;
mem.copy(u8, out[1..], &xy.x.toBytes(.Big));
return out;
}
/// Serialize a point using the uncompressed SEC-1 format.
pub fn toUncompressedSec1(p: P256) [65]u8 {
var out: [65]u8 = undefined;
out[0] = 4;
const xy = p.affineCoordinates();
mem.copy(u8, out[1..33], &xy.x.toBytes(.Big));
mem.copy(u8, out[33..65], &xy.y.toBytes(.Big));
return out;
}
/// Return a random point.
pub fn random() P256 {
const n = scalar.random(.Little);
return basePoint.mul(n, .Little) catch unreachable;
}
/// Flip the sign of the X coordinate.
pub fn neg(p: P256) P256 {
return .{ .x = p.x, .y = p.y.neg(), .z = p.z };
}
/// Double a P256 point.
// Algorithm 6 from https://eprint.iacr.org/2015/1060.pdf
pub fn dbl(p: P256) P256 {
var t0 = p.x.sq();
var t1 = p.y.sq();
var t2 = p.z.sq();
var t3 = p.x.mul(p.y);
t3 = t3.dbl();
var Z3 = p.x.mul(p.z);
Z3 = Z3.add(Z3);
var Y3 = B.mul(t2);
Y3 = Y3.sub(Z3);
var X3 = Y3.dbl();
Y3 = X3.add(Y3);
X3 = t1.sub(Y3);
Y3 = t1.add(Y3);
Y3 = X3.mul(Y3);
X3 = X3.mul(t3);
t3 = t2.dbl();
t2 = t2.add(t3);
Z3 = B.mul(Z3);
Z3 = Z3.sub(t2);
Z3 = Z3.sub(t0);
t3 = Z3.dbl();
Z3 = Z3.add(t3);
t3 = t0.dbl();
t0 = t3.add(t0);
t0 = t0.sub(t2);
t0 = t0.mul(Z3);
Y3 = Y3.add(t0);
t0 = p.y.mul(p.z);
t0 = t0.dbl();
Z3 = t0.mul(Z3);
X3 = X3.sub(Z3);
Z3 = t0.mul(t1);
Z3 = Z3.dbl().dbl();
return .{
.x = X3,
.y = Y3,
.z = Z3,
};
}
/// Add P256 points, the second being specified using affine coordinates.
// Algorithm 5 from https://eprint.iacr.org/2015/1060.pdf
pub fn addMixed(p: P256, q: struct { x: Fe, y: Fe }) P256 {
var t0 = p.x.mul(q.x);
var t1 = p.y.mul(q.y);
var t3 = q.x.add(q.y);
var t4 = p.x.add(p.y);
t3 = t3.mul(t4);
t4 = t0.add(t1);
t3 = t3.sub(t4);
t4 = q.y.mul(p.z);
t4 = t4.add(p.y);
var Y3 = q.x.mul(p.z);
Y3 = Y3.add(p.x);
var Z3 = B.mul(p.z);
var X3 = Y3.sub(Z3);
Z3 = X3.dbl();
X3 = X3.add(Z3);
Z3 = t1.sub(X3);
X3 = t1.dbl();
Y3 = B.mul(Y3);
t1 = p.z.add(p.z);
var t2 = t1.add(p.z);
Y3 = Y3.sub(t2);
Y3 = Y3.sub(t0);
t1 = Y3.dbl();
Y3 = t1.add(Y3);
t1 = t0.dbl();
t0 = t1.add(t0);
t0 = t0.sub(t2);
t1 = t4.mul(Y3);
t2 = t0.mul(Y3);
Y3 = X3.mul(Z3);
Y3 = Y3.add(t2);
X3 = t3.mul(X3);
X3 = X3.sub(t1);
Z3 = t4.mul(Z3);
t1 = t3.mul(t0);
Z3 = Z3.add(t1);
return .{
.x = X3,
.y = Y3,
.z = Z3,
};
}
// Add P256 points.
