Feature/rfc6979

doc/crypt.tex

@@ -5816,6 +5816,7 @@ \subsection{Signature Generation}
 To sign a message digest (hash) use the following function:
 
 \index{ecc\_sign\_hash()}
+\index{ECC\_SET\_RFC6979\_HASH\_ALG()}
 \begin{verbatim}
 int ecc_sign_hash(const unsigned char *in,
                         unsigned long  inlen,
@@ -5827,8 +5828,17 @@ \subsection{Signature Generation}
 \end{verbatim}
 
 This function will \textit{ECDSA} sign the message digest stored in the array pointed to by \code{in} of length \code{inlen} octets.  The signature
-will be stored in the array pointed to by \code{out} of length \code{outlen} octets.  The function requires a properly seeded \textit{PRNG}, and
-the \textit{ECC} \code{key} provided must be a private key.
+will be stored in the array pointed to by \code{out} of length \code{outlen} octets.  The function requires that the \textit{ECC}
+\code{key} provided must be a private key.
+
+In order to execute standard \textit{ECDSA} it requires a properly seeded \textit{PRNG}  which gets passed via \code{prng} and \code{wprng}.
+
+The deterministic signature mechanism according to \textit{RFC6979} is also supported. This does not require a \textit{PRNG}, but
+instead a valid hash function shall be set via the macro
+
+\code{ECC\_SET\_RFC6979\_HASH\_ALG(key, hash\_alg)}
+
+The expected types of the arguments to that macro are \code{(ecc\_key*, const char*)}.
 
 \index{ecc\_sign\_hash\_rfc7518()}
 \begin{verbatim}

libtomcrypt_VS2008.vcproj

@@ -2490,6 +2490,10 @@
 					RelativePath="src\pk\ecc\ecc_recover_key.c"
 					>
 				</File>
+				<File
+					RelativePath="src\pk\ecc\ecc_rfc6979_key.c"
+					>
+				</File>
 				<File
 					RelativePath="src\pk\ecc\ecc_set_curve.c"
 					>

makefile.mingw

@@ -191,9 +191,9 @@ src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_export_opens
 src/pk/ecc/ecc_find_curve.o src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_key.o src/pk/ecc/ecc_get_oid_str.o \
 src/pk/ecc/ecc_get_size.o src/pk/ecc/ecc_import.o src/pk/ecc/ecc_import_openssl.o \
 src/pk/ecc/ecc_import_pkcs8.o src/pk/ecc/ecc_import_x509.o src/pk/ecc/ecc_make_key.o \
-src/pk/ecc/ecc_recover_key.o src/pk/ecc/ecc_set_curve.o src/pk/ecc/ecc_set_curve_internal.o \
-src/pk/ecc/ecc_set_key.o src/pk/ecc/ecc_shared_secret.o src/pk/ecc/ecc_sign_hash.o \
-src/pk/ecc/ecc_sign_hash_eth27.o src/pk/ecc/ecc_sign_hash_internal.o \
+src/pk/ecc/ecc_recover_key.o src/pk/ecc/ecc_rfc6979_key.o src/pk/ecc/ecc_set_curve.o \
+src/pk/ecc/ecc_set_curve_internal.o src/pk/ecc/ecc_set_key.o src/pk/ecc/ecc_shared_secret.o \
+src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sign_hash_eth27.o src/pk/ecc/ecc_sign_hash_internal.o \
 src/pk/ecc/ecc_sign_hash_rfc5656.o src/pk/ecc/ecc_sign_hash_rfc7518.o src/pk/ecc/ecc_sizes.o \
 src/pk/ecc/ecc_ssh_ecdsa_encode_name.o src/pk/ecc/ecc_verify_hash.o src/pk/ecc/ecc_verify_hash_eth27.o \
 src/pk/ecc/ecc_verify_hash_internal.o src/pk/ecc/ecc_verify_hash_rfc5656.o \

