Elligator2 ntor Edwards Fixes (#1)

Edwards rfc9380 tests and elligator representative randomness using tweaks.

Author: jmwample

curve25519-dalek/Cargo.toml

@@ -37,6 +37,8 @@ hex = "0.4.2"
 json = "0.12.4"
 rand = "0.8"
 rand_core = { version = "0.6", default-features = false, features = ["getrandom"] }
+rand_distr = "0.4.3"
+kolmogorov_smirnov = "1.1.0"
 
 [build-dependencies]
 rustc_version = "0.4.0"

curve25519-dalek/src/edwards.rs

@@ -103,8 +103,8 @@ use core::ops::{Mul, MulAssign};
 
 use cfg_if::cfg_if;
 
-#[cfg(feature = "digest")]
-use crate::elligator2::map_to_point;
+#[cfg(feature = "elligator2")]
+use crate::elligator2::{map_fe_to_edwards, MASK_UNSET_BYTE};
 #[cfg(feature = "digest")]
 use digest::{generic_array::typenum::U64, Digest};
 
@@ -598,57 +598,42 @@ impl EdwardsPoint {
 
         let sign_bit = (res[31] & 0x80) >> 7;
 
-        let fe1 = map_to_point(&res);
+        let fe1 = MontgomeryPoint::map_to_point_unbounded(&res);
         let E1_opt = fe1.to_edwards(sign_bit);
 
         E1_opt
             .expect("Montgomery conversion to Edwards point in Elligator failed")
             .mul_by_cofactor()
     }
 
-    #[cfg(elligator2)]
-    /// Build an [`EdwardsPoint`] using the birational mapping from (the
-    /// extended `(u, v)` form of) a montgomery point.
-    pub fn from_uv(u: &[u8; 32], v: &[u8; 32]) -> EdwardsPoint {
-        let u_fe = FieldElement::from_bytes(u);
-        let v_fe = FieldElement::from_bytes(v);
-        let (x, y) = Self::new_edwards_point(&u_fe, &v_fe);
-        Self::from_xy(x, y)
-    }
-
-    #[cfg(elligator2)]
-    fn new_edwards_point(u: &FieldElement, v: &FieldElement) -> (FieldElement, FieldElement) {
-        // Per RFC 7748: (x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))
-
-        let two = &FieldElement::ONE + &FieldElement::ONE;
-        let (_, sqrt_neg_a_plus_two) =
-            FieldElement::sqrt_ratio_i(&(&MONTGOMERY_A_NEG + &two), &FieldElement::ONE);
-
-        let mut x = &(u * &v.invert()) * &sqrt_neg_a_plus_two;
-
-        let u_plus_one = u + &FieldElement::ONE;
-        let u_minus_one = u - &FieldElement::ONE;
-
-        let mut y = &u_minus_one * &u_plus_one.invert();
-
-        // This mapping is undefined when t == 0 or s == -1, i.e., when the
-        // denominator of either of the above rational functions is zero.
-        // Implementations MUST detect exceptional cases and return the value
-        // (v, w) = (0, 1), which is the identity point on all twisted Edwards
-        // curves.
-        let result_undefined = v.is_zero() | u_plus_one.is_zero();
-        x.conditional_assign(&FieldElement::ZERO, result_undefined);
-        y.conditional_assign(&FieldElement::ONE, result_undefined);
-
-        // Convert from Edwards (x, y) to extended (x, y, z, t) coordinates.
-        // new_edwards_from_xy(x, y)
-
-        (x, y)
+    #[cfg(feature = "elligator2")]
+    /// Perform the Elligator2 mapping to an [`EdwardsPoint`].
+    ///
+    /// Calculates a point on elliptic curve E (Curve25519) from an element of
+    /// the finite field F over which E is defined. See section 6.7.1 of the
+    /// RFC.
+    ///
+    /// The input u and output P are elements of the field F. Note that
+    /// the output P is a point on the edwards curve and as such it's byte
+    /// representation is distinguishable from uniform random.
+    ///
+    /// Input:
+    ///     * u -> an element of field F.
+    ///
+    /// Output:
+    ///     * P - a point on the Edwards elliptic curve.
+    ///
+    /// See <https://datatracker.ietf.org/doc/rfc9380/>
+    pub fn map_to_point(r: &[u8; 32]) -> EdwardsPoint {
+        let mut clamped = *r;
+        clamped[31] &= MASK_UNSET_BYTE;
+        let r_0 = FieldElement::from_bytes(&clamped);
+        let (x, y) = map_fe_to_edwards(&r_0);
+        Self::from_xy(&x, &y)
     }
 
-    #[cfg(elligator2)]
+    #[cfg(feature = "elligator2")]
     fn from_xy(x: &FieldElement, y: &FieldElement) -> EdwardsPoint {
-        // Yeah yeah yeah, no where better to put this. :(
         let z = FieldElement::ONE;
         let t = x * y;
 
