int
ed25519_donna_blind_public_key(unsigned char *out, const unsigned char *inp,
const unsigned char *param)
{
static const bignum256modm zero = { 0 };
unsigned char tweak[64];
unsigned char pkcopy[32];
ge25519 ALIGN(16) A, Aprime;
bignum256modm ALIGN(16) t;
ed25519_donna_gettweak(tweak, param);
expand256_modm(t, tweak, 32);
/* No "ge25519_unpack", negate the public key. */
memcpy(pkcopy, inp, 32);
pkcopy[31] ^= (1<<7);
ge25519_unpack_negative_vartime(&A, pkcopy);
/* A' = [tweak] * A + [0] * basepoint. */
ge25519_double_scalarmult_vartime(&Aprime, &A, t, zero);
ge25519_pack(out, &Aprime);
memwipe(tweak, 0, sizeof(tweak));
memwipe(pkcopy, 0, sizeof(pkcopy));
memwipe(&A, 0, sizeof(A));
memwipe(&Aprime, 0, sizeof(Aprime));
memwipe(t, 0, sizeof(t));
return 0;
}
void
ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS) {
ed25519_hash_context ctx;
bignum256modm r, S, a;
ge25519 MM16 R;
hash_512bits extsk, hashr, hram;
ed25519_extsk(extsk, sk);
/* r = H(aExt[32..64], m) */
ed25519_hash_init(&ctx);
ed25519_hash_update(&ctx, extsk + 32, 32);
ed25519_hash_update(&ctx, m, mlen);
ed25519_hash_final(&ctx, hashr);
expand256_modm(r, hashr, 64);
/* R = rB */
ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r);
ge25519_pack(RS, &R);
/* S = H(R,A,m).. */
ed25519_hram(hram, RS, pk, m, mlen);
expand256_modm(S, hram, 64);
/* S = H(R,A,m)a */
expand256_modm(a, extsk, 32);
mul256_modm(S, S, a);
/* S = (r + H(R,A,m)a) */
add256_modm(S, S, r);
/* S = (r + H(R,A,m)a) mod L */
contract256_modm(RS + 32, S);
}
void
ed25519_sign(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS) {
SHA512_CTX shactx;
bignum256modm r, S, a;
ge25519 MM16 R;
hash_512bits extsk, hashr, hram;
ed25519_extsk(extsk, sk);
/* r = H(aExt[32..64], m) */
SHA512_Init(&shactx);
SHA512_Update(&shactx, extsk + 32, 32);
SHA512_Update(&shactx, m, mlen);
SHA512_Final(hashr, &shactx);
expand256_modm(r, hashr, 64);
/* R = rB */
ge25519_scalarmult_base_niels(&R, r);
ge25519_pack(RS, &R);
/* S = H(R,A,m).. */
ed25519_hram(hram, RS, pk, m, mlen);
expand256_modm(S, hram, 64);
/* S = H(R,A,m)a */
expand256_modm(a, extsk, 32);
mul256_modm(S, S, a);
/* S = (r + H(R,A,m)a) */
add256_modm(S, S, r);
/* S = (r + H(R,A,m)a) mod L */
contract256_modm(RS + 32, S);
}
int schnorr_publickey(uint8_t pk[SCHNORR_PUBLICKEYBYTES],
const uint8_t sk[SCHNORR_SECRETKEYBYTES]) {
sc25519 sc_sk;
ge25519 ge_pk;
sc25519_from32bytes(&sc_sk, sk);
ge25519_scalarmult_base(&ge_pk, &sc_sk);
ge25519_pack(pk, &ge_pk);
return 0;
}
void
ED25519_FN(ed25519_publickey) (const ed25519_secret_key sk, ed25519_public_key pk) {
bignum256modm a;
ge25519 MM16 A;
hash_512bits extsk;
/* A = aB */
ed25519_extsk(extsk, sk);
expand256_modm(a, extsk, 32);
ge25519_scalarmult_base_niels(&A, ge25519_niels_base_multiples, a);
ge25519_pack(pk, &A);
}
void sender_genS(SIMPLEOT_SENDER * s, unsigned char * S_pack)
{
int i;
ge25519 S, yS;
//
sc25519_random(&s->y, 0);
ge25519_scalarmult_base(&S, &s->y); // S
ge25519_pack(S_pack, &S); // E^0(S)
for (i = 0; i < 3; i++) ge25519_double(&S, &S); // 8S
ge25519_pack(s->S_pack, &S); // E_1(S)
ge25519_scalarmult(&yS, &S, &s->y);
for (i = 0; i < 3; i++) ge25519_double(&yS, &yS); // 64T
ge_to_4x(&s->yS, &yS);
}
int
ed25519_donna_pubkey(unsigned char *pk, const unsigned char *sk)
{
bignum256modm a = {0};
