Documentation
¶
Index ¶
- Variables
- func AppendBigIntToBytesSlice(commonBytes []byte, appended *big.Int) []byte
- func BigIntsToBytes(bigInts []*big.Int) [][]byte
- func ConstantTimeCompare(a, b *big.Int, padLen int) int
- func DisableConstantTimeOps()
- func EnableConstantTimeOps()
- func GetRandomBytes(rand io.Reader, length int) ([]byte, error)
- func GetRandomGeneratorOfTheQuadraticResidue(rand io.Reader, n *big.Int) *big.Int
- func GetRandomPositiveInt(rand io.Reader, lessThan *big.Int) *big.Int
- func GetRandomPositiveRelativelyPrimeInt(rand io.Reader, n *big.Int) *big.Int
- func GetRandomPrimeInt(rand io.Reader, bits int) *big.Int
- func GetRandomQuadraticNonResidue(rand io.Reader, n *big.Int) *big.Int
- func IsConstantTimeEnabled() bool
- func IsInInterval(b *big.Int, bound *big.Int) bool
- func IsNumberInMultiplicativeGroup(n, v *big.Int) bool
- func ModInt(mod *big.Int) *modInt
- func MultiBytesToBigInts(bytes [][]byte) []*big.Int
- func MustGetRandomInt(rand io.Reader, bits int) *big.Int
- func NonEmptyBytes(bz []byte) bool
- func NonEmptyMultiBytes(bzs [][]byte, expectLen ...int) bool
- func PadToLengthBytesInPlace(src []byte, length int) []byte
- func RejectionSample(q *big.Int, eHash *big.Int) *big.Int
- func SHA512_256(in ...[]byte) []byte
- func SHA512_256i(in ...*big.Int) *big.Int
- func SHA512_256iOne(in *big.Int) *big.Int
- func SHA512_256i_TAGGED(tag []byte, in ...*big.Int) *big.Int
- type CTModInt
- type GermainSafePrime
- type SignatureData
- func (*SignatureData) Descriptor() ([]byte, []int)deprecated
- func (x *SignatureData) GetM() []byte
- func (x *SignatureData) GetR() []byte
- func (x *SignatureData) GetS() []byte
- func (x *SignatureData) GetSignature() []byte
- func (x *SignatureData) GetSignatureRecovery() []byte
- func (*SignatureData) ProtoMessage()
- func (x *SignatureData) ProtoReflect() protoreflect.Message
- func (x *SignatureData) Reset()
- func (x *SignatureData) String() string
- type TimingProtection
Constants ¶
This section is empty.
Variables ¶
var ErrGeneratorCancelled = fmt.Errorf("generator work cancelled")
ErrGeneratorCancelled is an error returned from GetRandomSafePrimesConcurrent when the work of the generator has been cancelled as a result of the context being done (cancellation or timeout).
var File_protob_signature_proto protoreflect.FileDescriptor
var Logger = log.Logger("tss-lib")
Functions ¶
func BigIntsToBytes ¶
func ConstantTimeCompare ¶
ConstantTimeCompare compares two big.Int values in constant time. Both values are padded to padLen bytes before comparison to avoid leaking relative magnitude. If padLen is 0, the maximum of the two byte lengths is used.
func DisableConstantTimeOps ¶
func DisableConstantTimeOps()
DisableConstantTimeOps disables constant-time operations (default).
func EnableConstantTimeOps ¶
func EnableConstantTimeOps()
EnableConstantTimeOps enables constant-time cryptographic operations. Call this at application startup if timing side-channel protection is required.
func GetRandomBytes ¶
GetRandomBytes returns random bytes of length.
func GetRandomGeneratorOfTheQuadraticResidue ¶
Return a random generator of RQn with high probability. THIS METHOD ONLY WORKS IF N IS THE PRODUCT OF TWO SAFE PRIMES!
https://github.com/didiercrunch/paillier/blob/d03e8850a8e4c53d04e8016a2ce8762af3278b71/utils.go#L39
func GetRandomPositiveRelativelyPrimeInt ¶
Generate a random element in the group of all the elements in Z/nZ that has a multiplicative inverse.
func GetRandomQuadraticNonResidue ¶
GetRandomQuadraticNonResidue returns a quadratic non residue of odd n.
func IsConstantTimeEnabled ¶
func IsConstantTimeEnabled() bool
IsConstantTimeEnabled returns true if constant-time operations are enabled.
func MultiBytesToBigInts ¶
func MustGetRandomInt ¶
MustGetRandomInt panics if it is unable to gather entropy from `io.Reader` or when `bits` is <= 0
func NonEmptyBytes ¶
Returns true when the byte slice is non-nil and non-empty
func NonEmptyMultiBytes ¶
Returns true when all of the slices in the multi-dimensional byte slice are non-nil and non-empty
func PadToLengthBytesInPlace ¶
PadToLengthBytesInPlace pad {0, ...} to the front of src if len(src) < length output length is equal to the parameter length
func RejectionSample ¶
RejectionSample implements the rejection sampling logic for converting a SHA512/256 hash to a value between 0-q
func SHA512_256 ¶
SHA-512/256 is protected against length extension attacks and is more performant than SHA-256 on 64-bit architectures. https://en.wikipedia.org/wiki/Template:Comparison_of_SHA_functions
Types ¶
type CTModInt ¶
type CTModInt struct {
// contains filtered or unexported fields
}
CTModInt provides constant-time modular arithmetic using filippo.io/bigmod. This is the recommended implementation as bigmod is: 1. Maintained by the Go crypto team lead (Filippo Valsorda) 2. The same code used internally by crypto/rsa and crypto/ecdsa 3. Highly optimized with architecture-specific assembly
func NewCTModInt ¶
NewCTModInt creates a constant-time modular context using bigmod. Note: bigmod requires odd modulus for Exp operations.
