commit a1d5d9726e3653f58035c76420582059b0c86d13 Author: Damian Johnson atagar@torproject.org Date: Fri Nov 22 13:22:50 2019 -0800
Faster ed25519 blinding
Thanks to Paul ed25519 blinding is now fully two orders of magnitude faster!
https://github.com/pyca/cryptography/issues/5068
Replaced slow_ed25519.py with an optimized implementation from...
https://github.com/pyca/ed25519/
This changes the runtime of test_blinding as follows:
Python 2.7: 2.25s => 20 ms Python 3.5: 1.83s => 19 ms --- stem/descriptor/hidden_service.py | 44 ++--- stem/util/ed25519.py | 311 ++++++++++++++++++++++++++++++ stem/util/slow_ed25519.py | 171 ---------------- stem/util/test_tools.py | 11 ++ test/settings.cfg | 4 +- test/unit/descriptor/hidden_service_v3.py | 4 +- 6 files changed, 347 insertions(+), 198 deletions(-)
diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index 94edeba4..ea1ae739 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -51,7 +51,6 @@ import stem.util.tor_tools
from stem.client.datatype import CertType from stem.descriptor.certificate import ExtensionType, Ed25519Extension, Ed25519Certificate, Ed25519CertificateV1 -from stem.util import slow_ed25519
from stem.descriptor import ( PGP_BLOCK_END, @@ -917,10 +916,8 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): Construction through this method can supply any or none of these, with omitted parameters populated with randomized defaults.
- `Ed25519 key blinding takes several seconds - https://github.com/pyca/cryptography/issues/5068`_, and as such is - disabled if a **blinding_nonce** is not provided. To blind with a random - nonce simply call... + Ed25519 key blinding adds an additional ~20 ms, and as such is disabled by + default. To blind with a random nonce simply call...
::
@@ -1302,13 +1299,16 @@ class InnerLayer(Descriptor):
def _blinded_pubkey(identity_key, blinding_nonce): - mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(blinding_nonce, i) for i in range(3, slow_ed25519.b - 2)) - P = slow_ed25519.decodepoint(stem.util._pubkey_bytes(identity_key)) - return slow_ed25519.encodepoint(slow_ed25519.scalarmult(P, mult)) + from stem.util import ed25519 + + mult = 2 ** (ed25519.b - 2) + sum(2 ** i * ed25519.bit(blinding_nonce, i) for i in range(3, ed25519.b - 2)) + P = ed25519.decodepoint(stem.util._pubkey_bytes(identity_key)) + return ed25519.encodepoint(ed25519.scalarmult(P, mult))
def _blinded_sign(msg, identity_key, blinded_key, blinding_nonce): from cryptography.hazmat.primitives import serialization + from stem.util import ed25519
identity_key_bytes = identity_key.private_bytes( encoding = serialization.Encoding.Raw, @@ -1318,28 +1318,28 @@ def _blinded_sign(msg, identity_key, blinded_key, blinding_nonce):
# pad private identity key into an ESK (encrypted secret key)
- h = slow_ed25519.H(identity_key_bytes) - a = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(h, i) for i in range(3, slow_ed25519.b - 2)) - k = b''.join([h[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)]) - esk = slow_ed25519.encodeint(a) + k + h = ed25519.H(identity_key_bytes) + a = 2 ** (ed25519.b - 2) + sum(2 ** i * ed25519.bit(h, i) for i in range(3, ed25519.b - 2)) + k = b''.join([h[i:i + 1] for i in range(ed25519.b // 8, ed25519.b // 4)]) + esk = ed25519.encodeint(a) + k
# blind the ESK with this nonce
- mult = 2 ** (slow_ed25519.b - 2) + sum(2 ** i * slow_ed25519.bit(blinding_nonce, i) for i in range(3, slow_ed25519.b - 2)) - s = slow_ed25519.decodeint(esk[:32]) - s_prime = (s * mult) % slow_ed25519.l + mult = 2 ** (ed25519.b - 2) + sum(2 ** i * ed25519.bit(blinding_nonce, i) for i in range(3, ed25519.b - 2)) + s = ed25519.decodeint(esk[:32]) + s_prime = (s * mult) % ed25519.l k = esk[32:] - k_prime = slow_ed25519.H(b'Derive temporary signing key hash input' + k)[:32] - blinded_esk = slow_ed25519.encodeint(s_prime) + k_prime + k_prime = ed25519.H(b'Derive temporary signing key hash input' + k)[:32] + blinded_esk = ed25519.encodeint(s_prime) + k_prime
