Merge pull request #3933 from Rohde-Schwarz/ec/448

Feature: x448 and Ed448
randombit · Mar 25, 2024 · 850b267 · 850b267
2 parents 20d372e + a9a3d8b
commit 850b267
Show file tree

Hide file tree

Showing 64 changed files with 6,205 additions and 58 deletions.
diff --git a/doc/api_ref/pubkey.rst b/doc/api_ref/pubkey.rst
@@ -83,11 +83,11 @@ ECDSA
 
 Fast signature scheme based on elliptic curves.
 
-ECDH, DH, and X25519
-~~~~~~~~~~~~~~~~~~~~~~~
+ECDH, DH, X25519 and X448
+~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Key agreement schemes. DH uses arithmetic over finite fields and is slower and
-with larger keys. ECDH and X25519 use elliptic curves instead.
+with larger keys. ECDH, X25519 and X448 use elliptic curves instead.
 
 Dilithium
 ~~~~~~~~~~
@@ -108,10 +108,10 @@ Post-quantum key encapsulation scheme based on (structured) lattices.
 
    The final NIST specification version of Kyber is not yet implemented.
 
-Ed25519
-~~~~~~~~~~
+Ed25519 and Ed448
+~~~~~~~~~~~~~~~~~
 
-Signature scheme based on a specific elliptic curve.
+Signature schemes based on a specific elliptic curve.
 
 XMSS
 ~~~~~~~~~
@@ -770,7 +770,7 @@ Botan implements the following signature algorithms:
    not supporting ``Raw``.
 #. GOST 34.10-2001.
    Requires a :ref:`hash function <sig_with_hash>` as parameter.
-#. Ed25519. See :ref:`Ed25519_variants` for parameters.
+#. Ed25519 and Ed448. See :ref:`Ed25519_Ed448_variants` for parameters.
 #. SM2.
    Takes one of the following as parameter:
 
@@ -928,28 +928,28 @@ Parameters specification:
 - ``Raw``
 - ``Raw(<HashFunction>)``
 
-.. _Ed25519_variants:
+.. _Ed25519_Ed448_variants:
 
-Ed25519 Variants
-~~~~~~~~~~~~~~~~~~
+Ed25519 and Ed448 Variants
+~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Most signature schemes in Botan follow a hash-then-sign paradigm. That is, the
 entire message is digested to a fixed length representative using a collision
-resistant hash function, and then the digest is signed. Ed25519 instead signs
-the message directly. This is beneficial, in that the Ed25519 design should
+resistant hash function, and then the digest is signed. Ed25519 and Ed448 instead sign
+the message directly. This is beneficial, in that the design should
 remain secure even in the (extremely unlikely) event that a collision attack on
 SHA-512 is found. However it means the entire message must be buffered in
 memory, which can be a problem for many applications which might need to sign
-large inputs. To use this variety of Ed25519, use a padding name of "Pure".
+large inputs. To use this variety of Ed25519/Ed448, use a padding name of "Pure".
 
 This is the default mode if no padding name is given.
 
 Parameter specification:
 ``Pure`` / ``Identity``
 
-Ed25519ph (pre-hashed) instead hashes the message with SHA-512 and then signs
-the digest plus a special prefix specified in RFC 8032. To use it, specify
-padding name "Ed25519ph".
+Ed25519ph (or Ed448) (pre-hashed) instead hashes the message with SHA-512 (or SHAKE256(512))
+and then signs the digest plus a special prefix specified in RFC 8032. To use it, specify
+padding name "Ed25519ph" (or "Ed448ph").
 
 Parameter specification:
 ``Ed25519ph``

diff --git a/doc/api_ref/python.rst b/doc/api_ref/python.rst
@@ -344,8 +344,8 @@ Private Key
      Creates a new private key. The parameter type/value depends on
      the algorithm. For "rsa" is is the size of the key in bits.
      For "ecdsa" and "ecdh" it is a group name (for instance
-     "secp256r1"). For "ecdh" there is also a special case for group
-     "curve25519" (which is actually a completely distinct key type
+     "secp256r1"). For "ecdh" there is also a special case for groups
+     "curve25519" and "x448" (which are actually completely distinct key types
      with a non-standard encoding).
 
   .. py:classmethod:: load(val, passphrase="")
@@ -538,7 +538,7 @@ HOTP
 X509Cert
 -----------------------------------------
 
-.. py:class:: X509Cert(filename=None, buf=None) 
+.. py:class:: X509Cert(filename=None, buf=None)
 
    .. py:method:: time_starts()
 
@@ -550,7 +550,7 @@ X509Cert
 
       Return the time the certificate expires, as a string in form
       "YYYYMMDDHHMMSSZ" where Z is a literal character reflecting that this time is
-      relative to UTC.      
+      relative to UTC.
 
    .. py:method:: to_string()
 
@@ -586,7 +586,7 @@ X509Cert
 
       Get a value from the subject DN field.
 
-      ``key`` specifies a value to get, for instance ``"Name"`` or `"Country"`.  
+      ``key`` specifies a value to get, for instance ``"Name"`` or `"Country"`.
 
