1 #include <stdlib.h>
2 #include <stdio.h>
3 #include <string.h>
4 #include "crypto_hash_sha512.h"
5 #include "keygen.h"
6 #include "curve_sigs.h"
7 #include "xeddsa.h"
8 #include "crypto_additions.h"
9 #include "ge.h"
10 #include "utility.h"
11 #include "gen_x.h"
12 #include "internal_slow_tests.h"
13 #include <assert.h>
14
15
16 #define ERROR(...) do {if (!silent) { printf(__VA_ARGS__); abort(); } else return -1; } while (0)
17 #define INFO(...) do {if (!silent) printf(__VA_ARGS__);} while (0)
18
19 #define TEST(msg, cond) \
20 do { \
21 if ((cond)) { \
22 INFO("%s good\n", msg); \
23 } \
24 else { \
25 ERROR("%s BAD!!!\n", msg); \
26 } \
27 } while (0)
28
29
30
curvesigs_slow_test(int silent,int iterations)31 int curvesigs_slow_test(int silent, int iterations)
32 {
33
34 unsigned char signature_10k_correct[64] = {
35 0xfc, 0xba, 0x55, 0xc4, 0x85, 0x4a, 0x42, 0x25,
36 0x19, 0xab, 0x08, 0x8d, 0xfe, 0xb5, 0x13, 0xb6,
37 0x0d, 0x24, 0xbb, 0x16, 0x27, 0x55, 0x71, 0x48,
38 0xdd, 0x20, 0xb1, 0xcd, 0x2a, 0xd6, 0x7e, 0x35,
39 0xef, 0x33, 0x4c, 0x7b, 0x6d, 0x94, 0x6f, 0x52,
40 0xec, 0x43, 0xd7, 0xe6, 0x35, 0x24, 0xcd, 0x5b,
41 0x5d, 0xdc, 0xb2, 0x32, 0xc6, 0x22, 0x53, 0xf3,
42 0x38, 0x02, 0xf8, 0x28, 0x28, 0xc5, 0x65, 0x05,
43 };
44
45 int count;
46 const int MSG_LEN = 200;
47 unsigned char privkey[32];
48 unsigned char pubkey[32];
49 unsigned char signature[64];
50 unsigned char msg[MSG_LEN];
51 unsigned char random[64];
52
53 memset(privkey, 0, 32);
54 memset(pubkey, 0, 32);
55 memset(signature, 0, 64);
56 memset(msg, 0, MSG_LEN);
57 memset(random, 0, 64);
58
59 /* Signature random test */
60 INFO("Pseudorandom curvesigs...\n");
61 for (count = 1; count <= iterations; count++) {
62 unsigned char b[64];
63 crypto_hash_sha512(b, signature, 64);
64 memmove(privkey, b, 32);
65 crypto_hash_sha512(b, privkey, 32);
66 memmove(random, b, 64);
67
68 sc_clamp(privkey);
69 curve25519_keygen(pubkey, privkey);
70
71 curve25519_sign(signature, privkey, msg, MSG_LEN, random);
72
73 if (curve25519_verify(signature, pubkey, msg, MSG_LEN) != 0)
74 ERROR("Curvesig verify failure #1 %d\n", count);
75
76 if (b[63] & 1)
77 signature[count % 64] ^= 1;
78 else
79 msg[count % MSG_LEN] ^= 1;
80 if (curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0)
81 ERROR("Curvesig verify failure #2 %d\n", count);
82
83 if (count == 10000) {
84 if (memcmp(signature, signature_10k_correct, 64) != 0)
85 ERROR("Curvesig signature 10K doesn't match %d\n", count);
