diff options
Diffstat (limited to 'lib/std')
| -rw-r--r-- | lib/std/crypto/25519/ed25519.zig | 578 | ||||
| -rw-r--r-- | lib/std/crypto/25519/x25519.zig | 8 | ||||
| -rw-r--r-- | lib/std/crypto/benchmark.zig | 22 |
3 files changed, 405 insertions, 203 deletions
diff --git a/lib/std/crypto/25519/ed25519.zig b/lib/std/crypto/25519/ed25519.zig index 7066b1a154..0a9db10d15 100644 --- a/lib/std/crypto/25519/ed25519.zig +++ b/lib/std/crypto/25519/ed25519.zig @@ -16,27 +16,227 @@ const WeakPublicKeyError = crypto.errors.WeakPublicKeyError; /// Ed25519 (EdDSA) signatures. pub const Ed25519 = struct { /// The underlying elliptic curve. - pub const Curve = @import("edwards25519.zig").Edwards25519; - /// Length (in bytes) of a seed required to create a key pair. - pub const seed_length = 32; - /// Length (in bytes) of a compressed secret key. - pub const secret_length = 64; - /// Length (in bytes) of a compressed public key. - pub const public_length = 32; - /// Length (in bytes) of a signature. - pub const signature_length = 64; + pub const Curve = std.crypto.ecc.Edwards25519; + /// Length (in bytes) of optional random bytes, for non-deterministic signatures. pub const noise_length = 32; const CompressedScalar = Curve.scalar.CompressedScalar; const Scalar = Curve.scalar.Scalar; + /// An Ed25519 secret key. + pub const SecretKey = struct { + /// Length (in bytes) of a raw secret key. + pub const encoded_length = 64; + + bytes: [encoded_length]u8, + + /// Return the seed used to generate this secret key. + pub fn seed(self: SecretKey) [KeyPair.seed_length]u8 { + return self.bytes[0..KeyPair.seed_length].*; + } + + /// Return the raw public key bytes corresponding to this secret key. + pub fn publicKeyBytes(self: SecretKey) [PublicKey.encoded_length]u8 { + return self.bytes[KeyPair.seed_length..].*; + } + + /// Create a secret key from raw bytes. + pub fn fromBytes(bytes: [encoded_length]u8) !SecretKey { + return SecretKey{ .bytes = bytes }; + } + + /// Return the secret key as raw bytes. + pub fn toBytes(sk: SecretKey) [encoded_length]u8 { + return sk.bytes; + } + + // Return the clamped secret scalar and prefix for this secret key + fn scalarAndPrefix(self: SecretKey) struct { scalar: CompressedScalar, prefix: [32]u8 } { + var az: [Sha512.digest_length]u8 = undefined; + var h = Sha512.init(.{}); + h.update(&self.seed()); + h.final(&az); + + var s = az[0..32].*; + Curve.scalar.clamp(&s); + + return .{ .scalar = s, .prefix = az[32..].* }; + } + }; + + /// A Signer is used to incrementally compute a signature. + /// It can be obtained from a `KeyPair`, using the `signer()` function. + pub const Signer = struct { + h: Sha512, + scalar: CompressedScalar, + nonce: CompressedScalar, + r_bytes: [Curve.encoded_length]u8, + + fn init(scalar: CompressedScalar, nonce: CompressedScalar, public_key: PublicKey) (IdentityElementError || KeyMismatchError || NonCanonicalError || WeakPublicKeyError)!Signer { + const r = try Curve.basePoint.mul(nonce); + const r_bytes = r.toBytes(); + + var t: [64]u8 = undefined; + mem.copy(u8, t[0..32], &r_bytes); + mem.copy(u8, t[32..], &public_key.bytes); + var h = Sha512.init(.{}); + h.update(&t); + + return Signer{ .h = h, .scalar = scalar, .nonce = nonce, .r_bytes = r_bytes }; + } + + /// Add new data to the message being signed. + pub fn update(self: *Signer, data: []const u8) void { + self.h.update(data); + } + + /// Compute a signature over the entire message. + pub fn finalize(self: *Signer) Signature { + var hram64: [Sha512.digest_length]u8 = undefined; + self.h.final(&hram64); + const hram = Curve.scalar.reduce64(hram64); + + const s = Curve.scalar.mulAdd(hram, self.scalar, self.nonce); + + return Signature{ .r = self.r_bytes, .s = s }; + } + }; + + /// An Ed25519 public key. + pub const PublicKey = struct { + /// Length (in bytes) of a raw public key. + pub const encoded_length = 32; + + bytes: [encoded_length]u8, + + /// Create a public key from raw bytes. + pub fn fromBytes(bytes: [encoded_length]u8) NonCanonicalError!PublicKey { + try Curve.rejectNonCanonical(bytes); + return PublicKey{ .bytes = bytes }; + } + + /// Convert a public key to raw bytes. + pub fn toBytes(pk: PublicKey) [encoded_length]u8 { + return pk.bytes; + } + + fn signWithNonce(public_key: PublicKey, msg: []const u8, scalar: CompressedScalar, nonce: CompressedScalar) (IdentityElementError || NonCanonicalError || KeyMismatchError || WeakPublicKeyError)!Signature { + var st = try Signer.init(scalar, nonce, public_key); + st.update(msg); + return st.finalize(); + } + + fn computeNonceAndSign(public_key: PublicKey, msg: []const u8, noise: ?