void ed25519_sign(unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key, const unsigned char *private_key) {
sha512_context hash;
unsigned char hram[64];
unsigned char r[64];
ge_p3 R;
sha512_init(&hash);
sha512_update(&hash, private_key + 32, 32);
sha512_update(&hash, message, message_len);
sha512_final(&hash, r);
sc_reduce(r);
ge_scalarmult_base(&R, r);
ge_p3_tobytes(signature, &R);
sha512_init(&hash);
sha512_update(&hash, signature, 32);
sha512_update(&hash, public_key, 32);
sha512_update(&hash, message, message_len);
sha512_final(&hash, hram);
sc_reduce(hram);
sc_muladd(signature + 32, hram, private_key, r);
}
void ed25519_sign(unsigned char *signature, const unsigned char *message, int32_t message_len, const unsigned char *public_key, const unsigned char *private_key) {
sha3_context ctx;
unsigned char hram[64];
unsigned char r[64];
ge_p3 R;
sha3_init512(&ctx);
sha3_update(&ctx, private_key + 32, 32);
sha3_update(&ctx, message, message_len);
sha3_finalize(&ctx, &r);
sc_reduce(r);
ge_scalarmult_base(&R, r);
ge_p3_tobytes(signature, &R);
sha3_init512(&ctx);
sha3_update(&ctx, signature, 32);
sha3_update(&ctx, public_key, 32);
sha3_update(&ctx, message, message_len);
sha3_finalize(&ctx, hram);
sc_reduce(hram);
sc_muladd(signature + 32, hram, private_key, r);
}
void Sign_signMsg(uint8_t keyPair[64], struct Message* msg, struct Random* rand)
{
// az is set to the secret key followed by another secret value
// which since we don't have a secret seed in this algorithm is just the
// hash of the secret key and 32 bytes of random
uint8_t az[64];
uint8_t r[64];
ge_p3 R;
uint8_t hram[64];
Bits_memcpy(az, keyPair, 32);
Random_bytes(rand, &az[32], 32);
crypto_hash_sha512(az,az,64);
Bits_memcpy(az, keyPair, 32);
az[0] &= 248;
az[31] &= 63;
az[31] |= 64;
// hash message + secret number
Message_push(msg, &az[32], 32, NULL);
crypto_hash_sha512(r, msg->bytes, msg->length);
// Replace secret number with public key
Bits_memcpy(msg->bytes, &keyPair[32], 32);
// push pointMul(r) to message
sc_reduce(r);
ge_scalarmult_base(&R,r);
Message_shift(msg, 32, NULL);
ge_p3_tobytes(msg->bytes,&R);
crypto_hash_sha512(hram, msg->bytes, msg->length);
sc_reduce(hram);
sc_muladd(&msg->bytes[32], hram, az, r);
}
int crypto_sign(
unsigned char *sm,unsigned long long *smlen,
const unsigned char *m,unsigned long long mlen,
const unsigned char *sk
)
{
unsigned char az[64];
unsigned char r[64];
unsigned char hram[64];
ge_p3 R;
unsigned long long i;
crypto_hash_sha512(az,sk,32);
az[0] &= 248;
az[31] &= 63;
az[31] |= 64;
*smlen = mlen + 64;
for (i = 0;i < mlen;++i) sm[64 + i] = m[i];
for (i = 0;i < 32;++i) sm[32 + i] = az[32 + i];
crypto_hash_sha512(r,sm + 32,mlen + 32);
for (i = 0;i < 32;++i) sm[32 + i] = sk[32 + i];
sc_reduce(r);
ge_scalarmult_base(&R,r);
ge_p3_tobytes(sm,&R);
crypto_hash_sha512(hram,sm,mlen + 64);
sc_reduce(hram);
sc_muladd(sm + 32,hram,az,r);
return 0;
}
int crypto_sign_open(
unsigned char *sm, unsigned long long smlen,
const unsigned char *pk
)
{
unsigned char scopy[32];
unsigned char h[64];
unsigned char rcheck[32];
ge_p3 A;
ge_p2 R;
if (smlen < 64) goto badsig;
if (sm[63] & 224) goto badsig;
if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig;
memmove(scopy,sm + 32,32);
memmove(sm + 32,pk,32);
crypto_hash_sha512(h,sm,smlen);
sc_reduce(h);
ge_double_scalarmult_vartime(&R,h,&A,scopy);
ge_tobytes(rcheck,&R);
if (crypto_verify_32(rcheck,sm) == 0)
return 0;
badsig:
return -1;
}
int ed25519_verify(const unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key) {
unsigned char h[64];
unsigned char checker[32];
