Commit e59dd7eecf
Changed files (6)
lib
lib/std/crypto/25519/curve25519.zig
@@ -100,6 +100,14 @@ pub const Curve25519 = struct {
_ = ladder(p, cofactor, 4) catch |_| return error.WeakPublicKey;
return try ladder(p, s, 256);
}
+
+ /// Compute the Curve25519 equivalent to an Edwards25519 point.
+ pub fn fromEdwards25519(p: std.crypto.ecc.Edwards25519) !Curve25519 {
+ try p.clearCofactor().rejectIdentity();
+ const one = std.crypto.ecc.Edwards25519.Fe.one;
+ const x = one.add(p.y).mul(one.sub(p.y).invert()); // xMont=(1+yEd)/(1-yEd)
+ return Curve25519{ .x = x };
+ }
};
test "curve25519" {
lib/std/crypto/25519/edwards25519.zig
@@ -12,6 +12,8 @@ pub const Edwards25519 = struct {
pub const Fe = @import("field.zig").Fe;
/// Field arithmetic mod the order of the main subgroup.
pub const scalar = @import("scalar.zig");
+ /// Length in bytes of a compressed representation of a point.
+ pub const encoded_length: usize = 32;
x: Fe,
y: Fe,
@@ -21,7 +23,7 @@ pub const Edwards25519 = struct {
is_base: bool = false,
/// Decode an Edwards25519 point from its compressed (Y+sign) coordinates.
- pub fn fromBytes(s: [32]u8) !Edwards25519 {
+ pub fn fromBytes(s: [encoded_length]u8) !Edwards25519 {
const z = Fe.one;
const y = Fe.fromBytes(s);
var u = y.sq();
@@ -43,7 +45,7 @@ pub const Edwards25519 = struct {
}
/// Encode an Edwards25519 point.
- pub fn toBytes(p: Edwards25519) [32]u8 {
+ pub fn toBytes(p: Edwards25519) [encoded_length]u8 {
const zi = p.z.invert();
var s = p.y.mul(zi).toBytes();
s[31] ^= @as(u8, @boolToInt(p.x.mul(zi).isNegative())) << 7;
lib/std/crypto/25519/ristretto255.zig
@@ -14,6 +14,8 @@ pub const Ristretto255 = struct {
pub const Fe = Curve.Fe;
/// Field arithmetic mod the order of the main subgroup.
pub const scalar = Curve.scalar;
+ /// Length in byte of an encoded element.
+ pub const encoded_length: usize = 32;
p: Curve,
@@ -32,7 +34,7 @@ pub const Ristretto255 = struct {
return .{ .ratio_is_square = @boolToInt(has_m_root) | @boolToInt(has_p_root), .root = x.abs() };
}
- fn rejectNonCanonical(s: [32]u8) !void {
+ fn rejectNonCanonical(s: [encoded_length]u8) !void {
if ((s[0] & 1) != 0) {
return error.NonCanonical;
}
@@ -48,7 +50,7 @@ pub const Ristretto255 = struct {
pub const basePoint = Ristretto255{ .p = Curve.basePoint };
/// Decode a Ristretto255 representative.
- pub fn fromBytes(s: [32]u8) !Ristretto255 {
+ pub fn fromBytes(s: [encoded_length]u8) !Ristretto255 {
try rejectNonCanonical(s);
const s_ = Fe.fromBytes(s);
const ss = s_.sq(); // s^2
@@ -78,7 +80,7 @@ pub const Ristretto255 = struct {
}
/// Encode to a Ristretto255 representative.
- pub fn toBytes(e: Ristretto255) [32]u8 {
+ pub fn toBytes(e: Ristretto255) [encoded_length]u8 {
const p = &e.p;
var u1_ = p.z.add(p.y); // Z+Y
const zmy = p.z.sub(p.y); // Z-Y
@@ -151,7 +153,7 @@ pub const Ristretto255 = struct {
/// Multiply a Ristretto255 element with a scalar.
/// Return error.WeakPublicKey if the resulting element is
/// the identity element.
