Constant-time scalars in ed25519, and variable-time option flag

.travis.yml

@@ -10,6 +10,7 @@ install:
   - go get golang.org/x/tools/cmd/cover
   - go get github.com/mattn/goveralls
 
+
 script:
   - make test
 

Makefile

@@ -40,4 +40,4 @@ test_verbose:
 test_goverall:
 	${GOPATH}/bin/goveralls -service=travis-ci
 
-test: test_goverall
+test: test_fmt test_goverall

cipher.go

@@ -132,11 +132,13 @@ type option struct{ name string }
 
 func (o *option) String() string { return o.name }
 
-// Pass NoKey to a Cipher constructor to create an unkeyed Cipher.
+// NoKey is given to a Cipher constructor to create an unkeyed
+// Cipher.
 var NoKey = []byte{}
 
-// Pass RandomKey to a Cipher constructor to create a randomly seeded Cipher.
-var RandomKey []byte = nil
+// RandomKey is given to a Cipher constructor to create a
+// randomly seeded Cipher.
+var RandomKey []byte
 
 // Cipher represents a general-purpose symmetric message cipher.
 // A Cipher instance embodies a scalar that may be used to encrypt/decrypt data

cipher/aead.go

@@ -13,7 +13,7 @@ type cipherAEAD struct {
 	kyber.Cipher
 }
 
-// Wrap an kyber.message Cipher to implement
+// NewAEAD wraps an kyber.message Cipher to implement
 // the Authenticated Encryption with Associated Data (AEAD) interface.
 func NewAEAD(c kyber.Cipher) cipher.AEAD {
 	return &cipherAEAD{c}

cipher/bench/cipher_test.go

@@ -5,13 +5,13 @@ import (
 	"crypto/rc4"
 	"testing"
 
+	"golang.org/x/crypto/blowfish"
+	"golang.org/x/crypto/salsa20"
+	"golang.org/x/crypto/twofish"
 	"gopkg.in/dedis/kyber.v1"
 	"gopkg.in/dedis/kyber.v1/cipher/aes"
 	"gopkg.in/dedis/kyber.v1/cipher/norx"
 	"gopkg.in/dedis/kyber.v1/cipher/sha3"
-	"golang.org/x/crypto/blowfish"
-	"golang.org/x/crypto/salsa20"
-	"golang.org/x/crypto/twofish"
 )
 
 var buf = make([]byte, 1024*1024)

cipher/bench/doc.go

@@ -1,3 +1,3 @@
-// This package exists runs comparative benchmarks
+// Package bench runs comparative benchmarks
 // across several alternative Cipher implementations.
 package bench

cipher/block.go

@@ -7,7 +7,7 @@ import (
 	"gopkg.in/dedis/kyber.v1"
 )
 
-// Construct a general message Cipher
+// FromBlock constructs  a general message Cipher
 // from a Block cipher and a cryptographic Hash.
 func FromBlock(newCipher func(key []byte) (cipher.Block, error),
 	newHash func() hash.Hash, blockLen, keyLen, hashLen int,

cipher/cipher.go

@@ -4,5 +4,8 @@ import (
 	"crypto/cipher"
 )
 
+// Stream is just an alias for cipher.Stream
 type Stream cipher.Stream
+
+// Block is just an alias for cipher.Block
 type Block cipher.Block

cipher/hash.go

@@ -20,6 +20,7 @@ type cipherBlockSize interface {
 	BlockSize() int
 }
 
+// NewHash returns a new cipher-based hash
 func NewHash(cipher func(key []byte, options ...interface{}) kyber.Cipher, size int) hash.Hash {
 	ch := &cipherHash{}
 	ch.cipher = cipher

cipher/sponge.go

@@ -65,7 +65,7 @@ type spongeCipher struct {
 	pos int
 }
 
-// SpongeCipher builds a general message Cipher from a Sponge function.
+// FromSponge builds a general message Cipher from a Sponge function.
 func FromSponge(sponge Sponge, key []byte, options ...interface{}) kyber.Cipher {
 	sc := spongeCipher{}
 	sc.sponge = sponge
@@ -87,7 +87,7 @@ func FromSponge(sponge Sponge, key []byte, options ...interface{}) kyber.Cipher
 	// Setup normal-case domain-separation byte used for message payloads
 	sc.setDomain(domainPayload, 0)
 
