ed448_goldilocks/sign/

verifying_key.rs

//! Much of this code is borrowed from Thomas Pornin's [CRRL Project](https://github.com/pornin/crrl/blob/main/src/ed448.rs)
//! and adapted to mirror `ed25519-dalek`'s API.

use crate::edwards::affine::PointBytes;
use crate::sign::{HASH_HEAD, InnerSignature};
use crate::{
    CompressedEdwardsY, Context, EdwardsPoint, EdwardsScalar, PreHash, Signature, SigningError,
    WideEdwardsScalarBytes,
};

#[cfg(feature = "serde")]
use crate::PUBLIC_KEY_LENGTH;

#[cfg(feature = "pkcs8")]
use elliptic_curve::pkcs8;

use core::{
    fmt::{self, Debug, Formatter},
    hash::{Hash, Hasher},
};
use elliptic_curve::Group;
use sha3::{
    Shake256,
    digest::{Digest, ExtendableOutput, Update, XofReader},
};
use signature::Error;

/// Ed448 public key as defined in [RFC8032 § 5.2.5]
#[derive(Copy, Clone, Default, Eq)]
pub struct VerifyingKey {
    pub(crate) compressed: CompressedEdwardsY,
    pub(crate) point: EdwardsPoint,
}

impl Debug for VerifyingKey {
    fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
        write!(f, "VerifyingKey({:?}), {:?}", self.compressed, self.point)
    }
}

impl AsRef<[u8]> for VerifyingKey {
    fn as_ref(&self) -> &[u8] {
        self.compressed.as_bytes()
    }
}

impl Hash for VerifyingKey {
    fn hash<H: Hasher>(&self, state: &mut H) {
        self.compressed.as_bytes().hash(state);
    }
}

impl PartialEq for VerifyingKey {
    fn eq(&self, other: &Self) -> bool {
        self.compressed.as_bytes() == other.compressed.as_bytes()
    }
}

impl signature::Verifier<Signature> for VerifyingKey {
    fn verify(&self, msg: &[u8], signature: &Signature) -> Result<(), Error> {
        self.verify_raw(signature, msg)
    }
}

impl<D> signature::DigestVerifier<D, Signature> for VerifyingKey
where
    D: Digest + Update,
{
    fn verify_digest<F: Fn(&mut D) -> Result<(), Error>>(
        &self,
        f: F,
        signature: &Signature,
    ) -> Result<(), Error> {
        let mut digest = D::new();
        f(&mut digest)?;
        self.verify_inner(signature, 1, &[], &digest.finalize())
    }
}

impl signature::Verifier<Signature> for Context<'_, '_, VerifyingKey> {
    fn verify(&self, msg: &[u8], signature: &Signature) -> Result<(), Error> {
        self.key.verify_ctx(signature, self.value, msg)
    }
}

impl<D> signature::DigestVerifier<D, Signature> for Context<'_, '_, VerifyingKey>
where
    D: Digest + Update,
{
    fn verify_digest<F: Fn(&mut D) -> Result<(), Error>>(
        &self,
        f: F,
        signature: &Signature,
    ) -> Result<(), Error> {
        let mut digest = D::new();
        f(&mut digest)?;
        self.key
            .verify_inner(signature, 1, self.value, &digest.finalize())
    }
}

#[cfg(feature = "pkcs8")]
pub use ed448::pkcs8::PublicKeyBytes;

#[cfg(feature = "pkcs8")]
impl TryFrom<PublicKeyBytes> for VerifyingKey {
    type Error = pkcs8::spki::Error;

    fn try_from(value: PublicKeyBytes) -> Result<Self, Self::Error> {
        VerifyingKey::try_from(&value)
    }
}

#[cfg(feature = "pkcs8")]
impl TryFrom<&PublicKeyBytes> for VerifyingKey {
    type Error = pkcs8::spki::Error;

    fn try_from(value: &PublicKeyBytes) -> Result<Self, Self::Error> {
        VerifyingKey::from_bytes(&value.0).map_err(|_| pkcs8::spki::Error::KeyMalformed)
    }
}

