2016-04-22 15:47:48 +00:00
|
|
|
/*
|
|
|
|
Public domain by Andrew M. <liquidsun@gmail.com>
|
|
|
|
|
|
|
|
Ed25519 reference implementation using Ed25519-donna
|
|
|
|
*/
|
|
|
|
|
2017-05-16 18:19:58 +00:00
|
|
|
|
|
|
|
/* define ED25519_SUFFIX to have it appended to the end of each public function */
|
|
|
|
#ifdef ED25519_SUFFIX
|
|
|
|
#define ED25519_FN3(fn,suffix) fn##suffix
|
|
|
|
#define ED25519_FN2(fn,suffix) ED25519_FN3(fn,suffix)
|
|
|
|
#define ED25519_FN(fn) ED25519_FN2(fn,ED25519_SUFFIX)
|
|
|
|
#else
|
|
|
|
#define ED25519_FN(fn) fn
|
|
|
|
#endif
|
|
|
|
|
2016-04-22 15:47:48 +00:00
|
|
|
#include "ed25519-donna.h"
|
|
|
|
#include "ed25519.h"
|
|
|
|
|
2017-05-16 18:19:58 +00:00
|
|
|
#include "ed25519-hash-custom.h"
|
2022-06-24 20:55:25 +00:00
|
|
|
#include "rand.h"
|
2021-07-09 08:35:42 +00:00
|
|
|
#include "memzero.h"
|
2017-03-28 17:48:36 +00:00
|
|
|
|
2016-04-22 15:47:48 +00:00
|
|
|
/*
|
|
|
|
Generates a (extsk[0..31]) and aExt (extsk[32..63])
|
|
|
|
*/
|
|
|
|
DONNA_INLINE static void
|
|
|
|
ed25519_extsk(hash_512bits extsk, const ed25519_secret_key sk) {
|
|
|
|
ed25519_hash(extsk, sk, 32);
|
|
|
|
extsk[0] &= 248;
|
|
|
|
extsk[31] &= 127;
|
|
|
|
extsk[31] |= 64;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2021-09-01 10:20:13 +00:00
|
|
|
ed25519_hram(hash_512bits hram, const ed25519_public_key R, const ed25519_public_key pk, const unsigned char *m, size_t mlen) {
|
2016-04-22 15:47:48 +00:00
|
|
|
ed25519_hash_context ctx;
|
|
|
|
ed25519_hash_init(&ctx);
|
2021-09-01 10:20:13 +00:00
|
|
|
ed25519_hash_update(&ctx, R, 32);
|
2016-04-22 15:47:48 +00:00
|
|
|
ed25519_hash_update(&ctx, pk, 32);
|
|
|
|
ed25519_hash_update(&ctx, m, mlen);
|
|
|
|
ed25519_hash_final(&ctx, hram);
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
2017-05-16 18:19:58 +00:00
|
|
|
ED25519_FN(ed25519_publickey) (const ed25519_secret_key sk, ed25519_public_key pk) {
|
2019-10-02 14:31:36 +00:00
|
|
|
hash_512bits extsk = {0};
|
2016-04-22 15:47:48 +00:00
|
|
|
ed25519_extsk(extsk, sk);
|
2022-07-01 10:46:35 +00:00
|
|
|
ed25519_publickey_ext(extsk, pk);
|
2021-07-09 08:35:42 +00:00
|
|
|
memzero(&extsk, sizeof(extsk));
|
2018-06-19 09:50:59 +00:00
|
|
|
}
|
|
|
|
|
2017-04-01 22:08:04 +00:00
|
|
|
void
|
2022-06-24 20:55:25 +00:00
|
|
|
ED25519_FN(ed25519_cosi_commit) (ed25519_secret_key nonce, ed25519_public_key commitment) {
|
|
|
|
bignum256modm r = {0};
|
|
|
|
ge25519 ALIGN(16) R;
|
|
|
|
unsigned char extnonce[64] = {0};
|
|
|
|
|
|
|
|
/* r = random512 mod L */
|
|
|
|
random_buffer(extnonce, sizeof(extnonce));