86 }
87 if (count == 100000)
88 print_bytes("100K curvesigs", signature, 64);
89 if (count == 1000000)
90 print_bytes("1M curvesigs", signature, 64);
91 if (count == 10000000)
92 print_bytes("10M curvesigs", signature, 64);
93 }
94 INFO("good\n");
95 return 0;
96 }
97
xeddsa_slow_test(int silent,int iterations)98 int xeddsa_slow_test(int silent, int iterations)
99 {
100
101 unsigned char signature_10k_correct[64] = {
102 0x15, 0x29, 0x03, 0x38, 0x66, 0x16, 0xcd, 0x26,
103 0xbb, 0x3e, 0xec, 0xe2, 0x9f, 0x72, 0xa2, 0x5c,
104 0x7d, 0x05, 0xc9, 0xcb, 0x84, 0x3f, 0x92, 0x96,
105 0xb3, 0xfb, 0xb9, 0xdd, 0xd6, 0xed, 0x99, 0x04,
106 0xc1, 0xa8, 0x02, 0x16, 0xcf, 0x49, 0x3f, 0xf1,
107 0xbe, 0x69, 0xf9, 0xf1, 0xcc, 0x16, 0xd7, 0xdc,
108 0x6e, 0xd3, 0x78, 0xaa, 0x04, 0xeb, 0x71, 0x51,
109 0x9d, 0xe8, 0x7a, 0x5b, 0xd8, 0x49, 0x7b, 0x05,
110 };
111
112 int count;
113 const int MSG_LEN = 200;
114 unsigned char privkey[32];
115 unsigned char pubkey[32];
116 unsigned char signature[96];
117 unsigned char msg[MSG_LEN];
118 unsigned char random[64];
119
120 memset(privkey, 0, 32);
121 memset(pubkey, 0, 32);
122 memset(signature, 1, 64);
123 memset(msg, 0, MSG_LEN);
124 memset(random, 0, 64);
125
126 /* Signature random test */
127 INFO("Pseudorandom XEdDSA...\n");
128 for (count = 1; count <= iterations; count++) {
129 unsigned char b[64];
130 crypto_hash_sha512(b, signature, 64);
131 memmove(privkey, b, 32);
132 crypto_hash_sha512(b, privkey, 32);
133 memmove(random, b, 64);
134
135 sc_clamp(privkey);
136 curve25519_keygen(pubkey, privkey);
137
138 xed25519_sign(signature, privkey, msg, MSG_LEN, random);
139
140 if (xed25519_verify(signature, pubkey, msg, MSG_LEN) != 0)
141 ERROR("XEdDSA verify failure #1 %d\n", count);
142
143 if (b[63] & 1)
144 signature[count % 64] ^= 1;
145 else
146 msg[count % MSG_LEN] ^= 1;
147 if (xed25519_verify(signature, pubkey, msg, MSG_LEN) == 0)
148 ERROR("XEdDSA verify failure #2 %d\n", count);
149
150 if (count == 10000) {
151 if (memcmp(signature, signature_10k_correct, 64) != 0)
152 ERROR("XEDSA signature 10K doesn't match %d\n", count);
153 }
154 if (count == 100000)
155 print_bytes("100K XEdDSA", signature, 64);
156 if (count == 1000000)
157 print_bytes("1M XEdDSA", signature, 64);
158 if (count == 10000000)
159 print_bytes("10M XEdDSA", signature, 64);
160 }
161 INFO("good\n");
162 return 0;
163 }
164
xeddsa_to_curvesigs_slow_test(int silent,int iterations)165 int xeddsa_to_curvesigs_slow_test(int silent, int iterations)