#[cfg(feature = "pkcs8")]
impl From<VerifyingKey> for PublicKeyBytes {
    fn from(key: VerifyingKey) -> Self {
        Self(key.compressed.to_bytes())
    }
}

#[cfg(all(feature = "alloc", feature = "pkcs8"))]
impl pkcs8::EncodePublicKey for VerifyingKey {
    fn to_public_key_der(&self) -> pkcs8::spki::Result<pkcs8::Document> {
        PublicKeyBytes::from(*self).to_public_key_der()
    }
}

#[cfg(all(feature = "alloc", feature = "pkcs8"))]
impl pkcs8::spki::DynSignatureAlgorithmIdentifier for VerifyingKey {
    fn signature_algorithm_identifier(
        &self,
    ) -> pkcs8::spki::Result<pkcs8::spki::AlgorithmIdentifierOwned> {
        // From https://datatracker.ietf.org/doc/html/rfc8410
        Ok(pkcs8::spki::AlgorithmIdentifierOwned {
            oid: super::ALGORITHM_OID,
            parameters: None,
        })
    }
}

#[cfg(feature = "pkcs8")]
impl TryFrom<pkcs8::spki::SubjectPublicKeyInfoRef<'_>> for VerifyingKey {
    type Error = pkcs8::spki::Error;

    fn try_from(public_key: pkcs8::spki::SubjectPublicKeyInfoRef<'_>) -> pkcs8::spki::Result<Self> {
        PublicKeyBytes::try_from(public_key)?.try_into()
    }
}

#[cfg(feature = "serde")]
impl serdect::serde::Serialize for VerifyingKey {
    fn serialize<S: serdect::serde::Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
        serdect::array::serialize_hex_lower_or_bin(self.compressed.as_bytes(), s)
    }
}

#[cfg(feature = "serde")]
impl<'de> serdect::serde::Deserialize<'de> for VerifyingKey {
    fn deserialize<D: serdect::serde::Deserializer<'de>>(d: D) -> Result<Self, D::Error> {
        let mut bytes = [0u8; PUBLIC_KEY_LENGTH];
        serdect::array::deserialize_hex_or_bin(&mut bytes, d)?;
        VerifyingKey::from_bytes(&bytes).map_err(serdect::serde::de::Error::custom)
    }
}

impl VerifyingKey {
    /// Convert this verifying key into byte slice
    pub fn to_bytes(&self) -> PointBytes {
        self.compressed.to_bytes()
    }

    /// View this public key as a byte slice.
    pub fn as_bytes(&self) -> &PointBytes {
        self.compressed.as_bytes()
    }

    /// Construct a `VerifyingKey` from a slice of bytes.
    pub fn from_bytes(bytes: &PointBytes) -> Result<Self, Error> {
        let compressed = CompressedEdwardsY(*bytes);
        let point = compressed
            .decompress()
            .into_option()
            .map(|point| point.to_edwards())
            .ok_or(SigningError::InvalidPublicKeyBytes)?;
        if point.is_identity().into() {
            return Err(SigningError::InvalidPublicKeyBytes.into());
        }
        Ok(Self { compressed, point })
    }

    /// Create a context for this verifying key that can be used with [`signature::DigestVerifier`].
    pub fn with_context<'k, 'v>(&'k self, context: &'v [u8]) -> Context<'k, 'v, Self> {
        Context {
            key: self,
            value: context,
        }
    }

    /// Return the verifying key in Edwards form.
    pub fn to_edwards(self) -> EdwardsPoint {
        self.point
    }

    /// Verifies a signature on a message.
    ///
    /// This is the "Ed448" mode of RFC 8032 (no pre-hashing, a
    /// context is provided). This is equivalent to `verify_ctx()`
    /// with an empty (zero-length) context.
    ///
    /// Note: this function is not constant-time; it assumes that the
    /// public key and signature value are public data.
    pub fn verify_raw(&self, signature: &Signature, message: &[u8]) -> Result<(), Error> {
        self.verify_inner(signature, 0, &[], message)
    }

