RFC9381 ECVRF implementation (#1188)

* Version 12 of ECVRF

* Incorrect ordering of function inputs

* Identation and notation

* single multiscalar multiplication function

Also changed the style of tests, where the expected output is in vrf.exp rather than in test data (following the style of the hashing).

* declarations inside the if code block

* identation of test_data

* Rename to RFC9381

* Move declarations to top of block

* Check small order over deserialised PK

* Include from_string functions in ed25519_ref10

* Update quirks.h

---------

Co-authored-by: Frank Denis <[email protected]>

.gitignore

@@ -166,6 +166,7 @@ test/default/stream2
 test/default/stream3
 test/default/stream4
 test/default/verify1
+test/default/vrf
 test/default/xchacha20
 test/js.done
 testing

src/libsodium/Makefile.am

@@ -99,6 +99,12 @@ libsodium_la_SOURCES = \
 	crypto_stream/xsalsa20/stream_xsalsa20.c \
 	crypto_verify/verify.c \
 	include/sodium/private/asm_cet.h \
+	crypto_vrf/crypto_vrf.c \
+	crypto_vrf/rfc9381/keypair.c \
+	crypto_vrf/rfc9381/prove.c \
+	crypto_vrf/rfc9381/verify.c \
+	crypto_vrf/rfc9381/vrf.c \
+	crypto_vrf/rfc9381/vrf_rfc9381.h \
 	include/sodium/private/chacha20_ietf_ext.h \
 	include/sodium/private/common.h \
 	include/sodium/private/ed25519_ref10.h \

src/libsodium/crypto_core/ed25519/core_ed25519.c

@@ -65,54 +65,20 @@ crypto_core_ed25519_from_uniform(unsigned char *p, const unsigned char *r)
     return 0;
 }
 
-#define HASH_GE_L 48U
-
-static int
-_string_to_points(unsigned char * const px, const size_t n,
-                  const char *ctx, const unsigned char *msg, size_t msg_len,
-                  int hash_alg)
-{
-    unsigned char h[crypto_core_ed25519_HASHBYTES];
-    unsigned char h_be[2U * HASH_GE_L];
-    size_t        i, j;
-
-    if (n > 2U) {
-        abort(); /* LCOV_EXCL_LINE */
-    }
-    if (core_h2c_string_to_hash(h_be, n * HASH_GE_L, ctx, msg, msg_len,
-                                hash_alg) != 0) {
-        return -1;
-    }
-    COMPILER_ASSERT(sizeof h >= HASH_GE_L);
-    for (i = 0U; i < n; i++) {
-        for (j = 0U; j < HASH_GE_L; j++) {
-            h[j] = h_be[i * HASH_GE_L + HASH_GE_L - 1U - j];
-        }
-        memset(&h[j], 0, (sizeof h) - j);
-        ge25519_from_hash(&px[i * crypto_core_ed25519_BYTES], h);
-    }
-    return 0;
-}
-
 int
 crypto_core_ed25519_from_string(unsigned char p[crypto_core_ed25519_BYTES],
                                 const char *ctx, const unsigned char *msg,
                                 size_t msg_len, int hash_alg)
 {
-    return _string_to_points(p, 1, ctx, msg, msg_len, hash_alg);
+    return ge25519_from_string(p, ctx, msg, msg_len, hash_alg);
 }
 
 int
 crypto_core_ed25519_from_string_ro(unsigned char p[crypto_core_ed25519_BYTES],
                                    const char *ctx, const unsigned char *msg,
                                    size_t msg_len, int hash_alg)
 {
-    unsigned char px[2 * crypto_core_ed25519_BYTES];
-
-    if (_string_to_points(px, 2, ctx, msg, msg_len, hash_alg) != 0) {
-        return -1;
-    }
-    return crypto_core_ed25519_add(p, &px[0], &px[crypto_core_ed25519_BYTES]);
+    return ge25519_from_string_ro(p, ctx, msg, msg_len, hash_alg);
 }
 
 void

src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c

@@ -4,6 +4,7 @@
 #include <string.h>
 
 #include "crypto_verify_32.h"
+#include "../core_h2c.h"
 #include "private/common.h"
 #include "private/ed25519_ref10.h"
 #include "utils.h"
@@ -742,68 +743,76 @@ ge25519_tobytes(unsigned char *s, const ge25519_p2 *h)
 }
 
