diff --git a/CITATION.cff b/CITATION.cff index 53c96566b..46c4f77f8 100644 --- a/CITATION.cff +++ b/CITATION.cff @@ -1,6 +1,6 @@ --- cff-version: 1.2.0 -version: 1.3.7 +version: 1.3.9 title: "Introducing CIRCL: An Advanced Cryptographic Library" license: BSD-3-Clause abstract: > @@ -25,6 +25,6 @@ keywords: - golang repository-code: "https://github.com/cloudflare/circl/" type: software -message: "Available at https://github.com/cloudflare/circl. v1.3.7 Accessed Dec, 2023." +message: "Available at https://github.com/cloudflare/circl. v1.3.9 Accessed Jun, 2024." contact: - name: "Cloudflare, Inc." diff --git a/README.md b/README.md index 12ae6dbe8..68a8d34a3 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,7 @@ Alternatively, look at the [Cloudflare Go](https://github.com/cloudflare/go/tree |:---:| - [Ed25519](./sign/ed25519) and [Ed448](./sign/ed448) signatures. ([RFC-8032]) +- [BLS](./sign/bls) signatures. ([draft-irtf-cfrg-bls-signature](https://datatracker.ietf.org/doc/draft-irtf-cfrg-bls-signature/)) | Prime Groups | |:---:| @@ -94,7 +95,7 @@ Alternatively, look at the [Cloudflare Go](https://github.com/cloudflare/go/tree - [Schnorr](./zk/dl): Prove knowledge of the Discrete Logarithm. ([RFC-8235]) - [DLEQ](./zk/dleq): Prove knowledge of the Discrete Logarithm Equality. ([RFC-9497]) - - [DLEQ in Qn](./zk/qndleq): Prove knowledge of the Discrete Logarithm Equality for subgroup of squares in (Z/nZ)*. + - [DLEQ in Qn](./zk/qndleq): Prove knowledge of the Discrete Logarithm Equality for subgroup of squares in (Z/nZ)\*. ### Symmetric Cryptography @@ -159,7 +160,7 @@ APA Style ``` Faz-Hernández, A. and Kwiatkowski, K. (2019). Introducing CIRCL: An Advanced Cryptographic Library. Cloudflare. Available at -https://github.com/cloudflare/circl. v1.3.7 Accessed Dec, 2023. +https://github.com/cloudflare/circl. v1.3.9 Accessed Jun, 2024. ``` Bibtex Source 
@@ -174,7 +175,7 @@ Bibtex Source of this library is to be used as a tool for experimental deployment of cryptographic algorithms targeting Post-Quantum (PQ) and Elliptic Curve Cryptography (ECC).}}, - note = {Available at \url{https://github.com/cloudflare/circl}. v1.3.7 Accessed Dec, 2023}, + note = {Available at \url{https://github.com/cloudflare/circl}. v1.3.9 Accessed Jun, 2024}, month = jun, year = {2019} } diff --git a/ecc/bls12381/doc.go b/ecc/bls12381/doc.go index d7e07e54b..bf4df68db 100644 --- a/ecc/bls12381/doc.go +++ b/ecc/bls12381/doc.go 
@@ -32,23 +32,41 @@
 // is the lexicographically largest of the two associated with the encoded
 // x-coordinate.
 //
-// |----------------------------------------------------|
-// | Serialization Format |
-// |-----|-------|-------|---------------|--------------|
-// | MSB | MSB-1 | MSB-2 | Description | Encoding |
-// |-----|-------|-------|---------------|--------------|
-// | 0 | X | X | Uncompressed | e || x || y |
-// | 1 | X | X | Compressed | e || x |
-// |-----|-------|-------|---------------|--------------|
-// | X | 0 | X | Non-Infinity | e || x || y |
-// | X | 1 | X | Infinity | e || 0 || 0 |
-// |-----|-------|-------|---------------|--------------|
-// | | | | Compressed, | |
-// | 1 | 0 | 1 | Non-Infinity, | e || x |
-// | | | | Big y-coord | |
-// |-----|-------|-------|---------------|--------------|
-// | | | | Compressed, | |
-// | 1 | 0 | 0 | Non-Infinity, | e || x |
-// | | | | Small y-coord | |
-// |----------------------------------------------------|
+// |------------------------------------------------------|
+// | Serialization Format |
+// |-----|-------|-------|-----------------|--------------|
+// | MSB | MSB-1 | MSB-2 | Description | Encoding |
+// |-----|-------|-------|-----------------|--------------|
+// | | | | Non-compressed, | |
+// | 0 | 0 | 0 | Non-Infinity, | e || x || y |
+// | | | | Zero. | |
+// |-----|-------|-------|-----------------|--------------|
+// | | | | Non-compressed, | |
+// | 0 | 0 | 1 | Non-Infinity, | Invalid |
+// | | | | One. | |
+// |-----|-------|-------|-----------------|--------------|
+// | | | | Non-compressed, | |
+// | 0 | 1 | 0 | Infinity, | e || 0 || 0 |
+// | | | | Zero. | |
+// |-----|-------|-------|-----------------|--------------|
+// | | | | Non-compressed, | |
+// | 0 | 1 | 1 | Infinity, | Invalid |
+// | | | | One. | |
+// |-----|-------|-------|-----------------|--------------|
+// | | | | Compressed, | |
+// | 1 | 0 | 0 | Non-Infinity, | e || x |
+// | | | | Small y-coord | |
+// |-----|-------|-------|-----------------|--------------|
+// | | | | Compressed, | |
+// | 1 | 0 | 1 | Non-Infinity, | e || x |
+// | | | | Big y-coord | |
+// |-----|-------|-------|-----------------|--------------|
+// | | | | Compressed, | |
+// | 1 | 1 | 0 | Infinity, | e || 0 |
+// | | | | Zero. | |
+// |-----|-------|-------|-----------------|--------------|
+// | | | | Compressed, | |
+// | 1 | 1 | 1 | Infinity, | Invalid |
+// | | | | One. | |
+// |------------------------------------------------------|
 package bls12381
diff --git a/ecc/bls12381/g1.go b/ecc/bls12381/g1.go
index 7ad211948..08e2ef96e 100644
--- a/ecc/bls12381/g1.go
+++ b/ecc/bls12381/g1.go
@@ -34,6 +34,12 @@ func (g *G1) SetBytes(b []byte) error {
 return errInputLength
 }
 
+ // Check for invalid prefixes
+ switch b[0] & 0xE0 {
+ case 0x20, 0x60, 0xE0:
+ return errEncoding
+ }
+
 isCompressed := int((b[0] >> 7) & 0x1)
 isInfinity := int((b[0] >> 6) & 0x1)
 isBigYCoord := int((b[0] >> 5) & 0x1)
@@ -44,7 +50,7 @@ func (g *G1) SetBytes(b []byte) error {
 l = G1SizeCompressed
 }
 zeros := make([]byte, l-1)
- if (b[0]&0x1F) != 0 || subtle.ConstantTimeCompare(b[1:], zeros) != 1 {
+ if (b[0]&0x1F) != 0 || subtle.ConstantTimeCompare(b[1:l], zeros) != 1 {
 return errEncoding
 }
 g.SetIdentity()
diff --git a/ecc/bls12381/g1_test.go b/ecc/bls12381/g1_test.go
index cb601176e..a58b3d8a3 100644
--- a/ecc/bls12381/g1_test.go
+++ b/ecc/bls12381/g1_test.go
@@ -143,6 +143,13 @@ func TestG1Serial(t *testing.T) {
 want = *randomG1(t)
 }
 })
+ t.Run("badPrefix", func(t *testing.T) {
+ q := new(G1)
+ b := make([]byte, G1Size)
+ for _, b[0] = range []byte{0x20, 0x60, 0xE0} {
+ test.CheckIsErr(t, q.SetBytes(b), mustErr)
+ }
+ })
 t.Run("badLength", func(t *testing.T) {
 q := new(G1)
 p := randomG1(t)
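Review bot: The comment `// Check for invalid prefixes` above the new switch in G1.SetBytes does not say why 0x20, 0x60 and 0xE0 are the three rejected values, so a reader has to decode the bit layout by hand. All three are the prefixes where the MSB-2 flag (read two lines later as isBigYCoord) is set while the encoding is non-compressed or the point at infinity, the rows the doc.go table in this same diff marks Invalid; say so in place: `// Reject prefixes that set the big-y-coordinate flag (MSB-2) on a non-compressed or infinity encoding, where it has no meaning (see the table in doc.go).` The identical switch in g2.go would take the same comment. SetBytes continues outside the hunk.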
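Review bot: Narrowing the compare to `b[1:l]` in the infinity branch of G1.SetBytes can now panic instead of returning an error when len(b) < l, because the length check at the top of the function is outside this hunk and nothing visible here pins len(b) to l before the slice; if that check only requires the compressed length (presumably, since compressed points must be accepted), an uncompressed-infinity prefix in a G1SizeCompressed-byte buffer hits a slice-bounds panic on caller-supplied input where the old `b[1:]` compare failed closed with errEncoding. A decoder of public keys and signatures should not be able to panic on malformed input, so guard the slice first: `if len(b) < l { return errInputLength }`. Consider also rejecting len(b) > l, since bytes past l are no longer examined and a non-canonical infinity encoding with trailing data would now be accepted. The same applies to the identical change in g2.go; SetBytes continues outside the hunk.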
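Review bot: `for _, b[0] = range []byte{0x20, 0x60, 0xE0}` in the new badPrefix subtest assigns the range value straight into the slice element, which is legal but rare enough to read like a typo; `for _, prefix := range []byte{0x20, 0x60, 0xE0} { b[0] = prefix` followed by the existing CheckIsErr call makes the intent explicit. The subtest also only exercises G1Size-length inputs, while the prefix check runs before any length-dependent logic, so repeating the loop with `b := make([]byte, G1SizeCompressed)` would show it fires for both encodings. The badPrefix subtest in g2_test.go has the same shape. TestG1Serial continues outside the hunk.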
diff --git a/ecc/bls12381/g2.go b/ecc/bls12381/g2.go
index 0d1a83a56..740148938 100644
--- a/ecc/bls12381/g2.go
+++ b/ecc/bls12381/g2.go
@@ -32,6 +32,12 @@ func (g *G2) SetBytes(b []byte) error {
 return errInputLength
 }
 
+ // Check for invalid prefixes
+ switch b[0] & 0xE0 {
+ case 0x20, 0x60, 0xE0:
+ return errEncoding
+ }
+
 isCompressed := int((b[0] >> 7) & 0x1)
 isInfinity := int((b[0] >> 6) & 0x1)
 isBigYCoord := int((b[0] >> 5) & 0x1)
@@ -42,7 +48,7 @@ func (g *G2) SetBytes(b []byte) error {
 l = G2SizeCompressed
 }
 zeros := make([]byte, l-1)
- if (b[0]&0x1F) != 0 || subtle.ConstantTimeCompare(b[1:], zeros) != 1 {
+ if (b[0]&0x1F) != 0 || subtle.ConstantTimeCompare(b[1:l], zeros) != 1 {
 return errEncoding
 }
 g.SetIdentity()
diff --git a/ecc/bls12381/g2_test.go b/ecc/bls12381/g2_test.go
index 1b5fb5952..77ed93986 100644
--- a/ecc/bls12381/g2_test.go
+++ b/ecc/bls12381/g2_test.go
@@ -102,6 +102,13 @@ func TestG2Serial(t *testing.T) {
 want = *randomG2(t)
 }
 })
+ t.Run("badPrefix", func(t *testing.T) {
+ q := new(G2)
+ b := make([]byte, G2Size)
+ for _, b[0] = range []byte{0x20, 0x60, 0xE0} {
+ test.CheckIsErr(t, q.SetBytes(b), mustErr)
+ }
+ })
 t.Run("badLength", func(t *testing.T) {
 q := new(G2)
 p := randomG2(t)
diff --git a/sign/dilithium/dilithium.go b/sign/dilithium/dilithium.go
index b9dd1adb0..2a4b61b28 100644
--- a/sign/dilithium/dilithium.go
+++ b/sign/dilithium/dilithium.go
@@ -40,7 +40,7 @@ type PublicKey interface {
 Bytes() []byte
 }
 
-// PrivateKey is a Dilithium public key.
+// PrivateKey is a Dilithium private key.
 //
 // The structure contains values precomputed during unpacking/key generation
 // and is therefore significantly larger than a packed private key.