fixed

Author: deatil

elliptic/ed521/params.go

@@ -5,6 +5,8 @@ import (
     "crypto/elliptic"
 )
 
+var one = big.NewInt(1)
+
 // Ed521 curve
 type Ed521Curve struct {
     Name    string
@@ -280,7 +282,12 @@ func (curve *Ed521Curve) UnmarshalPoint(data []byte) (x, y *big.Int) {
         return
     }
 
-    if byte(sign) != data[0]&1 {
+    if sign > 0 {
+        sign = 1
+    }
+
+    xx := new(big.Int).Set(x)
+    if xx.And(xx, one).Cmp(big.NewInt(int64(sign))) != 0 {
         x.Sub(p, x)
         x.Mod(x, p)
     }
@@ -341,11 +348,9 @@ func MarshalPoint(curve elliptic.Curve, x, y *big.Int) []byte {
 
     compressed = Reverse(compressed)
 
-    one := big.NewInt(1)
-
     xx := new(big.Int).Set(x)
     if xx.And(xx, one).Cmp(one) == 0 {
-        compressed[byteLen-1] |= 0x80
+        compressed[len(compressed)-1] |= 0x80
     }
 
     return compressed
@@ -371,6 +376,24 @@ func panicIfNotOnCurve(curve elliptic.Curve, x, y *big.Int) {
     }
 }
 
+func GetPrivateScalar(buffer []byte) []byte {
+    a := pruningBuffer(buffer)
+    s := Reverse(a)
+
+    return s
+}
+
+func pruningBuffer(b []byte) []byte {
+    buffer := make([]byte, len(b))
+    copy(buffer, b)
+
+    buffer[0] &= 0xFC
+    buffer[len(buffer) - 1] = 0
+    buffer[len(buffer) - 2] |= 0x80
+
+    return buffer
+}
+
 // Reverse bytes
 func Reverse(b []byte) []byte {
     d := make([]byte, len(b))

pubkey/ed448/ed448_test.go

@@ -2,10 +2,12 @@ package ed448
 
 import (
     "bytes"
+    "testing"
     "crypto"
     "crypto/rand"
     "encoding/hex"
-    "testing"
+
+    cryptobin_test "github.com/deatil/go-cryptobin/tool/test"
 )
 
 type zeroReader struct{}
@@ -17,6 +19,11 @@ func (zeroReader) Read(buf []byte) (int, error) {
     return len(buf), nil
 }
 
+func fromHex(s string) []byte {
+    h, _ := hex.DecodeString(s)
+    return h
+}
+
 func decodeHex(t testing.TB, s string) []byte {
     t.Helper()
     data, err := hex.DecodeString(s)
@@ -326,6 +333,21 @@ func TestEqual(t *testing.T) {
     }
 }
 
+var privBytes = "c4eab05d357007c632f3dbb48489924d552b08fe0c353a0d4a1f00acda2c463afbea67c5e8d2877c5e3bc397a659949ef8021e954e0a12274e"
+var pubBytes = "43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480"
+
+func Test_Key(t *testing.T) {
+    privPlain := fromHex(privBytes)
+    pubPlain := fromHex(pubBytes)
+
+    priv := NewKeyFromSeed(privPlain)
+    pub0 := priv.Public()
+
+    pub1 := PublicKey(pubPlain)
+
+    cryptobin_test.Equal(t, pub0, pub1)
+}
+
 func TestVerify(t *testing.T) {
     public, private, _ := GenerateKey(rand.Reader)
 

pubkey/ed521/ed521.go

@@ -26,7 +26,7 @@ const (
     // ContextMaxSize is the maximum length (in bytes) allowed for context.
     ContextMaxSize = 255
     // PublicKeySize is the size, in bytes, of public keys as used in this package.
-    PublicKeySize = 133
+    PublicKeySize = 66
     // PrivateKeySize is the size, in bytes, of private keys as used in this package.
     PrivateKeySize = 66
     // SignatureSize is the size, in bytes, of signatures generated and verified by this package.
@@ -107,6 +107,11 @@ func (priv *PrivateKey) Equal(x crypto.PrivateKey) bool {
         bigIntEqual(priv.D, xx.D)
 }
 
+func (priv *PrivateKey) Seed() []byte {
+    seed := make([]byte, SeedSize)
+    return priv.D.FillBytes(seed)
+}
+
 // Sign creates a signature for message
 func (priv *PrivateKey) Sign(rand io.Reader, message []byte, opts crypto.SignerOpts) ([]byte, error) {
     var context string
@@ -149,34 +154,37 @@ func GenerateKey(rand io.Reader) (*PrivateKey, error) {
         return nil, err
     }
 
