replace Argon2 with PBKDF2

4 years ago · f1c7829f04
parent 9e9b8c7464
commit f1c7829f04
6 changed files with 321 additions and 9 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -19,6 +19,7 @@ src/gf_elem.cpp
 src/gf_poly.cpp
 src/main.cpp
 src/monero_seed.cpp
+src/pbkdf2.c
 src/reed_solomon_code.cpp
 src/secure_random.cpp
 src/wordlist.cpp)
--- a/README.md
+++ b/README.md
@ -16,7 +16,7 @@ The sole argument is the wallet creation date in `yyyy/MM/dd` format.
 > ./monero-seed --create 2100/03/14
 Mnemonic phrase: pumpkin alter spice lend position sentence surface snow atom lobster exotic robot profit chase
 - version: 1
- private key: a147f59c9b80e77824ba2e44241598b3b9ddf2e6458e9970352894216b9cbbba
+- private key: 9a1a9fe303f84d39277c0e87ccf42aa78f19c28127b2187d574266f29992971f
 - created on or after: 02/Mar/2100
 ```

@ -25,7 +25,7 @@ Mnemonic phrase: pumpkin alter spice lend position sentence surface snow atom lo
 ```
 > ./monero-seed --restore "pumpkin alter spice lend position sentence surface snow atom lobster exotic robot profit chase"
 - version: 1
- private key: a147f59c9b80e77824ba2e44241598b3b9ddf2e6458e9970352894216b9cbbba
+- private key: 9a1a9fe303f84d39277c0e87ccf42aa78f19c28127b2187d574266f29992971f
 - created on or after: 02/Mar/2100
 ```

@ -36,7 +36,7 @@ This can be tested by replacing a word with `xxxx`:
 > ./monero-seed --restore "pumpkin alter xxxx lend position sentence surface snow atom lobster exotic robot profit chase"
 Warning: corrected erasure: xxxx -> spice
 - version: 1
- private key: a147f59c9b80e77824ba2e44241598b3b9ddf2e6458e9970352894216b9cbbba
+- private key: 9a1a9fe303f84d39277c0e87ccf42aa78f19c28127b2187d574266f29992971f
 - created on or after: 02/Mar/2100
 ```

@ -64,7 +64,14 @@ and September 2105 can be represented.

 ### Private key seed

-The private key is generated by wallet software from the 128-bit seed included in the mnemonic phrase. Argon2id is used as KDF (memory = 256 MB). The wallet creation date is used as a salt. 128-bit seed provides the same level of security as the elliptic curve used by Monero.
+PBKDF2 with 4096 iterations is used to generate the private key from the 128-bit seed included in the mnemonic phrase. The wallet creation date is used as a salt. 128-bit seed provides the same level of security as the elliptic curve used by Monero.
+
+### Reserved bits
+
+There are 2 reserved bits for future use. Possible use cases:
+
+* a flag to differentiate between normal and "short" address format (with view key equal to the spend key)
+* different KDF algorithms for generating the private key

 ### Error detection/correction

--- a/src/monero_seed.cpp
+++ b/src/monero_seed.cpp
@ -10,6 +10,7 @@
 #include "reed_solomon_code.hpp"
 #include "argon2/argon2.h"
 #include "argon2/blake2/blake2-impl.h"
+#include "pbkdf2.h"
 #include <chrono>
 #include <cassert>
 #include <stdexcept>
@ -56,6 +57,7 @@ constexpr unsigned phrase_words = gf_poly::max_degree + 1;
 constexpr unsigned total_bits = gf_elem::size() * phrase_words;
 constexpr uint32_t argon_tcost = 3;
 constexpr uint32_t argon_mcost = 256 * 1024;
+constexpr int pbkdf2_iterations = 4096;

 static_assert(total_bits
 	== version_bits + date_bits + reserved_bits + checksum_size +
@ -102,11 +104,11 @@ monero_seed::monero_seed(std::time_t date_created) {
 	reserved_ = 0;
 	secure_random::gen_bytes(seed_.data(), seed_.size());
 	
