Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
oid
/
obfs4
zrkadlo https://git.torproject.org/pluggable-transports/obfs4.git/
Pridať medzi pozorované 1
Hviezda 0
Fork 0
Súbory Issues 0 Wiki
Branch: main
Branche Tagy
obfs4
/
internal
/
x25519ell2
/
x25519ell2.go

x25519ell2.go 6.1 KB
Permanentný odkaz História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182 
  1. // Copyright (c) 2021 Yawning Angel <yawning at schwanenlied dot me>
    2. 

  2. //
    3. 

  3. // This program is free software: you can redistribute it and/or modify
    4. 

  4. // it under the terms of the GNU General Public License as published by
    5. 

  5. // the Free Software Foundation, either version 3 of the License, or
    6. 

  6. // (at your option) any later version.
    7. 

  7. //
    8. 

  8. // This program is distributed in the hope that it will be useful,
    9. 

  9. // but WITHOUT ANY WARRANTY; without even the implied warranty of
    10. 

  10. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    11. 

  11. // GNU General Public License for more details.
    12. 

  12. //
    13. 

  13. // You should have received a copy of the GNU General Public License
    14. 

  14. // along with this program.  If not, see <https://www.gnu.org/licenses/>.
    15. 

  15. 

  16. // Package x25519ell2 implements obfuscated X25519 ECDH, via the Elligator2
    17. 

  17. // mapping.
    18. 

  18. package x25519ell2 // import "gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/internal/x25519ell2"
    19. 

  19. 

  20. import (
    21. 

  21. 	"encoding/binary"
    22. 

  22. 

  23. 	"filippo.io/edwards25519"
    24. 

  24. 	"filippo.io/edwards25519/field"
    25. 

  25. 

  26. 	"gitlab.com/yawning/edwards25519-extra/elligator2"
    27. 

  27. )
    28. 

  28. 

  29. // The corrected version of this that solves the implementation errors
    30. 

  30. // present in the historical implementation by agl is derived from
    31. 

  31. // Monocypher (CC-0 or BSD-2) by Loup Vaillant.  Without their efforts
    32. 

  32. // and prodding, this would likely have stayed broken forever.
    33. 

  33. 

  34. var (
    35. 

  35. 	feOne = new(field.Element).One()
    36. 

  36. 

  37. 	feNegTwo = mustFeFromBytes([]byte{
    38. 

  38. 		0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    39. 

  39. 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f,
    40. 

  40. 	})
    41. 

  41. 

  42. 	feA = mustFeFromUint64(486662)
    43. 

  43. 

  44. 	feSqrtM1 = mustFeFromBytes([]byte{
    45. 

  45. 		0xb0, 0xa0, 0x0e, 0x4a, 0x27, 0x1b, 0xee, 0xc4, 0x78, 0xe4, 0x2f, 0xad, 0x06, 0x18, 0x43, 0x2f,
    46. 

  46. 		0xa7, 0xd7, 0xfb, 0x3d, 0x99, 0x00, 0x4d, 0x2b, 0x0b, 0xdf, 0xc1, 0x4f, 0x80, 0x24, 0x83, 0x2b,
    47. 

  47. 	})
    48. 

  48. 

  49. 	// Low order point Edwards x-coordinate `sqrt((sqrt(d + 1) + 1) / d)`.
    50. 

  50. 	feLopX = mustFeFromBytes([]byte{
    51. 

  51. 		0x4a, 0xd1, 0x45, 0xc5, 0x46, 0x46, 0xa1, 0xde, 0x38, 0xe2, 0xe5, 0x13, 0x70, 0x3c, 0x19, 0x5c,
    52. 

  52. 		0xbb, 0x4a, 0xde, 0x38, 0x32, 0x99, 0x33, 0xe9, 0x28, 0x4a, 0x39, 0x06, 0xa0, 0xb9, 0xd5, 0x1f,
    53. 

  53. 	})
    54. 