|
|
|
|
expand256_modm(r, extnonce, sizeof(extnonce));
|
|
|
|
memzero(&extnonce, sizeof(extnonce));
|
|
|
|
contract256_modm(nonce, r);
|
|
|
|
|
|
|
|
/* R = rB */
|
2024-09-01 18:52:00 +00:00
|
|
|
ge25519_scalarmult_base_wrapper(&R, r);
|
2022-06-24 20:55:25 +00:00
|
|
|
memzero(&r, sizeof(r));
|
|
|
|
ge25519_pack(commitment, &R);
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2017-05-16 18:19:58 +00:00
|
|
|
ED25519_FN(ed25519_cosi_sign) (const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_secret_key nonce, const ed25519_public_key R, const ed25519_public_key pk, ed25519_cosi_signature sig) {
|
2019-10-02 14:31:36 +00:00
|
|
|
bignum256modm r = {0}, S = {0}, a = {0};
|
2022-06-24 20:55:25 +00:00
|
|
|
hash_512bits extsk = {0}, hram = {0};
|
2017-04-01 22:08:04 +00:00
|
|
|
|
|
|
|
ed25519_extsk(extsk, sk);
|
|
|
|
|
2022-06-24 20:55:25 +00:00
|
|
|
/* r */
|
|
|
|
expand_raw256_modm(r, nonce);
|
|
|
|
if (!is_reduced256_modm(r))
|
|
|
|
return -1;
|
2017-04-01 22:08:04 +00:00
|
|
|
|
|
|
|
/* S = H(R,A,m).. */
|
|
|
|
ed25519_hram(hram, R, pk, m, mlen);
|
|
|
|
expand256_modm(S, hram, 64);
|
|
|
|
|
|
|
|
/* S = H(R,A,m)a */
|
|
|
|
expand256_modm(a, extsk, 32);
|
2021-07-09 08:35:42 +00:00
|
|
|
memzero(&extsk, sizeof(extsk));
|
2017-04-01 22:08:04 +00:00
|
|
|
mul256_modm(S, S, a);
|
2021-07-09 08:35:42 +00:00
|
|
|
memzero(&a, sizeof(a));
|
2017-04-01 22:08:04 +00:00
|
|
|
|
|
|
|
/* S = (r + H(R,A,m)a) */
|
|
|
|
add256_modm(S, S, r);
|
2021-07-09 08:35:42 +00:00
|
|
|
memzero(&r, sizeof(r));
|
2017-04-01 22:08:04 +00:00
|
|
|
|
|
|
|
/* S = (r + H(R,A,m)a) mod L */
|
|
|
|
contract256_modm(sig, S);
|
2022-06-24 20:55:25 +00:00
|
|
|
|
|
|
|
return 0;
|
2017-04-01 22:08:04 +00:00
|
|
|
}
|
|
|
|
|
2018-06-19 09:50:59 +00:00
|
|
|
void
|
2024-07-30 09:09:15 +00:00
|
|
|
ED25519_FN(ed25519_sign_ext) (const unsigned char *m, size_t mlen, const ed25519_secret_key secret_scalar, const ed25519_secret_key skext, ed25519_signature RS) {
|
2018-06-19 09:50:59 +00:00
|
|
|
ed25519_hash_context ctx;
|
2019-10-02 14:31:36 +00:00
|
|
|
bignum256modm r = {0}, S = {0}, a = {0};
|
|
|
|
ge25519 ALIGN(16) R = {0};
|
2022-06-23 16:00:31 +00:00
|
|
|
ge25519 ALIGN(16) A = {0};
|
|
|
|
ed25519_public_key pk = {0};
|
2024-07-30 09:09:15 +00:00
|
|
|
hash_512bits hashr = {0}, hram = {0};
|
2018-06-19 09:50:59 +00:00
|
|
|
|
|
|
|
/* r = H(aExt[32..64], m) */
|
|
|
|
ed25519_hash_init(&ctx);
|
2024-07-30 09:09:15 +00:00
|
|
|
ed25519_hash_update(&ctx, skext, 32);
|
2018-06-19 09:50:59 +00:00
|
|
|
ed25519_hash_update(&ctx, m, mlen);