[noise_length]u8, scalar: CompressedScalar, prefix: []const u8) (IdentityElementError || NonCanonicalError || KeyMismatchError || WeakPublicKeyError)!Signature { + var h = Sha512.init(.{}); + if (noise) |*z| { + h.update(z); + } + h.update(prefix); + h.update(msg); + var nonce64: [64]u8 = undefined; + h.final(&nonce64); + + const nonce = Curve.scalar.reduce64(nonce64); + + return public_key.signWithNonce(msg, scalar, nonce); + } + }; + + /// A Verifier is used to incrementally verify a signature. + /// It can be obtained from a `Signature`, using the `verifier()` function. + pub const Verifier = struct { + h: Sha512, + s: CompressedScalar, + a: Curve, + expected_r: Curve, + + fn init(sig: Signature, public_key: PublicKey) (NonCanonicalError || EncodingError || IdentityElementError)!Verifier { + const r = sig.r; + const s = sig.s; + try Curve.scalar.rejectNonCanonical(s); + const a = try Curve.fromBytes(public_key.bytes); + try a.rejectIdentity(); + try Curve.rejectNonCanonical(r); + const expected_r = try Curve.fromBytes(r); + try expected_r.rejectIdentity(); + + var h = Sha512.init(.{}); + h.update(&r); + h.update(&public_key.bytes); + + return Verifier{ .h = h, .s = s, .a = a, .expected_r = expected_r }; + } + + /// Add new content to the message to be verified. + pub fn update(self: *Verifier, msg: []const u8) void { + self.h.update(msg); + } + + /// Verify that the signature is valid for the entire message. + pub fn verify(self: *Verifier) (SignatureVerificationError || WeakPublicKeyError || IdentityElementError)!void { + var hram64: [Sha512.digest_length]u8 = undefined; + self.h.final(&hram64); + const hram = Curve.scalar.reduce64(hram64); + + const sb_ah = try Curve.basePoint.mulDoubleBasePublic(self.s, self.a.neg(), hram); + if (self.expected_r.sub(sb_ah).clearCofactor().rejectIdentity()) |_| { + return error.SignatureVerificationFailed; + } else |_| {} + } + }; + + /// An Ed25519 signature. + pub const Signature = struct { + /// Length (in bytes) of a raw signature. + pub const encoded_length = Curve.encoded_length + @sizeOf(CompressedScalar); + + /// The R component of an EdDSA signature. + r: [Curve.encoded_length]u8, + /// The S component of an EdDSA signature. + s: CompressedScalar, + + /// Return the raw signature (r, s) in little-endian format. + pub fn toBytes(self: Signature) [encoded_length]u8 { + var bytes: [encoded_length]u8 = undefined; + mem.copy(u8, bytes[0 .. encoded_length / 2], &self.r); + mem.copy(u8, bytes[encoded_length / 2 ..], &self.s); + return bytes; + } + + /// Create a signature from a raw encoding of (r, s). + /// EdDSA always assumes little-endian. + pub fn fromBytes(bytes: [encoded_length]u8) Signature { + return Signature{ + .r = bytes[0 .. encoded_length / 2].*, + .s = bytes[encoded_length / 2 ..].*, + }; + } + + /// Create a Verifier for incremental verification of a signature. + pub fn verifier(self: Signature, public_key: PublicKey) (NonCanonicalError || EncodingError || IdentityElementError)!Verifier { + return Verifier.init(self, public_key); + } + + /// Verify the signature against a message and public key. + /// Return IdentityElement or NonCanonical if the public key or signature are not in the expected range, + /// or SignatureVerificationError if the signature is invalid for the given message and key. + pub fn verify(self: Signature, msg: []const u8, public_key: PublicKey) (IdentityElementError || NonCanonicalError || SignatureVerificationError || EncodingError || WeakPublicKeyError)!void { + var st = try Verifier.init(self, public_key); + st.update(msg); + return st.verify(); + } + }; + /// An Ed25519 key pair. pub const KeyPair = struct { + /// Length (in bytes) of a seed required to create a key pair. + pub const seed_length = noise_length; + /// Public part. - public_key: [public_length]u8, - /// Secret part. What we expose as a secret key is, under the hood, the concatenation of the seed and the public key. - secret_key: [secret_length]u8, + public_key: PublicKey, + /// Secret scalar. + secret_key: SecretKey, /// Derive a key pair from an optional secret seed. /// @@ -56,120 +256,101 @@ pub const Ed25519 = struct { var h = Sha512.init(.{}); h.update(&ss); h.final(&az); - const p = Curve.basePoint.clampedMul(az[0..32].*) catch return error.IdentityElement; - var sk: [secret_length]u8 = undefined; - mem.copy(u8, &sk, &ss); - const pk = p.toBytes(); - mem.copy(u8, sk[seed_length..], &pk); - - return KeyPair{ .public_key = pk, .secret_key = sk }; + const pk_p = Curve.basePoint.clampedMul(az[0..32].*) catch return error.IdentityElement; + const pk_bytes = pk_p.toBytes(); + var sk_bytes: [SecretKey.encoded_length]u8 = undefined; + mem.copy(u8, &sk_bytes, &ss); + mem.copy(u8, sk_bytes[seed_length..], &pk_bytes); + return KeyPair{ + .public_key = PublicKey.fromBytes(pk_bytes) catch unreachable, + .secret_key = try SecretKey.fromBytes(sk_bytes), + }; } /// Create a KeyPair from a secret key. - pub fn fromSecretKey(secret_key: [secret_length]u8) KeyPair { + pub fn fromSecretKey(secret_key: SecretKey) IdentityElementError!KeyPair { + const pk_p = try Curve.fromBytes(secret_key.publicKeyBytes()); + + // It is critical for EdDSA to use the correct public key. + // In order to enforce this, a SecretKey implicitly includes a copy of the public key. + // In Debug mode, we can still afford checking that the public key is correct for extra safety. + if (std.builtin.mode == .Debug) { + const recomputed_kp = try create(secret_key[0..seed_length].*); + debug.assert(recomputed_kp.public_key.p.toBytes() == pk_p.toBytes()); + } return KeyPair{ + .public_key = PublicKey{ .p = pk_p }, .secret_key = secret_key, - .public_key = secret_key[seed_length..].*, }; } - }; - /// Sign a message using a key pair, and optional random noise. - /// Having noise creates non-standard, non-deterministic signatures, - /// but has been proven to increase resilience against fault attacks. - pub fn sign(msg: []const u8, key_pair: KeyPair, noise: ?[noise_length]u8) (IdentityElementError || WeakPublicKeyError || KeyMismatchError)![signature_length]u8 { - const seed = key_pair.secret_key[0..seed_length]; - const public_key = key_pair.secret_key[seed_length..]; - if (!mem.eql(u8, public_key, &key_pair.public_key)) { - return error.KeyMismatch; - } - var az: [Sha512.digest_length]u8 = undefined; - var h = Sha512.init(.{}); - h.update(seed); - h.final(&az); - - h = Sha512.init(.{}); - if (noise) |*z| { - h.update(z); + /// Sign a message using the key pair. + /// The noise can be null in order to create deterministic signatures. + /// If deterministic signatures are not required, the noise should be randomly generated instead. + /// This helps defend against fault attacks. + pub fn sign(key_pair: KeyPair, msg: []const u8, noise: ?[noise_length]u8) (IdentityElementError || NonCanonicalError || KeyMismatchError || WeakPublicKeyError)!Signature { + if (!mem.eql(u8, &key_pair.secret_key.publicKeyBytes(), &key_pair.public_key.toBytes())) { + return error.KeyMismatch; + } + const scalar_and_prefix = key_pair.secret_key.scalarAndPrefix(); + return key_pair.public_key.computeNonceAndSign( + msg, + noise, + scalar_and_prefix.scalar, + &scalar_and_prefix.prefix, + ); } - h.update(az[32..]); - h.update(msg); - var nonce64: [64]u8 = undefined; - h.final(&nonce64); - const nonce = Curve.scalar.reduce64(nonce64); - const r = try Curve.basePoint.mul(nonce); - - var sig: [signature_length]u8 = undefined; - mem.copy(u8, sig[0..32], &r.toBytes()); - mem.copy(u8, sig[32..], public_key); - h = Sha512.init(.