  54. 

  55. 	// Low order point Edwards y-coordinate `-lop_x * sqrtm1`
    56. 

  56. 	feLopY = mustFeFromBytes([]byte{
    57. 

  57. 		0x26, 0xe8, 0x95, 0x8f, 0xc2, 0xb2, 0x27, 0xb0, 0x45, 0xc3, 0xf4, 0x89, 0xf2, 0xef, 0x98, 0xf0,
    58. 

  58. 		0xd5, 0xdf, 0xac, 0x05, 0xd3, 0xc6, 0x33, 0x39, 0xb1, 0x38, 0x02, 0x88, 0x6d, 0x53, 0xfc, 0x05,
    59. 

  59. 	})
    60. 

  60. )
    61. 

  61. 

  62. func mustFeFromBytes(b []byte) *field.Element {
    63. 

  63. 	fe, err := new(field.Element).SetBytes(b)
    64. 

  64. 	if err != nil {
    65. 

  65. 		panic("internal/x25519ell2: failed to deserialize constant: " + err.Error())
    66. 

  66. 	}
    67. 

  67. 	return fe
    68. 

  68. }
    69. 

  69. 

  70. func mustFeFromUint64(x uint64) *field.Element {
    71. 

  71. 	var b [32]byte
    72. 

  72. 	binary.LittleEndian.PutUint64(b[:], x)
    73. 

  73. 	return mustFeFromBytes(b[:])
    74. 

  74. }
    75. 

  75. 

  76. func selectLowOrderPoint(out, x, k *field.Element, cofactor uint8) {
    77. 

  77. 	out.Zero()
    78. 

  78. 	out.Select(k, out, int((cofactor>>1)&1)) // bit 1
    79. 

  79. 	out.Select(x, out, int((cofactor>>0)&1)) // bit 0
    80. 

  80. 	var tmp field.Element
    81. 

  81. 	tmp.Negate(out)
    82. 

  82. 	out.Select(&tmp, out, int((cofactor>>2)&1)) // bit 2
    83. 

  83. }
    84. 

  84. 

  85. func scalarBaseMultDirty(privateKey *[32]byte) *field.Element {
    86. 

  86. 	// Compute clean scalar multiplication
    87. 

  87. 	scalar, err := new(edwards25519.Scalar).SetBytesWithClamping(privateKey[:])
    88. 

  88. 	if err != nil {
    89. 

  89. 		panic("internal/x25519ell2: failed to deserialize scalar: " + err.Error())
    90. 

  90. 	}
    91. 

  91. 	pk := new(edwards25519.Point).ScalarBaseMult(scalar)
    92. 

  92. 

  93. 	// Compute low order point
    94. 

  94. 	var lopX, lopY, lopT field.Element
    95. 

  95. 	selectLowOrderPoint(&lopX, feLopX, feSqrtM1, privateKey[0])
    96. 

  96. 	selectLowOrderPoint(&lopY, feLopY, feOne, privateKey[0]+2)
    97. 

  97. 	// Z = one
    98. 

  98. 	lopT.Multiply(&lopX, &lopY)
    99. 

  99. 	lop, err := new(edwards25519.Point).SetExtendedCoordinates(&lopX, &lopY, feOne, &lopT)
    100. 

  100. 	if err != nil {
    101. 

  101. 		panic("interal/x25519ell2: failed to create edwards point from x, y: " + err.Error())
    102. 

  102. 	}
    103. 

  103. 

  104. 	// Add low order point to the public key
    105. 

  105. 	pk.Add(pk, lop)
    106. 

  106. 

  107. 	// Convert to Montgomery u coordinate (we ignore the sign)
    108. 

  108. 	_, yExt, zExt, _ := pk.ExtendedCoordinates()
    109. 

  109. 	var t1, t2 field.Element
    110. 

  110. 	t1.Add(zExt, yExt)
    111. 

  111. 	t2.Subtract(zExt, yExt)
    112. 

