arcana/ecc/x448.rs
1//! X448 Diffie-Hellman key agreement on Curve448 (RFC 7748).
2//!
3//! X448 is the 448-bit sibling of [`super::x25519`]: same Montgomery-
4//! ladder structure, different field prime (`p = 2^448 - 2^224 - 1`),
5//! different base-point u-coordinate (`5` instead of `9`), different
6//! scalar clamping, and 56-byte little-endian encoding throughout
7//! (not 32). It is the ECDH half of the RFC 8032 "Ed448 / X448" pair
8//! and the higher-security tier of the Curve25519 / Curve448 family
9//! used in TLS 1.3, Noise, and Signal's future-proofing profiles.
10//!
11//! # Side-channel posture
12//!
13//! Same plan as `super::x25519`
14//! (see `arcana/doc/sca/countermeasures/x25519_x448.rst`):
15//! `T1-G` audit pass, `T2-A` Z-rerandomization on `(X : Z)`, `T2-B`
16//! scalar blinding. The implementation route is identical mutatis
17//! mutandis on Curve448; the field arithmetic shares
18//! [`super::field`]'s `black_box`-shielded mask selects.
19//!
20//! # Constants (RFC 7748 §4.2)
21//!
22//! | Parameter | Value |
23//! |----------------|------------------------------------------------|
24//! | p | `2^448 - 2^224 - 1` |
25//! | A | `156326` |
26//! | a24 | `(A - 2) / 4 = 39081` |
27//! | Base u | `5` |
28//! | Scalar bits | 448 (clamping sets bit 447, clears low 2 bits) |
29//!
30//! # API
31//!
32//! Mirror of the X25519 API with 56-byte arrays:
33//!
34//! ```rust,ignore
35//! use arcana::ecc::x448::{x448_derive_public, x448_ecdh};
36//!
37//! let alice_sk: [u8; 56] = /* rng */;
38//! let bob_sk: [u8; 56] = /* rng */;
39//!
40//! let alice_pk = x448_derive_public(&alice_sk);
41//! let bob_pk = x448_derive_public(&bob_sk);
42//!
43//! let s_ab = x448_ecdh(&alice_sk, &bob_pk);
44//! let s_ba = x448_ecdh(&bob_sk, &alice_pk);
45//! assert_eq!(s_ab, s_ba);
46//! ```
47//!
48//! # Test vectors
49//!
50//! The tests at the bottom of this file pin the two primitive vectors
51//! from RFC 7748 §5.2 and the full Diffie-Hellman vector from §6.2
52//! byte-exact. Together they exercise ladder, clamping, and LE
53//! encoding against the spec.
54
55use super::field::*;
56
57// ============================================================================
58// Curve constants (RFC 7748 §4.2)
59// ============================================================================
60
61/// `a24 = (156326 - 2) / 4 = 39081`.
62fn a24() -> FieldElement<7> {
63 let mut fe = FieldElement::<7>::ZERO;
64 fe.limbs[0] = 39_081;
65 fe
66}
67
68/// Curve448 base point u-coordinate = 5 (RFC 7748 §4.2).
69const BASE_U: [u8; 56] = {
70 let mut b = [0u8; 56];
71 b[0] = 5;
72 b
73};
74
75// ============================================================================
76// Scalar clamping + u-coordinate decoding (RFC 7748 §5)
77// ============================================================================
78
79/// RFC 7748 §5 `decodeScalar448`: force the scalar into the range
80/// `[2^447, 2^448)` and a multiple of 4.
81///
82/// - Clear the 2 low bits of byte 0 (multiple of 4)
83/// - Set the top bit of byte 55 (bit 447 of the 448-bit LE integer)
84///
85/// Note: unlike X25519 there is no "clear bit 255" step because 448
86/// is already byte-aligned.
87fn decode_scalar(scalar: &[u8; 56]) -> [u8; 56] {
88 let mut k = *scalar;
89 k[0] &= 252; // 0b11111100
90 k[55] |= 128; // 0b10000000
91 k
92}
93
94/// RFC 7748 §5 `decodeUCoordinate` for Curve448.