// Algorithm 4 from https://eprint.iacr.org/2015/1060.pdf
pub fn add(p: P256, q: P256) P256 {
var t0 = p.x.mul(q.x);
var t1 = p.y.mul(q.y);
var t2 = p.z.mul(q.z);
var t3 = p.x.add(p.y);
var t4 = q.x.add(q.y);
t3 = t3.mul(t4);
t4 = t0.add(t1);
t3 = t3.sub(t4);
t4 = p.y.add(p.z);
var X3 = q.y.add(q.z);
t4 = t4.mul(X3);
X3 = t1.add(t2);
t4 = t4.sub(X3);
X3 = p.x.add(p.z);
var Y3 = q.x.add(q.z);
X3 = X3.mul(Y3);
Y3 = t0.add(t2);
Y3 = X3.sub(Y3);
var Z3 = B.mul(t2);
X3 = Y3.sub(Z3);
Z3 = X3.dbl();
X3 = X3.add(Z3);
Z3 = t1.sub(X3);
X3 = t1.add(X3);
Y3 = B.mul(Y3);
t1 = t2.dbl();
t2 = t1.add(t2);
Y3 = Y3.sub(t2);
Y3 = Y3.sub(t0);
t1 = Y3.dbl();
Y3 = t1.add(Y3);
t1 = t0.dbl();
t0 = t1.add(t0);
t0 = t0.sub(t2);
t1 = t4.mul(Y3);
t2 = t0.mul(Y3);
Y3 = X3.mul(Z3);
Y3 = Y3.add(t2);
X3 = t3.mul(X3);
X3 = X3.sub(t1);
Z3 = t4.mul(Z3);
t1 = t3.mul(t0);
Z3 = Z3.add(t1);
return .{
.x = X3,
.y = Y3,
.z = Z3,
};
}
// Subtract P256 points.
pub fn sub(p: P256, q: P256) P256 {
return p.add(q.neg());
}
/// Return affine coordinates.
pub fn affineCoordinates(p: P256) struct { x: Fe, y: Fe } {
const zinv = p.z.invert();
const ret = .{
.x = p.x.mul(zinv),
.y = p.y.mul(zinv),
};
return ret;
}
/// Return true if both coordinate sets represent the same point.
pub fn equivalent(a: P256, b: P256) bool {
if (a.sub(b).rejectIdentity()) {
return false;
} else |_| {
return true;
}
}
fn cMov(p: *P256, a: P256, c: u1) void {
p.x.cMov(a.x, c);
p.y.cMov(a.y, c);
p.z.cMov(a.z, c);
}
fn pcSelect(comptime n: usize, pc: [n]P256, b: u8) P256 {
var t = P256.identityElement;
comptime var i: u8 = 1;
inline while (i < pc.len) : (i += 1) {
t.cMov(pc[i], @truncate(u1, (@as(usize, b ^ i) -% 1) >> 8));
}
return t;
}
fn slide(s: [32]u8) [2 * 32 + 1]i8 {
var e: [2 * 32 + 1]i8 = undefined;
for (s) |x, i| {
e[i * 2 + 0] = @as(i8, @truncate(u4, x));
e[i * 2 + 1] = @as(i8, @truncate(u4, x >> 4));
}
// Now, e[0..63] is between 0 and 15, e[63] is between 0 and 7
var carry: i8 = 0;
for (e[0..64]) |*x| {
x.* += carry;
carry = (x.* + 8) >> 4;
x.* -= carry * 16;
std.debug.assert(x.* >= -8 and x.* <= 8);
}
e[64] = carry;
// Now, e[*] is between -8 and 8, including e[64]
std.debug.assert(carry >= -8 and carry <= 8);
return e;
}
fn pcMul(pc: [9]P256, s: [32]u8, comptime vartime: bool) IdentityElementError!P256 {
std.debug.assert(vartime);
const e = slide(s);
var q = P256.identityElement;
var pos = e.len - 1;
while (true) : (pos -= 1) {
const slot = e[pos];
if (slot > 0) {
q = q.add(pc[@intCast(usize, slot)]);
} else if (slot < 0) {
q = q.sub(pc[@intCast(usize, -slot)]);
}
if (pos == 0) break;
q = q.dbl().dbl().dbl().dbl();
}
try q.rejectIdentity();
return q;
}
fn pcMul16(pc: [16]P256, s: [32]u8, comptime vartime: bool) IdentityElementError!P256 {
var q = P256.identityElement;
var pos: usize = 252;
while (true) : (pos -= 4) {
const slot = @truncate(u4, (s[pos >> 3] >> @truncate(u3, pos)));
if (vartime) {
if (slot != 0) {
q = q.add(pc[slot]);
}
} else {
q = q.add(pcSelect(16, pc, slot));
