File: ECC.hs

package info (click to toggle)
haskell-cryptonite 0.30-3
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 3,372 kB
  • sloc: ansic: 22,009; haskell: 18,423; makefile: 8
file content (408 lines) | stat: -rw-r--r-- 16,334 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
 
-- |
-- Module      : Crypto.ECC
-- License     : BSD-style
-- Maintainer  : Vincent Hanquez <vincent@snarc.org>
-- Stability   : experimental
-- Portability : unknown
--
-- Elliptic Curve Cryptography
--
{-# LANGUAGE DeriveDataTypeable #-}
{-# LANGUAGE FlexibleContexts #-}
{-# LANGUAGE GeneralizedNewtypeDeriving #-}
{-# LANGUAGE TypeFamilies #-}
{-# LANGUAGE ScopedTypeVariables #-}
module Crypto.ECC
    ( Curve_P256R1(..)
    , Curve_P384R1(..)
    , Curve_P521R1(..)
    , Curve_X25519(..)
    , Curve_X448(..)
    , Curve_Edwards25519(..)
    , EllipticCurve(..)
    , EllipticCurveDH(..)
    , EllipticCurveArith(..)
    , EllipticCurveBasepointArith(..)
    , KeyPair(..)
    , SharedSecret(..)
    ) where

import qualified Crypto.PubKey.ECC.P256 as P256
import qualified Crypto.ECC.Edwards25519 as Edwards25519
import qualified Crypto.ECC.Simple.Types as Simple
import qualified Crypto.ECC.Simple.Prim as Simple
import           Crypto.Random
import           Crypto.Error
import           Crypto.Internal.Imports
import           Crypto.Internal.ByteArray (ByteArray, ByteArrayAccess, ScrubbedBytes)
import qualified Crypto.Internal.ByteArray as B
import           Crypto.Number.Basic (numBits)
import           Crypto.Number.Serialize (i2ospOf_, os2ip)
import qualified Crypto.Number.Serialize.LE as LE
import qualified Crypto.PubKey.Curve25519 as X25519
import qualified Crypto.PubKey.Curve448 as X448
import           Data.ByteArray (convert)
import           Data.Data (Data())
import           Data.Kind (Type)
import           Data.Proxy

-- | An elliptic curve key pair composed of the private part (a scalar), and
-- the associated point.
data KeyPair curve = KeyPair
    { keypairGetPublic  :: !(Point curve)
    , keypairGetPrivate :: !(Scalar curve)
    }

newtype SharedSecret = SharedSecret ScrubbedBytes
    deriving (Eq, ByteArrayAccess, NFData)

class EllipticCurve curve where
    -- | Point on an Elliptic Curve
    type Point curve  :: Type

    -- | Scalar in the Elliptic Curve domain
    type Scalar curve :: Type

    -- | Generate a new random scalar on the curve.
    -- The scalar will represent a number between 1 and the order of the curve non included
    curveGenerateScalar :: MonadRandom randomly => proxy curve -> randomly (Scalar curve)

    -- | Generate a new random keypair
    curveGenerateKeyPair :: MonadRandom randomly => proxy curve -> randomly (KeyPair curve)

    -- | Get the curve size in bits
    curveSizeBits :: proxy curve -> Int

    -- | Encode a elliptic curve point into binary form
    encodePoint :: ByteArray bs => proxy curve -> Point curve -> bs

    -- | Try to decode the binary form of an elliptic curve point
    decodePoint :: ByteArray bs => proxy curve -> bs -> CryptoFailable (Point curve)

class EllipticCurve curve => EllipticCurveDH curve where
    -- | Generate a Diffie hellman secret value.
    --
    -- This is generally just the .x coordinate of the resulting point, that
    -- is not hashed.
    --
    -- use `pointSmul` to keep the result in Point format.
    --
    -- /WARNING:/ Curve implementations may return a special value or an
    -- exception when the public point lies in a subgroup of small order.
    -- This function is adequate when the scalar is in expected range and
    -- contributory behaviour is not needed.  Otherwise use 'ecdh'.
    ecdhRaw :: proxy curve -> Scalar curve -> Point curve -> SharedSecret
    ecdhRaw prx s = throwCryptoError . ecdh prx s

