1 /* $OpenBSD: schnorr.c,v 1.4 2010/09/20 04:50:53 djm Exp $ */
3 * Copyright (c) 2008 Damien Miller. All rights reserved.
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 * Implementation of Schnorr signatures / zero-knowledge proofs, based on
22 * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
23 * 16th Workshop on Security Protocols, Cambridge, April 2008
25 * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
30 #include <sys/types.h>
36 #include <openssl/evp.h>
37 #include <openssl/bn.h>
45 #include "openbsd-compat/openssl-compat.h"
47 /* #define SCHNORR_DEBUG */ /* Privacy-violating debugging */
48 /* #define SCHNORR_MAIN */ /* Include main() selftest */
51 # define SCHNORR_DEBUG_BN(a)
52 # define SCHNORR_DEBUG_BUF(a)
54 # define SCHNORR_DEBUG_BN(a) debug3_bn a
55 # define SCHNORR_DEBUG_BUF(a) debug3_buf a
56 #endif /* SCHNORR_DEBUG */
59 * Calculate hash component of Schnorr signature H(g || g^v || g^x || id)
60 * using the hash function defined by "evp_md". Returns signature as
61 * bignum or NULL on error.
64 schnorr_hash(const BIGNUM
*p
, const BIGNUM
*q
, const BIGNUM
*g
,
65 const EVP_MD
*evp_md
, const BIGNUM
*g_v
, const BIGNUM
*g_x
,
66 const u_char
*id
, u_int idlen
)
74 if ((h
= BN_new()) == NULL
) {
75 error("%s: BN_new", __func__
);
81 /* h = H(g || p || q || g^v || g^x || id) */
82 buffer_put_bignum2(&b
, g
);
83 buffer_put_bignum2(&b
, p
);
84 buffer_put_bignum2(&b
, q
);
85 buffer_put_bignum2(&b
, g_v
);
86 buffer_put_bignum2(&b
, g_x
);
87 buffer_put_string(&b
, id
, idlen
);
89 SCHNORR_DEBUG_BUF((buffer_ptr(&b
), buffer_len(&b
),
90 "%s: hashblob", __func__
));
91 if (hash_buffer(buffer_ptr(&b
), buffer_len(&b
), evp_md
,
92 &digest
, &digest_len
) != 0) {
93 error("%s: hash_buffer", __func__
);
96 if (BN_bin2bn(digest
, (int)digest_len
, h
) == NULL
) {
97 error("%s: BN_bin2bn", __func__
);
101 SCHNORR_DEBUG_BN((h
, "%s: h = ", __func__
));
104 bzero(digest
, digest_len
);
114 * Generate Schnorr signature to prove knowledge of private value 'x' used
115 * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
116 * using the hash function "evp_md".
117 * 'idlen' bytes from 'id' will be included in the signature hash as an anti-
120 * On success, 0 is returned. The signature values are returned as *e_p
121 * (g^v mod p) and *r_p (v - xh mod q). The caller must free these values.
122 * On failure, -1 is returned.