}
if (pos == 0) break;
q = q.dbl().dbl().dbl().dbl();
}
try q.rejectIdentity();
return q;
}
fn precompute(p: P256, comptime count: usize) [1 + count]P256 {
var pc: [1 + count]P256 = undefined;
pc[0] = P256.identityElement;
pc[1] = p;
var i: usize = 2;
while (i <= count) : (i += 1) {
pc[i] = if (i % 2 == 0) pc[i / 2].dbl() else pc[i - 1].add(p);
}
return pc;
}
/// Multiply an elliptic curve point by a scalar.
/// Return error.IdentityElement if the result is the identity element.
pub fn mul(p: P256, s_: [32]u8, endian: builtin.Endian) IdentityElementError!P256 {
const s = if (endian == .Little) s_ else Fe.orderSwap(s_);
const pc = if (p.is_base) precompute(P256.basePoint, 15) else pc: {
try p.rejectIdentity();
const xpc = precompute(p, 15);
break :pc xpc;
};
return pcMul16(pc, s, false);
}
/// Multiply an elliptic curve point by a *PUBLIC* scalar *IN VARIABLE TIME*
/// This can be used for signature verification.
pub fn mulPublic(p: P256, s_: [32]u8, endian: builtin.Endian) IdentityElementError!P256 {
const s = if (endian == .Little) s_ else Fe.orderSwap(s_);
const pc = if (p.is_base) precompute(P256.basePoint, 8) else pc: {
try p.rejectIdentity();
const xpc = precompute(p, 8);
break :pc xpc;
};
return pcMul(pc, s, true);
}
};
test "p256" {
_ = @import("tests.zig");
}

261
lib/std/crypto/pcurves/p256/field.zig Normal file
View File

@ -0,0 +1,261 @@
// SPDX-License-Identifier: MIT
// Copyright (c) 2015-2021 Zig Contributors
// This file is part of [zig](https://ziglang.org/), which is MIT licensed.
// The MIT license requires this copyright notice to be included in all copies
// and substantial portions of the software.
const std = @import("std");
const builtin = std.builtin;
const crypto = std.crypto;
const debug = std.debug;
const mem = std.mem;
const meta = std.meta;
const fiat = @import("p256_64.zig");
const NonCanonicalError = crypto.errors.NonCanonicalError;
const NotSquareError = crypto.errors.NotSquareError;
const Limbs = fiat.Limbs;
/// A field element, internally stored in Montgomery domain.
pub const Fe = struct {
limbs: Limbs,
/// Field size.
pub const field_order = 115792089210356248762697446949407573530086143415290314195533631308867097853951;
/// Numer of bits that can be saturated without overflowing.
pub const saturated_bits = 255;
/// Zero.
pub const zero: Fe = Fe{ .limbs = mem.zeroes(Limbs) };
/// One.
pub const one = comptime one: {
var fe: Fe = undefined;
fiat.p256SetOne(&fe.limbs);
break :one fe;
};
/// Reject non-canonical encodings of an element.
pub fn rejectNonCanonical(s_: [32]u8, endian: builtin.Endian) NonCanonicalError!void {
var s = if (endian == .Little) s_ else orderSwap(s_);
const field_order_s = comptime fos: {
var fos: [32]u8 = undefined;
mem.writeIntLittle(u256, &fos, field_order);
break :fos fos;
};
if (crypto.utils.timingSafeCompare(u8, &s, &field_order_s, .Little) != .lt) {
return error.NonCanonical;
}
}
/// Swap the endianness of an encoded element.
