Swiftpack.co -  leif-ibsen/SwiftECC as Swift Package
Swiftpack.co is a collection of thousands of indexed Swift packages. Search packages.
leif-ibsen/SwiftECC
Swift Elliptic Curve Cryptography (ECIES & ECDSA)
.package(url: "https://github.com/leif-ibsen/SwiftECC.git", from: "1.1.0")

Description

SwiftECC provides elliptic curve cryptography in Swift. This encompasses:

  • Encryption and decryption using the ECIES algorithm based on the AES block cipher
  • Signature signing and verifying using the ECDSA algorithm, including the option of deterministic signatures
  • General elliptic curve arithmetic
SwiftECC requires Swift 5.0. It also requires that the Int and UInt types be 64 bit types.

Usage

In your project Package.swift file add a dependency like
  dependencies: [
  .package(url: "https://github.com/leif-ibsen/SwiftECC", from: "1.1.0"),
  ]

Basics

The basic concept in SwiftECC is the Elliptic Curve Domain, represented by the Domain class. Please, refer section 3.1 in [SEC 1] that describes the domain concept in detail.

There are 18 predefined NIST domains and 14 predefined Brainpool domains in SwiftECC, and it is possible to create your own characteristic 2, and odd prime characteristic domains.

You need a public key in order to encrypt a message or verify a signature, and you need a private key in order to decrypt a message or sign a message. Given a domain, you can generate public/private key pairs or you can load them from the PEM- or DER encoding of existing keys.

Encryption and Decryption

Encryption and decryption is done using the ECIES algorithm based on AES block cipher. The algorithm uses one of AES-128, AES-192 or AES-256 ciphers, depending on your choice.
The following cipher block modes are supported:
  • GCM - Galois Counter mode. This is the default mode
  • ECB - Electronic Codebook mode with PKCS#7 padding
  • CBC - Cipher Block Chaining mode with PKCS#7 padding
  • CFB - Cipher Feedback mode
  • CTR - Counter mode
  • OFB - Output Feedback mode
The encryption and decryption speed for domain EC256k1 (the bitcoin domain) was measured on a MacBook Pro 2018, 2,2 GHz 6-Core Intel Core i7. The results using AES-128 are shown in the table below - units are Megabytes per second.
Block ModeEncryptDecrypt
GCM26 MByte/Sec26 MByte/Sec
ECB19 MByte/Sec19 MByte/Sec
CBC14 MByte/Sec16 MByte/Sec
CFB20 MByte/Sec20 MByte/Sec
CTR21 MByte/Sec21 MByte/Sec
OFB25 MByte/Sec26 MByte/Sec

BlueECC Compatibility

Data encrypted by SwiftECC in the EC256r1 domain with AES128/GCM, in the EC384r1 domain with AES256/GCM and in the EC521r1 domain with AES256/GCM can be decrypted with IBM's BlueECC product using curve prime256v1, secp384r1, and secp521r1, respectively. Likewise, data encrypted by BlueECC with curve prime256v1, secp384r1 and secp521, can be decrypted by SwiftECC using EC256r1 with AES128/GCM, EC384r1 with AES256/GCM and EC521r1 with AES256/GCM, respectively.

Example

import SwiftECC

// You need a public key to encrypt a message and the corresponding private key to decrypt it,
// for example from the EC163k1 domain

let pemPublic163k1 =
"""
-----BEGIN PUBLIC KEY-----
MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEA6txn7CCae0d9AiGj3Rk5m9XflTCB81oe1fKZi4F4oip
SF2u79k8TD5J
-----END PUBLIC KEY-----
"""

let pemPrivate163k1 =
"""
-----BEGIN EC PRIVATE KEY-----
MFICAQEEFNfflqz2oOd9WpxuMZ9wJTFO1sjgoAcGBSuBBAABoS4DLAAEA6txn7CCae0d9AiGj3Rk
5m9XflTCB81oe1fKZi4F4oipSF2u79k8TD5J
-----END EC PRIVATE KEY-----
"""

let text = "The quick brown fox jumps over the lazy dog!"

do {
  let pubKey = try ECPublicKey(pem: pemPublic163k1)
  let privKey = try ECPrivateKey(pem: pemPrivate163k1)
  let encryptedData = pubKey.encrypt(msg: text.data(using: .utf8)!, cipher: .AES128)
  let decryptedData = try privKey.decrypt(msg: encryptedData, cipher: .AES128)
  print(String(data: decryptedData, encoding: .utf8)!)
} catch {
  print("\(error)")
}

giving

The quick brown fox jumps over the lazy dog!

