ec: expose low-level point arithmetic

Author: samoht

ec/mirage_crypto_ec.ml

@@ -68,6 +68,17 @@ end
 module type Dh_dsa = sig
   module Dh : Dh
   module Dsa : Dsa
+  module Point : sig
+    type point
+    type scalar
+    val of_octets : string -> (point, error) result
+    val to_octets : ?compress:bool -> point -> string
+    val scalar_of_octets : string -> (scalar, error) result
+    val scalar_to_octets : scalar -> string
+    val generator : point
+    val add : point -> point -> point
+    val scalar_mult : scalar -> point -> point
+  end
 end
 
 type field_element = string
@@ -774,6 +785,18 @@ module Make_dsa (Param : Parameters) (F : Fn) (P : Point) (S : Scalar) (H : Dige
   end
 end
 
+module Point (P : Point) (S : Scalar) = struct
+  type nonrec point = point
+  type nonrec scalar = scalar
+  let of_octets = P.of_octets
+  let to_octets ?(compress = false) p = P.to_octets ~compress p
+  let scalar_of_octets = S.of_octets
+  let scalar_to_octets = S.to_octets
+  let generator = P.params_g
+  let add = P.add
+  let scalar_mult = S.scalar_mult
+end
+
 module P256 : Dh_dsa  = struct
   module Params = struct
     let a = "\xFF\xFF\xFF\xFF\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC"
@@ -823,6 +846,7 @@ module P256 : Dh_dsa  = struct
   module Dh = Make_dh(Params)(P)(S)
   module Fn = Make_Fn(Params)(Foreign_n)
   module Dsa = Make_dsa(Params)(Fn)(P)(S)(Digestif.SHA256)
+  module Point = Point(P)(S)
 end
 
 module P384 : Dh_dsa = struct
@@ -875,6 +899,7 @@ module P384 : Dh_dsa = struct
   module Dh = Make_dh(Params)(P)(S)
   module Fn = Make_Fn(Params)(Foreign_n)
   module Dsa = Make_dsa(Params)(Fn)(P)(S)(Digestif.SHA384)
+  module Point = Point(P)(S)
 end
 
 module P521 : Dh_dsa = struct
@@ -928,6 +953,7 @@ module P521 : Dh_dsa = struct
   module Dh = Make_dh(Params)(P)(S)
   module Fn = Make_Fn(Params)(Foreign_n)
   module Dsa = Make_dsa(Params)(Fn)(P)(S)(Digestif.SHA512)
+  module Point = Point(P)(S)
 end
 
 module X25519 = struct

ec/mirage_crypto_ec.mli

@@ -163,6 +163,40 @@ module type Dh_dsa = sig
 
   (** Digital signature algorithm. *)
   module Dsa : Dsa
+
+  (** Low-level point arithmetic. *)
+  module Point : sig
+    type point
+    (** The type for points on the elliptic curve. *)
+
+    type scalar
+    (** The type for scalars. *)
+
+    val of_octets : string -> (point, error) result
+    (** [of_octets buf] decodes a point from [buf] in uncompressed or compressed
+        SEC 1 format. Returns an error if the point is not on the curve. *)
+
+    val to_octets : ?compress:bool -> point -> string
+    (** [to_octets ~compress point] encodes [point] to SEC 1 format. If
+        [compress] is [true] (default [false]), the compressed format is used. *)
+
+    val scalar_of_octets : string -> (scalar, error) result
+    (** [scalar_of_octets buf] decodes a scalar from [buf]. Returns an error if
+        the scalar is not in the valid range \[1, n-1\] where n is the group
+        order. *)
+
+    val scalar_to_octets : scalar -> string
+    (** [scalar_to_octets scalar] encodes [scalar] to a byte string. *)
+
+    val generator : point
+    (** [generator] is the generator point (base point) of the curve. *)
+
+    val add : point -> point -> point
+    (** [add p q] is the sum of points [p] and [q]. *)
+
+    val scalar_mult : scalar -> point -> point
+    (** [scalar_mult s p] is the scalar multiplication of [p] by [s]. *)
+  end
 end
 
 (** The NIST P-256 curve, also known as SECP256R1. *)

tests/test_ec.ml

@@ -803,6 +803,91 @@ let ed25519 =
      |};
   ]
 