ge25519 ALIGN(16) A = {{0}, {0}, {0}, {0}};
/* A = aB */
expand256_modm(a, sk, 32);
ge25519_scalarmult_base_niels(&A, ge25519_niels_base_multiples, a);
ge25519_pack(pk, &A);
return 0;
}
int crypto_sign_ed25519(
unsigned char *sm,unsigned long long *smlen,
const unsigned char *m,unsigned long long mlen,
const unsigned char *sk
)
{
sc25519 sck, scs, scsk;
ge25519 ger;
unsigned char r[32];
unsigned char s[32];
unsigned char extsk[64];
unsigned long long i;
unsigned char hmg[crypto_hash_sha512_BYTES];
unsigned char hram[crypto_hash_sha512_BYTES];
crypto_hash_sha512(extsk, sk, 32);
extsk[0] &= 248;
extsk[31] &= 127;
extsk[31] |= 64;
*smlen = mlen+64;
for(i=0;i<mlen;i++)
sm[64 + i] = m[i];
for(i=0;i<32;i++)
sm[32 + i] = extsk[32+i];
crypto_hash_sha512(hmg, sm+32, mlen+32); /* Generate k as h(extsk[32],...,extsk[63],m) */
/* Computation of R */
sc25519_from64bytes(&sck, hmg);
ge25519_scalarmult_base(&ger, &sck);
ge25519_pack(r, &ger);
/* Computation of s */
for(i=0;i<32;i++)
sm[i] = r[i];
get_hram(hram, sm, sk+32, sm, mlen+64);
sc25519_from64bytes(&scs, hram);
sc25519_from32bytes(&scsk, extsk);
sc25519_mul(&scs, &scs, &scsk);
sc25519_add(&scs, &scs, &sck);
sc25519_to32bytes(s,&scs); /* cat s */
for(i=0;i<32;i++)
sm[32 + i] = s[i];
return 0;
}
int crypto_sign_open(
unsigned char *m,unsigned long long *mlen,
const unsigned char *sm,unsigned long long smlen,
const unsigned char *pk
)
{
unsigned char pkcopy[32];
unsigned char rcopy[32];
unsigned char hram[64];
unsigned char rcheck[32];
ge25519 get1, get2;
sc25519 schram, scs;
if (smlen < 64) goto badsig;
if (sm[63] & 224) goto badsig;
if (ge25519_unpackneg_vartime(&get1,pk)) goto badsig;
memmove(pkcopy,pk,32);
memmove(rcopy,sm,32);
sc25519_from32bytes(&scs, sm+32);
memmove(m,sm,smlen);
memmove(m + 32,pkcopy,32);
crypto_hash_sha512(hram,m,smlen);
sc25519_from64bytes(&schram, hram);
ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs);
ge25519_pack(rcheck, &get2);
if (crypto_verify_32(rcopy,rcheck) == 0) {
memmove(m,m + 64,smlen - 64);
memset(m + smlen - 64,0,64);
*mlen = smlen - 64;
return 0;
}
badsig:
*mlen = (unsigned long long) -1;
memset(m,0,smlen);
return -1;
}
int crypto_sign_ed25519_open(
unsigned char *m,unsigned long long *mlen,
const unsigned char *sm,unsigned long long smlen,
const unsigned char *pk
)
{
unsigned int i;
int ret;
unsigned char t2[32];
ge25519 get1, get2;
sc25519 schram, scs;
unsigned char hram[crypto_hash_sha512_BYTES];
*mlen = (unsigned long long) -1;
if (smlen < 64) return -1;
if (ge25519_unpackneg_vartime(&get1, pk)) return -1;
get_hram(hram,sm,pk,m,smlen);
sc25519_from64bytes(&schram, hram);
sc25519_from32bytes(&scs, sm+32);
ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs);
ge25519_pack(t2, &get2);
ret = crypto_verify_32(sm, t2);
if (!ret)
{
for(i=0;i<smlen-64;i++)
m[i] = sm[i + 64];
*mlen = smlen-64;
}
else
{
for(i=0;i<smlen-64;i++)
m[i] = 0;
}
return ret;
}
int
ed25519_donna_sign(unsigned char *sig, const unsigned char *m, size_t mlen,
const unsigned char *sk, const unsigned char *pk)
{
ed25519_hash_context ctx;
bignum256modm r = {0}, S, a;
ge25519 ALIGN(16) R = {{0}, {0}, {0}, {0}};
hash_512bits hashr, hram;
/* This is equivalent to the removed `ED25519_FN(ed25519_sign)` routine,
* except that the key expansion step is omitted as sk already is in expanded
* form.
