/*
 * Derive a Schnorr public key from a secret scalar encoding.
 *
 * @param pk  output, SCHNORR_PUBLICKEYBYTES bytes: packed encoding of sk*B.
 * @param sk  input, SCHNORR_SECRETKEYBYTES bytes: 32-byte scalar encoding.
 * @return 0 (none of the callees used here reports a failure).
 *
 * NOTE(review): the local scalar copy is not wiped before return; the
 * sibling routines in this listing clear such intermediates — confirm
 * whether that is expected here as well.
 */
int schnorr_publickey(uint8_t pk[SCHNORR_PUBLICKEYBYTES], const uint8_t sk[SCHNORR_SECRETKEYBYTES])
{
    sc25519 scalar;
    ge25519 point;

    /* Load the scalar, multiply the base point, serialise the result. */
    sc25519_from32bytes(&scalar, sk);
    ge25519_scalarmult_base(&point, &scalar);
    ge25519_pack(pk, &point);

    return 0;
}
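/*
 * Verify an Ed25519 signed message and recover the message.
 *
 * Layout of sm (n bytes): R (32) | S (32) | message (n - 64).
 * On success the message is moved to the front of m, *mlen is set to
 * n - 64, the 64 bytes of m after the message are zeroed and 0 is returned.
 * On failure m[0..n) is zeroed, *mlen is set to 0 and -1 is returned.
 *
 * m must have room for n bytes: the whole of sm is copied into it first so
 * that the hash input R | pk | message can be assembled in place.
 *
 * @param m     output buffer, at least n bytes.
 * @param mlen  receives the message length (0 on failure); must not be NULL.
 * @param sm    signed message, n bytes.
 * @param n     length of sm.
 * @param pk    32-byte public key.
 * @return 0 on success, -1 on failure.
 */
int crypto_sign_ed25519_tinynacl_open(unsigned char *m, unsigned long long *mlen,
                                      const unsigned char *sm, unsigned long long n,
                                      const unsigned char *pk)
{
    long long i;
    unsigned char pkcopy[32], rcopy[32], scopy[32], hram[64], rcheck[32];
    ge25519 R, S, A;
    int ret = -1;

    /* A signed message carries at least R and S. */
    if (n < 64) goto fail;
    /* Reject an S with any of its top three bits set (S >= 2^253).
     * NOTE(review): this does not establish S < L; confirm whether the
     * project requires fully canonical S (non-malleable signatures). */
    if (sm[63] & 224) goto fail;

    /* Decode pk into A. The helper's name indicates it stores the negated
     * point, which is what the R' = S*B + hram*A combination below relies on. */
    if (ge25519_frombytes_negate_vartime(A, pk) != 0) goto fail;

    /* Keep private copies of pk, R and S before m is written: the backward
     * copy below is overlap-safe, so m and sm may alias. */
    for (i = 0; i < 32; ++i) pkcopy[i] = pk[i];
    for (i = 0; i < 32; ++i) rcopy[i] = sm[i];
    for (i = 0; i < 32; ++i) scopy[i] = sm[i + 32];

    /* Build R | pk | message in m. */
    for (i = n - 1; i >= 0; --i) m[i] = sm[i];
    for (i = 0; i < 32; ++i) m[i + 32] = pkcopy[i];

    /* hram = H(R, pk, message), reduced. */
    crypto_hash_sha512(hram, m, n);
    sc25519_reduce(hram);

    /* R' = S*B + hram*A (A holding the negated key); valid iff R' == R. */
    ge25519_scalarmult(A, A, hram);
    ge25519_scalarmult_base(S, scopy);
    ge25519_add(R, S, A);

    ge25519_tobytes(rcheck, R);
    if (crypto_verify_32(rcheck, rcopy) != 0) goto fail;

    /* Shift the message to the front of m and clear the 64-byte tail. */
    n -= 64;
    *mlen = n;
    for (i = 0; i < n; ++i) m[i] = m[i + 64];
    for (i = 0; i < 64; ++i) m[i + n] = 0;
    ret = 0;
    goto cleanup;

fail:
    /* Leave nothing of the (possibly partially copied) input in m, and give
     * a caller that reads *mlen before checking the return a safe value. */
    *mlen = 0;
    for (i = 0; i < n; ++i) m[i] = 0;

cleanup:
    cleanup(pkcopy);
    cleanup(rcopy);
    cleanup(scopy);
    cleanup(hram);
    cleanup(rcheck);
    cleanup(R);
    cleanup(S);
    cleanup(A);
    return ret;
}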
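/*
 * Sign m with the 64-byte secret key sk, producing sm = R (32) | S (32) | m.
 *
 * sm must have room for mlen + 64 bytes. The message is copied into sm
 * first because the nonce hash input (extsk[32..63] | m) is assembled in
 * place at sm + 32.
 *
 * @param sm     output, mlen + 64 bytes.
 * @param smlen  receives mlen + 64; must not be NULL.
 * @param m      message, mlen bytes.
 * @param mlen   message length.
 * @param sk     64-byte secret key; sk + 32 is handed to get_hram in what is
 *               presumably the public-key position.
 * @return 0.
 *
 * Secret intermediates (expanded key, nonce hash, nonce scalar, secret
 * scalar) are wiped before return, matching the sodium_memzero / cleanup
 * discipline of the sibling implementations.
 */
int crypto_sign_ed25519( unsigned char *sm,unsigned long long *smlen, const unsigned char *m,unsigned long long mlen, const unsigned char *sk )
{
    sc25519 sck, scs, scsk;
    ge25519 ger;
    unsigned char r[32];
    unsigned char s[32];
    unsigned char extsk[64];
    unsigned long long i;
    unsigned char hmg[crypto_hash_sha512_BYTES];
    unsigned char hram[crypto_hash_sha512_BYTES];
    volatile unsigned char *wipe;

    /* Expand the seed: extsk[0..31] is the clamped secret scalar,
     * extsk[32..63] the nonce-derivation prefix. */
    crypto_hash_sha512(extsk, sk, 32);
    extsk[0] &= 248;
    extsk[31] &= 127;
    extsk[31] |= 64;

    *smlen = mlen+64;
    for(i=0;i<mlen;i++) sm[64 + i] = m[i];
    for(i=0;i<32;i++) sm[32 + i] = extsk[32+i];

    /* Generate k as h(extsk[32],...,extsk[63],m) */
    crypto_hash_sha512(hmg, sm+32, mlen+32);

    /* Computation of R */
    sc25519_from64bytes(&sck, hmg);
    ge25519_scalarmult_base(&ger, &sck);
    ge25519_pack(r, &ger);

    /* Computation of s */
    for(i=0;i<32;i++) sm[i] = r[i];
    get_hram(hram, sm, sk+32, sm, mlen+64);
    sc25519_from64bytes(&scs, hram);
    sc25519_from32bytes(&scsk, extsk);
    sc25519_mul(&scs, &scs, &scsk);
    sc25519_add(&scs, &scs, &sck);
    sc25519_to32bytes(s,&scs);

    /* cat s */
    for(i=0;i<32;i++) sm[32 + i] = s[i];

    /* Wipe secret material through volatile stores; a plain memset of a
     * dying local may be removed by the optimiser. */
    wipe = extsk;
    for(i=0;i<sizeof extsk;i++) wipe[i] = 0;
    wipe = hmg;
    for(i=0;i<sizeof hmg;i++) wipe[i] = 0;
    wipe = (volatile unsigned char *)&sck;
    for(i=0;i<sizeof sck;i++) wipe[i] = 0;
    wipe = (volatile unsigned char *)&scsk;
    for(i=0;i<sizeof scsk;i++) wipe[i] = 0;

    return 0;
}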
/*
 * Internal Ed25519 signer shared by the detached and prehashed entry points.
 *
 * @param sig       output, 64 bytes: R (32) | S (32).
 * @param siglen_p  if non-NULL, receives 64.
 * @param m         message (or prehash, when prehashed != 0), mlen bytes.
 * @param mlen      length of m.
 * @param sk        64-byte secret key: seed (32) | public key (32).
 * @param prehashed forwarded to the hash initialiser, which selects the
 *                  domain-separation prefix for both hashes below.
 * @return 0.
 */
int _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p, const unsigned char *m, unsigned long long mlen, const unsigned char *sk, int prehashed)
{
    crypto_hash_sha512_state hs;
    unsigned char az[64];     /* secret scalar material (32) | nonce prefix (32) */
    unsigned char nonce[64];  /* r: hash output, then reduced in place */
    unsigned char hram[64];   /* H(R | A | m): hash output, then reduced in place */
    ge25519_p3 R;

    _crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
#ifdef ED25519_NONDETERMINISTIC
    /* Nondeterministic build: az[0..31] is the seed itself, and the
     * synthetic-r helper feeds the nonce hash. */
    memcpy(az, sk, 32);
    _crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az);
#else
    /* Default build: az = H(seed); the nonce hash absorbs az[32..63]. */
    crypto_hash_sha512(az, sk, 32);
    crypto_hash_sha512_update(&hs, az + 32, 32);
#endif
    crypto_hash_sha512_update(&hs, m, mlen);
    crypto_hash_sha512_final(&hs, nonce);

    /* sig[32..63] temporarily holds the public key so the hram hash can
     * read R | A straight out of sig. */
    memmove(sig + 32, sk + 32, 32);

    sc25519_reduce(nonce);
    ge25519_scalarmult_base(&R, nonce);
    ge25519_p3_tobytes(sig, &R);

    /* hram = H(R | A | m), using the same prefix as the nonce hash. */
    _crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
    crypto_hash_sha512_update(&hs, sig, 64);
    crypto_hash_sha512_update(&hs, m, mlen);
    crypto_hash_sha512_final(&hs, hram);

    sc25519_reduce(hram);
    /* Clamping is deferred until the scalar is actually needed; in the
     * nondeterministic build az[0..31] is still the raw seed at this point. */
    _crypto_sign_ed25519_clamp(az);
    /* sc25519_muladd (by its name: hram*az + nonce) writes S over the
     * public-key copy at sig + 32. */
    sc25519_muladd(sig + 32, hram, az, nonce);

    sodium_memzero(az, sizeof az);
    sodium_memzero(nonce, sizeof nonce);
    /* NOTE(review): hs is not cleared; whether its final state retains
     * anything useful about the nonce prefix is not established here. */

    if (siglen_p != NULL) {
        *siglen_p = 64U;
    }

    return 0;
}
/*
 * Generate a fresh Ed25519 key pair.
 *
 * sk receives 64 bytes: a random 32-byte seed followed by a copy of pk.
 * pk receives the 32-byte encoding of the public point.
 *
 * @return 0.
 */
int crypto_sign_ed25519_tinynacl_keypair(unsigned char *pk, unsigned char *sk)
{
    unsigned char expanded[64];
    ge25519 pubpoint;
    long long k;

    /* The seed is the first half of sk; the scalar comes from its hash. */
    randombytes(sk, 32);
    crypto_hash_sha512(expanded, sk, 32);

    /* Clamp: clear the low three bits, clear bits 6-7 of byte 31, set bit 6. */
    expanded[0] &= 248;
    expanded[31] &= 63;
    expanded[31] |= 64;

    ge25519_scalarmult_base(pubpoint, expanded);
    ge25519_tobytes(pk, pubpoint);

    /* The second half of sk carries the public key. */
    for (k = 31; k >= 0; --k) {
        sk[32 + k] = pk[k];
    }

    cleanup(expanded);
    cleanup(pubpoint);
    return 0;
}
/*
 * Multiply the Ed25519 base point by the 32-byte scalar n and write the
 * encoded result to q. When clamp is non-zero the scalar is clamped first;
 * q itself serves as scratch for the (possibly clamped) scalar.
 *
 * @return 0 on success; -1 when the result is the neutral element or n is
 *         all zeros.
 */
static int _crypto_scalarmult_ed25519_base(unsigned char *q, const unsigned char *n, const int clamp)
{
    ge25519_p3 point;
    unsigned char *scalar = q;   /* scratch copy of the scalar lives in q */
    unsigned int k = 0;

    while (k < 32) {
        scalar[k] = n[k];
        ++k;
    }
    if (clamp) {
        _crypto_scalarmult_ed25519_clamp(scalar);
    }

    ge25519_scalarmult_base(&point, scalar);
    ge25519_p3_tobytes(q, &point);

    /* Degenerate cases: identity output, or an all-zero scalar input. */
    if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) {
        return -1;
    }
    return 0;
}
/*
 * Sign message m (n bytes) with the 64-byte secret key skorig
 * (seed (32) | public key (32)); sm receives R (32) | S (32) | m and must
 * hold n + 64 bytes.
 *
 * @return 0.
 */
int crypto_sign_ed25519_tinynacl(unsigned char *sm, unsigned long long *smlen, const unsigned char *m, unsigned long long n, const unsigned char *skorig)
{
    unsigned char expanded[64], nonce[64], hram[64], pk[32];
    ge25519 Rpoint;
    long long k;

    /* expanded = H(seed): first half is the clamped scalar, second half the
     * nonce prefix. */
    crypto_hash_sha512(expanded, skorig, 32);
    expanded[0] &= 248;
    expanded[31] &= 63;
    expanded[31] |= 64;

    *smlen = n + 64;

    /* The public key lives in the second half of skorig. */
    for (k = 31; k >= 0; --k) {
        pk[k] = skorig[32 + k];
    }
    /* Backward copy, so an overlapping m/sm pair is handled. */
    for (k = n - 1; k >= 0; --k) {
        sm[64 + k] = m[k];
    }
    /* Stage the nonce prefix right before the message ... */
    for (k = 31; k >= 0; --k) {
        sm[32 + k] = expanded[32 + k];
    }
    /* ... so the nonce hash covers prefix | m in a single call. */
    crypto_hash_sha512(nonce, sm + 32, n + 32);
    sc25519_reduce(nonce);

    /* Replace the prefix with pk: sm[32..63] is A for the hram hash. */
    for (k = 31; k >= 0; --k) {
        sm[32 + k] = pk[k];
    }

    ge25519_scalarmult_base(Rpoint, nonce);
    ge25519_tobytes(sm, Rpoint);

    /* hram = H(R | A | m), reduced. */
    crypto_hash_sha512(hram, sm, n + 64);
    sc25519_reduce(hram);

    /* S = hram * a + nonce, written over the pk slot. */
    sc25519_muladd(sm + 32, hram, expanded, nonce);

    cleanup(nonce);
    cleanup(hram);
    cleanup(expanded);
    cleanup(pk);
    cleanup(Rpoint);
    return 0;
}
/*
 * Sender side of the SimpleOT setup: compute S = y*B from the sender's
 * scalar s->y, publish the encoding of S, and cache the sender's copies of
 * the encoding of 8S and of the point derived from y*(8S).
 *
 * @param s       sender state; reads s->y, writes s->S_pack and s->yS.
 * @param S_pack  output, packed encoding of S itself.
 *
 * NOTE(review): s->y is only read here — presumably sampled by the caller.
 */
void sender_genS(SIMPLEOT_SENDER * s, unsigned char * S_pack)
{
    ge25519 S, yS;
    int dbl;

    ge25519_scalarmult_base(&S, &s->y);   /* S */
    ge25519_pack(S_pack, &S);             /* E^0(S) */

    /* Three doublings: S <- 8S. */
    for (dbl = 0; dbl < 3; dbl++) {
        ge25519_double(&S, &S);
    }
    ge25519_pack(s->S_pack, &S);          /* E_1(S) */

    /* yS = y*(8S), then three more doublings (64T in the original notation). */
    ge25519_scalarmult(&yS, &S, &s->y);
    for (dbl = 0; dbl < 3; dbl++) {
        ge25519_double(&yS, &yS);
    }
    ge_to_4x(&s->yS, &yS);
}
/*
 * Derive an Ed25519 key pair from a 32-byte seed.
 *
 * pk receives the encoded public point. sk receives seed (32) | pk (32);
 * its first half is used as scratch for the scalar and then restored.
 *
 * @return 0.
 */
int crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk, const unsigned char *seed)
{
    ge25519_p3 pubpoint;

    /* Scalar bytes are produced directly in sk[0..31]. */
#ifdef ED25519_NONDETERMINISTIC
    memmove(sk, seed, 32);            /* nondeterministic build: clamp(seed) */
#else
    crypto_hash_sha512(sk, seed, 32); /* default build: clamp(H(seed)[0..31]) */
#endif
    sk[0] &= 248;
    sk[31] &= 127;
    sk[31] |= 64;

    ge25519_scalarmult_base(&pubpoint, sk);
    ge25519_p3_tobytes(pk, &pubpoint);

    /* Put the seed back over the scratch scalar and append pk. */
    memmove(sk, seed, 32);
    memmove(sk + 32, pk, 32);

    return 0;
}
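/*
 * Generate a fresh Ed25519 key pair.
 *
 * sk receives 64 bytes: a random 32-byte seed followed by a copy of pk;
 * pk receives the 32-byte encoding of the public point.
 *
 * The expanded key and the secret scalar are wiped before return through
 * volatile stores (a plain memset on a dying local may be optimised away),
 * matching the cleanup / sodium_memzero discipline of the sibling routines.
 *
 * @return 0.
 */
int crypto_sign_ed25519_keypair( unsigned char *pk, unsigned char *sk )
{
    sc25519 scsk;
    ge25519 gepk;
    unsigned char extsk[64];
    volatile unsigned char *wipe;
    int i;

    randombytes(sk, 32);

    /* Expand and clamp: extsk[0..31] is the secret scalar. */
    crypto_hash_sha512(extsk, sk, 32);
    extsk[0] &= 248;
    extsk[31] &= 127;
    extsk[31] |= 64;

    sc25519_from32bytes(&scsk,extsk);
    ge25519_scalarmult_base(&gepk, &scsk);
    ge25519_pack(pk, &gepk);

    /* The second half of sk carries the public key. */
    for(i=0;i<32;i++) sk[32 + i] = pk[i];

    /* Wipe secret intermediates. */
    wipe = extsk;
    for(i=0;i<(int)sizeof extsk;i++) wipe[i] = 0;
    wipe = (volatile unsigned char *)&scsk;
    for(i=0;i<(int)sizeof scsk;i++) wipe[i] = 0;

    return 0;
}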