Downgrade to 256-bit curve for performance.

Also reduced hash function to 256 bits because our target security level
is now 128 bits.

briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java

@@ -3,7 +3,6 @@ package org.briarproject.crypto;
 import static java.util.logging.Level.INFO;
 import static org.briarproject.api.invitation.InvitationConstants.CODE_BITS;
 import static org.briarproject.api.transport.TransportConstants.TAG_LENGTH;
-import static org.briarproject.crypto.EllipticCurveConstants.P;
 import static org.briarproject.crypto.EllipticCurveConstants.PARAMETERS;
 import static org.briarproject.util.ByteUtils.MAX_32_BIT_UNSIGNED;
 
@@ -35,7 +34,7 @@ import org.spongycastle.crypto.CipherParameters;
 import org.spongycastle.crypto.Digest;
 import org.spongycastle.crypto.Mac;
 import org.spongycastle.crypto.agreement.ECDHCBasicAgreement;
-import org.spongycastle.crypto.digests.SHA384Digest;
+import org.spongycastle.crypto.digests.SHA256Digest;
 import org.spongycastle.crypto.engines.AESLightEngine;
 import org.spongycastle.crypto.generators.ECKeyPairGenerator;
 import org.spongycastle.crypto.generators.PKCS5S2ParametersGenerator;
@@ -51,8 +50,8 @@ class CryptoComponentImpl implements CryptoComponent {
 			Logger.getLogger(CryptoComponentImpl.class.getName());
 
 	private static final int CIPHER_KEY_BYTES = 32; // 256 bits
-	private static final int AGREEMENT_KEY_PAIR_BITS = 384;
-	private static final int SIGNATURE_KEY_PAIR_BITS = 384;
+	private static final int AGREEMENT_KEY_PAIR_BITS = 256;
+	private static final int SIGNATURE_KEY_PAIR_BITS = 256;
 	private static final int STORAGE_IV_BYTES = 16; // 128 bits
 	private static final int PBKDF_SALT_BYTES = 16; // 128 bits
 	private static final int PBKDF_TARGET_MILLIS = 500;
@@ -99,9 +98,9 @@ class CryptoComponentImpl implements CryptoComponent {
 		agreementKeyPairGenerator.init(params);
 		signatureKeyPairGenerator = new ECKeyPairGenerator();
 		signatureKeyPairGenerator.init(params);
-		agreementKeyParser = new Sec1KeyParser(PARAMETERS, P,
+		agreementKeyParser = new Sec1KeyParser(PARAMETERS,
 				AGREEMENT_KEY_PAIR_BITS);
-		signatureKeyParser = new Sec1KeyParser(PARAMETERS, P,
+		signatureKeyParser = new Sec1KeyParser(PARAMETERS,
 				SIGNATURE_KEY_PAIR_BITS);
 	}
 
@@ -112,7 +111,7 @@ class CryptoComponentImpl implements CryptoComponent {
 	}
 
 	public MessageDigest getMessageDigest() {
-		return new DoubleDigest(new SHA384Digest());
+		return new DoubleDigest(new SHA256Digest());
 	}
 
 	public PseudoRandom getPseudoRandom(int seed1, int seed2) {
@@ -405,7 +404,7 @@ class CryptoComponentImpl implements CryptoComponent {
 		if(label[label.length - 1] != '\0')
 			throw new IllegalArgumentException();
 		// Initialise the PRF
-		Mac prf = new HMac(new SHA384Digest());
+		Mac prf = new HMac(new SHA256Digest());
 		KeyParameter k = new KeyParameter(secret);
 		prf.init(k);
 		int macLength = prf.getMacSize();
@@ -426,7 +425,7 @@ class CryptoComponentImpl implements CryptoComponent {
 	// Password-based key derivation function - see PKCS#5 v2.1, section 5.2
 	private byte[] pbkdf2(String password, byte[] salt, int iterations) {
 		byte[] utf8 = StringUtils.toUtf8(password);
-		Digest digest = new SHA384Digest();
+		Digest digest = new SHA256Digest();
 		PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(digest);
 		gen.init(utf8, salt, iterations);
 		int keyLengthInBits = CIPHER_KEY_BYTES * 8;
@@ -468,7 +467,7 @@ class CryptoComponentImpl implements CryptoComponent {
 		byte[] salt = new byte[PBKDF_SALT_BYTES];
 		int keyLengthInBits = CIPHER_KEY_BYTES * 8;
 		long start = System.nanoTime();
-		Digest digest = new SHA384Digest();
+		Digest digest = new SHA256Digest();
 		PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(digest);
 		gen.init(password, salt, iterations);
 		gen.generateDerivedParameters(keyLengthInBits);