    -- | Generate a Diffie hellman secret value and verify that the result
    -- is not the point at infinity.
    --
    -- This additional test avoids risks existing with function 'ecdhRaw'.
    -- Implementations always return a 'CryptoError' instead of a special
    -- value or an exception.
    ecdh :: proxy curve -> Scalar curve -> Point curve -> CryptoFailable SharedSecret

class (EllipticCurve curve, Eq (Point curve)) => EllipticCurveArith curve where
    -- | Add points on a curve
    pointAdd :: proxy curve -> Point curve -> Point curve -> Point curve

    -- | Negate a curve point
    pointNegate :: proxy curve -> Point curve -> Point curve

    -- | Scalar Multiplication on a curve
    pointSmul :: proxy curve -> Scalar curve -> Point curve -> Point curve

--   -- | Scalar Inverse
--   scalarInverse :: Scalar curve -> Scalar curve

class (EllipticCurveArith curve, Eq (Scalar curve)) => EllipticCurveBasepointArith curve where
    -- | Get the curve order size in bits
    curveOrderBits :: proxy curve -> Int

    -- | Multiply a scalar with the curve base point
    pointBaseSmul :: proxy curve -> Scalar curve -> Point curve

    -- | Multiply the point @p@ with @s2@ and add a lifted to curve value @s1@
    pointsSmulVarTime :: proxy curve -> Scalar curve -> Scalar curve -> Point curve -> Point curve
    pointsSmulVarTime prx s1 s2 p = pointAdd prx (pointBaseSmul prx s1) (pointSmul prx s2 p)

    -- | Encode an elliptic curve scalar into big-endian form
    encodeScalar :: ByteArray bs => proxy curve -> Scalar curve -> bs

    -- | Try to decode the big-endian form of an elliptic curve scalar
    decodeScalar :: ByteArray bs => proxy curve -> bs -> CryptoFailable (Scalar curve)

    -- | Convert an elliptic curve scalar to an integer
    scalarToInteger :: proxy curve -> Scalar curve -> Integer

    -- | Try to create an elliptic curve scalar from an integer
    scalarFromInteger :: proxy curve -> Integer -> CryptoFailable (Scalar curve)

    -- | Add two scalars and reduce modulo the curve order
    scalarAdd :: proxy curve -> Scalar curve -> Scalar curve -> Scalar curve

    -- | Multiply two scalars and reduce modulo the curve order
    scalarMul :: proxy curve -> Scalar curve -> Scalar curve -> Scalar curve

-- | P256 Curve
--
-- also known as P256
data Curve_P256R1 = Curve_P256R1
    deriving (Show,Data)

instance EllipticCurve Curve_P256R1 where
    type Point Curve_P256R1 = P256.Point
    type Scalar Curve_P256R1 = P256.Scalar
    curveSizeBits _ = 256
    curveGenerateScalar _ = P256.scalarGenerate
    curveGenerateKeyPair _ = toKeyPair <$> P256.scalarGenerate
      where toKeyPair scalar = KeyPair (P256.toPoint scalar) scalar
    encodePoint _ p = mxy
      where
        mxy :: forall bs. ByteArray bs => bs
        mxy = B.concat [uncompressed, xy]
          where
            uncompressed, xy :: bs
            uncompressed = B.singleton 4
            xy = P256.pointToBinary p
    decodePoint _ mxy = case B.uncons mxy of
        Nothing -> CryptoFailed CryptoError_PointSizeInvalid
        Just (m,xy)
            -- uncompressed
            | m == 4 -> P256.pointFromBinary xy
            | otherwise -> CryptoFailed CryptoError_PointFormatInvalid

instance EllipticCurveArith Curve_P256R1 where
    pointAdd  _ a b = P256.pointAdd a b
    pointNegate _ p = P256.pointNegate p
    pointSmul _ s p = P256.pointMul s p