- pub inline fn mul(p: Ristretto255, s: [32]u8) !Ristretto255 {
+ pub inline fn mul(p: Ristretto255, s: [encoded_length]u8) !Ristretto255 {
return Ristretto255{ .p = try p.p.mul(s) };
}
@@ -170,7 +172,7 @@ test "ristretto255" {
var buf: [256]u8 = undefined;
std.testing.expectEqualStrings(try std.fmt.bufPrint(&buf, "{X}", .{p.toBytes()}), "E2F2AE0A6ABC4E71A884A961C500515F58E30B6AA582DD8DB6A65945E08D2D76");
- var r: [32]u8 = undefined;
+ var r: [Ristretto255.encoded_length]u8 = undefined;
try fmt.hexToBytes(r[0..], "6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919");
var q = try Ristretto255.fromBytes(r);
q = q.dbl().add(p);
lib/std/crypto/25519/x25519.zig
@@ -8,6 +8,8 @@ const crypto = std.crypto;
const mem = std.mem;
const fmt = std.fmt;
+const Sha512 = crypto.hash.sha2.Sha512;
+
/// X25519 DH function.
pub const X25519 = struct {
/// The underlying elliptic curve.
@@ -37,33 +39,55 @@ pub const X25519 = struct {
};
var kp: KeyPair = undefined;
mem.copy(u8, &kp.secret_key, sk[0..]);
- try X25519.recoverPublicKey(&kp.public_key, sk);
+ kp.public_key = try X25519.recoverPublicKey(sk);
return kp;
}
+
+ /// Create a key pair from an Ed25519 key pair
+ pub fn fromEd25519(ed25519_key_pair: crypto.sign.Ed25519.KeyPair) !KeyPair {
+ const seed = ed25519_key_pair.secret_key[0..32];
+ var az: [Sha512.digest_length]u8 = undefined;
+ Sha512.hash(seed, &az, .{});
+ var sk = az[0..32].*;
+ Curve.scalar.clamp(&sk);
+ const pk = try publicKeyFromEd25519(ed25519_key_pair.public_key);
+ return KeyPair{
+ .public_key = pk,
+ .secret_key = sk,
+ };
+ }
};
/// Compute the public key for a given private key.
- pub fn recoverPublicKey(public_key: *[public_length]u8, secret_key: [secret_length]u8) !void {
+ pub fn recoverPublicKey(secret_key: [secret_length]u8) ![public_length]u8 {
const q = try Curve.basePoint.clampedMul(secret_key);
- mem.copy(u8, public_key, q.toBytes()[0..]);
+ return q.toBytes();
+ }
+
+ /// Compute the X25519 equivalent to an Ed25519 public eky.
+ pub fn publicKeyFromEd25519(ed25519_public_key: [crypto.sign.Ed25519.public_length]u8) ![public_length]u8 {
+ const pk_ed = try crypto.ecc.Edwards25519.fromBytes(ed25519_public_key);
+ const pk = try Curve.fromEdwards25519(pk_ed);
+ return pk.toBytes();
}
/// Compute the scalar product of a public key and a secret scalar.
/// Note that the output should not be used as a shared secret without
/// hashing it first.
- pub fn scalarmult(out: *[shared_length]u8, secret_key: [secret_length]u8, public_key: [public_length]u8) !void {
+ pub fn scalarmult(secret_key: [secret_length]u8, public_key: [public_length]u8) ![shared_length]u8 {
const q = try Curve.fromBytes(public_key).clampedMul(secret_key);
- mem.copy(u8, out, q.toBytes()[0..]);
+ return q.toBytes();
}
};
+const htest = @import("../test.zig");
+
test "x25519 public key calculation from secret key" {
var sk: [32]u8 = undefined;
var pk_expected: [32]u8 = undefined;
- var pk_calculated: [32]u8 = undefined;
try fmt.hexToBytes(sk[0..], "8052030376d47112be7f73ed7a019293dd12ad910b654455798b4667d73de166");
try fmt.hexToBytes(pk_expected[0..], "f1814f0e8ff1043d8a44d25babff3cedcae6c22c3edaa48f857ae70de2baae50");
- try X25519.recoverPublicKey(&pk_calculated, sk);
+ const pk_calculated = try X25519.recoverPublicKey(sk);
std.testing.expectEqual(pk_calculated, pk_expected);
}
@@ -73,9 +97,7 @@ test "x25519 rfc7748 vector1" {
const expected_output = [32]u8{ 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90, 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f, 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7, 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 };