Signing and Verifying

Signing data and verifying signatures is performed using the ECDSA algorithm. It is possible to generate deterministic signatures as specificed in [RFC-6979] by setting the deterministic parameter to true in the sign operation.

The message digest used in the process is determined from the domain field size as follows:

  • field size <= 224: SHA2-224
  • 224 < field size <= 256: SHA2-256
  • 256 < field size <= 384: SHA2-384
  • 384 < field size: SHA2-512

BlueECC Compatibility

Signatures created by SwiftECC in the EC256r1, EC384r1 and EC521r1 domains can be verified by IBM's BlueECC product using curve prime256v1, secp384r1 and secp521r1, respectively. Likewise, signatures created by BlueECC with one of the curves prime256v1, secp384r1 and secp521r1 can be verified by SwiftECC using domains EC256r1, EC384r1 and EC521r1, respectively.

Example

import SwiftECC

// Get a predefined domain - for example brainpool BP160r1

let domain = Domain.instance(curve: .BP160r1)

// Create your own keys

let (pubKey, privKey) = domain.makeKeyPair()

// See how they look

print(pubKey.asn1)
print(privKey.asn1)

// Store them in PEM format for future use

let pubPEM = pubKey.pem
let privPEM = privKey.pem

let message = "The quick brown fox jumps over the lazy dog!".data(using: .utf8)!

let sig = privKey.sign(msg: message)
let ok = pubKey.verify(signature: sig, msg: message)
print("Signature is", ok ? "good" : "wrong")

giving (for example):

Sequence (2):
	Sequence (2):
		Object Identifier: 1.2.840.10045.2.1
		Object Identifier: 1.3.36.3.3.2.8.1.1.1
	Bit String (328): 00000100 00000011 00000111 00110011 01010100 00000001 10111100 01101111 10100001 01001000 11101000 01111100 10001111 00000110 00010010 11100111 11111010 10010001 00100100 01001000 11000110 01110001 00110100 01001000 10011110 01011110 11000000 10010001 01000110 01011010 01001110 01110000 00011011 01010111 10101011 01101010 00011011 01101100 01100100 01000100 01111101

Sequence (4):
	Integer: 1
	Octet String (20): 32 96 e0 c4 d7 f5 cb 03 0c 95 63 b1 a2 c1 2f 64 4c dc d6 4c
	[0]:
		Object Identifier: 1.3.36.3.3.2.8.1.1.1
	[1]:
		Bit String (328): 00000100 00000011 00000111 00110011 01010100 00000001 10111100 01101111 10100001 01001000 11101000 01111100 10001111 00000110 00010010 11100111 11111010 10010001 00100100 01001000 11000110 01110001 00110100 01001000 10011110 01011110 11000000 10010001 01000110 01011010 01001110 01110000 00011011 01010111 10101011 01101010 00011011 01101100 01100100 01000100 01111101

Signature is good

Creating Domains

You can create your own domains as illustrated by the two examples below.

Example

This is example 3.5 from [GUIDE]. It shows how to make your own prime characteristic domain.

import SwiftECC
import BigInt

// Create the domain
let domain = try Domain.instance(name: "EC29", p: BInt(29), a: BInt(4), b: BInt(20), gx: BInt(1), gy: BInt(5), order: BInt(37), cofactor: 1)

let p1 = Point(BInt(5), BInt(22))
let p2 = Point(BInt(16), BInt(27))

print("p1 + p2 =", try domain.addPoints(p1, p2))
print("p1 * 2  =", try domain.multiplyPoint(p1, BInt(2)))

