On Fri, 13 Jan 2023, Damien Miller wrote:
> Hi,
>
> Forewarning: this is a big, noisy diff. Also on Github at
> https://github.com/djmdjm/openssh-wip/pull/18
>
> This updates the ED25519 code to the latest version of SUPERCOP (20221122),
> but the real motivation for this is to move the ED25519 code to the same
> approach we use for the Streamlined NTRUPrime code: using a shell-script
> to extract the bits we want from SUPERCOP and squish them all into a
> single file.
>
> This removes a bunch of exported function names, a bit of unused
> code and means that all the ED25519 code is in a single file rather
> than eight.
>
> To review this, it's probably best to run the shellscript locally
> (use sh ed25519.sh /path/to/directory/with/supercop) and inspect the
> output. Apart from the original ed25519.c (assembled from the keypair.c,
> sign.c and open.c files in SUPERCOP) there are no substantial changes.
Here's a better way to look at the substantive changes:
1. Assemble the existing ed25519 code in the same order as how this
patch arranges things:
cat verify.c fe25519.h fe25519.c sc25519.h sc25519.c \
ge25519.h ge25519.c ed25519.c | \
sed -e '/#include "ge25519_base.data"/r ge25519_base.data' \
-e '/#include.*/d' > ed25519.c.old
2. Apply the patch
3. Diff the original and new code (below)
This isn't completely without noise, but it lets you see the substantive
changes clearly.
-d
----
--- /tmp/ed25519.c Sat Jan 14 16:25:09 2023
+++ ed25519.c Sat Jan 14 16:25:41 2023
@@ -1,12 +1,30 @@
-/* $OpenBSD: verify.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
+/* $OpenBSD: $ */
/*
- * Public Domain, Author: Daniel J. Bernstein
- * Copied from nacl-20110221/crypto_verify/32/ref/verify.c
+ * Public Domain, Authors:
+ * - Daniel J. Bernstein
+ * - Niels Duif
+ * - Tanja Lange
+ * - lead: Peter Schwabe
+ * - Bo-Yin Yang
*/
+#include <string.h>
-int crypto_verify_32(const unsigned char *x,const unsigned char *y)
+#include "crypto_api.h"
+
+#define int8 crypto_int8
+#define uint8 crypto_uint8
+#define int16 crypto_int16
+#define uint16 crypto_uint16
+#define int32 crypto_int32
+#define uint32 crypto_uint32
+#define int64 crypto_int64
+#define uint64 crypto_uint64
+
+/* from supercop-20221122/crypto_verify/32/ref/verify.c */
+
+static int crypto_verify_32(const unsigned char *x,const unsigned char *y)
{
unsigned int differentbits = 0;
#define F(i) differentbits |= x[i] ^ y[i];
@@ -44,14 +62,7 @@
F(31)
return (1 & ((differentbits - 1) >> 8)) - 1;
}
-/* $OpenBSD: fe25519.h,v 1.3 2013/12/09 11:03:45 markus Exp $ */
-
-/*
- * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
- * Peter Schwabe, Bo-Yin Yang.
- * Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.h
- */
-
+/* from supercop-20221122/crypto_sign/ed25519/ref/fe25519.h */
#ifndef FE25519_H
#define FE25519_H
@@ -80,52 +91,45 @@
}
fe25519;
-void fe25519_freeze(fe25519 *r);
+static void fe25519_freeze(fe25519 *r);
-void fe25519_unpack(fe25519 *r, const unsigned char x[32]);
+static void fe25519_unpack(fe25519 *r, const unsigned char x[32]);
-void fe25519_pack(unsigned char r[32], const fe25519 *x);
+static void fe25519_pack(unsigned char r[32], const fe25519 *x);
-int fe25519_iszero(const fe25519 *x);
+static int fe25519_iszero(const fe25519 *x);
-int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y);
+static int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y);
-void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b);
+static void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b);
-void fe25519_setone(fe25519 *r);
+static void fe25519_setone(fe25519 *r);
-void fe25519_setzero(fe25519 *r);
+static void fe25519_setzero(fe25519 *r);
-void fe25519_neg(fe25519 *r, const fe25519 *x);
+static void fe25519_neg(fe25519 *r, const fe25519 *x);
unsigned char fe25519_getparity(const fe25519 *x);
-void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y);
+static void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y);
-void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y);
+static void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y);
-void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y);
+static void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y);
-void fe25519_square(fe25519 *r, const fe25519 *x);
+static void fe25519_square(fe25519 *r, const fe25519 *x);
-void fe25519_invert(fe25519 *r, const fe25519 *x);
+static void fe25519_invert(fe25519 *r, const fe25519 *x);
-void fe25519_pow2523(fe25519 *r, const fe25519 *x);
+static void fe25519_pow2523(fe25519 *r, const fe25519 *x);
#endif
-/* $OpenBSD: fe25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
-
-/*
- * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
- * Peter Schwabe, Bo-Yin Yang.
- * Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c
- */
-
+/* from supercop-20221122/crypto_sign/ed25519/ref/fe25519.c */
#define WINDOWSIZE 1 /* Should be 1,2, or 4 */
#define WINDOWMASK ((1<<WINDOWSIZE)-1)
-static crypto_uint32 equal(crypto_uint32 a,crypto_uint32 b) /* 16-bit inputs */
+static crypto_uint32 fe25519_equal(crypto_uint32 a,crypto_uint32 b) /* 16-bit
inputs */
{
crypto_uint32 x = a ^ b; /* 0: yes; 1..65535: no */
x -= 1; /* 4294967295: yes; 0..65534: no */
@@ -152,7 +156,7 @@
return (a << 5) + (a << 2) + (a << 1);
}
-static void reduce_add_sub(fe25519 *r)
+static void fe25519_reduce_add_sub(fe25519 *r)
{
crypto_uint32 t;
int i,rep;
@@ -193,12 +197,12 @@
}
/* reduction modulo 2^255-19 */
-void fe25519_freeze(fe25519 *r)
+static void fe25519_freeze(fe25519 *r)
{
int i;
- crypto_uint32 m = equal(r->v[31],127);
+ crypto_uint32 m = fe25519_equal(r->v[31],127);
for(i=30;i>0;i--)
- m &= equal(r->v[i],255);
+ m &= fe25519_equal(r->v[i],255);
m &= ge(r->v[0],237);
m = -m;
@@ -209,7 +213,7 @@
r->v[0] -= m&237;
}
-void fe25519_unpack(fe25519 *r, const unsigned char x[32])
+static void fe25519_unpack(fe25519 *r, const unsigned char x[32])
{
int i;
for(i=0;i<32;i++) r->v[i] = x[i];
@@ -217,7 +221,7 @@
}
/* Assumes input x being reduced below 2^255 */
-void fe25519_pack(unsigned char r[32], const fe25519 *x)
+static void fe25519_pack(unsigned char r[32], const fe25519 *x)
{
int i;
fe25519 y = *x;
@@ -226,19 +230,19 @@
r[i] = y.v[i];
}
-int fe25519_iszero(const fe25519 *x)
+static int fe25519_iszero(const fe25519 *x)
{
int i;
int r;
fe25519 t = *x;
fe25519_freeze(&t);
- r = equal(t.v[0],0);
+ r = fe25519_equal(t.v[0],0);
for(i=1;i<32;i++)
- r &= equal(t.v[i],0);
+ r &= fe25519_equal(t.v[i],0);
return r;
}
-int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y)
+static int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y)
{
int i;
fe25519 t1 = *x;
@@ -250,7 +254,7 @@
return 1;
}
-void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b)
+static void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b)
{
int i;
crypto_uint32 mask = b;
@@ -265,20 +269,20 @@
return t.v[0] & 1;
}
-void fe25519_setone(fe25519 *r)
+static void fe25519_setone(fe25519 *r)
{
int i;
r->v[0] = 1;
for(i=1;i<32;i++) r->v[i]=0;
}
-void fe25519_setzero(fe25519 *r)
+static void fe25519_setzero(fe25519 *r)
{
int i;
for(i=0;i<32;i++) r->v[i]=0;
}
-void fe25519_neg(fe25519 *r, const fe25519 *x)
+static void fe25519_neg(fe25519 *r, const fe25519 *x)
{
fe25519 t;
int i;
@@ -287,14 +291,14 @@
fe25519_sub(r, r, &t);
}
-void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y)
+static void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y)
{
int i;
for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i];
- reduce_add_sub(r);
+ fe25519_reduce_add_sub(r);
}
-void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y)
+static void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y)
{
int i;
crypto_uint32 t[32];
@@ -302,10 +306,10 @@
t[31] = x->v[31] + 0xfe;
for(i=1;i<31;i++) t[i] = x->v[i] + 0x1fe;
for(i=0;i<32;i++) r->v[i] = t[i] - y->v[i];
- reduce_add_sub(r);
+ fe25519_reduce_add_sub(r);
}
-void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y)
+static void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y)
{
int i,j;
crypto_uint32 t[63];
@@ -322,12 +326,12 @@
reduce_mul(r);
}
-void fe25519_square(fe25519 *r, const fe25519 *x)
+static void fe25519_square(fe25519 *r, const fe25519 *x)
{
fe25519_mul(r, x, x);
}
-void fe25519_invert(fe25519 *r, const fe25519 *x)
+static void fe25519_invert(fe25519 *r, const fe25519 *x)
{
fe25519 z2;
fe25519 z9;
@@ -394,7 +398,7 @@
/* 2^255 - 21 */ fe25519_mul(r,&t1,&z11);