{}); - h.update(&sig); - h.update(msg); - var hram64: [Sha512.digest_length]u8 = undefined; - h.final(&hram64); - const hram = Curve.scalar.reduce64(hram64); - - var x = az[0..32]; - Curve.scalar.clamp(x); - const s = Curve.scalar.mulAdd(hram, x.*, nonce); - mem.copy(u8, sig[32..], s[0..]); - return sig; - } - /// Verify an Ed25519 signature given a message and a public key. - /// Returns error.SignatureVerificationFailed is the signature verification failed. - pub fn verify(sig: [signature_length]u8, msg: []const u8, public_key: [public_length]u8) (SignatureVerificationError || WeakPublicKeyError || EncodingError || NonCanonicalError || IdentityElementError)!void { - const r = sig[0..32]; - const s = sig[32..64]; - try Curve.scalar.rejectNonCanonical(s.*); - try Curve.rejectNonCanonical(public_key); - const a = try Curve.fromBytes(public_key); - try a.rejectIdentity(); - try Curve.rejectNonCanonical(r.*); - const expected_r = try Curve.fromBytes(r.*); - try expected_r.rejectIdentity(); - - var h = Sha512.init(.{}); - h.update(r); - h.update(&public_key); - h.update(msg); - var hram64: [Sha512.digest_length]u8 = undefined; - h.final(&hram64); - const hram = Curve.scalar.reduce64(hram64); - - const sb_ah = try Curve.basePoint.mulDoubleBasePublic(s.*, a.neg(), hram); - if (expected_r.sub(sb_ah).clearCofactor().rejectIdentity()) |_| { - return error.SignatureVerificationFailed; - } else |_| {} - } + /// Create a Signer, that can be used for incremental signing. + /// Note that the signature is not deterministic. + /// The noise parameter, if set, should be something unique for each message, + /// such as a random nonce, or a counter. + pub fn signer(key_pair: KeyPair, noise: ?[noise_length]u8) (IdentityElementError || KeyMismatchError || NonCanonicalError || WeakPublicKeyError)!Signer { + if (!mem.eql(u8, &key_pair.secret_key.publicKeyBytes(), &key_pair.public_key.toBytes())) { + return error.KeyMismatch; + } + const scalar_and_prefix = key_pair.secret_key.scalarAndPrefix(); + var h = Sha512.init(.{}); + h.update(&scalar_and_prefix.prefix); + var noise2: [noise_length]u8 = undefined; + crypto.random.bytes(&noise2); + if (noise) |*z| { + h.update(z); + } + var nonce64: [64]u8 = undefined; + h.final(&nonce64); + const nonce = Curve.scalar.reduce64(nonce64); + + return Signer.init(scalar_and_prefix.scalar, nonce, key_pair.public_key); + } + }; /// A (signature, message, public_key) tuple for batch verification pub const BatchElement = struct { - sig: [signature_length]u8, + sig: Signature, msg: []const u8, - public_key: [public_length]u8, + public_key: PublicKey, }; /// Verify several signatures in a single operation, much faster than verifying signatures one-by-one pub fn verifyBatch(comptime count: usize, signature_batch: [count]BatchElement) (SignatureVerificationError || IdentityElementError || WeakPublicKeyError || EncodingError || NonCanonicalError)!void { - var r_batch: [count][32]u8 = undefined; - var s_batch: [count][32]u8 = undefined; + var r_batch: [count]CompressedScalar = undefined; + var s_batch: [count]CompressedScalar = undefined; var a_batch: [count]Curve = undefined; var expected_r_batch: [count]Curve = undefined; for (signature_batch) |signature, i| { - const r = signature.sig[0..32]; - const s = signature.sig[32..64]; - try Curve.scalar.rejectNonCanonical(s.*); - try Curve.rejectNonCanonical(signature.public_key); - const a = try Curve.fromBytes(signature.public_key); + const r = signature.sig.r; + const s = signature.sig.s; + try Curve.scalar.rejectNonCanonical(s); + const a = try Curve.fromBytes(signature.public_key.bytes); try a.rejectIdentity(); - try Curve.rejectNonCanonical(r.*); - const expected_r = try Curve.fromBytes(r.*); + try Curve.rejectNonCanonical(r); + const expected_r = try Curve.fromBytes(r); try expected_r.rejectIdentity(); expected_r_batch[i] = expected_r; - r_batch[i] = r.*; - s_batch[i] = s.*; + r_batch[i] = r; + s_batch[i] = s; a_batch[i] = a; } @@ -177,7 +358,7 @@ pub const Ed25519 = struct { for (signature_batch) |signature, i| { var h = Sha512.init(.