CC_SHA512_CTX hash;
ge_p3 A;
ge_p2 R;
if (signature[63] & 224) {
return 0;
}
if (ge_frombytes_negate_vartime(&A, public_key) != 0) {
return 0;
}
CC_SHA512_Init(&hash);
CC_SHA512_Update(&hash, signature, 32);
CC_SHA512_Update(&hash, public_key, 32);
CC_SHA512_Update_Long(&hash, message, message_len);
CC_SHA512_Final(h, &hash);
sc_reduce(h);
ge_double_scalarmult_vartime(&R, h, &A, signature + 32);
ge_tobytes(checker, &R);
if (!consttime_equal(checker, signature)) {
return 0;
}
return 1;
}
int crypto_sign_verify(const unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key) {
unsigned char h[64];
unsigned char checker[32];
SHA512_CTX hash;
ge_p3 A;
ge_p2 R;
if (signature[63] & 224) {
return -1;
}
if (ge_frombytes_negate_vartime(&A, public_key) != 0) {
return -2;
}
SHA512_Init(&hash);
SHA512_Update(&hash, signature, 32);
SHA512_Update(&hash, public_key, 32);
SHA512_Update(&hash, message, message_len);
SHA512_Final(h, &hash);
sc_reduce(h);
ge_double_scalarmult_vartime(&R, h, &A, signature + 32);
ge_tobytes(checker, &R);
if (!(crypto_verify_32(checker, signature) == 0)) {
return -3;
}
return 0;
}
int crypto_sign_open(
unsigned char *m,unsigned long long *mlen,
const unsigned char *sm,unsigned long long smlen,
const unsigned char *pk
)
{
unsigned char h[64];
unsigned char checkr[32];
ge_p3 A;
ge_p2 R;
unsigned long long i;
*mlen = -1;
if (smlen < 64) return -1;
if (sm[63] & 224) return -2;
if (ge_frombytes_negate_vartime(&A,pk) != 0) return -3;
for (i = 0;i < smlen;++i) m[i] = sm[i];
for (i = 0;i < 32;++i) m[32 + i] = pk[i];
SHA512(m, smlen, h);
sc_reduce(h);
ge_double_scalarmult_vartime(&R,h,&A,sm + 32);
ge_tobytes(checkr,&R);
if (crypto_verify_32(checkr,sm) != 0) {
for (i = 0;i < smlen;++i) m[i] = 0;
return crypto_verify_32(checkr,sm);
}
for (i = 0;i < smlen - 64;++i) m[i] = sm[64 + i];
for (i = smlen - 64;i < smlen;++i) m[i] = 0;
*mlen = smlen - 64;
return 0;
}
static themis_status_t ed_point_sign(uint8_t pos, const uint8_t *scalar, const ge_p3 *point, uint8_t *signature)
{
uint8_t r[ED25519_GE_LENGTH];
ge_p3 R;
uint8_t k[64];
soter_hash_ctx_t hash_ctx;
size_t hash_length = 64;
themis_status_t res;
generate_random_32(r);
ge_scalarmult_base(&R, r);
ge_p3_tobytes(k, &R);
res = soter_hash_init(&hash_ctx, SOTER_HASH_SHA512);
if (THEMIS_SUCCESS != res)
{
return res;
}
res = soter_hash_update(&hash_ctx, k, ED25519_GE_LENGTH);
if (THEMIS_SUCCESS != res)
{
soter_hash_final(&hash_ctx, k, &hash_length);
return res;
}
ge_scalarmult_blinded(&R, r, point);
ge_p3_tobytes(k, &R);
res = soter_hash_update(&hash_ctx, k, ED25519_GE_LENGTH);
if (THEMIS_SUCCESS != res)
{
soter_hash_final(&hash_ctx, k, &hash_length);
return res;
}
res = soter_hash_update(&hash_ctx, &pos, sizeof(pos));
if (THEMIS_SUCCESS != res)
{
soter_hash_final(&hash_ctx, k, &hash_length);
return res;
}
res = soter_hash_final(&hash_ctx, k, &hash_length);
if (THEMIS_SUCCESS != res)
{
return res;
}
if (THEMIS_SUCCESS == res)
{
sc_reduce(k);
memcpy(signature, k, ED25519_GE_LENGTH);
sc_muladd(signature + ED25519_GE_LENGTH, k, scalar, r);
}
return res;
}
int cced25519_verify(const struct ccdigest_info *di,
size_t mlen, const void *inMsg,
const ccec25519signature sig,
const ccec25519pubkey pk)
{
const uint8_t * const m = (const uint8_t *) inMsg;
ccdigest_di_decl(di, dc);
uint8_t h[64];
uint8_t checkr[32];
ge_p3 A;
ge_p2 R;
ASSERT_DIGEST_SIZE(di);
if (ge_frombytes_negate_vartime(&A,pk) != 0) return -1;
ccdigest_init(di,dc);
ccdigest_update(di,dc,32,sig);
ccdigest_update(di,dc,32,pk);
ccdigest_update(di,dc,mlen,m);
ccdigest_final(di,dc,h);
