|
|
|
|
@ -18,6 +18,7 @@
|
|
|
|
|
#include "ed25519.h"
|
|
|
|
|
|
|
|
|
|
#include "ed25519-hash-custom.h"
|
|
|
|
|
#include "memzero.h"
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
Generates a (extsk[0..31]) and aExt (extsk[32..63])
|
|
|
|
|
@ -46,11 +47,13 @@ ED25519_FN(ed25519_publickey) (const ed25519_secret_key sk, ed25519_public_key p
|
|
|
|
|
ge25519 ALIGN(16) A;
|
|
|
|
|
hash_512bits extsk = {0};
|
|
|
|
|
|
|
|
|
|
/* A = aB */
|
|
|
|
|
ed25519_extsk(extsk, sk);
|
|
|
|
|
|
|
|
|
|
expand256_modm(a, extsk, 32);
|
|
|
|
|
memzero(&extsk, sizeof(extsk));
|
|
|
|
|
|
|
|
|
|
/* A = aB */
|
|
|
|
|
ge25519_scalarmult_base_niels(&A, ge25519_niels_base_multiples, a);
|
|
|
|
|
memzero(&a, sizeof(a));
|
|
|
|
|
ge25519_pack(pk, &A);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@ -66,7 +69,9 @@ ED25519_FN(ed25519_publickey_ext) (const ed25519_secret_key sk, const ed25519_se
|
|
|
|
|
memcpy(extsk, sk, 32);
|
|
|
|
|
memcpy(extsk+32, skext, 32);
|
|
|
|
|
expand256_modm(a, extsk, 32);
|
|
|
|
|
memzero(&extsk, sizeof(extsk));
|
|
|
|
|
ge25519_scalarmult_base_niels(&A, ge25519_niels_base_multiples, a);
|
|
|
|
|
memzero(&a, sizeof(a));
|
|
|
|
|
ge25519_pack(pk, &A);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
@ -81,6 +86,7 @@ ED25519_FN(ed25519_cosi_sign) (const unsigned char *m, size_t mlen, const ed2551
|
|
|
|
|
|
|
|
|
|
/* r = nonce */
|
|
|
|
|
expand256_modm(r, extnonce, 32);
|
|
|
|
|
memzero(&extnonce, sizeof(extnonce));
|
|
|
|
|
|
|
|
|
|
/* S = H(R,A,m).. */
|
|
|
|
|
ed25519_hram(hram, R, pk, m, mlen);
|
|
|
|
|
@ -88,10 +94,13 @@ ED25519_FN(ed25519_cosi_sign) (const unsigned char *m, size_t mlen, const ed2551
|
|
|
|
|
|
|
|
|
|
/* S = H(R,A,m)a */
|
|
|
|
|
expand256_modm(a, extsk, 32);
|
|
|
|
|
memzero(&extsk, sizeof(extsk));
|
|
|
|
|
mul256_modm(S, S, a);
|
|
|
|
|
memzero(&a, sizeof(a));
|
|
|
|
|
|
|
|
|
|
/* S = (r + H(R,A,m)a) */
|
|
|
|
|
add256_modm(S, S, r);
|
|
|
|
|
memzero(&r, sizeof(r));
|
|
|
|
|
|
|
|
|
|
/* S = (r + H(R,A,m)a) mod L */
|
|
|
|
|
contract256_modm(sig, S);
|
|
|
|
|
@ -113,6 +122,7 @@ ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_sec
|
|
|
|
|
ed25519_hash_update(&ctx, m, mlen);
|
|
|
|
|
ed25519_hash_final(&ctx, hashr);
|
|
|
|
|
expand256_modm(r, hashr, 64);
|
|
|
|
|
memzero(&hashr, sizeof(hashr));
|
|
|
|
|
|
|
|
|
|
/* R = rB */
|
|
|
|
|
ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r);
|
|
|
|
|
@ -124,10 +134,13 @@ ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_sec
|
|
|
|
|
|
|
|
|
|
/* S = H(R,A,m)a */
|
|
|
|
|
