Merge remote-tracking branch 'refs/remotes/origin/master'

dghgit · dghgit · commit 1f4e5de43779 · 2022-11-21T06:17:07.000+11:00
diff --git a/core/src/test/java/org/bouncycastle/math/ec/rfc8032/test/Ed25519Test.java b/core/src/test/java/org/bouncycastle/math/ec/rfc8032/test/Ed25519Test.java
@@ -6,6 +6,7 @@
 import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.math.ec.rfc8032.Ed25519;
 import org.bouncycastle.util.Arrays;
+import org.bouncycastle.util.Strings;
 import org.bouncycastle.util.encoders.Hex;
 
 public class Ed25519Test
@@ -456,6 +457,166 @@ public void testPublicKeyValidationPartial()
         assertTrue(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("379B071E6F7E2479D5A8588AB708137808D63F689127D4A228E2C1681873C55E"), 0));
     }
 
+    /*
+     * Test vectors from the paper "Taming the many EdDSAs" (https://ia.cr/2020/1244).
+     */
+
+    public void testTamingNonRepudiation()
+    {
+        // TODO Algorithm 2 rejects this because A is one of 8 small order points
+
+        byte[] msg1 = Strings.toUTF8ByteArray("Send 100 USD to Alice");
+        byte[] msg2 = Strings.toUTF8ByteArray("Send 100000 USD to Alice");
+        byte[] pub = Hex.decodeStrict("ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f");
+        byte[] sig = Hex.decodeStrict("a9d55260f765261eb9b84e106f665e00b867287a761990d7135963ee0a7d59dc" +
+                                      "a5bb704786be79fc476f91d3f3f89b03984d8068dcf1bb7dfc6637b45450ac04");
+
+        assertTrue(Ed25519.verify(sig, 0, pub, 0, msg1, 0, msg1.length));
+        assertTrue(Ed25519.verify(sig, 0, pub, 0, msg2, 0, msg2.length));
+    }
+
+    public void testTamingVector_00()
+    {
+        // TODO Algorithm 2 rejects this because A is one of 8 small order points
+        implTamingVector(0, true,
+            "8c93255d71dcab10e8f379c26200f3c7bd5f09d9bc3068d3ef4edeb4853022b6",
+            "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa",
+            "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a" +
+            "0000000000000000000000000000000000000000000000000000000000000000");
+    }
+
+    public void testTamingVector_01()
+    {
+        // TODO Algorithm 2 rejects this because A is one of 8 small order points
+        implTamingVector(1, true,
+            "9bd9f44f4dcc75bd531b56b2cd280b0bb38fc1cd6d1230e14861d861de092e79",
+            "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa",
+            "f7badec5b8abeaf699583992219b7b223f1df3fbbea919844e3f7c554a43dd43" +
+            "a5bb704786be79fc476f91d3f3f89b03984d8068dcf1bb7dfc6637b45450ac04");
+    }
+
+    public void testTamingVector_02()
+    {
+        // NOTE: Algorithm 2 accepts this, although LibSodium rejects R as one of 8 small order points
+        implTamingVector(2, true,
+            "aebf3f2601a0c8c5d39cc7d8911642f740b78168218da8471772b35f9d35b9ab",
+            "f7badec5b8abeaf699583992219b7b223f1df3fbbea919844e3f7c554a43dd43",
+            "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa" +
+            "8c4bd45aecaca5b24fb97bc10ac27ac8751a7dfe1baff8b953ec9f5833ca260e");
+    }
+
+    public void testTamingVector_03()
+    {
+        // NOTE: Has mixed-order A and R; a full check could catch this, but is (too) expensive
+        implTamingVector(3, true,
+            "9bd9f44f4dcc75bd531b56b2cd280b0bb38fc1cd6d1230e14861d861de092e79",
+            "cdb267ce40c5cd45306fa5d2f29731459387dbf9eb933b7bd5aed9a765b88d4d",
+            "9046a64750444938de19f227bb80485e92b83fdb4b6506c160484c016cc1852f" +
+            "87909e14428a7a1d62e9f22f3d3ad7802db02eb2e688b6c52fcd6648a98bd009");
+    }
+
+    public void testTamingVector_04()
+    {
+        // TODO Algorithm 2 accepts this (cofactored verification)
+        implTamingVector(4, false,
+            "e47d62c63f830dc7a6851a0b1f33ae4bb2f507fb6cffec4011eaccd55b53f56c",
+            "cdb267ce40c5cd45306fa5d2f29731459387dbf9eb933b7bd5aed9a765b88d4d",
+            "160a1cb0dc9c0258cd0a7d23e94d8fa878bcb1925f2c64246b2dee1796bed512" +