briar-core/src/org/briarproject/crypto/EllipticCurveConstants.java

@@ -2,68 +2,29 @@ package org.briarproject.crypto;
 
 import java.math.BigInteger;
 
+import org.spongycastle.asn1.teletrust.TeleTrusTNamedCurves;
+import org.spongycastle.asn1.x9.X9ECParameters;
 import org.spongycastle.crypto.params.ECDomainParameters;
 import org.spongycastle.math.ec.ECCurve;
+import org.spongycastle.math.ec.ECMultiplier;
 import org.spongycastle.math.ec.ECPoint;
 import org.spongycastle.math.ec.MontgomeryLadderMultiplier;
 
-/** Parameters for curve brainpoolP384r1 - see RFC 5639. */
-interface EllipticCurveConstants {
+/** Parameters for curve brainpoolp256r1 - see RFC 5639. */
+class EllipticCurveConstants {
 
-	/**
-	 * The prime specifying the finite field. (This is called p in RFC 5639 and
-	 * q in SEC 2.)
-	 */
-	BigInteger P = new BigInteger("8CB91E82" + "A3386D28" + "0F5D6F7E" +
-			"50E641DF" + "152F7109" + "ED5456B4" + "12B1DA19" + "7FB71123" +
-			"ACD3A729" + "901D1A71" + "87470013" + "3107EC53", 16);
+	static final ECDomainParameters PARAMETERS;
 
-	/**
-	 * A coefficient of the equation y^2 = x^3 + A*x + B defining the elliptic
-	 * curve. (This is called A in RFC 5639 and a in SEC 2.)
-	 */
-	BigInteger A = new BigInteger("7BC382C6" + "3D8C150C" + "3C72080A" +
-			"CE05AFA0" + "C2BEA28E" + "4FB22787" + "139165EF" + "BA91F90F" +
-			"8AA5814A" + "503AD4EB" + "04A8C7DD" + "22CE2826", 16);
-
-	/**
-	 * A coefficient of the equation y^2 = x^3 + A*x + B defining the elliptic
-	 * curve. (This is called B in RFC 5639 b in SEC 2.)
-	 */
-	BigInteger B = new BigInteger("04A8C7DD" + "22CE2826" + "8B39B554" +
-			"16F0447C" + "2FB77DE1" + "07DCD2A6" + "2E880EA5" + "3EEB62D5" +
-			"7CB43902" + "95DBC994" + "3AB78696" + "FA504C11", 16);
-
-	/**
-	 * The x co-ordinate of the base point G. (This is called x in RFC 5639 and
-	 * SEC 2.)
-	 */
-	BigInteger X = new BigInteger("1D1C64F0" + "68CF45FF" + "A2A63A81" +
-			"B7C13F6B" + "8847A3E7" + "7EF14FE3" + "DB7FCAFE" + "0CBD10E8" +
-			"E826E034" + "36D646AA" + "EF87B2E2" + "47D4AF1E", 16);
-
-	/**
-	 * The y co-ordinate of the base point G. (This is called y in RFC 5639 and
-	 * SEC 2.)
-	 */
-	BigInteger Y = new BigInteger("8ABE1D75" + "20F9C2A4" + "5CB1EB8E" +
-			"95CFD552" + "62B70B29" + "FEEC5864" + "E19C054F" + "F9912928" +
-			"0E464621" + "77918111" + "42820341" + "263C5315", 16);
-
-	/**
-	 * The order of the base point G. (This is called q in RFC 5639 and n in
-	 * SEC 2.)
-	 */
-	BigInteger Q = new BigInteger("8CB91E82" + "A3386D28" + "0F5D6F7E" +
-			"50E641DF" + "152F7109" + "ED5456B3" + "1F166E6C" + "AC0425A7" +
-			"CF3AB6AF" + "6B7FC310" + "3B883202" + "E9046565", 16);
-
-	/** The cofactor of G. (This is called h in RFC 5639 and SEC 2.) */
-	BigInteger H = BigInteger.ONE;
-
-	// Static parameter objects derived from the above parameters
-	ECCurve CURVE = new ECCurve.Fp(P, A, B).configure().setMultiplier(
-			new MontgomeryLadderMultiplier()).create();
-	ECPoint G = CURVE.createPoint(X, Y);
-	ECDomainParameters PARAMETERS = new ECDomainParameters(CURVE, G, Q, H);
+	static {
+		// Start with the default implementation of the curve
+		X9ECParameters x9 = TeleTrusTNamedCurves.getByName("brainpoolp256r1");
+		// Use a constant-time multiplier
+		ECMultiplier monty = new MontgomeryLadderMultiplier();
+		ECCurve curve = x9.getCurve().configure().setMultiplier(monty).create();
+		BigInteger gX = x9.getG().getAffineXCoord().toBigInteger();
+		BigInteger gY = x9.getG().getAffineYCoord().toBigInteger();
+		ECPoint g = curve.createPoint(gX, gY);
+		// Convert to ECDomainParameters using the new multiplier
+		PARAMETERS = new ECDomainParameters(curve, g, x9.getN(), x9.getH());
+	}
 }