-    return newKeyFromSeed(k.Bytes())
+    bytes := make([]byte, SeedSize)
+    return newKeyFromSeed(k.FillBytes(bytes))
 }
 
 func newKeyFromSeed(seed []byte) (*PrivateKey, error) {
-    if l := len(seed); l > SeedSize {
+    if l := len(seed); l != SeedSize {
         panic("go-cryptobin/ed521: bad seed length: " + strconv.Itoa(l))
     }
 
     curve := ed521.ED521()
 
-    k := new(big.Int).SetBytes(seed)
+    h := make([]byte, 132)
+    sha3.ShakeSum256(h, seed)
 
-    n := new(big.Int).Sub(curve.Params().N, one)
-    if k.Cmp(n) >= 0 {
-        return nil, errors.New("go-cryptobin/ed521: privateKey's seed is overflow")
-    }
+    k := new(big.Int).SetBytes(seed)
 
-    h := make([]byte, 132)
-    sha3.ShakeSum256(h, k.Bytes())
+    scalar := ed521.GetPrivateScalar(h[:66])
 
     priv := new(PrivateKey)
     priv.PublicKey.Curve = curve
     priv.D = k
-    priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(h[:66])
+    priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(scalar)
 
     return priv, nil
 }
 
+// New a private key from seed bytes
+func NewKeyFromSeed(seed []byte) (*PrivateKey, error) {
+    return newKeyFromSeed(seed)
+}
+
 // New a private key from key data bytes
 func NewPrivateKey(d []byte) (*PrivateKey, error) {
     return newKeyFromSeed(d)
@@ -192,7 +200,7 @@ func PrivateKeyTo(key *PrivateKey) []byte {
 func NewPublicKey(data []byte) (*PublicKey, error) {
     curve := ed521.ED521()
 
-    x, y := elliptic.Unmarshal(curve, data)
+    x, y := ed521.UnmarshalPoint(curve, data)
     if x == nil || y == nil {
         return nil, errors.New("go-cryptobin/ed521: incorrect public key")
     }
@@ -208,7 +216,7 @@ func NewPublicKey(data []byte) (*PublicKey, error) {
 
 // return PublicKey data
 func PublicKeyTo(key *PublicKey) []byte {
-    return ed521.Marshal(key.Curve, key.X, key.Y)
+    return ed521.MarshalPoint(key.Curve, key.X, key.Y)
 }
 
 // sign data and return marshal plain data
@@ -253,15 +261,14 @@ func sign(privateKey *PrivateKey, message []byte, domPre, context string) ([]byt
     n := params.N
     byteLen := (params.BitSize + 7) / 8
 
-    var tmpBuf []byte
-
-    seed := privateKey.D.Bytes()
+    seed := privateKey.Seed()
     publicKeyBytes := ed521.MarshalPoint(privateKey.Curve, privateKey.X, privateKey.Y)
 
     h := make([]byte, 132)
     sha3.ShakeSum256(h, seed)
 
-    s := new(big.Int).SetBytes(h[:66])
+    scalar := ed521.GetPrivateScalar(h[:66])
+    s := new(big.Int).SetBytes(scalar)
     s.Mod(s, n)
 
     prefix := h[66:]
@@ -280,19 +287,14 @@ func sign(privateKey *PrivateKey, message []byte, domPre, context string) ([]byt
     r := new(big.Int).SetBytes(messageDigest)
     r.Mod(r, n)
 
-    _, R := privateKey.Curve.ScalarBaseMult(r.Bytes())
-
-    buf := make([]byte, 2*byteLen)
-    R.FillBytes(buf[:byteLen])
-
-    tmpBuf = ed521.Reverse(buf[:byteLen])
-    copy(buf[:byteLen], tmpBuf)
+    Rx, Ry := privateKey.Curve.ScalarBaseMult(r.Bytes())
+    R := ed521.MarshalPoint(privateKey.Curve, Rx, Ry)
 
     kh := sha3.NewShake256()
     kh.Write([]byte(domPre))
     kh.Write([]byte{byte(len(context))})
     kh.Write([]byte(context))
-    kh.Write(buf[:byteLen])
+    kh.Write(R)
     kh.Write(publicKeyBytes)
     kh.Write(PHM)
     hramDigest := make([]byte, 132)
@@ -308,11 +310,13 @@ func sign(privateKey *PrivateKey, message []byte, domPre, context string) ([]byt
     S.Add(S, r)
     S.Mod(S, n)
 