    /// Verifies a signature on a message (with context).
    ///
    /// This is the "Ed448" mode of RFC 8032 (no pre-hashing, a
    /// context is provided). The context string MUST have length at most
    /// 255 bytes. Return value is `Ok` on a valid signature, `Error`
    /// otherwise.
    ///
    /// Note: this function is not constant-time; it assumes that the
    /// public key and signature value are public data.
    pub fn verify_ctx(self, sig: &Signature, ctx: &[u8], message: &[u8]) -> Result<(), Error> {
        self.verify_inner(sig, 0, ctx, message)
    }

    /// Verifies a signature on a hashed message.
    ///
    /// This is the "Ed448ph" mode of RFC 8032 (message is pre-hashed),
    /// also known as "HashEdDSA on Curve448". The hashed message `prehashed_message`
    /// is provided (presumably, that hash value was obtained with
    /// SHAKE256 and a 64-byte output; the caller does the hashing itself).
    /// A context string `ctx` is
    /// also provided; it MUST have length at most 255 bytes. Return
    /// value is `Ok` on a valid signature, `Error` otherwise.
    ///
    /// Note: this function is not constant-time; it assumes that the
    /// public key and signature value are public data.
    pub fn verify_prehashed<D>(
        self,
        sig: &Signature,
        ctx: Option<&[u8]>,
        mut prehashed_message: D,
    ) -> Result<(), Error>
    where
        D: PreHash,
    {
        let mut m = [0u8; 64];
        prehashed_message.fill_bytes(&mut m);
        self.verify_inner(sig, 1, ctx.unwrap_or_default(), &m)
    }

    fn verify_inner(
        &self,
        signature: &Signature,
        phflag: u8,
        ctx: &[u8],
        m: &[u8],
    ) -> Result<(), Error> {
        // `signature` should already be valid but check to make sure
        // Note that the scalar itself uses only 56 bytes; the extra
        // 57th byte must be 0x00.
        if signature.s_bytes()[56] != 0x00 {
            return Err(SigningError::InvalidSignatureSComponent.into());
        }
        if self.point.is_identity().into() {
            return Err(SigningError::InvalidPublicKeyBytes.into());
        }

        let inner_signature = InnerSignature::try_from(signature)?;
        if inner_signature.r.is_identity().into() {
            return Err(SigningError::InvalidSignatureRComponent.into());
        }

        if inner_signature.s.is_zero().into() {
            return Err(SigningError::InvalidSignatureSComponent.into());
        }

        // SHAKE256(dom4(F, C) || R || A || PH(M), 114) -> scalar k
        let mut bytes = WideEdwardsScalarBytes::default();
        let ctx_len = ctx.len() as u8;
        let mut reader = Shake256::default()
            .chain(HASH_HEAD)
            .chain([phflag])
            .chain([ctx_len])
            .chain(ctx)
            .chain(signature.r_bytes())
            .chain(self.compressed.as_bytes())
            .chain(m)
            .finalize_xof();
        reader.read(&mut bytes);
        let k = EdwardsScalar::from_bytes_mod_order_wide(&bytes);
        // Check the verification equation [S]B = R + [k]A.
        let lhs = EdwardsPoint::GENERATOR * inner_signature.s;
        let rhs = inner_signature.r + (self.point * k);
        if lhs == rhs {
            Ok(())
        } else {
            Err(SigningError::Verify.into())
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::{PUBLIC_KEY_LENGTH, PreHasherXof, SecretKey, SigningKey};

    struct Ed448TestVector<'a> {
        s: &'a str,
        q: &'a str,
        m: &'a str,
        ph: bool,
        ctx: &'a str,
        sig: &'a str,
    }

