This repository has been archived by the owner on Jun 26, 2024. It is now read-only.
forked from paulmillr/noble-curves
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add BrainpoolP256r1, 384r1 and 512r1
Needed for OpenPGP
- Loading branch information
Showing
17 changed files
with
69,985 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
import { createCurve } from './_shortw_utils.js'; | ||
import { sha256 } from '@openpgp/noble-hashes/sha256'; | ||
import { Field } from './abstract/modular.js'; | ||
import { BigInteger } from '@openpgp/noble-hashes/biginteger'; | ||
|
||
// brainpoolP256r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.4 | ||
|
||
const Fp = Field(BigInteger.new('0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377')); | ||
const CURVE_A = Fp.create(BigInteger.new('0x7d5a0975fc2c3057eef67530417affe7fb8055c126dc5c6ce94a4b44f330b5d9')); | ||
const CURVE_B = BigInteger.new('0x26dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b6'); | ||
|
||
// prettier-ignore | ||
export const brainpoolP256r1 = createCurve({ | ||
a: CURVE_A, // Equation params: a, b | ||
b: CURVE_B, | ||
Fp, | ||
// Curve order (q), total count of valid points in the field | ||
n: BigInteger.new('0xa9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a7'), | ||
// Base (generator) point (x, y) | ||
Gx: BigInteger.new('0x8bd2aeb9cb7e57cb2c4b482ffc81b7afb9de27e1e3bd23c23a4453bd9ace3262'), | ||
Gy: BigInteger.new('0x547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f046997'), | ||
h: BigInteger.new(1), | ||
lowS: false, | ||
} as const, sha256); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
import { createCurve } from './_shortw_utils.js'; | ||
import { sha384 } from '@openpgp/noble-hashes/sha512'; | ||
import { Field } from './abstract/modular.js'; | ||
import { BigInteger } from '@openpgp/noble-hashes/biginteger'; | ||
|
||
// brainpoolP384 r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.6 | ||
|
||
const Fp = Field(BigInteger.new('0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53')); | ||
const CURVE_A = Fp.create(BigInteger.new('0x7bc382c63d8c150c3c72080ace05afa0c2bea28e4fb22787139165efba91f90f8aa5814a503ad4eb04a8c7dd22ce2826')); | ||
const CURVE_B = BigInteger.new('0x04a8c7dd22ce28268b39b55416f0447c2fb77de107dcd2a62e880ea53eeb62d57cb4390295dbc9943ab78696fa504c11'); | ||
|
||
// prettier-ignore | ||
export const brainpoolP384r1 = createCurve({ | ||
a: CURVE_A, // Equation params: a, b | ||
b: CURVE_B, | ||
Fp, | ||
// Curve order (q), total count of valid points in the field | ||
n: BigInteger.new('0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b31f166e6cac0425a7cf3ab6af6b7fc3103b883202e9046565'), | ||
// Base (generator) point (x, y) | ||
Gx: BigInteger.new('0x1d1c64f068cf45ffa2a63a81b7c13f6b8847a3e77ef14fe3db7fcafe0cbd10e8e826e03436d646aaef87b2e247d4af1e'), | ||
Gy: BigInteger.new('0x8abe1d7520f9c2a45cb1eb8e95cfd55262b70b29feec5864e19c054ff99129280e4646217791811142820341263c5315'), | ||
h: BigInteger.new(1), | ||
lowS: false, | ||
} as const, sha384); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
import { createCurve } from './_shortw_utils.js'; | ||
import { sha512 } from '@openpgp/noble-hashes/sha512'; | ||
import { Field } from './abstract/modular.js'; | ||
import { BigInteger } from '@openpgp/noble-hashes/biginteger'; | ||
|
||
// brainpoolP512r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.7 | ||
|
||
const Fp = Field(BigInteger.new('0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3')); | ||
const CURVE_A = Fp.create(BigInteger.new('0x7830a3318b603b89e2327145ac234cc594cbdd8d3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94ca')); | ||
const CURVE_B = BigInteger.new('0x3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94cadc083e67984050b75ebae5dd2809bd638016f723'); | ||
