8166597: Crypto support for the EdDSA Signature Algorithm

Reviewed-by: weijun, mullan, wetmore

Author: Anthony Scarpino

make/jdk/src/classes/build/tools/intpoly/FieldGen.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,7 +21,6 @@
  * questions.
  */
 
-
 /*
  * This file is used to generated optimized finite field implementations.
  */
@@ -170,6 +169,19 @@ private static List<CarryReduce> P521CrSequence() {
             o521crSequence(19), orderFieldSmallCrSequence(19)
     );
 
+    static FieldParams O25519 = new FieldParams(
+            "Curve25519OrderField", 26, 10, 1, 252,
+            "1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed",
+            orderFieldCrSequence(10), orderFieldSmallCrSequence(10)
+    );
+
+    static FieldParams O448 = new FieldParams(
+            "Curve448OrderField", 28, 16, 1, 446,
+            "3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3",
+            //"ffffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3",
+            orderFieldCrSequence(16), orderFieldSmallCrSequence(16)
+    );
+
     private static List<CarryReduce> o521crSequence(int numLimbs) {
 
         // split the full reduce in half, with a carry in between
@@ -212,7 +224,8 @@ private static List<CarryReduce> orderFieldSmallCrSequence(int numLimbs) {
     }
 
     static final FieldParams[] ALL_FIELDS = {
-            P256, P384, P521, O256, O384, O521,
+            Curve25519, Curve448,
+            P256, P384, P521, O256, O384, O521, O25519, O448
     };
 
     public static class Term {
@@ -322,6 +335,11 @@ public FieldParams(String className, int bitsPerLimb, int numLimbs,
         private Iterable<Term> buildTerms(BigInteger sub) {
             // split a large subtrahend into smaller terms
             // that are aligned with limbs
+            boolean negate = false;
+            if (sub.compareTo(BigInteger.ZERO) < 0) {
+                negate = true;
+                sub = sub.negate();
+            }
             List<Term> result = new ArrayList<Term>();
             BigInteger mod = BigInteger.valueOf(1 << bitsPerLimb);
             int termIndex = 0;
@@ -332,6 +350,9 @@ private Iterable<Term> buildTerms(BigInteger sub) {
                     coef = coef - (1 << bitsPerLimb);
                     plusOne = true;
                 }
+                if (negate) {
+                    coef = 0 - coef;
+                }
                 if (coef != 0) {
                     int pow = termIndex * bitsPerLimb;
                     result.add(new Term(pow, -coef));
@@ -619,6 +640,14 @@ private String generate(FieldParams params) throws IOException {
         result.appendLine();
         result.appendLine("}");
 
+        StringBuilder coqTerms = new StringBuilder("//");
+        for (Term t : params.getTerms()) {
+            coqTerms.append("(" + t.getPower() + "%nat,");
+            coqTerms.append(t.getCoefficient() + ")::");
+        }
+        coqTerms.append("nil.");
+        result.appendLine(coqTerms.toString());
+
         result.appendLine("private static BigInteger evaluateModulus() {");
         result.incrIndent();
         result.appendLine("BigInteger result = BigInteger.valueOf(2).pow("
@@ -650,6 +679,41 @@ private String generate(FieldParams params) throws IOException {
         result.decrIndent();
         result.appendLine("}");
 
+        result.appendLine("@Override");
+        result.appendLine("protected void reduceIn(long[] limbs, long v, int i) {");
+        result.incrIndent();
+        String c = "v";
+        for (Term t : params.getTerms()) {
+            int reduceBits = params.getPower() - t.getPower();
+            int coefficient = -1 * t.getCoefficient();
+
+            String x = coefficient + " * " + c;
+            String accOp = "+=";
+            String temp = null;
+            if (coefficient == 1) {
+                x = c;
+            } else if (coefficient == -1) {
+                x = c;
+                accOp = "-=";
+            } else {
+                temp = result.getTemporary("long", x);
+                x = temp;
+            }
+
+            if (reduceBits % params.getBitsPerLimb() == 0) {
+                int pos = reduceBits / params.getBitsPerLimb();
+                result.appendLine("limbs[i - " + pos + "] " + accOp + " " + x + ";");
+            } else {
+                int secondPos = reduceBits / params.getBitsPerLimb();
+                int bitOffset = (secondPos + 1) * params.getBitsPerLimb() - reduceBits;
+                int rightBitOffset = params.getBitsPerLimb() - bitOffset;
+                result.appendLine("limbs[i - " + (secondPos + 1) + "] " + accOp + " (" + x + " << " + bitOffset + ") & LIMB_MASK;");
+                result.appendLine("limbs[i - " + secondPos + "] " + accOp + " " + x + " >> " + rightBitOffset + ";");
+            }
+        }
+        result.decrIndent();
+        result.appendLine("}");
+
         result.appendLine("@Override");
         result.appendLine("protected void finalCarryReduceLast(long[] limbs) {");
         result.incrIndent();

src/java.base/share/classes/java/security/interfaces/EdECKey.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package java.security.interfaces;
+
+import java.security.spec.NamedParameterSpec;
+
+/**
+ * An interface for an elliptic curve public/private key as defined by
+ * <a href="https://tools.ietf.org/html/rfc8032">RFC 8032: Edwards-Curve
+ * Digital Signature Algorithm (EdDSA)</a>. These keys are distinct from the
+ * keys represented by {@code ECKey}, and they are intended for use with
+ * algorithms based on RFC 8032 such as the EdDSA {@code Signature} algorithm.
+ * This interface allows access to the algorithm parameters associated with
+ * the key.
+ *
+ * @since 15
+ */
+public interface EdECKey {
+    /**
+     * Returns the algorithm parameters associated with the key.
+     *
+     * @return the associated algorithm parameters.
+     */
+    NamedParameterSpec getParams();
+}