// Verify returns true iff sig is a valid signature of message by publicKey. func Verify(publicKey *[PublicKeySize]byte, message []byte, sig *[SignatureSize]byte) bool { if sig[63]&224 != 0 { return false } var A edwards25519.ExtendedGroupElement if !A.FromBytes(publicKey) { return false } edwards25519.FeNeg(&A.X, &A.X) edwards25519.FeNeg(&A.T, &A.T) h := sha512.New() h.Write(sig[:32]) h.Write(publicKey[:]) h.Write(message) var digest [64]byte h.Sum(digest[:0]) var hReduced [32]byte edwards25519.ScReduce(&hReduced, &digest) var R edwards25519.ProjectiveGroupElement var b [32]byte copy(b[:], sig[32:]) edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &b) var checkR [32]byte R.ToBytes(&checkR) return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1 }
// GenerateKey generates a public/private key pair using randomness from rand. func GenerateKey(rand io.Reader) (publicKey *[PublicKeySize]byte, privateKey *[PrivateKeySize]byte, err error) { privateKey = new([64]byte) publicKey = new([32]byte) _, err = io.ReadFull(rand, privateKey[:32]) if err != nil { return nil, nil, err } h := sha512.New() h.Write(privateKey[:32]) digest := h.Sum(nil) digest[0] &= 248 digest[31] &= 127 digest[31] |= 64 var A edwards25519.ExtendedGroupElement var hBytes [32]byte copy(hBytes[:], digest) edwards25519.GeScalarMultBase(&A, &hBytes) A.ToBytes(publicKey) copy(privateKey[32:], publicKey[:]) return }
// HashToEdwards converts a 256-bit hash output into a point on the Edwards // curve isomorphic to Curve25519 in a manner that preserves // collision-resistance. The returned curve points are NOT indistinguishable // from random even if the hash value is. // Specifically, first one bit of the hash output is set aside for parity and // the rest is tuncated and fed into the elligator bijection (which covers half // of the points on the elliptic curve). func HashToEdwards(out *edwards25519.ExtendedGroupElement, h *[32]byte) { hh := *h bit := hh[31] >> 7 hh[31] &= 127 edwards25519.FeFromBytes(&out.Y, &hh) representativeToMontgomeryX(&out.X, &out.Y) montgomeryXToEdwardsY(&out.Y, &out.X) if ok := out.FromParityAndY(bit, &out.Y); !ok { panic("HashToEdwards: point not on curve") } }
// PublicKeyToCurve25519 converts an Ed25519 public key into the curve25519 // public key that would be generated from the same private key. func PublicKeyToCurve25519(curve25519Public *[32]byte, publicKey *[32]byte) bool { var A edwards25519.ExtendedGroupElement if !A.FromBytes(publicKey) { return false } // A.Z = 1 as a postcondition of FromBytes. var x edwards25519.FieldElement edwardsToMontgomeryX(&x, &A.Y) edwards25519.FeToBytes(curve25519Public, &x) return true }
func Compute(m []byte, sk *[SecretKeySize]byte) []byte { x, _ := expandSecret(sk) var ii edwards25519.ExtendedGroupElement var iiB [32]byte edwards25519.GeScalarMult(&ii, x, hashToCurve(m)) ii.ToBytes(&iiB) hash := sha3.NewShake256() hash.Write(iiB[:]) // const length: Size hash.Write(m) var vrf [Size]byte hash.Read(vrf[:]) return vrf[:] }
func TestUnmarshalMarshal(t *testing.T) { pk, _, _ := GenerateKey(rand.Reader) var A edwards25519.ExtendedGroupElement ret := A.FromBytes(pk) var pk2 [32]byte A.ToBytes(&pk2) if *pk != pk2 { _ = ret t.Errorf("FromBytes(%v)->ToBytes not idempotent:\n%x\nbytes:\n\t%x\n\t%x\ndelta: %x\n", ret, A, *pk, pk2, int(pk[31])-int(pk2[31])) } }
func TestUnmarshalMarshalNegative(t *testing.T) { pk, _, _ := GenerateKey(rand.Reader) var A edwards25519.ExtendedGroupElement ret := A.FromBytes(pk) var pk2 [32]byte A.ToBytes(&pk2) pk2[31] ^= 0x80 if *pk == pk2 { t.Errorf("FromBytes(%v)->flipping sign did not change public key:\n%x\nbytes:\n\t%x\n\t%x\ndelta: %x\n", ret, A, *pk, pk2, int(pk[31])-int(pk2[31])) } }
// GenerateKey creates a public/private key pair. rnd is used for randomness. // If it is nil, `crypto/rand` is used. func GenerateKey(rnd io.Reader) (pk []byte, sk *[SecretKeySize]byte, err error) { if rnd == nil { rnd = rand.Reader } sk = new([SecretKeySize]byte) _, err = io.ReadFull(rnd, sk[:32]) if err != nil { return nil, nil, err } x, _ := expandSecret(sk) var pkP edwards25519.ExtendedGroupElement edwards25519.GeScalarMultBase(&pkP, x) var pkBytes [PublicKeySize]byte pkP.ToBytes(&pkBytes) copy(sk[32:], pkBytes[:]) return pkBytes[:], sk, err }