@@ -2275,10 +2260,6 @@ mod test {
                 "2eb10d432702ea7f79207da95d206f82d5a3b374f5f89f17a199531f78d3bea6",
                 "d8f8b508edffbb8b6dab0f602f86a9dd759f800fe18f782fdcac47c234883e7f",
             ],
-            vec![
-                "84cbe9accdd32b46f4a8ef51c85fd39d028711f77fb00e204a613fc235fd68b9",
-                "93c73e0289afd1d1fc9e4e78a505d5d1b2642fbdf91a1eff7d281930654b1453",
-            ],
             vec![
                 "c85165952490dc1839cb69012a3d9f2cc4b02343613263ab93a26dc89fd58267",
                 "43cbe8685fd3c90665b91835debb89ff1477f906f5170f38a192f6a199556537",
@@ -2291,35 +2272,44 @@ mod test {
                 "1618c08ef0233f94f0f163f9435ec7457cd7a8cd4bb6b160315d15818c30f7a2",
                 "da0b703593b29dbcd28ebd6e7baea17b6f61971f3641cae774f6a5137a12294c",
             ],
-            vec![
-                "48b73039db6fcdcb6030c4a38e8be80b6390d8ae46890e77e623f87254ef149c",
-                "ca11b25acbc80566603eabeb9364ebd50e0306424c61049e1ce9385d9f349966",
-            ],
             vec![
                 "a744d582b3a34d14d311b7629da06d003045ae77cebceeb4e0e72734d63bd07d",
                 "fad25a5ea15d4541258af8785acaf697a886c1b872c793790e60a6837b1adbc0",
             ],
-            vec![
-                "80a6ff33494c471c5eff7efb9febfbcf30a946fe6535b3451cda79f2154a7095",
-                "57ac03913309b3f8cd3c3d4c49d878bb21f4d97dc74a1eaccbe5c601f7f06f47",
-            ],
             vec![
                 "f06fc939bc10551a0fd415aebf107ef0b9c4ee1ef9a164157bdd089127782617",
                 "785b2a6a00a5579cc9da1ff997ce8339b6f9fb46c6f10cf7a12ff2986341a6e0",
             ],
+            // Non Least-Square-Root representative values. (i.e. representative > 2^254-10 )
+            vec![
+                "84cbe9accdd32b46f4a8ef51c85fd39d028711f77fb00e204a613fc235fd68b9",
+                "93c73e0289afd1d1fc9e4e78a505d5d1b2642fbdf91a1eff7d281930654b1453",
+            ],
+            vec![
+                "48b73039db6fcdcb6030c4a38e8be80b6390d8ae46890e77e623f87254ef149c",
+                "ca11b25acbc80566603eabeb9364ebd50e0306424c61049e1ce9385d9f349966",
+            ],
+            vec![
+                "80a6ff33494c471c5eff7efb9febfbcf30a946fe6535b3451cda79f2154a7095",
+                "57ac03913309b3f8cd3c3d4c49d878bb21f4d97dc74a1eaccbe5c601f7f06f47",
+            ],
         ]
     }
 
     #[test]
     #[allow(deprecated)]
     #[cfg(all(feature = "alloc", feature = "digest"))]
     fn elligator_signal_test_vectors() {
-        for vector in test_vectors().iter() {
-            let input = hex::decode(vector[0]).unwrap();
-            let output = hex::decode(vector[1]).unwrap();
+        for (n, vector) in test_vectors().iter().enumerate() {
+            let input = hex::decode(vector[0]).expect("failed to decode hex input");
+            let output = hex::decode(vector[1]).expect("failed to decode hex output");
 
             let point = EdwardsPoint::nonspec_map_to_curve::<sha2::Sha512>(&input);
-            assert_eq!(point.compress().to_bytes(), output[..]);
+            assert_eq!(
+                hex::encode(point.compress().to_bytes()),
+                hex::encode(&output[..]),
+                "signal map_to_curve failed for test {n}"
+            );
         }
     }
 }