-	return kyber.Cipher{&sc}
+	return kyber.Cipher{CipherState: &sc}
 }
 
 func (sc *spongeCipher) parseOptions(options []interface{}) bool {

cipher/stream.go

@@ -27,7 +27,7 @@ const bufLen = 1024
 
 var zeroBytes = make([]byte, bufLen)
 
-// Construct a general message Cipher
+// FromStream constructs a general message Cipher
 // from a Stream cipher and a cryptographic Hash.
 func FromStream(newStream func(key []byte) cipher.Stream,
 	newHash func() hash.Hash, blockLen, keyLen, hashLen int,
@@ -52,7 +52,7 @@ func FromStream(newStream func(key []byte) cipher.Stream,
 		panic("no FromStream options supported yet")
 	}
 
-	return kyber.Cipher{&sc}
+	return kyber.Cipher{CipherState: &sc}
 }
 
 func (sc *streamCipher) Partial(dst, src, key []byte) {
@@ -80,10 +80,11 @@ func (sc *streamCipher) Partial(dst, src, key []byte) {
 	// absorb cryptographic input (which may overlap with dst)
 	if key != nil {
 		nkey := ints.Min(n, len(key)) // # key bytes available
-		sc.h.Write(key[:nkey])
+		// XXX check return error ?
+		_, _ = sc.h.Write(key[:nkey])
 		if n > nkey {
 			buf := make([]byte, n-nkey)
-			sc.h.Write(buf)
+			_, _ = sc.h.Write(buf)
 		}
 	}
 }

doc.go

@@ -1,5 +1,5 @@
 /*
-Package crypto provides a toolbox of advanced cryptographic primitives,
+Package kyber provides a toolbox of advanced cryptographic primitives,
 for applications that need more than straightforward signing and encryption.
 The cornerstone of this toolbox is the 'kyber. sub-package,
 which defines kyber.interfaces to cryptographic primitives

encoding.go

@@ -4,7 +4,6 @@ import (
 	"crypto/cipher"
 	"encoding"
 	"encoding/binary"
-	"errors"
 	"fmt"
 	"io"
 	"reflect"
@@ -143,7 +142,7 @@ type decoder struct {
 	r io.Reader
 }
 
-var int32Type reflect.Type = reflect.TypeOf(int32(0))
+var int32Type = reflect.TypeOf(int32(0))
 
 // Read a series of binary objects from an io.Reader.
 // The objs must be a list of pointers.
@@ -217,7 +216,7 @@ func (de *decoder) value(v reflect.Value, depth int) error {
 		var i int32
 		err := binary.Read(de.r, binary.BigEndian, &i)
 		if err != nil {
-			return errors.New(fmt.Sprintf("Error converting int to int32 ( %v )", err))
+			return fmt.Errorf("Error converting int to int32 ( %v )", err)
 		}
 		v.SetInt(int64(i))
 		return err
@@ -314,7 +313,7 @@ func (en *encoder) value(obj interface{}, depth int) error {
 	return nil
 }
 
-// Default implementation of reflective constructor for ciphersuites
+// SuiteNew is the Default implementation of reflective constructor for ciphersuites
 func SuiteNew(g Group, t reflect.Type) interface{} {
 	switch t {
 	case tScalar:
@@ -325,12 +324,12 @@ func SuiteNew(g Group, t reflect.Type) interface{} {
 	return nil
 }
 
-// Default implementation of Encoding interface Read for ciphersuites
+// SuiteRead is the default implementation of Encoding interface Read for ciphersuites
 func SuiteRead(s Constructor, r io.Reader, objs ...interface{}) error {
 	return BinaryEncoding{Constructor: s}.Read(r, objs)
 }
 
-// Default implementation of Encoding interface Write for ciphersuites
+// SuiteWrite is the default implementation of Encoding interface Write for ciphersuites
 func SuiteWrite(s Constructor, w io.Writer, objs ...interface{}) error {
 	return BinaryEncoding{Constructor: s}.Write(w, objs)
 }

examples/dh_test.go

@@ -1,7 +1,7 @@
 package examples
 
 import (
-	"gopkg.in/dedis/kyber.v1/group/nist"
+	"gopkg.in/dedis/kyber.v1/group/edwards25519"
 	"gopkg.in/dedis/kyber.v1/util/random"
 )
 