pub fn orderSwap(s: [32]u8) [32]u8 {
var t = s;
for (s) |x, i| t[t.len - 1 - i] = x;
return t;
}
/// Unpack a field element.
pub fn fromBytes(s_: [32]u8, endian: builtin.Endian) NonCanonicalError!Fe {
var s = if (endian == .Little) s_ else orderSwap(s_);
try rejectNonCanonical(s, .Little);
var limbs_z: Limbs = undefined;
fiat.p256FromBytes(&limbs_z, s);
var limbs: Limbs = undefined;
fiat.p256ToMontgomery(&limbs, limbs_z);
return Fe{ .limbs = limbs };
}
/// Pack a field element.
pub fn toBytes(fe: Fe, endian: builtin.Endian) [32]u8 {
var limbs_z: Limbs = undefined;
fiat.p256FromMontgomery(&limbs_z, fe.limbs);
var s: [32]u8 = undefined;
fiat.p256ToBytes(&s, limbs_z);
return if (endian == .Little) s else orderSwap(s);
}
/// Create a field element from an integer.
pub fn fromInt(comptime x: u256) NonCanonicalError!Fe {
var s: [32]u8 = undefined;
mem.writeIntLittle(u256, &s, x);
return fromBytes(s, .Little);
}
/// Return the field element as an integer.
pub fn toInt(fe: Fe) u256 {
const s = fe.toBytes(.Little);
return mem.readIntLittle(u256, &s);
}
/// Return true if the field element is zero.
pub fn isZero(fe: Fe) bool {
var z: @TypeOf(fe.limbs[0]) = undefined;
fiat.p256Nonzero(&z, fe.limbs);
return z == 0;
}
/// Return true if both field elements are equivalent.
pub fn equivalent(a: Fe, b: Fe) bool {
return a.sub(b).isZero();
}
/// Return true if the element is odd.
pub fn isOdd(fe: Fe) bool {
const s = fe.toBytes(.Little);
return @truncate(u1, s[0]) != 0;
}
/// Conditonally replace a field element with `a` if `c` is positive.
pub fn cMov(fe: *Fe, a: Fe, c: u1) void {
fiat.p256Selectznz(&fe.limbs, c, fe.limbs, a.limbs);
}
/// Add field elements.
pub fn add(a: Fe, b: Fe) Fe {
var fe: Fe = undefined;
fiat.p256Add(&fe.limbs, a.limbs, b.limbs);
return fe;
}
/// Subtract field elements.
pub fn sub(a: Fe, b: Fe) Fe {
var fe: Fe = undefined;
fiat.p256Sub(&fe.limbs, a.limbs, b.limbs);
return fe;
}
/// Double a field element.
pub fn dbl(a: Fe) Fe {
var fe: Fe = undefined;
fiat.p256Add(&fe.limbs, a.limbs, a.limbs);
return fe;
}
/// Multiply field elements.
pub fn mul(a: Fe, b: Fe) Fe {
var fe: Fe = undefined;
fiat.p256Mul(&fe.limbs, a.limbs, b.limbs);
return fe;
}
/// Square a field element.
pub fn sq(a: Fe) Fe {
var fe: Fe = undefined;
fiat.p256Square(&fe.limbs, a.limbs);
return fe;
}
/// Square a field element n times.
fn sqn(a: Fe, comptime n: comptime_int) Fe {
var i: usize = 0;
var fe = a;
while (i < n) : (i += 1) {
fe = fe.sq();
}
return fe;
}
/// Compute a^n.
pub fn pow(a: Fe, comptime T: type, comptime n: T) Fe {
var fe = one;
var x: T = n;
var t = a;
while (true) {
if (@truncate(u1, x) != 0) fe = fe.mul(t);
x >>= 1;
if (x == 0) break;
t = t.sq();
}
return fe;
}
/// Negate a field element.
pub fn neg(a: Fe) Fe {
var fe: Fe = undefined;
fiat.p256Opp(&fe.limbs, a.limbs);
return fe;
}
/// Return the inverse of a field element, or 0 if a=0.