125 schnorr_sign(const BIGNUM
*grp_p
, const BIGNUM
*grp_q
, const BIGNUM
*grp_g
,
126 const EVP_MD
*evp_md
, const BIGNUM
*x
, const BIGNUM
*g_x
,
127 const u_char
*id
, u_int idlen
, BIGNUM
**r_p
, BIGNUM
**e_p
)
130 BIGNUM
*h
, *tmp
, *v
, *g_v
, *r
;
133 SCHNORR_DEBUG_BN((x
, "%s: x = ", __func__
));
134 SCHNORR_DEBUG_BN((g_x
, "%s: g_x = ", __func__
));
136 /* Avoid degenerate cases: g^0 yields a spoofable signature */
137 if (BN_cmp(g_x
, BN_value_one()) <= 0) {
138 error("%s: g_x < 1", __func__
);
141 if (BN_cmp(g_x
, grp_p
) >= 0) {
142 error("%s: g_x > g", __func__
);
146 h
= g_v
= r
= tmp
= v
= NULL
;
147 if ((bn_ctx
= BN_CTX_new()) == NULL
) {
148 error("%s: BN_CTX_new", __func__
);
151 if ((g_v
= BN_new()) == NULL
||
152 (r
= BN_new()) == NULL
||
153 (tmp
= BN_new()) == NULL
) {
154 error("%s: BN_new", __func__
);
159 * v must be a random element of Zq, so 1 <= v < q
160 * we also exclude v = 1, since g^1 looks dangerous
162 if ((v
= bn_rand_range_gt_one(grp_p
)) == NULL
) {
163 error("%s: bn_rand_range2", __func__
);
166 SCHNORR_DEBUG_BN((v
, "%s: v = ", __func__
));
168 /* g_v = g^v mod p */
169 if (BN_mod_exp(g_v
, grp_g
, v
, grp_p
, bn_ctx
) == -1) {
170 error("%s: BN_mod_exp (g^v mod p)", __func__
);
173 SCHNORR_DEBUG_BN((g_v
, "%s: g_v = ", __func__
));
175 /* h = H(g || g^v || g^x || id) */
176 if ((h
= schnorr_hash(grp_p
, grp_q
, grp_g
, evp_md
, g_v
, g_x
,
177 id
, idlen
)) == NULL
) {
178 error("%s: schnorr_hash failed", __func__
);
182 /* r = v - xh mod q */
183 if (BN_mod_mul(tmp
, x
, h
, grp_q
, bn_ctx
) == -1) {
184 error("%s: BN_mod_mul (tmp = xv mod q)", __func__
);
187 if (BN_mod_sub(r
, v
, tmp
, grp_q
, bn_ctx
) == -1) {
188 error("%s: BN_mod_mul (r = v - tmp)", __func__
);
191 SCHNORR_DEBUG_BN((g_v
, "%s: e = ", __func__
));
192 SCHNORR_DEBUG_BN((r
, "%s: r = ", __func__
));
210 * Generate Schnorr signature to prove knowledge of private value 'x' used
211 * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
212 * using a SHA256 hash.
213 * 'idlen' bytes from 'id' will be included in the signature hash as an anti-
215 * On success, 0 is returned and *siglen bytes of signature are returned in
216 * *sig (caller to free). Returns -1 on failure.
219 schnorr_sign_buf(const BIGNUM
*grp_p
, const BIGNUM
*grp_q
, const BIGNUM
*grp_g
,
220 const BIGNUM
*x
, const BIGNUM
*g_x
, const u_char
*id
, u_int idlen
,
221 u_char
**sig
, u_int
*siglen
)
226 if (schnorr_sign(grp_p
, grp_q
, grp_g
, EVP_sha256(),
227 x
, g_x
, id
, idlen
, &r
, &e
) != 0)
230 /* Signature is (e, r) */
232 /* XXX sigtype-hash as string? */
233 buffer_put_bignum2(&b
, e
);
234 buffer_put_bignum2(&b
, r
);
235 *siglen
= buffer_len(&b
);
236 *sig
= xmalloc(*siglen
);
237 memcpy(*sig
, buffer_ptr(&b
), *siglen
);
238 SCHNORR_DEBUG_BUF((buffer_ptr(&b
), buffer_len(&b
),
239 "%s: sigblob", __func__
));
249 * Verify Schnorr signature { r (v - xh mod q), e (g^v mod p) } against
250 * public exponent g_x (g^x) under group defined by 'grp_p', 'grp_q' and
251 * 'grp_g' using hash "evp_md".
252 * Signature hash will be salted with 'idlen' bytes from 'id'.
