def test_scalarmult_ed25519_unavailable():
zero = 32 * b"\x00"
with pytest.raises(UnavailableError):
c.crypto_scalarmult_ed25519_base(zero)
with pytest.raises(UnavailableError):
c.crypto_scalarmult_ed25519_base_noclamp(zero)
with pytest.raises(UnavailableError):
c.crypto_scalarmult_ed25519(zero, zero)
with pytest.raises(UnavailableError):
c.crypto_scalarmult_ed25519_noclamp(zero, zero)
def test_scalarmult_ed25519_noclamp():
# An arbitrary scalar which is known to differ once clamped
scalar = 32 * b'\x01'
BASEPOINT = bytes(bytearray([0x58, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66]
)
)
p = c.crypto_scalarmult_ed25519_noclamp(scalar, BASEPOINT)
pb = c.crypto_scalarmult_ed25519_base_noclamp(scalar)
pc = c.crypto_scalarmult_ed25519_base(scalar)
assert p == pb
assert pb != pc
# clamp manually
ba = bytearray(scalar)
ba0 = bytes(bytearray([ba[0] & 248]))
ba31 = bytes(bytearray([(ba[31] & 127) | 64]))
scalar_clamped = ba0 + bytes(ba[1:31]) + ba31
p1 = c.crypto_scalarmult_ed25519_noclamp(scalar_clamped, BASEPOINT)
p2 = c.crypto_scalarmult_ed25519(scalar, BASEPOINT)
assert p1 == p2
def test_scalarmult_ed25519():
SCALARBYTES = c.crypto_scalarmult_ed25519_SCALARBYTES
# the minimum ed25519 scalar is represented by a 8 value in the
# first octet, a 64 value in the last octet, and all zeros
# in between:
MINSC = bytes(bytearray([8] + (SCALARBYTES - 2) * [0] + [64]))
# the scalar multiplication formula for ed25519
# "clamps" the scalar by setting the most significant bit
# of the last octet to zero, therefore scalar multiplication
# by CLMPD is equivalent to scalar multiplication by MINSC
CLMPD = bytes(bytearray([8] + (SCALARBYTES - 2) * [0] + [192]))
MIN_P1 = bytes(bytearray([9] + (SCALARBYTES - 2) * [0] + [64]))
MIN_P7 = bytes(bytearray([15] + (SCALARBYTES - 2) * [0] + [64]))
MIN_P8 = bytes(bytearray([16] + (SCALARBYTES - 2) * [0] + [64]))
p, _s = c.crypto_sign_keypair()
_p = p
for i in range(254):
# double _p
_p = c.crypto_core_ed25519_add(_p, _p)
for i in range(8):
_p = c.crypto_core_ed25519_add(_p, p)
# at this point _p is (2^254+8) times p
assert c.crypto_scalarmult_ed25519(MINSC, p) == _p
assert c.crypto_scalarmult_ed25519(CLMPD, p) == _p
# ed25519 scalar multiplication sets the least three significant
# bits of the first octet to zero; therefore:
assert c.crypto_scalarmult_ed25519(MIN_P1, p) == _p
assert c.crypto_scalarmult_ed25519(MIN_P7, p) == _p
_p8 = _p
for i in range(8):
_p8 = c.crypto_core_ed25519_add(_p8, p)
# at this point _p is (2^254 + 16) times p
assert c.crypto_scalarmult_ed25519(MIN_P8, p) == _p8
def test_scalarmult_ed25519():
SCALARBYTES = c.crypto_scalarmult_ed25519_SCALARBYTES
# the minimum ed25519 scalar is represented by a 8 value in the
# first octet, a 64 value in the last octet, and all zeros
# in between:
MINSC = bytes(bytearray([8] + (SCALARBYTES - 2) * [0] + [64]))
# the scalar multiplication formula for ed25519
# "clamps" the scalar by setting the most significant bit
# of the last octet to zero, therefore scalar multiplication
# by CLMPD is equivalent to scalar multiplication by MINSC
CLMPD = bytes(bytearray([8] + (SCALARBYTES - 2) * [0] + [192]))
MIN_P1 = bytes(bytearray([9] + (SCALARBYTES - 2) * [0] + [64]))
MIN_P7 = bytes(bytearray([15] + (SCALARBYTES - 2) * [0] + [64]))
MIN_P8 = bytes(bytearray([16] + (SCALARBYTES - 2) * [0] + [64]))
p, _s = c.crypto_sign_keypair()
_p = p
for i in range(254):
# double _p
_p = c.crypto_core_ed25519_add(_p, _p)
for i in range(8):
_p = c.crypto_core_ed25519_add(_p, p)
# at this point _p is (2^254+8) times p
assert c.crypto_scalarmult_ed25519(MINSC, p) == _p
assert c.crypto_scalarmult_ed25519(CLMPD, p) == _p
# ed25519 scalar multiplication sets the least three significant
# bits of the first octet to zero; therefore:
assert c.crypto_scalarmult_ed25519(MIN_P1, p) == _p
assert c.crypto_scalarmult_ed25519(MIN_P7, p) == _p
_p8 = _p
for i in range(8):
_p8 = c.crypto_core_ed25519_add(_p8, p)
# at this point _p is (2^254 + 16) times p
assert c.crypto_scalarmult_ed25519(MIN_P8, p) == _p8
def getRequestOTKey(self, entryIndex: str) -> bytes:
"""
Given the index of an entry of interest to the Receiver, returns the
tailored public Oblivious Transfer key of the Receiver. Further, the
Oblivious Transfer secret key is stored internally, which later is used
to decrypt the entry of interest to the Receiver.
