1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161
//! Low-level ECDSA primitives. //! //! # ⚠️ Warning: Hazmat! //! //! YOU PROBABLY DON'T WANT TO USE THESE! //! //! These primitives are easy-to-misuse low-level interfaces intended to be //! implemented by elliptic curve crates and consumed only by this crate! //! //! If you are an end user / non-expert in cryptography, do not use these! //! Failure to use them correctly can lead to catastrophic failures including //! FULL PRIVATE KEY RECOVERY! #[cfg(feature = "arithmetic")] use { crate::{Result, SignatureSize}, core::borrow::Borrow, elliptic_curve::{ops::Invert, ProjectiveArithmetic, Scalar}, }; #[cfg(feature = "digest")] use { crate::signature::{digest::Digest, PrehashSignature}, elliptic_curve::FieldSize, }; #[cfg(any(feature = "arithmetic", feature = "digest"))] use crate::{ elliptic_curve::{generic_array::ArrayLength, weierstrass::Curve}, Signature, }; /// Try to sign the given prehashed message using ECDSA. /// /// This trait is intended to be implemented on a type with access /// to the secret scalar via `&self`, such as particular curve's `Scalar` type, /// or potentially a key handle to a hardware device. #[cfg(feature = "arithmetic")] #[cfg_attr(docsrs, doc(cfg(feature = "arithmetic")))] pub trait SignPrimitive<C> where C: Curve + ProjectiveArithmetic, SignatureSize<C>: ArrayLength<u8>, { /// Try to sign the prehashed message. /// /// Accepts the following arguments: /// /// - `ephemeral_scalar`: ECDSA `k` value. MUST BE UNIFORMLY RANDOM!!! /// - `hashed_msg`: scalar computed from a hashed message digest to be signed. /// MUST BE OUTPUT OF A CRYPTOGRAPHICALLY SECURE DIGEST ALGORITHM!!! fn try_sign_prehashed<K: Borrow<Scalar<C>> + Invert<Output = Scalar<C>>>( &self, ephemeral_scalar: &K, hashed_msg: &Scalar<C>, ) -> Result<Signature<C>>; } /// [`SignPrimitive`] for signature implementations that can provide public key /// recovery implementation. #[cfg(feature = "arithmetic")] #[cfg_attr(docsrs, doc(cfg(feature = "arithmetic")))] pub trait RecoverableSignPrimitive<C> where C: Curve + ProjectiveArithmetic, SignatureSize<C>: ArrayLength<u8>, { /// Try to sign the prehashed message. /// /// Accepts the same arguments as [`SignPrimitive::try_sign_prehashed`] /// but returns a boolean flag which indicates whether or not the /// y-coordinate of the computed 𝐑 = 𝑘×𝑮 point is odd, which can be /// incorporated into recoverable signatures. fn try_sign_recoverable_prehashed<K: Borrow<Scalar<C>> + Invert<Output = Scalar<C>>>( &self, ephemeral_scalar: &K, hashed_msg: &Scalar<C>, ) -> Result<(Signature<C>, bool)>; } #[cfg(feature = "arithmetic")] impl<C, T> SignPrimitive<C> for T where C: Curve + ProjectiveArithmetic, T: RecoverableSignPrimitive<C>, SignatureSize<C>: ArrayLength<u8>, { fn try_sign_prehashed<K: Borrow<Scalar<C>> + Invert<Output = Scalar<C>>>( &self, ephemeral_scalar: &K, hashed_msg: &Scalar<C>, ) -> Result<Signature<C>> { self.try_sign_recoverable_prehashed(ephemeral_scalar, hashed_msg) .map(|res| res.0) } } /// Verify the given prehashed message using ECDSA. /// /// This trait is intended to be implemented on type which can access /// the affine point represeting the public key via `&self`, such as a /// particular curve's `AffinePoint` type. #[cfg(feature = "arithmetic")] #[cfg_attr(docsrs, doc(cfg(feature = "arithmetic")))] pub trait VerifyPrimitive<C> where C: Curve + ProjectiveArithmetic, SignatureSize<C>: ArrayLength<u8>, { /// Verify the prehashed message against the provided signature /// /// Accepts the following arguments: /// /// - `hashed_msg`: prehashed message to be verified /// - `signature`: signature to be verified against the key and message fn verify_prehashed(&self, hashed_msg: &Scalar<C>, signature: &Signature<C>) -> Result<()>; } /// Bind a preferred [`Digest`] algorithm to an elliptic curve type. /// /// Generally there is a preferred variety of the SHA-2 family used with ECDSA /// for a particular elliptic curve. /// /// This trait can be used to specify it, and with it receive a blanket impl of /// [`PrehashSignature`], used by [`signature_derive`][1]) for the [`Signature`] /// type for a particular elliptic curve. /// /// [1]: https://github.com/RustCrypto/traits/tree/master/signature/derive #[cfg(feature = "digest")] #[cfg_attr(docsrs, doc(cfg(feature = "digest")))] pub trait DigestPrimitive: Curve { /// Preferred digest to use when computing ECDSA signatures for this /// elliptic curve. This should be a member of the SHA-2 family. type Digest: Digest; } /// Instantiate this type from the output of a digest. /// /// This trait is intended for use in ECDSA and should perform a conversion /// which is compatible with the rules for calculating `h` from `H(M)` set out /// in RFC6979 section 2.4. This conversion cannot fail. /// /// This trait may also be useful for other hash-to-scalar or hash-to-curve /// use cases. #[cfg(feature = "digest")] #[cfg_attr(docsrs, doc(cfg(feature = "digest")))] pub trait FromDigest<C: Curve> { /// Instantiate this type from a [`Digest`] instance fn from_digest<D>(digest: D) -> Self where D: Digest<OutputSize = FieldSize<C>>; } #[cfg(feature = "digest")] impl<C> PrehashSignature for Signature<C> where C: DigestPrimitive, <FieldSize<C> as core::ops::Add>::Output: ArrayLength<u8>, { type Digest = C::Digest; }