|
|
|
|
ed25519_hash_final(&ctx, hashr);
|
|
|
|
expand256_modm(r, hashr, 64);
|
2021-07-09 08:35:42 +00:00
|
|
|
memzero(&hashr, sizeof(hashr));
|
2018-06-19 09:50:59 +00:00
|
|
|
|
|
|
|
/* R = rB */
|
2024-09-01 18:52:00 +00:00
|
|
|
ge25519_scalarmult_base_wrapper(&R, r);
|
2018-06-19 09:50:59 +00:00
|
|
|
ge25519_pack(RS, &R);
|
|
|
|
|
2022-06-23 16:00:31 +00:00
|
|
|
/* a = aExt[0..31] */
|
2024-07-30 09:09:15 +00:00
|
|
|
expand256_modm(a, secret_scalar, 32);
|
2022-06-23 16:00:31 +00:00
|
|
|
|
|
|
|
/* A = aB */
|
2024-09-01 18:52:00 +00:00
|
|
|
ge25519_scalarmult_base_wrapper(&A, a);
|
2022-06-23 16:00:31 +00:00
|
|
|
ge25519_pack(pk, &A);
|
|
|
|
|
2018-06-19 09:50:59 +00:00
|
|
|
/* S = H(R,A,m).. */
|
|
|
|
ed25519_hram(hram, RS, pk, m, mlen);
|
|
|
|
expand256_modm(S, hram, 64);
|
|
|
|
|
|
|
|
/* S = H(R,A,m)a */
|
|
|
|
mul256_modm(S, S, a);
|
2021-07-09 08:35:42 +00:00
|
|
|
memzero(&a, sizeof(a));
|
2018-06-19 09:50:59 +00:00
|
|
|
|
|
|
|
/* S = (r + H(R,A,m)a) */
|
|
|
|
add256_modm(S, S, r);
|
2021-07-09 08:35:42 +00:00
|
|
|
memzero(&r, sizeof(r));
|
2018-06-19 09:50:59 +00:00
|
|
|
|
|
|
|
/* S = (r + H(R,A,m)a) mod L */
|
|
|
|
contract256_modm(RS + 32, S);
|
|
|
|
}
|
2022-07-01 10:46:35 +00:00
|
|
|
|
|
|
|
void
|
|
|
|
ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_secret_key sk, ed25519_signature RS) {
|
|
|
|
hash_512bits extsk = {0};
|
|
|
|
ed25519_extsk(extsk, sk);
|
|
|
|
ED25519_FN(ed25519_sign_ext)(m, mlen, extsk, extsk + 32, RS);
|
|
|
|
memzero(&extsk, sizeof(extsk));
|
|
|
|
}
|
2018-06-19 09:50:59 +00:00
|
|
|
|
2016-04-22 15:47:48 +00:00
|
|
|
int
|
2017-05-16 18:19:58 +00:00
|
|
|
ED25519_FN(ed25519_sign_open) (const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS) {
|
2022-07-01 12:57:52 +00:00
|
|
|
ge25519 ALIGN(16) R = {0}, A = {0};
|
2019-10-02 14:31:36 +00:00
|
|
|
hash_512bits hash = {0};
|
|
|
|
bignum256modm hram = {0}, S = {0};
|
|
|
|
unsigned char checkR[32] = {0};
|
2016-04-22 15:47:48 +00:00
|
|
|
|
|
|
|
if ((RS[63] & 224) || !ge25519_unpack_negative_vartime(&A, pk))
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
/* hram = H(R,A,m) */
|
|
|
|
ed25519_hram(hash, RS, pk, m, mlen);
|
|
|
|
expand256_modm(hram, hash, 64);
|
|
|
|
|
|
|
|
/* S */
|
2018-07-16 10:37:47 +00:00
|
|
|
expand_raw256_modm(S, RS + 32);
|
|
|
|
if (!is_reduced256_modm(S))
|
2022-06-24 20:55:25 +00:00
|
|
|
return -1;
|
2016-04-22 15:47:48 +00:00
|
|
|
|
|
|
|
/* SB - H(R,A,m)A */
|
|
|
|
ge25519_double_scalarmult_vartime(&R, &A, hram, S);
|
|
|
|
ge25519_pack(checkR, &R);
|
|
|
|
|
|
|