// Inspect the domain - please refer [SEC 1] appendix C.2
print(domain.asn1Explicit())

giving

p1 + p2 = Point(13, 6)
p1 * 2  = Point(14, 6)
Sequence (6):
  Integer: 1
  Sequence (2):
    Object Identifier: 1.2.840.10045.1.1
    Integer: 29
  Sequence (2):
    Octet String (1): 04
    Octet String (1): 14
  Octet String (3): 04 01 05
  Integer: 37
  Integer: 1

Example

This is example 3.6 from [GUIDE]. It shows how to make your own characteristic 2 domain.

import SwiftECC
import BigInt

// Reduction polynomial for x^4 + x + 1    
let rp = RP(4, 1)
// Create the domain
let domain = try Domain.instance(name: "EC4", rp: rp, a: BInt(8), b: BInt(9), gx: BInt(1), gy: BInt(1), order: BInt(22), cofactor: 2)

let p1 = Point(BInt(2), BInt(15))
let p2 = Point(BInt(12), BInt(12))

print("p1 + p2 =", try domain.addPoints(p1, p2))
print("p1 * 2  =", try domain.multiplyPoint(p1, BInt(2)))

// Inspect the domain - please refer [SEC 1] appendix C.2
print(domain.asn1Explicit())

giving

p1 + p2 = Point(1, 1)
p1 * 2  = Point(11, 2)
Sequence (6):
  Integer: 1
  Sequence (2):
    Object Identifier: 1.2.840.10045.1.2
    Sequence (2):
      Integer: 4
      Integer: 1
  Sequence (2):
    Octet String (1): 08
    Octet String (1): 09
  Octet String (3): 04 01 01
  Integer: 22
  Integer: 2

Elliptic Curve Arithmetic

SwiftECC implements the common elliptic curve arithmetic operations:
  • Point multiplication
  • Point addition
  • Point doubling
  • Point subtraction
  • Point negation
  • Is Point on curve?
It is also possible to encode curve points in either compressed- or uncompressed format, as well as to do the reverse decoding.

Key Derivation

SwiftECC uses the X9.63 Key Derivation Function to derive block cipher keying materiel. Please refer [SEC 1] section 3.6. Six cases are considered:

AES-128/GCM block mode

KDF generates 32 bytes.

Encryption/decryption key = bytes 0 ..< 16
Initialization vector = bytes 16 ..< 32

AES-192/GCM block mode

KDF generates 40 bytes.

Encryption/decryption key = bytes 0 ..< 24
Initialization vector = bytes 24 ..< 40

AES-256/GCM block mode

KDF generates 48 bytes.

Encryption/decryption key = bytes 0 ..< 32
Initialization vector = bytes 32 ..< 48

AES-128/Non-GCM block mode

KDF generates 48 bytes.

Encryption/decryption key = bytes 0 ..< 16
HMAC key = bytes 16 ..< 48

AES-192/Non-GCM block mode

KDF generates 56 bytes.

Encryption/decryption key = bytes 0 ..< 24
HMAC key = bytes 24 ..< 56

AES-256/Non-GCM block mode

KDF generates 64 bytes.

Encryption/decryption key = bytes 0 ..< 32
HMAC key = bytes 32 ..< 64

For block modes CBC, CFB, CTR, and OFB the initialization vector (IV) is 16 zero bytes.