  112. 	t2.Invert(&t2)
    113. 

  113. 	t1.Multiply(&t1, &t2)
    114. 

  114. 

  115. 	return &t1
    116. 

  116. }
    117. 

  117. 

  118. func uToRepresentative(representative *[32]byte, u *field.Element, tweak byte) bool {
    119. 

  119. 	t1 := new(field.Element).Set(u)
    120. 

  120. 

  121. 	t2 := new(field.Element).Add(t1, feA)
    122. 

  122. 	t3 := new(field.Element).Multiply(t1, t2)
    123. 

  123. 	t3.Multiply(t3, feNegTwo)
    124. 

  124. 	if _, isSquare := t3.SqrtRatio(feOne, t3); isSquare == 1 {
    125. 

  125. 		t1.Select(t2, t1, int(tweak&1))
    126. 

  126. 		t3.Multiply(t1, t3)
    127. 

  127. 		t1.Mult32(t3, 2)
    128. 

  128. 		t2.Negate(t3)
    129. 

  129. 		tmp := t1.Bytes()
    130. 

  130. 		t3.Select(t2, t3, int(tmp[0]&1))
    131. 

  131. 		copy(representative[:], t3.Bytes())
    132. 

  132. 

  133. 		// Pad with two random bits
    134. 

  134. 		representative[31] |= tweak & 0xc0
    135. 

  135. 

  136. 		return true
    137. 

  137. 	}
    138. 

  138. 

  139. 	return false
    140. 

  140. }
    141. 

  141. 

  142. // ScalarBaseMult computes a curve25519 public key from a private
    143. 

  143. // key and also a uniform representative for that public key.
    144. 

  144. // Note that this function will fail and return false for about
    145. 

  145. // half of private keys.
    146. 

  146. //
    147. 

  147. // The `privateKey` input MUST be the full 32-bytes of entropy
    148. 

  148. // (X25519-style "clamping" will result in non-uniformly distributed
    149. 

  149. // representatives).
    150. 

  150. //
    151. 

  151. // WARNING: The underlying scalar multiply explicitly does not clear
    152. 

  152. // the cofactor, and thus the public keys will be different from
    153. 

  153. // those produced by normal implementations.
    154. 

  154. func ScalarBaseMult(publicKey, representative, privateKey *[32]byte, tweak byte) bool {
    155. 

  155. 	u := scalarBaseMultDirty(privateKey)
    156. 

  156. 	if !uToRepresentative(representative, u, tweak) {
    157. 

  157. 		// No representative.
    158. 

  158. 		return false
    159. 

  159. 	}
    160. 

  160. 	copy(publicKey[:], u.Bytes())
    161. 

  161. 	return true
    162. 

  162. }
    163. 

  163. 

  164. // RepresentativeToPublicKey converts a uniform representative value for
    165. 

  165. // a curve25519 public key, as produced by ScalarBaseMult, to a curve25519
    166. 

  166. // public key.
    167. 

  167. func RepresentativeToPublicKey(publicKey, representative *[32]byte) {
    168. 

  168. 	// Representatives are encoded in 254 bits.
    169. 

  169. 	var clamped [32]byte
    170. 

  170. 	copy(clamped[:], representative[:])
    171. 

  171. 	clamped[31] &= 63
    172. 

  172. 

  173. 	var fe field.Element
    174. 

  174. 	if _, err := fe.SetBytes(clamped[:]); err != nil {
    175. 

  175. 		// Panic is fine, the only way this fails is if the representative
    176. 

  176. 		// is not 32-bytes.
    177. 

  177. 		panic("internal/x25519ell2: failed to deserialize representative: " + err.Error())
    178. 

  178. 	}
    179. 

  179. 	u, _ := elligator2.MontgomeryFlavor(&fe)
    180. 

  180. 	copy(publicKey[:], u.Bytes())
    181. 

  181. }
    182. 

  182.