// Field inversion from https://eprint.iacr.org/2021/549.pdf
pub fn invert(a: Fe) Fe {
const len_prime = 256;
const iterations = (49 * len_prime + 57) / 17;
const Word = @TypeOf(a.limbs[0]);
const XLimbs = [a.limbs.len + 1]Word;
var d: Word = 1;
var f: XLimbs = undefined;
fiat.p256Msat(&f);
var g: XLimbs = undefined;
fiat.p256FromMontgomery(g[0..a.limbs.len], a.limbs);
g[g.len - 1] = 0;
var r: Limbs = undefined;
fiat.p256SetOne(&r);
var v = mem.zeroes(Limbs);
var precomp: Limbs = undefined;
fiat.p256DivstepPrecomp(&precomp);
var out1: Word = undefined;
var out2: XLimbs = undefined;
var out3: XLimbs = undefined;
var out4: Limbs = undefined;
var out5: Limbs = undefined;
var i: usize = 0;
while (i < iterations - iterations % 2) : (i += 2) {
fiat.p256Divstep(&out1, &out2, &out3, &out4, &out5, d, f, g, v, r);
fiat.p256Divstep(&d, &f, &g, &v, &r, out1, out2, out3, out4, out5);
}
if (iterations % 2 != 0) {
fiat.p256Divstep(&out1, &out2, &out3, &out4, &out5, d, f, g, v, r);
mem.copy(Word, &v, &out4);
mem.copy(Word, &f, &out2);
}
var v_opp: Limbs = undefined;
fiat.p256Opp(&v_opp, v);
fiat.p256Selectznz(&v, @truncate(u1, f[f.len - 1] >> (meta.bitCount(Word) - 1)), v, v_opp);
var fe: Fe = undefined;
fiat.p256Mul(&fe.limbs, v, precomp);
return fe;
}
/// Return true if the field element is a square.
pub fn isSquare(x2: Fe) bool {
const t110 = x2.mul(x2.sq()).sq();
const t111 = x2.mul(t110);
const t111111 = t111.mul(x2.mul(t110).sqn(3));
const x15 = t111111.sqn(6).mul(t111111).sqn(3).mul(t111);
const x16 = x15.sq().mul(x2);
const x53 = x16.sqn(16).mul(x16).sqn(15);
const x47 = x15.mul(x53);
const ls = x47.mul(((x53.sqn(17).mul(x2)).sqn(143).mul(x47)).sqn(47)).sq().mul(x2); // Legendre symbol, (p-1)/2
return ls.equivalent(Fe.one);
}
// x=x2^((field_order+1)/4) w/ field order=3 (mod 4).
fn uncheckedSqrt(x2: Fe) Fe {
comptime debug.assert(field_order % 4 == 3);
const t11 = x2.mul(x2.sq());
const t1111 = t11.mul(t11.sqn(2));
const t11111111 = t1111.mul(t1111.sqn(4));
const x16 = t11111111.sqn(8).mul(t11111111);
return x16.sqn(16).mul(x16).sqn(32).mul(x2).sqn(96).mul(x2).sqn(94);
}
/// Compute the square root of `x2`, returning `error.NotSquare` if `x2` was not a square.
pub fn sqrt(x2: Fe) NotSquareError!Fe {
const x = x2.uncheckedSqrt();
if (x.sq().equivalent(x2)) {
return x;
}
return error.NotSquare;
}
};

1774
lib/std/crypto/pcurves/p256/p256_64.zig Normal file
View File

File diff suppressed because it is too large Load Diff

219
lib/std/crypto/pcurves/p256/scalar.zig Normal file
View File

@ -0,0 +1,219 @@
// SPDX-License-Identifier: MIT
// Copyright (c) 2015-2021 Zig Contributors
// This file is part of [zig](https://ziglang.org/), which is MIT licensed.