instance EllipticCurveDH Curve_P256R1 where
    ecdhRaw _ s p = SharedSecret $ P256.pointDh s p
    ecdh  prx s p = checkNonZeroDH (ecdhRaw prx s p)

instance EllipticCurveBasepointArith Curve_P256R1 where
    curveOrderBits _ = 256
    pointBaseSmul _ = P256.toPoint
    pointsSmulVarTime _ = P256.pointsMulVarTime
    encodeScalar _ = P256.scalarToBinary
    decodeScalar _ = P256.scalarFromBinary
    scalarToInteger _ = P256.scalarToInteger
    scalarFromInteger _ = P256.scalarFromInteger
    scalarAdd _ = P256.scalarAdd
    scalarMul _ = P256.scalarMul

data Curve_P384R1 = Curve_P384R1
    deriving (Show,Data)

instance EllipticCurve Curve_P384R1 where
    type Point Curve_P384R1 = Simple.Point Simple.SEC_p384r1
    type Scalar Curve_P384R1 = Simple.Scalar Simple.SEC_p384r1
    curveSizeBits _ = 384
    curveGenerateScalar _ = Simple.scalarGenerate
    curveGenerateKeyPair _ = toKeyPair <$> Simple.scalarGenerate
      where toKeyPair scalar = KeyPair (Simple.pointBaseMul scalar) scalar
    encodePoint _ point = encodeECPoint point
    decodePoint _ bs = decodeECPoint bs

instance EllipticCurveArith Curve_P384R1 where
    pointAdd _ a b = Simple.pointAdd a b
    pointNegate _ p = Simple.pointNegate p
    pointSmul _ s p = Simple.pointMul s p

instance EllipticCurveDH Curve_P384R1 where
    ecdh _ s p = encodeECShared prx (Simple.pointMul s p)
      where
        prx = Proxy :: Proxy Simple.SEC_p384r1

instance EllipticCurveBasepointArith Curve_P384R1 where
    curveOrderBits _ = 384
    pointBaseSmul _ = Simple.pointBaseMul
    pointsSmulVarTime _ = ecPointsMulVarTime
    encodeScalar _ = ecScalarToBinary
    decodeScalar _ = ecScalarFromBinary
    scalarToInteger _ = ecScalarToInteger
    scalarFromInteger _ = ecScalarFromInteger
    scalarAdd _ = ecScalarAdd
    scalarMul _ = ecScalarMul

data Curve_P521R1 = Curve_P521R1
    deriving (Show,Data)

instance EllipticCurve Curve_P521R1 where
    type Point Curve_P521R1 = Simple.Point Simple.SEC_p521r1
    type Scalar Curve_P521R1 = Simple.Scalar Simple.SEC_p521r1
    curveSizeBits _ = 521
    curveGenerateScalar _ = Simple.scalarGenerate
    curveGenerateKeyPair _ = toKeyPair <$> Simple.scalarGenerate
      where toKeyPair scalar = KeyPair (Simple.pointBaseMul scalar) scalar
    encodePoint _ point = encodeECPoint point
    decodePoint _ bs = decodeECPoint bs

instance EllipticCurveArith Curve_P521R1 where
    pointAdd _ a b = Simple.pointAdd a b
    pointNegate _ p = Simple.pointNegate p
    pointSmul _ s p = Simple.pointMul s p

instance EllipticCurveDH Curve_P521R1 where
    ecdh _ s p = encodeECShared prx (Simple.pointMul s p)
      where
        prx = Proxy :: Proxy Simple.SEC_p521r1

instance EllipticCurveBasepointArith Curve_P521R1 where
    curveOrderBits _ = 521
    pointBaseSmul _ = Simple.pointBaseMul
    pointsSmulVarTime _ = ecPointsMulVarTime
    encodeScalar _ = ecScalarToBinary
    decodeScalar _ = ecScalarFromBinary
    scalarToInteger _ = ecScalarToInteger
    scalarFromInteger _ = ecScalarFromInteger
    scalarAdd _ = ecScalarAdd
    scalarMul _ = ecScalarMul