-	char salt[25] = "Monero 14-word seed";
+	uint8_t salt[25] = "Monero 14-word seed";
 	salt[20] = version_;
 	store32(salt + 21, quantized_date);
-	argon2id_hash_raw(argon_tcost, argon_mcost, 1, seed_.data(), seed_.size(), salt, sizeof(salt), key_.data(), key_.size());
-
+	//argon2id_hash_raw(argon_tcost, argon_mcost, 1, seed_.data(), seed_.size(), salt, sizeof(salt), key_.data(), key_.size());
+	pbkdf2_hmac_sha256(seed_.data(), seed_.size(), salt, sizeof(salt), pbkdf2_iterations, key_.data(), key_.size());
 	unsigned rem_bits = gf_elem::size();
 	write_data(message_, rem_bits, version_, version_bits);
 	write_data(message_, rem_bits, reserved_, reserved_bits);
@ -186,10 +188,11 @@ monero_seed::monero_seed(const std::string& phrase) {

 	date_ = epoch + quantized_date * time_step;

-	char salt[25] = "Monero 14-word seed";
+	uint8_t salt[25] = "Monero 14-word seed";
 	salt[20] = version_;
 	store32(salt + 21, quantized_date);
-	argon2id_hash_raw(argon_tcost, argon_mcost, 1, seed_.data(), seed_.size(), salt, sizeof(salt), key_.data(), key_.size());
+	//argon2id_hash_raw(argon_tcost, argon_mcost, 1, seed_.data(), seed_.size(), salt, sizeof(salt), key_.data(), key_.size());
+	pbkdf2_hmac_sha256(seed_.data(), seed_.size(), salt, sizeof(salt), pbkdf2_iterations, key_.data(), key_.size());
 }