|
||
// prettier-ignore | ||
export const brainpoolP512r1 = createCurve({ | ||
a: CURVE_A, // Equation params: a, b | ||
b: CURVE_B, | ||
Fp, | ||
// Curve order (q), total count of valid points in the field | ||
n: BigInteger.new('0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90069'), | ||
// Base (generator) point (x, y) | ||
Gx: BigInteger.new('0x81aee4bdd82ed9645a21322e9c4c6a9385ed9f70b5d916c1b43b62eef4d0098eff3b1f78e2d0d48d50d1687b93b97d5f7c6d5047406a5e688b352209bcb9f822'), | ||
Gy: BigInteger.new('0x7dde385d566332ecc0eabfa9cf7822fdf209f70024a57b1aa000c55b881f8111b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892'), | ||
h: BigInteger.new(1), | ||
lowS: false, | ||
} as const, sha512); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,286 @@ | ||
import { BigInteger } from '@openpgp/noble-hashes/biginteger'; | ||
|
||
import { deepStrictEqual, ok } from 'assert'; | ||
import { describe, should } from 'micro-should'; | ||
import { brainpoolP256r1 } from '../esm/brainpoolP256r1.js'; | ||
import { brainpoolP384r1 } from '../esm/brainpoolP384r1.js'; | ||
import { brainpoolP512r1 } from '../esm/brainpoolP512r1.js'; | ||
import { hexToBytes, bytesToHex } from '../esm/abstract/utils.js'; | ||
import { default as ecdsa } from './wycheproof/ecdsa_test.json' assert { type: 'json' }; | ||
import { default as ecdh } from './wycheproof/ecdh_test.json' assert { type: 'json' }; | ||
import { default as rfc7027 } from './vectors/rfc7027.json' assert { type: 'json' }; | ||
|
||
import { default as ecdh_brainpoolP256r1_test } from './wycheproof/ecdh_brainpoolP256r1_test.json' assert { type: 'json' }; | ||
import { default as ecdh_brainpoolP384r1_test } from './wycheproof/ecdh_brainpoolP384r1_test.json' assert { type: 'json' }; | ||
import { default as ecdh_brainpoolP512r1_test } from './wycheproof/ecdh_brainpoolP512r1_test.json' assert { type: 'json' }; | ||
|
||
import { default as brainpoolP256r1_sha256_test } from './wycheproof/ecdsa_brainpoolP256r1_sha256_test.json' assert { type: 'json' }; | ||
import { default as brainpoolP256r1_sha3_256_test } from './wycheproof/ecdsa_brainpoolP256r1_sha3_256_test.json' assert { type: 'json' }; | ||
import { default as brainpoolP384r1_sha384_test } from './wycheproof/ecdsa_brainpoolP384r1_sha384_test.json' assert { type: 'json' }; | ||
import { default as brainpoolP384r1_sha3_384_test } from './wycheproof/ecdsa_brainpoolP384r1_sha3_384_test.json' assert { type: 'json' }; | ||
import { default as brainpoolP512r1_sha512_test } from './wycheproof/ecdsa_brainpoolP512r1_sha512_test.json' assert { type: 'json' }; | ||
import { default as brainpoolP512r1_sha3_512_test } from './wycheproof/ecdsa_brainpoolP512r1_sha3_512_test.json' assert { type: 'json' }; | ||
|
||
import { sha3_256, sha3_384, sha3_512 } from '@openpgp/noble-hashes/sha3'; | ||
import { sha512, sha384 } from '@openpgp/noble-hashes/sha512'; | ||
import { sha256 } from '@openpgp/noble-hashes/sha256'; | ||
|
||
const hex = bytesToHex; | ||
const equalBigInteger = (actual, expected, msg) => ok(actual.toString() === expected.toString(), msg); | ||
|
||
// prettier-ignore | ||
const BRAINPOOL = { | ||
brainpoolP256r1, | ||
brainpoolP384r1, | ||
brainpoolP512r1 | ||
}; | ||
|
||
describe('Brainpool curves', () => {}); | ||
should('fields', () => { | ||
const vectors = { | ||
brainpoolP256r1: BigInteger.new('0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377'), | ||
brainpoolP384r1: BigInteger.new('0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53'), | ||
brainpoolP512r1: BigInteger.new('0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3') | ||
}; | ||
for (const n in vectors) deepStrictEqual(BRAINPOOL[n].CURVE.Fp.ORDER, vectors[n]); | ||
}); | ||
|
||
describe('wycheproof ECDH', () => { | ||
for (const group of ecdh.testGroups) { | ||
