SharedSecretCalculation.java
/*******************************************************************************
* Copyright (c) 2023 RISE SICS and others.
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* and Eclipse Distribution License v1.0 which accompany this distribution.
*
* The Eclipse Public License is available at
* http://www.eclipse.org/legal/epl-v10.html
* and the Eclipse Distribution License is available at
* http://www.eclipse.org/org/documents/edl-v10.html.
*
* Contributors:
* Rikard Höglund (RISE SICS)
*
******************************************************************************/
package org.eclipse.californium.oscore.group;
import java.math.BigInteger;
import java.util.Arrays;
import org.eclipse.californium.cose.CoseException;
import org.eclipse.californium.cose.OneKey;
import org.eclipse.californium.elements.util.StringUtil;
import net.i2p.crypto.eddsa.EdDSAPrivateKey;
import net.i2p.crypto.eddsa.math.Field;
import net.i2p.crypto.eddsa.math.FieldElement;
import net.i2p.crypto.eddsa.math.bigint.BigIntegerFieldElement;
import net.i2p.crypto.eddsa.math.bigint.BigIntegerLittleEndianEncoding;
/**
* Class implementing the X25519 function, supporting functionality, tests and
* shared secret calculation.
*
*/
public class SharedSecretCalculation {
/*
* Useful links:
* https://crypto.stackexchange.com/questions/63732/curve-25519-x25519-
* ed25519-convert-coordinates-between-montgomery-curve-and-t/63734
*
* https://tools.ietf.org/html/rfc7748
*
* https://tools.ietf.org/html/rfc8032
*
* https://github.com/bifurcation/fourq
*
* https://blog.mozilla.org/warner/2011/11/29/ed25519-keys/
*
* See java-test.py I made.
*/
// Create the ed25519 field
private static Field ed25519Field = new Field(256, // b
StringUtil.hex2ByteArray("edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f"), // q(2^255-19)
new BigIntegerLittleEndianEncoding());
/**
* Calculate the shared secret from a COSE OneKey using EdDSA. It is first
* converted to Montgomery coordinates and after that the X25519 function is
* used to perform the shared secret calculation.
*
* @param publicKey the public key (of the other party)
* @param privateKey the private key (your own)
* @return the shared secret calculated
* @throws CoseException on failure
*/
public static byte[] calculateSharedSecret(OneKey publicKey, OneKey privateKey) throws CoseException {
/* Calculate u coordinate from public key */
FieldElement public_y = KeyRemapping.extractCOSE_y(publicKey);
FieldElement public_u = KeyRemapping.calcCurve25519_u(public_y);
byte[] public_u_array = public_u.toByteArray();
/* Get private scalar from private key */
byte[] private_hash = ((EdDSAPrivateKey) privateKey.AsPrivateKey()).getH();
byte[] private_scalar = Arrays.copyOf(private_hash, 32);
/* -- Calculated shared secret -- */
// secret = X25519(my private scalar, your public key U)
byte[] sharedSecret = X25519(private_scalar, public_u_array);
return sharedSecret;
}
static byte[] X25519(byte[] k, byte[] u) {
k = k.clone(); // Needed?
u = u.clone(); // Needed?
BigInteger kn = decodeScalar(k);
BigInteger un = decodeUCoordinate(u);
BigIntegerFieldElement kn_bif = new BigIntegerFieldElement(ed25519Field, kn);
BigIntegerFieldElement un_bif = new BigIntegerFieldElement(ed25519Field, un);
FieldElement res = X25519_calculate(kn_bif, un_bif);
BigInteger res_bi = new BigInteger(invertArray(res.toByteArray()));
return encodeUCoordinate(res_bi);
}
// Skips decoding the scalar k
// Since it may not be encoded in the first place
// But in the end it seems decoding multiple times changes nothing
@SuppressWarnings("unused")
private static byte[] X25519_noDecodeScalar(byte[] k, byte[] u) {
k = k.clone(); // Needed?
u = u.clone(); // Needed?
