void curve25519_keygen(unsigned char* curve25519_pubkey_out, const unsigned char* curve25519_privkey_in) { ge_p3 ed; /* Ed25519 pubkey point */ fe ed_y_plus_one, one_minus_ed_y, inv_one_minus_ed_y; fe mont_x; /* Perform a fixed-base multiplication of the Edwards base point, (which is efficient due to precalculated tables), then convert to the Curve25519 montgomery-format public key. In particular, convert Curve25519's "montgomery" x-coordinate into an Ed25519 "edwards" y-coordinate: mont_x = (ed_y + 1) / (1 - ed_y) with projective coordinates: mont_x = (ed_y + ed_z) / (ed_z - ed_y) NOTE: ed_y=1 is converted to mont_x=0 since fe_invert is mod-exp */ ge_scalarmult_base(&ed, curve25519_privkey_in); fe_add(ed_y_plus_one, ed.Y, ed.Z); fe_sub(one_minus_ed_y, ed.Z, ed.Y); fe_invert(inv_one_minus_ed_y, one_minus_ed_y); fe_mul(mont_x, ed_y_plus_one, inv_one_minus_ed_y); fe_tobytes(curve25519_pubkey_out, mont_x); }
void ge_montx_to_p2(ge_p2* p, const fe u, const unsigned char ed_sign_bit) { fe x, y, A, v, v2, iv, nx; fe_frombytes(A, A_bytes); /* given u, recover edwards y */ /* given u, recover v */ /* given u and v, recover edwards x */ fe_montx_to_edy(y, u); /* y = (u - 1) / (u + 1) */ fe_mont_rhs(v2, u); /* v^2 = u(u^2 + Au + 1) */ fe_sqrt(v, v2); /* v = sqrt(v^2) */ fe_mul(x, u, A); /* x = u * sqrt(-(A+2)) */ fe_invert(iv, v); /* 1/v */ fe_mul(x, x, iv); /* x = (u/v) * sqrt(-(A+2)) */ fe_neg(nx, x); /* negate x to match sign bit */ fe_cmov(x, nx, fe_isnegative(x) ^ ed_sign_bit); fe_copy(p->X, x); fe_copy(p->Y, y); fe_1(p->Z); /* POSTCONDITION: check that p->X and p->Y satisfy the Ed curve equation */ /* -x^2 + y^2 = 1 + dx^2y^2 */ #ifndef NDEBUG { fe one, d, x2, y2, x2y2, dx2y2; unsigned char dbytes[32] = { 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75, 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00, 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c, 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52 }; fe_frombytes(d, dbytes); fe_1(one); fe_sq(x2, p->X); /* x^2 */ fe_sq(y2, p->Y); /* y^2 */ fe_mul(dx2y2, x2, y2); /* x^2y^2 */ fe_mul(dx2y2, dx2y2, d); /* dx^2y^2 */ fe_add(dx2y2, dx2y2, one); /* dx^2y^2 + 1 */ fe_neg(x2y2, x2); /* -x^2 */ fe_add(x2y2, x2y2, y2); /* -x^2 + y^2 */ assert(fe_isequal(x2y2, dx2y2)); } #endif }
static void edwards_to_montgomery(fe montgomeryX, const fe edwardsY, const fe edwardsZ) { fe tempX; fe tempZ; fe_add(tempX, edwardsZ, edwardsY); fe_sub(tempZ, edwardsZ, edwardsY); fe_invert(tempZ, tempZ); fe_mul(montgomeryX, tempX, tempZ); }
void ge_tobytes(unsigned char *s, const ge_p2 *h) { fe recip; fe x; fe y; fe_invert(recip, h->Z); fe_mul(x, h->X, recip); fe_mul(y, h->Y, recip); fe_tobytes(s, y); s[31] ^= fe_isnegative(x) << 7; }