-    S.FillBytes(buf[byteLen:])
-    tmpBuf = ed521.Reverse(buf[byteLen:])
-    copy(buf[byteLen:], tmpBuf)
+    SBytes := ed521.Reverse(S.FillBytes(make([]byte, byteLen)))
 
-    return buf, nil
+    sig := make([]byte, 2*byteLen)
+    copy(sig[:byteLen], R)
+    copy(sig[byteLen:], SBytes)
+
+    return sig, nil
 }
 
 // VerifyWithOptions reports whether sig is a valid signature of message by
@@ -374,10 +378,14 @@ func verify(publicKey *PublicKey, message, sig []byte, domPre, context string) b
         return false
     }
 
-    RBytes := ed521.Reverse(sig[:byteLen])
-    SBytes := ed521.Reverse(sig[byteLen:])
+    R := sig[:byteLen]
 
-    R := new(big.Int).SetBytes(RBytes)
+    Rx, Ry := ed521.UnmarshalPoint(curve, R)
+    if Rx == nil && Ry == nil {
+        return false
+    }
+
+    SBytes := ed521.Reverse(sig[byteLen:])
     S := new(big.Int).SetBytes(SBytes)
 
     publicKeyBytes := ed521.MarshalPoint(publicKey.Curve, publicKey.X, publicKey.Y)
@@ -386,7 +394,7 @@ func verify(publicKey *PublicKey, message, sig []byte, domPre, context string) b
     kh.Write([]byte(domPre))
     kh.Write([]byte{byte(len(context))})
     kh.Write([]byte(context))
-    kh.Write(sig[:byteLen])
+    kh.Write(R)
     kh.Write(publicKeyBytes)
     kh.Write(PHM)
     hramDigest := make([]byte, 132)
@@ -401,26 +409,26 @@ func verify(publicKey *PublicKey, message, sig []byte, domPre, context string) b
     // r = S - k * pub
     x21, y21 := curve.ScalarMult(publicKey.X, publicKey.Y, k.Bytes())
     x22, y22 := curve.ScalarBaseMult(S.Bytes())
-    _, y2 := curve.Add(x21, y21, x22, y22)
+    y1, y2 := curve.Add(x21, y21, x22, y22)
 
-    return bigIntEqual(R, y2)
+    return bigIntEqual(Rx, y1) &&
+        bigIntEqual(Ry, y2)
 }
 
 func randFieldElement(rand io.Reader, curve elliptic.Curve) (*big.Int, error) {
     N := curve.Params().N
 
-    byteLen := (N.BitLen() + 7) / 8
-    bytes := make([]byte, byteLen)
+    bytes := make([]byte, SeedSize)
 
     for {
         _, err := io.ReadFull(rand, bytes)
         if err != nil {
             return nil, err
         }
 
-        num := new(big.Int).SetBytes(bytes)
-        if num.Cmp(N) < 0 {
-            return num, nil
+        k := new(big.Int).SetBytes(bytes)
+        if k.Cmp(N) < 0 {
+            return k, nil
         }
     }
 }

pubkey/ed521/ed521_test.go

@@ -84,7 +84,7 @@ func Test_NewPrivateKey(t *testing.T) {
     }
 }
 
-func aTest_Public(t *testing.T) {
+func Test_Public(t *testing.T) {
     priv, err := GenerateKey(rand.Reader)
     if err != nil {
         t.Fatal(err)
@@ -271,6 +271,28 @@ func Test_Marshal(t *testing.T) {
     cryptobin_test.Equal(t, pub, pub3)
 }
 
+var privBytes = "2367b29bceaca04d6fe50d959dee3d706f3a5f605ce5aac0205c54cdda59145c573b932814c7405770cd46171a0eb44c911f8e851adeefcc77e5841bf86e0b6486dd"
+var pubBytes = "72c86f2d561e5d3db6e350a92b0287a2434207b3869cd013ccbf1034c82b647b7548bc927975da76e750c991a443a11d23a264888b36c73e6a48a2602f777d3ff081"
+
+func Test_Key(t *testing.T) {
+    privPlain := fromHex(privBytes)
+    pubPlain := fromHex(pubBytes)
+
+    priv, err := NewKeyFromSeed(privPlain)
+    if err != nil {
+        t.Fatal(err)
+    }
+
+    pub0 := &priv.PublicKey
+
+    pub1, err := NewPublicKey(pubPlain)
+    if err != nil {
+        t.Fatal(err)
+    }
+
+    cryptobin_test.Equal(t, pub0, pub1)
+}
+
 func Test_Vec_Check(t *testing.T) {
     for i, td := range testSigVec {
         t.Run(fmt.Sprintf("index %d", i), func(t *testing.T) {
@@ -316,7 +338,7 @@ func Test_Vec_Check(t *testing.T) {
 
             veri := pubkey.Verify(td.message, td.signature)
             if veri != td.verification {
-                t.Error("VerifyASN1 fail")
+                t.Error("Verify fail")
             }
 
