Add BrainpoolP256r1, 384r1 and 512r1

Needed for OpenPGP
openpgpjs · Oct 4, 2023 · 3468281 · 3468281
1 parent d345123
commit 3468281
Show file tree

Hide file tree

Showing 17 changed files with 69,985 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # noble-curves
 
-> This fork adds support for legacy browsers without BigInt (e.g. Safari 13 or less), and only includes hash algorithms needed by openpgpjs: Curve25519, Curve448, NIST curves and Secp256k1.<br>
+> This fork adds support for legacy browsers without BigInt (e.g. Safari 13 or less), and only includes hash algorithms needed by openpgpjs: Curve25519, Curve448, NIST curves and Secp256k1. It also adds some Brainpool curves.<br>
 We recommend you use the upstream repo. The rest of the README refers to the upstream library.
 
 <hr>

diff --git a/src/brainpoolP256r1.ts b/src/brainpoolP256r1.ts
@@ -0,0 +1,24 @@
+import { createCurve } from './_shortw_utils.js';
+import { sha256 } from '@openpgp/noble-hashes/sha256';
+import { Field } from './abstract/modular.js';
+import { BigInteger } from '@openpgp/noble-hashes/biginteger';
+
+// brainpoolP256r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.4
+
+const Fp = Field(BigInteger.new('0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377'));
+const CURVE_A = Fp.create(BigInteger.new('0x7d5a0975fc2c3057eef67530417affe7fb8055c126dc5c6ce94a4b44f330b5d9'));
+const CURVE_B = BigInteger.new('0x26dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b6');
+
+// prettier-ignore
+export const brainpoolP256r1 = createCurve({
+  a: CURVE_A, // Equation params: a, b
+  b: CURVE_B,
+  Fp,
+  // Curve order (q), total count of valid points in the field
+  n: BigInteger.new('0xa9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a7'),
+  // Base (generator) point (x, y)
+  Gx: BigInteger.new('0x8bd2aeb9cb7e57cb2c4b482ffc81b7afb9de27e1e3bd23c23a4453bd9ace3262'),
+  Gy: BigInteger.new('0x547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f046997'),
+  h: BigInteger.new(1),
+  lowS: false,
+} as const, sha256);
diff --git a/src/brainpoolP384r1.ts b/src/brainpoolP384r1.ts
@@ -0,0 +1,24 @@
+import { createCurve } from './_shortw_utils.js';
+import { sha384 } from '@openpgp/noble-hashes/sha512';
+import { Field } from './abstract/modular.js';
+import { BigInteger } from '@openpgp/noble-hashes/biginteger';
+
+// brainpoolP384 r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.6
+
+const Fp = Field(BigInteger.new('0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53'));
+const CURVE_A = Fp.create(BigInteger.new('0x7bc382c63d8c150c3c72080ace05afa0c2bea28e4fb22787139165efba91f90f8aa5814a503ad4eb04a8c7dd22ce2826'));
+const CURVE_B = BigInteger.new('0x04a8c7dd22ce28268b39b55416f0447c2fb77de107dcd2a62e880ea53eeb62d57cb4390295dbc9943ab78696fa504c11');
+
+// prettier-ignore
+export const brainpoolP384r1 = createCurve({
+  a: CURVE_A, // Equation params: a, b
+  b: CURVE_B,
+  Fp,
+  // Curve order (q), total count of valid points in the field
+  n: BigInteger.new('0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b31f166e6cac0425a7cf3ab6af6b7fc3103b883202e9046565'),
+  // Base (generator) point (x, y)
+  Gx: BigInteger.new('0x1d1c64f068cf45ffa2a63a81b7c13f6b8847a3e77ef14fe3db7fcafe0cbd10e8e826e03436d646aaef87b2e247d4af1e'),
+  Gy: BigInteger.new('0x8abe1d7520f9c2a45cb1eb8e95cfd55262b70b29feec5864e19c054ff99129280e4646217791811142820341263c5315'),
+  h: BigInteger.new(1),
+  lowS: false,
+} as const, sha384);
diff --git a/src/brainpoolP512r1.ts b/src/brainpoolP512r1.ts
@@ -0,0 +1,24 @@
+import { createCurve } from './_shortw_utils.js';
+import { sha512 } from '@openpgp/noble-hashes/sha512';