166 {
167 unsigned char signature_10k_correct[64] = {
168 0x33, 0x50, 0xa8, 0x68, 0xcd, 0x9e, 0x74, 0x99,
169 0xa3, 0x5c, 0x33, 0x75, 0x2b, 0x22, 0x03, 0xf8,
170 0xb5, 0x0f, 0xea, 0x8c, 0x33, 0x1c, 0x68, 0x8b,
171 0xbb, 0xf3, 0x31, 0xcf, 0x7c, 0x42, 0x37, 0x35,
172 0xa0, 0x0e, 0x15, 0xb8, 0x5d, 0x2b, 0xe1, 0xa2,
173 0x03, 0x77, 0x94, 0x3d, 0x13, 0x5c, 0xd4, 0x9b,
174 0x6a, 0x31, 0xf4, 0xdc, 0xfe, 0x24, 0xad, 0x54,
175 0xeb, 0xd2, 0x98, 0x47, 0xf1, 0xcc, 0xbf, 0x0d
176
177 };
178
179 int count;
180 const int MSG_LEN = 200;
181 unsigned char privkey[32];
182 unsigned char pubkey[32];
183 unsigned char signature[96];
184 unsigned char msg[MSG_LEN];
185 unsigned char random[64];
186
187 memset(privkey, 0, 32);
188 memset(pubkey, 0, 32);
189 memset(signature, 2, 64);
190 memset(msg, 0, MSG_LEN);
191 memset(random, 0, 64);
192
193 /* Signature random test */
194 INFO("Pseudorandom XEdDSA/Curvesigs...\n");
195 for (count = 1; count <= iterations; count++) {
196 unsigned char b[64];
197 crypto_hash_sha512(b, signature, 64);
198 memmove(privkey, b, 32);
199 crypto_hash_sha512(b, privkey, 32);
200 memmove(random, b, 64);
201
202 sc_clamp(privkey);
203 curve25519_keygen(pubkey, privkey);
204
205 xed25519_sign(signature, privkey, msg, MSG_LEN, random);
206
207 if (curve25519_verify(signature, pubkey, msg, MSG_LEN) != 0)
208 ERROR("XEdDSA/Curvesigs verify failure #1 %d\n", count);
209
210 if (b[63] & 1)
211 signature[count % 64] ^= 1;
212 else
213 msg[count % MSG_LEN] ^= 1;
214 if (curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0)
215 ERROR("XEdDSA/Curvesigs verify failure #2 %d\n", count);
216
217 if (count == 10000) {
218 if (memcmp(signature, signature_10k_correct, 64) != 0)
219 ERROR("XEdDSA/Curvesigs signature 10K doesn't match %d\n", count);
220 }
221 if (count == 100000)
222 print_bytes("100K XEdDSA/C", signature, 64);
223 if (count == 1000000)
224 print_bytes("1M XEdDSA/C", signature, 64);
225 if (count == 10000000)
226 print_bytes("10M XEdDSA/C", signature, 64);
227 }
228 INFO("good\n");
229 return 0;
230 }
231
generalized_xveddsa_slow_test(int silent,int iterations)232 int generalized_xveddsa_slow_test(int silent, int iterations)
233 {
234 unsigned char signature_10k_correct[96] = {
235 0x89, 0x21, 0xf5, 0x2f, 0x37, 0x72, 0x08, 0x55,
236 0x18, 0x9d, 0x24, 0xed, 0x86, 0xb1, 0x7a, 0x02,
237 0xbf, 0x29, 0x5e, 0xa7, 0x45, 0xdc, 0x80, 0x03,