data Curve_X25519 = Curve_X25519
    deriving (Show,Data)

instance EllipticCurve Curve_X25519 where
    type Point Curve_X25519 = X25519.PublicKey
    type Scalar Curve_X25519 = X25519.SecretKey
    curveSizeBits _ = 255
    curveGenerateScalar _ = X25519.generateSecretKey
    curveGenerateKeyPair _ = do
        s <- X25519.generateSecretKey
        return $ KeyPair (X25519.toPublic s) s
    encodePoint _ p = B.convert p
    decodePoint _ bs = X25519.publicKey bs

instance EllipticCurveDH Curve_X25519 where
    ecdhRaw _ s p = SharedSecret $ convert secret
      where secret = X25519.dh p s
    ecdh prx s p = checkNonZeroDH (ecdhRaw prx s p)

data Curve_X448 = Curve_X448
    deriving (Show,Data)

instance EllipticCurve Curve_X448 where
    type Point Curve_X448 = X448.PublicKey
    type Scalar Curve_X448 = X448.SecretKey
    curveSizeBits _ = 448
    curveGenerateScalar _ = X448.generateSecretKey
    curveGenerateKeyPair _ = do
        s <- X448.generateSecretKey
        return $ KeyPair (X448.toPublic s) s
    encodePoint _ p = B.convert p
    decodePoint _ bs = X448.publicKey bs

instance EllipticCurveDH Curve_X448 where
    ecdhRaw _ s p = SharedSecret $ convert secret
      where secret = X448.dh p s
    ecdh prx s p = checkNonZeroDH (ecdhRaw prx s p)

data Curve_Edwards25519 = Curve_Edwards25519
    deriving (Show,Data)

instance EllipticCurve Curve_Edwards25519 where
    type Point Curve_Edwards25519 = Edwards25519.Point
    type Scalar Curve_Edwards25519 = Edwards25519.Scalar
    curveSizeBits _ = 255
    curveGenerateScalar _ = Edwards25519.scalarGenerate
    curveGenerateKeyPair _ = toKeyPair <$> Edwards25519.scalarGenerate
      where toKeyPair scalar = KeyPair (Edwards25519.toPoint scalar) scalar
    encodePoint _ point = Edwards25519.pointEncode point
    decodePoint _ bs = Edwards25519.pointDecode bs

instance EllipticCurveArith Curve_Edwards25519 where
    pointAdd _ a b = Edwards25519.pointAdd a b
    pointNegate _ p = Edwards25519.pointNegate p
    pointSmul _ s p = Edwards25519.pointMul s p

instance EllipticCurveBasepointArith Curve_Edwards25519 where
    curveOrderBits _ = 253
    pointBaseSmul _ = Edwards25519.toPoint
    pointsSmulVarTime _ = Edwards25519.pointsMulVarTime
    encodeScalar _ = B.reverse . Edwards25519.scalarEncode
    decodeScalar _ bs
        | B.length bs == 32 = Edwards25519.scalarDecodeLong (B.reverse bs)
        | otherwise         = CryptoFailed CryptoError_SecretKeySizeInvalid
    scalarToInteger _ s = LE.os2ip (Edwards25519.scalarEncode s :: B.Bytes)
    scalarFromInteger _ i =
        case LE.i2ospOf 32 i of
            Nothing -> CryptoFailed CryptoError_SecretKeySizeInvalid
            Just bs -> Edwards25519.scalarDecodeLong (bs :: B.Bytes)
    scalarAdd _ = Edwards25519.scalarAdd
    scalarMul _ = Edwards25519.scalarMul

checkNonZeroDH :: SharedSecret -> CryptoFailable SharedSecret
checkNonZeroDH s@(SharedSecret b)
    | B.constAllZero b = CryptoFailed CryptoError_ScalarMultiplicationInvalid
    | otherwise        = CryptoPassed s