int curve25519_verify(const unsigned char* signature, const unsigned char* curve25519_pubkey, const unsigned char* msg, const unsigned long msg_len) { fe mont_x, mont_x_minus_one, mont_x_plus_one, inv_mont_x_plus_one; fe one; fe ed_y; unsigned char ed_pubkey[32]; unsigned long long some_retval; unsigned char verifybuf[MAX_MSG_LEN + 64]; /* working buffer */ unsigned char verifybuf2[MAX_MSG_LEN + 64]; /* working buffer #2 */ if (msg_len > MAX_MSG_LEN) { return -1; } /* Convert the Curve25519 public key into an Ed25519 public key. In particular, convert Curve25519's "montgomery" x-coordinate into an Ed25519 "edwards" y-coordinate: ed_y = (mont_x - 1) / (mont_x + 1) NOTE: mont_x=-1 is converted to ed_y=0 since fe_invert is mod-exp Then move the sign bit into the pubkey from the signature. */ fe_frombytes(mont_x, curve25519_pubkey); fe_1(one); fe_sub(mont_x_minus_one, mont_x, one); fe_add(mont_x_plus_one, mont_x, one); fe_invert(inv_mont_x_plus_one, mont_x_plus_one); fe_mul(ed_y, mont_x_minus_one, inv_mont_x_plus_one); fe_tobytes(ed_pubkey, ed_y); /* Copy the sign bit, and remove it from signature */ ed_pubkey[31] &= 0x7F; /* bit should be zero already, but just in case */ ed_pubkey[31] |= (signature[63] & 0x80); memmove(verifybuf, signature, 64); verifybuf[63] &= 0x7F; memmove(verifybuf+64, msg, msg_len); /* Then perform a normal Ed25519 verification, return 0 on success */ /* The below call has a strange API: */ /* verifybuf = R || S || message */ /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets replaced with pubkey for hashing, then the whole thing gets zeroized (if bad sig), or contains a copy of msg (good sig) */ return crypto_sign_open(verifybuf2, &some_retval, verifybuf, 64 + msg_len, ed_pubkey); }
void fe_montx_to_edy(fe y, const fe u) { /* y = (u - 1) / (u + 1) NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp */ fe one, um1, up1; fe_1(one); fe_sub(um1, u, one); fe_add(up1, u, one); fe_invert(up1, up1); fe_mul(y, um1, up1); }
static int curve25519(unsigned char* q, unsigned char* n, unsigned char* p) { unsigned char e[32]; unsigned int i; fe x1; fe x2; fe z2; fe x3; fe z3; fe tmp0; fe tmp1; int pos; unsigned int swap; unsigned int b; for (i = 0;i < 32;++i) e[i] = n[i]; e[0] &= 248; e[31] &= 127; e[31] |= 64; fe_frombytes(x1,p); fe_1(x2); fe_0(z2); fe_copy(x3,x1); fe_1(z3); swap = 0; for (pos = 254;pos >= 0;--pos) { b = e[pos / 8] >> (pos & 7); b &= 1; swap ^= b; fe_cswap(x2,x3,swap); fe_cswap(z2,z3,swap); swap = b; #include <cyassl/ctaocrypt/ecc25519_montgomery.h> } fe_cswap(x2,x3,swap); fe_cswap(z2,z3,swap); fe_invert(z2,z2); fe_mul(x2,x2,z2); fe_tobytes(q,x2); return 0; }
int crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk, const unsigned char *ed25519_pk) { ge_p3 A; fe x; fe one_minus_y; ge_frombytes_negate_vartime(&A, ed25519_pk); fe_1(one_minus_y); fe_sub(one_minus_y, one_minus_y, A.Y); fe_invert(one_minus_y, one_minus_y); fe_1(x); fe_add(x, x, A.Y); fe_mul(x, x, one_minus_y); fe_tobytes(curve25519_pk, x); return 0; }