BigInteger kn = decodeLittleEndian(k, 255);
BigInteger un = decodeUCoordinate(u);
BigIntegerFieldElement kn_bif = new BigIntegerFieldElement(ed25519Field, kn);
BigIntegerFieldElement un_bif = new BigIntegerFieldElement(ed25519Field, un);
FieldElement res = X25519_calculate(kn_bif, un_bif);
BigInteger res_bi = new BigInteger(invertArray(res.toByteArray()));
return encodeUCoordinate(res_bi);
}
/**
* Implements the XX25519 function.
*
* See https://tools.ietf.org/html/rfc7748#section-5
*/
private static FieldElement X25519_calculate(FieldElement k, FieldElement u) {
// Set bits
// https://tools.ietf.org/html/rfc7748#page-7
int bits = 255;
// Initialize starting values
FieldElement x_1 = u;
FieldElement x_2 = new BigIntegerFieldElement(ed25519Field, new BigInteger("1"));
FieldElement z_2 = new BigIntegerFieldElement(ed25519Field, new BigInteger("0"));
FieldElement x_3 = u;
FieldElement z_3 = new BigIntegerFieldElement(ed25519Field, new BigInteger("1"));
BigInteger swap = new BigInteger("0");
// https://tools.ietf.org/html/rfc7748#page-8
FieldElement a24 = new BigIntegerFieldElement(ed25519Field, new BigInteger("121665"));
// Uninitialized variables used in loop
FieldElement A;
FieldElement AA;
FieldElement B;
FieldElement BB;
FieldElement E;
FieldElement C;
FieldElement D;
FieldElement DA;
FieldElement CB;
// For loop here
for (int t = bits - 1; t >= 0; t--) {
// Swap step
BigInteger k_bi = new BigInteger(invertArray(k.toByteArray()));
// k_t = (k >> t) & 1
BigInteger k_t = (k_bi.shiftRight(t)).and(BigInteger.ONE);
swap = swap.xor(k_t); // swap ^= k_t
// Swapping
Tuple result = cswap(swap, x_2, x_3);
x_2 = result.a;
x_3 = result.b;
// End swapping
// Swapping
Tuple result2 = cswap(swap, z_2, z_3);
z_2 = result2.a;
z_3 = result2.b;
// End swapping
swap = k_t; // swap = k_t
// Calculation step
A = x_2.add(z_2); // A = x_2 + z_2
AA = A.multiply(A); // AA = A^2
B = x_2.subtract(z_2); // B = x_2 - z_2
BB = B.multiply(B); // B = B^2
E = AA.subtract(BB); // E = AA - BB
C = x_3.add(z_3); // C = x_3 + z_3
D = x_3.subtract(z_3); // D = x_3 - z_3
DA = D.multiply(A); // DA = D * A
CB = C.multiply(B); // CB = C * B
FieldElement DA_a_CB = DA.add(CB);
x_3 = DA_a_CB.multiply(DA_a_CB); // x_3 = (DA + CB)^2
FieldElement DA_s_CB = DA.subtract(CB);
FieldElement DA_s_CB__x__DA_s_CB = DA_s_CB.multiply(DA_s_CB);
z_3 = x_1.multiply(DA_s_CB__x__DA_s_CB); // z_3 = x_1 * (DA - CB)^2
x_2 = AA.multiply(BB); // x_2 = AA * BB
FieldElement a24_x_E = a24.multiply(E);
FieldElement AA__a__a24_x_E = AA.add(a24_x_E);
z_2 = E.multiply(AA__a__a24_x_E); // z_2 = E * (AA + a24 * E)
}
// Final swap step
// Swapping
Tuple result = cswap(swap, x_2, x_3);
x_2 = result.a;
x_3 = result.b;
// End swapping
// Swapping
Tuple result2 = cswap(swap, z_2, z_3);
z_2 = result2.a;
z_3 = result2.b;
// End swapping
// Return step
// Calculate p
BigInteger pow = new BigInteger("2").pow(255);
BigInteger p_bi = pow.subtract(new BigInteger("19"));
