Merge branch '236-curve25519' into 'master'

Use Curve25519 for key agreement

Closes #236

See merge request akwizgran/briar!693

bramble-core/src/test/java/org/briarproject/bramble/crypto/EllipticCurveMultiplicationTest.java

@@ -13,11 +13,11 @@ import org.spongycastle.crypto.params.ECPrivateKeyParameters;
 import org.spongycastle.crypto.params.ECPublicKeyParameters;
 import org.spongycastle.math.ec.ECCurve;
 import org.spongycastle.math.ec.ECPoint;
+import org.spongycastle.math.ec.MontgomeryLadderMultiplier;
 
 import java.math.BigInteger;
 import java.security.SecureRandom;
 
-import static org.briarproject.bramble.crypto.EllipticCurveConstants.PARAMETERS;
 import static org.junit.Assert.assertEquals;
 
 public class EllipticCurveMultiplicationTest extends BrambleTestCase {
@@ -31,15 +31,11 @@ public class EllipticCurveMultiplicationTest extends BrambleTestCase {
 		ECPoint defaultG = defaultX9Parameters.getG();
 		BigInteger defaultN = defaultX9Parameters.getN();
 		BigInteger defaultH = defaultX9Parameters.getH();
-		// Check that the default parameters are equal to our parameters
-		assertEquals(PARAMETERS.getCurve(), defaultCurve);
-		assertEquals(PARAMETERS.getG(), defaultG);
-		assertEquals(PARAMETERS.getN(), defaultN);
-		assertEquals(PARAMETERS.getH(), defaultH);
-		// ECDomainParameters doesn't have an equals() method, but it's just a
-		// container for the parameters
 		ECDomainParameters defaultParameters = new ECDomainParameters(
 				defaultCurve, defaultG, defaultN, defaultH);
+		// Instantiate an implementation using the Montgomery ladder multiplier
+		ECDomainParameters montgomeryParameters =
+				constantTime(defaultParameters);
 		// Generate two key pairs with each set of parameters, using the same
 		// deterministic PRNG for both sets of parameters
 		byte[] seed = new byte[32];
@@ -47,7 +43,7 @@ public class EllipticCurveMultiplicationTest extends BrambleTestCase {
 		// Montgomery ladder multiplier
 		SecureRandom random = new PseudoSecureRandom(seed);
 		ECKeyGenerationParameters montgomeryGeneratorParams =
-				new ECKeyGenerationParameters(PARAMETERS, random);
+				new ECKeyGenerationParameters(montgomeryParameters, random);
 		ECKeyPairGenerator montgomeryGenerator = new ECKeyPairGenerator();
 		montgomeryGenerator.init(montgomeryGeneratorParams);
 		AsymmetricCipherKeyPair montgomeryKeyPair1 =
@@ -107,4 +103,13 @@ public class EllipticCurveMultiplicationTest extends BrambleTestCase {
 		assertEquals(sharedSecretMontgomeryMontgomery,
 				sharedSecretDefaultDefault);
 	}
+
+	private static ECDomainParameters constantTime(ECDomainParameters in) {
+		ECCurve curve = in.getCurve().configure().setMultiplier(
+				new MontgomeryLadderMultiplier()).create();
+		BigInteger x = in.getG().getAffineXCoord().toBigInteger();
+		BigInteger y = in.getG().getAffineYCoord().toBigInteger();
+		ECPoint g = curve.createPoint(x, y);
+		return new ECDomainParameters(curve, g, in.getN(), in.getH());
+	}
 }

bramble-core/src/test/java/org/briarproject/bramble/crypto/EllipticCurvePerformanceTest.java

@@ -1,17 +1,20 @@
 package org.briarproject.bramble.crypto;
 
+import net.i2p.crypto.eddsa.EdDSASecurityProvider;
+import net.i2p.crypto.eddsa.KeyPairGenerator;
+
 import org.spongycastle.asn1.sec.SECNamedCurves;
 import org.spongycastle.asn1.teletrust.TeleTrusTNamedCurves;
 import org.spongycastle.asn1.x9.X9ECParameters;
 import org.spongycastle.crypto.AsymmetricCipherKeyPair;
+import org.spongycastle.crypto.BasicAgreement;
 import org.spongycastle.crypto.Digest;
+import org.spongycastle.crypto.agreement.ECDHBasicAgreement;
 import org.spongycastle.crypto.agreement.ECDHCBasicAgreement;
 import org.spongycastle.crypto.digests.Blake2bDigest;
 import org.spongycastle.crypto.generators.ECKeyPairGenerator;
 import org.spongycastle.crypto.params.ECDomainParameters;
 import org.spongycastle.crypto.params.ECKeyGenerationParameters;
-import org.spongycastle.crypto.params.ECPrivateKeyParameters;
-import org.spongycastle.crypto.params.ECPublicKeyParameters;
 import org.spongycastle.crypto.params.ParametersWithRandom;
 import org.spongycastle.crypto.signers.DSADigestSigner;
 import org.spongycastle.crypto.signers.DSAKCalculator;
@@ -20,14 +23,22 @@ import org.spongycastle.crypto.signers.HMacDSAKCalculator;
 import org.spongycastle.math.ec.ECCurve;
 import org.spongycastle.math.ec.ECPoint;
 import org.spongycastle.math.ec.MontgomeryLadderMultiplier;
+import org.whispersystems.curve25519.Curve25519;
+import org.whispersystems.curve25519.Curve25519KeyPair;
 
