repo-sync-2024-06-06T16:28:31+0800 (#337)

yacl/crypto/ecc/FourQlib/BUILD.bazel

@@ -29,6 +29,7 @@ yacl_cc_library(
     hdrs = ["FourQ_group.h"],
     deps = [
         "//yacl/crypto/ecc:spi",
+        "//yacl/crypto/hash:ssl_hash",
         "@com_github_microsoft_FourQlib//:FourQlib",
     ],
 )

yacl/crypto/ecc/FourQlib/FourQ_group.cc

@@ -14,20 +14,30 @@
 
 #include "yacl/crypto/ecc/FourQlib/FourQ_group.h"
 
+#include "absl/types/span.h"
+
+#include "yacl/crypto/hash/ssl_hash.h"
+
 namespace yacl::crypto::FourQ {
 
 // Elements (a+b*i) over GF(p^2), where a and b are defined over GF(p), are
 // encoded as a||b, with a in the least significant position.
 MPInt F2elm2MPInt(const f2elm_t f2elm) {
+  f2elm_t c;
+  fp2copy1271(const_cast<felm_t*>(f2elm), c);
+  mod1271(c[0]);
+  mod1271(c[1]);
   MPInt r(0, 256);
-  r.FromMagBytes(yacl::ByteContainerView(f2elm, 32), Endian::little);
+  r.FromMagBytes(yacl::ByteContainerView(c, 32), Endian::little);
   return r;
 }
 
 // Reverse operation of F2elm2MPInt
 void MPIntToF2elm(const MPInt& x, f2elm_t f2elm) {
   memset(f2elm, 0, 32);
   x.ToMagBytes(reinterpret_cast<unsigned char*>(f2elm), 32, Endian::little);
+  mod1271(f2elm[0]);
+  mod1271(f2elm[1]);
 }
 
 FourQGroup::FourQGroup(const CurveMeta& meta) : EcGroupSketch(meta) {
@@ -257,8 +267,28 @@ EcPoint FourQGroup::DeserializePoint(ByteContainerView buf,
   return r;
 }
 
-EcPoint FourQGroup::HashToCurve(HashToCurveStrategy, std::string_view) const {
-  YACL_THROW("not impl");
+EcPoint FourQGroup::HashToCurve(HashToCurveStrategy strategy,
+                                std::string_view input) const {
+  YACL_ENFORCE(strategy == HashToCurveStrategy::Autonomous,
+               "FourQlib only supports Autonomous strategy now. select={}",
+               static_cast<int>(strategy));
+
+  std::vector<uint8_t> sha_bytes =
+      SslHash(HashAlgorithm::SHA512)
+          .Update(absl::Span(input.data(), input.size()))
+          .CumulativeHash();
+  auto* f2elmt = reinterpret_cast<f2elm_t*>(sha_bytes.data());
+  mod1271(reinterpret_cast<felm_t*>(f2elmt)[0]);
+  mod1271(reinterpret_cast<felm_t*>(f2elmt)[1]);
+
+  point_t p;
+  ECCRYPTO_STATUS status = ::HashToCurve(reinterpret_cast<felm_t*>(f2elmt), p);
+  YACL_ENFORCE(status == ECCRYPTO_SUCCESS, FourQ_get_error_message(status));
+
+  EcPoint r(std::in_place_type<Array160>);
+  point_setup(p, CastR1(r));
+
+  return r;
 }
 
 size_t FourQGroup::HashPoint(const EcPoint& point) const {
@@ -295,6 +325,10 @@ bool FourQGroup::PointEqual(const EcPoint& p1, const EcPoint& p2) const {
   f2elm_t b;
   fp2mul1271(p1p->x, p2p->z, a);
   fp2mul1271(p1p->z, p2p->x, b);
+  mod1271(a[0]);
+  mod1271(a[1]);
+  mod1271(b[0]);
+  mod1271(b[1]);
   auto* pa = reinterpret_cast<digit_t*>(a);
   auto* pb = reinterpret_cast<digit_t*>(b);
   for (size_t i = 0; i < 2 * NWORDS_FIELD; ++i) {
@@ -305,6 +339,10 @@ bool FourQGroup::PointEqual(const EcPoint& p1, const EcPoint& p2) const {
 
   fp2mul1271(p1p->y, p2p->z, a);
   fp2mul1271(p1p->z, p2p->y, b);
+  mod1271(a[0]);
+  mod1271(a[1]);
+  mod1271(b[0]);
+  mod1271(b[1]);
   pa = reinterpret_cast<digit_t*>(a);
   pb = reinterpret_cast<digit_t*>(b);
   for (size_t i = 0; i < 2 * NWORDS_FIELD; ++i) {
@@ -331,7 +369,10 @@ bool FourQGroup::IsInfinity(const EcPoint& point) const {
       const_cast<digit_t*>(reinterpret_cast<const digit_t*>(CastR1(point)->x));
   auto* z =
       const_cast<digit_t*>(reinterpret_cast<const digit_t*>(CastR1(point)->z));
-
+  mod1271(x);
+  mod1271(x + 2);
+  mod1271(z);
+  mod1271(z + 2);
   return is_zero_ct(x, 2 * NWORDS_FIELD) || is_zero_ct(z, 2 * NWORDS_FIELD);
 }
 
@@ -347,4 +388,4 @@ point_extproj* FourQGroup::CastR1(EcPoint& p) {
   return reinterpret_cast<point_extproj*>(std::get<Array160>(p).data());
 }
 