    // Test vectors from RFC 8032.
    const TEST_VECTORS: [Ed448TestVector; 6] = [
        // Empty message, empty context.
        Ed448TestVector {
            s: "6c82a562cb808d10d632be89c8513ebf6c929f34ddfa8c9f63c9960ef6e348a3528c8a3fcc2f044e39a3fc5b94492f8f032e7549a20098f95b",
            q: "5fd7449b59b461fd2ce787ec616ad46a1da1342485a70e1f8a0ea75d80e96778edf124769b46c7061bd6783df1e50f6cd1fa1abeafe8256180",
            m: "",
            ph: false,
            ctx: "",
            sig: "533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600",
        },
        // 1-byte message, empty context.
        Ed448TestVector {
            s: "c4eab05d357007c632f3dbb48489924d552b08fe0c353a0d4a1f00acda2c463afbea67c5e8d2877c5e3bc397a659949ef8021e954e0a12274e",
            q: "43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480",
            m: "03",
            ph: false,
            ctx: "",
            sig: "26b8f91727bd62897af15e41eb43c377efb9c610d48f2335cb0bd0087810f4352541b143c4b981b7e18f62de8ccdf633fc1bf037ab7cd779805e0dbcc0aae1cbcee1afb2e027df36bc04dcecbf154336c19f0af7e0a6472905e799f1953d2a0ff3348ab21aa4adafd1d234441cf807c03a00",
        },
        // 1-byte message, 3-byte context.
        Ed448TestVector {
            s: "c4eab05d357007c632f3dbb48489924d552b08fe0c353a0d4a1f00acda2c463afbea67c5e8d2877c5e3bc397a659949ef8021e954e0a12274e",
            q: "43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480",
            m: "03",
            ph: false,
            ctx: "666f6f",
            sig: "d4f8f6131770dd46f40867d6fd5d5055de43541f8c5e35abbcd001b32a89f7d2151f7647f11d8ca2ae279fb842d607217fce6e042f6815ea000c85741de5c8da1144a6a1aba7f96de42505d7a7298524fda538fccbbb754f578c1cad10d54d0d5428407e85dcbc98a49155c13764e66c3c00",
        },
        // 256-byte message, empty context.
        Ed448TestVector {
            s: "2ec5fe3c17045abdb136a5e6a913e32ab75ae68b53d2fc149b77e504132d37569b7e766ba74a19bd6162343a21c8590aa9cebca9014c636df5",
            q: "79756f014dcfe2079f5dd9e718be4171e2ef2486a08f25186f6bff43a9936b9bfe12402b08ae65798a3d81e22e9ec80e7690862ef3d4ed3a00",
            m: "15777532b0bdd0d1389f636c5f6b9ba734c90af572877e2d272dd078aa1e567cfa80e12928bb542330e8409f3174504107ecd5efac61ae7504dabe2a602ede89e5cca6257a7c77e27a702b3ae39fc769fc54f2395ae6a1178cab4738e543072fc1c177fe71e92e25bf03e4ecb72f47b64d0465aaea4c7fad372536c8ba516a6039c3c2a39f0e4d832be432dfa9a706a6e5c7e19f397964ca4258002f7c0541b590316dbc5622b6b2a6fe7a4abffd96105eca76ea7b98816af0748c10df048ce012d901015a51f189f3888145c03650aa23ce894c3bd889e030d565071c59f409a9981b51878fd6fc110624dcbcde0bf7a69ccce38fabdf86f3bef6044819de11",
            ph: false,
            ctx: "",
            sig: "c650ddbb0601c19ca11439e1640dd931f43c518ea5bea70d3dcde5f4191fe53f00cf966546b72bcc7d58be2b9badef28743954e3a44a23f880e8d4f1cfce2d7a61452d26da05896f0a50da66a239a8a188b6d825b3305ad77b73fbac0836ecc60987fd08527c1a8e80d5823e65cafe2a3d00",
        },
        // 3-byte message, pre-hashed, empty context.
        Ed448TestVector {
            s: "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42ef7822e0d5104127dc05d6dbefde69e3ab2cec7c867c6e2c49",
            q: "259b71c19f83ef77a7abd26524cbdb3161b590a48f7d17de3ee0ba9c52beb743c09428a131d6b1b57303d90d8132c276d5ed3d5d01c0f53880",
            m: "616263",
            ph: true,
            ctx: "",
            sig: "822f6901f7480f3d5f562c592994d9693602875614483256505600bbc281ae381f54d6bce2ea911574932f52a4e6cadd78769375ec3ffd1b801a0d9b3f4030cd433964b6457ea39476511214f97469b57dd32dbc560a9a94d00bff07620464a3ad203df7dc7ce360c3cd3696d9d9fab90f00",
        },
        Ed448TestVector {
            s: "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42ef7822e0d5104127dc05d6dbefde69e3ab2cec7c867c6e2c49",
            q: "259b71c19f83ef77a7abd26524cbdb3161b590a48f7d17de3ee0ba9c52beb743c09428a131d6b1b57303d90d8132c276d5ed3d5d01c0f53880",
            m: "616263",
            ph: true,
            ctx: "666f6f",
            sig: "c32299d46ec8ff02b54540982814dce9a05812f81962b649d528095916a2aa481065b1580423ef927ecf0af5888f90da0f6a9a85ad5dc3f280d91224ba9911a3653d00e484e2ce232521481c8658df304bb7745a73514cdb9bf3e15784ab71284f8d0704a608c54a6b62d97beb511d132100",
        },
    ];

