/* * Copyright (C) 2017 - This file is part of libecc project * * Authors: * Ryad BENADJILA <ryadbenadjila@gmail.com> * Arnaud EBALARD <arnaud.ebalard@ssi.gouv.fr> * Jean-Pierre FLORI <jean-pierre.flori@ssi.gouv.fr> * * Contributors: * Nicolas VIVET <nicolas.vivet@ssi.gouv.fr> * Karim KHALFALLAH <karim.khalfallah@ssi.gouv.fr> * * This software is licensed under a dual BSD and GPL v2 license. * See LICENSE file at the root folder of the project. */ #include <libecc/lib_ecc_config.h> #include <libecc/libec.h> /* We include the printf external dependency for printf output */ #include <libecc/external_deps/print.h> /* * The purpose of this example is to implement a 'toy' * ECDH (Elliptic curve Diffie-Hellman) protocol. Alice * and Bob want to derive a secret 'x' without sharing the * same secret key (using asymmetric cryptography). In order * to do this, they agree upon a public Elliptic Curve with * a generator G. Alice (resp. Bob) generates a private value * d_Alice (resp. d_Bob) < q, where q is the order of G. * Alice (resp. Bob) computes and shares Q_Alice = d_Alice x G * (resp. Q_Bob = d_Bob x G) over a public channel. Alice * and Bob now both can compute the same point Q such that * Q = d_Alice x Q_Bob = d_Bob x Q_Alice, and the shared * secret 'x' is the first coordinate of the curve point Q. * External passive observers cannot compute 'x'. * * NOTE: We don't seek for communication bandwidth * optimization here, this is why we use arrays to * exchange affine coordinates points (and not * the compressed x coordinate since the * curve equation can be used). * * XXX NOTE: for a robust implementation of the ECDH * primitives, please use the APIs provided in src/ecdh * of libecc as they are suitable for "production". The * purpose of the current toy example is only to show how * one can manipulate the curve level APIs. * */ /* Zero buffer to detect empty buffers */ static u8 zero[2 * NN_MAX_BYTE_LEN] = { 0 }; /* * The following global variables simulate our shared "data bus" * where Alice and Bob exchange data. */ /* Global array holding Alice to Bob public value * Q_Alice = d_Alice x G. * This is a serialized affine EC point, holding * 2 coordinates, meaning that its maximum size is * 2 * NN_MAX_BYTE_LEN (i.e. this will work for * all our curves). */ static u8 Alice_to_Bob[2 * NN_MAX_BYTE_LEN] = { 0 }; /* Global array holding Bob to Alice public value * Q_Bob = d_Bob x G. * This is a serialized affine EC point, holding * 2 coordinates, meaning that its maximum size is * 2 * NN_MAX_BYTE_LEN. (i.e. this will work for * all our curves). */ static u8 Bob_to_Alice[2 * NN_MAX_BYTE_LEN] = { 0 }; static const u8 Alice[] = "Alice"; static const u8 Bob[] = "Bob"; #define CHECK_SIZE LOCAL_MIN(sizeof(Alice), sizeof(Bob)) ATTRIBUTE_WARN_UNUSED_RET int ECDH_helper(const u8 *curve_name, const u8 *role); int ECDH_helper(const u8 *curve_name, const u8 *role) { int ret, check1, check2; /* The projective point we will use */ prj_pt Q; /* The private scalar value for Alice and Bob, as well as their * respective shared secrets. * These are 'static' in order to keep them across multiple calls * of the function. */ static nn d_Alice, d_Bob; nn_t d = NULL; static fp x_Alice, x_Bob; fp_t x = NULL; const char *x_str; /* Pointers to the communication buffers */ u8 *our_public_buffer, *other_public_buffer; u32 len; const ec_str_params *the_curve_const_parameters; /* libecc internal structure holding the curve parameters */ ec_params curve_params; Q.magic = WORD(0); MUST_HAVE((curve_name != NULL) && (role != NULL), ret, err); /****** Alice => Bob *********************************************************/ ret = are_equal(role, Alice, CHECK_SIZE, &check1); EG(ret, err); ret = are_equal(role, Bob, CHECK_SIZE, &check2); EG(ret, err); if (check1) { our_public_buffer = Alice_to_Bob; other_public_buffer = Bob_to_Alice; d = &d_Alice; x = &x_Alice; x_str = " x_Alice"; } /****** Bob => Alice *********************************************************/ else if (check2) { our_public_buffer = Bob_to_Alice; other_public_buffer = Alice_to_Bob; d = &d_Bob; x = &x_Bob; x_str = " x_Bob "; } else { /* Unknown role, get out */ ext_printf(" Error: unknown role %s for ECDH\n", role); ret = -1; goto err; } /* Importing specific curve parameters from the constant static * buffers describing it: * It is possible to import a curve set of parameters by its name. */ ret = local_strnlen((const char *)curve_name, MAX_CURVE_NAME_LEN, &len); EG(ret, err); len += 1; MUST_HAVE((len < 256), ret, err); ret = ec_get_curve_params_by_name(curve_name, (u8)len, &the_curve_const_parameters); EG(ret, err); /* Get out if getting the parameters went wrong */ if (the_curve_const_parameters == NULL) { ext_printf(" Error: error when importing curve %s " "parameters ...