 /*
- r = a * A + b * B
- where a = a[0]+256*a[1]+...+256^31 a[31].
- and b = b[0]+256*b[1]+...+256^31 b[31].
- B is the Ed25519 base point (x,4/5) with x positive.
-
- Only used for signatures verification.
+ * Precomputation of a base point, to use in multiscalar multiplication algorithm A,3A,5A,7A,9A,11A,13A,15A
  */
-
-void
-ge25519_double_scalarmult_vartime(ge25519_p2 *r, const unsigned char *a,
-                                  const ge25519_p3 *A, const unsigned char *b)
-{
-    static const ge25519_precomp Bi[8] = {
-#ifdef HAVE_TI_MODE
-# include "fe_51/base2.h"
-#else
-# include "fe_25_5/base2.h"
-#endif
-    };
-    signed char    aslide[256];
-    signed char    bslide[256];
-    ge25519_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
+static void point_precomputation(ge25519_cached cached[8], const ge25519_p3 *base) {
     ge25519_p1p1   t;
     ge25519_p3     u;
-    ge25519_p3     A2;
-    int            i;
+    ge25519_p3     A;
 
-    slide_vartime(aslide, a);
-    slide_vartime(bslide, b);
-
-    ge25519_p3_to_cached(&Ai[0], A);
+    // Precomputation of values of A
+    ge25519_p3_to_cached(&cached[0], base);
 
-    ge25519_p3_dbl(&t, A);
-    ge25519_p1p1_to_p3(&A2, &t);
+    ge25519_p3_dbl(&t, base);
+    ge25519_p1p1_to_p3(&A, &t);
 
-    ge25519_add_cached(&t, &A2, &Ai[0]);
+    ge25519_add_cached(&t, &A, &cached[0]);
     ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[1], &u);
+    ge25519_p3_to_cached(&cached[1], &u);
 
-    ge25519_add_cached(&t, &A2, &Ai[1]);
+    ge25519_add_cached(&t, &A, &cached[1]);
     ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[2], &u);
+    ge25519_p3_to_cached(&cached[2], &u);
 
-    ge25519_add_cached(&t, &A2, &Ai[2]);
+    ge25519_add_cached(&t, &A, &cached[2]);
     ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[3], &u);
+    ge25519_p3_to_cached(&cached[3], &u);
 
-    ge25519_add_cached(&t, &A2, &Ai[3]);
+    ge25519_add_cached(&t, &A, &cached[3]);
     ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[4], &u);
+    ge25519_p3_to_cached(&cached[4], &u);
 
-    ge25519_add_cached(&t, &A2, &Ai[4]);
+    ge25519_add_cached(&t, &A, &cached[4]);
     ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[5], &u);
+    ge25519_p3_to_cached(&cached[5], &u);
 
-    ge25519_add_cached(&t, &A2, &Ai[5]);
+    ge25519_add_cached(&t, &A, &cached[5]);
     ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[6], &u);
+    ge25519_p3_to_cached(&cached[6], &u);
 
-    ge25519_add_cached(&t, &A2, &Ai[6]);
+    ge25519_add_cached(&t, &A, &cached[6]);
     ge25519_p1p1_to_p3(&u, &t);
-    ge25519_p3_to_cached(&Ai[7], &u);
+    ge25519_p3_to_cached(&cached[7], &u);
+}
+
+/*
+ Variable time double scalar multiplication with variable bases
+ r = a * A + b * B
+ where a = a[0]+256*a[1]+...+256^31 a[31].
+ and b = b[0]+256*b[1]+...+256^31 b[31].
+
+ If a null pointer is passed as an argument for B, the function uses
+ the precomputed values of the base point for the scalar multiplication.
+
+ Only used for ed25519 and VRF verification.
+ */
+
+void
+ge25519_double_scalarmult_vartime(ge25519_p2 *r, const unsigned char *a,
+                                           const ge25519_p3 *A, const unsigned char *b,
+                                           const ge25519_p3 *B)
+{
+    signed char    aslide[256];
+    signed char    bslide[256];
+    ge25519_cached Ai[8];
+    ge25519_p1p1   t;
+    ge25519_p3     u;
+    int            i;
+
+    slide_vartime(aslide, a);
+    slide_vartime(bslide, b);
+
+    point_precomputation(Ai, A);
 
     ge25519_p2_0(r);
 
@@ -824,12 +833,31 @@ ge25519_double_scalarmult_vartime(ge25519_p2 *r, const unsigned char *a,
             ge25519_sub_cached(&t, &u, &Ai[(-aslide[i]) / 2]);
         }
 
-        if (bslide[i] > 0) {
-            ge25519_p1p1_to_p3(&u, &t);
-            ge25519_add_precomp(&t, &u, &Bi[bslide[i] / 2]);
-        } else if (bslide[i] < 0) {
-            ge25519_p1p1_to_p3(&u, &t);
-            ge25519_sub_precomp(&t, &u, &Bi[(-bslide[i]) / 2]);
+        if (B == NULL) {
+            static const ge25519_precomp Bi[8] = {
+#ifdef HAVE_TI_MODE
+# include "fe_51/base2.h"
+#else
+# include "fe_25_5/base2.h"
+#endif
+            };
+            if (bslide[i] > 0) {
+                ge25519_p1p1_to_p3(&u, &t);
+                ge25519_add_precomp(&t, &u, &Bi[bslide[i] / 2]);
+            } else if (bslide[i] < 0) {
+                ge25519_p1p1_to_p3(&u, &t);
+                ge25519_sub_precomp(&t, &u, &Bi[(-bslide[i]) / 2]);
+            }
+        } else {
+            ge25519_cached Bi[8];
+            point_precomputation(Bi, B);
+            if (bslide[i] > 0) {
+                ge25519_p1p1_to_p3(&u, &t);
+                ge25519_add_cached(&t, &u, &Bi[bslide[i] / 2]);
+            } else if (bslide[i] < 0) {
+                ge25519_p1p1_to_p3(&u, &t);
+                ge25519_sub_cached(&t, &u, &Bi[(-bslide[i]) / 2]);
+            }
         }
 