         })
@@ -334,19 +356,19 @@ type testVec struct {
 
 var testSigVec = []testVec{
     {
-        secretKey: fromHex("313e78bd2f5eb3f0a9ee0120496cb3c891a3d4f79d1b8c01f81cd7d70bcadefbb941a3058dabe6b5dbe559b6f5331cc0087af6a367d47555d5cb95a8dacea4d167"),
-        publicKey: fromHex("03015c5b1c1dbdb4e81225cfd8bbfa14b01148b3d3741e9dc0d16c4d40ac8d72eb6752a9015c6aa5c87239491d1d49f292b67a78987283f430af271572e030f9d7f862"),
+        secretKey: fromHex("22713dc2f3d8a4611e9266d8a2a9e3d237505dc34c65d87d598b9a4e6c41b35e3d090458e66c8213a4af011e5614377960c99d9f84e379fdd1f1e168b163b5d93012"),
+        publicKey: fromHex("020006be6a2ea17441c94e25799154b049ebae2fedcedfb27355ab03f9eb802d239677c340392fe113ffb18138b95dc8ba3efd766401cabfc4cc30d0ccdce7b178d954"),
         message:   fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"),
-        signature: fromHex("a6659ed7213f736f46c10c983329523cf246fd0126406bd533783f80b33893b52c899c37e5f8012b378214b983fad7cde1b1d528977a4892cb8abc4872a59d18c500782fdeafb0c93ea7a4f8b16028df15ff05644ede3698ca88c1602ede83c68342aaa013cec1ea2e8d65d4bed0764f8b42e9548a2e41d49786aa0ad2ed782d6c353200"),
+        signature: fromHex("e6309d7d752de236179d694954f9345a73b1abcbe7ebde16e5e0fa1a4ed60003839a13f03fe1fccfecdac66614b8aff731e7956678be247b8f19795b20351a578301780dd7e6d41db086ef9bdc4658cbcc3d86d259b7e36ea399b075da86f2559489c64f59d196c5a439b3c5442609912dee28721d82dd08c71884b7f406961510110e00"),
         verification: true,
     },
 
     // fail
     {
-        secretKey: fromHex("22713dc2f3d8a4611e9266d8a2a9e3d237505dc34c65d87d598b9a4e6c41b35e3d090458e66c8213a4af011e5614377960c99d9f84e379fdd1f1e168b163b5d930"),
-        publicKey: fromHex("0300d4a01d6c5cd88d226e33ab966991d6939c72d7012f209a7fc7006d0b9f93df99e8ab5543cb5d27a2818f27cad1648bfecdd49e7772ded70ee7043444a518683019"),
+        secretKey: fromHex("22713dc2f3d8a4611e9266d8a2a9e3d237505dc34c65d87d598b9a4e6c41b35e3d090458e66c8213a4af011e5614377960c99d9f84e379fdd1f1e168b163b5d93012"),
+        publicKey: fromHex("020006be6a2ea17441c94e25799154b049ebae2fedcedfb27355ab03f9eb802d239677c340392fe113ffb18138b95dc8ba3efd766401cabfc4cc30d0ccdce7b178d954"),
         message:   fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"),
-        signature: fromHex("a6659ed7213f736f46c10c983329523cf246fd0126406bd533783f80b33893b52c899c37e5f8012b378214b983fad7cde1b1d528977a4892cb8abc4872a59d18c500782fdeafb0c93ea7a4f8b16028df15ff05644ede3698ca88c1602ede83c68342aaa013cec1ea2e8d65d4bed0764f8b42e9548a2e41d49786aa0ad2ed782d6c353200"),
+        signature: fromHex("3bd0454bd7a48f25fa40e0ebd76c1eb48e7fff63f606f35f9a8de9fc6d8fde0f75c10c0d97b7dc3001c5da6da681ff95d1a6ace65c19134ca727b99b1c349752ee01e8c9d1f325ab430511bcbf1e009d37418f56f132383ed55e43d97c04feff5a6f875fa64458ab73f9e4d1ad93cc978a7939a9afe532e8e6162b7bcb986f04a2282a00"),
         verification: false,
     },
 }