2011-03-10 09:42:34 -05:00
|
|
|
// Copyright 2011 The Go Authors. All rights reserved.
|
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
|
|
package ecdsa
|
|
|
|
|
|
|
|
|
|
import (
|
2012-05-22 10:33:14 -04:00
|
|
|
"bufio"
|
|
|
|
|
"compress/bzip2"
|
2011-03-10 09:42:34 -05:00
|
|
|
"crypto/elliptic"
|
|
|
|
|
"crypto/rand"
|
2011-11-02 15:54:16 -04:00
|
|
|
"crypto/sha1"
|
2012-05-22 10:33:14 -04:00
|
|
|
"crypto/sha256"
|
|
|
|
|
"crypto/sha512"
|
2011-03-10 09:42:34 -05:00
|
|
|
"encoding/hex"
|
2012-05-22 10:33:14 -04:00
|
|
|
"hash"
|
|
|
|
|
"io"
|
2011-11-08 15:40:58 -08:00
|
|
|
"math/big"
|
2012-05-22 10:33:14 -04:00
|
|
|
"os"
|
|
|
|
|
"strings"
|
2011-03-10 09:42:34 -05:00
|
|
|
"testing"
|
|
|
|
|
)
|
|
|
|
|
|
2012-01-19 08:39:03 -05:00
|
|
|
func testKeyGeneration(t *testing.T, c elliptic.Curve, tag string) {
|
2011-03-10 09:42:34 -05:00
|
|
|
priv, err := GenerateKey(c, rand.Reader)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("%s: error: %s", tag, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if !c.IsOnCurve(priv.PublicKey.X, priv.PublicKey.Y) {
|
2011-03-29 14:03:08 -07:00
|
|
|
t.Errorf("%s: public key invalid: %s", tag, err)
|
2011-03-10 09:42:34 -05:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestKeyGeneration(t *testing.T) {
|
|
|
|
|
testKeyGeneration(t, elliptic.P224(), "p224")
|
2011-03-25 14:50:44 -07:00
|
|
|
if testing.Short() {
|
|
|
|
|
return
|
|
|
|
|
}
|
2011-03-10 09:42:34 -05:00
|
|
|
testKeyGeneration(t, elliptic.P256(), "p256")
|
|
|
|
|
testKeyGeneration(t, elliptic.P384(), "p384")
|
|
|
|
|
testKeyGeneration(t, elliptic.P521(), "p521")
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-17 06:10:35 -07:00
|
|
|
func BenchmarkSignP256(b *testing.B) {
|
|
|
|
|
b.ResetTimer()
|
|
|
|
|
p256 := elliptic.P256()
|
|
|
|
|
hashed := []byte("testing")
|
|
|
|
|
priv, _ := GenerateKey(p256, rand.Reader)
|
|
|
|
|
|
2017-11-29 13:20:08 -06:00
|
|
|
b.ReportAllocs()
|
2016-08-12 13:45:50 -05:00
|
|
|
b.ResetTimer()
|
2017-11-29 13:20:08 -06:00
|
|
|
b.RunParallel(func(pb *testing.PB) {
|
|
|
|
|
for pb.Next() {
|
|
|
|
|
_, _, _ = Sign(rand.Reader, priv, hashed)
|
|
|
|
|
}
|
|
|
|
|
})
|
2016-08-12 13:45:50 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func BenchmarkSignP384(b *testing.B) {
|
|
|
|
|
b.ResetTimer()
|
|
|
|
|
p384 := elliptic.P384()
|
|
|
|
|
hashed := []byte("testing")
|
|
|
|
|
priv, _ := GenerateKey(p384, rand.Reader)
|
|
|
|
|
|
2017-11-29 13:20:08 -06:00
|
|
|
b.ReportAllocs()
|
2015-04-17 06:10:35 -07:00
|
|
|
b.ResetTimer()
|
2017-11-29 13:20:08 -06:00
|
|
|
b.RunParallel(func(pb *testing.PB) {
|
|
|
|
|
for pb.Next() {
|
|
|
|
|
_, _, _ = Sign(rand.Reader, priv, hashed)
|
|
|
|
|
}
|
|
|
|
|
})
|
2015-04-17 06:10:35 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func BenchmarkVerifyP256(b *testing.B) {
|
|
|
|
|
b.ResetTimer()
|
|
|
|
|
p256 := elliptic.P256()
|
|
|
|
|
hashed := []byte("testing")
|
|
|
|
|
priv, _ := GenerateKey(p256, rand.Reader)
|
|
|
|
|
r, s, _ := Sign(rand.Reader, priv, hashed)
|
|
|
|
|
|
2017-11-29 13:20:08 -06:00
|
|
|
b.ReportAllocs()
|
2015-04-17 06:10:35 -07:00
|
|
|
b.ResetTimer()
|
2017-11-29 13:20:08 -06:00
|
|
|
b.RunParallel(func(pb *testing.PB) {
|
|
|
|
|
for pb.Next() {
|
|
|
|
|
Verify(&priv.PublicKey, hashed, r, s)
|
|
|
|
|
}
|
|
|
|
|
})
|
2015-04-17 06:10:35 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func BenchmarkKeyGeneration(b *testing.B) {
|
|
|
|
|
b.ResetTimer()
|
|
|
|
|
p256 := elliptic.P256()
|
|
|
|
|
|
2017-11-29 13:20:08 -06:00
|
|
|
b.ReportAllocs()
|
2015-04-17 06:10:35 -07:00
|
|
|
b.ResetTimer()
|
2017-11-29 13:20:08 -06:00
|
|
|
b.RunParallel(func(pb *testing.PB) {
|
|
|
|
|
for pb.Next() {
|
|
|
|
|
GenerateKey(p256, rand.Reader)
|
|
|
|
|
}
|
|
|
|
|
})
|
2015-04-17 06:10:35 -07:00
|
|
|
}
|
|
|
|
|
|