func NewCTModIntWithPhi ¶
NewCTModIntWithPhi creates a constant-time modular context for composite moduli. This is required for correct ModInverse on composite moduli where phi(n) is known. For RSA-like moduli n = p*q, pass phiN = (p-1)*(q-1).
func (*CTModInt) ExpCT ¶
ExpCT performs constant-time modular exponentiation using bigmod. IMPORTANT: The modulus must be odd. Negative exponents are not supported and will panic.
func (*CTModInt) ModInverseCT ¶
ModInverseCT computes the modular inverse in constant time using Fermat's little theorem. For a prime modulus p: a^(-1) = a^(p-2) mod p For a non-prime modulus n with known phi(n): a^(-1) = a^(phi(n)-1) mod n SECURITY: This uses constant-time Exp, making the entire operation constant-time. Note: The modulus should be prime for this to work correctly. For composite moduli, use NewCTModIntWithPhi to provide phi(n).
type GermainSafePrime ¶
type GermainSafePrime struct {
// contains filtered or unexported fields
}
func GetRandomSafePrimesConcurrent ¶
func GetRandomSafePrimesConcurrent(ctx context.Context, bitLen, numPrimes int, concurrency int, rand io.Reader) ([]*GermainSafePrime, error)
GetRandomSafePrimesConcurrent tries to find safe primes concurrently. The returned results are safe primes `p` and prime `q` such that `p=2q+1`. Concurrency level can be controlled with the `concurrencyLevel` parameter. If a safe prime could not be found before the context is done, the error is returned. Also, if at least one search process failed, error is returned as well.
How fast we generate a prime number is mostly a matter of luck and it depends on how lucky we are with drawing the first bytes. With today's multi-core processors, we can execute the process on multiple cores concurrently, accept the first valid result and cancel the rest of work. This way, with the same finding algorithm, we can get the result faster.
Concurrency level should be set depending on what `bitLen` of prime is expected. For example, as of today, on a typical workstation, for 512-bit safe prime, `concurrencyLevel` should be set to `1` as generating the prime of this length is a matter of milliseconds for a single core. For 1024-bit safe prime, `concurrencyLevel` should be usually set to at least `2` and for 2048-bit safe prime, `concurrencyLevel` must be set to at least `4` to get the result in a reasonable time.
This function generates safe primes of at least 6 `bitLen`. For every generated safe prime, the two most significant bits are always set to `1` - we don't want the generated number to be too small.
func (*GermainSafePrime) Prime ¶
func (sgp *GermainSafePrime) Prime() *big.Int
func (*GermainSafePrime) SafePrime ¶
func (sgp *GermainSafePrime) SafePrime() *big.Int
func (*GermainSafePrime) Validate ¶
func (sgp *GermainSafePrime) Validate() bool
type SignatureData ¶
type SignatureData struct {
Signature []byte `protobuf:"bytes,1,opt,name=signature,proto3" json:"signature,omitempty"`
// Ethereum-style recovery byte; only the first byte is relevant
SignatureRecovery []byte `protobuf:"bytes,2,opt,name=signature_recovery,json=signatureRecovery,proto3" json:"signature_recovery,omitempty"`
// Signature components R, S
R []byte `protobuf:"bytes,3,opt,name=r,proto3" json:"r,omitempty"`
S []byte `protobuf:"bytes,4,opt,name=s,proto3" json:"s,omitempty"`
// M represents the original message digest that was signed M
M []byte `protobuf:"bytes,5,opt,name=m,proto3" json:"m,omitempty"`
// contains filtered or unexported fields
}
Container for output signatures, mostly used for marshalling this data structure to a mobile app
func (*SignatureData) Descriptor
deprecated
func (*SignatureData) Descriptor() ([]byte, []int)
Deprecated: Use SignatureData.ProtoReflect.Descriptor instead.
func (*SignatureData) GetM ¶
func (x *SignatureData) GetM() []byte
func (*SignatureData) GetR ¶
func (x *SignatureData) GetR() []byte
func (*SignatureData) GetS ¶
func (x *SignatureData) GetS() []byte
func (*SignatureData) GetSignature ¶
func (x *SignatureData) GetSignature() []byte
func (*SignatureData) GetSignatureRecovery ¶
func (x *SignatureData) GetSignatureRecovery() []byte
func (*SignatureData) ProtoMessage ¶
func (*SignatureData) ProtoMessage()
func (*SignatureData) ProtoReflect ¶
func (x *SignatureData) ProtoReflect() protoreflect.Message
func (*SignatureData) Reset ¶
func (x *SignatureData) Reset()
func (*SignatureData) String ¶
func (x *SignatureData) String() string
type TimingProtection ¶
type TimingProtection struct {
// contains filtered or unexported fields
}
TimingProtection provides response time normalization to prevent timing attacks.
func NewTimingProtection ¶
func NewTimingProtection(targetDuration, jitterRange time.Duration) *TimingProtection
NewTimingProtection creates a TimingProtection with custom parameters. targetDuration is the minimum padded duration for every operation. jitterRange adds a random delay on top of targetDuration to prevent fingerprinting the fixed padding boundary.
func (*TimingProtection) ProtectBigInt ¶
ProtectBigInt wraps a function that returns *big.Int with timing normalization. The total execution time is always >= targetDuration + a random jitter, regardless of how long the actual operation takes.