    .. py:method:: issuer_dn(key, index)
 
@@ -600,7 +600,7 @@ X509Cert
 
    .. py:method:: not_before()
 
-      Return the time the certificate becomes valid, as seconds since epoch.   
+      Return the time the certificate becomes valid, as seconds since epoch.
 
    .. py:method:: not_after()
 
@@ -620,7 +620,7 @@ X509Cert
                   reference_time=0 \
                   crls=None)
 
-      Verify a certificate. Returns 0 if validation was successful, returns a positive error code 
+      Verify a certificate. Returns 0 if validation was successful, returns a positive error code
       if the validation was unsuccesful.
 
       ``intermediates`` is a list of untrusted subauthorities.

diff --git a/readme.rst b/readme.rst
@@ -99,7 +99,7 @@ Public Key Cryptography
 
 * RSA signatures and encryption
 * DH and ECDH key agreement
-* Signature schemes ECDSA, DSA, Ed25519, ECGDSA, ECKCDSA, SM2, GOST 34.10
+* Signature schemes ECDSA, DSA, Ed25519, Ed448, ECGDSA, ECKCDSA, SM2, GOST 34.10
 * Post-quantum signature schemes Dilithium, SPHINCS+, and XMSS
 * Post-quantum key agreement schemes McEliece, Kyber and FrodoKEM
 * ElGamal encryption

diff --git a/src/build-data/oids.txt b/src/build-data/oids.txt
@@ -11,7 +11,9 @@
 1.3.6.1.4.1.3029.1.2.1 = ElGamal
 1.3.6.1.4.1.25258.1.3 = McEliece
 1.3.101.110 = Curve25519
+1.3.101.111 = X448
 1.3.101.112 = Ed25519
+1.3.101.113 = Ed448
 
 # FrodoKEM OIDs are currently in Botan's private arc
 1.3.6.1.4.1.25258.1.14.1 = FrodoKEM-640-SHAKE

diff --git a/src/build-data/policy/bsi.txt b/src/build-data/policy/bsi.txt
@@ -147,6 +147,7 @@ sp800_56a
 
 # pubkey
 curve25519
+x448
 ec_h2c
 ed25519
 elgamal

diff --git a/src/build-data/policy/modern.txt b/src/build-data/policy/modern.txt
@@ -29,7 +29,9 @@ bcrypt
 pbes2
 
 ed25519
+ed448
 curve25519
+x448
 ecdh
 ecdsa
 rsa
@@ -47,7 +49,6 @@ ffi
 
 tls
 prf_tls
-ed25519
 
 ghash_cpu
 ghash_vperm

diff --git a/src/build-data/policy/nist.txt b/src/build-data/policy/nist.txt
@@ -128,7 +128,9 @@ prf_x942
 
 # pubkey
 curve25519
+x448
 ed25519
+ed448
 ecgdsa
 eckcdsa
 elgamal

diff --git a/src/cli/speed.cpp b/src/cli/speed.cpp
@@ -405,7 +405,9 @@ class Speed final : public Command {
             "ECDH",
             "ECDSA",
             "Ed25519",
+            "Ed448",
             "Curve25519",
+            "X448",
             "McEliece",
             "Kyber",
             "SPHINCS+",
@@ -569,6 +571,11 @@ class Speed final : public Command {
                bench_ed25519(provider, msec);
             }
 #endif
+#if defined(BOTAN_HAS_ED448)
+            else if(algo == "Ed448") {
+               bench_ed448(provider, msec);
+            }
+#endif
 #if defined(BOTAN_HAS_DIFFIE_HELLMAN)
             else if(algo == "DH") {
                bench_dh(provider, msec);
@@ -594,6 +601,11 @@ class Speed final : public Command {
                bench_curve25519(provider, msec);
             }
 #endif
+#if defined(BOTAN_HAS_X448)
+            else if(algo == "X448") {
+               bench_x448(provider, msec);
+            }
+#endif
 #if defined(BOTAN_HAS_MCELIECE)
             else if(algo == "McEliece") {
                bench_mceliece(provider, msec);
@@ -1851,6 +1863,12 @@ class Speed final : public Command {
       }
 #endif
 
+#if defined(BOTAN_HAS_ED448)
+      void bench_ed448(const std::string& provider, std::chrono::milliseconds msec) {
+         return bench_pk_sig_ecc("Ed448", "Pure", provider, std::vector<std::string>{""}, msec);
+      }
+#endif
+
 #if defined(BOTAN_HAS_DIFFIE_HELLMAN)
       void bench_dh(const std::string& provider, std::chrono::milliseconds msec) {
          for(size_t bits : {2048, 3072, 4096, 6144, 8192}) {
@@ -1913,6 +1931,12 @@ class Speed final : public Command {
       }
 #endif
 