// Verify returns true iff vrf=Compute(m, sk) for the sk that corresponds to pk. func Verify(pkBytes, m, vrfBytes, proof []byte) bool { if len(proof) != ProofSize || len(vrfBytes) != Size || len(pkBytes) != PublicKeySize { return false } var pk, c, cRef, t, vrf, iiB, ABytes, BBytes [32]byte copy(vrf[:], vrfBytes) copy(pk[:], pkBytes) copy(c[:32], proof[:32]) copy(t[:32], proof[32:64]) copy(iiB[:], proof[64:96]) hash := sha3.NewShake256() hash.Write(iiB[:]) // const length hash.Write(m) var hCheck [Size]byte hash.Read(hCheck[:]) if !bytes.Equal(hCheck[:], vrf[:]) { return false } hash.Reset() var P, B, ii, iic edwards25519.ExtendedGroupElement var A, hmtP, iicP edwards25519.ProjectiveGroupElement if !P.FromBytesBaseGroup(&pk) { return false } if !ii.FromBytesBaseGroup(&iiB) { return false } edwards25519.GeDoubleScalarMultVartime(&A, &c, &P, &t) A.ToBytes(&ABytes) hm := hashToCurve(m) edwards25519.GeDoubleScalarMultVartime(&hmtP, &t, hm, &[32]byte{}) edwards25519.GeDoubleScalarMultVartime(&iicP, &c, &ii, &[32]byte{}) iicP.ToExtended(&iic) hmtP.ToExtended(&B) edwards25519.GeAdd(&B, &B, &iic) B.ToBytes(&BBytes) var cH [64]byte hash.Write(ABytes[:]) // const length hash.Write(BBytes[:]) // const length hash.Write(m) hash.Read(cH[:]) edwards25519.ScReduce(&cRef, &cH) return cRef == c }
// Sign signs the message with privateKey and returns a signature. func Sign(privateKey *[PrivateKeySize]byte, message []byte) *[SignatureSize]byte { h := sha512.New() h.Write(privateKey[:32]) var digest1, messageDigest, hramDigest [64]byte var expandedSecretKey [32]byte h.Sum(digest1[:0]) copy(expandedSecretKey[:], digest1[:]) expandedSecretKey[0] &= 248 expandedSecretKey[31] &= 63 expandedSecretKey[31] |= 64 h.Reset() h.Write(digest1[32:]) h.Write(message) h.Sum(messageDigest[:0]) var messageDigestReduced [32]byte edwards25519.ScReduce(&messageDigestReduced, &messageDigest) var R edwards25519.ExtendedGroupElement edwards25519.GeScalarMultBase(&R, &messageDigestReduced) var encodedR [32]byte R.ToBytes(&encodedR) h.Reset() h.Write(encodedR[:]) h.Write(privateKey[32:]) h.Write(message) h.Sum(hramDigest[:0]) var hramDigestReduced [32]byte edwards25519.ScReduce(&hramDigestReduced, &hramDigest) var s [32]byte edwards25519.ScMulAdd(&s, &hramDigestReduced, &expandedSecretKey, &messageDigestReduced) signature := new([64]byte) copy(signature[:], encodedR[:]) copy(signature[32:], s[:]) return signature }
// Prove returns the vrf value and a proof such that Verify(pk, m, vrf, proof) // == true. The vrf value is the same as returned by Compute(m, sk). func Prove(m []byte, sk *[SecretKeySize]byte) (vrf, proof []byte) { x, skhr := expandSecret(sk) var cH, rH [64]byte var r, c, minusC, t, grB, hrB, iiB [32]byte var ii, gr, hr edwards25519.ExtendedGroupElement hm := hashToCurve(m) edwards25519.GeScalarMult(&ii, x, hm) ii.ToBytes(&iiB) hash := sha3.NewShake256() hash.Write(skhr[:]) hash.Write(sk[32:]) // public key, as in ed25519 hash.Write(m) hash.Read(rH[:]) hash.Reset() edwards25519.ScReduce(&r, &rH) edwards25519.GeScalarMultBase(&gr, &r) edwards25519.GeScalarMult(&hr, &r, hm) gr.ToBytes(&grB) hr.ToBytes(&hrB) hash.Write(grB[:]) hash.Write(hrB[:]) hash.Write(m) hash.Read(cH[:]) hash.Reset() edwards25519.ScReduce(&c, &cH) edwards25519.ScNeg(&minusC, &c) edwards25519.ScMulAdd(&t, x, &minusC, &r) proof = make([]byte, ProofSize) copy(proof[:32], c[:]) copy(proof[32:64], t[:]) copy(proof[64:96], iiB[:]) hash.Write(iiB[:]) // const length: Size hash.Write(m) vrf = make([]byte, Size) hash.Read(vrf[:]) return }
func TestHashNoCollisions(t *testing.T) { type intpair struct { i int j uint } rainbow := make(map[[32]byte]intpair) N := 25 if testing.Short() { N = 3 } var h [32]byte // NOTE: hash values 0b100000000000... and 0b00000000000... both map to // the identity. this is a core part of the elligator function and not a // collision we need to worry about because an attacker would need to find // the preimages of these hashes to exploit it. h[0] = 1 for i := 0; i < N; i++ { for j := uint(0); j < 257; j++ { if j < 256 { h[j>>3] ^= byte(1) << (j & 7) } var P edwards25519.ExtendedGroupElement HashToEdwards(&P, &h) var p [32]byte P.ToBytes(&p) if c, ok := rainbow[p]; ok { t.Fatalf("found collision: (%d, %d) and (%d, %d)", i, j, c.i, c.j) } rainbow[p] = intpair{i, j} if j < 256 { h[j>>3] ^= byte(1) << (j & 7) } } hh := sha512.Sum512(h[:]) // this package already imports sha512 copy(h[:], hh[:]) } }