 import java.math.BigInteger;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.Provider;
 import java.security.SecureRandom;
+import java.security.Signature;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
+import static net.i2p.crypto.eddsa.EdDSAEngine.SIGNATURE_ALGORITHM;
+
 // Not a JUnit test
 public class EllipticCurvePerformanceTest {
 
@@ -38,8 +49,9 @@ public class EllipticCurvePerformanceTest {
 			"secp256k1", "secp256r1", "secp384r1", "secp521r1");
 	private static final List<String> BRAINPOOL_NAMES = Arrays.asList(
 			"brainpoolp256r1", "brainpoolp384r1", "brainpoolp512r1");
+	private static final Provider ED_PROVIDER = new EdDSASecurityProvider();
 
-	public static void main(String[] args) {
+	public static void main(String[] args) throws GeneralSecurityException {
 		for (String name : SEC_NAMES) {
 			ECDomainParameters params =
 					convertParams(SECNamedCurves.getByName(name));
@@ -52,43 +64,31 @@ public class EllipticCurvePerformanceTest {
 			runTest(name + " default", params);
 			runTest(name + " constant", constantTime(params));
 		}
-		runTest("ours", EllipticCurveConstants.PARAMETERS);
+		runCurve25519Test();
+		runEd25519Test();
 	}
 
