EdDSA support (Ed25519 and Ed448 curves) with Pure, Context and Prehash types + SHA3 (SHA3, SHAKE, CSHAKE and KMAC) #5800
Conversation
Largely inspired by the curve25519 definition. Signed-off-by: Aurelien Jarno <[email protected]>
Largely inspired by the curve448 definition. Signed-off-by: Aurelien Jarno <[email protected]>
Also tweak mbedtls_ecp_get_type to handle the edwards case. FIXME: there is probably a cleaner way of doing that. Signed-off-by: Aurelien Jarno <[email protected]>
The RFC8032 recommends to implement ed25519 in extended coordinates and ed448 in projective coordinates. The two coordinates systems are very close with T=x*y for extended coordinates. The corresponding point addition and point doubling formulas are actually very similar. Note that the formulas given in the RFC are the EFD one simplified with a = -1 for ed25519 and a = 1 for ed448. The Mbed TLS philosophy is to share as much code as possible, so projective coordinates are used for both Twisted Edwards and Edwards curves, using the formulas from EFD, which do include the a parameter of the quation. This also matches the mbedtls_ecp_point implementation which supports up to three coordinates. In order to verify EdDSA signatures, it is necessary to add two points. A new mbedtls_ecp_add function is therefore exported in the API. It is only implemented for Edwards curve and returns MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE for other curves. The ecp_check_pubkey function simply checks that the points is on the curve as there are no recommended checks in the RFC8032 nor in the FIPS 186-5 draft. FIXME: There is currently no check for mbedtls_ecp_check_privkey. It's not clear what check should be implemented. FIXME: mbedtls_ecp_set_zero and mbedtls_ecp_is_zero are wrong for Edwards curve, the neutral element being (0, 1). This is not possible to fix that without changing the API as the group parameter is currently not in argument. FIXME: ecp_normalize_edxyz uses a modular inversion. For elliptic curves over GF(p) modular inversions could be done using x^-1 = x^(p-2) (mod p). As it doesn't seem to bring any measureable speed improvement, I kept the modular inversion. FIXME: The mbedtls_ecp_keypair type and the related functions (mbedtls_ecp_gen_key, mbedtls_ecp_read_key, mbedtls_ecp_check_pub_priv) assume that the secret key is a scalar and that the public key is a curve point that is obtained by the scalar multiplication of the base point by the secret key. This is only partially true for the EdDSA algorithm, which employs point enconding and hashes to manipulate those. Signed-off-by: Aurelien Jarno <[email protected]>
Those tests are extracted from RFC8032 sec 7 and correspond to the unique SECRET KEY and PUBLIC KEY tuples in the Ed25519 and Ed448 test vectors. The eddsa2 Python library defined from Appendix A is used to expand the SECRET KEY entries to a scalar value and to decode the PUBLIC KEY entries to a point value. Signed-off-by: Aurelien Jarno <[email protected]>
Note that decoding a point for curves over prime field p with p = 1 (mod 8) is not supported. This is not the case of Ed25519 and Ed448. Supporting that would require a more complex algorithm to compute the square root, for instance the Tonelli-Shanks algorithm. Note that the square root formulas come from the RFC Erratas 5758 and 5759. FIXME: mbedtls_ecp_point_read_binary_ed() has to be defined after the mbedtls_mpi_xxx_mod functions as some computation are needed to read a point. Currently mbedtls_ecp_point_read_binary() is defined before those functions, so a forward declaration is needed. This should probably be fixed by reshuffling functions in ecp.c. Signed-off-by: Aurelien Jarno <[email protected]>
…el32-edwards Signed-off-by: Pol Henarejos <[email protected]> # Conflicts: # library/ecp.c # library/version_features.c # programs/test/query_config.c # tests/suites/test_suite_ecp.data
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Added method to derive public point from private ed25519 point. Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
EdDSA by definition is always deterministic. So, I do not distinguish between DET versions. This version does not support restarting functions. Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
…ably also affects to curve448. Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
|
@polhenarejos The Arm Jenkins instance is not accessible externally, so if you need to see logs, please ask here. We're in the process of moving to OpenCI, which is publicly visible. So far OpenCI is running the same Linux and FreeBSD jobs, but not Windows yet. On 525ec1f, builds with MSVC are failing due to this error: |
Signed-off-by: Pol Henarejos <[email protected]>
polhenarejos
changed the title
Also added NIST test vectors. Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Added test vectors for SHA-3 KMAC. Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
Signed-off-by: Pol Henarejos <[email protected]>
|