+import { Field } from './abstract/modular.js';
+import { BigInteger } from '@openpgp/noble-hashes/biginteger';
+
+// brainpoolP512r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.7
+
+const Fp = Field(BigInteger.new('0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3'));
+const CURVE_A = Fp.create(BigInteger.new('0x7830a3318b603b89e2327145ac234cc594cbdd8d3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94ca'));
+const CURVE_B = BigInteger.new('0x3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94cadc083e67984050b75ebae5dd2809bd638016f723');
+
+// prettier-ignore
+export const brainpoolP512r1 = createCurve({
+  a: CURVE_A, // Equation params: a, b
+  b: CURVE_B,
+  Fp,
+  // Curve order (q), total count of valid points in the field
+  n: BigInteger.new('0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90069'),
+  // Base (generator) point (x, y)
+  Gx: BigInteger.new('0x81aee4bdd82ed9645a21322e9c4c6a9385ed9f70b5d916c1b43b62eef4d0098eff3b1f78e2d0d48d50d1687b93b97d5f7c6d5047406a5e688b352209bcb9f822'),
+  Gy: BigInteger.new('0x7dde385d566332ecc0eabfa9cf7822fdf209f70024a57b1aa000c55b881f8111b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892'),
+  h: BigInteger.new(1),
+  lowS: false,
+} as const, sha512);
diff --git a/test/basic.test.js b/test/basic.test.js
@@ -13,6 +13,9 @@ import { secp521r1 } from '../esm/p521.js';
 import { secp256k1 } from '../esm/secp256k1.js';
 import { ed25519, ed25519ctx, ed25519ph, x25519 } from '../esm/ed25519.js';
 import { ed448, ed448ph } from '../esm/ed448.js';
+import { brainpoolP256r1 } from '../esm/brainpoolP256r1.js';
+import { brainpoolP384r1 } from '../esm/brainpoolP384r1.js';
+import { brainpoolP512r1 } from '../esm/brainpoolP512r1.js';
 // import { pallas, vesta } from '../esm/pasta.js';
 // import { bn254 } from '../esm/bn254.js';
 // import { jubjub } from '../esm/jubjub.js';
@@ -50,6 +53,10 @@ const FIELDS = {
   // jubjub: { Fp: [jubjub.CURVE.Fp] },
   ed25519: { Fp: [ed25519.CURVE.Fp] },
   ed448: { Fp: [ed448.CURVE.Fp] },
+  brainpoolP256r1: { Fp: [ brainpoolP256r1.CURVE.Fp ]},
+  brainpoolP384r1: { Fp: [ brainpoolP384r1.CURVE.Fp ]},
+  brainpoolP512r1: { Fp: [ brainpoolP512r1.CURVE.Fp ]}
+
   // bn254: { Fp: [bn254.CURVE.Fp] },
   // pallas: { Fp: [pallas.CURVE.Fp] },
   // vesta: { Fp: [vesta.CURVE.Fp] },
@@ -336,6 +343,7 @@ const CURVES = {
   secp256k1,
   ed25519, ed25519ctx, ed25519ph,
   ed448, ed448ph,
+  brainpoolP256r1, brainpoolP384r1, brainpoolP512r1
   // pallas, vesta,
   // bn254,
   // jubjub,

diff --git a/test/brainpool.test.js b/test/brainpool.test.js
@@ -0,0 +1,286 @@
+import { BigInteger } from '@openpgp/noble-hashes/biginteger';
+
+import { deepStrictEqual, ok } from 'assert';
+import { describe, should } from 'micro-should';
+import { brainpoolP256r1 } from '../esm/brainpoolP256r1.js';
+import { brainpoolP384r1 } from '../esm/brainpoolP384r1.js';
+import { brainpoolP512r1 } from '../esm/brainpoolP512r1.js';
+import { hexToBytes, bytesToHex } from '../esm/abstract/utils.js';
+import { default as ecdsa } from './wycheproof/ecdsa_test.json' assert { type: 'json' };
+import { default as ecdh } from './wycheproof/ecdh_test.json' assert { type: 'json' };
+import { default as rfc7027 } from './vectors/rfc7027.json' assert { type: 'json' };
+
+import { default as ecdh_brainpoolP256r1_test } from './wycheproof/ecdh_brainpoolP256r1_test.json' assert { type: 'json' };
+import { default as ecdh_brainpoolP384r1_test } from './wycheproof/ecdh_brainpoolP384r1_test.json' assert { type: 'json' };
+import { default as ecdh_brainpoolP512r1_test } from './wycheproof/ecdh_brainpoolP512r1_test.json' assert { type: 'json' };
