forked from facebook/opaque-ke
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcurve25519.rs
110 lines (93 loc) · 3.6 KB
/
curve25519.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
// Copyright (c) Facebook, Inc. and its affiliates.
//
// This source code is licensed under both the MIT license found in the
// LICENSE-MIT file in the root directory of this source tree and the Apache
// License, Version 2.0 found in the LICENSE-APACHE file in the root directory
// of this source tree.
//! Key Exchange group implementation for Curve25519
use curve25519_dalek::constants::X25519_BASEPOINT;
use curve25519_dalek::montgomery::MontgomeryPoint;
use curve25519_dalek::scalar::Scalar;
use curve25519_dalek::traits::Identity;
use digest::core_api::BlockSizeUser;
use digest::{FixedOutput, HashMarker};
use elliptic_curve::hash2curve::{ExpandMsg, ExpandMsgXmd, Expander};
use generic_array::typenum::{IsLess, IsLessOrEqual, U256, U32, U64};
use generic_array::GenericArray;
use rand::{CryptoRng, RngCore};
use subtle::ConstantTimeEq;
use super::KeGroup;
use crate::errors::InternalError;
/// Implementation for Curve25519.
pub struct Curve25519;
/// The implementation of such a subgroup for Curve25519
impl KeGroup for Curve25519 {
type Pk = MontgomeryPoint;
type PkLen = U32;
type Sk = Scalar;
type SkLen = U32;
fn serialize_pk(pk: Self::Pk) -> GenericArray<u8, Self::PkLen> {
pk.to_bytes().into()
}
fn deserialize_pk(bytes: &[u8]) -> Result<Self::Pk, InternalError> {
bytes
.try_into()
.ok()
.map(MontgomeryPoint)
.filter(|pk| pk != &MontgomeryPoint::identity())
.ok_or(InternalError::PointError)
}
fn random_sk<R: RngCore + CryptoRng>(rng: &mut R) -> Self::Sk {
loop {
// Sample 32 random bytes and then clamp, as described in https://cr.yp.to/ecdh.html
let mut scalar_bytes = [0u8; 32];
rng.fill_bytes(&mut scalar_bytes);
let scalar = Scalar::from_bits_clamped(scalar_bytes);
if scalar != Scalar::ZERO {
break scalar;
}
}
}
// Implements the `HashToScalar()` function from
// <https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-19.html#section-4>
fn hash_to_scalar<'a, H>(input: &[&[u8]], dst: &[&[u8]]) -> Result<Self::Sk, InternalError>
where
H: BlockSizeUser + Default + FixedOutput + HashMarker,
H::OutputSize: IsLess<U256> + IsLessOrEqual<H::BlockSize>,
{
let mut uniform_bytes = GenericArray::<_, U64>::default();
ExpandMsgXmd::<H>::expand_message(input, dst, 64)
.map_err(|_| InternalError::HashToScalar)?
.fill_bytes(&mut uniform_bytes);
let scalar = Scalar::from_bytes_mod_order_wide(&uniform_bytes.into());
let scalar = Scalar::from_bits_clamped(scalar.to_bytes());
if scalar == Scalar::ZERO {
Err(InternalError::HashToScalar)
} else {
Ok(scalar)
}
}
fn is_zero_scalar(scalar: Self::Sk) -> subtle::Choice {
scalar.ct_eq(&Scalar::ZERO)
}
fn public_key(sk: Self::Sk) -> Self::Pk {
X25519_BASEPOINT * sk
}
fn diffie_hellman(pk: Self::Pk, sk: Self::Sk) -> GenericArray<u8, Self::PkLen> {
Self::serialize_pk(sk * pk)
}
fn serialize_sk(sk: Self::Sk) -> GenericArray<u8, Self::SkLen> {
sk.to_bytes().into()
}
fn deserialize_sk(bytes: &[u8]) -> Result<Self::Sk, InternalError> {
bytes
.try_into()
.ok()
.and_then(|bytes| {
let scalar = Scalar::from_bits_clamped(bytes);
(scalar.as_bytes() == &bytes).then_some(scalar)
})
.filter(|scalar| scalar != &Scalar::ZERO)
.ok_or(InternalError::PointError)
}
}