    #[test]
    fn signatures() {
        for tv in TEST_VECTORS.iter() {
            let mut seed = SecretKey::default();
            hex::decode_to_slice(tv.s, &mut seed).unwrap();
            let mut q_enc = [0u8; PUBLIC_KEY_LENGTH];
            hex::decode_to_slice(tv.q, &mut q_enc).unwrap();
            let msg = hex::decode(tv.m).unwrap();
            let ctx = hex::decode(tv.ctx).unwrap();
            let mut sig = [0u8; 114];
            hex::decode_to_slice(tv.sig, &mut sig[..]).unwrap();
            let sig = Signature::try_from(&sig[..]).unwrap();

            let skey = SigningKey::from(&seed);
            assert_eq!(&q_enc[..], skey.verifying_key().as_bytes());
            if tv.ph {
                assert_eq!(
                    skey.sign_prehashed::<PreHasherXof<Shake256>>(
                        Some(&ctx[..]),
                        Shake256::default().chain(&msg).into(),
                    )
                    .unwrap(),
                    sig
                );
            } else {
                assert_eq!(skey.sign_ctx(&ctx[..], &msg[..]).unwrap(), sig);
                if ctx.is_empty() {
                    assert_eq!(skey.sign_raw(&msg[..]), sig);
                }
            }

            let pkey = VerifyingKey::from_bytes(&q_enc).unwrap();
            if tv.ph {
                let mut reader = Shake256::default().chain(&msg).finalize_xof();
                let mut hm = [0u8; 64];
                reader.read(&mut hm);
                assert!(pkey.verify_inner(&sig, 1, &ctx[..], &hm).is_ok());
                assert!(pkey.verify_inner(&sig, 1, &[1u8], &hm).is_err());
                hm[42] ^= 0x08;
                assert!(pkey.verify_inner(&sig, 1, &ctx[..], &hm).is_err());
            } else {
                assert!(pkey.verify_ctx(&sig, &ctx[..], &msg[..]).is_ok());
                assert!(pkey.verify_ctx(&sig, &[1u8], &msg[..]).is_err());
                assert!(pkey.verify_ctx(&sig, &ctx[..], &[0u8]).is_err());
                if ctx.is_empty() {
                    assert!(pkey.verify_raw(&sig, &msg[..]).is_ok());
                }
            }
        }
    }

    #[cfg(feature = "serde")]
    #[test]
    fn serialization() {
        use rand_chacha::ChaCha8Rng;
        use rand_core::SeedableRng;

        let mut rng = ChaCha8Rng::from_seed([0u8; 32]);
        let signing_key = SigningKey::generate(&mut rng);
        let verifying_key = signing_key.verifying_key();

        let bytes = serde_bare::to_vec(&verifying_key).unwrap();
        let verifying_key2: VerifyingKey = serde_bare::from_slice(&bytes).unwrap();
        assert_eq!(verifying_key, verifying_key2);

        let string = serde_json::to_string(&verifying_key).unwrap();
        let verifying_key3: VerifyingKey = serde_json::from_str(&string).unwrap();
        assert_eq!(verifying_key, verifying_key3);
    }
}