+#if defined(BOTAN_HAS_X448)
+      void bench_x448(const std::string& provider, std::chrono::milliseconds msec) {
+         bench_pk_ka("X448", "X448", "", provider, msec);
+      }
+#endif
+
 #if defined(BOTAN_HAS_MCELIECE)
       void bench_mceliece(const std::string& provider, std::chrono::milliseconds msec) {
          /*

diff --git a/src/lib/asn1/oid_maps.cpp b/src/lib/asn1/oid_maps.cpp
@@ -1,7 +1,7 @@
 /*
 * OID maps
 *
-* This file was automatically generated by ./src/scripts/dev_tools/gen_oids.py on 2023-11-02
+* This file was automatically generated by ./src/scripts/dev_tools/gen_oids.py on 2024-02-29
 *
 * All manual edits to this file will be lost. Edit the script
 * then regenerate this source file.
@@ -107,7 +107,9 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
       {"1.2.840.113549.2.9", "HMAC(SHA-256)"},
       {"1.2.840.113549.3.7", "TripleDES/CBC"},
       {"1.3.101.110", "Curve25519"},
+      {"1.3.101.111", "X448"},
       {"1.3.101.112", "Ed25519"},
+      {"1.3.101.113", "Ed448"},
       {"1.3.132.0.10", "secp256k1"},
       {"1.3.132.0.30", "secp160r2"},
       {"1.3.132.0.31", "secp192k1"},
@@ -337,6 +339,7 @@ std::unordered_map<std::string, OID> OID_Map::load_str2oid_map() {
       {"ChaCha20Poly1305", OID({1, 2, 840, 113549, 1, 9, 16, 3, 18})},
       {"Compression.Zlib", OID({1, 2, 840, 113549, 1, 9, 16, 3, 8})},
       {"Curve25519", OID({1, 3, 101, 110})},
+      {"X448", OID({1, 3, 101, 111})},
       {"DES/CBC", OID({1, 3, 14, 3, 2, 7})},
       {"DH", OID({1, 2, 840, 10046, 2, 1})},
       {"DSA", OID({1, 2, 840, 10040, 4, 1})},
@@ -378,6 +381,7 @@ std::unordered_map<std::string, OID> OID_Map::load_str2oid_map() {
       {"ECKCDSA/SHA-224", OID({1, 2, 410, 200004, 1, 100, 4, 4})},
       {"ECKCDSA/SHA-256", OID({1, 2, 410, 200004, 1, 100, 4, 5})},
       {"Ed25519", OID({1, 3, 101, 112})},
+      {"Ed448", OID({1, 3, 101, 113})},
       {"ElGamal", OID({1, 3, 6, 1, 4, 1, 3029, 1, 2, 1})},
       {"FrodoKEM-1344-AES", OID({1, 3, 6, 1, 4, 1, 25258, 1, 15, 3})},
       {"FrodoKEM-1344-SHAKE", OID({1, 3, 6, 1, 4, 1, 25258, 1, 14, 3})},

diff --git a/src/lib/ffi/ffi.h b/src/lib/ffi/ffi.h
@@ -1421,6 +1421,18 @@ BOTAN_FFI_EXPORT(2, 2) int botan_privkey_ed25519_get_privkey(botan_privkey_t key
 
 BOTAN_FFI_EXPORT(2, 2) int botan_pubkey_ed25519_get_pubkey(botan_pubkey_t key, uint8_t pubkey[32]);
 
+/*
+* Algorithm specific key operations: Ed448
+*/
+
+BOTAN_FFI_EXPORT(3, 4) int botan_privkey_load_ed448(botan_privkey_t* key, const uint8_t privkey[57]);
+
+BOTAN_FFI_EXPORT(3, 4) int botan_pubkey_load_ed448(botan_pubkey_t* key, const uint8_t pubkey[57]);
+
+BOTAN_FFI_EXPORT(3, 4) int botan_privkey_ed448_get_privkey(botan_privkey_t key, uint8_t output[57]);
+
+BOTAN_FFI_EXPORT(3, 4) int botan_pubkey_ed448_get_pubkey(botan_pubkey_t key, uint8_t pubkey[57]);
+
 /*
 * Algorithm specific key operations: X25519
 */
@@ -1433,6 +1445,18 @@ BOTAN_FFI_EXPORT(2, 8) int botan_privkey_x25519_get_privkey(botan_privkey_t key,
 
 BOTAN_FFI_EXPORT(2, 8) int botan_pubkey_x25519_get_pubkey(botan_pubkey_t key, uint8_t pubkey[32]);
 
+/*
+* Algorithm specific key operations: X448
+*/
+
+BOTAN_FFI_EXPORT(3, 4) int botan_privkey_load_x448(botan_privkey_t* key, const uint8_t privkey[56]);
+
+BOTAN_FFI_EXPORT(3, 4) int botan_pubkey_load_x448(botan_pubkey_t* key, const uint8_t pubkey[56]);
+
+BOTAN_FFI_EXPORT(3, 4) int botan_privkey_x448_get_privkey(botan_privkey_t key, uint8_t output[56]);
+
+BOTAN_FFI_EXPORT(3, 4) int botan_pubkey_x448_get_pubkey(botan_pubkey_t key, uint8_t pubkey[56]);
+
 /*
 * Algorithm specific key operations: Kyber
 */