}
-void fe25519_pow2523(fe25519 *r, const fe25519 *x)
+static void fe25519_pow2523(fe25519 *r, const fe25519 *x)
{
fe25519 z2;
fe25519 z9;
@@ -447,14 +451,7 @@
/* 2^252 - 2^2 */ fe25519_square(&t,&t);
/* 2^252 - 3 */ fe25519_mul(r,&t,x);
}
-/* $OpenBSD: sc25519.h,v 1.3 2013/12/09 11:03:45 markus Exp $ */
-
-/*
- * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
- * Peter Schwabe, Bo-Yin Yang.
- * Copied from supercop-20130419/crypto_sign/ed25519/ref/sc25519.h
- */
-
+/* from supercop-20221122/crypto_sign/ed25519/ref/sc25519.h */
#ifndef SC25519_H
#define SC25519_H
@@ -462,19 +459,11 @@
#define sc25519 crypto_sign_ed25519_ref_sc25519
#define shortsc25519 crypto_sign_ed25519_ref_shortsc25519
#define sc25519_from32bytes crypto_sign_ed25519_ref_sc25519_from32bytes
-#define shortsc25519_from16bytes
crypto_sign_ed25519_ref_shortsc25519_from16bytes
#define sc25519_from64bytes crypto_sign_ed25519_ref_sc25519_from64bytes
-#define sc25519_from_shortsc crypto_sign_ed25519_ref_sc25519_from_shortsc
#define sc25519_to32bytes crypto_sign_ed25519_ref_sc25519_to32bytes
-#define sc25519_iszero_vartime crypto_sign_ed25519_ref_sc25519_iszero_vartime
-#define sc25519_isshort_vartime
crypto_sign_ed25519_ref_sc25519_isshort_vartime
-#define sc25519_lt_vartime crypto_sign_ed25519_ref_sc25519_lt_vartime
#define sc25519_add crypto_sign_ed25519_ref_sc25519_add
-#define sc25519_sub_nored crypto_sign_ed25519_ref_sc25519_sub_nored
#define sc25519_mul crypto_sign_ed25519_ref_sc25519_mul
-#define sc25519_mul_shortsc crypto_sign_ed25519_ref_sc25519_mul_shortsc
#define sc25519_window3 crypto_sign_ed25519_ref_sc25519_window3
-#define sc25519_window5 crypto_sign_ed25519_ref_sc25519_window5
#define sc25519_2interleave2 crypto_sign_ed25519_ref_sc25519_2interleave2
typedef struct
@@ -489,58 +478,43 @@
}
shortsc25519;
-void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]);
+static void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]);
-void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16]);
-void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]);
+static void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]);
-void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x);
-void sc25519_to32bytes(unsigned char r[32], const sc25519 *x);
+static void sc25519_to32bytes(unsigned char r[32], const sc25519 *x);
-int sc25519_iszero_vartime(const sc25519 *x);
-int sc25519_isshort_vartime(const sc25519 *x);
-int sc25519_lt_vartime(const sc25519 *x, const sc25519 *y);
-void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y);
+static void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y);
-void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y);
-void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y);
+static void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y);
-void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y);
/* Convert s into a representation of the form \sum_{i=0}^{84}r[i]2^3
* with r[i] in {-4,...,3}
*/
-void sc25519_window3(signed char r[85], const sc25519 *s);
+static void sc25519_window3(signed char r[85], const sc25519 *s);
/* Convert s into a representation of the form \sum_{i=0}^{50}r[i]2^5
* with r[i] in {-16,...,15}
*/
-void sc25519_window5(signed char r[51], const sc25519 *s);
-void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const
sc25519 *s2);
+static void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1,
const sc25519 *s2);
#endif
-/* $OpenBSD: sc25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
+/* from supercop-20221122/crypto_sign/ed25519/ref/sc25519.c */
-/*
- * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
- * Peter Schwabe, Bo-Yin Yang.