253 * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
256 schnorr_verify(const BIGNUM
*grp_p
, const BIGNUM
*grp_q
, const BIGNUM
*grp_g
,
257 const EVP_MD
*evp_md
, const BIGNUM
*g_x
, const u_char
*id
, u_int idlen
,
258 const BIGNUM
*r
, const BIGNUM
*e
)
261 BIGNUM
*h
, *g_xh
, *g_r
, *expected
;
264 SCHNORR_DEBUG_BN((g_x
, "%s: g_x = ", __func__
));
266 /* Avoid degenerate cases: g^0 yields a spoofable signature */
267 if (BN_cmp(g_x
, BN_value_one()) <= 0) {
268 error("%s: g_x < 1", __func__
);
271 if (BN_cmp(g_x
, grp_p
) >= 0) {
272 error("%s: g_x >= p", __func__
);
276 h
= g_xh
= g_r
= expected
= NULL
;
277 if ((bn_ctx
= BN_CTX_new()) == NULL
) {
278 error("%s: BN_CTX_new", __func__
);
281 if ((g_xh
= BN_new()) == NULL
||
282 (g_r
= BN_new()) == NULL
||
283 (expected
= BN_new()) == NULL
) {
284 error("%s: BN_new", __func__
);
288 SCHNORR_DEBUG_BN((e
, "%s: e = ", __func__
));
289 SCHNORR_DEBUG_BN((r
, "%s: r = ", __func__
));
291 /* h = H(g || g^v || g^x || id) */
292 if ((h
= schnorr_hash(grp_p
, grp_q
, grp_g
, evp_md
, e
, g_x
,
293 id
, idlen
)) == NULL
) {
294 error("%s: schnorr_hash failed", __func__
);
299 if (BN_mod_exp(g_xh
, g_x
, h
, grp_p
, bn_ctx
) == -1) {
300 error("%s: BN_mod_exp (g_x^h mod p)", __func__
);
303 SCHNORR_DEBUG_BN((g_xh
, "%s: g_xh = ", __func__
));
306 if (BN_mod_exp(g_r
, grp_g
, r
, grp_p
, bn_ctx
) == -1) {
307 error("%s: BN_mod_exp (g_x^h mod p)", __func__
);
310 SCHNORR_DEBUG_BN((g_r
, "%s: g_r = ", __func__
));
312 /* expected = g^r * g_xh */
313 if (BN_mod_mul(expected
, g_r
, g_xh
, grp_p
, bn_ctx
) == -1) {
314 error("%s: BN_mod_mul (expected = g_r mod p)", __func__
);
317 SCHNORR_DEBUG_BN((expected
, "%s: expected = ", __func__
));
319 /* Check e == expected */
320 success
= BN_cmp(expected
, e
) == 0;
327 BN_clear_free(expected
);
332 * Verify Schnorr signature 'sig' of length 'siglen' against public exponent
333 * g_x (g^x) under group defined by 'grp_p', 'grp_q' and 'grp_g' using a
335 * Signature hash will be salted with 'idlen' bytes from 'id'.
336 * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
339 schnorr_verify_buf(const BIGNUM
*grp_p
, const BIGNUM
*grp_q
,
341 const BIGNUM
*g_x
, const u_char
*id
, u_int idlen
,
342 const u_char
*sig
, u_int siglen
)
350 if ((e
= BN_new()) == NULL
||
351 (r
= BN_new()) == NULL
) {
352 error("%s: BN_new", __func__
);
356 /* Extract g^v and r from signature blob */
358 buffer_append(&b
, sig
, siglen
);
359 SCHNORR_DEBUG_BUF((buffer_ptr(&b
), buffer_len(&b
),
360 "%s: sigblob", __func__
));
361 buffer_get_bignum2(&b
, e
);
362 buffer_get_bignum2(&b
, r
);
363 rlen
= buffer_len(&b
);
366 error("%s: remaining bytes in signature %d", __func__
, rlen
);
370 ret
= schnorr_verify(grp_p
, grp_q
, grp_g
, EVP_sha256(),
371 g_x
, id
, idlen
, r
, e
);
379 /* Helper functions */
382 * Generate uniformly distributed random number in range (1, high).