// The MIT license requires this copyright notice to be included in all copies
// and substantial portions of the software.
const std = @import("std");
const builtin = std.builtin;
const crypto = std.crypto;
const debug = std.debug;
const math = std.math;
const mem = std.mem;
const Fe = @import("field.zig").Fe;
const NonCanonicalError = std.crypto.errors.NonCanonicalError;
const NotSquareError = std.crypto.errors.NotSquareError;
/// A compressed scalar, in canonical form.
pub const CompressedScalar = [32]u8;
/// Reject a scalar whose encoding is not canonical.
pub fn rejectNonCanonical(s: CompressedScalar) NonCanonicalError!void {
return Fe.rejectNonCanonical(s);
}
/// Reduce a 48-bytes scalar to the field size.
pub fn reduce48(s: [48]u8) CompressedScalar {
return Scalar.fromBytes48(s).toBytes();
}
/// Reduce a 64-bytes scalar to the field size.
pub fn reduce64(s: [64]u8) CompressedScalar {
return ScalarDouble.fromBytes64(s).toBytes();
}
/// Return a*b (mod L)
pub fn mul(a: CompressedScalar, b: CompressedScalar, endian: builtin.Endian) NonCanonicalError!CompressedScalar {
return (try Scalar.fromBytes(a, endian)).mul(try Scalar.fromBytes(b, endian)).toBytes(endian);
}
/// Return a*b+c (mod L)
pub fn mulAdd(a: CompressedScalar, b: CompressedScalar, c: CompressedScalar, endian: builtin.Endian) NonCanonicalError!CompressedScalar {
return (try Scalar.fromBytes(a, endian)).mul(try Scalar.fromBytes(b, endian)).add(try Scalar.fromBytes(c, endian)).toBytes(endian);
}
/// Return a+b (mod L)
pub fn add(a: CompressedScalar, b: CompressedScalar, endian: builtin.Endian) NonCanonicalError!CompressedScalar {
return (try Scalar.fromBytes(a, endian)).add(try Scalar.fromBytes(b, endian)).toBytes(endian);
}
/// Return -s (mod L)
pub fn neg(s: CompressedScalar, endian: builtin.Endian) NonCanonicalError!CompressedScalar {
return (try Scalar.fromBytes(a, endian)).neg().toBytes(endian);
}
/// Return (a-b) (mod L)
pub fn sub(a: CompressedScalar, b: CompressedScalar, endian: builtin.Endian) NonCanonicalError!CompressedScalar {
return (try Scalar.fromBytes(a, endian)).sub(try Scalar.fromBytes(b.endian)).toBytes(endian);
}
/// Return a random scalar
pub fn random(endian: builtin.Endian) CompressedScalar {
return Scalar.random().toBytes(endian);
}
/// A scalar in unpacked representation.
pub const Scalar = struct {
fe: Fe,
/// Zero.
pub const zero = Scalar{ .fe = Fe.zero };
/// One.
pub const one = Scalar{ .fe = Fe.one };
/// Unpack a serialized representation of a scalar.
pub fn fromBytes(s: CompressedScalar, endian: builtin.Endian) NonCanonicalError!Scalar {
return Scalar{ .fe = try Fe.fromBytes(s, endian) };
}
/// Reduce a 384 bit input to the field size.
pub fn fromBytes48(s: [48]u8, endian: builtin.Endian) Scalar {
const t = ScalarDouble.fromBytes(384, s, endian);
return t.reduce(384);
}
/// Reduce a 512 bit input to the field size.
pub fn fromBytes64(s: [64]u8, endian: builtin.Endian) Scalar {
const t = ScalarDouble.fromBytes(512, s, endian);
return t.reduce(512);
}
/// Pack a scalar into bytes.
pub fn toBytes(n: Scalar, endian: builtin.Endian) CompressedScalar {
return n.fe.toBytes(endian);
}
/// Return true if the scalar is zero..