 std::ostream& operator<<(std::ostream& os, const monero_seed& seed) {
--- a/src/pbkdf2.c
+++ b/src/pbkdf2.c
@ -0,0 +1,65 @@
+/*
+	Copyright (c) 2020 tevador <tevador@gmail.com>
+	All rights reserved.
+*/
+
+#include "sha256/hash_impl.h"
+
+#include <string.h>
+#include <stdint.h>
+
+#define BLOCK_SIZE 32
+
+typedef struct pbkdf_state {
+	int iterations;
+	uint32_t block_count;
+	uint8_t block[BLOCK_SIZE];
+} pbkdf_state;
+
+static void pbkdf2_transform(const uint8_t* password, size_t pw_size,
+	const uint8_t* salt, size_t salt_size, pbkdf_state* state)
+{
+	hmac_sha256_state hash_state;
+	hmac_sha256_initialize(&hash_state, password, pw_size);
+	hmac_sha256_write(&hash_state, salt, salt_size);
+	uint8_t block_buff[4];
+	//big endian
+	block_buff[0] = state->block_count >> 24;
+	block_buff[1] = state->block_count >> 16;
+	block_buff[2] = state->block_count >> 8;
+	block_buff[3] = state->block_count;
+	hmac_sha256_write(&hash_state, block_buff, sizeof(block_buff));
+	hmac_sha256_finalize(&hash_state, state->block);
+	hmac_sha256_initialize(&hash_state, password, pw_size);
+
+	uint8_t temp[BLOCK_SIZE];
+	memcpy(temp, state->block, BLOCK_SIZE);
+
+	for (unsigned i = 2; i <= state->iterations; ++i) {
+		hmac_sha256_write(&hash_state, temp, sizeof(temp));
+		hmac_sha256_finalize(&hash_state, temp);
+		for (unsigned j = 0; j < BLOCK_SIZE; ++j) {
+			state->block[j] ^= temp[j];
+		}
+		hmac_sha256_initialize(&hash_state, password, pw_size);
+	}
+
+	state->block_count++;
+}
+
+void pbkdf2_hmac_sha256(const uint8_t* password, size_t pw_size,
+	uint8_t* salt, size_t salt_size,
+	int iterations, uint8_t* key, size_t key_size)
+{
+	pbkdf_state state = {
+		.block_count = 1,
+		.iterations = iterations
+	};
+	while (key_size > 0) {
+		pbkdf2_transform(password, pw_size, salt, salt_size, &state);
+		size_t block_size = key_size > BLOCK_SIZE ? BLOCK_SIZE : key_size;
+		memcpy(key, state.block, block_size);
+		key += BLOCK_SIZE;
+		key_size -= BLOCK_SIZE;
+	}
+}
--- a/src/pbkdf2.h
+++ b/src/pbkdf2.h
@ -0,0 +1,20 @@
+/*
+	Copyright (c) 2020 tevador <tevador@gmail.com>
+	All rights reserved.
+*/
+
+#pragma once
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+void pbkdf2_hmac_sha256(const uint8_t* password, size_t pw_size,
+	const uint8_t* salt, size_t salt_size,
+	int iterations, uint8_t* key, size_t key_size);
+
+#ifdef __cplusplus
+}
+#endif
--- a/src/sha256/hash_impl.h
+++ b/src/sha256/hash_impl.h
@ -0,0 +1,216 @@
+/**********************************************************************
+ * Copyright (c) 2014 Pieter Wuille                                   *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_HASH_IMPL_H_
+#define _SECP256K1_HASH_IMPL_H_
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+
+typedef struct {
+    uint32_t s[8];
+    uint32_t buf[16]; /* In big endian */
+    size_t bytes;
+} sha256_state;
+
+static void sha256_initialize(sha256_state* hash);
+static void sha256_write(sha256_state* hash, const uint8_t* data, size_t size);
+static void sha256_finalize(sha256_state* hash, uint8_t* out32);
+
+typedef struct {
+    sha256_state inner, outer;
+} hmac_sha256_state;