238 0x7f, 0x4f, 0xca, 0x79, 0xe0, 0x95, 0xd0, 0xa1,
239 0xb5, 0x99, 0xbe, 0xbd, 0xef, 0xbe, 0xa4, 0xdc,
240 0x0c, 0x07, 0x6a, 0xf7, 0x7f, 0xe1, 0x1c, 0xb8,
241 0x18, 0x84, 0xb8, 0xb4, 0xcf, 0x38, 0x7d, 0x98,
242 0x37, 0xd8, 0x40, 0x23, 0x42, 0x12, 0x70, 0x06,
243 0xb0, 0xd1, 0x0c, 0xc0, 0x1c, 0xa6, 0x9a, 0x2f,
244 0xb4, 0x02, 0xd6, 0x37, 0x22, 0xe9, 0xfb, 0x00,
245 0x22, 0x02, 0x5a, 0xf4, 0x40, 0x43, 0xb8, 0xe9,
246 0xf4, 0x13, 0x44, 0x16, 0x19, 0x8d, 0x7e, 0x02,
247 };
248 unsigned char signature_100k_correct[96] = {
249 0xc4, 0x99, 0x64, 0x1f, 0x94, 0x95, 0xf4, 0x57,
250 0xa0, 0xb9, 0x3d, 0xc3, 0xb5, 0x2e, 0x1e, 0xdd,
251 0x92, 0xf2, 0x4c, 0xb2, 0x01, 0x36, 0x3d, 0xf2,
252 0xea, 0x2c, 0xdc, 0x32, 0x21, 0x5f, 0xc5, 0xd2,
253 0xff, 0x16, 0x41, 0x71, 0x3a, 0x77, 0x79, 0xeb,
254 0x67, 0x20, 0xc4, 0xec, 0x39, 0xe1, 0x54, 0x2d,
255 0x40, 0x10, 0xf9, 0xca, 0xc5, 0x21, 0x0a, 0x47,
256 0x63, 0x99, 0x23, 0x04, 0x9d, 0x03, 0x1a, 0x06,
257 0x00, 0xb9, 0x56, 0x7e, 0xef, 0xee, 0x0b, 0x40,
258 0x59, 0xc1, 0x86, 0xd9, 0xa7, 0x87, 0x70, 0xec,
259 0x05, 0x89, 0xbe, 0x71, 0x43, 0xd1, 0xf5, 0x61,
260 0x5e, 0x00, 0x41, 0xde, 0x1f, 0x41, 0x2d, 0x0e,
261 };
262
263
264 /*
265 unsigned char signature_1m_correct[96] = {
266 0xf8, 0xb1, 0x20, 0xf2, 0x1e, 0x5c, 0xbf, 0x5f,
267 0xea, 0x07, 0xcb, 0xb5, 0x77, 0xb8, 0x03, 0xbc,
268 0xcb, 0x6d, 0xf1, 0xc1, 0xa5, 0x03, 0x05, 0x7b,
269 0x01, 0x63, 0x9b, 0xf9, 0xed, 0x3e, 0x57, 0x47,
270 0xd2, 0x5b, 0xf4, 0x7e, 0x7c, 0x45, 0xce, 0xfc,
271 0x06, 0xb3, 0xf4, 0x05, 0x81, 0x9f, 0x53, 0xb0,
272 0x18, 0xe3, 0xfa, 0xcb, 0xb2, 0x52, 0x3e, 0x57,
273 0xcb, 0x34, 0xcc, 0x81, 0x60, 0xb9, 0x0b, 0x04,
274 0x07, 0x79, 0xc0, 0x53, 0xad, 0xc4, 0x4b, 0xd0,
275 0xb5, 0x7d, 0x95, 0x4e, 0xbe, 0xa5, 0x75, 0x0c,
276 0xd4, 0xbf, 0xa7, 0xc0, 0xcf, 0xba, 0xe7, 0x7c,
277 0xe2, 0x90, 0xef, 0x61, 0xa9, 0x29, 0x66, 0x0d,
278 };
279
280 unsigned char signature_10m_correct[96] = {
281 0xf5, 0xa4, 0xbc, 0xec, 0xc3, 0x3d, 0xd0, 0x43,
282 0xd2, 0x81, 0x27, 0x9e, 0xf0, 0x4c, 0xbe, 0xf3,
283 0x77, 0x01, 0x56, 0x41, 0x0e, 0xff, 0x0c, 0xb9,
284 0x66, 0xec, 0x4d, 0xe0, 0xb7, 0x25, 0x63, 0x6b,
285 0x5c, 0x08, 0x39, 0x80, 0x4e, 0x37, 0x1b, 0x2c,
286 0x46, 0x6f, 0x86, 0x99, 0x1c, 0x4e, 0x31, 0x60,
287 0xdb, 0x4c, 0xfe, 0xc5, 0xa2, 0x4d, 0x71, 0x2b,
288 0xd6, 0xd0, 0xc3, 0x98, 0x88, 0xdb, 0x0e, 0x0c,
289 0x68, 0x4a, 0xd3, 0xc7, 0x56, 0xac, 0x8d, 0x95,
290 0x7b, 0xbd, 0x99, 0x50, 0xe8, 0xd3, 0xea, 0xf3,
291 0x7b, 0x26, 0xf2, 0xa2, 0x2b, 0x02, 0x58, 0xca,