+
+import { default as brainpoolP256r1_sha256_test } from './wycheproof/ecdsa_brainpoolP256r1_sha256_test.json' assert { type: 'json' };
+import { default as brainpoolP256r1_sha3_256_test } from './wycheproof/ecdsa_brainpoolP256r1_sha3_256_test.json' assert { type: 'json' };
+import { default as brainpoolP384r1_sha384_test } from './wycheproof/ecdsa_brainpoolP384r1_sha384_test.json' assert { type: 'json' };
+import { default as brainpoolP384r1_sha3_384_test } from './wycheproof/ecdsa_brainpoolP384r1_sha3_384_test.json' assert { type: 'json' };
+import { default as brainpoolP512r1_sha512_test } from './wycheproof/ecdsa_brainpoolP512r1_sha512_test.json' assert { type: 'json' };
+import { default as brainpoolP512r1_sha3_512_test } from './wycheproof/ecdsa_brainpoolP512r1_sha3_512_test.json' assert { type: 'json' };
+
+import { sha3_256, sha3_384, sha3_512 } from '@openpgp/noble-hashes/sha3';
+import { sha512, sha384 } from '@openpgp/noble-hashes/sha512';
+import { sha256 } from '@openpgp/noble-hashes/sha256';
+
+const hex = bytesToHex;
+const equalBigInteger = (actual, expected, msg) => ok(actual.toString() === expected.toString(), msg);
+
+// prettier-ignore
+const BRAINPOOL = {
+  brainpoolP256r1,
+  brainpoolP384r1,
+  brainpoolP512r1
+};
+
+describe('Brainpool curves', () => {});
+should('fields', () => {
+  const vectors = {
+    brainpoolP256r1: BigInteger.new('0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377'),
+    brainpoolP384r1: BigInteger.new('0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53'),
+    brainpoolP512r1: BigInteger.new('0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3')
+  };
+  for (const n in vectors) deepStrictEqual(BRAINPOOL[n].CURVE.Fp.ORDER, vectors[n]);
+});
+
+describe('wycheproof ECDH', () => {
+  for (const group of ecdh.testGroups) {
+    const CURVE = BRAINPOOL[group.curve];
+    if (!CURVE) continue;
+    should(group.curve, () => {
+      for (const test of group.tests) {
+        if (test.result === 'valid' || test.result === 'acceptable') {
+          try {
+            const pub = CURVE.ProjectivePoint.fromHex(test.public);
+          } catch (e) {
+            // Our strict validation filter doesn't let weird-length DER vectors
+            if (e.message.startsWith('Point of length')) continue;
+            throw e;
+          }
+          const shared = CURVE.getSharedSecret(test.private, test.public);
+          deepStrictEqual(shared, test.shared, 'valid');
+        } else if (test.result === 'invalid') {
+          let failed = false;
+          try {
+            CURVE.getSharedSecret(test.private, test.public);
+          } catch (error) {
+            failed = true;
+          }
+          deepStrictEqual(failed, true, 'invalid');
+        } else throw new Error('unknown test result');
+      }
+    });
+  }
+
+  // More per curve tests
+  const WYCHEPROOF_ECDH = {
+    brainpoolP256r1: {
+      curve: brainpoolP256r1,
+      tests: [ecdh_brainpoolP256r1_test],
+    },
+    brainpoolP384r1: {
+      curve: brainpoolP384r1,
+      tests: [ecdh_brainpoolP384r1_test],
+    },
+    brainpoolP512r1: {
+      curve: brainpoolP512r1,
+      tests: [ecdh_brainpoolP512r1_test],
+    },
+  };
+
+  for (const name in WYCHEPROOF_ECDH) {
+    const { curve, tests } = WYCHEPROOF_ECDH[name];
+    for (let i = 0; i < tests.length; i++) {
+      const test = tests[i];
+      for (let j = 0; j < test.testGroups.length; j++) {
+        const group = test.testGroups[j];
+        should(`additional ${name} (${i}/${j})`, () => {
+          for (const test of group.tests) {
