From ab004d8022b10128a47ce8c0091eeb1d419e567e Mon Sep 17 00:00:00 2001 From: Christophe Diederichs <45171645+chm-diederichs@users.noreply.github.com> Date: Tue, 22 Sep 2020 14:46:45 +0200 Subject: [PATCH] Add ed25519 conversion operations (#46) * add ed25519 methods and constants --- crypto_sign.js | 189 +++++++++++++++++++++++++++++++++++++++++++++---- package.json | 2 +- 2 files changed, 178 insertions(+), 13 deletions(-) diff --git a/crypto_sign.js b/crypto_sign.js index fa60c33..97f73ba 100644 --- a/crypto_sign.js +++ b/crypto_sign.js @@ -8,11 +8,19 @@ const { inv25519, unpack25519 } = require('./internal/ed25519') const { randombytes } = require('./randombytes') +const { crypto_scalarmult_BYTES } = require('./crypto_scalarmult.js') +const { crypto_hash_sha512_BYTES } = require('./crypto_hash.js') +const assert = require('nanoassert') -const crypto_sign_BYTES = 64 -const crypto_sign_PUBLICKEYBYTES = 32 -const crypto_sign_SECRETKEYBYTES = 64 -const crypto_sign_SEEDBYTES = 32 +const crypto_sign_ed25519_PUBLICKEYBYTES = 32 +const crypto_sign_ed25519_SECRETKEYBYTES = 64 +const crypto_sign_ed25519_SEEDBYTES = 32 +const crypto_sign_ed25519_BYTES = 64 + +const crypto_sign_BYTES = crypto_sign_ed25519_BYTES +const crypto_sign_PUBLICKEYBYTES = crypto_sign_ed25519_PUBLICKEYBYTES +const crypto_sign_SECRETKEYBYTES = crypto_sign_ed25519_SECRETKEYBYTES +const crypto_sign_SEEDBYTES = crypto_sign_ed25519_SEEDBYTES module.exports = { crypto_sign_keypair, @@ -24,7 +32,15 @@ module.exports = { crypto_sign_BYTES, crypto_sign_PUBLICKEYBYTES, crypto_sign_SECRETKEYBYTES, - crypto_sign_SEEDBYTES + crypto_sign_SEEDBYTES, + crypto_sign_ed25519_PUBLICKEYBYTES, + crypto_sign_ed25519_SECRETKEYBYTES, + crypto_sign_ed25519_SEEDBYTES, + crypto_sign_ed25519_BYTES, + crypto_sign_ed25519_pk_to_curve25519, + crypto_sign_ed25519_sk_to_curve25519, + unpackneg, + pack } function set25519 (r, a) { @@ -85,6 +101,8 @@ function pack (r, p) { } function scalarmult (p, q, s) { + // don't mutate q + var h = [gf(q[0]), gf(q[1]), gf(q[2]), gf(q[3])] var b, i set25519(p[0], gf0) set25519(p[1], gf1) @@ -92,10 +110,10 @@ function scalarmult (p, q, s) { set25519(p[3], gf0) for (i = 255; i >= 0; --i) { b = (s[(i / 8) | 0] >> (i & 7)) & 1 - cswap(p, q, b) - add(q, p) + cswap(p, h, b) + add(h, p) add(p, p) - cswap(p, q, b) + cswap(p, h, b) } } @@ -126,7 +144,6 @@ function crypto_sign_keypair (pk, sk, seeded) { pack(pk, p) for (i = 0; i < 32; i++) sk[i + 32] = pk[i] - return 0 } function crypto_sign_seed_keypair (pk, sk, seed) { @@ -216,6 +233,24 @@ function crypto_sign_detached (sig, m, sk) { for (let i = 0; i < crypto_sign_BYTES; i++) sig[i] = sm[i] } +function is_zero25519 (f) { + var s = new Uint8Array(32) + pack25519(s, f) + + return sodium_is_zero(s, 32) + + function sodium_is_zero (n) { + let i + let d = 0 + + for (let i = 0; i < n.length; i++) { + d |= n[i] + } + + return 1 & ((d - 1) >> 8) + } +} + function unpackneg (r, p) { var t = gf(), chk = gf(), num = gf(), den = gf(), den2 = gf(), den4 = gf(), @@ -248,7 +283,9 @@ function unpackneg (r, p) { M(chk, chk, den) if (!neq25519(chk, num)) return false - if (par25519(r[0]) === (p[31] >> 7)) Z(r[0], gf0, r[0]) + if (par25519(r[0]) === (p[31] >> 7)) { + Z(r[0], gf(), r[0]) + } M(r[3], r[0], r[1]) return true @@ -317,6 +354,134 @@ function neq25519 (a, b) { return crypto_verify_32(c, 0, d, 0) } -function check (buf, len) { - if (!buf || (len && buf.length < len)) throw new Error('Argument must be a buffer' + (len ? ' of length ' + len : '')) +function ed25519_mul_l (p, q) { + scalarmult(p, q, L) +} + +function