+
+static void hmac_sha256_initialize(hmac_sha256_state* hash, const uint8_t* key, size_t size);
+static void hmac_sha256_write(hmac_sha256_state* hash, const uint8_t* data, size_t size);
+static void hmac_sha256_finalize(hmac_sha256_state* hash, uint8_t* out32);
+
+#define Ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
+#define Maj(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define Sigma0(x) (((x) >> 2 | (x) << 30) ^ ((x) >> 13 | (x) << 19) ^ ((x) >> 22 | (x) << 10))
+#define Sigma1(x) (((x) >> 6 | (x) << 26) ^ ((x) >> 11 | (x) << 21) ^ ((x) >> 25 | (x) << 7))
+#define sigma0(x) (((x) >> 7 | (x) << 25) ^ ((x) >> 18 | (x) << 14) ^ ((x) >> 3))
+#define sigma1(x) (((x) >> 17 | (x) << 15) ^ ((x) >> 19 | (x) << 13) ^ ((x) >> 10))
+
+#define Round(a,b,c,d,e,f,g,h,k,w) do { \
+    uint32_t t1 = (h) + Sigma1(e) + Ch((e), (f), (g)) + (k) + (w); \
+    uint32_t t2 = Sigma0(a) + Maj((a), (b), (c)); \
+    (d) += t1; \
+    (h) = t1 + t2; \
+} while(0)
+
+#define BE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24))
+
+static void sha256_initialize(sha256_state *hash) {
+    hash->s[0] = 0x6a09e667ul;
+    hash->s[1] = 0xbb67ae85ul;
+    hash->s[2] = 0x3c6ef372ul;
+    hash->s[3] = 0xa54ff53aul;
+    hash->s[4] = 0x510e527ful;
+    hash->s[5] = 0x9b05688cul;
+    hash->s[6] = 0x1f83d9abul;
+    hash->s[7] = 0x5be0cd19ul;
+    hash->bytes = 0;
+}
+
+/** Perform one SHA-256 transformation, processing 16 big endian 32-bit words. */
+static void sha256_transform(uint32_t* s, const uint32_t* chunk) {
+    uint32_t a = s[0], b = s[1], c = s[2], d = s[3], e = s[4], f = s[5], g = s[6], h = s[7];
+    uint32_t w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15;
+
+    Round(a, b, c, d, e, f, g, h, 0x428a2f98, w0 = BE32(chunk[0]));
+    Round(h, a, b, c, d, e, f, g, 0x71374491, w1 = BE32(chunk[1]));
+    Round(g, h, a, b, c, d, e, f, 0xb5c0fbcf, w2 = BE32(chunk[2]));
+    Round(f, g, h, a, b, c, d, e, 0xe9b5dba5, w3 = BE32(chunk[3]));
+    Round(e, f, g, h, a, b, c, d, 0x3956c25b, w4 = BE32(chunk[4]));
+    Round(d, e, f, g, h, a, b, c, 0x59f111f1, w5 = BE32(chunk[5]));
+    Round(c, d, e, f, g, h, a, b, 0x923f82a4, w6 = BE32(chunk[6]));
+    Round(b, c, d, e, f, g, h, a, 0xab1c5ed5, w7 = BE32(chunk[7]));
+    Round(a, b, c, d, e, f, g, h, 0xd807aa98, w8 = BE32(chunk[8]));
+    Round(h, a, b, c, d, e, f, g, 0x12835b01, w9 = BE32(chunk[9]));
+    Round(g, h, a, b, c, d, e, f, 0x243185be, w10 = BE32(chunk[10]));
+    Round(f, g, h, a, b, c, d, e, 0x550c7dc3, w11 = BE32(chunk[11]));
+    Round(e, f, g, h, a, b, c, d, 0x72be5d74, w12 = BE32(chunk[12]));
+    Round(d, e, f, g, h, a, b, c, 0x80deb1fe, w13 = BE32(chunk[13]));
+    Round(c, d, e, f, g, h, a, b, 0x9bdc06a7, w14 = BE32(chunk[14]));
+    Round(b, c, d, e, f, g, h, a, 0xc19bf174, w15 = BE32(chunk[15]));
+
+    Round(a, b, c, d, e, f, g, h, 0xe49b69c1, w0 += sigma1(w14) + w9 + sigma0(w1));
+    Round(h, a, b, c, d, e, f, g, 0xefbe4786, w1 += sigma1(w15) + w10 + sigma0(w2));
+    Round(g, h, a, b, c, d, e, f, 0x0fc19dc6, w2 += sigma1(w0) + w11 + sigma0(w3));
+    Round(f, g, h, a, b, c, d, e, 0x240ca1cc, w3 += sigma1(w1) + w12 + sigma0(w4));