Performance

To assess the performance of SwiftECC, the signature generation and verification time and the keypair generation time was measured on a MacBook Pro 2018, 2,2 GHz 6-Core Intel Core i7. The results are shown in the table below - units are milliseconds. The columns mean:
  • Sign: The time it takes to sign a short message
  • Verify: The time it takes to verify a signature for a short message
  • Keypair Generation: The time it takes to generate a public/private keypair
CurveSignVerifyKeypair Generation
brainpoolP160r11.4 mSec2.5 mSec5.1 mSec
brainpoolP160t11.4 mSec2.4 mSec5.1 mSec
brainpoolP192r11.7 mSec3.0 mSec6.3 mSec
brainpoolP192t11.7 mSec3.1 mSec6.4 mSec
brainpoolP224r12.3 mSec4.3 mSec9.4 mSec
brainpoolP224t12.3 mSec4.3 mSec9.4 mSec
brainpoolP256r12.7 mSec5.1 mSec11 mSec
brainpoolP256t12.7 mSec5.0 mSec11 mSec
brainpoolP320r14.2 mSec7.7 mSec18 mSec
brainpoolP320t14.2 mSec7.8 mSec18 mSec
brainpoolP384r16.0 mSec11 mSec27 mSec
brainpoolP384t16.1 mSec11 mSec27 mSec
brainpoolP512r111 mSec21 mSec52 mSec
brainpoolP512t111 mSec21 mSec52 mSec
secp192k11.6 mSec3.0 mSec6.2 mSec
secp192r11.6 mSec3.0 mSec6.3 mSec
secp224k12.3 mSec4.2 mSec9.5 mSec
secp224r12.3 mSec4.2 mSec9.4 mSec
secp256k12.7 mSec5.2 mSec11 mSec
secp256r12.7 mSec5.0 mSec11 mSec
secp384r16.1 mSec11 mSec27 mSec
secp521r111 mSec21 mSec51 mSec
sect163k11.9 mSec3.6 mSec7.8 mSec
sect163r21.9 mSec3.6 mSec7.9 mSec
sect233k13.5 mSec6.9 mSec15 mSec
sect233r13.5 mSec6.4 mSec15 mSec
sect283k15.3 mSec10 mSec25 mSec
sect283r15.3 mSec9.8 mSec25 mSec
sect409k111 mSec22 mSec57 mSec
sect409r111 mSec21 mSec58 mSec
sect571k123 mSec45 mSec126 mSec
sect571r123 mSec46 mSec126 mSec

Dependencies

The SwiftECC package depends on the ASN1 and BigInt packages

dependencies: [
    .package(url: "https://github.com/leif-ibsen/ASN1", from: "1.2.1"),
    .package(url: "https://github.com/leif-ibsen/BigInt", from: "1.2.5"),
],

References

Algorithms from the following books and papers have been used in the implementation. There are references in the source code where appropriate.

  • [FIPS 180-4] - FIPS PUB 180-4 - Secure Hash Standard (SHS), August 2015
  • [GCM] - The Galois/Counter Mode of Operation (GCM)
  • [GUIDE] - Hankerson, Menezes, Vanstone: Guide to Elliptic Curve Cryptography. Springer 2004
  • [KNUTH] - Donald E. Knuth: Seminumerical Algorithms. Addison-Wesley 1971
  • [NIST] - NIST Special Publication 800-38D, November 2007
  • [RFC-6979] - Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA), August 2013
  • [SAVACS] - E. Savacs, C.K. Koc: The Montgomery Modular Inverse - Revisited, July 2000
  • [SEC 1] - Standards for Efficient Cryptography 1 (SEC 1), Certicom Corp. 2009
  • [SEC 2] - Standards for Efficient Cryptography 2 (SEC 2), Certicom Corp. 2010
  • [WARREN] - Henry S. Warren, Jr.: Montgomery Multiplication, July 2012
  • [X9.62] - X9.62 - Public Key Cryptography For The Financial Services Industry, 1998

Acknowledgement

The AES block cipher implementation is essentially a translation to Swift of the Go Language implementation of AES.

GitHub

link
Stars: 7
Last commit: 5 days ago

Ad: Job Offers

iOS Software Engineer @ Perry Street Software
Perry Street Software is Jack’d and SCRUFF. We are two of the world’s largest gay, bi, trans and queer social dating apps on iOS and Android. Our brands reach more than 20 million members worldwide so members can connect, meet and express themselves on a platform that prioritizes privacy and security. We invest heavily into SwiftUI and using Swift Packages to modularize the codebase.

Release Notes

Release 1.1.0
5 days ago
  1. Added 4 new unit tests: BrainpoolTest, FuzzTest, SHA2Test and VerifyTest

  2. Added extra validation steps in the signature verify method

  3. Added new methods in the Domain class: doublePoint, addPoints, subtractPoints, negatePoint and multiplyPoint that verify that their inputs are curve points. The old methods: double, add, subtract, negate and multiply are deprecated

Swiftpack is being maintained by Petr Pavlik | @ptrpavlik | @swiftpackco | API