curve25519-dalek/src/elligator2.rs

@@ -248,9 +248,61 @@ impl MontgomeryPoint {
     }
 
     #[cfg(feature = "elligator2")]
-    /// This decodes an elligator2 hidden point to a curve point on Curve25519.
-    pub fn from_representative(&self) -> MontgomeryPoint {
-        elligator2::map_to_point(&self.0)
+    /// Perform the Elligator2 mapping to a [`MontgomeryPoint`].
+    ///
+    /// Calculates a point on elliptic curve E (Curve25519) from an element of
+    /// the finite field F over which E is defined. See section 6.7.1 of the
+    /// RFC. The unbounded variant does NOT assume that input values are always
+    /// going to be the least-square-root representation of the field element.
+    /// This is divergent from both the elligator2 specification and RFC9380,
+    /// however, some implementations miss this detail. This allows us to be
+    /// compatible with those alternate implementations if necessary, since the
+    /// resulting point will be different for inputs with either of the
+    /// high-order two bits set.
+    ///
+    /// The input u and output P are elements of the field F. Note that
+    /// the output P is a point on the Montgomery curve and as such it's byte
+    /// representation is distinguishable from uniform random.
+    ///
+    /// Input:
+    ///     * u -> an element of field F.
+    ///
+    /// Output:
+    ///     * P - a point on the Montgomery elliptic curve.
+    ///
+    /// See <https://datatracker.ietf.org/doc/rfc9380/>
+    pub fn map_to_point_unbounded(r: &[u8; 32]) -> MontgomeryPoint {
+        let r_0 = FieldElement::from_bytes(r);
+        let (p, _) = elligator2::map_fe_to_montgomery(&r_0);
+        MontgomeryPoint(p.as_bytes())
+    }
+
+    #[cfg(feature = "elligator2")]
+    /// Perform the Elligator2 mapping to a [`MontgomeryPoint`].
+    ///
+    /// Calculates a point on elliptic curve E (Curve25519) from an element of
+    /// the finite field F over which E is defined. See section 6.7.1 of the
+    /// RFC. It is assumed that input values are always going to be the
+    /// least-square-root representation of the field element in allignment
+    /// with both the elligator2 specification and RFC9380.
+    ///
+    /// The input u and output P are elements of the field F. Note that
+    /// the output P is a point on the Montgomery curve and as such it's byte
+    /// representation is distinguishable from uniform random.
+    ///
+    /// Input:
+    ///     * u -> an element of field F.
+    ///
+    /// Output:
+    ///     * P - a point on the Montgomery elliptic curve.
+    ///
+    /// See <https://datatracker.ietf.org/doc/rfc9380/>
+    pub fn map_to_point(r: &[u8; 32]) -> MontgomeryPoint {
+        let mut clamped = *r;
+        clamped[31] &= elligator2::MASK_UNSET_BYTE;
+        let r_0 = FieldElement::from_bytes(&clamped);
+        let (p, _) = elligator2::map_fe_to_montgomery(&r_0);
+        MontgomeryPoint(p.as_bytes())
     }
 }
 
@@ -408,6 +460,7 @@ mod test {
     use crate::constants;
 
     #[cfg(feature = "alloc")]
+    #[cfg(feature = "elligator2")]
     use alloc::vec::Vec;
 
     use rand_core::{CryptoRng, RngCore};
@@ -625,15 +678,15 @@ mod test {
         let bytes: Vec<u8> = (0u8..32u8).collect();
         let bits_in: [u8; 32] = (&bytes[..]).try_into().expect("Range invariant broken");
 
-        let eg = elligator2::map_to_point(&bits_in);
+        let eg = MontgomeryPoint::map_to_point(&bits_in);
         assert_eq!(eg.0, ELLIGATOR_CORRECT_OUTPUT);
     }
 
     #[test]
     #[cfg(feature = "elligator2")]
     fn montgomery_elligator_zero_zero() {
         let zero = [0u8; 32];
-        let eg = elligator2::map_to_point(&zero);
+        let eg = MontgomeryPoint::map_to_point(&zero);
         assert_eq!(eg.0, zero);
     }
 }

curve25519-dalek/src/montgomery.rs

@@ -72,7 +72,7 @@ impl AsRef<[u8]> for PublicKey {
 /// secret is used at most once.
 #[cfg_attr(feature = "zeroize", derive(Zeroize))]
 #[cfg_attr(feature = "zeroize", zeroize(drop))]
-pub struct EphemeralSecret(pub(crate) [u8; 32]);
+pub struct EphemeralSecret(pub(crate) [u8; 32], pub(crate) u8);
 
 impl EphemeralSecret {
     /// Perform a Diffie-Hellman key agreement between `self` and
@@ -94,8 +94,10 @@ impl EphemeralSecret {
     pub fn random_from_rng<T: RngCore + CryptoRng>(mut csprng: T) -> Self {
         // The secret key is random bytes. Clamping is done later.
         let mut bytes = [0u8; 32];
+        let mut tweak = [0u8; 1];
         csprng.fill_bytes(&mut bytes);
-        EphemeralSecret(bytes)
+        csprng.fill_bytes(&mut tweak);
+        EphemeralSecret(bytes, tweak[0])
     }
 
     /// Generate a new [`EphemeralSecret`].
@@ -134,7 +136,7 @@ impl<'a> From<&'a EphemeralSecret> for PublicKey {
 #[cfg_attr(feature = "zeroize", derive(Zeroize))]
 #[cfg_attr(feature = "zeroize", zeroize(drop))]
 #[derive(Clone)]
-pub struct ReusableSecret(pub(crate) [u8; 32]);
+pub struct ReusableSecret(pub(crate) [u8; 32], pub(crate) u8);
 