ccdigest_di_clear(di,dc);
sc_reduce(h);
ge_double_scalarmult_vartime(&R,h,&A,sig + 32);
ge_tobytes(checkr,&R);
return crypto_verify_32(checkr,sig);
}
int
_crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
const unsigned char *m, unsigned long long mlen,
const unsigned char *sk, int prehashed)
{
crypto_hash_sha512_state hs;
unsigned char az[64];
unsigned char nonce[64];
unsigned char hram[64];
ge_p3 R;
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
#ifdef ED25519_NONDETERMINISTIC
memcpy(az, sk, 32);
_crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az);
#else
crypto_hash_sha512(az, sk, 32);
crypto_hash_sha512_update(&hs, az + 32, 32);
#endif
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, nonce);
memmove(sig + 32, sk + 32, 32);
sc_reduce(nonce);
ge_scalarmult_base(&R, nonce);
ge_p3_tobytes(sig, &R);
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
crypto_hash_sha512_update(&hs, sig, 64);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, hram);
sc_reduce(hram);
_crypto_sign_ed25519_clamp(az);
sc_muladd(sig + 32, hram, az, nonce);
sodium_memzero(az, sizeof az);
sodium_memzero(nonce, sizeof nonce);
if (siglen_p != NULL) {
*siglen_p = 64U;
}
return 0;
}
static themis_status_t ed_dbl_base_sign(uint8_t pos, const uint8_t *scalar1, const uint8_t *scalar2, const ge_p3 *base1, const ge_p3 *base2, uint8_t *signature)
{
uint8_t r1[ED25519_GE_LENGTH];
uint8_t r2[ED25519_GE_LENGTH];
ge_p3 R1;
ge_p2 R2;
uint8_t k[64];
soter_hash_ctx_t hash_ctx;
size_t hash_length = 64;
themis_status_t res;
generate_random_32(r1);
generate_random_32(r2);
ge_scalarmult_blinded(&R1, r1, base2);
ge_double_scalarmult_vartime(&R2, r2, base1, r1);
res = soter_hash_init(&hash_ctx, SOTER_HASH_SHA512);
if (THEMIS_SUCCESS != res)
{
return res;
}
ge_p3_tobytes(k, &R1);
res = soter_hash_update(&hash_ctx, k, ED25519_GE_LENGTH);
if (THEMIS_SUCCESS != res)
{
soter_hash_final(&hash_ctx, k, &hash_length);
return res;
}
ge_tobytes(k, &R2);
res = soter_hash_update(&hash_ctx, k, ED25519_GE_LENGTH);
if (THEMIS_SUCCESS != res)
{
soter_hash_final(&hash_ctx, k, &hash_length);
return res;
}
res = soter_hash_update(&hash_ctx, &pos, sizeof(pos));
if (THEMIS_SUCCESS != res)
{
soter_hash_final(&hash_ctx, k, &hash_length);
return res;
}
res = soter_hash_final(&hash_ctx, k, &hash_length);
if (THEMIS_SUCCESS == res)
{
sc_reduce(k);
memcpy(signature, k, ED25519_GE_LENGTH);
sc_muladd(signature + ED25519_GE_LENGTH, k, scalar1, r1);
sc_muladd(signature + (2 * ED25519_GE_LENGTH), k, scalar2, r2);
}
return res;
}
int
crypto_sign_detached(unsigned char *sig, unsigned long long *siglen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *sk)
{
crypto_hash_sha512_state hs;
unsigned char pk[32];
unsigned char az[64];
unsigned char nonce[64];
unsigned char hram[64];
ge_p3 R;
memmove(pk, sk + 32, 32);
crypto_hash_sha512(az, sk, 32);
az[0] &= 248;
az[31] &= 63;
az[31] |= 64;
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, az + 32, 32);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, nonce);
memmove(sig + 32, pk, 32);
sc_reduce(nonce);
ge_scalarmult_base(&R, nonce);
ge_p3_tobytes(sig, &R);
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, sig, 64);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, hram);
sc_reduce(hram);
sc_muladd(sig + 32, hram, az, nonce);
sodium_memzero(az, sizeof az);
sodium_memzero(nonce, sizeof nonce);
if (siglen != NULL) {
*siglen = 64U;
}
return 0;
}
/* NEW: Compare to pristine crypto_sign()
Uses explicit private key for nonce derivation and as scalar,
instead of deriving both from a master key.
