int ed25519_donna_blind_public_key(unsigned char *out, const unsigned char *inp, const unsigned char *param) { static const bignum256modm zero = { 0 }; unsigned char tweak[64]; unsigned char pkcopy[32]; ge25519 ALIGN(16) A, Aprime; bignum256modm ALIGN(16) t; ed25519_donna_gettweak(tweak, param); expand256_modm(t, tweak, 32); /* No "ge25519_unpack", negate the public key. */ memcpy(pkcopy, inp, 32); pkcopy[31] ^= (1<<7); ge25519_unpack_negative_vartime(&A, pkcopy); /* A' = [tweak] * A + [0] * basepoint. */ ge25519_double_scalarmult_vartime(&Aprime, &A, t, zero); ge25519_pack(out, &Aprime); memwipe(tweak, 0, sizeof(tweak)); memwipe(pkcopy, 0, sizeof(pkcopy)); memwipe(&A, 0, sizeof(A)); memwipe(&Aprime, 0, sizeof(Aprime)); memwipe(t, 0, sizeof(t)); return 0; }
void ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS) { ed25519_hash_context ctx; bignum256modm r, S, a; ge25519 MM16 R; hash_512bits extsk, hashr, hram; ed25519_extsk(extsk, sk); /* r = H(aExt[32..64], m) */ ed25519_hash_init(&ctx); ed25519_hash_update(&ctx, extsk + 32, 32); ed25519_hash_update(&ctx, m, mlen); ed25519_hash_final(&ctx, hashr); expand256_modm(r, hashr, 64); /* R = rB */ ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r); ge25519_pack(RS, &R); /* S = H(R,A,m).. */ ed25519_hram(hram, RS, pk, m, mlen); expand256_modm(S, hram, 64); /* S = H(R,A,m)a */ expand256_modm(a, extsk, 32); mul256_modm(S, S, a); /* S = (r + H(R,A,m)a) */ add256_modm(S, S, r); /* S = (r + H(R,A,m)a) mod L */ contract256_modm(RS + 32, S); }
void ed25519_sign(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS) { SHA512_CTX shactx; bignum256modm r, S, a; ge25519 MM16 R; hash_512bits extsk, hashr, hram; ed25519_extsk(extsk, sk); /* r = H(aExt[32..64], m) */ SHA512_Init(&shactx); SHA512_Update(&shactx, extsk + 32, 32); SHA512_Update(&shactx, m, mlen); SHA512_Final(hashr, &shactx); expand256_modm(r, hashr, 64); /* R = rB */ ge25519_scalarmult_base_niels(&R, r); ge25519_pack(RS, &R); /* S = H(R,A,m).. */ ed25519_hram(hram, RS, pk, m, mlen); expand256_modm(S, hram, 64); /* S = H(R,A,m)a */ expand256_modm(a, extsk, 32); mul256_modm(S, S, a); /* S = (r + H(R,A,m)a) */ add256_modm(S, S, r); /* S = (r + H(R,A,m)a) mod L */ contract256_modm(RS + 32, S); }
int schnorr_publickey(uint8_t pk[SCHNORR_PUBLICKEYBYTES], const uint8_t sk[SCHNORR_SECRETKEYBYTES]) { sc25519 sc_sk; ge25519 ge_pk; sc25519_from32bytes(&sc_sk, sk); ge25519_scalarmult_base(&ge_pk, &sc_sk); ge25519_pack(pk, &ge_pk); return 0; }
void ED25519_FN(ed25519_publickey) (const ed25519_secret_key sk, ed25519_public_key pk) { bignum256modm a; ge25519 MM16 A; hash_512bits extsk; /* A = aB */ ed25519_extsk(extsk, sk); expand256_modm(a, extsk, 32); ge25519_scalarmult_base_niels(&A, ge25519_niels_base_multiples, a); ge25519_pack(pk, &A); }
void sender_genS(SIMPLEOT_SENDER * s, unsigned char * S_pack) { int i; ge25519 S, yS; // sc25519_random(&s->y, 0); ge25519_scalarmult_base(&S, &s->y); // S ge25519_pack(S_pack, &S); // E^0(S) for (i = 0; i < 3; i++) ge25519_double(&S, &S); // 8S ge25519_pack(s->S_pack, &S); // E_1(S) ge25519_scalarmult(&yS, &S, &s->y); for (i = 0; i < 3; i++) ge25519_double(&yS, &yS); // 64T ge_to_4x(&s->yS, &yS); }