@@ -15,7 +15,7 @@ simply by changing the first line that picks the suite.
 func Example_diffieHellman() {
 
 	// Crypto setup: NIST-standardized P256 curve with AES-128 and SHA-256
-	suite := nist.NewAES128SHA256P256()
+	suite := edwards25519.NewAES128SHA256Ed25519(false)
 
 	// Alice's public/private keypair
 	a := suite.Scalar().Pick(random.Stream) // Alice's private key

examples/enc_test.go

@@ -2,7 +2,7 @@ package examples
 
 import (
 	"gopkg.in/dedis/kyber.v1"
-	"gopkg.in/dedis/kyber.v1/group/nist"
+	"gopkg.in/dedis/kyber.v1/group/edwards25519"
 	"gopkg.in/dedis/kyber.v1/util/random"
 )
 
@@ -58,7 +58,7 @@ see for example anon.Encrypt, which encrypts a message for
 one of several possible receivers forming an explicit anonymity set.
 */
 func Example_elGamalEncryption() {
-	group := nist.NewAES128SHA256P256()
+	group := edwards25519.NewAES128SHA256Ed25519(false)
 
 	// Create a public/private keypair
 	a := group.Scalar().Pick(random.Stream) // Alice's private key

examples/main.go

@@ -1,4 +1,4 @@
-// This package provides a suite of tests showing how to use the different
+// Package examples provides a suite of tests showing how to use the different
 // abstraction and protocols provided by the dedis/kyber library. To run the
 // tests, simply do `go test -v`.
 //

examples/sig_test.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 
 	"gopkg.in/dedis/kyber.v1"
-	"gopkg.in/dedis/kyber.v1/group/nist"
+	"gopkg.in/dedis/kyber.v1/group/edwards25519"
 )
 
 type Suite interface {
@@ -54,7 +54,7 @@ func SchnorrSign(suite Suite, random cipher.Stream, message []byte,
 	// And check that hashElgamal for T and the message == c
 	buf := bytes.Buffer{}
 	sig := basicSig{c, r}
-	suite.Write(&buf, &sig)
+	_ = suite.Write(&buf, &sig)
 	return buf.Bytes()
 }
 
@@ -87,9 +87,9 @@ func SchnorrVerify(suite Suite, message []byte, publicKey kyber.Point,
 }
 
 // Example of using Schnorr
-func ExampleSchnorr() {
+func Example_schnorr() {
 	// Crypto setup
-	group := nist.NewAES128SHA256P256()
+	group := edwards25519.NewAES128SHA256Ed25519(false)
 	rand := group.Cipher([]byte("example"))
 
 	// Create a public/private keypair (X,x)
@@ -110,9 +110,9 @@ func ExampleSchnorr() {
 
 	// Output:
 	// Signature:
-	// 00000000  c1 7a 91 74 06 48 5d 53  d4 92 27 71 58 07 eb d5  |.z.t.H]S..'qX...|
-	// 00000010  75 a5 89 92 78 67 fc b1  eb 36 55 63 d1 32 12 20  |u...xg...6Uc.2. |
-	// 00000020  2c 78 84 81 04 0d 2a a8  fa 80 d0 e8 c3 14 65 e3  |,x....*.......e.|
-	// 00000030  7f f2 7c 55 c5 d2 c6 70  51 89 40 cd 63 50 bf c6  |..|U...[email protected]..|
+	// 00000000  d4 64 bd ac 8a 06 d9 71  f4 ae a1 da e1 c5 55 d5  |.d.....q......U.|
+	// 00000010  f7 89 50 10 a5 d9 99 52  b0 c4 f2 ba f9 37 67 02  |..P....R.....7g.|
+	// 00000020  35 3e 9b ac e6 dd d1 98  f6 19 88 37 4d e3 4f 5c  |5>.........7M.O\|
+	// 00000030  36 de a7 bf b9 f0 06 2b  72 6f 81 b7 59 19 c6 00  |6......+ro..Y...|
 	// Signature verified against correct message.
 }

group.go

@@ -53,11 +53,18 @@ type Scalar interface {
 	// Set to a fresh random or pseudo-random scalar
 	Pick(rand cipher.Stream) Scalar
 