{}); h.update(&r_batch[i]); - h.update(&signature.public_key); + h.update(&signature.public_key.bytes); h.update(signature.msg); var hram64: [Sha512.digest_length]u8 = undefined; h.final(&hram64); @@ -212,7 +393,7 @@ pub const Ed25519 = struct { } /// Ed25519 signatures with key blinding. - pub const BlindKeySignatures = struct { + pub const key_blinding = struct { /// Length (in bytes) of a blinding seed. pub const blind_seed_length = 32; @@ -220,81 +401,69 @@ pub const Ed25519 = struct { pub const BlindSecretKey = struct { prefix: [64]u8, blind_scalar: CompressedScalar, - blind_public_key: CompressedScalar, + blind_public_key: BlindPublicKey, + }; + + /// A blind public key. + pub const BlindPublicKey = struct { + /// Public key equivalent, that can used for signature verification. + key: PublicKey, + + /// Recover a public key from a blind version of it. + pub fn unblind(blind_public_key: BlindPublicKey, blind_seed: [blind_seed_length]u8, ctx: []const u8) (IdentityElementError || NonCanonicalError || EncodingError || WeakPublicKeyError)!PublicKey { + const blind_h = blindCtx(blind_seed, ctx); + const inv_blind_factor = Scalar.fromBytes(blind_h[0..32].*).invert().toBytes(); + const pk_p = try (try Curve.fromBytes(blind_public_key.key.bytes)).mul(inv_blind_factor); + return PublicKey.fromBytes(pk_p.toBytes()); + } }; /// A blind key pair. pub const BlindKeyPair = struct { - blind_public_key: [public_length]u8, + blind_public_key: BlindPublicKey, blind_secret_key: BlindSecretKey, - }; - /// Blind an existing key pair with a blinding seed and a context. - pub fn blind(key_pair: Ed25519.KeyPair, blind_seed: [blind_seed_length]u8, ctx: []const u8) !BlindKeyPair { - var h: [Sha512.digest_length]u8 = undefined; - Sha512.hash(key_pair.secret_key[0..32], &h, .{}); - Curve.scalar.clamp(h[0..32]); - const scalar = Curve.scalar.reduce(h[0..32].*); - - const blind_h = blindCtx(blind_seed, ctx); - const blind_factor = Curve.scalar.reduce(blind_h[0..32].*); - - const blind_scalar = Curve.scalar.mul(scalar, blind_factor); - const blind_public_key = (Curve.basePoint.mul(blind_scalar) catch return error.IdentityElement).toBytes(); - - var prefix: [64]u8 = undefined; - mem.copy(u8, prefix[0..32], h[32..64]); - mem.copy(u8, prefix[32..64], blind_h[32..64]); - - const blind_secret_key = .{ - .prefix = prefix, - .blind_scalar = blind_scalar, - .blind_public_key = blind_public_key, - }; - return BlindKeyPair{ - .blind_public_key = blind_public_key, - .blind_secret_key = blind_secret_key, - }; - } - - /// Recover a public key from a blind version of it. - pub fn unblindPublicKey(blind_public_key: [public_length]u8, blind_seed: [blind_seed_length]u8, ctx: []const u8) ![public_length]u8 { - const blind_h = blindCtx(blind_seed, ctx); - const inv_blind_factor = Scalar.fromBytes(blind_h[0..32].*).invert().toBytes(); - const public_key = try (try Curve.fromBytes(blind_public_key)).mul(inv_blind_factor); - return public_key.toBytes(); - } - - /// Sign a message using a blind key pair, and optional random noise. - /// Having noise creates non-standard, non-deterministic signatures, - /// but has been proven to increase resilience against fault attacks. - pub fn sign(msg: []const u8, key_pair: BlindKeyPair, noise: ?[noise_length]u8) ![signature_length]u8 { - var h = Sha512.init(.{}); - if (noise) |*z| { - h.update(z); + /// Create an blind key pair from an existing key pair, a blinding seed and a context. + pub fn init(key_pair: Ed25519.KeyPair, blind_seed: [blind_seed_length]u8, ctx: []const u8) (NonCanonicalError || IdentityElementError)!BlindKeyPair { + var h: [Sha512.digest_length]u8 = undefined; + Sha512.hash(&key_pair.secret_key.seed(), &h, .{}); + Curve.scalar.clamp(h[0..32]); + const scalar = Curve.scalar.reduce(h[0..32].*); + + const blind_h = blindCtx(blind_seed, ctx); + const blind_factor = Curve.scalar.reduce(blind_h[0..32].