 #[cfg(feature = "reusable_secrets")]
 impl ReusableSecret {
@@ -157,8 +159,10 @@ impl ReusableSecret {
     pub fn random_from_rng<T: RngCore + CryptoRng>(mut csprng: T) -> Self {
         // The secret key is random bytes. Clamping is done later.
         let mut bytes = [0u8; 32];
+        let mut tweak = [0u8; 1];
         csprng.fill_bytes(&mut bytes);
-        ReusableSecret(bytes)
+        csprng.fill_bytes(&mut tweak);
+        ReusableSecret(bytes, tweak[0])
     }
 
     /// Generate a new [`ReusableSecret`].
@@ -195,7 +199,7 @@ impl<'a> From<&'a ReusableSecret> for PublicKey {
 #[cfg_attr(feature = "zeroize", derive(Zeroize))]
 #[cfg_attr(feature = "zeroize", zeroize(drop))]
 #[derive(Clone)]
-pub struct StaticSecret([u8; 32]);
+pub struct StaticSecret([u8; 32], u8);
 
 #[cfg(feature = "static_secrets")]
 impl StaticSecret {
@@ -218,8 +222,10 @@ impl StaticSecret {
     pub fn random_from_rng<T: RngCore + CryptoRng>(mut csprng: T) -> Self {
         // The secret key is random bytes. Clamping is done later.
         let mut bytes = [0u8; 32];
+        let mut tweak = [0u8; 1];
         csprng.fill_bytes(&mut bytes);
-        StaticSecret(bytes)
+        csprng.fill_bytes(&mut tweak);
+        StaticSecret(bytes, tweak[0])
     }
 
     /// Generate a new [`StaticSecret`].
@@ -245,7 +251,7 @@ impl StaticSecret {
 impl From<[u8; 32]> for StaticSecret {
     /// Load a secret key from a byte array.
     fn from(bytes: [u8; 32]) -> StaticSecret {
-        StaticSecret(bytes)
+        StaticSecret(bytes, 0u8)
     }
 }
 
@@ -473,7 +479,7 @@ impl<'a> From<&'a [u8; 32]> for PublicRepresentative {
 impl<'a> From<&'a EphemeralSecret> for Option<PublicRepresentative> {
     /// Given an x25519 [`EphemeralSecret`] key, compute its corresponding [`PublicRepresentative`].
     fn from(secret: &'a EphemeralSecret) -> Option<PublicRepresentative> {
-        let repres = curve25519_dalek::elligator2::representative_from_privkey(&secret.0);
+        let repres = curve25519_dalek::elligator2::representative_from_privkey(&secret.0, secret.1);
         let res: Option<[u8; 32]> = repres;
         Some(PublicRepresentative(res?))
     }
@@ -484,7 +490,7 @@ impl<'a> From<&'a EphemeralSecret> for Option<PublicRepresentative> {
 impl<'a> From<&'a ReusableSecret> for Option<PublicRepresentative> {
     /// Given an x25519 [`ReusableSecret`] key, compute its corresponding [`PublicRepresentative`].
     fn from(secret: &'a ReusableSecret) -> Option<PublicRepresentative> {
-        let repres = curve25519_dalek::elligator2::representative_from_privkey(&secret.0);
+        let repres = curve25519_dalek::elligator2::representative_from_privkey(&secret.0, secret.1);
         let res: Option<[u8; 32]> = repres;
         Some(PublicRepresentative(res?))
     }
@@ -495,7 +501,7 @@ impl<'a> From<&'a ReusableSecret> for Option<PublicRepresentative> {
 impl<'a> From<&'a StaticSecret> for Option<PublicRepresentative> {
     /// Given an x25519 [`StaticSecret`] key, compute its corresponding [`PublicRepresentative`].
     fn from(secret: &'a StaticSecret) -> Option<PublicRepresentative> {
-        let repres = curve25519_dalek::elligator2::representative_from_privkey(&secret.0);
+        let repres = curve25519_dalek::elligator2::representative_from_privkey(&secret.0, secret.1);
         let res: Option<[u8; 32]> = repres;
         Some(PublicRepresentative(res?))
     }
@@ -505,7 +511,8 @@ impl<'a> From<&'a StaticSecret> for Option<PublicRepresentative> {
 impl<'a> From<&'a PublicRepresentative> for PublicKey {
     /// Given an elligator2 [`PublicRepresentative`], compute its corresponding [`PublicKey`].
     fn from(representative: &'a PublicRepresentative) -> PublicKey {
-        let point = curve25519_dalek::elligator2::map_to_point(&representative.0);
+        let point = MontgomeryPoint::map_to_point(&representative.0);
         PublicKey(point)
     }
 }
+