*/
int crypto_sign_modified(
unsigned char *sm,
const unsigned char *m,unsigned long long mlen,
const unsigned char *sk, const unsigned char* pk,
const unsigned char* random
)
{
unsigned char nonce[64];
unsigned char hram[64];
ge_p3 R;
int count=0;
memmove(sm + 64,m,mlen);
memmove(sm + 32,sk,32); /* NEW: Use privkey directly for nonce derivation */
/* NEW : add prefix to separate hash uses - see .h */
sm[0] = 0xFE;
for (count = 1; count < 32; count++)
sm[count] = 0xFF;
/* NEW: add suffix of random data */
memmove(sm + mlen + 64, random, 64);
crypto_hash_sha512(nonce,sm,mlen + 128);
memmove(sm + 32,pk,32);
sc_reduce(nonce);
ge_scalarmult_base(&R,nonce);
ge_p3_tobytes(sm,&R);
crypto_hash_sha512(hram,sm,mlen + 64);
sc_reduce(hram);
sc_muladd(sm + 32,hram,sk,nonce); /* NEW: Use privkey directly */
/* NEW: Try to erase any traces of privkey or
nonce left in the stack from sc_muladd. */
zeroize_stack();
zeroize(nonce, 64);
return 0;
}
int crypto_sign(
unsigned char *sig,
const unsigned char *m, size_t mlen,
const unsigned char *sk,const unsigned char *pk
)
{
unsigned char nonce[64];
unsigned char hram[64];
ge_p3 R;
crypto_hash_sha512_2(nonce, sk+32, 32, m, mlen);
sc_reduce(nonce);
ge_scalarmult_base(&R,nonce);
ge_p3_tobytes(sig,&R);
crypto_hash_sha512_3(hram, sig, 32, pk, 32, m, mlen);
sc_reduce(hram);
sc_muladd(sig + 32,hram,sk,nonce);
return 0;
}
void ed25519_sign(unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key, const unsigned char *private_key) {
CC_SHA512_CTX hash;
unsigned char hram[64];
unsigned char r[64];
ge_p3 R;
CC_SHA512_Init(&hash);
CC_SHA512_Update(&hash, private_key + 32, 32);
CC_SHA512_Update_Long(&hash, message, message_len);
CC_SHA512_Final(r, &hash);
sc_reduce(r);
ge_scalarmult_base(&R, r);
ge_p3_tobytes(signature, &R);
CC_SHA512_Init(&hash);
CC_SHA512_Update(&hash, signature, 32);
CC_SHA512_Update(&hash, public_key, 32);
CC_SHA512_Update_Long(&hash, message, message_len);
CC_SHA512_Final(hram, &hash);
sc_reduce(hram);
sc_muladd(signature + 32, hram, private_key, r);
}
int crypto_sign_edwards25519sha512batch(unsigned char *sm,
unsigned long long *smlen_p,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *sk)
{
crypto_hash_sha512_state hs;
unsigned char nonce[64];
unsigned char hram[64];
unsigned char sig[64];
ge_p3 A;
ge_p3 R;
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, sk + 32, 32);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, nonce);
ge_scalarmult_base(&A, sk);
ge_p3_tobytes(sig + 32, &A);
sc_reduce(nonce);
ge_scalarmult_base(&R, nonce);
ge_p3_tobytes(sig, &R);
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, sig, 32);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, hram);
sc_reduce(hram);
sc_muladd(sig + 32, hram, nonce, sk);
sodium_memzero(hram, sizeof hram);
memmove(sm + 32, m, (size_t) mlen);
memcpy(sm, sig, 32);
memcpy(sm + 32 + mlen, sig + 32, 32);
*smlen_p = mlen + 64U;
return 0;
}
int crypto_sign_edwards25519sha512batch_open(unsigned char *m,
unsigned long long *mlen_p,
const unsigned char *sm,
unsigned long long smlen,
const unsigned char *pk)
{
unsigned char h[64];
unsigned char t1[32], t2[32];
unsigned long long mlen;
