diff --git a/crypto/Makefile b/crypto/Makefile index d6bf4f1344..b0573776b9 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -42,7 +42,9 @@ ZKP_CFLAGS = \ -DUSE_FIELD_10X26 \ -DUSE_SCALAR_8X32 \ -DECMULT_GEN_PREC_BITS=4 \ - -DECMULT_WINDOW_SIZE=8 + -DECMULT_WINDOW_SIZE=8 \ + -DENABLE_MODULE_GENERATOR \ + -DENABLE_MODULE_RECOVERY ZKP_PATH = ../vendor/secp256k1-zkp CFLAGS += -DSECP256K1_CONTEXT_SIZE=73952 @@ -94,6 +96,7 @@ SRCS += rfc6979.c SRCS += slip39.c SRCS += schnorr.c SRCS += zkp_context.c +SRCS += zkp_ecdsa.c OBJS = $(SRCS:.c=.o) OBJS += secp256k1-zkp.o diff --git a/crypto/zkp_ecdsa.c b/crypto/zkp_ecdsa.c new file mode 100644 index 0000000000..b126c5957e --- /dev/null +++ b/crypto/zkp_ecdsa.c @@ -0,0 +1,313 @@ +/** + * Copyright (c) SatoshiLabs + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included + * in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES + * OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, + * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR + * OTHER DEALINGS IN THE SOFTWARE. + */ + +#include +#include +#include + +#include "memzero.h" +#include "secp256k1.h" +#include "zkp_context.h" + +#include "vendor/secp256k1-zkp/include/secp256k1.h" +#include "vendor/secp256k1-zkp/include/secp256k1_extrakeys.h" +#include "vendor/secp256k1-zkp/include/secp256k1_preallocated.h" +#include "vendor/secp256k1-zkp/include/secp256k1_recovery.h" + +#include "zkp_ecdsa.h" + +static bool is_zero_digest(const uint8_t *digest) { + const uint8_t zeroes[32] = {0}; + return memcmp(digest, zeroes, 32) == 0; +} + +// ECDSA compressed public key derivation +// curve has to be &secp256k1 +// private_key_bytes has 32 bytes +// public_key_bytes has 33 bytes +void zkp_ecdsa_get_public_key33(const ecdsa_curve *curve, + const uint8_t *private_key_bytes, + uint8_t *public_key_bytes) { + assert(curve == &secp256k1); + int result = 0; + + secp256k1_pubkey public_key = {0}; + + if (result == 0) { + secp256k1_context *context_writable = zkp_context_acquire_writable(); + secp256k1_context_writable_randomize(context_writable); + if (secp256k1_ec_pubkey_create(context_writable, &public_key, + private_key_bytes) != 1) { + result = 1; + } + zkp_context_release_writable(); + } + + if (result == 0) { + size_t written = 33; + const secp256k1_context *context_read_only = zkp_context_get_read_only(); + int returned = secp256k1_ec_pubkey_serialize( + context_read_only, public_key_bytes, &written, &public_key, + SECP256K1_EC_COMPRESSED); + + if (returned != 1 || written != 33) { + result = 1; + } + } + + memzero(&public_key, sizeof(public_key)); + assert(result == 0); +} + +// ECDSA uncompressed public key derivation +// curve has to be &secp256k1 +// private_key_bytes has 32 bytes +// public_key_bytes has 65 bytes +void zkp_ecdsa_get_public_key65(const ecdsa_curve *curve, + const uint8_t *private_key_bytes, + uint8_t *public_key_bytes) { + assert(curve == &secp256k1); + int result = 0; + + secp256k1_pubkey public_key = {0}; + + if (result == 0) { + secp256k1_context *context_writable = zkp_context_acquire_writable(); + secp256k1_context_writable_randomize(context_writable); + if (secp256k1_ec_pubkey_create(context_writable, &public_key, + private_key_bytes) != 1) { + result = 1; + } + zkp_context_release_writable(); + } + + if (result == 0) { + size_t written = 65; + const secp256k1_context *context_read_only = zkp_context_get_read_only(); + int returned = secp256k1_ec_pubkey_serialize( + context_read_only, public_key_bytes, &written, &public_key, + SECP256K1_EC_UNCOMPRESSED); + + if (returned != 1 || written != 65) { + result = 1; + } + } + + memzero(&public_key, sizeof(public_key)); + assert(result == 0); +} + +// ECDSA signing +// curve has to be &secp256k1 +// private_key_bytes has 32 bytes +// digest has 32 bytes +// signature_bytes has 64 bytes +// pby is one byte +// is_canonical has to be NULL +// returns 0 on success +int zkp_ecdsa_sign_digest( + const ecdsa_curve *curve, const uint8_t *private_key_bytes, + const uint8_t *digest, uint8_t *signature_bytes, uint8_t *pby, + int (*is_canonical)(uint8_t by, uint8_t signature_bytes[64])) { + assert(curve == &secp256k1); + assert(is_canonical == NULL); + int result = 0; + + if (result == 0) { + if (is_zero_digest(digest)) { + // The probability of the digest being all-zero by chance is + // infinitesimal, so this is most likely an indication of a bug. + // Furthermore, the signature has no value, because in this case it can be + // easily forged for any public key, see zkp_ecdsa_verify_digest(). + result = 1; + } + } + + secp256k1_ecdsa_recoverable_signature recoverable_signature = {0}; + + if (result == 0) { + secp256k1_context *ctx_writable = zkp_context_acquire_writable(); + secp256k1_context_writable_randomize(ctx_writable); + if (secp256k1_ecdsa_sign_recoverable(ctx_writable, &recoverable_signature, + digest, private_key_bytes, NULL, + NULL) != 1) { + result = 1; + } + zkp_context_release_writable(); + } + + if (result == 0) { + int recid = 0; + const secp256k1_context *context_read_only = zkp_context_get_read_only(); + if (secp256k1_ecdsa_recoverable_signature_serialize_compact( + context_read_only, signature_bytes, &recid, + &recoverable_signature) != 1) { + result = 1; + } + if (pby != NULL) { + *pby = (uint8_t)recid; + } + } + + memzero(&recoverable_signature, sizeof(recoverable_signature)); + + return result; +} + +// ECDSA public key recovery +// public_key_bytes has 65 bytes +// signature_bytes has 64 bytes +// digest has 32 bytes +// recid is 0, 1, 2 or 3 +// returns 0 on success +int zkp_ecdsa_recover_pub_from_sig(const ecdsa_curve *curve, + uint8_t *public_key_bytes, + const uint8_t *signature_bytes, + const uint8_t *digest, int recid) { + assert(curve == &secp256k1); + int result = 0; + + const secp256k1_context *context_read_only = zkp_context_get_read_only(); + secp256k1_ecdsa_recoverable_signature recoverable_signature = {0}; + + if (result == 0) { + if (secp256k1_ecdsa_recoverable_signature_parse_compact( + context_read_only, &recoverable_signature, signature_bytes, + recid) != 1) { + result = 1; + } + } + + secp256k1_pubkey public_key = {0}; + + if (result == 0) { + if (secp256k1_ecdsa_recover(context_read_only, &public_key, + &recoverable_signature, digest) != 1) { + result = 1; + } + } + + memzero(&recoverable_signature, sizeof(recoverable_signature)); + + if (result == 0) { + size_t written = 65; + int returned = secp256k1_ec_pubkey_serialize( + context_read_only, public_key_bytes, &written, &public_key, + SECP256K1_EC_UNCOMPRESSED); + if (returned != 1 || written != 65) { + result = 1; + } + } + + memzero(&public_key, sizeof(public_key)); + + return result; +} + +// ECDSA verification +// curve has to be &secp256k1 +// public_key_bytes has 33 or 65 bytes +// signature_bytes has 64 bytes +// digest has 32 bytes +// returns 0 if verification succeeded +int zkp_ecdsa_verify_digest(const ecdsa_curve *curve, + const uint8_t *public_key_bytes, + const uint8_t *signature_bytes, + const uint8_t *digest) { + assert(curve == &secp256k1); + int result = 0; + + int public_key_length = 0; + + if (result == 0) { + if (public_key_bytes[0] == 0x04) { + public_key_length = 65; + } else if (public_key_bytes[0] == 0x02 || public_key_bytes[0] == 0x03) { + public_key_length = 33; + } else { + result = 1; + } + } + + if (result == 0) { + if (is_zero_digest(digest)) { + // The digest was all-zero. The probability of this happening by chance is + // infinitesimal, but it could be induced by a fault injection. In this + // case the signature (r,s) can be forged by taking r := (t * Q).x mod n + // and s := r * t^-1 mod n for any t in [1, n-1]. We fail verification, + // because there is no guarantee that the signature was created by the + // owner of the private key. + result = 3; + } + } + + const secp256k1_context *context_read_only = zkp_context_get_read_only(); + secp256k1_pubkey public_key = {0}; + + if (result == 0) { + if (secp256k1_ec_pubkey_parse(context_read_only, &public_key, + public_key_bytes, public_key_length) != 1) { + result = 1; + } + } + + secp256k1_ecdsa_signature signature = {0}; + + if (result == 0) { + if (secp256k1_ecdsa_signature_parse_compact(context_read_only, &signature, + signature_bytes) != 1) { + result = 2; + } + } + + if (result == 0) { + secp256k1_ecdsa_signature_normalize(context_read_only, &signature, + &signature); + + if (secp256k1_ecdsa_verify(context_read_only, &signature, digest, + &public_key) != 1) { + result = 5; + } + } + + memzero(&public_key, sizeof(public_key)); + memzero(&signature, sizeof(signature)); + + return result; +} + +// ECDSA verification +// curve has to be &secp256k1 +// public_key_bytes has 33 or 65 bytes +// signature_bytes has 64 bytes +// returns 0 if verification succeeded +int zkp_ecdsa_verify(const ecdsa_curve *curve, HasherType hasher_type, + const uint8_t *public_key_bytes, + const uint8_t *signature_bytes, const uint8_t *message, + uint32_t message_length) { + uint8_t hash[32] = {0}; + hasher_Raw(hasher_type, message, message_length, hash); + int result = + zkp_ecdsa_verify_digest(curve, public_key_bytes, signature_bytes, hash); + memzero(hash, sizeof(hash)); + return result; +} diff --git a/crypto/zkp_ecdsa.h b/crypto/zkp_ecdsa.h new file mode 100644 index 0000000000..e9f50cf908 --- /dev/null +++ b/crypto/zkp_ecdsa.h @@ -0,0 +1,30 @@ +#ifndef __ZKP_ECDSA_H__ +#define __ZKP_ECDSA_H__ + +#include + +#include "hasher.h" + +void zkp_ecdsa_get_public_key33(const ecdsa_curve *curve, + const uint8_t *private_key_bytes, + uint8_t *public_key_bytes); +void zkp_ecdsa_get_public_key65(const ecdsa_curve *curve, + const uint8_t *private_key_bytes, + uint8_t *public_key_bytes); +int zkp_ecdsa_sign_digest(const ecdsa_curve *curve, + const uint8_t *private_key_bytes, + const uint8_t *digest, uint8_t *signature_bytes, + uint8_t *pby, + int (*is_canonical)(uint8_t by, uint8_t sig[64])); +int zkp_ecdsa_recover_pub_from_sig(const ecdsa_curve *curve, + uint8_t *public_key_bytes, + const uint8_t *signature_bytes, + const uint8_t *digest, int recid); +int zkp_ecdsa_verify_digest(const ecdsa_curve *curve, + const uint8_t *public_key_bytes, + const uint8_t *signature_bytes, + const uint8_t *digest); +int zkp_ecdsa_verify(const ecdsa_curve *curve, HasherType hasher_sign, + const uint8_t *pub_key, const uint8_t *sig, + const uint8_t *msg, uint32_t msg_len); +#endif