int Sign_publicSigningKeyToCurve25519(uint8_t curve25519keyOut[32], uint8_t publicSigningKey[32]) { ge_p3 A; fe x; fe one_minus_y; if (ge_frombytes_negate_vartime(&A, publicSigningKey) != 0) { return -1; } fe_1(one_minus_y); fe_sub(one_minus_y, one_minus_y, A.Y); fe_invert(one_minus_y, one_minus_y); fe_1(x); fe_add(x, x, A.Y); fe_mul(x, x, one_minus_y); fe_tobytes(curve25519keyOut, x); return 0; }
static int crypto_scalarmult_curve25519_ref10(unsigned char *q, const unsigned char *n, const unsigned char *p) { unsigned char e[32]; unsigned int i; fe x1; fe x2; fe z2; fe x3; fe z3; fe tmp0; fe tmp1; int pos; unsigned int swap; unsigned int b; for (i = 0;i < 32;++i) e[i] = n[i]; e[0] &= 248; e[31] &= 127; e[31] |= 64; fe_frombytes(x1,p); fe_1(x2); fe_0(z2); fe_copy(x3,x1); fe_1(z3); swap = 0; for (pos = 254;pos >= 0;--pos) { b = e[pos / 8] >> (pos & 7); b &= 1; swap ^= b; fe_cswap(x2,x3,swap); fe_cswap(z2,z3,swap); swap = b; fe_sub(tmp0,x3,z3); fe_sub(tmp1,x2,z2); fe_add(x2,x2,z2); fe_add(z2,x3,z3); fe_mul(z3,tmp0,x2); fe_mul(z2,z2,tmp1); fe_sq(tmp0,tmp1); fe_sq(tmp1,x2); fe_add(x3,z3,z2); fe_sub(z2,z3,z2); fe_mul(x2,tmp1,tmp0); fe_sub(tmp1,tmp1,tmp0); fe_sq(z2,z2); fe_mul121666(z3,tmp1); fe_sq(x3,x3); fe_add(tmp0,tmp0,z3); fe_mul(z3,x1,z2); fe_mul(z2,tmp1,tmp0); } fe_cswap(x2,x3,swap); fe_cswap(z2,z3,swap); fe_invert(z2,z2); fe_mul(x2,x2,z2); fe_tobytes(q,x2); return 0; }
void ed25519_key_exchange(unsigned char *shared_secret, const unsigned char *public_key, const unsigned char *private_key) { unsigned char e[32]; unsigned int i; fe x1; fe x2; fe z2; fe x3; fe z3; fe tmp0; fe tmp1; int pos; unsigned int swap; unsigned int b; /* copy the private key and make sure it's valid */ for (i = 0; i < 32; ++i) { e[i] = private_key[i]; } e[0] &= 248; e[31] &= 63; e[31] |= 64; /* unpack the public key and convert edwards to montgomery */ /* due to CodesInChaos: montgomeryX = (edwardsY + 1)*inverse(1 - edwardsY) mod p */ fe_frombytes(x1, public_key); fe_1(tmp1); fe_add(tmp0, x1, tmp1); fe_sub(tmp1, tmp1, x1); fe_invert(tmp1, tmp1); fe_mul(x1, tmp0, tmp1); fe_1(x2); fe_0(z2); fe_copy(x3, x1); fe_1(z3); swap = 0; for (pos = 254; pos >= 0; --pos) { b = e[pos / 8] >> (pos & 7); b &= 1; swap ^= b; fe_cswap(x2, x3, swap); fe_cswap(z2, z3, swap); swap = b; /* from montgomery.h */ fe_sub(tmp0, x3, z3); fe_sub(tmp1, x2, z2); fe_add(x2, x2, z2); fe_add(z2, x3, z3); fe_mul(z3, tmp0, x2); fe_mul(z2, z2, tmp1); fe_sq(tmp0, tmp1); fe_sq(tmp1, x2); fe_add(x3, z3, z2); fe_sub(z2, z3, z2); fe_mul(x2, tmp1, tmp0); fe_sub(tmp1, tmp1, tmp0); fe_sq(z2, z2); fe_mul121666(z3, tmp1); fe_sq(x3, x3); fe_add(tmp0, tmp0, z3); fe_mul(z3, x1, z2); fe_mul(z2, tmp1, tmp0); } fe_cswap(x2, x3, swap); fe_cswap(z2, z3, swap); fe_invert(z2, z2); fe_mul(x2, x2, z2); fe_tobytes(shared_secret, x2); }