FieldElement p = new BigIntegerFieldElement(ed25519Field, p_bi);
// Calculate p minus 2
FieldElement p_s_2 = p.subtractOne().subtractOne();
// Calculate z_2^(p - 2)
BigInteger z_2_bi = new BigInteger(invertArray(z_2.toByteArray()));
BigIntegerFieldElement z_2_bif = new BigIntegerFieldElement(ed25519Field, z_2_bi);
FieldElement val = z_2_bif.pow(p_s_2);
// Calculate return vale
FieldElement ret = x_2.multiply(val);
return ret;
}
static BigInteger decodeLittleEndian(byte[] b, int bits) {
byte[] cutArray = Arrays.copyOf(b, (bits + 7) / 8);
BigInteger res = new BigInteger(1, invertArray(cutArray));
return res;
}
static BigInteger decodeScalar(byte[] b) {
b[0] &= 248;
b[31] &= 127;
b[31] |= 64;
return decodeLittleEndian(b, 255);
}
static BigInteger decodeUCoordinate(byte[] u) {
int bits = 255;
for (int i = 0; i < u.length; i++) {
if ((u[i] % 8) != 0) {
u[u.length - 1] &= (1 << (bits % 8)) - 1;
}
}
return decodeLittleEndian(u, bits);
}
// TODO: Optimize
static byte[] encodeUCoordinate(BigInteger u) {
int bits = 255;
BigInteger pow = new BigInteger("2").pow(255);
BigInteger p_bi = pow.subtract(new BigInteger("19"));
u = u.mod(p_bi); // u = u % p
byte[] res = new byte[(bits + 7) / 8];
for (int i = 0; i < ((bits + 7) / 8); i++) {
BigInteger temp = u.shiftRight(8 * i);
byte[] temp2 = temp.toByteArray();
res[i] = temp2[temp2.length - 1];
}
return res;
}
// TODO: Do I really need to make new objects?
static class Tuple {
public FieldElement a;
public FieldElement b;
Tuple(FieldElement a, FieldElement b) {
BigInteger a_bi = new BigInteger(invertArray(a.toByteArray()));
BigInteger b_bi = new BigInteger(invertArray(b.toByteArray()));
this.a = new BigIntegerFieldElement(ed25519Field, a_bi);
this.b = new BigIntegerFieldElement(ed25519Field, b_bi);
}
}
/**
* Potentially swaps values of two FieldElements. Will swap values if the
* BigInteger swap equals 1.
*
* @return the original or swapped Tuple depending on the input value of
* swap
*/
static Tuple cswap(BigInteger swap, FieldElement a, FieldElement b) {
byte[] aBytes = a.toByteArray();
byte[] bBytes = b.toByteArray();
byte[] mask = new byte[aBytes.length];
byte[] dummy = new byte[aBytes.length];
byte[] swapBytes = swap.toByteArray();
byte swapValue = (byte) (-swapBytes[0]);
Arrays.fill(mask, swapValue);
for (int i = 0; i < aBytes.length; i++) {
dummy[i] = (byte) (mask[i] & (aBytes[i] ^ bBytes[i]));
aBytes[i] ^= dummy[i];
bBytes[i] ^= dummy[i];
}
FieldElement newA = new BigIntegerFieldElement(ed25519Field, new BigInteger(invertArray(aBytes)));
FieldElement newB = new BigIntegerFieldElement(ed25519Field, new BigInteger(invertArray(bBytes)));
return new Tuple(newA, newB);
}
/**
* Invert a byte array
*
* Needed to handle endianness
*
* @param input the input byte array
* @return the inverted byte array
*/
private static byte[] invertArray(byte[] input) {
byte[] output = input.clone();
for (int i = 0; i < input.length; i++) {
output[i] = input[input.length - i - 1];
}
return output;
}
}