[crypto] Add pure Ed25519 signing and verification#233
Draft
mkannwischer wants to merge 3 commits intomasterfrom
Draft
[crypto] Add pure Ed25519 signing and verification#233mkannwischer wants to merge 3 commits intomasterfrom
mkannwischer wants to merge 3 commits intomasterfrom
Conversation
mkannwischer
force-pushed
the
mjk/pure-ed25519
branch
3 times, most recently
from
e1e8a92 to
b2679ce
Compare
mkannwischer
force-pushed
the
mjk/pure-ed25519
branch
from
b2679ce to
1fd392b
Compare
Add support for pure Ed25519 (RFC 8032 5.1.7) signature verification alongside the existing HashEd25519 mode. Pure Ed25519 computes k = SHA-512(R || A || M) without a domain separator, while HashEd25519 computes k = SHA-512(dom2(1,ctx) || R || A || PH(M)). The hash k is computed on Ibex using the SHA-2 HW block, so the ACC program does not need changes. Also removes unused message and context parameters from ed25519_verify_start since the ACC verify program only uses the precomputed hash_k. Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
Wire up the existing Wycheproof Ed25519 parser (150 pure Ed25519 verify vectors, 9 skipped due to non-word-aligned signature lengths). Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
Add support for pure Ed25519 signing (RFC 8032 5.1.6) where the raw message is signed directly without pre-hashing. The message is streamed into ACC incrementally via a multi-phase API (INIT/UPDATE/MID/UPDATE/FINAL), allowing arbitrarily large messages. The message appears in both the nonce hash r = SHA-512(prefix || M) and the challenge hash k = SHA-512(R_ || A_ || M), so it must be streamed twice. The message chunk size has been picked as the maximum that still fits in 3 KiB of Ibex-accessible DMEM to make sure this code also works with the smallest configurations. The signing logic is refactored into shared subroutines (_ed25519_sign_compute_r_a, _ed25519_sign_compute_s) used by both the HashEd25519 one-shot path and the pure incremental phases. The functest is extended to a wide range of message lengths for the pure mode, and also some additional context lengths for the pre-hash mode. Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
mkannwischer
force-pushed
the
mjk/pure-ed25519
branch
from
1fd392b to
4cdd216
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds pure Ed25519 signature generation and verification as described in RFC 8032.
Verification is a straightforward extension only touching the C-side as the hash is computed using HMAC prior to invoking ACC - this is fine as all processed data is public.
Signing is more involved as both required hashes are computed in ACC. To be able to support arbitrary message lengths, we have to stream in the message twice resulting in a 5-step API: INIT/UPDATE/MID/UPDATE/FINAL. I tried to share as much code as possible with the pre-hash mode.
This allows us to cover more ACVP test vectors and also support the Wycheproof testvectors.
I have also extended the functest accordingly and cleaned up a few typos on the way.
See the individual commit messages for details.