ge_cached Ai;
ge_p1p1 csa;
ge_p2 cs;
ge_p3 A;
ge_p3 R;
ge_p3 cs3;
*mlen_p = 0;
if (smlen < 64 || smlen > SIZE_MAX) {
return -1;
}
mlen = smlen - 64;
if (sm[smlen - 1] & 224) {
return -1;
}
if (ge_frombytes_negate_vartime(&A, pk) != 0 ||
ge_frombytes_negate_vartime(&R, sm) != 0) {
return -1;
}
ge_p3_to_cached(&Ai, &A);
crypto_hash_sha512(h, sm, mlen + 32);
sc_reduce(h);
ge_scalarmult_vartime(&cs3, h, &R);
ge_add(&csa, &cs3, &Ai);
ge_p1p1_to_p2(&cs, &csa);
ge_tobytes(t1, &cs);
t1[31] ^= 1 << 7;
ge_scalarmult_base(&R, sm + 32 + mlen);
ge_p3_tobytes(t2, &R);
if (crypto_verify_32(t1, t2) != 0) {
return -1;
}
*mlen_p = mlen;
memmove(m, sm + 32, mlen);
return 0;
}
void sc_muladd(byte* out, const byte* a, const byte* b, const byte* c)
{
byte s[32];
byte e[64];
XMEMSET(e, 0, sizeof(e));
XMEMCPY(e, b, 32);
/* Obtain e */
sc_reduce(e);
/* Compute s = ze + k */
fprime_mul(s, a, e, ed25519_order);
fprime_add(s, c, ed25519_order);
XMEMCPY(out, s, 32);
}
int
crypto_sign_verify_detached(const unsigned char *sig, const unsigned char *m,
unsigned long long mlen, const unsigned char *pk)
{
crypto_hash_sha512_state hs;
unsigned char h[64];
unsigned char rcheck[32];
unsigned int i;
unsigned char d = 0;
ge_p3 A;
ge_p2 R;
#ifdef ED25519_PREVENT_MALLEABILITY
if (crypto_sign_check_S_lt_l(sig + 32) != 0) {
return -1;
}
#else
if (sig[63] & 224) {
return -1;
}
#endif
if (ge_frombytes_negate_vartime(&A, pk) != 0) {
return -1;
}
for (i = 0; i < 32; ++i) {
d |= pk[i];
}
if (d == 0) {
return -1;
}
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, sig, 32);
crypto_hash_sha512_update(&hs, pk, 32);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, h);
sc_reduce(h);
ge_double_scalarmult_vartime(&R, h, &A, sig + 32);
ge_tobytes(rcheck, &R);
return crypto_verify_32(rcheck, sig) | (-(rcheck - sig == 0)) |
sodium_memcmp(sig, rcheck, 32);
}
int
main (int argc, char **argv)
{
int mpiret;
int mpirank, mpisize;
int i, j;
char cvalue, cresult;
int ivalue, iresult;
unsigned short usvalue, usresult;
long lvalue, lresult;
float fvalue[3], fresult[3], fexpect[3];
double dvalue, dresult;
MPI_Comm mpicomm;
mpiret = MPI_Init (&argc, &argv);
SC_CHECK_MPI (mpiret);
mpicomm = MPI_COMM_WORLD;
mpiret = MPI_Comm_size (mpicomm, &mpisize);
SC_CHECK_MPI (mpiret);
mpiret = MPI_Comm_rank (mpicomm, &mpirank);
SC_CHECK_MPI (mpiret);
sc_init (mpicomm, 1, 1, NULL, SC_LP_DEFAULT);
/* test allreduce int max */
ivalue = mpirank;
sc_allreduce (&ivalue, &iresult, 1, MPI_INT, MPI_MAX, mpicomm);
SC_CHECK_ABORT (iresult == mpisize - 1, "Allreduce mismatch");
/* test reduce float max */
fvalue[0] = (float) mpirank;
fexpect[0] = (float) (mpisize - 1);
fvalue[1] = (float) (mpirank % 9 - 4);
fexpect[1] = (float) (mpisize >= 9 ? 4 : (mpisize - 1) % 9 - 4);
fvalue[2] = (float) (mpirank % 6);
fexpect[2] = (float) (mpisize >= 6 ? 5 : (mpisize - 1) % 6);
for (i = 0; i < mpisize; ++i) {
sc_reduce (fvalue, fresult, 3, MPI_FLOAT, MPI_MAX, i, mpicomm);
if (i == mpirank) {
for (j = 0; j < 3; ++j) {
SC_CHECK_ABORTF (fresult[j] == fexpect[j], /* ok */
"Reduce mismatch in %d", j);
}
}
}
/* test allreduce char min */
cvalue = (char) (mpirank % 127);