makefile.msvc

@@ -184,9 +184,9 @@ src/pk/ecc/ecc_encrypt_key.obj src/pk/ecc/ecc_export.obj src/pk/ecc/ecc_export_o
 src/pk/ecc/ecc_find_curve.obj src/pk/ecc/ecc_free.obj src/pk/ecc/ecc_get_key.obj src/pk/ecc/ecc_get_oid_str.obj \
 src/pk/ecc/ecc_get_size.obj src/pk/ecc/ecc_import.obj src/pk/ecc/ecc_import_openssl.obj \
 src/pk/ecc/ecc_import_pkcs8.obj src/pk/ecc/ecc_import_x509.obj src/pk/ecc/ecc_make_key.obj \
-src/pk/ecc/ecc_recover_key.obj src/pk/ecc/ecc_set_curve.obj src/pk/ecc/ecc_set_curve_internal.obj \
-src/pk/ecc/ecc_set_key.obj src/pk/ecc/ecc_shared_secret.obj src/pk/ecc/ecc_sign_hash.obj \
-src/pk/ecc/ecc_sign_hash_eth27.obj src/pk/ecc/ecc_sign_hash_internal.obj \
+src/pk/ecc/ecc_recover_key.obj src/pk/ecc/ecc_rfc6979_key.obj src/pk/ecc/ecc_set_curve.obj \
+src/pk/ecc/ecc_set_curve_internal.obj src/pk/ecc/ecc_set_key.obj src/pk/ecc/ecc_shared_secret.obj \
+src/pk/ecc/ecc_sign_hash.obj src/pk/ecc/ecc_sign_hash_eth27.obj src/pk/ecc/ecc_sign_hash_internal.obj \
 src/pk/ecc/ecc_sign_hash_rfc5656.obj src/pk/ecc/ecc_sign_hash_rfc7518.obj src/pk/ecc/ecc_sizes.obj \
 src/pk/ecc/ecc_ssh_ecdsa_encode_name.obj src/pk/ecc/ecc_verify_hash.obj src/pk/ecc/ecc_verify_hash_eth27.obj \
 src/pk/ecc/ecc_verify_hash_internal.obj src/pk/ecc/ecc_verify_hash_rfc5656.obj \

makefile.unix

@@ -205,9 +205,9 @@ src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_export_opens
 src/pk/ecc/ecc_find_curve.o src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_key.o src/pk/ecc/ecc_get_oid_str.o \
 src/pk/ecc/ecc_get_size.o src/pk/ecc/ecc_import.o src/pk/ecc/ecc_import_openssl.o \
 src/pk/ecc/ecc_import_pkcs8.o src/pk/ecc/ecc_import_x509.o src/pk/ecc/ecc_make_key.o \
-src/pk/ecc/ecc_recover_key.o src/pk/ecc/ecc_set_curve.o src/pk/ecc/ecc_set_curve_internal.o \
-src/pk/ecc/ecc_set_key.o src/pk/ecc/ecc_shared_secret.o src/pk/ecc/ecc_sign_hash.o \
-src/pk/ecc/ecc_sign_hash_eth27.o src/pk/ecc/ecc_sign_hash_internal.o \
+src/pk/ecc/ecc_recover_key.o src/pk/ecc/ecc_rfc6979_key.o src/pk/ecc/ecc_set_curve.o \
+src/pk/ecc/ecc_set_curve_internal.o src/pk/ecc/ecc_set_key.o src/pk/ecc/ecc_shared_secret.o \
+src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sign_hash_eth27.o src/pk/ecc/ecc_sign_hash_internal.o \
 src/pk/ecc/ecc_sign_hash_rfc5656.o src/pk/ecc/ecc_sign_hash_rfc7518.o src/pk/ecc/ecc_sizes.o \
 src/pk/ecc/ecc_ssh_ecdsa_encode_name.o src/pk/ecc/ecc_verify_hash.o src/pk/ecc/ecc_verify_hash_eth27.o \
 src/pk/ecc/ecc_verify_hash_internal.o src/pk/ecc/ecc_verify_hash_rfc5656.o \

makefile_include.mk

@@ -367,9 +367,9 @@ src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_export_opens
 src/pk/ecc/ecc_find_curve.o src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_key.o src/pk/ecc/ecc_get_oid_str.o \
 src/pk/ecc/ecc_get_size.o src/pk/ecc/ecc_import.o src/pk/ecc/ecc_import_openssl.o \
 src/pk/ecc/ecc_import_pkcs8.o src/pk/ecc/ecc_import_x509.o src/pk/ecc/ecc_make_key.o \
-src/pk/ecc/ecc_recover_key.o src/pk/ecc/ecc_set_curve.o src/pk/ecc/ecc_set_curve_internal.o \
-src/pk/ecc/ecc_set_key.o src/pk/ecc/ecc_shared_secret.o src/pk/ecc/ecc_sign_hash.o \
-src/pk/ecc/ecc_sign_hash_eth27.o src/pk/ecc/ecc_sign_hash_internal.o \
+src/pk/ecc/ecc_recover_key.o src/pk/ecc/ecc_rfc6979_key.o src/pk/ecc/ecc_set_curve.o \
+src/pk/ecc/ecc_set_curve_internal.o src/pk/ecc/ecc_set_key.o src/pk/ecc/ecc_shared_secret.o \
+src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sign_hash_eth27.o src/pk/ecc/ecc_sign_hash_internal.o \
 src/pk/ecc/ecc_sign_hash_rfc5656.o src/pk/ecc/ecc_sign_hash_rfc7518.o src/pk/ecc/ecc_sizes.o \
 src/pk/ecc/ecc_ssh_ecdsa_encode_name.o src/pk/ecc/ecc_verify_hash.o src/pk/ecc/ecc_verify_hash_eth27.o \
 src/pk/ecc/ecc_verify_hash_internal.o src/pk/ecc/ecc_verify_hash_rfc5656.o \

