1
0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-23 23:08:14 +00:00

crypto: add support for schnorr signatures

This commit is contained in:
armatusmiles 2019-04-20 17:01:04 +03:00 committed by Pavol Rusnak
parent b439b536a1
commit 8114e0f9fc
No known key found for this signature in database
GPG Key ID: 91F3B339B9A02A3D
4 changed files with 342 additions and 0 deletions

View File

@ -63,6 +63,7 @@ SRCS += rc4.c
SRCS += nem.c
SRCS += segwit_addr.c cash_addr.c
SRCS += memzero.c
SRCS += schnorr.c
OBJS = $(SRCS:.c=.o)

104
crypto/schnorr.c Normal file
View File

@ -0,0 +1,104 @@
/**
* Copyright (c) 2019 Anatolii Kurotych
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
* OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
* OTHER DEALINGS IN THE SOFTWARE.
*/
#include "schnorr.h"
#include "memzero.h"
// r = H(Q, kpub, m)
static void calc_r(const curve_point *Q, const uint8_t pub_key[33],
const uint8_t *msg, const uint32_t msg_len, bignum256 *r) {
uint8_t Q_compress[33];
compress_coords(Q, Q_compress);
SHA256_CTX ctx;
uint8_t digest[SHA256_DIGEST_LENGTH];
sha256_Init(&ctx);
sha256_Update(&ctx, Q_compress, 33);
sha256_Update(&ctx, pub_key, 33);
sha256_Update(&ctx, msg, msg_len);
sha256_Final(&ctx, digest);
bn_read_be(digest, r);
}
// returns 0 if signing succeeded
int schnorr_sign(const ecdsa_curve *curve, const uint8_t *priv_key,
const bignum256 *k, const uint8_t *msg, const uint32_t msg_len,
schnorr_sign_pair *result) {
bignum256 private_key_scalar;
bn_read_be(priv_key, &private_key_scalar);
uint8_t pub_key[33];
ecdsa_get_public_key33(curve, priv_key, pub_key);
/* Q = kG */
curve_point Q;
scalar_multiply(curve, k, &Q);
/* r = H(Q, kpub, m) */
calc_r(&Q, pub_key, msg, msg_len, &result->r);
/* s = k - r*kpriv mod(order) */
bignum256 s_temp;
bn_copy(&result->r, &s_temp);
bn_multiply(&private_key_scalar, &s_temp, &curve->order);
bn_subtractmod(k, &s_temp, &result->s, &curve->order);
memzero(&private_key_scalar, sizeof(private_key_scalar));
while (bn_is_less(&curve->order, &result->s)) {
bn_mod(&result->s, &curve->order);
}
if (bn_is_zero(&result->s) || bn_is_zero(&result->r)) {
return 1;
}
return 0;
}
// returns 0 if verification succeeded
int schnorr_verify(const ecdsa_curve *curve, const uint8_t *pub_key,
const uint8_t *msg, const uint32_t msg_len,
const schnorr_sign_pair *sign) {
if (msg_len == 0) return 1;
if (bn_is_zero(&sign->r)) return 2;
if (bn_is_zero(&sign->s)) return 3;
if (bn_is_less(&curve->order, &sign->r)) return 4;
if (bn_is_less(&curve->order, &sign->s)) return 5;
curve_point pub_key_point;
if (!ecdsa_read_pubkey(curve, pub_key, &pub_key_point)) {
return 6;
}
// Compute Q = sG + r*kpub
curve_point sG, Q;
scalar_multiply(curve, &sign->s, &sG);
point_multiply(curve, &sign->r, &pub_key_point, &Q);
point_add(curve, &sG, &Q);
/* r = H(Q, kpub, m) */
bignum256 r;
calc_r(&Q, pub_key, msg, msg_len, &r);
if (bn_is_equal(&r, &sign->r)) return 0; // success
return 10;
}

42
crypto/schnorr.h Normal file
View File

@ -0,0 +1,42 @@
/**
* Copyright (c) 2019 Anatolii Kurotych
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES
* OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
* OTHER DEALINGS IN THE SOFTWARE.
*/
#ifndef __SCHNORR_H__
#define __SCHNORR_H__
#include "ecdsa.h"
// result of sign operation
typedef struct {
bignum256 r, s;
} schnorr_sign_pair;
// sign/verify returns 0 if operation succeeded
// k is a random from [1, ..., order-1]
int schnorr_sign(const ecdsa_curve *curve, const uint8_t *priv_key,
const bignum256 *k, const uint8_t *msg, const uint32_t msg_len,
schnorr_sign_pair *result);
int schnorr_verify(const ecdsa_curve *curve, const uint8_t *pub_key,
const uint8_t *msg, const uint32_t msg_len,
const schnorr_sign_pair *sign);
#endif

