From 8114e0f9fc7af5d41ac73d69209b4065d3638327 Mon Sep 17 00:00:00 2001 From: armatusmiles Date: Sat, 20 Apr 2019 17:01:04 +0300 Subject: [PATCH] crypto: add support for schnorr signatures --- crypto/Makefile | 1 + crypto/schnorr.c | 104 ++++++++++++++++++++ crypto/schnorr.h | 42 ++++++++ crypto/tests/test_check.c | 195 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 342 insertions(+) create mode 100644 crypto/schnorr.c create mode 100644 crypto/schnorr.h diff --git a/crypto/Makefile b/crypto/Makefile index 6d14fec61..8dd944be4 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -63,6 +63,7 @@ SRCS += rc4.c SRCS += nem.c SRCS += segwit_addr.c cash_addr.c SRCS += memzero.c +SRCS += schnorr.c OBJS = $(SRCS:.c=.o) diff --git a/crypto/schnorr.c b/crypto/schnorr.c new file mode 100644 index 000000000..9be43eef2 --- /dev/null +++ b/crypto/schnorr.c @@ -0,0 +1,104 @@ +/** + * Copyright (c) 2019 Anatolii Kurotych + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES + * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR + * OTHER DEALINGS IN THE SOFTWARE. + */ + +#include "schnorr.h" +#include "memzero.h" + +// r = H(Q, kpub, m) +static void calc_r(const curve_point *Q, const uint8_t pub_key[33], + const uint8_t *msg, const uint32_t msg_len, bignum256 *r) { + uint8_t Q_compress[33]; + compress_coords(Q, Q_compress); + + SHA256_CTX ctx; + uint8_t digest[SHA256_DIGEST_LENGTH]; + sha256_Init(&ctx); + sha256_Update(&ctx, Q_compress, 33); + sha256_Update(&ctx, pub_key, 33); + sha256_Update(&ctx, msg, msg_len); + sha256_Final(&ctx, digest); + bn_read_be(digest, r); +} + +// returns 0 if signing succeeded +int schnorr_sign(const ecdsa_curve *curve, const uint8_t *priv_key, + const bignum256 *k, const uint8_t *msg, const uint32_t msg_len, + schnorr_sign_pair *result) { + bignum256 private_key_scalar; + bn_read_be(priv_key, &private_key_scalar); + uint8_t pub_key[33]; + ecdsa_get_public_key33(curve, priv_key, pub_key); + + /* Q = kG */ + curve_point Q; + scalar_multiply(curve, k, &Q); + + /* r = H(Q, kpub, m) */ + calc_r(&Q, pub_key, msg, msg_len, &result->r); + + /* s = k - r*kpriv mod(order) */ + bignum256 s_temp; + bn_copy(&result->r, &s_temp); + bn_multiply(&private_key_scalar, &s_temp, &curve->order); + bn_subtractmod(k, &s_temp, &result->s, &curve->order); + memzero(&private_key_scalar, sizeof(private_key_scalar)); + + while (bn_is_less(&curve->order, &result->s)) { + bn_mod(&result->s, &curve->order); + } + + if (bn_is_zero(&result->s) || bn_is_zero(&result->r)) { + return 1; + } + + return 0; +} + +// returns 0 if verification succeeded +int schnorr_verify(const ecdsa_curve *curve, const uint8_t *pub_key, + const uint8_t *msg, const uint32_t msg_len, + const schnorr_sign_pair *sign) { + if (msg_len == 0) return 1; + if (bn_is_zero(&sign->r)) return 2; + if (bn_is_zero(&sign->s)) return 3; + if (bn_is_less(&curve->order, &sign->r)) return 4; + if (bn_is_less(&curve->order, &sign->s)) return 5; + + curve_point pub_key_point; + if (!ecdsa_read_pubkey(curve, pub_key, &pub_key_point)) { + return 