pub fn isZero(n: Scalar) bool {
return n.fe.isZero();
}
/// Return true if a and b are equivalent.
pub fn equivalent(a: Scalar, b: Scalar) bool {
return a.fe.equivalent(b.fe);
}
/// Compute x+y (mod L)
pub fn add(x: Scalar, y: Scalar) Scalar {
return Scalar{ .fe = x.fe().add(y.fe) };
}
/// Compute x-y (mod L)
pub fn sub(x: Scalar, y: Scalar) Scalar {
return Scalar{ .fe = x.fe().sub(y.fe) };
}
/// Compute 2n (mod L)
pub fn dbl(n: Scalar) Scalar {
return Scalar{ .fe = n.fe.dbl() };
}
/// Compute x*y (mod L)
pub fn mul(x: Scalar, y: Scalar) Scalar {
return Scalar{ .fe = x.fe().mul(y.fe) };
}
/// Compute x^2 (mod L)
pub fn sq(n: Scalar) Scalar {
return Scalar{ .fe = n.fe.sq() };
}
/// Compute x^n (mod L)
pub fn pow(a: Scalar, comptime T: type, comptime n: T) Scalar {
return Scalar{ .fe = a.fe.pow(n) };
}
/// Compute -x (mod L)
pub fn neg(n: Scalar) Scalar {
return Scalar{ .fe = n.fe.neg() };
}
/// Compute x^-1 (mod L)
pub fn invert(n: Scalar) Scalar {
return Scalar{ .fe = n.fe.invert() };
}
/// Return true if n is a quadratic residue mod L.
pub fn isSquare(n: Scalar) Scalar {
return n.fe.isSquare();
}
/// Return the square root of L, or NotSquare if there isn't any solutions.
pub fn sqrt(n: Scalar) NotSquareError!Scalar {
return Scalar{ .fe = try n.fe.sqrt() };
}
/// Return a random scalar < L.
pub fn random() Scalar {
var s: [48]u8 = undefined;
while (true) {
crypto.random.bytes(&s);
const n = Scalar.fromBytes48(s, .Little);
if (!n.isZero()) {
return n;
}
}
}
};
const ScalarDouble = struct {
x1: Fe,
x2: Fe,
x3: Fe,
fn fromBytes(comptime bits: usize, s_: [bits / 8]u8, endian: builtin.Endian) ScalarDouble {
debug.assert(bits > 0 and bits <= 512 and bits >= Fe.saturated_bits and bits <= Fe.saturated_bits * 3);
var s = s_;
if (endian == .Big) {
for (s_) |x, i| s[s.len - 1 - i] = x;
}
var t = ScalarDouble{ .x1 = undefined, .x2 = Fe.zero, .x3 = Fe.zero };
{
var b = [_]u8{0} ** 32;
const len = math.min(s.len, 24);
mem.copy(u8, b[0..len], s[0..len]);
t.x1 = Fe.fromBytes(b, .Little) catch unreachable;
}
if (s_.len >= 24) {
var b = [_]u8{0} ** 32;
const len = math.min(s.len - 24, 24);
mem.copy(u8, b[0..len], s[24..][0..len]);
t.x2 = Fe.fromBytes(b, .Little) catch unreachable;
}
if (s_.len >= 48) {
var b = [_]u8{0} ** 32;
const len = s.len - 48;
mem.copy(u8, b[0..len], s[48..][0..len]);
t.x3 = Fe.fromBytes(b, .Little) catch unreachable;
}
return t;
}
fn reduce(expanded: ScalarDouble, comptime bits: usize) Scalar {
debug.assert(bits > 0 and bits <= Fe.saturated_bits * 3 and bits <= 512);
var fe = expanded.x1;
if (bits >= 192) {
const st1 = Fe.fromInt(1 << 192) catch unreachable;
fe = fe.add(expanded.x2.mul(st1));
if (bits >= 384) {
const st2 = st1.sq();
fe = fe.add(expanded.x3.mul(st2));
}
}
return Scalar{ .fe = fe };
}
};

103
lib/std/crypto/pcurves/tests.zig Normal file
View File

@ -0,0 +1,103 @@
// SPDX-License-Identifier: MIT
// Copyright (c) 2015-2021 Zig Contributors
// This file is part of [zig](https://ziglang.org/), which is MIT licensed.