View File

@ -61,6 +61,7 @@
#include "rand.h"
#include "rc4.h"
#include "rfc6979.h"
#include "schnorr.h"
#include "script.h"
#include "secp256k1.h"
#include "sha2.h"
@ -8347,6 +8348,195 @@ START_TEST(test_compress_coords) {
}
END_TEST
// vectors generated using Schnorr::Sign function defined in
// https://github.com/Zilliqa/Zilliqa/blob/master/src/libCrypto/Schnorr.cpp#L88
START_TEST(test_schnorr_sign_verify) {
static struct {
const char *message;
const char *priv_key;
const char *k_hex;
const char *s_hex;
const char *r_hex;
} test_cases[] = {
{
"123",
"3382266517e2ebe6df51faf4bfe612236ad46fb8bd59ac982a223b045e080ac6",
"669301F724C555D7BB1185C04909E9CACA3EC7A292B3A1C92DDCCD5A5A7DDDD3",
"FFD72C290B98C93A4BCEDC0EDCDF040C35579BE962FE83E6821D4F3CB4B795D2",
"74AAE9C3E069E2806E1B0D890970BE387AEBED8040F37991AACAD70B27895E39",
},
{
"1234",
"51a2758eed776c40b367364909c8a9c98cc969104f69ff316f7a287495c37c9b",
"A0A1A9B3570AAE963535B8D4376C58A61646C18182C9FDDA5FB13703F88D4D1E",
"99A0CB942C81571B77C682F79CD3CB663CE9E1C55BB425BA24B9F11A0DE84FE2",
"C3C10363E38158BBA20556A36DE9358DFD81A31C180ABC9E7617C1CC1CAF03B3",
},
{
"12345",
"2685adffdbb4b2c515054cffc25cfcbfe2e462df65bbe82fb50f71e1e68dd285",
"38DE7B3315F201433D271E91FBE62966576CA05CBFEC1770B77D7EC9D6A01D6D",
"28982FA6C2B620CBC550F7EF9EAB605F409C584FBE5A765678877B79AB517086",
"9A0788E5B0947DEDEDE386DF57A006CF3FE43919A74D9CA630F8A1A9D97B4650",
},
{
"fun",
"7457dc574d927e5dae84b05264a5b637b5a68e34a85b3965084ed6fed5b7f12d",
"E005ABD242C7C602AB5EED080C5083C7C5F8DAEC6D046A54F384A8B8CDECF740",
"51070ABCA039DAC294F6BA3BFC8C36CFC66020EDF66D1ACF1A9B545B0BF09F52",
"330A924525EF722FA20E8E25CB6E8BD7DF4394886FA4414E4A0B6812AA25BBC0",
},
{
"funny",
"52c395a6d304de1a959e73e4604e32c5ad3f2bf01c8f730af426b38d7d5dd908",
"0CF28B5C40A8830F3195BB99A9F0E2808F576105F41D16ABCF596AC5A8CFE88A",
"3D60FB4664C994AD956378B9402BC68F7B4799D74F4783A6199C0D74865EA2B6",
"5ED5EDEE0314DFFBEE39EE4E9C76DE8BC3EB8CB891AEC32B83957514284B205B",
},
{
"What is great in man is that he is a bridge and not a goal",
"52c395a6d304de1a959e73e4604e32c5ad3f2bf01c8f730af426b38d7d5dd908",
"000000000000000000000000000000000000000000000000000000000000007B",
"546F70AA1FEE3718C95508240CDC073B9FEFED05959C5319DD8E2BF07A1DD028",
"B8667BE5E10B113608BFE5327C44E9F0462BE26F789177E10DCE53019AA33DAA",
},
{
"123456789147258369qwertyuiopasdfghjklzxcvbnm,",
"2685adffdbb4b2c515054cffc25cfcbfe2e462df65bbe82fb50f71e1e68dd285",
"1D0CB70310C4D793A4561FE592B7C156771E3E26283B28AB588E968243B52DD0",
"54D7A435E5E3F2811AA542F8895C20CCB760F2713DBDDB7291DAB6DA4E4F927E",
"20A3BDABFFF2C1BF8E2AF709F6CDCAFE70DA9A1DBC22305B6332E36844092984",
},
{
"11111111111111111111111111111111111111111111111111111111111111111"
"11111111111111111111111111111111111111111111111111111111111111111"
"111111111111111111",
"3382266517e2ebe6df51faf4bfe612236ad46fb8bd59ac982a223b045e080ac6",
"A669F372B3C2EEA351210082CAEC3B96767A7B222D19FF2EE3D814860F0D703A",
"4890F9AC3A8D102EE3A2A473930C01CAD29DCE3860ACB7A5DADAEF16FE808991",
"979F088E58F1814D5E462CB9F935D2924ABD8D32211D8F02DD7E0991726DF573",
},
{
"qwertyuiop[]asdfghjkl;'zxcvbnm,./1234567890-=",
"7457dc574d927e5dae84b05264a5b637b5a68e34a85b3965084ed6fed5b7f12d",
"000000000000000000000000000000000000000000000000000000000000007C",
"0AA595A649E517133D3448CA657424DD07BBED289030F0C0AA6738D26AB9A910",
"83812632F1443A70B198D112D075D886BE7BBC6EC6275AE52661E52B7358BB8B",
},
};
const ecdsa_curve *curve = &secp256k1;
bignum256 k;
uint8_t priv_key[32], buf_raw[32];
schnorr_sign_pair result;
for (size_t i = 0; i < sizeof(test_cases) / sizeof(*test_cases); i++) {