sc_allreduce (&cvalue, &cresult, 1, MPI_CHAR, MPI_MIN, mpicomm);
SC_CHECK_ABORT (cresult == 0, "Allreduce mismatch");
/* test reduce unsigned short min */
usvalue = (unsigned short) (mpirank % 32767);
for (i = 0; i < mpisize; ++i) {
sc_reduce (&usvalue, &usresult, 1, MPI_UNSIGNED_SHORT, MPI_MIN, i,
mpicomm);
if (i == mpirank) {
SC_CHECK_ABORT (usresult == 0, "Reduce mismatch");
}
}
/* test allreduce long sum */
lvalue = (long) mpirank;
sc_allreduce (&lvalue, &lresult, 1, MPI_LONG, MPI_SUM, mpicomm);
SC_CHECK_ABORT (lresult == ((long) (mpisize - 1)) * mpisize / 2,
"Allreduce mismatch");
/* test reduce double sum */
dvalue = (double) mpirank;
for (i = 0; i < mpisize; ++i) {
sc_reduce (&dvalue, &dresult, 1, MPI_DOUBLE, MPI_SUM, i, mpicomm);
if (i == mpirank) {
SC_CHECK_ABORT (dresult == ((double) (mpisize - 1)) * mpisize / 2., /* ok */
"Reduce mismatch");
}
}
sc_finalize ();
mpiret = MPI_Finalize ();
SC_CHECK_MPI (mpiret);
return 0;
}
/*
in contains the message to sign
inlen is the length of the message to sign
out is the buffer to write the signature
outLen [in/out] input size of out buf
output gets set as the final length of out
key is the ed25519 key to use when signing
return 0 on success
*/
int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out,
word32 *outLen, ed25519_key* key)
{
ge_p3 R;
byte nonce[SHA512_DIGEST_SIZE];
byte hram[SHA512_DIGEST_SIZE];
byte az[ED25519_PRV_KEY_SIZE];
Sha512 sha;
int ret;
/* sanity check on arguments */
if (in == NULL || out == NULL || outLen == NULL || key == NULL)
return BAD_FUNC_ARG;
/* check and set up out length */
if (*outLen < ED25519_SIG_SIZE) {
*outLen = ED25519_SIG_SIZE;
return BUFFER_E;
}
*outLen = ED25519_SIG_SIZE;
/* step 1: create nonce to use where nonce is r in
r = H(h_b, ... ,h_2b-1,M) */
ret = wc_Sha512Hash(key->k, ED25519_KEY_SIZE, az);
if (ret != 0)
return ret;
/* apply clamp */
az[0] &= 248;
az[31] &= 63; /* same than az[31] &= 127 because of az[31] |= 64 */
az[31] |= 64;
ret = wc_InitSha512(&sha);
if (ret != 0)
return ret;
ret = wc_Sha512Update(&sha, az + ED25519_KEY_SIZE, ED25519_KEY_SIZE);
if (ret != 0)
return ret;
ret = wc_Sha512Update(&sha, in, inlen);
if (ret != 0)
return ret;
ret = wc_Sha512Final(&sha, nonce);
if (ret != 0)
return ret;
sc_reduce(nonce);
/* step 2: computing R = rB where rB is the scalar multiplication of
r and B */
ge_scalarmult_base(&R,nonce);
ge_p3_tobytes(out,&R);
/* step 3: hash R + public key + message getting H(R,A,M) then
creating S = (r + H(R,A,M)a) mod l */
ret = wc_InitSha512(&sha);
if (ret != 0)
return ret;
ret = wc_Sha512Update(&sha, out, ED25519_SIG_SIZE/2);
if (ret != 0)
return ret;
ret = wc_Sha512Update(&sha, key->p, ED25519_PUB_KEY_SIZE);
if (ret != 0)
return ret;
ret = wc_Sha512Update(&sha, in, inlen);
if (ret != 0)
return ret;
ret = wc_Sha512Final(&sha, hram);
if (ret != 0)
return ret;
sc_reduce(hram);
sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
return ret;
}
/*
sig is array of bytes containing the signature
siglen is the length of sig byte array
msg the array of bytes containing the message
msglen length of msg array
stat will be 1 on successful verify and 0 on unsuccessful
*/