encodeECShared :: Simple.Curve curve => Proxy curve -> Simple.Point curve -> CryptoFailable SharedSecret
encodeECShared _   Simple.PointO      = CryptoFailed CryptoError_ScalarMultiplicationInvalid
encodeECShared prx (Simple.Point x _) = CryptoPassed . SharedSecret $ i2ospOf_ (Simple.curveSizeBytes prx) x

encodeECPoint :: forall curve bs . (Simple.Curve curve, ByteArray bs) => Simple.Point curve -> bs
encodeECPoint Simple.PointO      = error "encodeECPoint: cannot serialize point at infinity"
encodeECPoint (Simple.Point x y) = B.concat [uncompressed,xb,yb]
  where
    size = Simple.curveSizeBytes (Proxy :: Proxy curve)
    uncompressed, xb, yb :: bs
    uncompressed = B.singleton 4
    xb = i2ospOf_ size x
    yb = i2ospOf_ size y

decodeECPoint :: (Simple.Curve curve, ByteArray bs) => bs -> CryptoFailable (Simple.Point curve)
decodeECPoint mxy = case B.uncons mxy of
    Nothing     -> CryptoFailed CryptoError_PointSizeInvalid
    Just (m,xy)
        -- uncompressed
        | m == 4 ->
            let siz = B.length xy `div` 2
                (xb,yb) = B.splitAt siz xy
                x = os2ip xb
                y = os2ip yb
             in Simple.pointFromIntegers (x,y)
        | otherwise -> CryptoFailed CryptoError_PointFormatInvalid

ecPointsMulVarTime :: forall curve . Simple.Curve curve
                   => Simple.Scalar curve
                   -> Simple.Scalar curve -> Simple.Point curve
                   -> Simple.Point curve
ecPointsMulVarTime n1 = Simple.pointAddTwoMuls n1 g
  where g = Simple.curveEccG $ Simple.curveParameters (Proxy :: Proxy curve)

ecScalarFromBinary :: forall curve bs . (Simple.Curve curve, ByteArrayAccess bs)
                   => bs -> CryptoFailable (Simple.Scalar curve)
ecScalarFromBinary ba
    | B.length ba /= size = CryptoFailed CryptoError_SecretKeySizeInvalid
    | otherwise           = CryptoPassed (Simple.Scalar $ os2ip ba)
  where size = ecCurveOrderBytes (Proxy :: Proxy curve)

ecScalarToBinary :: forall curve bs . (Simple.Curve curve, ByteArray bs)
                 => Simple.Scalar curve -> bs
ecScalarToBinary (Simple.Scalar s) = i2ospOf_ size s
  where size = ecCurveOrderBytes (Proxy :: Proxy curve)

ecScalarFromInteger :: forall curve . Simple.Curve curve
                    => Integer -> CryptoFailable (Simple.Scalar curve)
ecScalarFromInteger s
    | numBits s > nb = CryptoFailed CryptoError_SecretKeySizeInvalid
    | otherwise      = CryptoPassed (Simple.Scalar s)
  where nb = 8 * ecCurveOrderBytes (Proxy :: Proxy curve)

ecScalarToInteger :: Simple.Scalar curve -> Integer
ecScalarToInteger (Simple.Scalar s) = s

ecCurveOrderBytes :: Simple.Curve c => proxy c -> Int
ecCurveOrderBytes prx = (numBits n + 7) `div` 8
  where n = Simple.curveEccN $ Simple.curveParameters prx

ecScalarAdd :: forall curve . Simple.Curve curve
            => Simple.Scalar curve -> Simple.Scalar curve -> Simple.Scalar curve
ecScalarAdd (Simple.Scalar a) (Simple.Scalar b) = Simple.Scalar ((a + b) `mod` n)
  where n = Simple.curveEccN $ Simple.curveParameters (Proxy :: Proxy curve)

ecScalarMul :: forall curve . Simple.Curve curve
            => Simple.Scalar curve -> Simple.Scalar curve -> Simple.Scalar curve
ecScalarMul (Simple.Scalar a) (Simple.Scalar b) = Simple.Scalar ((a * b) `mod` n)
  where n = Simple.curveEccN $ Simple.curveParameters (Proxy :: Proxy curve)