|
/* check that R = SB - H(R,A,m)A */
|
|
|
|
return ed25519_verify(RS, checkR, 32) ? 0 : -1;
|
|
|
|
}
|
|
|
|
|
2017-06-01 15:08:55 +00:00
|
|
|
int
|
|
|
|
ED25519_FN(ed25519_scalarmult) (ed25519_public_key res, const ed25519_secret_key sk, const ed25519_public_key pk) {
|
2019-10-02 14:31:36 +00:00
|
|
|
bignum256modm a = {0};
|
2022-07-01 12:57:52 +00:00
|
|
|
ge25519 ALIGN(16) A = {0}, P = {0};
|
2019-10-02 14:31:36 +00:00
|
|
|
hash_512bits extsk = {0};
|
2017-06-01 15:08:55 +00:00
|
|
|
|
|
|
|
ed25519_extsk(extsk, sk);
|
|
|
|
expand256_modm(a, extsk, 32);
|
2021-07-09 08:35:42 +00:00
|
|
|
memzero(&extsk, sizeof(extsk));
|
2017-06-01 15:08:55 +00:00
|
|
|
|
|
|
|
if (!ge25519_unpack_negative_vartime(&P, pk)) {
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
ge25519_scalarmult(&A, &P, a);
|
2021-07-09 08:35:42 +00:00
|
|
|
memzero(&a, sizeof(a));
|
2017-06-01 15:08:55 +00:00
|
|
|
curve25519_neg(A.x, A.x);
|
|
|
|
ge25519_pack(res, &A);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2017-05-16 18:19:58 +00:00
|
|
|
#ifndef ED25519_SUFFIX
|
|
|
|
|
|
|
|
#include "curve25519-donna-scalarmult-base.h"
|
|
|
|
|
2022-07-01 10:46:35 +00:00
|
|
|
void
|
|
|
|
ed25519_publickey_ext(const ed25519_secret_key extsk, ed25519_public_key pk) {
|
|
|
|
bignum256modm a = {0};
|
2022-07-01 12:57:52 +00:00
|
|
|
ge25519 ALIGN(16) A = {0};
|
2022-07-01 10:46:35 +00:00
|
|
|
|
|
|
|
expand256_modm(a, extsk, 32);
|
|
|
|
|
|
|
|
/* A = aB */
|
2024-09-01 18:52:00 +00:00
|
|
|
ge25519_scalarmult_base_wrapper(&A, a);
|
2022-07-01 10:46:35 +00:00
|
|
|
memzero(&a, sizeof(a));
|
|
|
|
ge25519_pack(pk, &A);
|
|
|
|
}
|
|
|
|
|
2017-05-16 18:19:58 +00:00
|
|
|
int
|
|
|
|
ed25519_cosi_combine_publickeys(ed25519_public_key res, CONST ed25519_public_key *pks, size_t n) {
|
|
|
|
size_t i = 0;
|
2019-10-02 14:31:36 +00:00
|
|
|
ge25519 P = {0};
|
|
|
|
ge25519_pniels sump = {0};
|
|
|
|
ge25519_p1p1 sump1 = {0};
|
2017-05-16 18:19:58 +00:00
|
|
|
|
|
|
|
if (n == 1) {
|
|
|
|
memcpy(res, pks, sizeof(ed25519_public_key));
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (!ge25519_unpack_negative_vartime(&P, pks[i++])) {
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
ge25519_full_to_pniels(&sump, &P);
|
|
|
|
while (i < n - 1) {
|
|
|
|
if (!ge25519_unpack_negative_vartime(&P, pks[i++])) {
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
ge25519_pnielsadd(&sump, &P, &sump);
|
|
|
|
}
|
|
|
|
if (!ge25519_unpack_negative_vartime(&P, pks[i++])) {
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
ge25519_pnielsadd_p1p1(&sump1, &P, &sump, 0);