expand256_modm(a, extsk, 32);
|
|
|
|
|
memzero(&extsk, sizeof(extsk));
|
|
|
|
|
mul256_modm(S, S, a);
|
|
|
|
|
memzero(&a, sizeof(a));
|
|
|
|
|
|
|
|
|
|
/* S = (r + H(R,A,m)a) */
|
|
|
|
|
add256_modm(S, S, r);
|
|
|
|
|
memzero(&r, sizeof(r));
|
|
|
|
|
|
|
|
|
|
/* S = (r + H(R,A,m)a) mod L */
|
|
|
|
|
contract256_modm(RS + 32, S);
|
|
|
|
|
@ -153,6 +166,7 @@ ED25519_FN(ed25519_sign_ext) (const unsigned char *m, size_t mlen, const ed25519
|
|
|
|
|
ed25519_hash_update(&ctx, m, mlen);
|
|
|
|
|
ed25519_hash_final(&ctx, hashr);
|
|
|
|
|
expand256_modm(r, hashr, 64);
|
|
|
|
|
memzero(&hashr, sizeof(hashr));
|
|
|
|
|
|
|
|
|
|
/* R = rB */
|
|
|
|
|
ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r);
|
|
|
|
|
@ -164,10 +178,13 @@ ED25519_FN(ed25519_sign_ext) (const unsigned char *m, size_t mlen, const ed25519
|
|
|
|
|
|
|
|
|
|
/* S = H(R,A,m)a */
|
|
|
|
|
expand256_modm(a, extsk, 32);
|
|
|
|
|
memzero(&extsk, sizeof(extsk));
|
|
|
|
|
mul256_modm(S, S, a);
|
|
|
|
|
memzero(&a, sizeof(a));
|
|
|
|
|
|
|
|
|
|
/* S = (r + H(R,A,m)a) */
|
|
|
|
|
add256_modm(S, S, r);
|
|
|
|
|
memzero(&r, sizeof(r));
|
|
|
|
|
|
|
|
|
|
/* S = (r + H(R,A,m)a) mod L */
|
|
|
|
|
contract256_modm(RS + 32, S);
|
|
|
|
|
@ -209,12 +226,14 @@ ED25519_FN(ed25519_scalarmult) (ed25519_public_key res, const ed25519_secret_key
|
|
|
|
|
|
|
|
|
|
ed25519_extsk(extsk, sk);
|
|
|
|
|
expand256_modm(a, extsk, 32);
|
|
|
|
|
memzero(&extsk, sizeof(extsk));
|
|
|
|
|
|
|
|
|
|
if (!ge25519_unpack_negative_vartime(&P, pk)) {
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ge25519_scalarmult(&A, &P, a);
|
|
|
|
|
memzero(&a, sizeof(a));
|
|
|
|
|
curve25519_neg(A.x, A.x);
|
|
|
|
|
ge25519_pack(res, &A);
|
|
|
|
|
return 0;
|
|
|
|
|
@ -288,9 +307,11 @@ curve25519_scalarmult_basepoint(curve25519_key pk, const curve25519_key e) {
|
|
|
|
|
ec[31] |= 64;
|
|
|
|
|
|
|
|
|
|
expand_raw256_modm(s, ec);
|
|
|
|
|
memzero(&ec, sizeof(ec));
|
|
|
|
|
|
|
|
|
|
/* scalar * basepoint */
|
|
|
|
|
ge25519_scalarmult_base_niels(&p, ge25519_niels_base_multiples, s);
|
|
|
|
|
memzero(&s, sizeof(s));
|
|
|
|
|
|
|
|
|
|
/* u = (y + z) / (z - y) */
|
|
|
|
|
curve25519_add(yplusz, p.y, p.z);
|
|
|
|
|
@ -310,6 +331,7 @@ curve25519_scalarmult(curve25519_key mypublic, const curve25519_key secret, cons
|
|
|
|
|
e[31] &= 0x7f;
|
|
|
|
|
e[31] |= 0x40;
|
|
|
|
|
curve25519_scalarmult_donna(mypublic, e, basepoint);
|
|
|
|
|
memzero(&e, sizeof(e));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif // ED25519_SUFFIX
|
|
|
|
|
|
Andrew Kozlik
3 years ago
committed by