-	// SetBytes will take bytes and create a scalar out of it
+	// SetBytes sets the scalar from a big-endian byte-slice,
+	// reducing if necessary to the appropriate modulus.
 	SetBytes([]byte) Scalar
 
-	// Bytes returns the raw internal representation
+	// Bytes returns a big-Endian representation of the scalar
 	Bytes() []byte
+
+	// Allow or disallow use of faster variable-time implementations
+	// of operations on this Point, returning the old flag value.
+	// This flag always defaults to false (constant-time only)
+	// in implementations that can provide constant-time operations.
+	SetVarTime(varTime bool) bool
 }
 
 /*
@@ -111,13 +118,19 @@ type Point interface {
 	// Set to the negation of point a
 	Neg(a Point) Point
 
-	// Encrypt point p by multiplying with scalar s.
-	// If p == nil, encrypt the standard base point Base().
+	// Multiply point p by the scalar s.
+	// If p == nil, multiply with the standard base point Base().
 	Mul(s Scalar, p Point) Point
+
+	// Allow or disallow use of faster variable-time implementations
+	// of operations on this Point.  Returns the old flag value.
+	// This flag always defaults to false (constant-time only)
+	// in implementations that can provide constant-time operations.
+	SetVarTime(varTime bool) bool
 }
 
 /*
-This interface represents an kyber.cryptographic group
+Group interface represents an kyber.cryptographic group
 usable for Diffie-Hellman key exchange, ElGamal encryption,
 and the related body of public-key cryptographic algorithms
 and zero-knowledge proof methods.

group/curve25519/basic.go

@@ -1,4 +1,4 @@
-// +build experimental
+// +build experimental vartime
 
 package curve25519
 
@@ -86,6 +86,12 @@ func (P *basicPoint) Set(P2 kyber.Point) kyber.Point {
 	return P
 }
 
+func (P *basicPoint) Clone() kyber.Point {
+	p2 := new(basicPoint)
+	p2.Set(P)
+	return p2
+}
+
 // Set to the neutral element, which is (0,1) for twisted Edwards curves.
 func (P *basicPoint) Null() kyber.Point {
 	P.Set(&P.c.null)
@@ -98,19 +104,28 @@ func (P *basicPoint) Base() kyber.Point {
 	return P
 }
 
-func (P *basicPoint) PickLen() int {
-	return P.c.pickLen()
+func (P *basicPoint) EmbedLen() int {
+	return P.c.embedLen()
+}
+
+func (P *basicPoint) Embed(data []byte, rand cipher.Stream) kyber.Point {
+	P.c.embed(P, data, rand)
+	return P
 }
 
-func (P *basicPoint) Pick(data []byte, rand cipher.Stream) (kyber.Point, []byte) {
-	return P, P.c.pickPoint(P, data, rand)
+func (P *basicPoint) Pick(rand cipher.Stream) kyber.Point {
+	return P.Embed(nil, rand)
 }
 
 // Extract embedded data from a point group element
 func (P *basicPoint) Data() ([]byte, error) {
 	return P.c.data(&P.x, &P.y)
 }
 
+func (P *basicPoint) SetVarTime(varTime bool) bool {
+	return true
+}
+
 // Add two points using the basic unified addition laws for Edwards curves:
 //
 //	x' = ((x1*y2 + x2*y1) / (1 + d*x1*x2*y1*y2))
@@ -167,7 +182,7 @@ func (P *basicPoint) Neg(A kyber.Point) kyber.Point {
 func (P *basicPoint) Mul(s kyber.Scalar, G kyber.Point) kyber.Point {
 	v := s.(*mod.Int).V
 	if G == nil {
-		return P.Base().Mul(P, s)
+		return P.Base().Mul(s, P)
 	}
 	T := P
 	if G == P { // Must use temporary in case G == P
@@ -206,6 +221,10 @@ func (c *BasicCurve) Point() kyber.Point {
 	return P
 }
 
+func (c *BasicCurve) NewKey(r cipher.Stream) kyber.Scalar {
+	return c.Scalar().Pick(r)
+}
+
 // Initialize the curve with given parameters.
 func (c *BasicCurve) Init(p *Param, fullGroup bool) *BasicCurve {
 	c.curve.init(c, p, fullGroup, &c.null, &c.base)