+    Round(e, f, g, h, a, b, c, d, 0x2de92c6f, w4 += sigma1(w2) + w13 + sigma0(w5));
+    Round(d, e, f, g, h, a, b, c, 0x4a7484aa, w5 += sigma1(w3) + w14 + sigma0(w6));
+    Round(c, d, e, f, g, h, a, b, 0x5cb0a9dc, w6 += sigma1(w4) + w15 + sigma0(w7));
+    Round(b, c, d, e, f, g, h, a, 0x76f988da, w7 += sigma1(w5) + w0 + sigma0(w8));
+    Round(a, b, c, d, e, f, g, h, 0x983e5152, w8 += sigma1(w6) + w1 + sigma0(w9));
+    Round(h, a, b, c, d, e, f, g, 0xa831c66d, w9 += sigma1(w7) + w2 + sigma0(w10));
+    Round(g, h, a, b, c, d, e, f, 0xb00327c8, w10 += sigma1(w8) + w3 + sigma0(w11));
+    Round(f, g, h, a, b, c, d, e, 0xbf597fc7, w11 += sigma1(w9) + w4 + sigma0(w12));
+    Round(e, f, g, h, a, b, c, d, 0xc6e00bf3, w12 += sigma1(w10) + w5 + sigma0(w13));
+    Round(d, e, f, g, h, a, b, c, 0xd5a79147, w13 += sigma1(w11) + w6 + sigma0(w14));
+    Round(c, d, e, f, g, h, a, b, 0x06ca6351, w14 += sigma1(w12) + w7 + sigma0(w15));
+    Round(b, c, d, e, f, g, h, a, 0x14292967, w15 += sigma1(w13) + w8 + sigma0(w0));
+
+    Round(a, b, c, d, e, f, g, h, 0x27b70a85, w0 += sigma1(w14) + w9 + sigma0(w1));
+    Round(h, a, b, c, d, e, f, g, 0x2e1b2138, w1 += sigma1(w15) + w10 + sigma0(w2));
+    Round(g, h, a, b, c, d, e, f, 0x4d2c6dfc, w2 += sigma1(w0) + w11 + sigma0(w3));
+    Round(f, g, h, a, b, c, d, e, 0x53380d13, w3 += sigma1(w1) + w12 + sigma0(w4));
+    Round(e, f, g, h, a, b, c, d, 0x650a7354, w4 += sigma1(w2) + w13 + sigma0(w5));
+    Round(d, e, f, g, h, a, b, c, 0x766a0abb, w5 += sigma1(w3) + w14 + sigma0(w6));
+    Round(c, d, e, f, g, h, a, b, 0x81c2c92e, w6 += sigma1(w4) + w15 + sigma0(w7));
+    Round(b, c, d, e, f, g, h, a, 0x92722c85, w7 += sigma1(w5) + w0 + sigma0(w8));
+    Round(a, b, c, d, e, f, g, h, 0xa2bfe8a1, w8 += sigma1(w6) + w1 + sigma0(w9));
+    Round(h, a, b, c, d, e, f, g, 0xa81a664b, w9 += sigma1(w7) + w2 + sigma0(w10));
+    Round(g, h, a, b, c, d, e, f, 0xc24b8b70, w10 += sigma1(w8) + w3 + sigma0(w11));
+    Round(f, g, h, a, b, c, d, e, 0xc76c51a3, w11 += sigma1(w9) + w4 + sigma0(w12));
+    Round(e, f, g, h, a, b, c, d, 0xd192e819, w12 += sigma1(w10) + w5 + sigma0(w13));
+    Round(d, e, f, g, h, a, b, c, 0xd6990624, w13 += sigma1(w11) + w6 + sigma0(w14));
+    Round(c, d, e, f, g, h, a, b, 0xf40e3585, w14 += sigma1(w12) + w7 + sigma0(w15));
+    Round(b, c, d, e, f, g, h, a, 0x106aa070, w15 += sigma1(w13) + w8 + sigma0(w0));
+
+    Round(a, b, c, d, e, f, g, h, 0x19a4c116, w0 += sigma1(w14) + w9 + sigma0(w1));
+    Round(h, a, b, c, d, e, f, g, 0x1e376c08, w1 += sigma1(w15) + w10 + sigma0(w2));
+    Round(g, h, a, b, c, d, e, f, 0x2748774c, w2 += sigma1(w0) + w11 + sigma0(w3));
+    Round(f, g, h, a, b, c, d, e, 0x34b0bcb5, w3 += sigma1(w1) + w12 + sigma0(w4));
+    Round(e, f, g, h, a, b, c, d, 0x391c0cb3, w4 += sigma1(w2) + w13 + sigma0(w5));
+    Round(d, e, f, g, h, a, b, c, 0x4ed8aa4a, w5 += sigma1(w3) + w14 + sigma0(w6));
+    Round(c, d, e, f, g, h, a, b, 0x5b9cca4f, w6 += sigma1(w4) + w15 + sigma0(w7));
+    Round(b, c, d, e, f, g, h, a, 0x682e6ff3, w7 += sigma1(w5) + w0 + sigma0(w8));
