如何使用 .NET Core 支持 ECC 中的安全曲线（例如 Curve25519）

Question

.NET Core 似乎支持在 ECC 中创建自定义曲线。

我试过定义Curve25519，如下图：

public class Curves
{
    // TODO: check the key gen rand.
    public static ECCurve Curve25519
    {
        get
        {
            return new ECCurve()
            {
                CurveType = ECCurve.ECCurveType.PrimeMontgomery,
                B = new byte[] { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1},
                A = new byte[] {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,109,6},
                G = new ECPoint()
                {
                    X = new byte[] { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9},
                    Y = new byte[] {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }},
                Prime = new byte[] { 127, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 237 },
                Order = new byte[] {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8},
                Cofactor = new byte[] { 1 } // fix later
            };
        }
    }

但是，当我尝试定义它时

var ecc2 = ECDsa.Create(Curves.Curve25519);

我得到一个空指针异常。

有没有人看到任何明显的错误，或者 .NET Core 中对显式曲线的支持仍然不多？

Answer 1

之所以会出现错误，是因为 Curve25519 是为 ECDH 密钥交换计算而设计的，特别是 X25519。此用法的详细信息位于此SO问题。

ECDSA 应该用于 Curve25519 的扭曲 Edwards 版本，即 Ed25519。该曲线可以在 .Net Core 中定义和使用，如下所示。

ECCurve ecCurve = new ECCurve() // Ed25519, 32 bytes, 256 bit
{
    CurveType = ECCurve.ECCurveType.PrimeTwistedEdwards,
    A = new byte[] { 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xec }, // GF(-1)
    B = new byte[] { 0x52, 0x03, 0x6C, 0xEE, 0x2B, 0x6F, 0xFE, 0x73, 0x8C, 0xC7, 0x40, 0x79, 0x77, 0x79, 0xE8, 0x98,
      0x00, 0x70, 0x0A, 0x4D, 0x41, 0x41, 0xD8, 0xAB, 0x75, 0xEB, 0x4D, 0xCA, 0x13, 0x59, 0x78, 0xA3 },
    G = new ECPoint()
    {
      X = new byte[] { 0x21, 0x69, 0x36, 0xD3, 0xCD, 0x6E, 0x53, 0xFE, 0xC0, 0xA4, 0xE2, 0x31, 0xFD, 0xD6, 0xDC, 0x5C,
        0x69, 0x2C, 0xC7, 0x60, 0x95, 0x25, 0xA7, 0xB2, 0xC9, 0x56, 0x2D, 0x60, 0x8F, 0x25, 0xD5, 0x1A },
      Y = new byte[] { 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x58 }
    },
    Prime = new byte[] { 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xed },
    Order = new byte[] { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x14, 0xde, 0xf9, 0xde, 0xa2, 0xf7, 0x9c, 0xd6, 0x58, 0x12, 0x63, 0x1a, 0x5c, 0xf5, 0xd3, 0xed },
    Cofactor = new byte[] { 8 }
};

参数A为-1，上面的表示在2^255-19的伽罗瓦域中为-1。这可以通过评估SageMathCell中的以下代码来计算。

gf=GF(2^255-19)
print (hex(gf(-1)))

但是，文档显示，Windows 10 和 macOS 以下版本不支持显式曲线，而我的尝试表明它们在 Linux 上会抛出异常。因此，如果需要 Windows 10 以外的平台或需要跨平台可操作性，则应使用NSec或libsodium-core等库。