// The MIT license requires this copyright notice to be included in all copies
// and substantial portions of the software.
const std = @import("std");
const fmt = std.fmt;
const testing = std.testing;
const P256 = @import("p256.zig").P256;
test "p256 ECDH key exchange" {
const dha = P256.scalar.random(.Little);
const dhb = P256.scalar.random(.Little);
const dhA = try P256.basePoint.mul(dha, .Little);
const dhB = try P256.basePoint.mul(dhb, .Little);
const shareda = try dhA.mul(dhb, .Little);
const sharedb = try dhB.mul(dha, .Little);
testing.expect(shareda.equivalent(sharedb));
}
test "p256 point from affine coordinates" {
const xh = "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296";
const yh = "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5";
var xs: [32]u8 = undefined;
_ = try fmt.hexToBytes(&xs, xh);
var ys: [32]u8 = undefined;
_ = try fmt.hexToBytes(&ys, yh);
var p = try P256.fromSerializedAffineCoordinates(xs, ys, .Big);
testing.expect(p.equivalent(P256.basePoint));
}
test "p256 test vectors" {
const expected = [_][]const u8{
"0000000000000000000000000000000000000000000000000000000000000000",
"6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
"7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978",
"5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c",
"e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852",
"51590b7a515140d2d784c85608668fdfef8c82fd1f5be52421554a0dc3d033ed",
"b01a172a76a4602c92d3242cb897dde3024c740debb215b4c6b0aae93c2291a9",
"8e533b6fa0bf7b4625bb30667c01fb607ef9f8b8a80fef5b300628703187b2a3",
"62d9779dbee9b0534042742d3ab54cadc1d238980fce97dbb4dd9dc1db6fb393",
"ea68d7b6fedf0b71878938d51d71f8729e0acb8c2c6df8b3d79e8a4b90949ee0",
};
var p = P256.identityElement;
for (expected) |xh| {
const x = p.affineCoordinates().x;
p = p.add(P256.basePoint);
var xs: [32]u8 = undefined;
_ = try fmt.hexToBytes(&xs, xh);
testing.expectEqualSlices(u8, &x.toBytes(.Big), &xs);
}
}
test "p256 test vectors - doubling" {
const expected = [_][]const u8{
"6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
"7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978",
"e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852",
"62d9779dbee9b0534042742d3ab54cadc1d238980fce97dbb4dd9dc1db6fb393",
};
var p = P256.basePoint;
for (expected) |xh| {
const x = p.affineCoordinates().x;
p = p.dbl();
var xs: [32]u8 = undefined;
_ = try fmt.hexToBytes(&xs, xh);
testing.expectEqualSlices(u8, &x.toBytes(.Big), &xs);
}
}
test "p256 compressed sec1 encoding/decoding" {
const p = P256.random();
const s = p.toCompressedSec1();
const q = try P256.fromSec1(&s);
testing.expect(p.equivalent(q));
}
test "p256 uncompressed sec1 encoding/decoding" {
const p = P256.random();
const s = p.toUncompressedSec1();
const q = try P256.fromSec1(&s);
testing.expect(p.equivalent(q));
}
test "p256 public key is the neutral element" {
const n = P256.scalar.Scalar.zero.toBytes(.Little);
const p = P256.random();
testing.expectError(error.IdentityElement, p.mul(n, .Little));
}
test "p256 public key is the neutral element (public verification)" {
const n = P256.scalar.Scalar.zero.toBytes(.Little);
const p = P256.random();
testing.expectError(error.IdentityElement, p.mulPublic(n, .Little));
}
test "p256 field element non-canonical encoding" {
const s = [_]u8{0xff} ** 32;
testing.expectError(error.NonCanonical, P256.Fe.fromBytes(s, .Little));
}