package dhpals
import (
"crypto/rand"
"fmt"
"math/big"
"testing"
"github.com/dnkolegov/dhpals/elliptic"
"github.com/dnkolegov/dhpals/x128"
)
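// TestECDHInvalidCurveAttack checks that the invalid-curve attack recovers the
// private key held by an ECDH oracle built on P128.
//
// Before running the attack it sanity-checks the curve arithmetic: n*G must be
// reported as (0, 0), and two honest parties must derive the same shared point.
// The recovered scalar is then verified by the oracle's own isKeyCorrect check.
//
// NOTE(review): the attack presumably depends on the oracle multiplying a
// received point without first checking that it lies on P128; a peer that
// rejects off-curve points before ScalarMult should not be affected. Confirm
// against newECDHAttackOracle.
func TestECDHInvalidCurveAttack(t *testing.T) {
	p128 := elliptic.P128()

	// A failed parse would leave a nil *big.Int and panic further down, so
	// fail with a clear message instead of discarding the ok flag.
	basePointOrder, ok := new(big.Int).SetString("29246302889428143187362802287225875743", 10)
	if !ok {
		t.Fatalf("%s: cannot parse the base point order", t.Name())
	}

	// Multiplying the base point by its order must give the identity, which
	// this test expects to be rendered as the pair (0, 0).
	ex, ey := p128.ScalarBaseMult(basePointOrder.Bytes())
	if fmt.Sprintf("%d", ex) != "0" || fmt.Sprintf("%d", ey) != "0" {
		t.Fatalf("%s: correction test failed", t.Name())
	}

	// NOTE(review): the last value returned by GenerateKey is discarded for
	// both parties; if it is an error, a failed key generation goes unnoticed.

	// Alice generates a key pair.
	aPriv, ax, ay, _ := elliptic.GenerateKey(p128, nil)

	// Bob generates a key pair.
	bPriv, bx, by, _ := elliptic.GenerateKey(p128, nil)

	// Alice runs DH.
	asx, asy := p128.ScalarMult(bx, by, aPriv)

	// Bob runs DH.
	bsx, bsy := p128.ScalarMult(ax, ay, bPriv)

	// Both sides must arrive at the same shared point.
	if asx.Cmp(bsx) != 0 || asy.Cmp(bsy) != 0 {
		t.Errorf("%s: incorrect ECDH", t.Name())
	}

	// The third value returned by the oracle constructor is not needed here.
	oracle, isKeyCorrect, _ := newECDHAttackOracle(p128)

	privateKey := runECDHInvalidCurveAttack(oracle)
	t.Logf("%s: Private key:%d", t.Name(), privateKey)

	if !isKeyCorrect(privateKey.Bytes()) {
		t.Fatalf("%s: wrong private key was found in the invalid curve attack", t.Name())
	}
}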
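// TestECDHSmallSubgroupAttack checks that the small-subgroup attack recovers
// the private key held by an ECDH oracle built on the P48 curve.
//
// It first verifies that the curve parameters are self-consistent (the base
// point is on the curve and N*G is reported as (0, 0)), then runs the attack
// and lets the oracle's isKeyCorrect check judge the recovered scalar.
//
// NOTE(review): the attack presumably depends on the oracle not checking the
// order of the point it receives; confirm against newECDHAttackOracle.
func TestECDHSmallSubgroupAttack(t *testing.T) {
	p48 := elliptic.P48()
	params := p48.Params()

	if !p48.IsOnCurve(params.Gx, params.Gy) {
		t.Fatalf("%s: p48: base point is not on the curve", t.Name())
	}

	// Multiplying the base point by its order must give the identity, which
	// this test expects to be rendered as the pair (0, 0).
	basePointOrder := params.N
	ex, ey := p48.ScalarBaseMult(basePointOrder.Bytes())
	if fmt.Sprintf("%d", ex) != "0" || fmt.Sprintf("%d", ey) != "0" {
		t.Fatalf("%s: sanity check failed", t.Name())
	}

	// The third value returned by the oracle constructor is not needed here.
	oracle, isKeyCorrect, _ := newECDHAttackOracle(p48)

	privateKey := runECDHSmallSubgroupAttack(p48, oracle)

	if !isKeyCorrect(privateKey.Bytes()) {
		// Spelling fixed ("subgroup") so the message can be found by search.
		t.Fatalf("%s: wrong private key was found in the small-subgroup attack on ECDH", t.Name())
	}
}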
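// TestCurvesP128AndX128 cross-checks scalar multiplication on P128 against
// x128 for 1000 random scalars.
//
// For each scalar k it computes k*G on both curves and checks that each
// result lies on its own curve and that the coordinates are related by
// u = x - 178, v = y.
func TestCurvesP128AndX128(t *testing.T) {
	p128 := elliptic.P128()

	for i := 0; i < 1000; i++ {
		// A failing random source would leave k nil and panic below, so
		// report it instead of discarding the error.
		k, err := rand.Int(rand.Reader, p128.Params().P)
		if err != nil {
			t.Fatalf("%s: cannot draw a random scalar: %v", t.Name(), err)
		}

		kx, ky := p128.ScalarBaseMult(k.Bytes())
		if !p128.IsOnCurve(kx, ky) {
			t.Fatalf("%s: the point is not on the p128 curve", t.Name())
		}

		// u = x - 178
		// v = y
		ku := x128.ScalarBaseMult(k.Bytes())
		kv := new(big.Int).Set(ky)
		if !x128.IsOnCurve(ku, kv) {
			t.Fatalf("%s: the point is not on the x128 curve", t.Name())
		}

		// The x128 u-coordinate must equal the P128 x-coordinate shifted by 178.
		if new(big.Int).Sub(kx, big.NewInt(178)).Cmp(ku) != 0 {
			t.Errorf("%s: comparison failed on (%d, %d, %d)", t.Name(), k, ku, kx)
		}
	}
}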
// ecKangarooTest is one case for TestECKangarooAlgorithm. Both fields hold
// base-10 integers as strings; the test parses them into big.Int values.
type ecKangarooTest struct {
	// k is the scalar the test multiplies the base point by and expects the
	// algorithm to return.
	k string
	// b is passed as the last argument of catchKangarooOnCurve (presumably
	// the upper end of the search interval; confirm against that function).
	b string
}

// ecKangarooTests lists the (k, b) pairs exercised by TestECKangarooAlgorithm.
var ecKangarooTests = []ecKangarooTest{
	{k: "10", b: "100"},
	{k: "12130", b: "17000"},
	{k: "12132880", b: "22132880"},
}
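// TestECKangarooAlgorithm runs catchKangarooOnCurve on P128 for every entry of
// ecKangarooTests and checks that it returns the scalar k used to build the
// target point k*G.
//
// The interval arguments are a = Big0 and b taken from the table entry.
func TestECKangarooAlgorithm(t *testing.T) {
	curve := elliptic.P128()

	a := new(big.Int).Set(Big0)
	bx, by := curve.Params().Gx, curve.Params().Gy

	for _, e := range ecKangarooTests {
		// A malformed table entry would give a nil *big.Int and panic below;
		// fail with the offending value instead of discarding the ok flag.
		k, ok := new(big.Int).SetString(e.k, 10)
		if !ok {
			t.Fatalf("%s: cannot parse k %q", t.Name(), e.k)
		}
		b, ok := new(big.Int).SetString(e.b, 10)
		if !ok {
			t.Fatalf("%s: cannot parse b %q", t.Name(), e.b)
		}

		// Target point whose discrete logarithm the algorithm must find.
		x, y := curve.ScalarBaseMult(k.Bytes())

		kk, err := catchKangarooOnCurve(curve, bx, by, x, y, a, b)
		if err != nil {
			t.Fatalf("%s: %s", t.Name(), err)
		}

		if kk.Cmp(k) != 0 {
			t.Fatalf("%s: (%d, %d) failed", t.Name(), k, b)
		}
	}
}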
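// TestTwistAttack checks that the twist attack recovers the private key held
// by the x128 ECDH oracle.
//
// It first confirms that the point (u = 4, v) lies on x128, then runs the
// attack and lets the oracle's isKeyCorrect check judge the recovered scalar.
//
// NOTE(review): the attack presumably depends on the oracle accepting
// u-coordinates that belong to the twist rather than to x128 itself; confirm
// against newX128TwistAttackOracle.
func TestTwistAttack(t *testing.T) {
	// A failed parse would leave v nil; fail clearly instead of discarding
	// the ok flag.
	v, ok := new(big.Int).SetString("85518893674295321206118380980485522083", 10)
	if !ok {
		t.Fatalf("%s: cannot parse the v coordinate", t.Name())
	}
	u := new(big.Int).SetInt64(4)

	if !x128.IsOnCurve(u, v) {
		t.Fatalf("%s: the point is not on the x128 curve", t.Name())
	}

	ecdh, isKeyCorrect, getPublic, vulnOracle := newX128TwistAttackOracle()

	privateKey := runECDHTwistAttack(ecdh, getPublic, vulnOracle)

	if !isKeyCorrect(privateKey.Bytes()) {
		// Spelling fixed ("subgroup") so the message can be found by search.
		t.Fatalf("%s: wrong private key was found in the subgroup attack", t.Name())
	}

	// Report through the test log, as TestECDHInvalidCurveAttack does, rather
	// than writing the recovered key straight to stdout.
	t.Logf("%s: Private key:%d", t.Name(), privateKey)
}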