:param entryIndex: The index of an entry of interest to the Receiver. It
must be provided as a string.
"""
entryIndexBytes = entryIndex.encode('utf8')
sk = nacl.utils.random(crypto_scalarmult_ed25519_SCALARBYTES)
pk = crypto_scalarmult_ed25519_base(sk)
self.__otSecrets[entryIndex] = crypto_scalarmult_ed25519(
sk, self.__senderOTKey)
return crypto_core_ed25519_add(
crypto_scalarmult_ed25519(
b'\0' * (32 - len(entryIndexBytes)) + entryIndexBytes,
self.__senderOTKey), pk)
def __init__(self) -> None:
"""
Initialises the Sender.
"""
self.__senderOTSecret = nacl.utils.random(
#bytes(random.getrandbits(8) for _ in range(
crypto_scalarmult_ed25519_SCALARBYTES)
#)
self.__senderOTKey = crypto_scalarmult_ed25519_base(
self.__senderOTSecret)
self.__senderOTU = crypto_scalarmult_ed25519(self.__senderOTSecret,
self.__senderOTKey)
def retrieve(self, params: dict) -> dict:
"""
Returns all encrypted entries provided to the Sender (usually all
entries of a database). It should contain the entry of interest to the
Receiver, although the Sender is unaware of which entry is the one. Each
entry must be a python dict containing the following keys:
'index' as the index of the entry given by a string,
'value' as the value of the entry given by a string.
All entries will be extended with a new key, which must be calculated
only once per Sender instance:
'indexOTU' as a specific Oblivious Transfer index value calculated
in dependence of the senderOTKey.
:param params: A python dict containing the following:
'requestOTKey' as the tailored public Oblivious Transfer key of the Receiver,
'entries' with a list of all entries to be sent to the Receiver.
"""
sharedOTSecret = crypto_scalarmult_ed25519(self.__senderOTSecret,
params['requestOTKey'])
C = {}
for entry in params['entries']:
entryIndexBytes = entry['index'].encode('utf8')
try:
tmp = entry['indexOTU']
except:
entry['indexOTU'] = crypto_scalarmult_ed25519(
b'\0' * (32 - len(entryIndexBytes)) + entryIndexBytes,
self.__senderOTU)
K = crypto_core_ed25519_sub(sharedOTSecret, entry['indexOTU'])
c = nacl.secret.SecretBox(K).encrypt(entry['value'].encode('utf8'))
if CONCEAL_RESPONSE_INDICES:
i = _calcMac(
entryIndexBytes,
keyBytes=K,
)
else:
i = entry['index']
C[i] = c
return C
def test_scalarmult_ed25519_base():
"""
Verify scalarmult_ed25519_base is congruent to
scalarmult_ed25519 on the ed25519 base point
"""
BASEPOINT = bytes(
bytearray([
0x58,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
0x66,
]))
sclr = c.randombytes(c.crypto_scalarmult_ed25519_SCALARBYTES)
p = c.crypto_scalarmult_ed25519_base(sclr)
p2 = c.crypto_scalarmult_ed25519(sclr, BASEPOINT)
assert p2 == p
def test_scalarmult_ed25519_base():
"""
Verify scalarmult_ed25519_base is congruent to
scalarmult_ed25519 on the ed25519 base point
"""
BASEPOINT = bytes(bytearray([0x58, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66]
)
)
sclr = c.randombytes(c.crypto_scalarmult_ed25519_SCALARBYTES)
p = c.crypto_scalarmult_ed25519_base(sclr)
p2 = c.crypto_scalarmult_ed25519(sclr, BASEPOINT)
assert p2 == p