+            "5ec6bc982a269b723e0668e540911a9a6a58921d6925e434ab10aa7940551a09");
+    }
+
+    public void testTamingVector_05()
+    {
+        // TODO Algorithm 2 accepts this (cofactored verification)
+        implTamingVector(5, false,
+            "e47d62c63f830dc7a6851a0b1f33ae4bb2f507fb6cffec4011eaccd55b53f56c",
+            "cdb267ce40c5cd45306fa5d2f29731459387dbf9eb933b7bd5aed9a765b88d4d",
+            "21122a84e0b5fca4052f5b1235c80a537878b38f3142356b2c2384ebad4668b7" +
+            "e40bc836dac0f71076f9abe3a53f9c03c1ceeeddb658d0030494ace586687405");
+    }
+
+    public void testTamingVector_06()
+    {
+        implTamingVector(6, false,
+            "85e241a07d148b41e47d62c63f830dc7a6851a0b1f33ae4bb2f507fb6cffec40",
+            "442aad9f089ad9e14647b1ef9099a1ff4798d78589e66f28eca69c11f582a623",
+            "e96f66be976d82e60150baecff9906684aebb1ef181f67a7189ac78ea23b6c0e" +
+            "547f7690a0e2ddcd04d87dbc3490dc19b3b3052f7ff0538cb68afb369ba3a514");
+    }
+
+    public void testTamingVector_07()
+    {
+        implTamingVector(7, false,
+            "85e241a07d148b41e47d62c63f830dc7a6851a0b1f33ae4bb2f507fb6cffec40",
+            "442aad9f089ad9e14647b1ef9099a1ff4798d78589e66f28eca69c11f582a623",
+            "8ce5b96c8f26d0ab6c47958c9e68b937104cd36e13c33566acd2fe8d38aa1942" +
+            "7e71f98a4734e74f2f13f06f97c20d58cc3f54b8bd0d272f42b695dd7e89a8c22");
+    }
+
+    public void testTamingVector_08()
+    {
+        implTamingVector(8, false,
+            "9bedc267423725d473888631ebf45988bad3db83851ee85c85e241a07d148b41",
+            "f7badec5b8abeaf699583992219b7b223f1df3fbbea919844e3f7c554a43dd43",
+            "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" +
+            "03be9678ac102edcd92b0210bb34d7428d12ffc5df5f37e359941266a4e35f0f");
+    }
+
+    public void testTamingVector_09()
+    {
+        implTamingVector(9, false,
+            "9bedc267423725d473888631ebf45988bad3db83851ee85c85e241a07d148b41",
+            "f7badec5b8abeaf699583992219b7b223f1df3fbbea919844e3f7c554a43dd43",
+            "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" +
+            "ca8c5b64cd208982aa38d4936621a4775aa233aa0505711d8fdcfdaa943d4908");
+    }
+
+    public void testTamingVector_10()
+    {
+        implTamingVector(10, false,
+            "e96b7021eb39c1a163b6da4e3093dcd3f21387da4cc4572be588fafae23c155b",
+            "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+            "a9d55260f765261eb9b84e106f665e00b867287a761990d7135963ee0a7d59dc" +
+            "a5bb704786be79fc476f91d3f3f89b03984d8068dcf1bb7dfc6637b45450ac04");
+    }
+
+    public void testTamingVector_11()
+    {
+        implTamingVector(11, false,
+            "39a591f5321bbe07fd5a23dc2f39d025d74526615746727ceefd6e82ae65c06f",
+            "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
+            "a9d55260f765261eb9b84e106f665e00b867287a761990d7135963ee0a7d59dc" +
+            "a5bb704786be79fc476f91d3f3f89b03984d8068dcf1bb7dfc6637b45450ac04");
+    }
+
+    private static void implTamingVector(int number, boolean expected, String msgHex, String pubHex, String sigHex)
+    {
+        boolean actual = implTamingVector(msgHex, pubHex, sigHex);
+
+        assertEquals("Failed Taming EdDSA Vector #" + number, expected, actual);
+    }
+
+    private static boolean implTamingVector(String msgHex, String pubHex, String sigHex)
+    {
+        if (sigHex.length() != Ed25519.SIGNATURE_SIZE * 2)
+        {
+            return false;
+        }
+
+        byte[] msg = Hex.decodeStrict(msgHex);
+        byte[] pub = Hex.decodeStrict(pubHex);
+        byte[] sig = Hex.decodeStrict(sigHex);
+
+        try
+        {
+            return Ed25519.verify(sig, 0, pub, 0, msg, 0, msg.length);
+        }
+        catch (RuntimeException e)
+        {
+            return false;
+        }
+    }
+
     private static void checkEd25519Vector(String sSK, String sPK, String sM, String sSig, String text)
     {
         byte[] sk = Hex.decode(sSK);
