mirror of
https://github.com/tendermint/tendermint.git
synced 2026-02-11 06:11:07 +00:00
c5cc3c8d3f
At Oasis we have spend some time writing a new Ed25519/X25519/sr25519 implementation called curve25519-voi. This PR switches the import from ed25519consensus/go-schnorrkel, which should lead to performance gains on most systems. Summary of changes: * curve25519-voi is now used for Ed25519 operations, following the existing ZIP-215 semantics. * curve25519-voi's public key cache is enabled (hardcoded size of 4096 entries, should be tuned, see the code comment) to accelerate repeated Ed25519 verification with the same public key(s). * (BREAKING) curve25519-voi is now used for sr25519 operations. This is a breaking change as the current sr25519 support does something decidedly non-standard when going from a MiniSecretKey to a SecretKey and or PublicKey (The expansion routine is called twice). While I believe the new behavior (that expands once and only once) to be more "correct", this changes the semantics as implemented. * curve25519-voi is now used for merlin since the included STROBE implementation produces much less garbage on the heap. Side issues fixed: * The version of go-schnorrkel that is currently imported by tendermint has a badly broken batch verification implementation. Upstream has fixed the issue after I reported it, so the version should be bumped in the interim. Open design questions/issues: * As noted, the public key cache size should be tuned. It is currently backed by a trivial thread-safe LRU cache, which is not scan-resistant, but replacing it with something better is a matter of implementing an interface. * As far as I can tell, the only reason why serial verification on batch failure is necessary is to provide more detailed error messages (that are only used in some unit tests). If you trust the batch verification to be consistent with serial verification then the fallback can be eliminated entirely (the BatchVerifier provided by the new library supports an option that omits the fallback if this is chosen as the way forward). * curve25519-voi's sr25519 support could use more optimization and more eyes on the code. The algorithm unfortunately is woefully under-specified, and the implementation was done primarily because I got really sad when I actually looked at go-schnorrkel, and we do not use the algorithm at this time.
228 lines
6.1 KiB
Go
228 lines
6.1 KiB
Go
package ed25519
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/subtle"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
|
|
"github.com/oasisprotocol/curve25519-voi/primitives/ed25519"
|
|
"github.com/oasisprotocol/curve25519-voi/primitives/ed25519/extra/cache"
|
|
|
|
"github.com/tendermint/tendermint/crypto"
|
|
"github.com/tendermint/tendermint/crypto/tmhash"
|
|
tmjson "github.com/tendermint/tendermint/libs/json"
|
|
)
|
|
|
|
//-------------------------------------
|
|
|
|
var (
|
|
_ crypto.PrivKey = PrivKey{}
|
|
|
|
// curve25519-voi's Ed25519 implementation supports configurable
|
|
// verification behavior, and tendermint uses the ZIP-215 verification
|
|
// semantics.
|
|
verifyOptions = &ed25519.Options{
|
|
Verify: ed25519.VerifyOptionsZIP_215,
|
|
}
|
|
|
|
cachingVerifier = cache.NewVerifier(cache.NewLRUCache(cacheSize))
|
|
)
|
|
|
|
const (
|
|
PrivKeyName = "tendermint/PrivKeyEd25519"
|
|
PubKeyName = "tendermint/PubKeyEd25519"
|
|
// PubKeySize is is the size, in bytes, of public keys as used in this package.
|
|
PubKeySize = 32
|
|
// PrivateKeySize is the size, in bytes, of private keys as used in this package.
|
|
PrivateKeySize = 64
|
|
// Size of an Edwards25519 signature. Namely the size of a compressed
|
|
// Edwards25519 point, and a field element. Both of which are 32 bytes.
|
|
SignatureSize = 64
|
|
// SeedSize is the size, in bytes, of private key seeds. These are the
|
|
// private key representations used by RFC 8032.
|
|
SeedSize = 32
|
|
|
|
KeyType = "ed25519"
|
|
|
|
// cacheSize is the number of public keys that will be cached in
|
|
// an expanded format for repeated signature verification.
|
|
//
|
|
// TODO/perf: Either this should exclude single verification, or be
|
|
// tuned to `> validatorSize + maxTxnsPerBlock` to avoid cache
|
|
// thrashing.
|
|
cacheSize = 4096
|
|
)
|
|
|
|
func init() {
|
|
tmjson.RegisterType(PubKey{}, PubKeyName)
|
|
tmjson.RegisterType(PrivKey{}, PrivKeyName)
|
|
}
|
|
|
|
// PrivKey implements crypto.PrivKey.
|
|
type PrivKey []byte
|
|
|
|
// Bytes returns the privkey byte format.
|
|
func (privKey PrivKey) Bytes() []byte {
|
|
return []byte(privKey)
|
|
}
|
|
|
|
// Sign produces a signature on the provided message.
|
|
// This assumes the privkey is wellformed in the golang format.
|
|
// The first 32 bytes should be random,
|
|
// corresponding to the normal ed25519 private key.
|
|
// The latter 32 bytes should be the compressed public key.
|
|
// If these conditions aren't met, Sign will panic or produce an
|
|
// incorrect signature.
|
|
func (privKey PrivKey) Sign(msg []byte) ([]byte, error) {
|
|
signatureBytes := ed25519.Sign(ed25519.PrivateKey(privKey), msg)
|
|
return signatureBytes, nil
|
|
}
|
|
|
|
// PubKey gets the corresponding public key from the private key.
|
|
//
|
|
// Panics if the private key is not initialized.