95///
96/// Unlike Curve25519, Curve448's u is decoded as a plain little-endian
97/// integer in `Fp` with no high-bit masking: 448 is already a multiple
98/// of 8, so the RFC's "clear the high bits above (qlen mod 8)" step
99/// is a no-op.
100fn decode_u(u: &[u8; 56]) -> FieldElement<7> {
101 FieldElement::<7>::from_bytes_le(u)
102}
103
104/// Encode a field element as 56 little-endian bytes.
105fn encode_u(fe: &FieldElement<7>) -> [u8; 56] {
106 let v = fe.to_bytes_le();
107 let mut out = [0u8; 56];
108 out.copy_from_slice(&v);
109 out
110}
111
112// ============================================================================
113// Constant-time conditional swap of two field elements
114// ============================================================================
115
116/// Constant-time swap of `a` and `b` iff `swap == 1`.
117///
118/// Same structure as the X25519 helper but sized for LIMBS=7 instead
119/// of 4. `swap` must be 0 or 1.
120fn ct_swap_fe(a: &mut FieldElement<7>, b: &mut FieldElement<7>, swap: u64) {
121 let mask = 0u64.wrapping_sub(swap);
122 for i in 0..7 {
123 let t = mask & (a.limbs[i] ^ b.limbs[i]);
124 a.limbs[i] ^= t;
125 b.limbs[i] ^= t;
126 }
127}
128
129// ============================================================================
130// The X448 primitive — RFC 7748 §5, Montgomery ladder on (X:Z)
131// ============================================================================
132
133/// RFC 7748 §5 `X448(scalar, u)`.
134///
135/// Takes a 56-byte little-endian scalar and a 56-byte little-endian
136/// u-coordinate, and returns the 56-byte little-endian u-coordinate
137/// of `scalar * (u, v)` on Curve448.
138///
139/// The ladder runs 448 iterations (bits 447..0 of the clamped
140/// scalar); the clamp sets bit 447 unconditionally, so the first
141/// cswap initializes (x_2, x_3) = (u, 1), (z_2, z_3) = (1, u).
142pub fn x448(scalar: &[u8; 56], u: &[u8; 56]) -> [u8; 56] {
143 let k = decode_scalar(scalar);
144 let x1 = decode_u(u);
145 let a24 = a24();
146 let p = &CURVE448_P;
147
148 // Ladder state: x_2 = 1, z_2 = 0, x_3 = x1, z_3 = 1.
149 let mut x_2 = FieldElement::<7>::one();
150 let mut z_2 = FieldElement::<7>::ZERO;
151 let mut x_3 = x1;
152 let mut z_3 = FieldElement::<7>::one();
153
154 let mut swap: u64 = 0;
155
156 for t in (0..=447).rev() {
157 let k_t = ((k[t >> 3] >> (t & 7)) & 1) as u64;
158 swap ^= k_t;
159 ct_swap_fe(&mut x_2, &mut x_3, swap);
160 ct_swap_fe(&mut z_2, &mut z_3, swap);
161 swap = k_t;
162
163 // RFC 7748 §5 ladder step (same for Curve25519 and Curve448,
164 // only a24 and the field prime differ):
165 //
166 // A = x_2 + z_2
167 // AA = A^2
168 // B = x_2 - z_2
169 // BB = B^2
170 // E = AA - BB
171 // C = x_3 + z_3
172 // D = x_3 - z_3
173 // DA = D * A
174 // CB = C * B
175 // x_3 = (DA + CB)^2
176 // z_3 = x_1 * (DA - CB)^2
177 // x_2 = AA * BB
178 // z_2 = E * (AA + a24 * E)
179 let a = field_add(&x_2, &z_2, p);
180 let aa = field_sqr(&a, p);
181 let b = field_sub(&x_2, &z_2, p);
182 let bb = field_sqr(&b, p);
183 let e = field_sub(&aa, &bb, p);
184 let c = field_add(&x_3, &z_3, p);
185 let d = field_sub(&x_3, &z_3, p);
186 let da = field_mul(&d, &a, p);
187 let cb = field_mul(&c, &b, p);
188
189 let da_plus_cb = field_add(&da, &cb, p);
190 x_3 = field_sqr(&da_plus_cb, p);
191
192 let da_minus_cb = field_sub(&da, &cb, p);
193 let da_minus_cb_sq = field_sqr(&da_minus_cb, p);
194 z_3 = field_mul(&x1, &da_minus_cb_sq, p);
195
196 x_2 = field_mul(&aa, &bb, p);
197
198 let a24_e = field_mul(&a24, &e, p);
199 let aa_plus_a24e = field_add(&aa, &a24_e, p);
200 z_2 = field_mul(&e, &aa_plus_a24e, p);
201 }
202
203 // Final unmasking swap.