const CURVE = BRAINPOOL[group.curve]; | ||
if (!CURVE) continue; | ||
should(group.curve, () => { | ||
for (const test of group.tests) { | ||
if (test.result === 'valid' || test.result === 'acceptable') { | ||
try { | ||
const pub = CURVE.ProjectivePoint.fromHex(test.public); | ||
} catch (e) { | ||
// Our strict validation filter doesn't let weird-length DER vectors | ||
if (e.message.startsWith('Point of length')) continue; | ||
throw e; | ||
} | ||
const shared = CURVE.getSharedSecret(test.private, test.public); | ||
deepStrictEqual(shared, test.shared, 'valid'); | ||
} else if (test.result === 'invalid') { | ||
let failed = false; | ||
try { | ||
CURVE.getSharedSecret(test.private, test.public); | ||
} catch (error) { | ||
failed = true; | ||
} | ||
deepStrictEqual(failed, true, 'invalid'); | ||
} else throw new Error('unknown test result'); | ||
} | ||
}); | ||
} | ||
|
||
// More per curve tests | ||
const WYCHEPROOF_ECDH = { | ||
brainpoolP256r1: { | ||
curve: brainpoolP256r1, | ||
tests: [ecdh_brainpoolP256r1_test], | ||
}, | ||
brainpoolP384r1: { | ||
curve: brainpoolP384r1, | ||
tests: [ecdh_brainpoolP384r1_test], | ||
}, | ||
brainpoolP512r1: { | ||
curve: brainpoolP512r1, | ||
tests: [ecdh_brainpoolP512r1_test], | ||
}, | ||
}; | ||
|
||
for (const name in WYCHEPROOF_ECDH) { | ||
const { curve, tests } = WYCHEPROOF_ECDH[name]; | ||
for (let i = 0; i < tests.length; i++) { | ||
const test = tests[i]; | ||
for (let j = 0; j < test.testGroups.length; j++) { | ||
const group = test.testGroups[j]; | ||
should(`additional ${name} (${i}/${j})`, () => { | ||
for (const test of group.tests) { | ||
if (test.result === 'valid' || test.result === 'acceptable') { | ||
try { | ||
const pub = curve.ProjectivePoint.fromHex(test.public); | ||
} catch (e) { | ||
// Our strict validation filter doesn't let weird-length DER vectors | ||
if (e.message.includes('Point of length')) continue; | ||
throw e; | ||
} | ||
const shared = curve.getSharedSecret(test.private, test.public); | ||
deepStrictEqual(hex(shared), test.shared, 'valid'); | ||
} else if (test.result === 'invalid') { | ||
let failed = false; | ||
try { | ||
curve.getSharedSecret(test.private, test.public); | ||
} catch (error) { | ||
failed = true; | ||
} | ||
deepStrictEqual(failed, true, 'invalid'); | ||
} else throw new Error('unknown test result'); | ||
} | ||
}); | ||
} | ||
} | ||
} | ||
}); | ||
|
||
const WYCHEPROOF_ECDSA = { | ||
brainpoolP256r1: { | ||
curve: brainpoolP256r1, | ||
hashes: { | ||
sha256: { | ||
hash: sha256, | ||
tests: [brainpoolP256r1_sha256_test], | ||
}, | ||
sha3_256: { | ||
hash: sha3_256, | ||
tests: [brainpoolP256r1_sha3_256_test], | ||
}, | ||
}, | ||
}, | ||
brainpoolP384r1: { | ||
curve: brainpoolP384r1, | ||
hashes: { | ||
sha384: { | ||
hash: sha384, | ||
tests: [brainpoolP384r1_sha384_test], | ||
}, | ||
sha3_384: { | ||
hash: sha3_384, | ||
tests: [brainpoolP384r1_sha3_384_test], | ||
}, | ||
}, | ||
}, | ||
brainpoolP512r1: { | ||
curve: brainpoolP512r1, | ||
hashes: { | ||
sha384: { | ||
hash: sha512, | ||
tests: [brainpoolP512r1_sha512_test], | ||
}, | ||
sha3_512: { | ||
hash: sha3_512, | ||
tests: [brainpoolP512r1_sha3_512_test], | ||
}, | ||
}, | ||
}, | ||
}; | ||
|
||
function runWycheproof(name, CURVE, group, index) { | ||
const key = group.publicKey; | ||
const pubKey = CURVE.ProjectivePoint.fromHex(key.uncompressed); | ||
equalBigInteger(pubKey.x, BigInt(`0x${key.wx}`)); | ||
equalBigInteger(pubKey.y, BigInt(`0x${key.wy}`)); | ||
const pubR = pubKey.toRawBytes(); | ||
for (const test of group.tests) { | ||
const m = CURVE.CURVE.hash(hexToBytes(test.msg)); | ||
const { sig } = test; | ||
if (test.result === 'valid' || test.result === 'acceptable') { | ||
try { | ||
CURVE.Signature.fromDER(sig); | ||
} catch (e) { | ||