int wc_ed25519_verify_msg(byte* sig, word32 siglen, const byte* msg,
word32 msglen, int* stat, ed25519_key* key)
{
byte rcheck[ED25519_KEY_SIZE];
byte h[SHA512_DIGEST_SIZE];
ge_p3 A;
ge_p2 R;
int ret;
Sha512 sha;
/* sanity check on arguments */
if (sig == NULL || msg == NULL || stat == NULL || key == NULL)
return BAD_FUNC_ARG;
/* set verification failed by default */
*stat = 0;
/* check on basics needed to verify signature */
if (siglen < ED25519_SIG_SIZE || (sig[ED25519_SIG_SIZE-1] & 224))
return BAD_FUNC_ARG;
/* uncompress A (public key), test if valid, and negate it */
if (ge_frombytes_negate_vartime(&A, key->p) != 0)
return BAD_FUNC_ARG;
/* find H(R,A,M) and store it as h */
ret = wc_InitSha512(&sha);
if (ret != 0)
return ret;
ret = wc_Sha512Update(&sha, sig, ED25519_SIG_SIZE/2);
if (ret != 0)
return ret;
ret = wc_Sha512Update(&sha, key->p, ED25519_PUB_KEY_SIZE);
if (ret != 0)
return ret;
ret = wc_Sha512Update(&sha, msg, msglen);
if (ret != 0)
return ret;
ret = wc_Sha512Final(&sha, h);
if (ret != 0)
return ret;
sc_reduce(h);
/*
Uses a fast single-signature verification SB = R + H(R,A,M)A becomes
SB - H(R,A,M)A saving decompression of R
*/
ret = ge_double_scalarmult_vartime(&R, h, &A, sig + (ED25519_SIG_SIZE/2));
if (ret != 0)
return ret;
ge_tobytes(rcheck, &R);
/* comparison of R created to R in sig */
ret = ConstantCompare(rcheck, sig, ED25519_SIG_SIZE/2);
if (ret != 0)
return ret;
/* set the verification status */
*stat = 1;
return ret;
}
void
problem_init
(
int argc,
char* argv [],
p4est_t* p4est,
p4est_geometry_t* p4est_geom,
dgmath_jit_dbase_t* dgmath_jit_dbase,
int proc_size,
sc_MPI_Comm mpicomm,
int load_from_checkpoint
)
{
mpi_assert((P4EST_DIM) == 2 || (P4EST_DIM) == 3);
int world_rank, world_size;
sc_MPI_Comm_rank(sc_MPI_COMM_WORLD, &world_rank);
sc_MPI_Comm_size(sc_MPI_COMM_WORLD, &world_size);
double* Au = P4EST_ALLOC_ZERO(double, 1);
double* rhs = P4EST_ALLOC_ZERO(double, 1);
double* u = P4EST_ALLOC_ZERO(double, 1);
double* f = P4EST_ALLOC_ZERO(double, 1);
double* u_analytic = P4EST_ALLOC_ZERO(double, 1);
int local_nodes = 1;
problem_input_t input = problem_input("options.input");
int endlevel = input.endlevel;
int degree = input.degree;
ip_flux_params_t ip_flux_params;
ip_flux_params.ip_flux_penalty_prefactor = input.ip_flux_penalty;
ip_flux_params.ip_flux_penalty_calculate_fcn = sipg_flux_vector_calc_penalty_maxp2_over_minh;
p4est_ghost_t* ghost = p4est_ghost_new (p4est, P4EST_CONNECT_FACE);
/* create space for storing the ghost data */
element_data_t* ghost_data = P4EST_ALLOC (element_data_t,
ghost->ghosts.elem_count);
p4est_partition(p4est, 0, NULL);
p4est_balance (p4est, P4EST_CONNECT_FACE, NULL);
grid_fcn_t boundary_flux_fcn = zero_fcn;
problem_data_t prob_vecs;
prob_vecs.rhs = rhs;
prob_vecs.Au = Au;
prob_vecs.u = u;
prob_vecs.f = f;
prob_vecs.local_nodes = local_nodes;
for (int level = 0; level < endlevel; ++level){
if (level != 0){
p4est_refine_ext(p4est,
0,
-1,
refine_function,
NULL,
NULL
);
p4est_balance_ext
(
p4est,
P4EST_CONNECT_FACE,
NULL,
NULL
);
p4est_ghost_destroy(ghost);
P4EST_FREE(ghost_data);
ghost = p4est_ghost_new(p4est, P4EST_CONNECT_FACE);