# finally, sign the message
- a = slow_ed25519.decodeint(blinded_esk[:32]) - r = slow_ed25519.Hint(b''.join([blinded_esk[i:i + 1] for i in range(slow_ed25519.b // 8, slow_ed25519.b // 4)]) + msg) - R = slow_ed25519.scalarmult(slow_ed25519.B, r) - S = (r + slow_ed25519.Hint(slow_ed25519.encodepoint(R) + blinded_key + msg) * a) % slow_ed25519.l + a = ed25519.decodeint(blinded_esk[:32]) + r = ed25519.Hint(b''.join([blinded_esk[i:i + 1] for i in range(ed25519.b // 8, ed25519.b // 4)]) + msg) + R = ed25519.scalarmult(ed25519.B, r) + S = (r + ed25519.Hint(ed25519.encodepoint(R) + blinded_key + msg) * a) % ed25519.l
- return slow_ed25519.encodepoint(R) + slow_ed25519.encodeint(S) + return ed25519.encodepoint(R) + ed25519.encodeint(S)
# TODO: drop this alias in stem 2.x diff --git a/stem/util/ed25519.py b/stem/util/ed25519.py new file mode 100644 index 00000000..67b2db3c --- /dev/null +++ b/stem/util/ed25519.py @@ -0,0 +1,311 @@ +# The following is copied from... +# +# https://github.com/pyca/ed25519 +# +# This is under the CC0 license. For more information please see... +# +# https://github.com/pyca/cryptography/issues/5068 + + +# ed25519.py - Optimized version of the reference implementation of Ed25519 +# +# Written in 2011? by Daniel J. Bernstein djb@cr.yp.to +# 2013 by Donald Stufft donald@stufft.io +# 2013 by Alex Gaynor alex.gaynor@gmail.com +# 2013 by Greg Price price@mit.edu +# +# To the extent possible under law, the author(s) have dedicated all copyright +# and related and neighboring rights to this software to the public domain +# worldwide. This software is distributed without any warranty. +# +# You should have received a copy of the CC0 Public Domain Dedication along +# with this software. If not, see +# http://creativecommons.org/publicdomain/zero/1.0/. + +""" +NB: This code is not safe for use with secret keys or secret data. +The only safe use of this code is for verifying signatures on public messages. + +Functions for computing the public key of a secret key and for signing +a message are included, namely publickey_unsafe and signature_unsafe, +for testing purposes only. + +The root of the problem is that Python's long-integer arithmetic is +not designed for use in cryptography. Specifically, it may take more +or less time to execute an operation depending on the values of the +inputs, and its memory access patterns may also depend on the inputs. +This opens it to timing and cache side-channel attacks which can +disclose data to an attacker. We rely on Python's long-integer +arithmetic, so we cannot handle secrets without risking their disclosure. +""" + +import hashlib +import operator +import sys + + +__version__ = "1.0.dev0" + + +# Useful for very coarse version differentiation. +PY3 = sys.version_info[0] == 3 + +if PY3: + indexbytes = operator.getitem + intlist2bytes = bytes + int2byte = operator.methodcaller("to_bytes", 1, "big") +else: + int2byte = chr + range = xrange + + def indexbytes(buf, i): + return ord(buf[i]) + + def intlist2bytes(l): + return b"".join(chr(c) for c in l) + + +b = 256 +q = 2 ** 255 - 19 +l = 2 ** 252 + 27742317777372353535851937790883648493 + + +def H(m): + return hashlib.sha512(m).digest() + + +def pow2(x, p): + """== pow(x, 2**p, q)""" + while p > 0: + x = x * x % q + p -= 1 + return x + + +def inv(z): + """$= z^{-1} \mod q$, for z != 0""" + # Adapted from curve25519_athlon.c in djb's Curve25519. + z2 = z * z % q # 2 + z9 = pow2(z2, 2) * z % q # 9 + z11 = z9 * z2 % q # 11 + z2_5_0 = (z11 * z11) % q * z9 % q # 31 == 2^5 - 2^0 + z2_10_0 = pow2(z2_5_0, 5) * z2_5_0 % q # 2^10 - 2^0 + z2_20_0 = pow2(z2_10_0, 10) * z2_10_0 % q # ... + z2_40_0 = pow2(z2_20_0, 20) * z2_20_0 % q + z2_50_0 = pow2(z2_40_0, 10) * z2_10_0 % q + z2_100_0 = pow2(z2_50_0, 50) * z2_50_0 % q + z2_200_0 = pow2(z2_100_0, 100) * z2_100_0 % q + z2_250_0 = pow2(z2_200_0, 50) * z2_50_0 % q # 2^250 - 2^0 + return pow2(z2_250_0, 5) * z11 % q # 2^255 - 2^5 + 11 = q - 2 + + +d = -121665 * inv(121666) % q +I = pow(2, (q - 1) // 4, q) + + +def xrecover(y): + xx = (y * y - 1) * inv(d * y * y + 1) + x = pow(xx, (q + 3) // 8, q) + + if (x * x - xx) % q != 0: + x = (x * I) % q + + if x % 2 != 0: + x = q-x + + return x + + +By = 4 * inv(5) +Bx = xrecover(By) +B = (Bx % q, By % q, 1, (Bx * By) % q) +ident = (0, 1, 1, 0) + + +def edwards_add(P, Q): + # This is formula sequence 'addition-add-2008-hwcd-3' from + # http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html + (x1, y1, z1, t1) = P + (x2, y2, z2, t2) = Q + + a = (y1-x1)*(y2-x2) % q + b = (y1+x1)*(y2+x2) % q + c = t1*2*d*t2 % q + dd = z1*2*z2 % q + e = b - a + f = dd - c + g = dd + c + h = b + a + x3 = e*f + y3 = g*h + t3 = e*h + z3 = f*g + + return (x3 % q, y3 % q, z3 % q, t3 % q) + + +def edwards_double(P): + # This is formula sequence 'dbl-2008-hwcd' from + # http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html + (x1, y1, z1, t1) = P + + a = x1*x1 % q + b = y1*y1 % q + c = 2*z1*z1 % q + # dd = -a + e = ((x1+y1)*(x1+y1) - a - b) % q + g = -a + b # dd + b + f = g - c + h = -a - b # dd - b + x3 = e*f + y3 = g*h + t3 = e*h + z3 = f*g + + return (x3 % q, y3 % q, z3 % q, t3 % q) + + +def scalarmult(P, e): + if e == 0: + return ident + Q = scalarmult(P, e // 2) + Q = edwards_double(Q) + if e & 1: + Q = edwards_add(Q, P) + return Q + + +# Bpow[i] == scalarmult(B, 2**i) +Bpow = [] + + +def make_Bpow(): + P = B + for i in range(253): + Bpow.append(P) + P = edwards_double(P) +make_Bpow() + + +def scalarmult_B(e): + """ + Implements scalarmult(B, e) more efficiently. + """ + # scalarmult(B, l) is the identity + e = e % l + P = ident + for i in range(253): + if e & 1: + P = edwards_add(P, Bpow[i]) + e = e // 2 + assert e == 0, e + return P + + +def encodeint(y): + bits = [(y >> i) & 1 for i in range(b)] + return b''.join([ + int2byte(sum([bits[i * 8 + j] << j for j in range(8)])) + for i in range(b//8) + ]) + + +def encodepoint(P): + (x, y, z, t) = P + zi = inv(z) + x = (x * zi) % q + y = (y * zi) % q + bits = [(y >> i) & 1 for i in range(b - 1)] + [x & 1] + return b''.join([ + int2byte(sum([bits[i * 8 + j] << j for j in range(8)])) + for i in range(b // 8) + ]) + + +def bit(h, i): + return (indexbytes(h, i // 8) >> (i % 8)) & 1 + + +def publickey_unsafe(sk): + """ + Not safe to use with secret keys or secret data. + + See module docstring. This function should be used for testing only. + """ + h = H(sk) + a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2)) + A = scalarmult_B(a) + return encodepoint(A) + + +def Hint(m): + h = H(m) + return sum(2 ** i * bit(h, i) for i in range(2 * b)) + + +def signature_unsafe(m, sk, pk): + """ + Not safe to use with secret keys or secret data. + + See module docstring. This function should be used for testing only. + """ + h = H(sk) + a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2)) + r = Hint( + intlist2bytes([indexbytes(h, j) for j in range(b // 8, b // 4)]) + m + ) + R = scalarmult_B(r) + S = (r + Hint(encodepoint(R) + pk + m) * a) % l + return encodepoint(R) + encodeint(S) + + +def isoncurve(P): + (x, y, z, t) = P + return (z % q != 0 and + x*y % q == z*t % q and + (y*y - x*x - z*z - d*t*t) % q == 0) + + +def decodeint(s): + return sum(2 ** i * bit(s, i) for i in range(0, b)) + + +def decodepoint(s): + y = sum(2 ** i * bit(s, i) for i in range(0, b - 1)) + x = xrecover(y) + if x & 1 != bit(s, b-1): + x = q - x + P = (x, y, 1, (x*y) % q) + if not isoncurve(P): + raise ValueError("decoding