2012-01-19 08:39:03 -05:00
|
|
|
func testSignAndVerify(t *testing.T, c elliptic.Curve, tag string) {
|
2011-03-10 09:42:34 -05:00
|
|
|
priv, _ := GenerateKey(c, rand.Reader)
|
|
|
|
|
|
|
|
|
|
hashed := []byte("testing")
|
|
|
|
|
r, s, err := Sign(rand.Reader, priv, hashed)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("%s: error signing: %s", tag, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !Verify(&priv.PublicKey, hashed, r, s) {
|
|
|
|
|
t.Errorf("%s: Verify failed", tag)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hashed[0] ^= 0xff
|
|
|
|
|
if Verify(&priv.PublicKey, hashed, r, s) {
|
|
|
|
|
t.Errorf("%s: Verify always works!", tag)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestSignAndVerify(t *testing.T) {
|
|
|
|
|
testSignAndVerify(t, elliptic.P224(), "p224")
|
2011-03-25 14:50:44 -07:00
|
|
|
if testing.Short() {
|
|
|
|
|
return
|
|
|
|
|
}
|
2011-03-10 09:42:34 -05:00
|
|
|
testSignAndVerify(t, elliptic.P256(), "p256")
|
|
|
|
|
testSignAndVerify(t, elliptic.P384(), "p384")
|
|
|
|
|
testSignAndVerify(t, elliptic.P521(), "p521")
|
|
|
|
|
}
|
|
|
|
|
|
crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.
Fixes #9452
--
This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:
- csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
- reader = AES-256-CTR(k=csprng_key)
This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.
ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:
*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.
*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.
--
Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.
--
[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"
[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"
[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"
[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"
[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"
New tests:
TestNonceSafety: Check that signatures are safe even with a
broken entropy source.
TestINDCCA: Check that signatures remain non-deterministic
with a functional entropy source.
Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.
Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-26 23:00:21 -08:00
|
|
|
func testNonceSafety(t *testing.T, c elliptic.Curve, tag string) {
|
|
|
|
|
priv, _ := GenerateKey(c, rand.Reader)
|
|
|
|
|
|
|
|
|
|
hashed := []byte("testing")
|
|
|
|
|
r0, s0, err := Sign(zeroReader, priv, hashed)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("%s: error signing: %s", tag, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hashed = []byte("testing...")
|
|
|
|
|
r1, s1, err := Sign(zeroReader, priv, hashed)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("%s: error signing: %s", tag, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if s0.Cmp(s1) == 0 {
|
|
|
|
|
// This should never happen.
|
2015-08-11 15:29:40 +10:00
|
|
|
t.Errorf("%s: the signatures on two different messages were the same", tag)
|
crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.
Fixes #9452
--
This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:
- csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
- reader = AES-256-CTR(k=csprng_key)
This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.
ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:
*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.
*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.
--
Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.
--
[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"
[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"
[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"
[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"
[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"
New tests:
TestNonceSafety: Check that signatures are safe even with a
broken entropy source.