- var output: [32]u8 = undefined;
-
- try X25519.scalarmult(&output, secret_key, public_key);
+ const output = try X25519.scalarmult(secret_key, public_key);
std.testing.expectEqual(output, expected_output);
}
@@ -85,9 +107,7 @@ test "x25519 rfc7748 vector2" {
const expected_output = [32]u8{ 0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d, 0x7a, 0xad, 0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8, 0x8b, 0x59, 0x5a, 0x68, 0x79, 0x9f, 0xa1, 0x52, 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac, 0x79, 0x57 };
- var output: [32]u8 = undefined;
-
- try X25519.scalarmult(&output, secret_key, public_key);
+ const output = try X25519.scalarmult(secret_key, public_key);
std.testing.expectEqual(output, expected_output);
}
@@ -100,9 +120,7 @@ test "x25519 rfc7748 one iteration" {
var i: usize = 0;
while (i < 1) : (i += 1) {
- var output: [32]u8 = undefined;
- try X25519.scalarmult(output[0..], k, u);
-
+ const output = try X25519.scalarmult(k, u);
mem.copy(u8, u[0..], k[0..]);
mem.copy(u8, k[0..], output[0..]);
}
@@ -124,9 +142,7 @@ test "x25519 rfc7748 1,000 iterations" {
var i: usize = 0;
while (i < 1000) : (i += 1) {
- var output: [32]u8 = undefined;
- std.testing.expect(X25519.scalarmult(output[0..], &k, &u));
-
+ const output = try X25519.scalarmult(&k, &u);
mem.copy(u8, u[0..], k[0..]);
mem.copy(u8, k[0..], output[0..]);
}
@@ -147,12 +163,17 @@ test "x25519 rfc7748 1,000,000 iterations" {
var i: usize = 0;
while (i < 1000000) : (i += 1) {
- var output: [32]u8 = undefined;
- std.testing.expect(X25519.scalarmult(output[0..], &k, &u));
-
+ const output = try X25519.scalarmult(&k, &u);
mem.copy(u8, u[0..], k[0..]);
mem.copy(u8, k[0..], output[0..]);
}
std.testing.expectEqual(k[0..], expected_output);
}
+
+test "edwards25519 -> curve25519 map" {
+ const ed_kp = try crypto.sign.Ed25519.KeyPair.create([_]u8{0x42} ** 32);
+ const mont_kp = try X25519.KeyPair.fromEd25519(ed_kp);
+ htest.assertEqual("90e7595fc89e52fdfddce9c6a43d74dbf6047025ee0462d2d172e8b6a2841d6e", &mont_kp.secret_key);
+ htest.assertEqual("cc4f2cdb695dd766f34118eb67b98652fed1d8bc49c330b119bbfa8a64989378", &mont_kp.public_key);
+}
lib/std/crypto/benchmark.zig
@@ -98,18 +98,20 @@ const exchanges = [_]Crypto{Crypto{ .ty = crypto.dh.X25519, .name = "x25519" }};
pub fn benchmarkKeyExchange(comptime DhKeyExchange: anytype, comptime exchange_count: comptime_int) !u64 {
std.debug.assert(DhKeyExchange.shared_length >= DhKeyExchange.secret_length);
- var in: [DhKeyExchange.shared_length]u8 = undefined;
- prng.random.bytes(in[0..]);
+ var secret: [DhKeyExchange.shared_length]u8 = undefined;
+ prng.random.bytes(secret[0..]);
- var out: [DhKeyExchange.shared_length]u8 = undefined;
- prng.random.bytes(out[0..]);
+ var public: [DhKeyExchange.shared_length]u8 = undefined;
+ prng.random.bytes(public[0..]);
var timer = try Timer.start();
const start = timer.lap();
{
var i: usize = 0;
while (i < exchange_count) : (i += 1) {
- try DhKeyExchange.scalarmult(&out, out, in);
+ const out = try DhKeyExchange.scalarmult(secret, public);
+ mem.copy(u8, secret[0..16], out[0..16]);
+ mem.copy(u8, public[0..16], out[16..32]);
mem.doNotOptimizeAway(&out);
}
}
lib/std/crypto/salsa20.zig
@@ -485,8 +485,7 @@ pub const Box = struct {
/// Compute a secret suitable for `secretbox` given a recipent's public key and a sender's secret key.
pub fn createSharedSecret(public_key: [public_length]u8, secret_key: [secret_length]u8) ![shared_length]u8 {
- var p: [32]u8 = undefined;
- try X25519.scalarmult(&p, secret_key, public_key);
+ const p = try X25519.scalarmult(secret_key, public_key);
const zero = [_]u8{0} ** 16;
return Salsa20Impl.hsalsa20(zero, p);
}