292 0xbd, 0x2c, 0x2b, 0xf7, 0x77, 0x58, 0xfe, 0x09,
293 };
294 */
295
296 int count;
297 const int MSG_LEN = 200;
298 unsigned char privkey[32];
299 unsigned char pubkey[32];
300 unsigned char signature[96];
301 unsigned char msg[MSG_LEN];
302 unsigned char random[64];
303 unsigned char vrf_out[32];
304
305 memset(privkey, 0, 32);
306 memset(pubkey, 0, 32);
307 memset(signature, 3, 96);
308 memset(msg, 0, MSG_LEN);
309 memset(random, 0, 64);
310
311 INFO("Pseudorandom XVEdDSA...\n");
312 for (count = 1; count <= iterations; count++) {
313 unsigned char b[64];
314 crypto_hash_sha512(b, signature, 96);
315 memmove(privkey, b, 32);
316 crypto_hash_sha512(b, privkey, 32);
317 memmove(random, b, 64);
318
319 sc_clamp(privkey);
320 curve25519_keygen(pubkey, privkey);
321
322 generalized_xveddsa_25519_sign(signature, privkey, msg, MSG_LEN, random, NULL, 0);
323
324 if (generalized_xveddsa_25519_verify(vrf_out, signature, pubkey, msg, MSG_LEN, NULL, 0) != 0)
325 ERROR("XVEdDSA verify failure #1 %d\n", count);
326
327 if (b[63] & 1)
328 signature[count % 96] ^= 1;
329 else
330 msg[count % MSG_LEN] ^= 1;
331
332 if (generalized_xveddsa_25519_verify(vrf_out, signature, pubkey, msg, MSG_LEN, NULL, 0) == 0)
333 ERROR("XVEdDSA verify failure #2 %d\n", count);
334
335 if (count == 10000)
336 print_bytes("10K XVEdDSA", signature, 96);
337 if (count == 100000)
338 print_bytes("100K XVEdDSA", signature, 96);
339 if (count == 1000000)
340 print_bytes("1M XVEdDSA", signature, 96);
341 if (count == 10000000)
342 print_bytes("10M XVEdDSA", signature, 96);
343 if (count == 100000000)
344 print_bytes("100M XVEdDSA", signature, 96);
345
346 if (count == 10000) {
347 if (memcmp(signature, signature_10k_correct, 96) != 0)
348 ERROR("XVEDDSA 10K doesn't match %d\n", count);
349 }
350 if (count == 100000) {
351 if (memcmp(signature, signature_100k_correct, 96) != 0)
352 ERROR("XVEDDSA 100K doesn't match %d\n", count);
353 }
354 /*
355 if (count == 1000000) {
356 if (memcmp(signature, signature_1m_correct, 96) != 0)
357 ERROR("XVEDDSA 1m doesn't match %d\n", count);
358 }
359 if (count == 10000000) {
360 if (memcmp(signature, signature_10m_correct, 96) != 0)
361 ERROR("XVEDDSA 10m doesn't match %d\n", count);
362 }
363 if (count == 100000000) {
364 if (memcmp(signature, signature_100m_correct, 96) != 0)
365 ERROR("XVEDDSA 100m doesn't match %d\n", count);
366 }
367 */
368 }
369 INFO("good\n");
370 return 0;
371 }
372