TestINDCCA: Check that signatures remain non-deterministic
with a functional entropy source.
Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.
Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-26 23:00:21 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if r0.Cmp(r1) == 0 {
|
2016-02-24 11:55:20 +01:00
|
|
|
t.Errorf("%s: the nonce used for two different messages was the same", tag)
|
crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.
Fixes #9452
--
This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:
- csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
- reader = AES-256-CTR(k=csprng_key)
This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.
ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:
*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.
*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.
--
Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.
--
[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"
[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"
[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"
[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"
[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"
New tests:
TestNonceSafety: Check that signatures are safe even with a
broken entropy source.
TestINDCCA: Check that signatures remain non-deterministic
with a functional entropy source.
Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.
Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-26 23:00:21 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestNonceSafety(t *testing.T) {
|
|
|
|
|
testNonceSafety(t, elliptic.P224(), "p224")
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
testNonceSafety(t, elliptic.P256(), "p256")
|
|
|
|
|
testNonceSafety(t, elliptic.P384(), "p384")
|
|
|
|
|
testNonceSafety(t, elliptic.P521(), "p521")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func testINDCCA(t *testing.T, c elliptic.Curve, tag string) {
|
|
|
|
|
priv, _ := GenerateKey(c, rand.Reader)
|
|
|
|
|
|
|
|
|
|
hashed := []byte("testing")
|
|
|
|
|
r0, s0, err := Sign(rand.Reader, priv, hashed)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("%s: error signing: %s", tag, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r1, s1, err := Sign(rand.Reader, priv, hashed)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("%s: error signing: %s", tag, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if s0.Cmp(s1) == 0 {
|
2015-08-11 15:29:40 +10:00
|
|
|
t.Errorf("%s: two signatures of the same message produced the same result", tag)
|
crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.
Fixes #9452
--
This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:
- csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
- reader = AES-256-CTR(k=csprng_key)
This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.
ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:
*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.
*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.
--
Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.
--
[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"
[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"
[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"
[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"
[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"
New tests:
TestNonceSafety: Check that signatures are safe even with a
broken entropy source.
TestINDCCA: Check that signatures remain non-deterministic
with a functional entropy source.
Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.
Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-26 23:00:21 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if r0.Cmp(r1) == 0 {
|
2015-08-11 15:29:40 +10:00
|
|
|
t.Errorf("%s: two signatures of the same message produced the same nonce", tag)
|
crypto/ecdsa: make Sign safe with broken entropy sources
ECDSA is unsafe to use if an entropy source produces predictable
output for the ephemeral nonces. E.g., [Nguyen]. A simple
countermeasure is to hash the secret key, the message, and
entropy together to seed a CSPRNG, from which the ephemeral key
is derived.
Fixes #9452
--
This is a minimalist (in terms of patch size) solution, though
not the most parsimonious in its use of primitives:
- csprng_key = ChopMD-256(SHA2-512(priv.D||entropy||hash))
- reader = AES-256-CTR(k=csprng_key)
This, however, provides at most 128-bit collision-resistance,
so that Adv will have a term related to the number of messages
signed that is significantly worse than plain ECDSA. This does
not seem to be of any practical importance.
ChopMD-256(SHA2-512(x)) is used, rather than SHA2-256(x), for
two sets of reasons:
*Practical:* SHA2-512 has a larger state and 16 more rounds; it
is likely non-generically stronger than SHA2-256. And, AFAIK,
cryptanalysis backs this up. (E.g., [Biryukov] gives a
distinguisher on 47-round SHA2-256 with cost < 2^85.) This is
well below a reasonable security-strength target.
*Theoretical:* [Coron] and [Chang] show that Chop-MD(F(x)) is
indifferentiable from a random oracle for slightly beyond the
birthday barrier. It seems likely that this makes a generic
security proof that this construction remains UF-CMA is
possible in the indifferentiability framework.
--
Many thanks to Payman Mohassel for reviewing this construction;
any mistakes are mine, however. And, as he notes, reusing the
private key in this way means that the generic-group (non-RO)
proof of ECDSA's security given in [Brown] no longer directly
applies.