+            if (test.result === 'valid' || test.result === 'acceptable') {
+              try {
+                const pub = curve.ProjectivePoint.fromHex(test.public);
+              } catch (e) {
+                // Our strict validation filter doesn't let weird-length DER vectors
+                if (e.message.includes('Point of length')) continue;
+                throw e;
+              }
+              const shared = curve.getSharedSecret(test.private, test.public);
+              deepStrictEqual(hex(shared), test.shared, 'valid');
+            } else if (test.result === 'invalid') {
+              let failed = false;
+              try {
+                curve.getSharedSecret(test.private, test.public);
+              } catch (error) {
+                failed = true;
+              }
+              deepStrictEqual(failed, true, 'invalid');
+            } else throw new Error('unknown test result');
+          }
+        });
+      }
+    }
+  }
+});
+
+const WYCHEPROOF_ECDSA = {
+  brainpoolP256r1: {
+    curve: brainpoolP256r1,
+    hashes: {
+      sha256: {
+        hash: sha256,
+        tests: [brainpoolP256r1_sha256_test],
+      },
+      sha3_256: {
+        hash: sha3_256,
+        tests: [brainpoolP256r1_sha3_256_test],
+      },
+    },
+  },
+  brainpoolP384r1: {
+    curve: brainpoolP384r1,
+    hashes: {
+      sha384: {
+        hash: sha384,
+        tests: [brainpoolP384r1_sha384_test],
+      },
+      sha3_384: {
+        hash: sha3_384,
+        tests: [brainpoolP384r1_sha3_384_test],
+      },
+    },
+  },
+  brainpoolP512r1: {
+    curve: brainpoolP512r1,
+    hashes: {
+      sha384: {
+        hash: sha512,
+        tests: [brainpoolP512r1_sha512_test],
+      },
+      sha3_512: {
+        hash: sha3_512,
+        tests: [brainpoolP512r1_sha3_512_test],
+      },
+    },
+  },
+};
+
+function runWycheproof(name, CURVE, group, index) {
+  const key = group.publicKey;
+  const pubKey = CURVE.ProjectivePoint.fromHex(key.uncompressed);
+  equalBigInteger(pubKey.x, BigInt(`0x${key.wx}`));
+  equalBigInteger(pubKey.y, BigInt(`0x${key.wy}`));
+  const pubR = pubKey.toRawBytes();
+  for (const test of group.tests) {
+    const m = CURVE.CURVE.hash(hexToBytes(test.msg));
+    const { sig } = test;
+    if (test.result === 'valid' || test.result === 'acceptable') {
+      try {
+        CURVE.Signature.fromDER(sig);
+      } catch (e) {
+        // Some tests has invalid signature which we don't accept
+        if (e.message.includes('Invalid signature: incorrect length')) continue;
+        throw e;
+      }
+      const verified = CURVE.verify(sig, m, pubR);
+      deepStrictEqual(verified, true, `${index}: valid`);
+    } else if (test.result === 'invalid') {
+      let failed = false;
+      try {
+        failed = !CURVE.verify(sig, m, pubR);
+      } catch (error) {
+        failed = true;
+      }
+      deepStrictEqual(failed, true, `${index}: invalid`);
+    } else throw new Error('unknown test result');
+  }
+}
+
+describe('wycheproof ECDSA', () => {
+  should('generic', () => {
+    for (const group of ecdsa.testGroups) {
+      let CURVE = BRAINPOOL[group.key.curve];
+      if (!CURVE) continue;
+      const pubKey = CURVE.ProjectivePoint.fromHex(group.key.uncompressed);
+      equalBigInteger(pubKey.x, BigInt(`0x${group.key.wx}`));
+      equalBigInteger(pubKey.y, BigInt(`0x${group.key.wy}`));
+      for (const test of group.tests) {
+        if (['Hash weaker than DL-group'].includes(test.comment)) {
+          continue;
+        }
+        // These old Wycheproof vectors which still accept missing zero, new one is not.