point that is not on curve") + return P + + +class SignatureMismatch(Exception): + pass + + +def checkvalid(s, m, pk): + """ + Not safe to use when any argument is secret. + + See module docstring. This function should be used only for + verifying public signatures of public messages. + """ + if len(s) != b // 4: + raise ValueError("signature length is wrong") + + if len(pk) != b // 8: + raise ValueError("public-key length is wrong") + + R = decodepoint(s[:b // 8]) + A = decodepoint(pk) + S = decodeint(s[b // 8:b // 4]) + h = Hint(encodepoint(R) + pk + m) + + (x1, y1, z1, t1) = P = scalarmult_B(S) + (x2, y2, z2, t2) = Q = edwards_add(R, scalarmult(A, h)) + + if (not isoncurve(P) or not isoncurve(Q) or + (x1*z2 - x2*z1) % q != 0 or (y1*z2 - y2*z1) % q != 0): + raise SignatureMismatch("signature does not pass verification") diff --git a/stem/util/slow_ed25519.py b/stem/util/slow_ed25519.py deleted file mode 100644 index b23bf57c..00000000 --- a/stem/util/slow_ed25519.py +++ /dev/null @@ -1,171 +0,0 @@ -# Public domain ed25519 implementation from... -# -# http://ed25519.cr.yp.to/python/ed25519.py -# -# It isn't constant-time. Don't use it except for testing. Also, see -# warnings about how very slow it is. Only use this for generating -# test vectors, I'd suggest. -# -# Cryptography replacement of this is pending... -# -# https://github.com/pyca/cryptography/issues/5068 - -import hashlib -import stem.prereq - -b = 256 -q = 2 ** 255 - 19 -l = 2 ** 252 + 27742317777372353535851937790883648493 - - -def int_to_byte(val): - """ - Convert an integer to its byte value in an interpreter agnostic way. - """ - - return bytes([val]) if stem.prereq.is_python_3() else chr(val) - - -def H(m): - return hashlib.sha512(m).digest() - - -def expmod(b, e, m): - if e == 0: - return 1 - - t = expmod(b, e // 2, m) ** 2 % m - - if e & 1: - t = (t * b) % m - - return t - - -def inv(x): - return expmod(x, q - 2, q) - - -d = -121665 * inv(121666) -I = expmod(2, (q - 1) // 4, q) - - -def xrecover(y): - xx = (y * y - 1) * inv(d * y * y + 1) - x = expmod(xx, (q + 3) // 8, q) - - if (x * x - xx) % q != 0: - x = (x * I) % q - - if x % 2 != 0: - x = q - x - - return x - - -By = 4 * inv(5) -Bx = xrecover(By) -B = [Bx % q, By % q] - - -def edwards(P, Q): - x1 = P[0] - y1 = P[1] - x2 = Q[0] - y2 = Q[1] - x3 = (x1 * y2 + x2 * y1) * inv(1 + d * x1 * x2 * y1 * y2) - y3 = (y1 * y2 + x1 * x2) * inv(1 - d * x1 * x2 * y1 * y2) - return [x3 % q, y3 % q] - - -def scalarmult(P, e): - if e == 0: - return [0, 1] - - Q = scalarmult(P, e // 2) - Q = edwards(Q, Q) - - if e & 1: - Q = edwards(Q, P) - - return Q - - -def encodeint(y): - bits = [(y >> i) & 1 for i in range(b)] - return b''.join([int_to_byte(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b // 8)]) - - -def encodepoint(P): - x = P[0] - y = P[1] - bits = [(y >> i) & 1 for i in range(b - 1)] + [x & 1] - - return b''.join([int_to_byte(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b // 8)]) - - -def bit(h, i): - return (ord(h[i // 8:i // 8 + 1]) >> (i % 8)) & 1 - - -def publickey(sk): - h = H(sk) - a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2)) - A = scalarmult(B, a) - - return encodepoint(A) - - -def Hint(m): - h = H(m) - return sum(2 ** i * bit(h, i) for i in range(2 * b)) - - -def signature(m, sk, pk): - h = H(sk) - a = 2 ** (b - 2) + sum(2 ** i * bit(h, i) for i in range(3, b - 2)) - r = Hint(b''.join([h[i:i + 1] for i in range(b // 8, b // 4)]) + m) - R = scalarmult(B, r) - S = (r + Hint(encodepoint(R) + pk + m) * a) % l - return encodepoint(R) + encodeint(S) - - -def isoncurve(P): - x = P[0] - y = P[1] - return (-x * x + y * y - 1 - d * x * x * y * y) % q == 0 - - -def decodeint(s): - return sum(2 ** i * bit(s, i) for i in range(0, b)) - - -def decodepoint(s): - y = sum(2 ** i * bit(s, i) for i