 	private static void runTest(String name, ECDomainParameters params) {
 		// Generate two key pairs using the given parameters
-		ECKeyGenerationParameters generatorParams =
-				new ECKeyGenerationParameters(params, random);
 		ECKeyPairGenerator generator = new ECKeyPairGenerator();
-		generator.init(generatorParams);
+		generator.init(new ECKeyGenerationParameters(params, random));
 		AsymmetricCipherKeyPair keyPair1 = generator.generateKeyPair();
-		ECPublicKeyParameters public1 =
-				(ECPublicKeyParameters) keyPair1.getPublic();
-		ECPrivateKeyParameters private1 =
-				(ECPrivateKeyParameters) keyPair1.getPrivate();
 		AsymmetricCipherKeyPair keyPair2 = generator.generateKeyPair();
-		ECPublicKeyParameters public2 =
-				(ECPublicKeyParameters) keyPair2.getPublic();
-		// Time some ECDH key agreements
-		List<Long> samples = new ArrayList<>();
-		for (int i = 0; i < SAMPLES; i++) {
-			ECDHCBasicAgreement agreement = new ECDHCBasicAgreement();
-			long start = System.nanoTime();
-			agreement.init(private1);
-			agreement.calculateAgreement(public2);
-			samples.add(System.nanoTime() - start);
-		}
-		long agreementMedian = median(samples);
+		// Time some ECDH and ECDHC key agreements
+		long agreementMedian = runAgreementTest(keyPair1, keyPair2, false);
+		long agreementWithCofactorMedian =
+				runAgreementTest(keyPair1, keyPair2, true);
 		// Time some signatures
+		List<Long> samples = new ArrayList<>();
 		List<byte[]> signatures = new ArrayList<>();
-		samples.clear();
 		for (int i = 0; i < SAMPLES; i++) {
 			Digest digest = new Blake2bDigest(256);
 			DSAKCalculator calculator = new HMacDSAKCalculator(digest);
 			DSADigestSigner signer = new DSADigestSigner(new ECDSASigner(
 					calculator), digest);
 			long start = System.nanoTime();
-			signer.init(true, new ParametersWithRandom(private1, random));
+			signer.init(true,
+					new ParametersWithRandom(keyPair1.getPrivate(), random));
 			signer.update(new byte[BYTES_TO_SIGN], 0, BYTES_TO_SIGN);
 			signatures.add(signer.generateSignature());
 			samples.add(System.nanoTime() - start);
@@ -102,17 +102,83 @@ public class EllipticCurvePerformanceTest {
 			DSADigestSigner signer = new DSADigestSigner(new ECDSASigner(
 					calculator), digest);
 			long start = System.nanoTime();
-			signer.init(false, public1);
+			signer.init(false, keyPair1.getPublic());
 			signer.update(new byte[BYTES_TO_SIGN], 0, BYTES_TO_SIGN);
 			if (!signer.verifySignature(signatures.get(i)))
 				throw new AssertionError();
 			samples.add(System.nanoTime() - start);
 		}
 		long verificationMedian = median(samples);
-		System.out.println(name + ": "
-				+ agreementMedian + " "
-				+ signatureMedian + " "
-				+ verificationMedian);
+		System.out.println(String.format("%s: %,d %,d %,d %,d", name,
+				agreementMedian, agreementWithCofactorMedian,
+				signatureMedian, verificationMedian));
+	}
+
+	private static long runAgreementTest(AsymmetricCipherKeyPair keyPair1,
+			AsymmetricCipherKeyPair keyPair2, boolean withCofactor) {
+		List<Long> samples = new ArrayList<>();
+		for (int i = 0; i < SAMPLES; i++) {
+			BasicAgreement agreement = createAgreement(withCofactor);
+			long start = System.nanoTime();
+			agreement.init(keyPair1.getPrivate());
+			agreement.calculateAgreement(keyPair2.getPublic());
+			samples.add(System.nanoTime() - start);
+		}
+		return median(samples);
+	}
+
+	private static BasicAgreement createAgreement(boolean withCofactor) {
+		if (withCofactor) return new ECDHCBasicAgreement();
+		else return new ECDHBasicAgreement();
+	}
+
+	private static void runCurve25519Test() {
+		Curve25519 curve25519 = Curve25519.getInstance("java");
+		Curve25519KeyPair keyPair1 = curve25519.generateKeyPair();
+		Curve25519KeyPair keyPair2 = curve25519.generateKeyPair();
+		// Time some key agreements
+		List<Long> samples = new ArrayList<>();
+		for (int i = 0; i < SAMPLES; i++) {
+			long start = System.nanoTime();
+			curve25519.calculateAgreement(keyPair1.getPublicKey(),
+					keyPair2.getPrivateKey());
+			samples.add(System.nanoTime() - start);
+		}
+		long agreementMedian = median(samples);
+		System.out.println(String.format("Curve25519: %,d - - -",
+				agreementMedian));
+	}
+
+	private static void runEd25519Test() throws GeneralSecurityException {
+		KeyPair keyPair = new KeyPairGenerator().generateKeyPair();
+		// Time some signatures
+		List<Long> samples = new ArrayList<>();
+		List<byte[]> signatures = new ArrayList<>();
+		for (int i = 0; i < SAMPLES; i++) {
+			Signature signature =
+					Signature.getInstance(SIGNATURE_ALGORITHM, ED_PROVIDER);
+			long start = System.nanoTime();
+			signature.initSign(keyPair.getPrivate(), random);
+			signature.update(new byte[BYTES_TO_SIGN], 0, BYTES_TO_SIGN);
+			signatures.add(signature.sign());
+			samples.add(System.nanoTime() - start);
+		}
+		long signatureMedian = median(samples);
+		// Time some signature verifications
+		samples.clear();
+		for (int i = 0; i < SAMPLES; i++) {
+			Signature signature =
+					Signature.getInstance(SIGNATURE_ALGORITHM, ED_PROVIDER);
+			long start = System.nanoTime();
+			signature.initVerify(keyPair.getPublic());
+			signature.update(new byte[BYTES_TO_SIGN], 0, BYTES_TO_SIGN);
+			if (!signature.verify(signatures.get(i)))
+				throw new AssertionError();
+			samples.add(System.nanoTime() - start);
+		}
+		long verificationMedian = median(samples);
+		System.out.println(String.format("Ed25519: - - %,d %,d",
+				signatureMedian, verificationMedian));
 	}
 
 	private static long median(List<Long> list) {

bramble-core/src/test/java/org/briarproject/bramble/crypto/KeyAgreementTest.java

@@ -2,33 +2,80 @@ package org.briarproject.bramble.crypto;
 
 import org.briarproject.bramble.api.crypto.CryptoComponent;
 import org.briarproject.bramble.api.crypto.KeyPair;
+import org.briarproject.bramble.api.crypto.PublicKey;
 import org.briarproject.bramble.api.crypto.SecretKey;
 import org.briarproject.bramble.test.BrambleTestCase;
 import org.briarproject.bramble.test.TestSecureRandomProvider;
 import org.junit.Test;
+import org.whispersystems.curve25519.Curve25519;
 