204 ct_swap_fe(&mut x_2, &mut x_3, swap);
205 ct_swap_fe(&mut z_2, &mut z_3, swap);
206
207 // Return x_2 / z_2 = x_2 * z_2^{p-2} mod p as 56 LE bytes.
208 let z_inv = field_inv(&z_2, p);
209 let result = field_mul(&x_2, &z_inv, p);
210 encode_u(&result)
211}
212
213// ============================================================================
214// Public API — keygen + ECDH convenience wrappers
215// ============================================================================
216
217/// Derive the X448 public key from a 56-byte secret key.
218///
219/// Equivalent to `x448(sk, 5)` per RFC 7748 §5.
220pub fn x448_derive_public(sk: &[u8; 56]) -> [u8; 56] {
221 x448(sk, &BASE_U)
222}
223
224/// X448 Diffie-Hellman: derive a shared secret from our secret key
225/// and the peer's public key.
226///
227/// Returns the 56-byte u-coordinate of `sk * peer_pk`. As with X25519,
228/// this is the raw SP 800-56A "Z" value; callers feed it into a KDF
229/// of their choice before using it for symmetric keying. See the
230/// analogous doc in [`super::x25519`] for the low-order defensive
231/// check rationale.
232pub fn x448_ecdh(sk: &[u8; 56], peer_pk: &[u8; 56]) -> [u8; 56] {
233 x448(sk, peer_pk)
234}
235
236// ============================================================================
237// Tests (RFC 7748 pinned vectors)
238// ============================================================================
239
240#[cfg(test)]
241mod tests {
242 use super::*;
243
244 fn hex56(h: &str) -> [u8; 56] {
245 assert_eq!(h.len(), 112);
246 let mut out = [0u8; 56];
247 for i in 0..56 {
248 out[i] = u8::from_str_radix(&h[2 * i..2 * i + 2], 16).unwrap();
249 }
250 out
251 }
252
253 // ----- RFC 7748 §5.2 primitive test vector #1 -----
254 //
255 // Scalar:
256 // 3d262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae12170
257 // 0a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3
258 // u-coordinate:
259 // 06fce640fa3487bfda5f6cf2d5263f8aad88334cbd07437f020f08f981
260 // 4dc031ddbdc38c19c6da2583fa5429db94ada18aa7a7fb4ef8a086
261 // X448(k, u):
262 // ce3e4ff95a60dc6697da1db1d85e6afbdf79b50a2412d7546d5f239fe1
263 // 4fbaadeb445fc66a01b0779d98223961111e21766282f73dd96b6f
264 #[test]
265 fn rfc7748_section_5_2_vector_1() {
266 let scalar = hex56(
267 "3d262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3",
268 );
269 let u = hex56(
270 "06fce640fa3487bfda5f6cf2d5263f8aad88334cbd07437f020f08f9814dc031ddbdc38c19c6da2583fa5429db94ada18aa7a7fb4ef8a086",
271 );
272 let expected = hex56(
273 "ce3e4ff95a60dc6697da1db1d85e6afbdf79b50a2412d7546d5f239fe14fbaadeb445fc66a01b0779d98223961111e21766282f73dd96b6f",
274 );
275 assert_eq!(x448(&scalar, &u), expected);
276 }
277
278 // ----- RFC 7748 §5.2 primitive test vector #2 -----
279 #[test]
280 fn rfc7748_section_5_2_vector_2() {
281 let scalar = hex56(
282 "203d494428b8399352665ddca42f9de8fef600908e0d461cb021f8c538345dd77c3e4806e25f46d3315c44e0a5b4371282dd2c8d5be3095f",
283 );
284 let u = hex56(
285 "0fbcc2f993cd56d3305b0b7d9e55d4c1a8fb5dbb52f8e9a1e9b6201b165d015894e56c4d3570bee52fe205e28a78b91cdfbde71ce8d157db",
286 );
287 let expected = hex56(
288 "884a02576239ff7a2f2f63b2db6a9ff37047ac13568e1e30fe63c4a7ad1b3ee3a5700df34321d62077e63633c575c1c954514e99da7c179d",
289 );
290 assert_eq!(x448(&scalar, &u), expected);
291 }
292
293 // ----- RFC 7748 §6.2 full Diffie-Hellman test vector -----
294 //