--
[Brown]: http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-54.ps
"Brown. The exact security of ECDSA. 2000"
[Coron]: https://www.cs.nyu.edu/~puniya/papers/merkle.pdf
"Coron et al. Merkle-Damgard revisited. 2005"
[Chang]: https://www.iacr.org/archive/fse2008/50860436/50860436.pdf
"Chang and Nandi. Improved indifferentiability security analysis
of chopMD hash function. 2008"
[Biryukov]: http://www.iacr.org/archive/asiacrypt2011/70730269/70730269.pdf
"Biryukov et al. Second-order differential collisions for reduced
SHA-256. 2011"
[Nguyen]: ftp://ftp.di.ens.fr/pub/users/pnguyen/PubECDSA.ps
"Nguyen and Shparlinski. The insecurity of the elliptic curve
digital signature algorithm with partially known nonces. 2003"
New tests:
TestNonceSafety: Check that signatures are safe even with a
broken entropy source.
TestINDCCA: Check that signatures remain non-deterministic
with a functional entropy source.
Updated "golden" KATs in crypto/tls/testdata that use ECDSA suites.
Change-Id: I55337a2fbec2e42a36ce719bd2184793682d678a
Reviewed-on: https://go-review.googlesource.com/3340
Reviewed-by: Adam Langley <agl@golang.org>
2015-01-26 23:00:21 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestINDCCA(t *testing.T) {
|
|
|
|
|
testINDCCA(t, elliptic.P224(), "p224")
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
testINDCCA(t, elliptic.P256(), "p256")
|
|
|
|
|
testINDCCA(t, elliptic.P384(), "p384")
|
|
|
|
|
testINDCCA(t, elliptic.P521(), "p521")
|
|
|
|
|
}
|
|
|
|
|
|
2011-03-10 09:42:34 -05:00
|
|
|
func fromHex(s string) *big.Int {
|
|
|
|
|
r, ok := new(big.Int).SetString(s, 16)
|
|
|
|
|
if !ok {
|
|
|
|
|
panic("bad hex")
|
|
|
|
|
}
|
|
|
|
|
return r
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestVectors(t *testing.T) {
|
2012-05-22 10:33:14 -04:00
|
|
|
// This test runs the full set of NIST test vectors from
|
2018-06-01 17:29:59 -03:00
|
|
|
// https://csrc.nist.gov/groups/STM/cavp/documents/dss/186-3ecdsatestvectors.zip
|
2012-05-22 10:33:14 -04:00
|
|
|
//
|
|
|
|
|
// The SigVer.rsp file has been edited to remove test vectors for
|
|
|
|
|
// unsupported algorithms and has been compressed.
|
|
|
|
|
|
|
|
|
|
if testing.Short() {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
f, err := os.Open("testdata/SigVer.rsp.bz2")
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
buf := bufio.NewReader(bzip2.NewReader(f))
|
|
|
|
|
|
|
|
|
|
lineNo := 1
|
|
|
|
|
var h hash.Hash
|
|
|
|
|
var msg []byte
|
|
|
|
|
var hashed []byte
|
|
|
|
|
var r, s *big.Int
|
|
|
|
|
pub := new(PublicKey)
|
2011-03-10 09:42:34 -05:00
|
|
|
|
2012-05-22 10:33:14 -04:00
|
|
|
for {
|
|
|
|
|
line, err := buf.ReadString('\n')
|
|
|
|
|
if len(line) == 0 {
|
|
|
|
|
if err == io.EOF {
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
t.Fatalf("error reading from input: %s", err)
|
2011-03-10 09:42:34 -05:00
|
|
|
}
|
2012-05-22 10:33:14 -04:00
|
|
|
lineNo++
|
|
|
|
|
// Need to remove \r\n from the end of the line.