-}  // namespace yacl::crypto::FourQ
+}  // namespace yacl::crypto::FourQ

yacl/crypto/ecc/ec_point.h

@@ -30,6 +30,11 @@ enum class PointOctetFormat {
   // The format is determined by the library itself.
   Autonomous,
 
+  // Uncompressed format
+  // The point is encoded as x||y
+  // For X25519, only need the x value
+  Uncompressed,
+
   // ANSI X9.62 compressed format
   // The point is encoded as z||x, where the octet z specifies which solution of
   // the quadratic equation y is.

yacl/crypto/ecc/lib25519/ed25519_group.cc

@@ -17,9 +17,10 @@
 namespace yacl::crypto::lib25519 {
 
 MPInt Fe25519ToMPInt(const fe25519& x) {
-  // TODO: whether to freeze x first?
+  fe25519 t = x;
+  fe25519_freeze(&t);
   MPInt r(0, 255);
-  r.FromMagBytes(yacl::ByteContainerView(&x, 32), Endian::little);
+  r.FromMagBytes(yacl::ByteContainerView(&t, 32), Endian::little);
   return r;
 }
 

yacl/crypto/ecc/lib25519/lib25519_group.cc

@@ -118,15 +118,12 @@ size_t Lib25519Group::HashPoint(const EcPoint& point) const {
   const auto* p3 = CastP3(point);
   fe25519 recip;
   fe25519 x;
-
   fe25519_invert(&recip, &p3->z);
   fe25519_mul(&x, &p3->x, &recip);
-
-  uint64_t buf[4];  // x is always 255 bits
-  fe25519_pack(reinterpret_cast<unsigned char*>(buf), &x);
+  fe25519_freeze(&x);
 
   std::hash<uint64_t> h;
-  return h(buf[0]) ^ h(buf[1]) ^ h(buf[2]) ^ h(buf[3]);
+  return h(x.v[0]) ^ h(x.v[1]) ^ h(x.v[2]) ^ h(x.v[3]);
 }
 
 bool Lib25519Group::PointEqual(const EcPoint& p1, const EcPoint& p2) const {
@@ -143,19 +140,13 @@ bool Lib25519Group::PointEqual(const EcPoint& p1, const EcPoint& p2) const {
   fe25519 b;
   fe25519_mul(&a, &p1p->x, &p2p->z);
   fe25519_mul(&b, &p1p->z, &p2p->x);
-  for (size_t i = 0; i < sizeof(fe25519) / sizeof(a.v[0]); ++i) {
-    if (a.v[i] != b.v[i]) {
-      return false;
-    }
+  if (!fe25519_iseq_vartime(&a, &b)) {
+    return false;
   }
 
   fe25519_mul(&a, &p1p->y, &p2p->z);
   fe25519_mul(&b, &p1p->z, &p2p->y);
-  uint128_t buf_a[2];
-  uint128_t buf_b[2];
-  fe25519_pack(reinterpret_cast<unsigned char*>(buf_a), &a);
-  fe25519_pack(reinterpret_cast<unsigned char*>(buf_b), &b);
-  return buf_a[0] == buf_b[0] && buf_a[1] == buf_b[1];
+  return fe25519_iseq_vartime(&a, &b);
 }
 
 const ge25519_p3* Lib25519Group::CastP3(const yacl::crypto::EcPoint& p) {

yacl/crypto/ecc/libsodium/BUILD.bazel

@@ -23,6 +23,7 @@ yacl_cc_library(
     ],
     deps = [
         ":ed25519_group",
+        ":x25519_group",
     ],
     alwayslink = 1,
 )
@@ -57,6 +58,20 @@ yacl_cc_library(
     ],
 )
 
+yacl_cc_library(
+    name = "x25519_group",
+    srcs = [
+        "x25519_group.cc",
+    ],
+    hdrs = [
+        "x25519_group.h",
+    ],
+    deps = [
+        ":sodium_group",
+        "//yacl/crypto/hash:hash_utils",
+    ],
+)
+
 yacl_cc_test(
     name = "ed25519_test",
     srcs = ["ed25519_test.cc"],

yacl/crypto/ecc/libsodium/sodium_factory.cc

@@ -15,6 +15,7 @@
 #include <map>
 
 #include "yacl/crypto/ecc/libsodium/ed25519_group.h"
+#include "yacl/crypto/ecc/libsodium/x25519_group.h"
 
 namespace yacl::crypto::sodium {
 
@@ -23,6 +24,12 @@ const std::string kLibName = "libsodium";
 
 std::map<CurveName, CurveParam> kPredefinedCurves = {
     {"ed25519",
+     {
+         (2_mp).Pow(255) - 19_mp,  // p = 2^255 - 19
+         (2_mp).Pow(252) + "0x14def9dea2f79cd65812631a5cf5d3ed"_mp,  // n
+         "8"_mp                                                      // h
+     }},
+    {"curve25519",
      {
          (2_mp).Pow(255) - 19_mp,  // p = 2^255 - 19
          (2_mp).Pow(252) + "0x14def9dea2f79cd65812631a5cf5d3ed"_mp,  // n
@@ -36,6 +43,8 @@ std::unique_ptr<EcGroup> Create(const CurveMeta &meta) {
 
   if (meta.LowerName() == "ed25519") {
     return std::make_unique<Ed25519Group>(meta, conf);
+  } else if (meta.LowerName() == "curve25519") {
+    return std::make_unique<X25519Group>(meta, conf);
   } else {
     YACL_THROW("unexpected curve {}", meta.name);
   }