383 * Return number on success, NULL on failure.
386 bn_rand_range_gt_one(const BIGNUM
*high
)
391 if ((tmp
= BN_new()) == NULL
) {
392 error("%s: BN_new", __func__
);
395 if ((r
= BN_new()) == NULL
) {
396 error("%s: BN_new failed", __func__
);
399 if (BN_set_word(tmp
, 2) != 1) {
400 error("%s: BN_set_word(tmp, 2)", __func__
);
403 if (BN_sub(tmp
, high
, tmp
) == -1) {
404 error("%s: BN_sub failed (tmp = high - 2)", __func__
);
407 if (BN_rand_range(r
, tmp
) == -1) {
408 error("%s: BN_rand_range failed", __func__
);
411 if (BN_set_word(tmp
, 2) != 1) {
412 error("%s: BN_set_word(tmp, 2)", __func__
);
415 if (BN_add(r
, r
, tmp
) == -1) {
416 error("%s: BN_add failed (r = r + 2)", __func__
);
429 * Hash contents of buffer 'b' with hash 'md'. Returns 0 on success,
430 * with digest via 'digestp' (caller to free) and length via 'lenp'.
431 * Returns -1 on failure.
434 hash_buffer(const u_char
*buf
, u_int len
, const EVP_MD
*md
,
435 u_char
**digestp
, u_int
*lenp
)
437 u_char digest
[EVP_MAX_MD_SIZE
];
439 EVP_MD_CTX evp_md_ctx
;
442 EVP_MD_CTX_init(&evp_md_ctx
);
444 if (EVP_DigestInit_ex(&evp_md_ctx
, md
, NULL
) != 1) {
445 error("%s: EVP_DigestInit_ex", __func__
);
448 if (EVP_DigestUpdate(&evp_md_ctx
, buf
, len
) != 1) {
449 error("%s: EVP_DigestUpdate", __func__
);
452 if (EVP_DigestFinal_ex(&evp_md_ctx
, digest
, &digest_len
) != 1) {
453 error("%s: EVP_DigestFinal_ex", __func__
);
456 *digestp
= xmalloc(digest_len
);
458 memcpy(*digestp
, digest
, *lenp
);
461 EVP_MD_CTX_cleanup(&evp_md_ctx
);
462 bzero(digest
, sizeof(digest
));
467 /* print formatted string followed by bignum */
469 debug3_bn(const BIGNUM
*n
, const char *fmt
, ...)
476 vasprintf(&out
, fmt
, args
);
479 fatal("%s: vasprintf failed", __func__
);
482 debug3("%s(null)", out
);
485 debug3("%s0x%s", out
, h
);
491 /* print formatted string followed by buffer contents in hex */
493 debug3_buf(const u_char
*buf
, u_int len
, const char *fmt
, ...)