|
|
|
|
|
if !strings.HasSuffix(line, "\r\n") {
|
|
|
|
|
t.Fatalf("bad line ending (expected \\r\\n) on line %d", lineNo)
|
2011-03-10 09:42:34 -05:00
|
|
|
}
|
2012-05-22 10:33:14 -04:00
|
|
|
line = line[:len(line)-2]
|
|
|
|
|
|
|
|
|
|
if len(line) == 0 || line[0] == '#' {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if line[0] == '[' {
|
|
|
|
|
line = line[1 : len(line)-1]
|
|
|
|
|
parts := strings.SplitN(line, ",", 2)
|
|
|
|
|
|
|
|
|
|
switch parts[0] {
|
|
|
|
|
case "P-224":
|
|
|
|
|
pub.Curve = elliptic.P224()
|
|
|
|
|
case "P-256":
|
|
|
|
|
pub.Curve = elliptic.P256()
|
|
|
|
|
case "P-384":
|
|
|
|
|
pub.Curve = elliptic.P384()
|
|
|
|
|
case "P-521":
|
|
|
|
|
pub.Curve = elliptic.P521()
|
|
|
|
|
default:
|
|
|
|
|
pub.Curve = nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch parts[1] {
|
|
|
|
|
case "SHA-1":
|
|
|
|
|
h = sha1.New()
|
|
|
|
|
case "SHA-224":
|
|
|
|
|
h = sha256.New224()
|
|
|
|
|
case "SHA-256":
|
|
|
|
|
h = sha256.New()
|
|
|
|
|
case "SHA-384":
|
|
|
|
|
h = sha512.New384()
|
|
|
|
|
case "SHA-512":
|
|
|
|
|
h = sha512.New()
|
|
|
|
|
default:
|
|
|
|
|
h = nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if h == nil || pub.Curve == nil {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch {
|
|
|
|
|
case strings.HasPrefix(line, "Msg = "):
|
|
|
|
|
if msg, err = hex.DecodeString(line[6:]); err != nil {
|
|
|
|
|
t.Fatalf("failed to decode message on line %d: %s", lineNo, err)
|
|
|
|
|
}
|
|
|
|
|
case strings.HasPrefix(line, "Qx = "):
|
|
|
|
|
pub.X = fromHex(line[5:])
|
|
|
|
|
case strings.HasPrefix(line, "Qy = "):
|
|
|
|
|
pub.Y = fromHex(line[5:])
|
|
|
|
|
case strings.HasPrefix(line, "R = "):
|
|
|
|
|
r = fromHex(line[4:])
|
|
|
|
|
case strings.HasPrefix(line, "S = "):
|
|
|
|
|
s = fromHex(line[4:])
|
|
|
|
|
case strings.HasPrefix(line, "Result = "):
|
|
|
|
|
expected := line[9] == 'P'
|
|
|
|
|
h.Reset()
|
|
|
|
|
h.Write(msg)
|
|
|
|
|
hashed := h.Sum(hashed[:0])
|
|
|
|
|
if Verify(pub, hashed, r, s) != expected {
|
|
|
|
|
t.Fatalf("incorrect result on line %d", lineNo)
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
t.Fatalf("unknown variable on line %d: %s", lineNo, line)
|
2011-03-25 14:50:44 -07:00
|
|
|
}
|
2011-03-10 09:42:34 -05:00
|
|
|
}
|
|
|
|
|
}
|
2016-04-14 13:52:56 -07:00
|
|
|
|
|
|
|
|
func testNegativeInputs(t *testing.T, curve elliptic.Curve, tag string) {
|
|
|
|
|
key, err := GenerateKey(curve, rand.Reader)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("failed to generate key for %q", tag)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var hash [32]byte
|
|
|
|
|
r := new(big.Int).SetInt64(1)
|
|
|
|
|
r.Lsh(r, 550 /* larger than any supported curve */)
|
|
|
|
|
r.Neg(r)
|
|
|
|
|
|
|
|
|
|
if Verify(&key.PublicKey, hash[:], r, r) {
|
|
|
|
|
t.Errorf("bogus signature accepted for %q", tag)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestNegativeInputs(t *testing.T) {
|
|
|
|
|
testNegativeInputs(t, elliptic.P224(), "p224")
|
|
|
|
|
testNegativeInputs(t, elliptic.P256(), "p256")
|
|
|
|
|
testNegativeInputs(t, elliptic.P384(), "p384")
|
|
|
|
|
testNegativeInputs(t, elliptic.P521(), "p521")
|
|
|
|
|
}
|
2017-05-03 18:20:12 -07:00
|
|
|
|
|
|
|
|
func TestZeroHashSignature(t *testing.T) {
|
|
|
|
|
zeroHash := make([]byte, 64)
|
|
|
|
|
|
|
|
|
|
for _, curve := range []elliptic.Curve{elliptic.P224(), elliptic.P256(), elliptic.P384(), elliptic.P521()} {
|
|
|
|
|
privKey, err := GenerateKey(curve, rand.Reader)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Sign a hash consisting of all zeros.
|
|
|
|
|
r, s, err := Sign(rand.Reader, privKey, zeroHash)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Confirm that it can be verified.
|
|
|
|
|
if !Verify(&privKey.PublicKey, zeroHash, r, s) {
|
|
|
|
|
t.Errorf("zero hash signature verify failed for %T", curve)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|