Merge pull request #4 from str4d/ref10

Radix-2^51 support from ref10

Author: str4d

README.md

@@ -1,9 +1,13 @@
 ed25519-java
 ============
 
-This is an implementation of Ed25519 in Java. Structurally, it is based on the ref10 implementation in SUPERCOP (see http://ed25519.cr.yp.to/software.html). Internally, it uses BigIntegers for calculation.
+This is an implementation of EdDSA in Java. Structurally, it is based on the ref10 implementation in SUPERCOP (see http://ed25519.cr.yp.to/software.html).
 
-There are no guarantees that this is secure for use. Tests against [the data from the Python implementation](http://ed25519.cr.yp.to/python/sign.input) are passing, but this has not yet been audited by a professional cryptographer. In particular, this implementation is unlikely to have the constant-time properties of ref10 (for now).
+There are two internal implementations:
+* A port of the radix-2^51 operations in ref10 - fast and constant-time, but only useful for Ed25519.
+* A generic version using BigIntegers for calculation - a bit slower and not constant-time, but compatible with any EdDSA parameter specification.
+
+There are no guarantees that this is secure for use. Tests against [the data from the Python implementation](http://ed25519.cr.yp.to/python/sign.input) are passing, but this has not yet been audited by a professional cryptographer. In particular, the constant-time properties of ref10 may not have been completely retained (although this is the eventual goal for the Ed25519-specific implementation).
 
 The code requires Java 6 (for e.g. the `Arrays.copyOfRange()` calls in `EdDSAEngine.engineVerify()`).
 

src/net/i2p/crypto/eddsa/EdDSAEngine.java

@@ -1,7 +1,6 @@
 package net.i2p.crypto.eddsa;
 
 import java.io.ByteArrayOutputStream;
-import java.math.BigInteger;
 import java.nio.ByteBuffer;
 import java.security.InvalidKeyException;
 import java.security.MessageDigest;
@@ -13,9 +12,8 @@
 import java.util.Arrays;
 
 import net.i2p.crypto.eddsa.math.Curve;
-import net.i2p.crypto.eddsa.math.FieldElement;
 import net.i2p.crypto.eddsa.math.GroupElement;
-import net.i2p.crypto.eddsa.math.LittleEndianEncoding;
+import net.i2p.crypto.eddsa.math.ScalarOps;
 
 /**
  * @author str4d
@@ -111,21 +109,16 @@ protected void engineUpdate(byte[] b, int off, int len)
     @Override
     protected byte[] engineSign() throws SignatureException {
         Curve curve = key.getParams().getCurve();
-        BigInteger l = key.getParams().getL();
-        BigInteger a = ((EdDSAPrivateKey) key).geta();
-        LittleEndianEncoding leEnc = new LittleEndianEncoding();
+        ScalarOps sc = key.getParams().getScalarOps();
+        byte[] a = ((EdDSAPrivateKey) key).geta();
 
         byte[] message = baos.toByteArray();
         // r = H(h_b,...,h_2b-1,M)
         byte[] r = digest.digest(message);
-        // From the Ed25519 paper:
-        // Here we interpret 2b-bit strings in little-endian form as integers in
-        // {0, 1,..., 2^(2b)-1}.
-        BigInteger rBI = leEnc.decode(r);
 
         // r mod l
         // Reduces r from 64 bytes to 32 bytes
-        r = leEnc.encode(rBI.mod(l), curve.getField().getb()/8);
+        r = sc.reduce(r);
 
         // R = rB
         GroupElement R = key.getParams().getB().scalarMultiply(r);
@@ -134,12 +127,14 @@ protected byte[] engineSign() throws SignatureException {
         // S = (r + H(Rbar,Abar,M)*a) mod l
         digest.update(Rbyte);
         digest.update(((EdDSAPrivateKey) key).getAbyte());
-        FieldElement S = curve.fromBigInteger(leEnc.decode(digest.digest(message)).multiply(a).add(rBI).mod(l));
+        byte[] h = digest.digest(message);
+        h = sc.reduce(h);
+        byte[] S = sc.multiplyAndAdd(h, a, r);
 
         // R+S
         int b = curve.getField().getb();
         ByteBuffer out = ByteBuffer.allocate(b/4);
-        out.put(Rbyte).put(S.toByteArray());
+        out.put(Rbyte).put(S);
         return out.array();
     }
 
@@ -158,20 +153,21 @@ protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
         byte[] h = digest.digest(message);
 
         // h mod l
-        LittleEndianEncoding leEnc = new LittleEndianEncoding();
-        h = leEnc.encode(leEnc.decode(h).mod(key.getParams().getL()), b/8);
+        h = key.getParams().getScalarOps().reduce(h);
 
         byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
         // R = SB - H(Rbar,Abar,M)A
         GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
                 ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);
 