501 vasprintf(&out
, fmt
, args
);
504 fatal("%s: vasprintf failed", __func__
);
506 debug3("%s length %u%s", out
, len
, buf
== NULL
? " (null)" : "");
512 for (i
= j
= 0; i
< len
; i
++) {
513 snprintf(h
+ j
, sizeof(h
) - j
, "%02x", buf
[i
]);
515 if (j
>= sizeof(h
) - 1 || i
== len
- 1) {
524 * Construct a MODP group from hex strings p (which must be a safe
525 * prime) and g, automatically calculating subgroup q as (p / 2)
528 modp_group_from_g_and_safe_p(const char *grp_g
, const char *grp_p
)
530 struct modp_group
*ret
;
532 ret
= xmalloc(sizeof(*ret
));
533 ret
->p
= ret
->q
= ret
->g
= NULL
;
534 if (BN_hex2bn(&ret
->p
, grp_p
) == 0 ||
535 BN_hex2bn(&ret
->g
, grp_g
) == 0)
536 fatal("%s: BN_hex2bn", __func__
);
537 /* Subgroup order is p/2 (p is a safe prime) */
538 if ((ret
->q
= BN_new()) == NULL
)
539 fatal("%s: BN_new", __func__
);
540 if (BN_rshift1(ret
->q
, ret
->p
) != 1)
541 fatal("%s: BN_rshift1", __func__
);
547 modp_group_free(struct modp_group
*grp
)
550 BN_clear_free(grp
->g
);
552 BN_clear_free(grp
->p
);
554 BN_clear_free(grp
->q
);
555 bzero(grp
, sizeof(*grp
));
559 /* main() function for self-test */
563 schnorr_selftest_one(const BIGNUM
*grp_p
, const BIGNUM
*grp_q
,
564 const BIGNUM
*grp_g
, const BIGNUM
*x
)
571 if ((bn_ctx
= BN_CTX_new()) == NULL
)
572 fatal("%s: BN_CTX_new", __func__
);
573 if ((g_x
= BN_new()) == NULL
)
574 fatal("%s: BN_new", __func__
);
576 if (BN_mod_exp(g_x
, grp_g
, x
, grp_p
, bn_ctx
) == -1)
577 fatal("%s: g_x", __func__
);
578 if (schnorr_sign_buf(grp_p
, grp_q
, grp_g
, x
, g_x
, "junk", 4,
580 fatal("%s: schnorr_sign", __func__
);
581 if (schnorr_verify_buf(grp_p
, grp_q
, grp_g
, g_x
, "junk", 4,
583 fatal("%s: verify fail", __func__
);
584 if (schnorr_verify_buf(grp_p
, grp_q
, grp_g
, g_x
, "JUNK", 4,
586 fatal("%s: verify should have failed (bad ID)", __func__
);
588 if (schnorr_verify_buf(grp_p
, grp_q
, grp_g
, g_x
, "junk", 4,
590 fatal("%s: verify should have failed (bit error)", __func__
);
597 schnorr_selftest(void)
600 struct modp_group
*grp
;
604 grp
= jpake_default_group();
605 if ((x
= BN_new()) == NULL
)
606 fatal("%s: BN_new", __func__
);
607 SCHNORR_DEBUG_BN((grp
->p
, "%s: grp->p = ", __func__
));
608 SCHNORR_DEBUG_BN((grp
->q
, "%s: grp->q = ", __func__
));
609 SCHNORR_DEBUG_BN((grp
->g
, "%s: grp->g = ", __func__
));
612 for (i
= 1; i
< 20; i
++) {
613 printf("x = %u\n", i
);
615 if (BN_set_word(x
, i
) != 1)
616 fatal("%s: set x word", __func__
);
617 schnorr_selftest_one(grp
->p
, grp
->q
, grp
->g
, x
);
620 /* 100 x random [0, p) */
621 for (i
= 0; i
< 100; i
++) {
622 if (BN_rand_range(x
, grp
->p
) != 1)
623 fatal("%s: BN_rand_range", __func__
);
625 printf("x = (random) 0x%s\n", hh
);
628 schnorr_selftest_one(grp
->p
, grp
->q
, grp
->g
, x
);
632 if (BN_set_word(x
, 20) != 1)
633 fatal("%s: BN_set_word (x = 20)", __func__
);
634 if (BN_sub(x
, grp
->q
, x
) != 1)
635 fatal("%s: BN_sub (q - x)", __func__
);
636 for (i
= 0; i
< 19; i
++) {
638 printf("x = (q - %d) 0x%s\n", 20 - i
, hh
);
641 schnorr_selftest_one(grp
->p
, grp
->q
, grp
->g
, x
);
642 if (BN_add(x
, x
, BN_value_one()) != 1)
643 fatal("%s: BN_add (x + 1)", __func__
);
649 main(int argc
, char **argv
)
651 log_init(argv
[0], SYSLOG_LEVEL_DEBUG3
, SYSLOG_FACILITY_USER
, 1);