int ed25519_donna_pubkey(unsigned char *pk, const unsigned char *sk) { bignum256modm a = {0}; ge25519 ALIGN(16) A = {{0}, {0}, {0}, {0}}; /* A = aB */ expand256_modm(a, sk, 32); ge25519_scalarmult_base_niels(&A, ge25519_niels_base_multiples, a); ge25519_pack(pk, &A); return 0; }
int crypto_sign_ed25519( unsigned char *sm,unsigned long long *smlen, const unsigned char *m,unsigned long long mlen, const unsigned char *sk ) { sc25519 sck, scs, scsk; ge25519 ger; unsigned char r[32]; unsigned char s[32]; unsigned char extsk[64]; unsigned long long i; unsigned char hmg[crypto_hash_sha512_BYTES]; unsigned char hram[crypto_hash_sha512_BYTES]; crypto_hash_sha512(extsk, sk, 32); extsk[0] &= 248; extsk[31] &= 127; extsk[31] |= 64; *smlen = mlen+64; for(i=0;i<mlen;i++) sm[64 + i] = m[i]; for(i=0;i<32;i++) sm[32 + i] = extsk[32+i]; crypto_hash_sha512(hmg, sm+32, mlen+32); /* Generate k as h(extsk[32],...,extsk[63],m) */ /* Computation of R */ sc25519_from64bytes(&sck, hmg); ge25519_scalarmult_base(&ger, &sck); ge25519_pack(r, &ger); /* Computation of s */ for(i=0;i<32;i++) sm[i] = r[i]; get_hram(hram, sm, sk+32, sm, mlen+64); sc25519_from64bytes(&scs, hram); sc25519_from32bytes(&scsk, extsk); sc25519_mul(&scs, &scs, &scsk); sc25519_add(&scs, &scs, &sck); sc25519_to32bytes(s,&scs); /* cat s */ for(i=0;i<32;i++) sm[32 + i] = s[i]; return 0; }
int crypto_sign_open( unsigned char *m,unsigned long long *mlen, const unsigned char *sm,unsigned long long smlen, const unsigned char *pk ) { unsigned char pkcopy[32]; unsigned char rcopy[32]; unsigned char hram[64]; unsigned char rcheck[32]; ge25519 get1, get2; sc25519 schram, scs; if (smlen < 64) goto badsig; if (sm[63] & 224) goto badsig; if (ge25519_unpackneg_vartime(&get1,pk)) goto badsig; memmove(pkcopy,pk,32); memmove(rcopy,sm,32); sc25519_from32bytes(&scs, sm+32); memmove(m,sm,smlen); memmove(m + 32,pkcopy,32); crypto_hash_sha512(hram,m,smlen); sc25519_from64bytes(&schram, hram); ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs); ge25519_pack(rcheck, &get2); if (crypto_verify_32(rcopy,rcheck) == 0) { memmove(m,m + 64,smlen - 64); memset(m + smlen - 64,0,64); *mlen = smlen - 64; return 0; } badsig: *mlen = (unsigned long long) -1; memset(m,0,smlen); return -1; }
int crypto_sign_ed25519_open( unsigned char *m,unsigned long long *mlen, const unsigned char *sm,unsigned long long smlen, const unsigned char *pk ) { unsigned int i; int ret; unsigned char t2[32]; ge25519 get1, get2; sc25519 schram, scs; unsigned char hram[crypto_hash_sha512_BYTES]; *mlen = (unsigned long long) -1; if (smlen < 64) return -1; if (ge25519_unpackneg_vartime(&get1, pk)) return -1; get_hram(hram,sm,pk,m,smlen); sc25519_from64bytes(&schram, hram); sc25519_from32bytes(&scs, sm+32); ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs); ge25519_pack(t2, &get2); ret = crypto_verify_32(sm, t2); if (!ret) { for(i=0;i<smlen-64;i++) m[i] = sm[i + 64]; *mlen = smlen-64; } else { for(i=0;i<smlen-64;i++) m[i] = 0; } return ret; }