         ge25519_p1p1_to_p2(r, &t);
@@ -2224,6 +2252,29 @@ sc25519_invert(unsigned char recip[32], const unsigned char s[32])
     sc25519_sqmul(recip, 8, _11101011);
 }
 
+/* 2^252+27742317777372353535851937790883648493 */
+static const unsigned char L[] = {
+        0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7,
+        0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
+};
+
+void
+sc25519_negate(unsigned char neg[32], const unsigned char s[32])
+{
+    unsigned char t_[64];
+    unsigned char s_[64];
+
+    memset(t_, 0, sizeof t_);
+    memset(s_, 0, sizeof s_);
+    memcpy(t_ + 32, L,
+           32);
+    memcpy(s_, s, 32);
+    sodium_sub(t_, s_, sizeof t_);
+    sc25519_reduce(t_);
+    memcpy(neg, t_, 32);
+}
+
 /*
  Input:
  s[0]+256*s[1]+...+256^63*s[63] = s
@@ -2700,6 +2751,68 @@ ge25519_from_uniform(unsigned char s[32], const unsigned char r[32])
     ge25519_p3_tobytes(s, &p3);
 }
 
+#define HASH_GE_L 48U
+
+static int
+_string_to_points(unsigned char * const px, const size_t n,
+                  const char *ctx, const unsigned char *msg, size_t msg_len,
+                  int hash_alg)
+{
+    unsigned char h[64];
+    unsigned char h_be[2U * HASH_GE_L];
+    size_t        i, j;
+
+    if (n > 2U) {
+        abort(); /* LCOV_EXCL_LINE */;
+    }
+    if (core_h2c_string_to_hash(h_be, n * HASH_GE_L, ctx, msg, msg_len,
+                                hash_alg) != 0) {
+        return -1;
+    }
+    COMPILER_ASSERT(sizeof h >= HASH_GE_L);
+    for (i = 0U; i < n; i++) {
+        for (j = 0U; j < HASH_GE_L; j++) {
+            h[j] = h_be[i * HASH_GE_L + HASH_GE_L - 1U - j];
+        }
+        memset(&h[j], 0, (sizeof h) - j);
+        ge25519_from_hash(&px[i * 32], h);
+    }
+    return 0;
+}
+
+int
+ge25519_from_string(unsigned char p[32],
+                    const char *ctx, const unsigned char *msg,
+                    size_t msg_len, int hash_alg)
+{
+    return _string_to_points(p, 1, ctx, msg, msg_len, hash_alg);
+
+
+}
+
+int
+ge25519_from_string_ro(unsigned char p[32],
+                       const char *ctx, const unsigned char *msg,
+                       size_t msg_len, int hash_alg)
+{
+    unsigned char  px[64];
+    ge25519_p3     p_p3, q_p3, r_p3;
+
+    if (_string_to_points(px, 2, ctx, msg, msg_len, hash_alg) != 0) {
+        return -1;
+    }
+
+    if (ge25519_frombytes(&p_p3, &px[0]) != 0 || ge25519_is_on_curve(&p_p3) == 0 ||
+        ge25519_frombytes(&q_p3, &px[32]) != 0 || ge25519_is_on_curve(&q_p3) == 0) {
+        return -1;
+    }
+    ge25519_p3_add(&r_p3, &p_p3, &q_p3);
+    ge25519_p3_tobytes(p, &r_p3);
+
+    return 0;
+}
+
+
 static void
 fe25519_reduce64(fe25519 fe_f, const unsigned char h[64])
 {

src/libsodium/crypto_sign/ed25519/ref10/open.c

@@ -55,7 +55,7 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
     crypto_hash_sha512_final(&hs, h);
     sc25519_reduce(h);
 
-    ge25519_double_scalarmult_vartime(&sb_ah_p2, h, &A, sig + 32);
+    ge25519_double_scalarmult_vartime(&sb_ah_p2, h, &A, sig + 32, NULL);
     ge25519_p2_to_p3(&sb_ah, &sb_ah_p2);
     ge25519_p3_sub(&check, &expected_r, &sb_ah);