*); + + const blind_scalar = Curve.scalar.mul(scalar, blind_factor); + const blind_public_key = BlindPublicKey{ + .key = try PublicKey.fromBytes((Curve.basePoint.mul(blind_scalar) catch return error.IdentityElement).toBytes()), + }; + + var prefix: [64]u8 = undefined; + mem.copy(u8, prefix[0..32], h[32..64]); + mem.copy(u8, prefix[32..64], blind_h[32..64]); + + const blind_secret_key = BlindSecretKey{ + .prefix = prefix, + .blind_scalar = blind_scalar, + .blind_public_key = blind_public_key, + }; + return BlindKeyPair{ + .blind_public_key = blind_public_key, + .blind_secret_key = blind_secret_key, + }; } - h.update(&key_pair.blind_secret_key.prefix); - h.update(msg); - var nonce64: [64]u8 = undefined; - h.final(&nonce64); - const nonce = Curve.scalar.reduce64(nonce64); - const r = try Curve.basePoint.mul(nonce); + /// Sign a message using a blind key pair, and optional random noise. + /// Having noise creates non-standard, non-deterministic signatures, + /// but has been proven to increase resilience against fault attacks. + pub fn sign(key_pair: BlindKeyPair, msg: []const u8, noise: ?[noise_length]u8) (IdentityElementError || KeyMismatchError || NonCanonicalError || WeakPublicKeyError)!Signature { + const scalar = key_pair.blind_secret_key.blind_scalar; + const prefix = key_pair.blind_secret_key.prefix; - var sig: [signature_length]u8 = undefined; - mem.copy(u8, sig[0..32], &r.toBytes()); - mem.copy(u8, sig[32..], &key_pair.blind_public_key); - h = Sha512.init(.{}); - h.update(&sig); - h.update(msg); - var hram64: [Sha512.digest_length]u8 = undefined; - h.final(&hram64); - const hram = Curve.scalar.reduce64(hram64); - - const s = Curve.scalar.mulAdd(hram, key_pair.blind_secret_key.blind_scalar, nonce); - mem.copy(u8, sig[32..], s[0..]); - return sig; - } + return (try PublicKey.fromBytes(key_pair.blind_public_key.key.bytes)) + .computeNonceAndSign(msg, noise, scalar, &prefix); + } + }; /// Compute a blind context from a blinding seed and a context. fn blindCtx(blind_seed: [blind_seed_length]u8, ctx: []const u8) [Sha512.digest_length]u8 { @@ -306,7 +475,13 @@ pub const Ed25519 = struct { hx.final(&blind_h); return blind_h; } + + pub const sign = @compileError("deprecated; use BlindKeyPair.sign instead"); + pub const unblindPublicKey = @compileError("deprecated; use BlindPublicKey.unblind instead"); }; + + pub const sign = @compileError("deprecated; use KeyPair.sign instead"); + pub const verify = @compileError("deprecated; use PublicKey.verify instead"); }; test "ed25519 key pair creation" { @@ -314,8 +489,8 @@ test "ed25519 key pair creation" { _ = try fmt.hexToBytes(seed[0..], "8052030376d47112be7f73ed7a019293dd12ad910b654455798b4667d73de166"); const key_pair = try Ed25519.KeyPair.create(seed); var buf: [256]u8 = undefined; - try std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{s}", .{std.fmt.fmtSliceHexUpper(&key_pair.secret_key)}), "8052030376D47112BE7F73ED7A019293DD12AD910B654455798B4667D73DE1662D6F7455D97B4A3A10D7293909D1A4F2058CB9A370E43FA8154BB280DB839083"); - try std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{s}", .{std.fmt.fmtSliceHexUpper(&key_pair.public_key)}), "2D6F7455D97B4A3A10D7293909D1A4F2058CB9A370E43FA8154BB280DB839083"); + try std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{s}", .{std.fmt.fmtSliceHexUpper(&key_pair.secret_key.toBytes())}), "8052030376D47112BE7F73ED7A019293DD12AD910B654455798B4667D73DE1662D6F7455D97B4A3A10D7293909D1A4F2058CB9A370E43FA8154BB280DB839083"); + try std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{s}", .{std.fmt.fmtSliceHexUpper(&key_pair.public_key.toBytes())}), "2D6F7455D97B4A3A10D7293909D1A4F2058CB9A370E43FA8154BB280DB839083"); } test "ed25519 signature" { @@ -323,11 +498,11 @@ test "ed25519 signature" { _ = try fmt.hexToBytes(seed[0..], "8052030376d47112be7f73ed7a019293dd12ad910b654455798b4667d73de166"); const key_pair = try Ed25519.KeyPair.create(seed); - const sig = try Ed25519.sign("test", key_pair, null); + const sig = try key_pair.sign("test", null); var buf: [128]u8 = undefined; - try std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{s}", .