+        // Variable time. This should be okay, because there are no secret
+        // values used anywhere in verification.
         byte[] Rcalc = R.toByteArray();
-        int result = 1;
         for (int i = 0; i < Rcalc.length; i++) {
-            result &= Utils.equal(Rcalc[i], sigBytes[i]);
+            if (Rcalc[i] != sigBytes[i])
+                return false;
         }
-        return result == 1;
+        return true;
     }
 
     /**

src/net/i2p/crypto/eddsa/EdDSAPrivateKey.java

@@ -1,6 +1,5 @@
 package net.i2p.crypto.eddsa;
 
-import java.math.BigInteger;
 import java.security.PrivateKey;
 
 import net.i2p.crypto.eddsa.math.GroupElement;
@@ -16,7 +15,7 @@ public class EdDSAPrivateKey implements EdDSAKey, PrivateKey {
     private static final long serialVersionUID = 23495873459878957L;
     private transient final byte[] seed;
     private transient final byte[] h;
-    private transient final BigInteger a;
+    private transient final byte[] a;
     private transient final GroupElement A;
     private transient final byte[] Abyte;
     private transient final EdDSAParameterSpec edDsaSpec;
@@ -55,7 +54,7 @@ public byte[] getH() {
         return h;
     }
 
-    public BigInteger geta() {
+    public byte[] geta() {
         return a;
     }
 

src/net/i2p/crypto/eddsa/Utils.java

@@ -36,4 +36,19 @@ public static int negative(int b) {
     public static int bit(byte[] h, int i) {
         return (h[i/8] >> (i%8)) & 1;
     }
+
+    /**
+     * Converts a hex string to bytes.
+     * @param s the hex string to be converted.
+     * @return the byte[]
+     */
+    public static byte[] hexToBytes(String s) {
+        int len = s.length();
+        byte[] data = new byte[len / 2];
+        for (int i = 0; i < len; i += 2) {
+            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
+                    + Character.digit(s.charAt(i+1), 16));
+        }
+        return data;
+    }
 }

src/net/i2p/crypto/eddsa/math/Constants.java

@@ -1,12 +1,12 @@
 package net.i2p.crypto.eddsa.math;
 
-import java.math.BigInteger;
+import net.i2p.crypto.eddsa.Utils;
 
 public class Constants {
-    public static final BigInteger ZERO = BigInteger.ZERO;
-    public static final BigInteger ONE = BigInteger.ONE;
-    public static final BigInteger TWO = BigInteger.valueOf(2);
-    public static final BigInteger FOUR = BigInteger.valueOf(4);
-    public static final BigInteger FIVE = BigInteger.valueOf(5);
-    public static final BigInteger EIGHT = BigInteger.valueOf(8);
+    public static final byte[] ZERO = Utils.hexToBytes("0000000000000000000000000000000000000000000000000000000000000000");
+    public static final byte[] ONE = Utils.hexToBytes("0100000000000000000000000000000000000000000000000000000000000000");
+    public static final byte[] TWO = Utils.hexToBytes("0200000000000000000000000000000000000000000000000000000000000000");
+    public static final byte[] FOUR = Utils.hexToBytes("0400000000000000000000000000000000000000000000000000000000000000");
+    public static final byte[] FIVE = Utils.hexToBytes("0500000000000000000000000000000000000000000000000000000000000000");
+    public static final byte[] EIGHT = Utils.hexToBytes("0800000000000000000000000000000000000000000000000000000000000000");
 }

src/net/i2p/crypto/eddsa/math/Curve.java

@@ -1,7 +1,6 @@
 package net.i2p.crypto.eddsa.math;
 
 import java.io.Serializable;
-import java.math.BigInteger;
 
 /**
  * A twisted Edwards curve.
@@ -20,16 +19,16 @@ public class Curve implements Serializable {
     private final GroupElement zeroP3;
     private final GroupElement zeroPrecomp;
 
-    public Curve(Field f, BigInteger d) {
+    public Curve(Field f, byte[] d, FieldElement I) {
         this.f = f;
-        this.d = fromBigInteger(d);
-        this.d2 = this.d.multiply(fromBigInteger(Constants.TWO));
-        this.I = fromBigInteger(Constants.TWO).modPow(f.getQ().subtract(Constants.ONE).divide(Constants.FOUR), f.getQ());
+        this.d = f.fromByteArray(d);
+        this.d2 = this.d.add(this.d);
+        this.I = I;
 
-        FieldElement zero = fromBigInteger(Constants.ZERO);
-        FieldElement one = fromBigInteger(Constants.ONE);
+        FieldElement zero = f.zero;
+        FieldElement one = f.one;
         zeroP2 = GroupElement.p2(this, zero, one, one);
-        zeroP3 = createPoint(Constants.ZERO, Constants.ONE);
+        zeroP3 = GroupElement.p3(this, zero, one, one, zero);
         zeroPrecomp = GroupElement.precomp(this, one, one, zero);
     }
 
@@ -62,22 +61,8 @@ public GroupElement getZero(GroupElement.Representation repr) {
         }
     }
 