- * Copied from supercop-20130419/crypto_sign/ed25519/ref/sc25519.c
- */
-
-
/*Arithmetic modulo the group order m = 2^252 +
27742317777372353535851937790883648493 =
7237005577332262213973186563042994240857116359379907606001950938285454250989 */
-static const crypto_uint32 m[32] = {0xED, 0xD3, 0xF5, 0x5C, 0x1A, 0x63, 0x12,
0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14,
+static const crypto_uint32 sc25519_m[32] = {0xED, 0xD3, 0xF5, 0x5C, 0x1A,
0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10};
-static const crypto_uint32 mu[33] = {0x1B, 0x13, 0x2C, 0x0A, 0xA3, 0xE5, 0x9C,
0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21,
+static const crypto_uint32 sc25519_mu[33] = {0x1B, 0x13, 0x2C, 0x0A, 0xA3,
0xE5, 0x9C, 0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21,
0xEB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F};
static crypto_uint32 lt(crypto_uint32 a,crypto_uint32 b) /* 16-bit inputs */
@@ -551,8 +525,8 @@
return x;
}
-/* Reduce coefficients of r before calling reduce_add_sub */
-static void reduce_add_sub(sc25519 *r)
+/* Reduce coefficients of r before calling sc25519_reduce_add_sub */
+static void sc25519_reduce_add_sub(sc25519 *r)
{
crypto_uint32 pb = 0;
crypto_uint32 b;
@@ -562,7 +536,7 @@
for(i=0;i<32;i++)
{
- pb += m[i];
+ pb += sc25519_m[i];
b = lt(r->v[i],pb);
t[i] = r->v[i]-pb+(b<<8);
pb = b;
@@ -590,7 +564,7 @@
for(i=0;i<33;i++)
for(j=0;j<33;j++)
- if(i+j >= 31) q2[i+j] += mu[i]*x[j+31];
+ if(i+j >= 31) q2[i+j] += sc25519_mu[i]*x[j+31];
carry = q2[31] >> 8;
q2[32] += carry;
carry = q2[32] >> 8;
@@ -599,7 +573,7 @@
for(i=0;i<33;i++)r1[i] = x[i];
for(i=0;i<32;i++)
for(j=0;j<33;j++)
- if(i+j < 33) r2[i+j] += m[i]*q3[j];
+ if(i+j < 33) r2[i+j] += sc25519_m[i]*q3[j];
for(i=0;i<32;i++)
{
@@ -620,11 +594,11 @@
* If so: Handle it here!