*/
/* r = H(aExt[32..64], m) */
ed25519_hash_init(&ctx);
ed25519_hash_update(&ctx, sk + 32, 32);
ed25519_hash_update(&ctx, m, mlen);
ed25519_hash_final(&ctx, hashr);
expand256_modm(r, hashr, 64);
/* R = rB */
ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r);
ge25519_pack(sig, &R);
/* S = H(R,A,m).. */
ed25519_hram(hram, sig, pk, m, mlen);
expand256_modm(S, hram, 64);
/* S = H(R,A,m)a */
expand256_modm(a, sk, 32);
mul256_modm(S, S, a);
/* S = (r + H(R,A,m)a) */
add256_modm(S, S, r);
/* S = (r + H(R,A,m)a) mod L */
contract256_modm(sig + 32, S);
return 0;
}
// Step 3 bis
// verify pk_r = y.B - c.pk with pk = sk.B
int schnorr_id_verify(const uint8_t pk[SCHNORR_PUBLICKEYBYTES],
const uint8_t pk_r[SCHNORR_PUBLICKEYBYTES],
const uint8_t challenge[SCHNORR_ID_CHALLENGEBYTES],
const uint8_t response[SCHNORR_ID_RESPONSEBYTES]) {
ge25519 ge_pk_neg;
sc25519 sc_challenge;
sc25519 sc_response;
ge25519 ge_pk_r_verifier;
uint8_t pk_r_verifier[SCHNORR_PUBLICKEYBYTES];
if (ge25519_unpackneg_vartime(&ge_pk_neg, pk))
return -1;
sc25519_from_challenge_bytes(&sc_challenge, challenge);
sc25519_from32bytes(&sc_response, response);
ge25519_double_scalarmult_vartime(&ge_pk_r_verifier,
&ge_pk_neg, &sc_challenge,
&ge25519_base, &sc_response);
ge25519_pack(pk_r_verifier, &ge_pk_r_verifier);
return verify_32(pk_r, pk_r_verifier);
}
/* Do the scalar multiplication of <b>pubkey</b> with the group order
* <b>modm_m</b>. Place the result in <b>out</b> which must be at least 32
* bytes long. */
int
ed25519_donna_scalarmult_with_group_order(unsigned char *out,
const unsigned char *pubkey)
{
static const bignum256modm ALIGN(16) zero = { 0 };
unsigned char pkcopy[32];
ge25519 ALIGN(16) Point, Result;
/* No "ge25519_unpack", negate the public key and unpack it back.
* See ed25519_donna_blind_public_key() */
memcpy(pkcopy, pubkey, 32);
pkcopy[31] ^= (1<<7);
if (!ge25519_unpack_negative_vartime(&Point, pkcopy)) {
return -1; /* error: bail out */
}
/* There is no regular scalarmult function so we have to do:
* Result = l*P + 0*B */
ge25519_double_scalarmult_vartime(&Result, &Point, modm_m, zero);
ge25519_pack(out, &Result);
return 0;
}
int
ED25519_FN(ed25519_sign_open) (const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS) {
ge25519 MM16 R, A;
hash_512bits hash;
bignum256modm hram, S;
unsigned char checkR[32];
if ((RS[63] & 224) || !ge25519_unpack_negative_vartime(&A, pk))
return -1;
/* hram = H(R,A,m) */
ed25519_hram(hash, RS, pk, m, mlen);
expand256_modm(hram, hash, 64);
/* S */
expand256_modm(S, RS + 32, 32);
/* SB - H(R,A,m)A */
ge25519_double_scalarmult_vartime(&R, &A, hram, S);
ge25519_pack(checkR, &R);
/* check that R = SB - H(R,A,m)A */
return ed25519_verify(RS, checkR, 32) ? 0 : -1;
}
int crypto_sign_ed25519_keypair(
unsigned char *pk,
unsigned char *sk
)
{
sc25519 scsk;
ge25519 gepk;
unsigned char extsk[64];
int i;
randombytes(sk, 32);
crypto_hash_sha512(extsk, sk, 32);
extsk[0] &= 248;
extsk[31] &= 127;
extsk[31] |= 64;
sc25519_from32bytes(&scsk,extsk);
ge25519_scalarmult_base(&gepk, &scsk);
ge25519_pack(pk, &gepk);
for(i=0;i<32;i++)
sk[32 + i] = pk[i];
return 0;
}