295 // Alice's private key: 9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28d
296 // d9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b
297 // Alice's public key: 9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c
298 // 22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0
299 // Bob's private key: 1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d
300 // 6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d
301 // Bob's public key: 3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107bdb0d4f345b430
302 // 27d8b972fc3e34fb4232a13ca706dcb57aec3dae07bdc1c67bf33609
303 // Shared secret K: 07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282b
304 // b60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
305 #[test]
306 fn rfc7748_section_6_2_alice_pk() {
307 let alice_sk = hex56(
308 "9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28dd9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b",
309 );
310 let expected = hex56(
311 "9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0",
312 );
313 assert_eq!(x448_derive_public(&alice_sk), expected);
314 }
315
316 #[test]
317 fn rfc7748_section_6_2_bob_pk() {
318 let bob_sk = hex56(
319 "1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d",
320 );
321 let expected = hex56(
322 "3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107bdb0d4f345b43027d8b972fc3e34fb4232a13ca706dcb57aec3dae07bdc1c67bf33609",
323 );
324 assert_eq!(x448_derive_public(&bob_sk), expected);
325 }
326
327 #[test]
328 fn rfc7748_section_6_2_shared_secret() {
329 let alice_sk = hex56(
330 "9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28dd9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b",
331 );
332 let bob_sk = hex56(
333 "1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d",
334 );
335 let alice_pk = x448_derive_public(&alice_sk);
336 let bob_pk = x448_derive_public(&bob_sk);
337 let expected = hex56(
338 "07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d",
339 );
340 assert_eq!(x448_ecdh(&alice_sk, &bob_pk), expected);
341 assert_eq!(x448_ecdh(&bob_sk, &alice_pk), expected);
342 }
343
344 // ----- Round-trip on arbitrary keys -----
345 #[test]
346 fn x448_roundtrip_custom_keys() {
347 let alice_sk = hex56(
348 "0101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101",
349 );
350 let bob_sk = hex56(
351 "0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202",
352 );
353 let alice_pk = x448_derive_public(&alice_sk);
354 let bob_pk = x448_derive_public(&bob_sk);
355 let s_ab = x448_ecdh(&alice_sk, &bob_pk);
356 let s_ba = x448_ecdh(&bob_sk, &alice_pk);
357 assert_eq!(s_ab, s_ba);
358 assert!(s_ab.iter().any(|&b| b != 0));
359 }
360
361 // ----- Clamping idempotence -----
362 //
363 // Forcing the low 2 bits of byte 0 and the top bit of byte 55 to
364 // "dirty" values must not change the output, because `decode_scalar`
365 // overrides them unconditionally.
366 #[test]
367 fn clamping_is_idempotent() {
368 let base = hex56(
369 "3d262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3",
370 );
371 let u = hex56(
372 "06fce640fa3487bfda5f6cf2d5263f8aad88334cbd07437f020f08f9814dc031ddbdc38c19c6da2583fa5429db94ada18aa7a7fb4ef8a086",
373 );
374 let ref_out = x448(&base, &u);
375
376 let mut dirty = base;
377 dirty[0] |= 0b0000_0011; // low 2 bits (cleared by clamp)
378 dirty[55] &= !0b1000_0000; // top bit (set by clamp)
379 let dirty_out = x448(&dirty, &u);
380 assert_eq!(ref_out, dirty_out);
381 }
382}