ed25519_is_on_main_subgroup (p) { + var pl = [gf(), gf(), gf(), gf()] + + ed25519_mul_l(pl, p) + + var zero = 0 + for (let i = 0; i < 16; i++) { + zero |= (pl[0][i] & 0xffff) + } + + return zero === 0 +} + +function crypto_sign_ed25519_pk_to_curve25519 (x25519_pk, ed25519_pk) { + check(x25519_pk, crypto_sign_PUBLICKEYBYTES) + check(ed25519_pk, crypto_sign_ed25519_PUBLICKEYBYTES) + + var a = [gf(), gf(), gf(), gf()] + var x = gf([1]) + var one_minus_y = gf([1]) + + assert( + isSmallOrder(ed25519_pk) && + unpackneg(a, ed25519_pk) && + ed25519_is_on_main_subgroup(a), 'Cannot convert key: bad point') + + for (let i = 0; i < a.length; i++) { + pack25519(x25519_pk, a[i]); + } + + Z(one_minus_y, one_minus_y, a[1]) + A(x, x, a[1]) + inv25519(one_minus_y, one_minus_y) + M(x, x, one_minus_y) + pack25519(x25519_pk, x) + + return 0 +} + +function isSmallOrder (s) { + Uint8Array.from([]) + + var bad_points = [ + // 0 (order 4) + Uint8Array.from([0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]), + + // 1 (order 1) + Uint8Array.from([0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]), + + // 2707385501144840649318225287225658788936804267575313519463743609750303402022(order 8) + Uint8Array.from([0x26, 0xe8, 0x95, 0x8f, 0xc2, 0xb2, 0x27, 0xb0, 0x45, 0xc3, + 0xf4, 0x89, 0xf2, 0xef, 0x98, 0xf0, 0xd5, 0xdf, 0xac, 0x05, 0xd3, + 0xc6, 0x33, 0x39, 0xb1, 0x38, 0x02, 0x88, 0x6d, 0x53, 0xfc, 0x05]), + + // 55188659117513257062467267217118295137698188065244968500265048394206261417927 (order 8) + Uint8Array.from([0xc7, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, + 0x0b, 0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c, + 0x39, 0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0x7a]), + + // p-1 (order 2) + Uint8Array.from([0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f]), + + // p (=0 order 4) + Uint8Array.from([0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f]), + + // p + 1 (=1 order 1) + Uint8Array.from([0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f]) + ] + + var c = new Uint8Array(7) + var j + + check (bad_points, 7) + for (let i = 0; i < bad_points.length; i++) { + for (j = 0; j < 31; j++) { + c[i] |= s[j] ^ bad_points[i][j] + } + } + + for (let i = 0; i < bad_points.length; i++) { + c[i] |= (s[j] & 0x7f) ^ bad_points[i][j] + } + + var k = 0 + for (let i = 0; i < bad_points.length; i++) { + k |= (c[i] - 1) + } + + return ((k >> 8) & 1) === 0 +} + +function crypto_sign_ed25519_sk_to_pk (pk, sk) { + check(pk, crypto_sign_ed25519_PUBLICKEYBYTES) + pk.set(sk.subarray(crypto_sign_ed25519_SEEDBYTES)) + return pk +} + +function crypto_sign_ed25519_sk_to_curve25519 (curveSk, edSk) { + assert(curveSk && curveSk.byteLength === crypto_scalarmult_BYTES, "curveSk must be 'crypto_sign_SECRETKEYBYTES' long") + assert(edSk && edSk.byteLength === crypto_sign_ed25519_SECRETKEYBYTES, "edSk must be 'crypto_sign_ed25519_SECRETKEYBYTES' long") + + var h = Buffer.alloc(crypto_hash_sha512_BYTES); + crypto_hash(h, edSk, 32) + + h[0] &= 248; + h[31] &= 127; + h[31] |= 64; + + curveSk.set(h.subarray(0, crypto_scalarmult_BYTES)) + h.fill(0) + return curveSk +} + + +function check (buf, len, arg = 'Argument') { + if (!buf || (len && buf.length < len)) throw new Error(arg + ' must be a buffer' + (len ? ' of length ' + len : '')) } diff --git a/package.json b/package.json index 5bb7e67..766c98a 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,7 @@ }, "devDependencies": { "browserify": "^16.5.1", - "sodium-test": "^0.9.0", + "sodium-test": "^0.10.0", "standard": "^14.3.4", "tape-run": "^7.0.0" },