+import java.security.GeneralSecurityException;
 import java.util.Random;
 
 import static org.briarproject.bramble.api.keyagreement.KeyAgreementConstants.SHARED_SECRET_LABEL;
 import static org.briarproject.bramble.test.TestUtils.getRandomBytes;
+import static org.briarproject.bramble.util.StringUtils.fromHexString;
 import static org.junit.Assert.assertArrayEquals;
 
 public class KeyAgreementTest extends BrambleTestCase {
 
-	@Test
-	public void testDeriveSharedSecret() throws Exception {
-		CryptoComponent crypto =
-				new CryptoComponentImpl(new TestSecureRandomProvider(), null);
-		KeyPair aPair = crypto.generateAgreementKeyPair();
-		KeyPair bPair = crypto.generateAgreementKeyPair();
+	// Test vector from RFC 7748: Alice's private and public keys, Bob's
+	// private and public keys, and the shared secret
+	// https://tools.ietf.org/html/rfc7748#section-6.1
+	private static final String ALICE_PRIVATE =
+			"77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a";
+	private static final String ALICE_PUBLIC =
+			"8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a";
+	private static final String BOB_PRIVATE =
+			"5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb";
+	private static final String BOB_PUBLIC =
+			"de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f";
+	private static final String SHARED_SECRET =
+			"4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742";
+
+	private final CryptoComponent crypto =
+			new CryptoComponentImpl(new TestSecureRandomProvider(), null);
+	private final byte[][] inputs;
+
+	public KeyAgreementTest() {
 		Random random = new Random();
-		byte[][] inputs = new byte[random.nextInt(10) + 1][];
+		inputs = new byte[random.nextInt(10) + 1][];
 		for (int i = 0; i < inputs.length; i++)
 			inputs[i] = getRandomBytes(random.nextInt(256));
+	}
+
+	@Test
+	public void testDerivesSharedSecret() throws Exception {
+		KeyPair aPair = crypto.generateAgreementKeyPair();
+		KeyPair bPair = crypto.generateAgreementKeyPair();
 		SecretKey aShared = crypto.deriveSharedSecret(SHARED_SECRET_LABEL,
 				bPair.getPublic(), aPair, inputs);
 		SecretKey bShared = crypto.deriveSharedSecret(SHARED_SECRET_LABEL,
 				aPair.getPublic(), bPair, inputs);
 		assertArrayEquals(aShared.getBytes(), bShared.getBytes());
 	}
+
+	@Test(expected = GeneralSecurityException.class)
+	public void testRejectsInvalidPublicKey() throws Exception {
+		KeyPair keyPair = crypto.generateAgreementKeyPair();
+		PublicKey invalid = new Curve25519PublicKey(new byte[32]);
+		crypto.deriveSharedSecret(SHARED_SECRET_LABEL, invalid, keyPair,
+				inputs);
+	}
+
+	@Test
+	public void testRfc7748TestVector() throws Exception {
+		// Private keys need to be clamped because curve25519-java does the
+		// clamping at key generation time, not multiplication time
+		byte[] aPriv = Curve25519KeyParser.clamp(fromHexString(ALICE_PRIVATE));
+		byte[] aPub = fromHexString(ALICE_PUBLIC);
+		byte[] bPriv = Curve25519KeyParser.clamp(fromHexString(BOB_PRIVATE));
+		byte[] bPub = fromHexString(BOB_PUBLIC);
+		byte[] sharedSecret = fromHexString(SHARED_SECRET);
+		Curve25519 curve25519 = Curve25519.getInstance("java");
+		assertArrayEquals(sharedSecret,
+				curve25519.calculateAgreement(aPub, bPriv));
+		assertArrayEquals(sharedSecret,
+				curve25519.calculateAgreement(bPub, aPriv));
+	}
 }

bramble-core/src/test/java/org/briarproject/bramble/crypto/KeyEncodingAndParsingTest.java

@@ -26,7 +26,7 @@ public class KeyEncodingAndParsingTest extends BrambleTestCase {
 	public void testAgreementPublicKeyLength() throws Exception {
 		// Generate 10 agreement key pairs
 		for (int i = 0; i < 10; i++) {
-			KeyPair keyPair = crypto.generateSignatureKeyPair();
+			KeyPair keyPair = crypto.generateAgreementKeyPair();
 			// Check the length of the public key
 			byte[] publicKey = keyPair.getPublic().getEncoded();
 			assertTrue(publicKey.length <= MAX_AGREEMENT_PUBLIC_KEY_BYTES);