// Some tests has invalid signature which we don't accept | ||
if (e.message.includes('Invalid signature: incorrect length')) continue; | ||
throw e; | ||
} | ||
const verified = CURVE.verify(sig, m, pubR); | ||
deepStrictEqual(verified, true, `${index}: valid`); | ||
} else if (test.result === 'invalid') { | ||
let failed = false; | ||
try { | ||
failed = !CURVE.verify(sig, m, pubR); | ||
} catch (error) { | ||
failed = true; | ||
} | ||
deepStrictEqual(failed, true, `${index}: invalid`); | ||
} else throw new Error('unknown test result'); | ||
} | ||
} | ||
|
||
describe('wycheproof ECDSA', () => { | ||
should('generic', () => { | ||
for (const group of ecdsa.testGroups) { | ||
let CURVE = BRAINPOOL[group.key.curve]; | ||
if (!CURVE) continue; | ||
const pubKey = CURVE.ProjectivePoint.fromHex(group.key.uncompressed); | ||
equalBigInteger(pubKey.x, BigInt(`0x${group.key.wx}`)); | ||
equalBigInteger(pubKey.y, BigInt(`0x${group.key.wy}`)); | ||
for (const test of group.tests) { | ||
if (['Hash weaker than DL-group'].includes(test.comment)) { | ||
continue; | ||
} | ||
// These old Wycheproof vectors which still accept missing zero, new one is not. | ||
if (test.flags.includes('MissingZero') && test.result === 'acceptable') | ||
test.result = 'invalid'; | ||
const m = CURVE.CURVE.hash(hexToBytes(test.msg)); | ||
if (test.result === 'valid' || test.result === 'acceptable') { | ||
try { | ||
CURVE.Signature.fromDER(test.sig); | ||
} catch (e) { | ||
// Some test has invalid signature which we don't accept | ||
if (e.message.includes('Invalid signature: incorrect length')) continue; | ||
throw e; | ||
} | ||
const verified = CURVE.verify(test.sig, m, pubKey.toHex()); | ||
deepStrictEqual(verified, true, `valid`); | ||
} else if (test.result === 'invalid') { | ||
let failed = false; | ||
try { | ||
failed = !CURVE.verify(test.sig, m, pubKey.toHex()); | ||
} catch (error) { | ||
failed = true; | ||
} | ||
deepStrictEqual(failed, true, 'invalid'); | ||
} else throw new Error('unknown test result'); | ||
} | ||
} | ||
}); | ||
for (const name in WYCHEPROOF_ECDSA) { | ||
const { curve, hashes } = WYCHEPROOF_ECDSA[name]; | ||
describe(name, () => { | ||
for (const hName in hashes) { | ||
const { hash, tests } = hashes[hName]; | ||
const CURVE = curve.create(hash); | ||
should(`${name}/${hName}`, () => { | ||
for (let i = 0; i < tests.length; i++) { | ||
const groups = tests[i].testGroups; | ||
for (let j = 0; j < groups.length; j++) { | ||
const group = groups[j]; | ||
runWycheproof(name, CURVE, group, `${i}/${j}`); | ||
} | ||
} | ||
}); | ||
} | ||
}); | ||
} | ||
}); | ||
|
||
const hexToBigint = (hex) => BigInteger.new(`0x${hex}`); | ||
describe('RFC7027', () => { | ||
for (const v of rfc7027) { | ||
should(v.curve, () => { | ||
const curve = BRAINPOOL[v.curve]; | ||
const secKeyA = hexToBigint(v.dA); | ||
const pubKeyA = curve.getPublicKey(secKeyA); | ||
const pubPointA = curve.ProjectivePoint.fromHex(pubKeyA); | ||
equalBigInteger(pubPointA.x, hexToBigint(v.QAx)); | ||
equalBigInteger(pubPointA.y, hexToBigint(v.QAy)); | ||
const secKeyB = hexToBigint(v.dB); | ||
const pubKeyB = curve.getPublicKey(secKeyB); | ||
const pubPointB = curve.ProjectivePoint.fromHex(pubKeyB); | ||
equalBigInteger(pubPointB.x, hexToBigint(v.QBx)); | ||
equalBigInteger(pubPointB.y, hexToBigint(v.QBy)); | ||
const shared = curve.getSharedSecret(secKeyA, pubKeyB); | ||
const sharedPoint = curve.ProjectivePoint.fromHex(shared); | ||
equalBigInteger(sharedPoint.x, hexToBigint(v.Zx)); | ||
equalBigInteger(sharedPoint.y, hexToBigint(v.Zy)); | ||
deepStrictEqual(shared, curve.getSharedSecret(secKeyB, pubKeyA)); | ||
}); | ||
} | ||
}); | ||
|
||
// ESM is broken. | ||
import url from 'url'; | ||
if (import.meta.url === url.pathToFileURL(process.argv[1]).href) { | ||
should.run(); | ||
} |
Oops, something went wrong.