sources.cmake

@@ -421,6 +421,7 @@ src/pk/ecc/ecc_import_pkcs8.c
 src/pk/ecc/ecc_import_x509.c
 src/pk/ecc/ecc_make_key.c
 src/pk/ecc/ecc_recover_key.c
+src/pk/ecc/ecc_rfc6979_key.c
 src/pk/ecc/ecc_set_curve.c
 src/pk/ecc/ecc_set_curve_internal.c
 src/pk/ecc/ecc_set_key.c

src/headers/tomcrypt_pk.h

@@ -281,8 +281,18 @@ typedef struct {
 
     /** The private key */
     void *k;
+
+    /** The hash algorithm to use when creating a signature.
+     *  Setting this will enable RFC6979 compatible signature generation.
+     *  The macro ECC_SET_RFC6979_HASH_ALG() is provided as a helper
+     *  to set this.*/
+    const char *rfc6979_hash_alg;
 } ecc_key;
 
+#define ECC_SET_RFC6979_HASH_ALG(key, alg) do { \
+   (key)->rfc6979_hash_alg = (alg);             \
+} while(0)
+
 /** Formats of ECC signatures */
 typedef enum ecc_signature_type_ {
    /* ASN.1 encoded, ANSI X9.62 */

src/headers/tomcrypt_private.h

@@ -441,6 +441,8 @@ int ecc_verify_hash_internal(void *r, void *s,
                              const unsigned char *hash, unsigned long hashlen,
                              int *stat, const ecc_key *key);
 
+int ecc_rfc6979_key(const ecc_key *priv, const unsigned char *in, unsigned long inlen, ecc_key *key);
+
 #ifdef LTC_SSH
 int ecc_ssh_ecdsa_encode_name(char *buffer, unsigned long *buflen, const ecc_key *key);
 #endif

src/pk/ecc/ecc_make_key.c

@@ -59,6 +59,7 @@ int ecc_generate_key(prng_state *prng, int wprng, ecc_key *key)
       goto error;
    }
    key->type = PK_PRIVATE;
+   key->rfc6979_hash_alg = NULL;
 
    /* success */
    err = CRYPT_OK;

