Merge pull request #31 from ivmaykov/master

str4d · web-flow · commit 8497fa194ef5 · 2017-03-11T18:31:09.000+13:00
Constant-time GroupElement.cmov()
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>net.i2p.crypto</groupId>
   <artifactId>eddsa</artifactId>
-  <version>0.1.0</version>
+  <version>0.2.0-SNAPSHOT</version>
   <name>EdDSA-Java</name>
   <packaging>bundle</packaging>
   <description>Implementation of EdDSA in Java</description>
diff --git a/src/net/i2p/crypto/eddsa/math/FieldElement.java b/src/net/i2p/crypto/eddsa/math/FieldElement.java
@@ -70,5 +70,7 @@ public FieldElement divide(FieldElement val) {
 
     public abstract FieldElement pow22523();
 
+    public abstract FieldElement cmov(FieldElement val, final int b);
+
     // Note: concrete subclasses must implement hashCode() and equals()
 }
diff --git a/src/net/i2p/crypto/eddsa/math/GroupElement.java b/src/net/i2p/crypto/eddsa/math/GroupElement.java
@@ -238,7 +238,7 @@ public GroupElement(final Curve curve, final byte[] s) {
         y = curve.getField().fromByteArray(s);
         yy = y.square();
 
-        // u = y^2-1    
+        // u = y^2-1
         u = yy.subtractOne();
 
         // v = dy^2+1
@@ -248,7 +248,7 @@ public GroupElement(final Curve curve, final byte[] s) {
         v3 = v.square().multiply(v);
 
         // x = (v3^2)vu, aka x = uv^7
-        x = v3.square().multiply(v).multiply(u);    
+        x = v3.square().multiply(v).multiply(u);
 
         //  x = (uv^7)^((q-5)/8)
         x = x.pow22523();
@@ -815,19 +815,10 @@ static byte[] toRadix16(final byte[] a) {
      *
      * @param u The group element to return if $b == 1$.
      * @param b in $\{0, 1\}$
-     * @return $u$ if $b == 1$; this if $b == 0$; null otherwise.
+     * @return $u$ if $b == 1$; this if $b == 0$. Results undefined if $b$ is not in $\{0, 1\}$.
      */
     GroupElement cmov(final GroupElement u, final int b) {
-        GroupElement ret = null;
-        for (int i = 0; i < b; i++) {
-            // Only for b == 1
-            ret = u;
-        }
-        for (int i = 0; i < 1-b; i++) {
-            // Only for b == 0
-            ret = this;
-        }
-        return ret;
+        return precomp(curve, X.cmov(u.X, b), Y.cmov(u.Y, b), Z.cmov(u.Z, b));
     }
 
     /**
@@ -869,7 +860,7 @@ GroupElement select(final int pos, final int b) {
     /**
      * $h = a * B$ where $a = a[0]+256*a[1]+\dots+256^{31} a[31]$ and
      * $B$ is this point. If its lookup table has not been precomputed, it
-     * will be at the start of the method (and cached for later calls). 
+     * will be at the start of the method (and cached for later calls).
      * Constant time.
      * <p>
      * Preconditions: (TODO: Check this applies here)
diff --git a/src/net/i2p/crypto/eddsa/math/bigint/BigIntegerFieldElement.java b/src/net/i2p/crypto/eddsa/math/bigint/BigIntegerFieldElement.java
@@ -104,6 +104,13 @@ public FieldElement pow22523(){
         return pow(f.getQm5d8());
     }
 
+    @Override
+    public FieldElement cmov(FieldElement val, int b) {
+        // Not constant-time, but it doesn't really matter because none of the underlying BigInteger operations
+        // are either, so there's not much point in trying hard here ...
+        return b == 0 ? this : val;
+    }
+
     @Override
     public int hashCode() {
         return bi.hashCode();
diff --git a/src/net/i2p/crypto/eddsa/math/ed25519/Ed25519FieldElement.java b/src/net/i2p/crypto/eddsa/math/ed25519/Ed25519FieldElement.java
@@ -942,6 +942,29 @@ public FieldElement pow22523() {
         return multiply(t0);
     }
 
+    /**
+     * Constant-time conditional move. Well, actually it is a conditional copy.
+     * Logic is inspired by the SUPERCOP implementation at:
+     *   https://github.com/floodyberry/supercop/blob/master/crypto_sign/ed25519/ref10/fe_cmov.c
+     *
+     * @param val the other field element.
+     * @param b must be 0 or 1, otherwise results are undefined.
+     * @return a copy of this if $b == 0$, or a copy of val if $b == 1$.
+     */
+    @Override
+    public FieldElement cmov(FieldElement val, int b) {
+        Ed25519FieldElement that = (Ed25519FieldElement) val;
+        b = -b;
+        int[] result = new int[10];
+        for (int i = 0; i < 10; i++) {
+            result[i] = this.t[i];
+            int x = this.t[i] ^ that.t[i];
+            x &= b;
+            result[i] ^= x;
+        }
+        return new Ed25519FieldElement(this.f, result);
+    }
+
     @Override
     public int hashCode() {
         return Arrays.hashCode(t);
diff --git a/test/net/i2p/crypto/eddsa/math/AbstractFieldElementTest.java b/test/net/i2p/crypto/eddsa/math/AbstractFieldElementTest.java
@@ -190,6 +190,23 @@ public void pow22523ReturnsCorrectResult() {
 
     // endregion
 
+    // region cmov
+
+    @Test
+    public void cmovReturnsCorrectResult() {
+        final FieldElement zero = getZeroFieldElement();
+        final FieldElement nz = getNonZeroFieldElement();
+        final FieldElement f = getRandomFieldElement();
+
+        Assert.assertThat(zero.cmov(nz, 0), IsEqual.equalTo(zero));
+        Assert.assertThat(zero.cmov(nz, 1), IsEqual.equalTo(nz));
+
+        Assert.assertThat(f.cmov(nz, 0), IsEqual.equalTo(f));
+        Assert.assertThat(f.cmov(nz, 1), IsEqual.equalTo(nz));
+    }
+
+    // endregion
+
     // region hashCode / equals
 
     @Test

Original file line number	Diff line number	Diff line change
`@@ -70,5 +70,7 @@ public FieldElement divide(FieldElement val) {`
`70`	`70`
`71`	`71`	`public abstract FieldElement pow22523();`
`72`	`72`
	`73`	`+ public abstract FieldElement cmov(FieldElement val, final int b);`
	`74`	`+`
`73`	`75`	`// Note: concrete subclasses must implement hashCode() and equals()`
`74`	`76`	`}`