\n", curve_name); ret = -1; goto err; } /* Now map the curve parameters to our libecc internal representation */ ret = import_params(&curve_params, the_curve_const_parameters); EG(ret, err); /* Initialize our projective point with the curve parameters */ ret = prj_pt_init(&Q, &(curve_params.ec_curve)); EG(ret, err); ret = are_equal(our_public_buffer, zero, sizeof(zero), &check1); EG(ret, err); if (!check1) { /* We have already generated and sent our parameters, skip to * the state where we wait for the other party to generate and * send us data. */ goto generate_shared_secret; } /* Generate our ECDH parameters: a private scalar d and a public value Q = dG where G is the * curve generator. * d = random mod (q) where q is the order of the generator G. */ ret = nn_init(d, 0); EG(ret, err); ret = nn_get_random_mod(d, &(curve_params.ec_gen_order)); EG(ret, err); /* Q = dG */ ret = prj_pt_mul(&Q, d, &(curve_params.ec_gen)); EG(ret, err); /* Now send the public value Q to the other party, get the other party * public value and compute the shared secret. * Our export size is exactly 2 coordinates in Fp (affine point representation), * so this should be 2 times the size of an element in Fp. */ ret = prj_pt_export_to_aff_buf(&Q, our_public_buffer, (u32)(2 * BYTECEIL(curve_params.ec_fp.p_bitlen))); EG(ret, err); generate_shared_secret: /* Now (non blocking) wait for the other party to send us its public value */ ret = are_equal(other_public_buffer, zero, sizeof(zero), &check1); EG(ret, err); if (check1) { /* Other party has not sent its public value yet! */ ret = 0; goto err; } /* If our private value d is not initialized, this means that we have already * done the job of computing the shared secret! */ if (nn_check_initialized(d)) { ret = 1; goto err; } /* Import the shared value as a projective point from an affine point buffer */ ret = prj_pt_import_from_aff_buf(&Q, other_public_buffer, (u16)(2 * BYTECEIL(curve_params.ec_fp.p_bitlen)), &(curve_params.ec_curve)); EG(ret, err); /* Compute the shared value = first coordinate of dQ */ ret = prj_pt_mul(&Q, d, &Q); EG(ret, err); /* Move to the unique representation */ /* Compute the affine coordinates to get the unique (x, y) representation * (projective points are equivalent by a z scalar) */ ret = prj_pt_unique(&Q, &Q); EG(ret, err); ext_printf(" ECDH shared secret computed by %s:\n", role); /* The shared secret 'x' is the first coordinate of Q */ ret = fp_init(x, &(curve_params.ec_fp)); EG(ret, err); ret = fp_copy(x, &(Q.X)); EG(ret, err); fp_print(x_str, x); ret = 1; /* Uninit local variables */ prj_pt_uninit(&Q); if(x != NULL){ fp_uninit(x); } if(d != NULL){ nn_uninit(d); } err: return ret; } #ifdef CURVE_ECDH int main(int argc, char *argv[]) { unsigned int i; u8 curve_name[MAX_CURVE_NAME_LEN] = { 0 }; int ret; FORCE_USED_VAR(argc); FORCE_USED_VAR(argv); /* Traverse all the possible curves we have at our disposal (known curves and * user defined curves). */ for (i = 0; i < EC_CURVES_NUM; i++) { ret = local_memset(Alice_to_Bob, 0, sizeof(Alice_to_Bob)); EG(ret, err); ret = local_memset(Bob_to_Alice, 0, sizeof(Bob_to_Alice)); EG(ret, err); /* All our possible curves are in ../curves/curves_list.h * We can get the curve name from its internal type. */ if(ec_get_curve_name_by_type(ec_maps[i].type, curve_name, sizeof(curve_name))){ ret = -1; ext_printf("Error: error when treating %s\n", curve_name); goto err; } /* Perform ECDH between Alice and Bob! */ ext_printf("[+] ECDH on curve %s\n", curve_name); if(ECDH_helper(curve_name, Alice) != 0){ ret = -1; ext_printf("Error: error in ECDH_helper\n"); goto err; } if(ECDH_helper(curve_name, Bob) != 1){ ret = -1; ext_printf("Error: error in ECDH_helper\n"); goto err; } /* We have to call our ECDH helper again for Alice * since she was waiting for Bob to send his public data. * This is our loose way of dealing with 'concurrency' * without threads ... */ if(ECDH_helper(curve_name, Alice) != 1){ ret = -1; ext_printf("Error: error in ECDH_helper\n"); goto err; } ext_printf("==================================\n"); } ret = 0; err: return ret; } #endif /* CURVE_ECDH */