src/pk/ecc/ecc_rfc6979_key.c

@@ -0,0 +1,162 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis */
+/* SPDX-License-Identifier: Unlicense */
+
+#include "tomcrypt_private.h"
+
+/**
+  @file ecc_rfc6979_key.c
+  ECC Crypto, Russ Williams
+*/
+
+#ifdef LTC_MECC
+#ifdef LTC_SHA256
+
+/**
+  Make deterministic ECC key using the RFC6979 method
+  @param priv         [in] Private key for HMAC
+  @param in           Message to sign for HMAC
+  @param inlen        Length of the message
+  @param key          [out] Newly created deterministic key
+  @return CRYPT_OK if successful, upon error all allocated memory will be freed
+*/
+int ecc_rfc6979_key(const ecc_key *priv, const unsigned char *in, unsigned long inlen, ecc_key *key)
+{
+   int            err, hash = -1;
+   unsigned char  v[MAXBLOCKSIZE], k[MAXBLOCKSIZE];
+   unsigned char  buffer[256], sep[1], privkey[128];
+   unsigned long  order_bits, len_diff, pk_len, zero_extend, outlen, klen, vlen, buflen, qlen, hashsize;
+   void *r, *d;
+
+   LTC_ARGCHK(ltc_mp.name != NULL);
+   LTC_ARGCHK(priv        != NULL);
+   LTC_ARGCHK(key         != NULL);
+   LTC_ARGCHK(key->dp.size > 0);
+
+   if (priv->rfc6979_hash_alg == NULL) {
+      return CRYPT_INVALID_ARG;
+   }
+   hash = find_hash(priv->rfc6979_hash_alg);
+   if ((err = hash_is_valid(hash)) != CRYPT_OK) {
+      return err;
+   }
+
+   hashsize = hash_descriptor[hash].hashsize;
+
+   if ((err = ltc_mp_init_multi(&r, &d, NULL)) != CRYPT_OK) {
+      return err;
+   }
+
+   /* Length, in bytes, of key */
+   order_bits = ltc_mp_count_bits(key->dp.order);
+   qlen = (order_bits+7) >> 3;
+   len_diff = qlen > inlen ? qlen - inlen : 0;
+   pk_len = (ltc_mp_count_bits(priv->k)+7) >> 3;
+   zero_extend = qlen - pk_len;
+   XMEMSET(buffer, 0x00, len_diff + zero_extend);
+
+   /* RFC6979 3.2b, set V */
+   XMEMSET(v, 0x01, hashsize);
+
+   /* RFC6979 3.2c, set K */
+   XMEMSET(k, 0x00, hashsize);
+
+   if ((err = ltc_mp_to_unsigned_bin(priv->k, privkey) != CRYPT_OK))                                     { goto error; }
+   /* RFC6979 3.2d, set K to HMAC_K(V::0x00::priv::in) */
+   sep[0] = 0;
+   klen = sizeof(k);
+   if((err = hmac_memory_multi(hash,
+                               k, hashsize,
+                               k, &klen,
+                               v, hashsize,
+                               sep, 1,
+                               buffer, zero_extend,
+                               privkey, qlen - zero_extend,
+                               buffer, len_diff,
+                               in, qlen - len_diff,
+                               LTC_NULL)) != CRYPT_OK)                                                   { goto error; }
+
+   /* RFC6979 3.2e, set V = HMAC_K(V) */
+   vlen = sizeof(v);
+   if((err = hmac_memory(hash, k, klen, v, hashsize, v, &vlen)) != CRYPT_OK)                             { goto error; }
+
+   /* RFC6979 3.2f, set K to HMAC_K(V::0x01::priv::in) */
+   sep[0] = 0x01;
+   outlen = sizeof(k);
+   if((err = hmac_memory_multi(hash,
+                               k, klen,
+                               k, &klen,
+                               v, hashsize,
+                               sep, 1,
+                               buffer, zero_extend,
+                               privkey, qlen - zero_extend,
+                               buffer, len_diff,
+                               in, qlen - len_diff,
+                               LTC_NULL)) != CRYPT_OK)                                                   { goto error; }
+
+   /* RFC6979 3.2g, set V = HMAC_K(V) */
+   outlen = sizeof(v);
+   if((err = hmac_memory(hash, k, klen, v, hashsize, v, &outlen)) != CRYPT_OK)                           { goto error; }
+
+   /* RFC6979 3.2h, generate and check key */
+   do {
+      /* concatenate hash bits into T */
+      buflen = 0;
+      while (buflen < qlen) {
+         outlen = sizeof(v);
+         if((err = hmac_memory(hash, k, klen, v, hashsize, v, &outlen)) != CRYPT_OK)                     { goto error; }
+         XMEMCPY(&buffer[buflen], v, hashsize);
+         buflen += hashsize;
+      }
+
+      /* key->k = bits2int(T) */
+      if ((err = ltc_mp_read_unsigned_bin(r, buffer, qlen)) != CRYPT_OK)                                 { goto error; }
+      if ((qlen * 8) > order_bits) {
+         if ((err = ltc_mp_2expt(d, (qlen * 8) - order_bits)) != CRYPT_OK)                               { goto error; }
+         if ((err = ltc_mp_div(r, d, r, NULL)) != CRYPT_OK)                                              { goto error; }
+         if ((err = ltc_mp_to_unsigned_bin(r, buffer)) != CRYPT_OK)                                      { goto error; }
+         qlen = ltc_mp_unsigned_bin_size(r);
+      }
+
+      if ((err = ecc_set_key(buffer, qlen, PK_PRIVATE, key))!= CRYPT_OK)                                 { goto error; }
+
+      /* check that k is in range [1,q-1] */
+      if (ltc_mp_cmp_d(key->k, 0) == LTC_MP_GT && ltc_mp_cmp(key->k, key->dp.order) == LTC_MP_LT) {
+         /* Check that pubkey.x != 0 (mod p) */
+         if ((err = ltc_mp_mod(key->pubkey.x, key->dp.order, r)) != CRYPT_OK)                            { goto error; }
+
+         /* if we have a valid key, exit loop */
+         if (ltc_mp_iszero(r) == LTC_MP_NO)
+            break;
+      } else {
+         if (hashsize == sizeof(buffer)) {
+            err = CRYPT_BUFFER_OVERFLOW;
+            goto error;
+         }
+         /* K = HMAC_K(V::0x00) */
+         buffer[0] = 0x0;
+         outlen = sizeof(k);
+         if((err = hmac_memory_multi(hash, k, klen, k, &klen, v, hashsize, buffer, 1, LTC_NULL)) != CRYPT_OK)  { goto error; }
+
+         /* V = HMAC_K(V) */
+         outlen = sizeof(v);
+         if((err = hmac_memory(hash, k, klen, v, hashsize, v, &outlen)) != CRYPT_OK)                           { goto error; }
+
+         /* ... and try again! */
+      }
+   } while (1);
+
+   key->type = PK_PRIVATE;
+
+   /* success */
+   err = CRYPT_OK;
+   goto cleanup;
+
+error:
+   ecc_free(key);
+cleanup:
+   ltc_mp_cleanup_multi(&d, &r, NULL);
+   return err;
+}
+
+#endif
+#endif