+        if (test.flags.includes('MissingZero') && test.result === 'acceptable')
+          test.result = 'invalid';
+        const m = CURVE.CURVE.hash(hexToBytes(test.msg));
+        if (test.result === 'valid' || test.result === 'acceptable') {
+          try {
+            CURVE.Signature.fromDER(test.sig);
+          } catch (e) {
+            // Some test has invalid signature which we don't accept
+            if (e.message.includes('Invalid signature: incorrect length')) continue;
+            throw e;
+          }
+          const verified = CURVE.verify(test.sig, m, pubKey.toHex());
+          deepStrictEqual(verified, true, `valid`);
+        } else if (test.result === 'invalid') {
+          let failed = false;
+          try {
+            failed = !CURVE.verify(test.sig, m, pubKey.toHex());
+          } catch (error) {
+            failed = true;
+          }
+          deepStrictEqual(failed, true, 'invalid');
+        } else throw new Error('unknown test result');
+      }
+    }
+  });
+  for (const name in WYCHEPROOF_ECDSA) {
+    const { curve, hashes } = WYCHEPROOF_ECDSA[name];
+    describe(name, () => {
+      for (const hName in hashes) {
+        const { hash, tests } = hashes[hName];
+        const CURVE = curve.create(hash);
+        should(`${name}/${hName}`, () => {
+          for (let i = 0; i < tests.length; i++) {
+            const groups = tests[i].testGroups;
+            for (let j = 0; j < groups.length; j++) {
+              const group = groups[j];
+              runWycheproof(name, CURVE, group, `${i}/${j}`);
+            }
+          }
+        });
+      }
+    });
+  }
+});
+
+const hexToBigint = (hex) => BigInteger.new(`0x${hex}`);
+describe('RFC7027', () => {
+  for (const v of rfc7027) {
+    should(v.curve, () => {
+      const curve = BRAINPOOL[v.curve];
+      const secKeyA = hexToBigint(v.dA);
+      const pubKeyA = curve.getPublicKey(secKeyA);
+      const pubPointA = curve.ProjectivePoint.fromHex(pubKeyA);
+      equalBigInteger(pubPointA.x, hexToBigint(v.QAx));
+      equalBigInteger(pubPointA.y, hexToBigint(v.QAy));
+      const secKeyB = hexToBigint(v.dB);
+      const pubKeyB = curve.getPublicKey(secKeyB);
+      const pubPointB = curve.ProjectivePoint.fromHex(pubKeyB);
+      equalBigInteger(pubPointB.x, hexToBigint(v.QBx));
+      equalBigInteger(pubPointB.y, hexToBigint(v.QBy));
+      const shared = curve.getSharedSecret(secKeyA, pubKeyB);
+      const sharedPoint = curve.ProjectivePoint.fromHex(shared);
+      equalBigInteger(sharedPoint.x, hexToBigint(v.Zx));
+      equalBigInteger(sharedPoint.y, hexToBigint(v.Zy));
+      deepStrictEqual(shared, curve.getSharedSecret(secKeyB, pubKeyA));
+    });
+  }
+});
+
+// ESM is broken.
+import url from 'url';
+if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
+  should.run();
+}