6; + } + + // Compute Q = sG + r*kpub + curve_point sG, Q; + scalar_multiply(curve, &sign->s, &sG); + point_multiply(curve, &sign->r, &pub_key_point, &Q); + point_add(curve, &sG, &Q); + + /* r = H(Q, kpub, m) */ + bignum256 r; + calc_r(&Q, pub_key, msg, msg_len, &r); + + if (bn_is_equal(&r, &sign->r)) return 0; // success + + return 10; +} diff --git a/crypto/schnorr.h b/crypto/schnorr.h new file mode 100644 index 000000000..57bfc46d7 --- /dev/null +++ b/crypto/schnorr.h @@ -0,0 +1,42 @@ +/** + * Copyright (c) 2019 Anatolii Kurotych + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES + * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR + * OTHER DEALINGS IN THE SOFTWARE. + */ + +#ifndef __SCHNORR_H__ +#define __SCHNORR_H__ + +#include "ecdsa.h" + +// result of sign operation +typedef struct { + bignum256 r, s; +} schnorr_sign_pair; + +// sign/verify returns 0 if operation succeeded + +// k is a random from [1, ..., order-1] +int schnorr_sign(const ecdsa_curve *curve, const uint8_t *priv_key, + const bignum256 *k, const uint8_t *msg, const uint32_t msg_len, + schnorr_sign_pair *result); +int schnorr_verify(const ecdsa_curve *curve, const uint8_t *pub_key, + const uint8_t *msg, const uint32_t msg_len, + const schnorr_sign_pair *sign); +#endif diff --git a/crypto/tests/test_check.c b/crypto/tests/test_check.c index fc2de3033..310ce808d 100644 --- a/crypto/tests/test_check.c +++ b/crypto/tests/test_check.c @@ -61,6 +61,7 @@ #include "rand.h" #include "rc4.h" #include "rfc6979.h" +#include "schnorr.h" #include "script.h" #include "secp256k1.h" #include "sha2.h" @@ -8347,6 +8348,195 @@ START_TEST(test_compress_coords) { } END_TEST +// vectors generated using Schnorr::Sign function defined in +// https://github.com/Zilliqa/Zilliqa/blob/master/src/libCrypto/Schnorr.cpp#L88 +START_TEST(test_schnorr_sign_verify) { + static struct { + const char *message; + const char *priv_key; + const char *k_hex; + const char *s_hex; + const char *r_hex; + } test_cases[] = { + { + "123", + "3382266517e2ebe6df51faf4bfe612236ad46fb8bd59ac982a223b045e080ac6", + "669301F724C555D7BB1185C04909E9CACA3EC7A292B3A1C92DDCCD5A5A7DDDD3", + "FFD72C290B98C93A4BCEDC0EDCDF040C35579BE962FE83E6821D4F3CB4B795D2", + "74AAE9C3E069E2806E1B0D890970BE387AEBED8040F37991AACAD70B27895E39", + }, + { + "1234", + "51a2758eed776c40b367364909c8a9c98cc969104f69ff316f7a287495c37c9b", + "A0A1A9B3570AAE963535B8D4376C58A61646C18182C9FDDA5FB13703F88D4D1E", + "99A0CB942C81571B77C682F79CD3CB663CE9E1C55BB425BA24B9F11A0DE84FE2", + "C3C10363E38158BBA20556A36DE9358DFD81A31C180ABC9E7617C1CC1CAF03B3", + }, + { + "12345", + "2685adffdbb4b2c515054cffc25cfcbfe2e462df65bbe82fb50f71e1e68dd285", + "38DE7B3315F201433D271E91FBE62966576CA05CBFEC1770B77D7EC9D6A01D6D", + "28982FA6C2B620CBC550F7EF9EAB605F409C584FBE5A765678877B79AB517086", + "9A0788E5B0947DEDEDE386DF57A006CF3FE43919A74D9CA630F8A1A9D97B4650", + }, + { + "fun", + "7457dc574d927e5dae84b05264a5b637b5a68e34a85b3965084ed6fed5b7f12d", + "E005ABD242C7C602AB5