src/pk/ecc/ecc_set_curve.c

@@ -19,6 +19,8 @@ int ecc_set_curve(const ltc_ecc_curve *cu, ecc_key *key)
       return err;
    }
 
+   key->rfc6979_hash_alg = NULL;
+
    /* A, B, order, prime, Gx, Gy */
    if ((err = ltc_mp_read_radix(key->dp.prime, cu->prime, 16)) != CRYPT_OK) { goto error; }
    if ((err = ltc_mp_read_radix(key->dp.order, cu->order, 16)) != CRYPT_OK) { goto error; }

src/pk/ecc/ecc_set_key.c

@@ -33,7 +33,7 @@ int ecc_set_key(const unsigned char *in, unsigned long inlen, int type, ecc_key
    else if (type == PK_PUBLIC) {
       /* load public key */
       if ((err = ltc_ecc_import_point(in, inlen, prime, a, b, key->pubkey.x, key->pubkey.y)) != CRYPT_OK) { goto error; }
-      if ((err = ltc_mp_set(key->pubkey.z, 1)) != CRYPT_OK)                                                   { goto error; }
+      if ((err = ltc_mp_set(key->pubkey.z, 1)) != CRYPT_OK)                                               { goto error; }
    }
    else {
       err = CRYPT_INVALID_PACKET;
@@ -46,6 +46,7 @@ int ecc_set_key(const unsigned char *in, unsigned long inlen, int type, ecc_key
    }
 
    key->type = type;
+   key->rfc6979_hash_alg = NULL;
    return CRYPT_OK;
 
 error:

src/pk/ecc/ecc_sign_hash_internal.c

@@ -57,8 +57,12 @@ int ecc_sign_hash_internal(const unsigned char *in,  unsigned long inlen,
 
    /* make up a key and export the public copy */
    do {
-      if ((err = ecc_copy_curve(key, &pubkey)) != CRYPT_OK)                { goto errnokey; }
-      if ((err = ecc_generate_key(prng, wprng, &pubkey)) != CRYPT_OK)      { goto errnokey; }
+      if ((err = ecc_copy_curve(key, &pubkey)) != CRYPT_OK)                    { goto errnokey; }
+      if (key->rfc6979_hash_alg != NULL) {
+         if ((err = ecc_rfc6979_key(key, in, inlen, &pubkey)) != CRYPT_OK)     { goto errnokey; }
+      } else {
+         if ((err = ecc_generate_key(prng, wprng, &pubkey)) != CRYPT_OK)       { goto errnokey; }
+      }
 
       /* find r = x1 mod n */
       if ((err = ltc_mp_mod(pubkey.pubkey.x, p, r)) != CRYPT_OK)               { goto error; }
@@ -78,7 +82,7 @@ int ecc_sign_hash_internal(const unsigned char *in,  unsigned long inlen,
       if (ltc_mp_iszero(r) == LTC_MP_YES) {
          ecc_free(&pubkey);
       } else {
-         if ((err = rand_bn_upto(b, p, prng, wprng)) != CRYPT_OK)          { goto error; } /* b = blinding value */
+         if ((err = rand_bn_upto(b, p, prng, wprng)) != CRYPT_OK)              { goto error; } /* b = blinding value */
          /* find s = (e + xr)/k */
          if ((err = ltc_mp_mulmod(pubkey.k, b, p, pubkey.k)) != CRYPT_OK)      { goto error; } /* k = kb */
          if ((err = ltc_mp_invmod(pubkey.k, p, pubkey.k)) != CRYPT_OK)         { goto error; } /* k = 1/kb */