+let point_module_tests (module C : Mirage_crypto_ec.Dh_dsa) name =
+  let open C in
+  let test_generator_not_identity () =
+    (* Generator should not be the identity (at infinity) *)
+    let g = Point.generator in
+    let g_bytes = Point.to_octets g in
+    (* Generator serialized should not be just the identity point *)
+    Alcotest.(check bool) "generator has non-trivial encoding"
+      true (String.length g_bytes > 1)
+  in
+  let test_point_serialization_roundtrip () =
+    (* Generate a key pair and check that the public key roundtrips through Point *)
+    let _priv, pub = Dsa.generate () in
+    let pub_bytes = Dsa.pub_to_octets pub in
+    match Point.of_octets pub_bytes with
+    | Ok point ->
+      let point_bytes = Point.to_octets point in
+      Alcotest.(check string) "point roundtrip" pub_bytes point_bytes
+    | Error e -> Alcotest.failf "of_octets failed: %a" pp_error e
+  in
+  let test_point_compressed_serialization () =
+    let _priv, pub = Dsa.generate () in
+    let pub_bytes = Dsa.pub_to_octets pub in
+    match Point.of_octets pub_bytes with
+    | Ok point ->
+      let compressed = Point.to_octets ~compress:true point in
+      (* Compressed form should be shorter *)
+      Alcotest.(check bool) "compressed is shorter"
+        true (String.length compressed < String.length pub_bytes);
+      (* Should be able to decode compressed form *)
+      (match Point.of_octets compressed with
+       | Ok point' ->
+         let uncompressed = Point.to_octets point' in
+         Alcotest.(check string) "compressed roundtrip" pub_bytes uncompressed
+       | Error e -> Alcotest.failf "compressed of_octets failed: %a" pp_error e)
+    | Error e -> Alcotest.failf "of_octets failed: %a" pp_error e
+  in
+  let test_scalar_serialization_roundtrip () =
+    (* Generate a key and check scalar roundtrip *)
+    let secret, _pub = Dh.gen_key () in
+    let secret_bytes = Dh.secret_to_octets secret in
+    match Point.scalar_of_octets secret_bytes with
+    | Ok scalar ->
+      let scalar_bytes = Point.scalar_to_octets scalar in
+      Alcotest.(check string) "scalar roundtrip" secret_bytes scalar_bytes
+    | Error e -> Alcotest.failf "scalar_of_octets failed: %a" pp_error e
+  in
+  let test_scalar_mult_with_generator () =
+    (* scalar_mult with generator should give the same result as pub_of_priv *)
+    let priv, pub = Dsa.generate () in
+    let priv_bytes = Dsa.priv_to_octets priv in
+    let pub_bytes = Dsa.pub_to_octets pub in
+    match Point.scalar_of_octets priv_bytes with
+    | Ok scalar ->
+      let computed_pub = Point.scalar_mult scalar Point.generator in
+      let computed_bytes = Point.to_octets computed_pub in
+      Alcotest.(check string) "scalar_mult generator" pub_bytes computed_bytes
+    | Error e -> Alcotest.failf "scalar_of_octets failed: %a" pp_error e
+  in
+  let test_point_add () =
+    (* Test that P + P = 2P (scalar_mult 2 P) *)
+    let g = Point.generator in
+    let g_plus_g = Point.add g g in
+    (* scalar 2 in big-endian encoding *)
+    let two =
+      let buf = Bytes.make Dsa.byte_length '\000' in
+      Bytes.set_uint8 buf (Dsa.byte_length - 1) 2;
+      Bytes.to_string buf
+    in
+    match Point.scalar_of_octets two with
+    | Ok scalar_2 ->
+      let two_g = Point.scalar_mult scalar_2 g in
+      Alcotest.(check string) "G + G = 2G"
+        (Point.to_octets g_plus_g) (Point.to_octets two_g)
+    | Error e -> Alcotest.failf "scalar_of_octets 2 failed: %a" pp_error e
+  in
+  [
+    name ^ " Point generator", `Quick, test_generator_not_identity;
+    name ^ " Point serialization roundtrip", `Quick, test_point_serialization_roundtrip;
+    name ^ " Point compressed serialization", `Quick, test_point_compressed_serialization;
+    name ^ " Scalar serialization roundtrip", `Quick, test_scalar_serialization_roundtrip;
+    name ^ " scalar_mult with generator", `Quick, test_scalar_mult_with_generator;
+    name ^ " Point add", `Quick, test_point_add;
+  ]
+
 let p521_regression () =
   let key = of_hex
 "04 01 e4 f8 8a 40 3d fe  2f 65 a0 20 50 01 9b 87
@@ -853,4 +938,7 @@ let () =
       ("X25519", [ "RFC 7748", `Quick, x25519 ]);
       ("ED25519", ed25519);
       ("ECDSA P521 regression", [ "regreesion1", `Quick, p521_regression ]);
+      ("P256 Point module", point_module_tests (module P256) "P256");
+      ("P384 Point module", point_module_tests (module P384) "P384");
+      ("P521 Point module", point_module_tests (module P521) "P521");
     ]