|
|
|
|
ge25519_p1p1_to_partial(&P, &sump1);
|
|
|
|
curve25519_neg(P.x, P.x);
|
|
|
|
ge25519_pack(res, &P);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
ed25519_cosi_combine_signatures(ed25519_signature res, const ed25519_public_key R, CONST ed25519_cosi_signature *sigs, size_t n) {
|
2019-10-02 14:31:36 +00:00
|
|
|
bignum256modm s = {0}, t = {0};
|
2017-05-16 18:19:58 +00:00
|
|
|
size_t i = 0;
|
|
|
|
|
|
|
|
expand256_modm(s, sigs[i++], 32);
|
|
|
|
while (i < n) {
|
|
|
|
expand256_modm(t, sigs[i++], 32);
|
|
|
|
add256_modm(s, s, t);
|
|
|
|
}
|
|
|
|
memcpy(res, R, 32);
|
|
|
|
contract256_modm(res + 32, s);
|
|
|
|
}
|
|
|
|
|
2016-04-22 15:47:48 +00:00
|
|
|
/*
|
|
|
|
Fast Curve25519 basepoint scalar multiplication
|
|
|
|
*/
|
|
|
|
void
|
2017-03-28 21:05:59 +00:00
|
|
|
curve25519_scalarmult_basepoint(curve25519_key pk, const curve25519_key e) {
|
2019-10-02 14:31:36 +00:00
|
|
|
curve25519_key ec = {0};
|
|
|
|
bignum256modm s = {0};
|
2022-07-01 12:57:52 +00:00
|
|
|
bignum25519 ALIGN(16) yplusz = {0}, zminusy = {0};
|
|
|
|
ge25519 ALIGN(16) p = {0};
|
2019-10-02 14:31:36 +00:00
|
|
|
size_t i = 0;
|
2016-04-22 15:47:48 +00:00
|
|
|
|
|
|
|
/* clamp */
|
|
|
|
for (i = 0; i < 32; i++) ec[i] = e[i];
|
|
|
|
ec[0] &= 248;
|
|
|
|
ec[31] &= 127;
|
|
|
|
ec[31] |= 64;
|
|
|
|
|
|
|
|
expand_raw256_modm(s, ec);
|
2021-07-09 08:35:42 +00:00
|
|
|
memzero(&ec, sizeof(ec));
|
2016-04-22 15:47:48 +00:00
|
|
|
|
|
|
|
/* scalar * basepoint */
|
2024-09-01 18:52:00 +00:00
|
|
|
ge25519_scalarmult_base_wrapper(&p, s);
|
2021-07-09 08:35:42 +00:00
|
|
|
memzero(&s, sizeof(s));
|
2016-04-22 15:47:48 +00:00
|
|
|
|
|
|
|
/* u = (y + z) / (z - y) */
|
|
|
|
curve25519_add(yplusz, p.y, p.z);
|
|
|
|
curve25519_sub(zminusy, p.z, p.y);
|
|
|
|
curve25519_recip(zminusy, zminusy);
|
|
|
|
curve25519_mul(yplusz, yplusz, zminusy);
|
|
|
|
curve25519_contract(pk, yplusz);
|
|
|
|
}
|
|
|
|
|
2017-03-28 17:48:36 +00:00
|
|
|
void
|
2017-03-28 21:05:59 +00:00
|
|
|
curve25519_scalarmult(curve25519_key mypublic, const curve25519_key secret, const curve25519_key basepoint) {
|
2019-10-02 14:31:36 +00:00
|
|
|
curve25519_key e = {0};
|
|
|
|
size_t i = 0;
|
2017-03-28 17:48:36 +00:00
|
|
|
|
|
|
|
for (i = 0;i < 32;++i) e[i] = secret[i];
|
|
|
|
e[0] &= 0xf8;
|
|
|
|
e[31] &= 0x7f;
|
|
|
|
e[31] |= 0x40;
|
|
|
|
curve25519_scalarmult_donna(mypublic, e, basepoint);
|
2021-07-09 08:35:42 +00:00
|
|
|
memzero(&e, sizeof(e));
|
2017-03-28 17:48:36 +00:00
|
|
|
}
|
2017-05-16 18:19:58 +00:00
|
|
|
|
|
|
|
#endif // ED25519_SUFFIX
|