+    Round(a, b, c, d, e, f, g, h, 0x748f82ee, w8 += sigma1(w6) + w1 + sigma0(w9));
+    Round(h, a, b, c, d, e, f, g, 0x78a5636f, w9 += sigma1(w7) + w2 + sigma0(w10));
+    Round(g, h, a, b, c, d, e, f, 0x84c87814, w10 += sigma1(w8) + w3 + sigma0(w11));
+    Round(f, g, h, a, b, c, d, e, 0x8cc70208, w11 += sigma1(w9) + w4 + sigma0(w12));
+    Round(e, f, g, h, a, b, c, d, 0x90befffa, w12 += sigma1(w10) + w5 + sigma0(w13));
+    Round(d, e, f, g, h, a, b, c, 0xa4506ceb, w13 += sigma1(w11) + w6 + sigma0(w14));
+    Round(c, d, e, f, g, h, a, b, 0xbef9a3f7, w14 + sigma1(w12) + w7 + sigma0(w15));
+    Round(b, c, d, e, f, g, h, a, 0xc67178f2, w15 + sigma1(w13) + w8 + sigma0(w0));
+
+    s[0] += a;
+    s[1] += b;
+    s[2] += c;
+    s[3] += d;
+    s[4] += e;
+    s[5] += f;
+    s[6] += g;
+    s[7] += h;
+}
+
+static void sha256_write(sha256_state *hash, const uint8_t *data, size_t len) {
+    size_t bufsize = hash->bytes & 0x3F;
+    hash->bytes += len;
+    while (bufsize + len >= 64) {
+        /* Fill the buffer, and process it. */
+        memcpy(((uint8_t*)hash->buf) + bufsize, data, 64 - bufsize);
+        data += 64 - bufsize;
+        len -= 64 - bufsize;
+        sha256_transform(hash->s, hash->buf);
+        bufsize = 0;
+    }
+    if (len) {
+        /* Fill the buffer with what remains. */
+        memcpy(((uint8_t*)hash->buf) + bufsize, data, len);
+    }
+}
+
+static void sha256_finalize(sha256_state *hash, uint8_t *out32) {
+    static const uint8_t pad[64] = {0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+    uint32_t sizedesc[2];
+    uint32_t out[8];
+    int i = 0;
+    sizedesc[0] = BE32(hash->bytes >> 29);
+    sizedesc[1] = BE32(hash->bytes << 3);
+    sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64));
+    sha256_write(hash, (const uint8_t*)sizedesc, 8);
+    for (i = 0; i < 8; i++) {
+        out[i] = BE32(hash->s[i]);
+        hash->s[i] = 0;
+    }
+    memcpy(out32, (const uint8_t*)out, 32);
+}
+
+static void hmac_sha256_initialize(hmac_sha256_state *hash, const uint8_t *key, size_t keylen) {
+    int n;
+    uint8_t rkey[64];
+    if (keylen <= 64) {
+        memcpy(rkey, key, keylen);
+        memset(rkey + keylen, 0, 64 - keylen);
+    } else {
+        sha256_state sha256;
+        sha256_initialize(&sha256);
+        sha256_write(&sha256, key, keylen);
+        sha256_finalize(&sha256, rkey);
+        memset(rkey + 32, 0, 32);
+    }
+
+    sha256_initialize(&hash->outer);
+    for (n = 0; n < 64; n++) {
+        rkey[n] ^= 0x5c;
+    }
+    sha256_write(&hash->outer, rkey, 64);
+
+    sha256_initialize(&hash->inner);
+    for (n = 0; n < 64; n++) {
+        rkey[n] ^= 0x5c ^ 0x36;
+    }
+    sha256_write(&hash->inner, rkey, 64);
+    memset(rkey, 0, 64);
+}
+
+static void hmac_sha256_write(hmac_sha256_state *hash, const uint8_t *data, size_t size) {
+    sha256_write(&hash->inner, data, size);
+}
+
+static void hmac_sha256_finalize(hmac_sha256_state *hash, uint8_t *out32) {
+    uint8_t temp[32];
+    sha256_finalize(&hash->inner, temp);
+    sha256_write(&hash->outer, temp, 32);
+    memset(temp, 0, 32);
+    sha256_finalize(&hash->outer, out32);
+}
+
+#endif