rfc6979/
lib.rs

1#![no_std]
2#![doc = include_str!("../README.md")]
3#![forbid(unsafe_code, clippy::unwrap_used)]
4#![warn(missing_docs, rust_2018_idioms)]
5#![doc(
6    html_logo_url = "https://raw.githubusercontent.com/RustCrypto/media/8f1a9894/logo.svg",
7    html_favicon_url = "https://raw.githubusercontent.com/RustCrypto/media/8f1a9894/logo.svg"
8)]
9
10//! ## Usage
11//!
12//! See also: the documentation for the [`generate_k`] function.
13//!
14//! ```
15//! use hex_literal::hex;
16//! use rfc6979::consts::U32;
17//! use sha2::{Digest, Sha256};
18//!
19//! // NIST P-256 field modulus
20//! const NIST_P256_MODULUS: [u8; 32] =
21//!     hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551");
22//!
23//! // Public key for RFC6979 NIST P256/SHA256 test case
24//! const RFC6979_KEY: [u8; 32] =
25//!     hex!("C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721");
26//!
27//! // Test message for RFC6979 NIST P256/SHA256 test case
28//! const RFC6979_MSG: &[u8; 6] = b"sample";
29//!
30//! // Expected K for RFC6979 NIST P256/SHA256 test case
31//! const RFC6979_EXPECTED_K: [u8; 32] =
32//!     hex!("A6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60");
33//!
34//! let h = Sha256::digest(RFC6979_MSG);
35//! let aad = b"";
36//! let k = rfc6979::generate_k::<Sha256, U32>(&RFC6979_KEY.into(), &NIST_P256_MODULUS.into(), &h, aad);
37//! assert_eq!(k.as_slice(), &RFC6979_EXPECTED_K);
38//! ```
39
40mod ct_cmp;
41
42pub use hmac::digest::generic_array::typenum::consts;
43
44use hmac::{
45    digest::{
46        core_api::BlockSizeUser,
47        generic_array::{ArrayLength, GenericArray},
48        Digest, FixedOutput, FixedOutputReset, Mac,
49    },
50    SimpleHmac,
51};
52
53/// Array of bytes representing a scalar serialized as a big endian integer.
54pub type ByteArray<Size> = GenericArray<u8, Size>;
55
56/// Deterministically generate ephemeral scalar `k`.
57///
58/// Accepts the following parameters and inputs:
59///
60/// - `x`: secret key
61/// - `n`: field modulus
62/// - `h`: hash/digest of input message: must be reduced modulo `n` in advance
63/// - `data`: additional associated data, e.g. CSRNG output used as added entropy
64#[inline]
65pub fn generate_k<D, N>(
66    x: &ByteArray<N>,
67    n: &ByteArray<N>,
68    h: &ByteArray<N>,
69    data: &[u8],
70) -> ByteArray<N>
71where
72    D: Digest + BlockSizeUser + FixedOutput<OutputSize = N> + FixedOutputReset,
73    N: ArrayLength<u8>,
74{
75    let mut hmac_drbg = HmacDrbg::<D>::new(x, h, data);
76
77    loop {
78        let mut k = ByteArray::<N>::default();
79        hmac_drbg.fill_bytes(&mut k);
80
81        let k_is_zero = ct_cmp::ct_eq(&k, &ByteArray::default());
82        if (!k_is_zero & ct_cmp::ct_lt(&k, n)).into() {
83            return k;
84        }
85    }
86}
87
88/// Internal implementation of `HMAC_DRBG` as described in NIST SP800-90A.
89///
90/// <https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final>
91///
92/// This is a HMAC-based deterministic random bit generator used compute a
93/// deterministic ephemeral scalar `k`.
94pub struct HmacDrbg<D>
95where
96    D: Digest + BlockSizeUser + FixedOutputReset,
97{
98    /// HMAC key `K` (see RFC 6979 Section 3.2.c)
99    k: SimpleHmac<D>,
100
101    /// Chaining value `V` (see RFC 6979 Section 3.2.c)
102    v: GenericArray<u8, D::OutputSize>,
103}
104
105impl<D> HmacDrbg<D>
106where
107    D: Digest + BlockSizeUser + FixedOutputReset,
108{
109    /// Initialize `HMAC_DRBG`
110    pub fn new(entropy_input: &[u8], nonce: &[u8], additional_data: &[u8]) -> Self {
111        let mut k = SimpleHmac::new(&Default::default());
112        let mut v = GenericArray::default();
113
114        for b in &mut v {
115            *b = 0x01;
116        }
117
118        for i in 0..=1 {
119            k.update(&v);
120            k.update(&[i]);
121            k.update(entropy_input);
122            k.update(nonce);
123            k.update(additional_data);
124            k = SimpleHmac::new_from_slice(&k.finalize().into_bytes()).expect("HMAC error");
125
126            // Steps 3.2.e,g: v = HMAC_k(v)
127            k.update(&v);
128            v = k.finalize_reset().into_bytes();
129        }
130
131        Self { k, v }
132    }
133
134    /// Write the next `HMAC_DRBG` output to the given byte slice.
135    pub fn fill_bytes(&mut self, out: &mut [u8]) {
136        for out_chunk in out.chunks_mut(self.v.len()) {
137            self.k.update(&self.v);
138            self.v = self.k.finalize_reset().into_bytes();
139            out_chunk.copy_from_slice(&self.v[..out_chunk.len()]);
140        }
141
142        self.k.update(&self.v);
143        self.k.update(&[0x00]);
144        self.k =
145            SimpleHmac::new_from_slice(&self.k.finalize_reset().into_bytes()).expect("HMAC error");
146        self.k.update(&self.v);
147        self.v = self.k.finalize_reset().into_bytes();
148    }
149}