EED080C5083C7C5F8DAEC6D046A54F384A8B8CDECF740", + "51070ABCA039DAC294F6BA3BFC8C36CFC66020EDF66D1ACF1A9B545B0BF09F52", + "330A924525EF722FA20E8E25CB6E8BD7DF4394886FA4414E4A0B6812AA25BBC0", + }, + { + "funny", + "52c395a6d304de1a959e73e4604e32c5ad3f2bf01c8f730af426b38d7d5dd908", + "0CF28B5C40A8830F3195BB99A9F0E2808F576105F41D16ABCF596AC5A8CFE88A", + "3D60FB4664C994AD956378B9402BC68F7B4799D74F4783A6199C0D74865EA2B6", + "5ED5EDEE0314DFFBEE39EE4E9C76DE8BC3EB8CB891AEC32B83957514284B205B", + }, + { + "What is great in man is that he is a bridge and not a goal", + "52c395a6d304de1a959e73e4604e32c5ad3f2bf01c8f730af426b38d7d5dd908", + "000000000000000000000000000000000000000000000000000000000000007B", + "546F70AA1FEE3718C95508240CDC073B9FEFED05959C5319DD8E2BF07A1DD028", + "B8667BE5E10B113608BFE5327C44E9F0462BE26F789177E10DCE53019AA33DAA", + }, + { + "123456789147258369qwertyuiopasdfghjklzxcvbnm,", + "2685adffdbb4b2c515054cffc25cfcbfe2e462df65bbe82fb50f71e1e68dd285", + "1D0CB70310C4D793A4561FE592B7C156771E3E26283B28AB588E968243B52DD0", + "54D7A435E5E3F2811AA542F8895C20CCB760F2713DBDDB7291DAB6DA4E4F927E", + "20A3BDABFFF2C1BF8E2AF709F6CDCAFE70DA9A1DBC22305B6332E36844092984", + }, + { + "11111111111111111111111111111111111111111111111111111111111111111" + "11111111111111111111111111111111111111111111111111111111111111111" + "111111111111111111", + "3382266517e2ebe6df51faf4bfe612236ad46fb8bd59ac982a223b045e080ac6", + "A669F372B3C2EEA351210082CAEC3B96767A7B222D19FF2EE3D814860F0D703A", + "4890F9AC3A8D102EE3A2A473930C01CAD29DCE3860ACB7A5DADAEF16FE808991", + "979F088E58F1814D5E462CB9F935D2924ABD8D32211D8F02DD7E0991726DF573", + }, + { + "qwertyuiop[]asdfghjkl;'zxcvbnm,./1234567890-=", + "7457dc574d927e5dae84b05264a5b637b5a68e34a85b3965084ed6fed5b7f12d", + "000000000000000000000000000000000000000000000000000000000000007C", + "0AA595A649E517133D3448CA657424DD07BBED289030F0C0AA6738D26AB9A910", + "83812632F1443A70B198D112D075D886BE7BBC6EC6275AE52661E52B7358BB8B", + }, + }; + + const ecdsa_curve *curve = &secp256k1; + bignum256 k; + uint8_t priv_key[32], buf_raw[32]; + schnorr_sign_pair result; + for (size_t i = 0; i < sizeof(test_cases) / sizeof(*test_cases); i++) { + memcpy(priv_key, fromhex(test_cases[i].priv_key), 32); + memcpy(&buf_raw, fromhex(test_cases[i].k_hex), 32); + bn_read_be(buf_raw, &k); + schnorr_sign(curve, priv_key, &k, (const uint8_t *)test_cases[i].message, + strlen(test_cases[i].message), &result); + + schnorr_sign_pair expected; + + memcpy(&buf_raw, fromhex(test_cases[i].s_hex), 32); + bn_read_be(buf_raw, &expected.s); + memcpy(&buf_raw, fromhex(test_cases[i].r_hex), 32); + bn_read_be(buf_raw, &expected.r); + + ck_assert_mem_eq(&expected.r, &result.r, 32); + ck_assert_mem_eq(&expected.s, &result.s, 32); + + uint8_t pub_key[33]; + ecdsa_get_public_key33(curve, priv_key, pub_key); + int res = + schnorr_verify(curve, pub_key, (const uint8_t *)test_cases[i].message, + strlen(test_cases[i].message), &result); + ck_assert_int_eq(res, 0); + } +} +END_TEST + +// vectors generated