briar-core/src/org/briarproject/crypto/Sec1KeyParser.java

@@ -29,10 +29,10 @@ class Sec1KeyParser implements KeyParser {
 	private final BigInteger modulus;
 	private final int keyBits, bytesPerInt, publicKeyBytes, privateKeyBytes;
 
-	Sec1KeyParser(ECDomainParameters params, BigInteger modulus, int keyBits) {
+	Sec1KeyParser(ECDomainParameters params, int keyBits) {
 		this.params = params;
-		this.modulus = modulus;
 		this.keyBits = keyBits;
+		modulus = ((ECCurve.Fp) params.getCurve()).getQ();
 		bytesPerInt = (keyBits + 7) / 8;
 		publicKeyBytes = 1 + 2 * bytesPerInt;
 		privateKeyBytes = bytesPerInt;

briar-core/src/org/briarproject/crypto/SignatureImpl.java

@@ -7,7 +7,7 @@ import org.briarproject.api.crypto.PrivateKey;
 import org.briarproject.api.crypto.PublicKey;
 import org.briarproject.api.crypto.Signature;
 import org.spongycastle.crypto.Digest;
-import org.spongycastle.crypto.digests.SHA384Digest;
+import org.spongycastle.crypto.digests.SHA256Digest;
 import org.spongycastle.crypto.params.ECPrivateKeyParameters;
 import org.spongycastle.crypto.params.ECPublicKeyParameters;
 import org.spongycastle.crypto.params.ParametersWithRandom;
@@ -23,7 +23,7 @@ class SignatureImpl implements Signature {
 
 	SignatureImpl(SecureRandom secureRandom) {
 		this.secureRandom = secureRandom;
-		Digest digest = new SHA384Digest();
+		Digest digest = new SHA256Digest();
 		DSAKCalculator calculator = new HMacDSAKCalculator(digest);
 		signer = new DSADigestSigner(new ECDSASigner(calculator), digest);
 	}

briar-core/src/org/briarproject/db/JdbcDatabase.java

@@ -62,8 +62,8 @@ import org.briarproject.api.transport.TemporarySecret;
  */
 abstract class JdbcDatabase implements Database<Connection> {
 
-	private static final int SCHEMA_VERSION = 7;
-	private static final int MIN_SCHEMA_VERSION = 7;
+	private static final int SCHEMA_VERSION = 8;
+	private static final int MIN_SCHEMA_VERSION = 8;
 
 	private static final String CREATE_SETTINGS =
 			"CREATE TABLE settings"