ghost_data = P4EST_ALLOC(element_data_t, ghost->ghosts.elem_count);
}
}
p4est_partition(p4est, 1, NULL);
p4est_balance_ext
(
p4est,
P4EST_CONNECT_FACE,
NULL,
NULL
);
p4est_ghost_destroy(ghost);
P4EST_FREE(ghost_data);
ghost = p4est_ghost_new(p4est, P4EST_CONNECT_FACE);
ghost_data = P4EST_ALLOC(element_data_t, ghost->ghosts.elem_count);
weakeqn_ptrs_t prob_fcns;
prob_fcns.apply_lhs = problem_apply_aij;
element_data_init(p4est, degree);
local_nodes = element_data_get_local_nodes(p4est);
printf("RANK %d: Nodes = %d\n", world_rank, local_nodes);
Au = P4EST_REALLOC(Au, double, local_nodes);
u = P4EST_REALLOC(u, double, local_nodes);
f = P4EST_REALLOC(f, double, local_nodes);
rhs = P4EST_REALLOC(rhs, double, local_nodes);
u_analytic = P4EST_REALLOC(u_analytic, double, local_nodes);
prob_vecs.Au = Au;
prob_vecs.u = u;
prob_vecs.f = f;
prob_vecs.rhs = rhs;
prob_vecs.local_nodes = local_nodes;
linalg_fill_vec(u, 0., local_nodes);
element_data_init_node_vec(p4est,f,f_fcn,dgmath_jit_dbase);
prob_vecs.vector_flux_fcn_data
= sipg_flux_vector_dirichlet_fetch_fcns
(
boundary_fcn,
&ip_flux_params
);
prob_vecs.scalar_flux_fcn_data
= sipg_flux_scalar_dirichlet_fetch_fcns
(
boundary_flux_fcn
);
problem_build_rhs
(
p4est,
&prob_vecs,
&prob_fcns,
ghost,
ghost_data,
dgmath_jit_dbase
);
clock_t begin = 0;
clock_t end = -1;
if (world_rank == 0){
begin = clock();
}
int vcycle_iter = 3;
double vcycle_rtol = 1e-3;
double vcycle_atol = 0.;
int smooth_iter = 8;
int cg_eigs_iter = 10;
double max_eig_factor = 1.1;
int max_eig_reuse = 1;
double lmax_lmin_rat = 30.;
int coarse_iter = 100;
double coarse_rtol = 1e-8;
int save_vtk_snapshot = 0;
int perform_checksum = 0;
multigrid_data_t* mg_data
= multigrid_data_init
(
world_rank,
endlevel,
vcycle_iter,
vcycle_rtol,
vcycle_atol,
smooth_iter,
cg_eigs_iter,
max_eig_factor,
max_eig_reuse,
lmax_lmin_rat,
CG,
coarse_iter,
coarse_rtol,
save_vtk_snapshot,
perform_checksum,
RES_AND_EIG_LOG,
dgmath_jit_dbase
);
multigrid_solve
(
p4est,
&prob_vecs,
&prob_fcns,
mg_data,
&ghost,
&ghost_data
);
multigrid_data_destroy(mg_data);
element_data_init_node_vec(p4est, u_analytic, analytic_solution_fcn, dgmath_jit_dbase);
linalg_vec_axpy(-1., u, u_analytic, local_nodes);
double local_l2_norm_sqr = element_data_compute_l2_norm_sqr_no_local
(
p4est,
u_analytic,
dgmath_jit_dbase
);
double local_nodes_dbl = (double)local_nodes;
double local_reduce [2];
local_reduce[0] = local_nodes_dbl;
local_reduce[1] = local_l2_norm_sqr;
double global_reduce [2];
sc_reduce
(
&local_reduce[0],
&global_reduce[0],
2,
sc_MPI_DOUBLE,
sc_MPI_SUM,
0,
sc_MPI_COMM_WORLD
);
double global_nodes_dbl = global_reduce[0];
double global_l2_norm_sqr = global_reduce[1];
if (world_rank == 0){
end = clock();
double time_spent = (double)(end - begin) / CLOCKS_PER_SEC;
printf
(
"\n\n[HP_AMR]: %d %d %d %.25f %f \n\n",
degree,
(int)p4est->global_num_quadrants,
(int)global_nodes_dbl,
sqrt(global_l2_norm_sqr),
/* info.iterations, */
/* info.residual_norm, */
time_spent
);
}
if (ghost) {
p4est_ghost_destroy (ghost);
P4EST_FREE (ghost_data);
ghost = NULL;
ghost_data = NULL;
}
P4EST_FREE(f);
P4EST_FREE(Au);
P4EST_FREE(rhs);
P4EST_FREE(u_analytic);
P4EST_FREE(u);
}