src/crypto/ecdh/x25519.go - go - Git at Google

 // Copyright 2022 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package ecdh

 import (
 	"bytes"
 	"crypto/internal/fips140/edwards25519/field"
 	"crypto/internal/fips140only"
 	"crypto/internal/randutil"
 	"errors"
 	"io"
 )

 var (
 	x25519PublicKeySize    = 32
 	x25519PrivateKeySize   = 32
 	x25519SharedSecretSize = 32
 )

 // X25519 returns a [Curve] which implements the X25519 function over Curve25519
 // (RFC 7748, Section 5).
 //
 // Multiple invocations of this function will return the same value, so it can
 // be used for equality checks and switch statements.
 func X25519() Curve { return x25519 }

 var x25519 = &x25519Curve{}

 type x25519Curve struct{}

 func (c *x25519Curve) String() string {
 	return "X25519"
 }

 func (c *x25519Curve) GenerateKey(rand io.Reader) (*PrivateKey, error) {
 	if fips140only.Enabled {
 		return nil, errors.New("crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode")
 	}
 	key := make([]byte, x25519PrivateKeySize)
 	randutil.MaybeReadByte(rand)
 	if _, err := io.ReadFull(rand, key); err != nil {
 		return nil, err
 	}
 	return c.NewPrivateKey(key)
 }

 func (c *x25519Curve) NewPrivateKey(key []byte) (*PrivateKey, error) {
 	if fips140only.Enabled {
 		return nil, errors.New("crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode")
 	}
 	if len(key) != x25519PrivateKeySize {
 		return nil, errors.New("crypto/ecdh: invalid private key size")
 	}
 	publicKey := make([]byte, x25519PublicKeySize)
 	x25519Basepoint := [32]byte{9}
 	x25519ScalarMult(publicKey, key, x25519Basepoint[:])
 	// We don't check for the all-zero public key here because the scalar is
 	// never zero because of clamping, and the basepoint is not the identity in
 	// the prime-order subgroup(s).
 	return &PrivateKey{
 		curve:      c,
 		privateKey: bytes.Clone(key),
 		publicKey:  &PublicKey{curve: c, publicKey: publicKey},
 	}, nil
 }

 func (c *x25519Curve) NewPublicKey(key []byte) (*PublicKey, error) {
 	if fips140only.Enabled {
 		return nil, errors.New("crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode")
 	}
 	if len(key) != x25519PublicKeySize {
 		return nil, errors.New("crypto/ecdh: invalid public key")
 	}
 	return &PublicKey{
 		curve:     c,
 		publicKey: bytes.Clone(key),
 	}, nil
 }

 func (c *x25519Curve) ecdh(local *PrivateKey, remote *PublicKey) ([]byte, error) {
 	out := make([]byte, x25519SharedSecretSize)
 	x25519ScalarMult(out, local.privateKey, remote.publicKey)
 	if isZero(out) {
 		return nil, errors.New("crypto/ecdh: bad X25519 remote ECDH input: low order point")
 	}
 	return out, nil
 }

 func x25519ScalarMult(dst, scalar, point []byte) {
 	var e [32]byte

 	copy(e[:], scalar[:])
 	e[0] &= 248
 	e[31] &= 127
 	e[31] |= 64

 	var x1, x2, z2, x3, z3, tmp0, tmp1 field.Element
 	x1.SetBytes(point[:])
 	x2.One()
 	x3.Set(&x1)
 	z3.One()

 	swap := 0
 	for pos := 254; pos >= 0; pos-- {
 		b := e[pos/8] >> uint(pos&7)
 		b &= 1
 		swap ^= int(b)
 		x2.Swap(&x3, swap)
 		z2.Swap(&z3, swap)
 		swap = int(b)

 		tmp0.Subtract(&x3, &z3)
 		tmp1.Subtract(&x2, &z2)
 		x2.Add(&x2, &z2)
 		z2.Add(&x3, &z3)
 		z3.Multiply(&tmp0, &x2)
 		z2.Multiply(&z2, &tmp1)
 		tmp0.Square(&tmp1)
 		tmp1.Square(&x2)
 		x3.Add(&z3, &z2)
 		z2.Subtract(&z3, &z2)
 		x2.Multiply(&tmp1, &tmp0)
 		tmp1.Subtract(&tmp1, &tmp0)
 		z2.Square(&z2)

 		z3.Mult32(&tmp1, 121666)
 		x3.Square(&x3)
 		tmp0.Add(&tmp0, &z3)
 		z3.Multiply(&x1, &z2)
 		z2.Multiply(&tmp1, &tmp0)
 	}

 	x2.Swap(&x3, swap)
 	z2.Swap(&z3, swap)

 	z2.Invert(&z2)
 	x2.Multiply(&x2, &z2)
 	copy(dst[:], x2.Bytes())
 }

 // isZero reports whether x is all zeroes in constant time.
 func isZero(x []byte) bool {
 	var acc byte
 	for _, b := range x {
 		acc |= b
 	}
 	return acc == 0
 }
	// Copyright 2022 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package ecdh

	import (
	"bytes"
	"crypto/internal/fips140/edwards25519/field"
	"crypto/internal/fips140only"
	"crypto/internal/randutil"
	"errors"
	"io"
	)

	var (
	x25519PublicKeySize = 32
	x25519PrivateKeySize = 32
	x25519SharedSecretSize = 32
	)