Thanks @gilles-peskine-arm for the comments and suggestions. PR passes all checks and I think the PR includes all necessary to run EdDSA and SHA3 hashing. Please let me know if it is still missing something or if I can do something else to speed up the merge. |
|
@polhenarejos Thank you very much! And wow, I blinked and now there's the whole SHA3 family? Wow! Unfortunately our bottleneck is review bandwidth. As this is a very large contribution, we need to schedule it, and I'm afraid we have no room until late 2022. |
|
Sure! Once you have shake working is straightforward to add sha3, cshake or kmac. In any case, if you think I can help for reviewing to mitigate the bottleneck, tell it to me and I will be glad to give a hand. |
|
We would gladly welcome your help with reviews! While I can't promise anything right now, we do normally prioritize the reviews of contributions from people who are also reviewing. If you're willing, please read a presentation to set the mood and our review guidelines. Pull requests normally need two approvals from trusted reviewers. Pull requests looking for a reviewer should have the "needs: reviewer" label. They should also be on the review board. We tend to prioritize pull requests that already have one approval and so are in the "Has Approval" column. I'm guessing that your interest is mainly on cryptographic code, so here are a few suggestions:
|
gilles-peskine-arm
added
needs-review
|
Speaking of reviews, would you mind splitting this pull request? It's very large, which makes it difficult to find two reviewers who will have enough time in a reasonably contiguous period. We've never managed to integrate the previous SHA3 contribution originally submitted in 2016... (By the way, did you reuse that for SHA3? Does your code cover the same ground?) Would you mind splitting this into at least three parts?
We'd planned an even finer breakdown, but since you've already done the work, I think this split would be fine. |
|
Honestly, I did not review other contributions for SHA-3 #1549 nor #479, as my intended PR was originally to provide Edwards signatures (and this is why I only added shake256). By a quick overview, I think both do the same but I also add cSHAKE and KMAC (with less code lines). I do not interface each keccak intermediate function because I think this is not useful for anyone and even for the entire keccak-f, which is declared static. If it may help, I do no have any objection on splitting in 4 parts. Do you mean submitting as many PR covering each point?
|
Yes, please. Or split differently if you think that's more meaningful. I think this is a reasonable split in terms of manageable review size. (That's with code that's already in a good shape. In general we'd ask for even smaller pieces, to reduce the amount of rework if there are a lot of review comments, but I can see that your code is already in a very good shape so I don't expect major difficulties.)
Yes, sorry, I meant SHA3 then SHAKE then (in either order) Ed448 and the rest of the SHA3 family. Or you could go directly for SHAKE then Ed448 and rest of SHA3 family including SHA3 itself. |
|
I added PR:
but I am not sure that they are completely splitted. #5823 adds KMAC support but it also contains the previous commits from the rest of PR. In addition to this, I do not know how to add a separated PR for Ed448, as it depends on #5819 and #5821. Which is the best approach to do not repeat previous commits? |
Description
This PR implements EdDSA signatures, with Ed25519 and Ed448 curves. It supports Pure, Context and Prehash types, resulting onto ed25519, ed25519ctx, ed25519ph, ed448 and ed448ph. I followed the RFC 8032, which specifies the procedure for signing and verifying. It also contains verification.
Ed448 uses SHAKE256 function, which is also added. Note that there are no specific CPU optimizations.
I added test suites for EdDSA and SHAKE256 with the test vectors provided in the RFC.
I took the PR from @aurel32, which defined the curves and arithmetic (I fixed some bugs), from #2452.
About SHA3
During this journey, I started with SHAKE256, since it is necessary for Ed448. However, SHAKE and SHA3 functions are very similar and I extended the sha3 module to include SHA-3, SHAKE, cSHAKE and KMAC (with and without XOF).
Ideally I would make two separate PR, but since EdDSA and SHA-3 are closely dependent I put altogether in this PR.
SHA-3 and SHAKE are based on FIPS 202. cSHAKE and KMAC are based on SP800-185. Test vectors are taken from NIST repository.
Note: it will only work for architectures that support real qwords (i.e., 64 bits). On smaller CPU Keccak permutation function has to be recompiled with other parameters.
Status
READY
Requires Backporting
NO
Migrations
NO
Additional comments
This PR does not contain restarting capability, but it can be extended easily.
Note that this PR obsoletes #3245, since it is contained here and it was not merged.
Todos
Splitted PR
This PR is being splitted into the following PR:
Related issues