/*Secret keys are 64 bytes. First 32 bytes are an exponent, second 32 are
hashed with last 32 bytes of h(m) to give k*/
void crypto_sign_keypair_ecdsa256sha512(unsigned char *pk,
unsigned char *sk){
point p;
randombytes(sk, 64);
p256scalarmult_base(&p, sk); //first 32 bytes are used only
p256pack(pk, &p);
}
int main(){
point p;
unsigned char exp[32]={0, 211, 216, 143, 5, 130, 69, 158, 239,
207, 161, 203, 214, 71, 167, 161, 224, 34,
186, 100, 243, 209, 97, 245, 169, 119, 162,
242, 166, 27, 103, 98};
unsigned char out[64];
p256scalarmult_base(&p, exp);
printf("exp=0x");
for(int i=0; i<32; i++){
printf("%02x", exp[i]);
}
printf("\n");
p256pack(out, &p);
printf("x=0x");
for(int i=0; i<32; i++){
printf("%02x", out[i]);
}
printf("\n");
printf("y=0x");
for(int i=32; i<64; i++){
printf("%02x", out[i]);
}
printf("\n");
exit(0);
}
int
crypto_dh_nistp256_wbl_keypair(unsigned char *pk, unsigned char *sk)
{
point temp;
randombytes(sk, 32);
p256scalarmult_base(&temp, sk);
p256pack(pk, &temp);
return 0;
}
int
crypto_dh_nistp256_wbl(unsigned char *out, const unsigned char *p,
const unsigned char *n)
{
point temp;
p256unpack(&temp, p);
if(!p256oncurvefinite(&temp)){ //we don't have a good point
p256scalarmult_base(&temp, n); //use the basepoint instead
} else {
p256scalarmult(&temp, &temp, n);
}
p256pack(out, &temp);
return 0;
}
int main(){
unsigned char exp[32];
point temp;
unsigned char otherexp[32];
point b;
point basepoint;
printf("start\n");
printf("exp section\n");
for(int i=0; i<10; i++){
//note that in future this will be wrapped up as scalarmult
randombytes(exp, 32);
p256scalarmult_base(&temp, exp);
if(p256oncurvefinite(&temp)){
printf("1\n");
}else{
printf("0\n");
}
}
exit(0);
}
/*The format of signed messages is as follows: the first 64 bytes are a
signature, the first 32 being r, the second 32 s. The message follows.*/
void crypto_sign_ecdsa256sha512(unsigned char *sm, unsigned long long *smlen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *sk){
unsigned char mhash[64];
unsigned char kchar[64];
unsigned char rchar[64];
unsigned char expt[32];
scp256 z;
scp256 k;
point R;
scp256 r;
scp256 d;
scp256 kinv;
scp256 s;
scp256 t1;
scp256 t2;
memcpy(sm+64, m, mlen);
*smlen=mlen+64;
crypto_hash(mhash, m, mlen);
scp256_unpack(&z, mhash);
/*We could append sk, but I worry about secret key leaks
with mmapped memory*/
memcpy(mhash, sk+32, 32);
crypto_hash(kchar, mhash, 64);
scp256_from64bytes(&k, kchar); //not FIPS compliant, but that's okay
scp256_pack(expt, &k);
p256scalarmult_base(&R, expt);
p256pack(rchar, &R);
scp256_unpack(&r, rchar); //this is just x
scp256_unpack(&d, sk); //the secret exponent
scp256_mul(&t1, &d, &r);
scp256_add(&t2, &z, &t1); //z+rd
scp256_inv(&kinv, &k);
scp256_mul(&s, &kinv, &t2); //k^{-1}(z-rd)
scp256_pack(sm, &r); //r goes first
scp256_pack(sm+32, &s); //s goes next.
//what about r=0 or s=0? Then we can't sign this message, ever.
//so let's assume that doesn't happen.
//this is okay: signer will not accept it
}