{std.fmt.fmtSliceHexUpper(&sig)}), "10A442B4A80CC4225B154F43BEF28D2472CA80221951262EB8E0DF9091575E2687CC486E77263C3418C757522D54F84B0359236ABBBD4ACD20DC297FDCA66808"); - try Ed25519.verify(sig, "test", key_pair.public_key); - try std.testing.expectError(error.SignatureVerificationFailed, Ed25519.verify(sig, "TEST", key_pair.public_key)); + try std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{s}", .{std.fmt.fmtSliceHexUpper(&sig.toBytes())}), "10A442B4A80CC4225B154F43BEF28D2472CA80221951262EB8E0DF9091575E2687CC486E77263C3418C757522D54F84B0359236ABBBD4ACD20DC297FDCA66808"); + try sig.verify("test", key_pair.public_key); + try std.testing.expectError(error.SignatureVerificationFailed, sig.verify("TEST", key_pair.public_key)); } test "ed25519 batch verification" { @@ -338,8 +513,8 @@ test "ed25519 batch verification" { var msg2: [32]u8 = undefined; crypto.random.bytes(&msg1); crypto.random.bytes(&msg2); - const sig1 = try Ed25519.sign(&msg1, key_pair, null); - const sig2 = try Ed25519.sign(&msg2, key_pair, null); + const sig1 = try key_pair.sign(&msg1, null); + const sig2 = try key_pair.sign(&msg2, null); var signature_batch = [_]Ed25519.BatchElement{ Ed25519.BatchElement{ .sig = sig1, @@ -355,9 +530,7 @@ test "ed25519 batch verification" { try Ed25519.verifyBatch(2, signature_batch); signature_batch[1].sig = sig1; - // TODO https://github.com/ziglang/zig/issues/12240 - const sig_len = signature_batch.len; - try std.testing.expectError(error.SignatureVerificationFailed, Ed25519.verifyBatch(sig_len, signature_batch)); + try std.testing.expectError(error.SignatureVerificationFailed, Ed25519.verifyBatch(signature_batch.len, signature_batch)); } } @@ -446,20 +619,25 @@ test "ed25519 test vectors" { for (entries) |entry| { var msg: [entry.msg_hex.len / 2]u8 = undefined; _ = try fmt.hexToBytes(&msg, entry.msg_hex); - var public_key: [32]u8 = undefined; - _ = try fmt.hexToBytes(&public_key, entry.public_key_hex); - var sig: [64]u8 = undefined; - _ = try fmt.hexToBytes(&sig, entry.sig_hex); + var public_key_bytes: [32]u8 = undefined; + _ = try fmt.hexToBytes(&public_key_bytes, entry.public_key_hex); + const public_key = Ed25519.PublicKey.fromBytes(public_key_bytes) catch |err| { + try std.testing.expectEqual(entry.expected.?, err); + continue; + }; + var sig_bytes: [64]u8 = undefined; + _ = try fmt.hexToBytes(&sig_bytes, entry.sig_hex); + const sig = Ed25519.Signature.fromBytes(sig_bytes); if (entry.expected) |error_type| { - try std.testing.expectError(error_type, Ed25519.verify(sig, &msg, public_key)); + try std.testing.expectError(error_type, sig.verify(&msg, public_key)); } else { - try Ed25519.verify(sig, &msg, public_key); + try sig.verify(&msg, public_key); } } } test "ed25519 with blind keys" { - const BlindKeySignatures = Ed25519.BlindKeySignatures; + const BlindKeyPair = Ed25519.key_blinding.BlindKeyPair; // Create a standard Ed25519 key pair const kp = try Ed25519.KeyPair.create(null); @@ -469,14 +647,30 @@ test "ed25519 with blind keys" { crypto.random.bytes(&blind); // Blind the key pair - const blind_kp = try BlindKeySignatures.blind(kp, blind, "ctx"); + const blind_kp = try BlindKeyPair.init(kp, blind, "ctx"); // Sign a message and check that it can be verified with the blind public key const msg = "test"; - const sig = try BlindKeySignatures.sign(msg, blind_kp, null); - try Ed25519.verify(sig, msg, blind_kp.blind_public_key); + const sig = try blind_kp.sign(msg, null); + try sig.verify(msg, blind_kp.blind_public_key.key); // Unblind the public key - const pk = try BlindKeySignatures.unblindPublicKey(blind_kp.blind_public_key, blind, "ctx"); - try std.testing.expectEqualSlices(u8, &pk, &kp.public_key); + const pk = try blind_kp.blind_public_key.unblind(blind, "ctx"); + try std.testing.expectEqualSlices(u8, &pk.toBytes(), &kp.public_key.toBytes()); +} + +test "ed25519 signatures with streaming" { + const kp = try Ed25519.KeyPair.create(null); + + var signer = try kp.signer(null); + signer.update("mes"); + signer.update("sage"); + const sig = signer.finalize(); + + try sig.verify("message", kp.public_key); + + var verifier = try sig.verifier(kp.public_key); + verifier.update("mess"); + verifier.update("age"); + try verifier.verify(); } diff --git a/lib/std/crypto/25519/x25519.zig b/lib/std/crypto/25519/x25519.zig index d935513ab6..22bcf00136 100644 --- a/lib/std/crypto/25519/x25519.zig +++ b/lib/std/crypto/25519/x25519.zig @@ -44,9 +44,9 @@ pub const X25519 = struct { /// Create a key pair from an Ed25519 key pair pub fn fromEd25519(ed25519_key_pair: crypto.sign.Ed25519.KeyPair) (IdentityElementError || EncodingError)!KeyPair { - const seed = ed25519_key_pair.secret_key[0..32]; + const seed = ed25519_key_pair.secret_key.seed(); var az: [Sha512.digest_length]u8 = undefined; - Sha512.hash(seed, &az, .{}); + Sha512.hash(&seed, &az, .{}); var sk = az[0..32].*; Curve.scalar.clamp(&sk); const pk = try publicKeyFromEd25519(ed25519_key_pair.public_key); @@ -64,8 +64,8 @@ pub const X25519 = struct { } /// Compute the X25519 equivalent to an Ed25519 public eky. - pub fn publicKeyFromEd25519(ed25519_public_key: [crypto.sign.Ed25519.public_length]u8) (IdentityElementError || EncodingError)![public_length]u8 { - const pk_ed = try crypto.ecc.Edwards25519.fromBytes(ed25519_public_key); + pub fn publicKeyFromEd25519(ed25519_public_key: crypto.sign.Ed25519.PublicKey) (IdentityElementError || EncodingError)![public_length]u8 { + const pk_ed = try crypto.ecc.Edwards25519.fromBytes(ed25519_public_key.bytes); const pk = try Curve.fromEdwards25519(pk_ed); return pk.toBytes(); } diff --git a/lib/std/crypto/benchmark.zig b/lib/std/crypto/benchmark.zig index 28d283048a..d4bf3d2633 100644 --- a/lib/std/crypto/benchmark.zig +++ b/lib/std/crypto/benchmark.zig @@ -130,7 +130,7 @@ pub fn benchmarkSignature(comptime Signature: anytype, comptime signatures_count { var i: usize = 0; while (i < signatures_count) : (i += 1) { - const sig = try Signature.sign(&msg, key_pair, null); + const sig = try key_pair.sign(&msg, null); mem.doNotOptimizeAway(&sig); } } @@ -147,14 +147,14 @@ const signature_verifications = [_]Crypto{Crypto{ .ty = crypto.sign.Ed25519, .na pub fn benchmarkSignatureVerification(comptime Signature: anytype, comptime signatures_count: comptime_int) !u64 { const msg = [_]u8{0} ** 64; const key_pair = try Signature.KeyPair.create(null); - const sig = try Signature.sign(&msg, key_pair, null); + const sig = try key_pair.sign(&msg, null); var timer = try Timer.start(); const start = timer.lap(); { var i: usize = 0; while (i < signatures_count) : (i += 1) { - try Signature.verify(sig, &msg, key_pair.public_key); + try sig.verify(&msg, key_pair.public_key); mem.doNotOptimizeAway(&sig); } } @@ -171,7 +171,7 @@ const batch_signature_verifications = [_]Crypto{Crypto{ .ty = crypto.sign.Ed2551 pub fn benchmarkBatchSignatureVerification(comptime Signature: anytype, comptime signatures_count: comptime_int) !u64 { const msg = [_]u8{0} ** 64; const key_pair = try Signature.KeyPair.create(null); - const sig = try Signature.sign(&msg, key_pair, null); + const sig = try key_pair.sign(&msg, null); var batch: [64]Signature.BatchElement = undefined; for (batch) |*element| { @@ -301,9 +301,13 @@ const CryptoPwhash = struct { params: *const anyopaque, name: []const u8, }; -const bcrypt_params = crypto.pwhash.bcrypt.Params{ .rounds_log = 12 }; +const bcrypt_params = crypto.pwhash.bcrypt.Params{ .rounds_log = 8 }; const pwhashes = [_]CryptoPwhash{ - .{ .ty = crypto.pwhash.bcrypt, .params = &bcrypt_params, .name = "bcrypt" }, + .{ + .ty = crypto.pwhash.bcrypt, + .params = &bcrypt_params, + .name = "bcrypt", + }, .{ .ty = crypto.pwhash.scrypt, .params = &crypto.pwhash.scrypt.Params.interactive, @@ -323,7 +327,11 @@ fn benchmarkPwhash( comptime count: comptime_int, ) !f64 { const password = "testpass" ** 2; - const opts = .{ .allocator = allocator, .params = @ptrCast(*const ty.Params, params).*, .encoding = .phc }; + const opts = .{ + .allocator = allocator, + .params = @ptrCast(*const ty.Params, @alignCast(std.meta.alignment(ty.Params), params)).*, + .encoding = .phc, + }; var buf: [256]u8 = undefined; var timer = try Timer.start(); |