	// X25519 returns a [Curve] which implements the X25519 function over Curve25519
	// (RFC 7748, Section 5).
	//
	// Multiple invocations of this function will return the same value, so it can
	// be used for equality checks and switch statements.
	func X25519() Curve { return x25519 }

	var x25519 = &x25519Curve{}

	type x25519Curve struct{}

	func (c *x25519Curve) String() string {
	return "X25519"
	}

	func (c x25519Curve) GenerateKey(rand io.Reader) (PrivateKey, error) {
	if fips140only.Enabled {
	return nil, errors.New("crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode")
	}
	key := make([]byte, x25519PrivateKeySize)
	randutil.MaybeReadByte(rand)
	if _, err := io.ReadFull(rand, key); err != nil {
	return nil, err
	}
	return c.NewPrivateKey(key)
	}

	func (c x25519Curve) NewPrivateKey(key []byte) (PrivateKey, error) {
	if fips140only.Enabled {
	return nil, errors.New("crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode")
	}
	if len(key) != x25519PrivateKeySize {
	return nil, errors.New("crypto/ecdh: invalid private key size")
	}
	publicKey := make([]byte, x25519PublicKeySize)
	x25519Basepoint := [32]byte{9}
	x25519ScalarMult(publicKey, key, x25519Basepoint[:])
	// We don't check for the all-zero public key here because the scalar is
	// never zero because of clamping, and the basepoint is not the identity in
	// the prime-order subgroup(s).
	return &PrivateKey{
	curve: c,
	privateKey: bytes.Clone(key),
	publicKey: &PublicKey{curve: c, publicKey: publicKey},
	}, nil
	}

	func (c x25519Curve) NewPublicKey(key []byte) (PublicKey, error) {
	if fips140only.Enabled {
	return nil, errors.New("crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode")
	}
	if len(key) != x25519PublicKeySize {
	return nil, errors.New("crypto/ecdh: invalid public key")
	}
	return &PublicKey{
	curve: c,
	publicKey: bytes.Clone(key),
	}, nil
	}

	func (c x25519Curve) ecdh(local PrivateKey, remote *PublicKey) ([]byte, error) {
	out := make([]byte, x25519SharedSecretSize)
	x25519ScalarMult(out, local.privateKey, remote.publicKey)
	if isZero(out) {
	return nil, errors.New("crypto/ecdh: bad X25519 remote ECDH input: low order point")
	}
	return out, nil
	}

	func x25519ScalarMult(dst, scalar, point []byte) {
	var e [32]byte

	copy(e[:], scalar[:])
	e[0] &= 248
	e[31] &= 127
	e[31] \|= 64

	var x1, x2, z2, x3, z3, tmp0, tmp1 field.Element
	x1.SetBytes(point[:])
	x2.One()
	x3.Set(&x1)
	z3.One()

	swap := 0
	for pos := 254; pos >= 0; pos-- {
	b := e[pos/8] >> uint(pos&7)
	b &= 1
	swap ^= int(b)
	x2.Swap(&x3, swap)
	z2.Swap(&z3, swap)
	swap = int(b)

	tmp0.Subtract(&x3, &z3)
	tmp1.Subtract(&x2, &z2)
	x2.Add(&x2, &z2)
	z2.Add(&x3, &z3)
	z3.Multiply(&tmp0, &x2)
	z2.Multiply(&z2, &tmp1)
	tmp0.Square(&tmp1)
	tmp1.Square(&x2)
	x3.Add(&z3, &z2)
	z2.Subtract(&z3, &z2)
	x2.Multiply(&tmp1, &tmp0)
	tmp1.Subtract(&tmp1, &tmp0)
	z2.Square(&z2)

	z3.Mult32(&tmp1, 121666)
	x3.Square(&x3)
	tmp0.Add(&tmp0, &z3)
	z3.Multiply(&x1, &z2)
	z2.Multiply(&tmp1, &tmp0)
	}

	x2.Swap(&x3, swap)
	z2.Swap(&z3, swap)

	z2.Invert(&z2)
	x2.Multiply(&x2, &z2)
	copy(dst[:], x2.Bytes())
	}

	// isZero reports whether x is all zeroes in constant time.
	func isZero(x []byte) bool {
	var acc byte
	for _, b := range x {
	acc \|= b
	}
	return acc == 0
	}