in range(0, b - 1)) - x = xrecover(y) - - if x & 1 != bit(s, b - 1): - x = q - x - - P = [x, y] - - if not isoncurve(P): - raise Exception('decoding point that is not on curve') - - return P - - -def checkvalid(s, m, pk): - if len(s) != b // 4: - raise Exception('signature length is wrong') - - if len(pk) != b // 8: - raise Exception('public-key length is wrong') - - R = decodepoint(s[0:b // 8]) - A = decodepoint(pk) - S = decodeint(s[b // 8:b // 4]) - h = Hint(encodepoint(R) + pk + m) - - if scalarmult(B, S) != edwards(R, scalarmult(A, h)): - raise Exception('signature does not pass verification') diff --git a/stem/util/test_tools.py b/stem/util/test_tools.py index 03741d98..36c88f6a 100644 --- a/stem/util/test_tools.py +++ b/stem/util/test_tools.py @@ -455,6 +455,7 @@ def stylistic_issues(paths, check_newlines = False, check_exception_keyword = Fa
ignore_rules = [] ignore_for_file = [] + ignore_all_for_files = []
for rule in CONFIG['pycodestyle.ignore'] + CONFIG['pep8.ignore']: if '=>' in rule: @@ -463,6 +464,8 @@ def stylistic_issues(paths, check_newlines = False, check_exception_keyword = Fa if ':' in rule_entry: rule, code = rule_entry.split(':', 1) ignore_for_file.append((path.strip(), rule.strip(), code.strip())) + elif rule_entry.strip() == '*': + ignore_all_for_files.append(path.strip()) else: ignore_rules.append(rule)
@@ -471,6 +474,10 @@ def stylistic_issues(paths, check_newlines = False, check_exception_keyword = Fa if path.endswith(ignored_path) and ignored_rule == rule and code.strip().startswith(ignored_code): return True
+ for ignored_path in ignore_all_for_files: + if path.endswith(ignored_path): + return True + return False
if is_pycodestyle_available(): @@ -488,6 +495,10 @@ def stylistic_issues(paths, check_newlines = False, check_exception_keyword = Fa
is_block_comment = False
+ for ignored_path in ignore_all_for_files: + if filename.endswith(ignored_path): + return + for index, line in enumerate(lines): content = line.split('#', 1)[0].strip()
diff --git a/test/settings.cfg b/test/settings.cfg index 5443df41..2e7b7a80 100644 --- a/test/settings.cfg +++ b/test/settings.cfg @@ -169,6 +169,8 @@ pycodestyle.ignore E127 pycodestyle.ignore E131 pycodestyle.ignore E722
+pycodestyle.ignore stem/util/ed25519.py => * + pycodestyle.ignore stem/__init__.py => E402: import stem.util.connection pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.bandwidth_file pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.extrainfo_descriptor @@ -177,8 +179,6 @@ pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.m pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.networkstatus pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.server_descriptor pycodestyle.ignore stem/descriptor/__init__.py => E402: import stem.descriptor.tordnsel -pycodestyle.ignore stem/util/slow_ed25519.py => E741: l = 2 ** 252 + 27742317777372353535851937790883648493 -pycodestyle.ignore stem/util/slow_ed25519.py => E741: I = expmod(2, (q - 1) // 4, q) pycodestyle.ignore test/unit/util/connection.py => W291: _tor tor 15843 10 pipe 0x0 state: pycodestyle.ignore test/unit/util/connection.py => W291: _tor tor 15843 11 pipe 0x0 state:
diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py index 715a2b65..cb1e9c68 100644 --- a/test/unit/descriptor/hidden_service_v3.py +++ b/test/unit/descriptor/hidden_service_v3.py @@ -463,9 +463,7 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): @test.require.ed25519_support def test_blinding(self): """ - Create a descriptor with key blinding. `This takes a while - https://github.com/pyca/cryptography/issues/5068`_, so we should not do - this more than once. + Create a descriptor with key blinding. """
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
tor-commits@lists.torproject.org
-
atagar@torproject.org