-    public FieldElement fromBigInteger(BigInteger x) {
-        return new FieldElement(f, x);
-    }
-
-    public FieldElement fromByteArray(byte[] x) {
-        return new FieldElement(f, x);
-    }
-
-    public GroupElement createPoint(BigInteger x, BigInteger y) {
-        return createPoint(x, y, false);
-    }
-
-    public GroupElement createPoint(BigInteger x, BigInteger y, boolean precompute) {
-        FieldElement X = fromBigInteger(x);
-        FieldElement Y = fromBigInteger(y);
-        GroupElement ge = GroupElement.p3(this, X, Y, fromBigInteger(Constants.ONE), X.multiply(Y));
+    public GroupElement createPoint(byte[] P, boolean precompute) {
+        GroupElement ge = new GroupElement(this, P);
         if (precompute)
             ge.precompute(true);
         return ge;

src/net/i2p/crypto/eddsa/math/Encoding.java

@@ -1,16 +1,31 @@
 package net.i2p.crypto.eddsa.math;
 
-import java.math.BigInteger;
-
 /**
  * Common interface for all (b-1)-bit encodings of elements
  * of EdDSA finite fields.
  * @author str4d
  *
  */
-public interface Encoding {
-    public byte[] encode(BigInteger x, int len);
-    public BigInteger decode(byte[] in);
+public abstract class Encoding {
+    protected Field f;
+
+    public void setField(Field f) {
+        this.f = f;
+    }
+
+    /**
+     * Encode a FieldElement in its (b-1)-bit encoding.
+     * @return the (b-1)-bit encoding of this FieldElement.
+     */
+    public abstract byte[] encode(FieldElement x);
+
+    /**
+     * Decode a FieldElement from its (b-1)-bit encoding.
+     * The highest bit is masked out.
+     * @param val the (b-1)-bit encoding of a FieldElement.
+     * @return the FieldElement represented by 'val'.
+     */
+    public abstract FieldElement decode(byte[] in);
 
     /**
      * From the Ed25519 paper:
@@ -20,5 +35,5 @@ public interface Encoding {
      * elements of F_q are {1, 3, 5,..., q-2}.
      * @return
      */
-    public boolean isNegative(BigInteger x);
+    public abstract boolean isNegative(FieldElement x);
 }

src/net/i2p/crypto/eddsa/math/Field.java

@@ -1,7 +1,6 @@
 package net.i2p.crypto.eddsa.math;
 
 import java.io.Serializable;
-import java.math.BigInteger;
 
 /**
  * An EdDSA finite field. Includes several pre-computed values.
@@ -10,51 +9,66 @@
  */
 public class Field implements Serializable {
     private static final long serialVersionUID = 8746587465875676L;
+
+    public final FieldElement zero;
+    public final FieldElement one;
+    public final FieldElement two;
+    public final FieldElement four;
+    public final FieldElement five;
+    public final FieldElement eight;
+
     private final int b;
-    private final BigInteger q;
+    private final FieldElement q;
     /**
      * q-2
      */
-    private final BigInteger qm2;
+    private final FieldElement qm2;
     /**
      * (q-5) / 8
      */
-    private final BigInteger qm5d8;
-    /**
-     * Mask where only the first b-1 bits are set.
-     */
-    private final BigInteger mask;
+    private final FieldElement qm5d8;
     private final Encoding enc;
 
-    public Field(int b, BigInteger q, Encoding enc) {
+    public Field(int b, byte[] q, Encoding enc) {
         this.b = b;
-        this.q = q;
-        this.qm2 = q.subtract(Constants.TWO);
-        this.qm5d8 = q.subtract(Constants.FIVE).divide(Constants.EIGHT);
-        this.mask = Constants.ONE.shiftLeft(b-1).subtract(Constants.ONE);
         this.enc = enc;
+        this.enc.setField(this);
+
+        this.q = fromByteArray(q);
+
+        // Set up constants
+        zero = fromByteArray(Constants.ZERO);
+        one = fromByteArray(Constants.ONE);
+        two = fromByteArray(Constants.TWO);
+        four = fromByteArray(Constants.FOUR);
+        five = fromByteArray(Constants.FIVE);
+        eight = fromByteArray(Constants.EIGHT);
+
+        // Precompute values
+        qm2 = this.q.subtract(two);
+        qm5d8 = this.q.subtract(five).divide(eight);
+    }
+
+    public FieldElement fromByteArray(byte[] x) {
+        return enc.decode(x);
     }
 
     public int getb() {
         return b;
     }
 
-    public BigInteger getQ() {
+    public FieldElement getQ() {
         return q;
     }
 
-    public BigInteger getQm2() {
+    public FieldElement getQm2() {
         return qm2;
     }
 
-    public BigInteger getQm5d8() {
+    public FieldElement getQm5d8() {
         return qm5d8;
     }
 
-    public BigInteger getMask() {
-        return mask;
-    }
-
     public Encoding getEncoding(){
         return enc;
     }