memcpy(priv_key, fromhex(test_cases[i].priv_key), 32);
memcpy(&buf_raw, fromhex(test_cases[i].k_hex), 32);
bn_read_be(buf_raw, &k);
schnorr_sign(curve, priv_key, &k, (const uint8_t *)test_cases[i].message,
strlen(test_cases[i].message), &result);
schnorr_sign_pair expected;
memcpy(&buf_raw, fromhex(test_cases[i].s_hex), 32);
bn_read_be(buf_raw, &expected.s);
memcpy(&buf_raw, fromhex(test_cases[i].r_hex), 32);
bn_read_be(buf_raw, &expected.r);
ck_assert_mem_eq(&expected.r, &result.r, 32);
ck_assert_mem_eq(&expected.s, &result.s, 32);
uint8_t pub_key[33];
ecdsa_get_public_key33(curve, priv_key, pub_key);
int res =
schnorr_verify(curve, pub_key, (const uint8_t *)test_cases[i].message,
strlen(test_cases[i].message), &result);
ck_assert_int_eq(res, 0);
}
}
END_TEST
// vectors generated using Schnorr::Sign function defined in
// https://github.com/Zilliqa/Zilliqa/blob/master/src/libCrypto/Schnorr.cpp#L88
START_TEST(test_schnorr_fail_verify) {
static struct {
const char *message;
const char *priv_key;
const char *k_hex;
const char *s_hex;
const char *r_hex;
} test_case = {
"123",
"3382266517e2ebe6df51faf4bfe612236ad46fb8bd59ac982a223b045e080ac6",
"669301F724C555D7BB1185C04909E9CACA3EC7A292B3A1C92DDCCD5A5A7DDDD3",
"FFD72C290B98C93A4BCEDC0EDCDF040C35579BE962FE83E6821D4F3CB4B795D2",
"74AAE9C3E069E2806E1B0D890970BE387AEBED8040F37991AACAD70B27895E39",
};
const ecdsa_curve *curve = &secp256k1;
bignum256 k;
uint8_t priv_key[32], buf_raw[32];
memcpy(priv_key, fromhex(test_case.priv_key), 32);
memcpy(&buf_raw, fromhex(test_case.k_hex), 32);
bn_read_be(buf_raw, &k);
schnorr_sign_pair result;
schnorr_sign(curve, priv_key, &k, (const uint8_t *)test_case.message,
strlen(test_case.message), &result);
uint8_t pub_key[33];
ecdsa_get_public_key33(curve, priv_key, pub_key);
// OK
int res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message,
strlen(test_case.message), &result);
ck_assert_int_eq(res, 0);
res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message, 0,
&result);
ck_assert_int_eq(res, 1);
schnorr_sign_pair bad_result;
bn_copy(&result.s, &bad_result.s);
bn_zero(&bad_result.r);
// r == 0
res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message,
strlen(test_case.message), &bad_result);
ck_assert_int_eq(res, 2);
bn_copy(&result.r, &bad_result.r);
bn_zero(&bad_result.s);
// s == 0
res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message,
strlen(test_case.message), &bad_result);
ck_assert_int_eq(res, 3);
bn_copy(&result.s, &bad_result.s);
bn_copy(&curve->order, &bad_result.r);
bn_addi(&bad_result.r, 1);
// r == curve->order + 1
res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message,
strlen(test_case.message), &bad_result);
ck_assert_int_eq(res, 4);
bn_copy(&result.r, &bad_result.r);
bn_copy(&curve->order, &bad_result.s);
bn_addi(&bad_result.s, 1);
// s == curve->order + 1
res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message,
strlen(test_case.message), &bad_result);
ck_assert_int_eq(res, 5);
bn_copy(&result.r, &bad_result.r);
bn_copy(&result.s, &bad_result.s);
// change message
test_case.message = "12";
res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message,
strlen(test_case.message), &bad_result);
ck_assert_int_eq(res, 10);
}
END_TEST
static int my_strncasecmp(const char *s1, const char *s2, size_t n) {
size_t i = 0;
while (i < n) {
@ -8624,6 +8814,11 @@ Suite *test_suite(void) {
tcase_add_test(tc, test_compress_coords);
suite_add_tcase(s, tc);
tc = tcase_create("schnorr");
tcase_add_test(tc, test_schnorr_sign_verify);
tcase_add_test(tc, test_schnorr_fail_verify);
suite_add_tcase(s, tc);
#if USE_CARDANO
tc = tcase_create("bip32-cardano");