using Schnorr::Sign function defined in +// https://github.com/Zilliqa/Zilliqa/blob/master/src/libCrypto/Schnorr.cpp#L88 +START_TEST(test_schnorr_fail_verify) { + static struct { + const char *message; + const char *priv_key; + const char *k_hex; + const char *s_hex; + const char *r_hex; + } test_case = { + "123", + "3382266517e2ebe6df51faf4bfe612236ad46fb8bd59ac982a223b045e080ac6", + "669301F724C555D7BB1185C04909E9CACA3EC7A292B3A1C92DDCCD5A5A7DDDD3", + "FFD72C290B98C93A4BCEDC0EDCDF040C35579BE962FE83E6821D4F3CB4B795D2", + "74AAE9C3E069E2806E1B0D890970BE387AEBED8040F37991AACAD70B27895E39", + }; + + const ecdsa_curve *curve = &secp256k1; + bignum256 k; + uint8_t priv_key[32], buf_raw[32]; + memcpy(priv_key, fromhex(test_case.priv_key), 32); + memcpy(&buf_raw, fromhex(test_case.k_hex), 32); + bn_read_be(buf_raw, &k); + + schnorr_sign_pair result; + schnorr_sign(curve, priv_key, &k, (const uint8_t *)test_case.message, + strlen(test_case.message), &result); + uint8_t pub_key[33]; + ecdsa_get_public_key33(curve, priv_key, pub_key); + + // OK + int res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message, + strlen(test_case.message), &result); + ck_assert_int_eq(res, 0); + + res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message, 0, + &result); + ck_assert_int_eq(res, 1); + + schnorr_sign_pair bad_result; + + bn_copy(&result.s, &bad_result.s); + bn_zero(&bad_result.r); + // r == 0 + res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message, + strlen(test_case.message), &bad_result); + ck_assert_int_eq(res, 2); + + bn_copy(&result.r, &bad_result.r); + bn_zero(&bad_result.s); + // s == 0 + res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message, + strlen(test_case.message), &bad_result); + ck_assert_int_eq(res, 3); + + bn_copy(&result.s, &bad_result.s); + bn_copy(&curve->order, &bad_result.r); + bn_addi(&bad_result.r, 1); + // r == curve->order + 1 + res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message, + strlen(test_case.message), &bad_result); + ck_assert_int_eq(res, 4); + + bn_copy(&result.r, &bad_result.r); + bn_copy(&curve->order, &bad_result.s); + bn_addi(&bad_result.s, 1); + // s == curve->order + 1 + res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message, + strlen(test_case.message), &bad_result); + ck_assert_int_eq(res, 5); + + bn_copy(&result.r, &bad_result.r); + bn_copy(&result.s, &bad_result.s); + // change message + test_case.message = "12"; + res = schnorr_verify(curve, pub_key, (const uint8_t *)test_case.message, + strlen(test_case.message), &bad_result); + ck_assert_int_eq(res, 10); +} +END_TEST + static int my_strncasecmp(const char *s1, const char *s2, size_t n) { size_t i = 0; while (i < n) { @@ -8624,6 +8814,11 @@ Suite *test_suite(void) { tcase_add_test(tc, test_compress_coords); suite_add_tcase(s, tc); + tc = tcase_create("schnorr"); + tcase_add_test(tc, test_schnorr_sign_verify); + tcase_add_test(tc, test_schnorr_fail_verify); + suite_add_tcase(s, tc); + #if USE_CARDANO tc = tcase_create("bip32-cardano");