Feature: x448 and Ed448

[FAlbertDev]

This pull request adds support for the x448 key agreement and the ed448 signature scheme as defined in RFC 7748 and RFC 8032. Requested in #3895.

Pull Request Dependencies

• Refactor: Final iteration on load/store #3869
• Commit: eb243e4 (CI fix of master)

Features

• X448 key agreement
• Ed448 signature scheme without and with prehashing (Ed448 (default) and Ed448ph). As with Ed25519, the usage of custom contexts (i.e. Ed448ctx) is not supported.
• FFI bindings for both algorithms
• TLS support for both algorithms
• Hybrid key exchange instances x448/eFrodoKEM-976-SHAKE, x448/eFrodoKEM-976-AES, and x448/Kyber-768-r3

Internals

The algorithms used for modular arithmetic in $GF(p)$, where $p = 2^{448} - 2^{224} - 1$, are based on the paper "Reduction Modulo 2^448 - 2^224 - 1" from Nath and Sarkar. These algorithms operate on 64-bit limbs and are implemented in the Gf448Elem class.

In addition, the Ed448 algorithm requires modular arithmetic on the group order of Curve448. To handle this, a Scalar448 class has been implemented, providing the necessary operations modulo the group order (L in RFC 8032).

Both implementations are designed to be constant-time. As the current big integer implementation is not constant-time for all required operations (especially reduction), the Gf448Elem and Scalar448 classes are independent of the big integer implementation and directly utilize the mp_core operations. This design may have future potential for an abstract GfElem class that can be used for other prime fields as well.

The test cases for these implementations are based on wycheproof.

Performance

$ ./botan speed --msec=3000 Curve448 Ed448
Curve448 3157 keygen/sec; 0.32 ms/op 528275 cycles/op (2 ops in 1 ms)
Curve448 3355 keygen/sec; 0.30 ms/op 503325 cycles/op (2 ops in 1 ms)
Curve448 3009 key agreements/sec; 0.33 ms/op 561397 cycles/op (9028 ops in 3000 ms)

Ed448 747 keygen/sec; 1.34 ms/op 2259032 cycles/op (1 op in 1 ms)
Ed448 Pure 1077 sign/sec; 0.93 ms/op 1568058 cycles/op (3233 ops in 3001 ms)
Ed448 Pure 550 verify/sec; 1.82 ms/op 3070291 cycles/op (1652 ops in 3002 ms)

[coveralls]

coverage: 92.082% (+0.04%) from 92.045%
when pulling a9a3d8b on Rohde-Schwarz:ec/448
into f03c6a9 on randombit:master.

[reneme]

First pass. Didn't look at the actual implementation of Ed/X448, yet. Mostly, higher-level API and design nits.

[reneme]

Some more remarks mostly focussing on the utility classes.

[reneme]

Perhaps its worthwhile defining some commonly used types:

using byte_span = std::span<const uint8_t, to_bytes(448)>;
using word_span = std::span<const uint64_t, to_words(448)>;
// same for arrays, perhaps

[FAlbertDev]

I don't use such aliases because they hide the actual type from the user. Also, I would need one variant with and without const. However, I think using constants for 56 (bytes per 448) and 7 (words per 448) are sensible.

[reneme]

Comments regarding the actual implementation of x448. Looks really concise to me! 😃

[reneme]

Comments regarding Ed448.

[reneme]

Generally, the implementation is well-structured and thought out. 😃 Don't be put off by the number of comments, most address small nits or potential memory inefficiencies. Some minor architectural things.

One thing, I'd really appreciate in general: Let's try to consolidate magic strings and magic numbers. First and foremost, the lengths of key material arrays (both in word length and byte length). But also the hash functions used. Please try to have as little "atomic" constants as possible and calculate dependent values were reasonably possible.

As mentioned before somewhere, sooner or later we should establish a standard interface to be able to access such constants statically from within the library.

[FAlbertDev]

Thank you very much for your helpful and detailed review, @reneme. I applied your suggestions and rebased to the current head of #3869.

[reneme]

In a blunt nerd-sniping attempt: if we would manage to make Botan::hex_decode() constexpr, this could be:

Suggested change

	/// @return a word array for c = 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d
	consteval std::array<word, WORDS_C> c_words() {
	// Currently load_le does not work with constexpr. Therefore, we have to use this workaround.
	const std::array<uint8_t, WORDS_C * sizeof(word)> c_bytes{0x0d, 0xbb, 0xa7, 0x54, 0x6d, 0x3d, 0x87, 0xdc, 0xaa, 0x70,
	0x3a, 0x72, 0x8d, 0x3d, 0x93, 0xde, 0x6f, 0xc9, 0x29, 0x51,
	0xb6, 0x24, 0xb1, 0x3b, 0x16, 0xdc, 0x35, 0x83};
	return load_le<std::array<word, WORDS_C>>(c_bytes);
	}
	consteval std::array<word, WORDS_C> c_words() {
	return load_le<std::array<word, WORDS_C>>(Botan::hex_decode(
	"0dbba7546d3d87dcaa703a728d3d93de6fc92951b624b13b16dc3583"));
	}

... which would be quite fantastic.

[FAlbertDev]

Thanks for your re-review, @reneme! However, it seems that you somehow managed to review the files that were moved (i.e., the files in src/lib/pubkey/ed448/). Your last two suggestions are already addressed in my latest commit. I also cannot answer to these suggestions. Weird...

Regarding:

By any chance: Did you compile with the amalgamation?

No, I measured the default static build.

[reneme]

However, it seems that you somehow managed to review the files that were moved

Mhm, I replied to discussions that were already open, while having started a pending review. Apparently GitHub treats those comments in a funny way; half reply, half free-standing but unanswerable new threads. >.<

[reneme]

Mhh, on Windows the typecast_copy<StrongTypeOfStdArray> doesn't seem to work. :( I'm having a look.

[reneme]

One little nit, otherwise I'm happy. 👍

[randombit]

Looks very good! Didn’t have time to finish review but here are some initial comments.

[randombit]

Lots of room for optimization here if performance becomes an issue.

[FAlbertDev]

If you have any optimizations in mind, let me know 👍 Otherwise, I think the performance is currently acceptable.

[randombit]

Just that double-and-always-add is (literally) the worst case scenario for a multiplication algorithm since for scalar length l it performs l doublings and l additions. Easy optimization would be a fixed window with a constant time table lookup, eg a 4 bit window you instead do l doublings and l/4 additions.

Fine to use this if you consider current performance ok.

[FAlbertDev]

This sounds promising! I will leave it with the simple variant for now since the PR is already complex enough. Maybe we can speed it up in a follow-up PR.

[FAlbertDev]

Thanks for your comments, @randombit. Any suggestions are welcome :)
I renamed Curve448 to X448 and applied your other suggestions.

[randombit]

@FAlbertDev thanks. This needs a rebase post #3869 and possibly some history cleanup. I'll do a final review after.

[FAlbertDev]

This needs a rebase post #3869 and possibly some history cleanup.

Done :)

[reneme]

I'm guessing this caused botan3.py to conflict with master. Could you rebase once more, please?

[randombit]

Looks very good, thanks

[FAlbertDev]

Could you rebase once more, please?

Done. Should be ready to merge.