int ed25519_donna_sign(unsigned char *sig, const unsigned char *m, size_t mlen, const unsigned char *sk, const unsigned char *pk) { ed25519_hash_context ctx; bignum256modm r = {0}, S, a; ge25519 ALIGN(16) R = {{0}, {0}, {0}, {0}}; hash_512bits hashr, hram; /* This is equivalent to the removed `ED25519_FN(ed25519_sign)` routine, * except that the key expansion step is omitted as sk already is in expanded * form. */ /* r = H(aExt[32..64], m) */ ed25519_hash_init(&ctx); ed25519_hash_update(&ctx, sk + 32, 32); ed25519_hash_update(&ctx, m, mlen); ed25519_hash_final(&ctx, hashr); expand256_modm(r, hashr, 64); /* R = rB */ ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r); ge25519_pack(sig, &R); /* S = H(R,A,m).. */ ed25519_hram(hram, sig, pk, m, mlen); expand256_modm(S, hram, 64); /* S = H(R,A,m)a */ expand256_modm(a, sk, 32); mul256_modm(S, S, a); /* S = (r + H(R,A,m)a) */ add256_modm(S, S, r); /* S = (r + H(R,A,m)a) mod L */ contract256_modm(sig + 32, S); return 0; }
// Step 3 bis // verify pk_r = y.B - c.pk with pk = sk.B int schnorr_id_verify(const uint8_t pk[SCHNORR_PUBLICKEYBYTES], const uint8_t pk_r[SCHNORR_PUBLICKEYBYTES], const uint8_t challenge[SCHNORR_ID_CHALLENGEBYTES], const uint8_t response[SCHNORR_ID_RESPONSEBYTES]) { ge25519 ge_pk_neg; sc25519 sc_challenge; sc25519 sc_response; ge25519 ge_pk_r_verifier; uint8_t pk_r_verifier[SCHNORR_PUBLICKEYBYTES]; if (ge25519_unpackneg_vartime(&ge_pk_neg, pk)) return -1; sc25519_from_challenge_bytes(&sc_challenge, challenge); sc25519_from32bytes(&sc_response, response); ge25519_double_scalarmult_vartime(&ge_pk_r_verifier, &ge_pk_neg, &sc_challenge, &ge25519_base, &sc_response); ge25519_pack(pk_r_verifier, &ge_pk_r_verifier); return verify_32(pk_r, pk_r_verifier); }
/* Do the scalar multiplication of <b>pubkey</b> with the group order * <b>modm_m</b>. Place the result in <b>out</b> which must be at least 32 * bytes long. */ int ed25519_donna_scalarmult_with_group_order(unsigned char *out, const unsigned char *pubkey) { static const bignum256modm ALIGN(16) zero = { 0 }; unsigned char pkcopy[32]; ge25519 ALIGN(16) Point, Result; /* No "ge25519_unpack", negate the public key and unpack it back. * See ed25519_donna_blind_public_key() */ memcpy(pkcopy, pubkey, 32); pkcopy[31] ^= (1<<7); if (!ge25519_unpack_negative_vartime(&Point, pkcopy)) { return -1; /* error: bail out */ } /* There is no regular scalarmult function so we have to do: * Result = l*P + 0*B */ ge25519_double_scalarmult_vartime(&Result, &Point, modm_m, zero); ge25519_pack(out, &Result); return 0; }
int ED25519_FN(ed25519_sign_open) (const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS) { ge25519 MM16 R, A; hash_512bits hash; bignum256modm hram, S; unsigned char checkR[32]; if ((RS[63] & 224) || !ge25519_unpack_negative_vartime(&A, pk)) return -1; /* hram = H(R,A,m) */ ed25519_hram(hash, RS, pk, m, mlen); expand256_modm(hram, hash, 64); /* S */ expand256_modm(S, RS + 32, 32); /* SB - H(R,A,m)A */ ge25519_double_scalarmult_vartime(&R, &A, hram, S); ge25519_pack(checkR, &R); /* check that R = SB - H(R,A,m)A */ return ed25519_verify(RS, checkR, 32) ? 0 : -1; }
int crypto_sign_ed25519_keypair( unsigned char *pk, unsigned char *sk ) { sc25519 scsk; ge25519 gepk; unsigned char extsk[64]; int i; randombytes(sk, 32); crypto_hash_sha512(extsk, sk, 32); extsk[0] &= 248; extsk[31] &= 127; extsk[31] |= 64; sc25519_from32bytes(&scsk,extsk); ge25519_scalarmult_base(&gepk, &scsk); ge25519_pack(pk, &gepk); for(i=0;i<32;i++) sk[32 + i] = pk[i]; return 0; }