|
|
func (privKey PrivKey) PubKey() crypto.PubKey {
|
|
// If the latter 32 bytes of the privkey are all zero, privkey is not
|
|
// initialized.
|
|
initialized := false
|
|
for _, v := range privKey[32:] {
|
|
if v != 0 {
|
|
initialized = true
|
|
break
|
|
}
|
|
}
|
|
|
|
if !initialized {
|
|
panic("Expected ed25519 PrivKey to include concatenated pubkey bytes")
|
|
}
|
|
|
|
pubkeyBytes := make([]byte, PubKeySize)
|
|
copy(pubkeyBytes, privKey[32:])
|
|
return PubKey(pubkeyBytes)
|
|
}
|
|
|
|
// Equals - you probably don't need to use this.
|
|
// Runs in constant time based on length of the keys.
|
|
func (privKey PrivKey) Equals(other crypto.PrivKey) bool {
|
|
if otherEd, ok := other.(PrivKey); ok {
|
|
return subtle.ConstantTimeCompare(privKey[:], otherEd[:]) == 1
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func (privKey PrivKey) Type() string {
|
|
return KeyType
|
|
}
|
|
|
|
// GenPrivKey generates a new ed25519 private key.
|
|
// It uses OS randomness in conjunction with the current global random seed
|
|
// in tendermint/libs/common to generate the private key.
|
|
func GenPrivKey() PrivKey {
|
|
return genPrivKey(crypto.CReader())
|
|
}
|
|
|
|
// genPrivKey generates a new ed25519 private key using the provided reader.
|
|
func genPrivKey(rand io.Reader) PrivKey {
|
|
_, priv, err := ed25519.GenerateKey(rand)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
return PrivKey(priv)
|
|
}
|
|
|
|
// GenPrivKeyFromSecret hashes the secret with SHA2, and uses
|
|
// that 32 byte output to create the private key.
|
|
// NOTE: secret should be the output of a KDF like bcrypt,
|
|
// if it's derived from user input.
|
|
func GenPrivKeyFromSecret(secret []byte) PrivKey {
|
|
seed := crypto.Sha256(secret) // Not Ripemd160 because we want 32 bytes.
|
|
|
|
return PrivKey(ed25519.NewKeyFromSeed(seed))
|
|
}
|
|
|
|
//-------------------------------------
|
|
|
|
var _ crypto.PubKey = PubKey{}
|
|
|
|
// PubKeyEd25519 implements crypto.PubKey for the Ed25519 signature scheme.
|
|
type PubKey []byte
|
|
|
|
// Address is the SHA256-20 of the raw pubkey bytes.
|
|
func (pubKey PubKey) Address() crypto.Address {
|
|
if len(pubKey) != PubKeySize {
|
|
panic("pubkey is incorrect size")
|
|
}
|
|
return crypto.Address(tmhash.SumTruncated(pubKey))
|
|
}
|
|
|
|
// Bytes returns the PubKey byte format.
|
|
func (pubKey PubKey) Bytes() []byte {
|
|
return []byte(pubKey)
|
|
}
|
|
|
|
func (pubKey PubKey) VerifySignature(msg []byte, sig []byte) bool {
|
|
// make sure we use the same algorithm to sign
|
|
if len(sig) != SignatureSize {
|
|
return false
|
|
}
|
|
|
|
return cachingVerifier.VerifyWithOptions(ed25519.PublicKey(pubKey), msg, sig, verifyOptions)
|
|
}
|
|
|
|
func (pubKey PubKey) String() string {
|
|
return fmt.Sprintf("PubKeyEd25519{%X}", []byte(pubKey))
|
|
}
|
|
|
|
func (pubKey PubKey) Type() string {
|
|
return KeyType
|
|
}
|
|
|
|
func (pubKey PubKey) Equals(other crypto.PubKey) bool {
|
|
if otherEd, ok := other.(PubKey); ok {
|
|
return bytes.Equal(pubKey[:], otherEd[:])
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
var _ crypto.BatchVerifier = &BatchVerifier{}
|
|
|
|
// BatchVerifier implements batch verification for ed25519.
|
|
type BatchVerifier struct {
|
|
*ed25519.BatchVerifier
|
|
}
|
|
|
|
func NewBatchVerifier() crypto.BatchVerifier {
|
|
return &BatchVerifier{ed25519.NewBatchVerifier()}
|
|
}
|
|
|
|
func (b *BatchVerifier) Add(key crypto.PubKey, msg, signature []byte) error {
|
|
pkEd, ok := key.(PubKey)
|
|
if !ok {
|
|
return fmt.Errorf("pubkey is not Ed25519")
|
|
}
|
|
|
|
pkBytes := pkEd.Bytes()
|
|
|
|
if l := len(pkBytes); l != PubKeySize {
|
|
return fmt.Errorf("pubkey size is incorrect; expected: %d, got %d", PubKeySize, l)
|
|
}
|
|
|
|
// check that the signature is the correct length
|
|
if len(signature) != SignatureSize {
|
|
return errors.New("invalid signature")
|
|
}
|
|
|
|
cachingVerifier.AddWithOptions(b.BatchVerifier, ed25519.PublicKey(pkBytes), msg, signature, verifyOptions)
|
|
|
|
return nil
|
|
}
|
|
|
|
func (b *BatchVerifier) Verify() (bool, []bool) {
|
|
return b.BatchVerifier.Verify(crypto.CReader())
|
|
}
|