*/
- reduce_add_sub(r);
- reduce_add_sub(r);
+ sc25519_reduce_add_sub(r);
+ sc25519_reduce_add_sub(r);
}
-void sc25519_from32bytes(sc25519 *r, const unsigned char x[32])
+static void sc25519_from32bytes(sc25519 *r, const unsigned char x[32])
{
int i;
crypto_uint32 t[64];
@@ -633,13 +607,8 @@
barrett_reduce(r, t);
}
-void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16])
-{
- int i;
- for(i=0;i<16;i++) r->v[i] = x[i];
-}
-void sc25519_from64bytes(sc25519 *r, const unsigned char x[64])
+static void sc25519_from64bytes(sc25519 *r, const unsigned char x[64])
{
int i;
crypto_uint32 t[64];
@@ -647,49 +616,17 @@
barrett_reduce(r, t);
}
-void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x)
-{
- int i;
- for(i=0;i<16;i++)
- r->v[i] = x->v[i];
- for(i=0;i<16;i++)
- r->v[16+i] = 0;
-}
-void sc25519_to32bytes(unsigned char r[32], const sc25519 *x)
+static void sc25519_to32bytes(unsigned char r[32], const sc25519 *x)
{
int i;
for(i=0;i<32;i++) r[i] = x->v[i];
}
-int sc25519_iszero_vartime(const sc25519 *x)
-{
- int i;
- for(i=0;i<32;i++)
- if(x->v[i] != 0) return 0;
- return 1;
-}
-int sc25519_isshort_vartime(const sc25519 *x)
-{
- int i;
- for(i=31;i>15;i--)
- if(x->v[i] != 0) return 0;
- return 1;
-}
-int sc25519_lt_vartime(const sc25519 *x, const sc25519 *y)
-{
- int i;
- for(i=31;i>=0;i--)
- {
- if(x->v[i] < y->v[i]) return 1;
- if(x->v[i] > y->v[i]) return 0;
- }
- return 0;
-}
-void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y)
+static void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y)
{
int i, carry;
for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i];
@@ -699,23 +636,11 @@
r->v[i+1] += carry;
r->v[i] &= 0xff;
}
- reduce_add_sub(r);
+ sc25519_reduce_add_sub(r);
}
-void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y)
-{
- crypto_uint32 b = 0;
- crypto_uint32 t;
- int i;
- for(i=0;i<32;i++)
- {
- t = x->v[i] - y->v[i] - b;
- r->v[i] = t & 255;
- b = (t >> 8) & 1;
- }
-}
-void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y)
+static void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y)
{
int i,j,carry;
crypto_uint32 t[64];
@@ -736,14 +661,8 @@
barrett_reduce(r, t);
}
-void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y)
-{
- sc25519 t;
- sc25519_from_shortsc(&t, y);
- sc25519_mul(r, x, &t);
-}
-void sc25519_window3(signed char r[85], const sc25519 *s)
+static void sc25519_window3(signed char r[85], const sc25519 *s)
{
char carry;
int i;
@@ -780,45 +699,9 @@
r[84] += carry;
}
-void sc25519_window5(signed char r[51], const sc25519 *s)
-{
- char carry;
- int i;
- for(i=0;i<6;i++)
- {
- r[8*i+0] = s->v[5*i+0] & 31;
- r[8*i+1] = (s->v[5*i+0] >> 5) & 31;
- r[8*i+1] ^= (s->v[5*i+1] << 3) & 31;
- r[8*i+2] = (s->v[5*i+1] >> 2) & 31;
- r[8*i+3] = (s->v[5*i+1] >> 7) & 31;
- r[8*i+3] ^= (s->v[5*i+2] << 1) & 31;
- r[8*i+4] = (s->v[5*i+2] >> 4) & 31;
- r[8*i+4] ^= (s->v[5*i+3] << 4) & 31;
- r[8*i+5] = (s->v[5*i+3] >> 1) & 31;
- r[8*i+6] = (s->v[5*i+3] >> 6) & 31;
- r[8*i+6] ^= (s->v[5*i+4] << 2) & 31;
- r[8*i+7] = (s->v[5*i+4] >> 3) & 31;
- }
- r[8*i+0] = s->v[5*i+0] & 31;
- r[8*i+1] = (s->v[5*i+0] >> 5) & 31;
- r[8*i+1] ^= (s->v[5*i+1] << 3) & 31;
- r[8*i+2] = (s->v[5*i+1] >> 2) & 31;
- /* Making it signed */
- carry = 0;
- for(i=0;i<50;i++)
+static void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1,
const sc25519 *s2)
{
- r[i] += carry;
- r[i+1] += r[i] >> 5;
- r[i] &= 31;
- carry = r[i] >> 4;
- r[i] -= carry<<5;
- }
- r[50] += carry;
-}
-
-void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const
sc25519 *s2)
-{
int i;
for(i=0;i<31;i++)
{
@@ -831,14 +714,7 @@
r[125] = ((s1->v[31] >> 2) & 3) ^ (((s2->v[31] >> 2) & 3) << 2);
r[126] = ((s1->v[31] >> 4) & 3) ^ (((s2->v[31] >> 4) & 3) << 2);
}
-/* $OpenBSD: ge25519.h,v 1.4 2015/02/16 18:26:26 miod Exp $ */
-
-/*
- * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
- * Peter Schwabe, Bo-Yin Yang.
- * Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519.h
- */
-
+/* from supercop-20221122/crypto_sign/ed25519/ref/ge25519.h */
#ifndef GE25519_H
#define GE25519_H
@@ -859,29 +735,22 @@
fe25519 t;
} ge25519;
-extern const ge25519 ge25519_base;
+const ge25519 ge25519_base;
int ge25519_unpackneg_vartime(ge25519 *r, const unsigned char p[32]);
-void ge25519_pack(unsigned char r[32], const ge25519 *p);
+static void ge25519_pack(unsigned char r[32], const ge25519 *p);
int ge25519_isneutral_vartime(const ge25519 *p);
-void ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const
sc25519 *s1, const ge25519 *p2, const sc25519 *s2);
+static void ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1,
const sc25519 *s1, const ge25519 *p2, const sc25519 *s2);
-void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);
+static void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);
#endif
-/* $OpenBSD: ge25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
+/* from supercop-20221122/crypto_sign/ed25519/ref/ge25519.c */
/*
- * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
- * Peter Schwabe, Bo-Yin Yang.
- * Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519.c
- */
-
-
-/*
* Arithmetic on the twisted Edwards curve -x^2 + y^2 = 1 + dx^2y^2
* with d = -(121665/121666) =
37095705934669439343138083508754565189542113879843219016388785533085940283555
* Base point:
(15112221349535400772501151409588531511454012693041857206046113283949847762202,46316835694926478169428394003475163141307993866256225615783033603165251855960);
@@ -933,14 +802,6 @@
/* Multiples of the base point in affine representation */
static const ge25519_aff ge25519_base_multiples_affine[425] = {
-/* $OpenBSD: ge25519_base.data,v 1.3 2013/12/09 11:03:45 markus Exp $ */
-
-/*
- * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
- * Peter Schwabe, Bo-Yin Yang.
- * Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519_base.data
- */
-
{{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
{{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}},
{{{0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,
0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, 0xfe,
0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21}} ,
@@ -1966,7 +1827,7 @@
return 0;
}
-void ge25519_pack(unsigned char r[32], const ge25519_p3 *p)
+static void ge25519_pack(unsigned char r[32], const ge25519_p3 *p)
{
fe25519 tx, ty, zi;
fe25519_invert(&zi, &p->z);
@@ -1985,7 +1846,7 @@
}
/* computes [s1]p1 + [s2]p2 */
-void ge25519_double_scalarmult_vartime(ge25519_p3 *r, const ge25519_p3 *p1,
const sc25519 *s1, const ge25519_p3 *p2, const sc25519 *s2)
+static void ge25519_double_scalarmult_vartime(ge25519_p3 *r, const ge25519_p3
*p1, const sc25519 *s1, const ge25519_p3 *p2, const sc25519 *s2)
{
ge25519_p1p1 tp1p1;
ge25519_p3 pre[16];
@@ -2029,7 +1890,7 @@
}
}
-void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s)
+static void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s)
{
signed char b[85];
int i;
@@ -2045,52 +1906,28 @@
ge25519_mixadd2(r, &t);
}
}
-/* $OpenBSD: ed25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
+/* from supercop-20221122/crypto_sign/ed25519/ref/keypair.c */
-/*
- * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
- * Peter Schwabe, Bo-Yin Yang.
- * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
- */
-
-
-
-static void get_hram(unsigned char *hram, const unsigned char *sm, const
unsigned char *pk, unsigned char *playground, unsigned long long smlen)
+int crypto_sign_ed25519_keypair(unsigned char *pk,unsigned char *sk)
{
- unsigned long long i;
-
- for (i = 0;i < 32;++i) playground[i] = sm[i];
- for (i = 32;i < 64;++i) playground[i] = pk[i-32];
- for (i = 64;i < smlen;++i) playground[i] = sm[i];
-
- crypto_hash_sha512(hram,playground,smlen);
-}
-
-
-int crypto_sign_ed25519_keypair(
- unsigned char *pk,
- unsigned char *sk
- )
-{
+ unsigned char az[64];
sc25519 scsk;
ge25519 gepk;
- unsigned char extsk[64];
- int i;
randombytes(sk, 32);
- crypto_hash_sha512(extsk, sk, 32);
- extsk[0] &= 248;
- extsk[31] &= 127;
- extsk[31] |= 64;
+ crypto_hash_sha512(az,sk,32);
+ az[0] &= 248;
+ az[31] &= 127;
+ az[31] |= 64;
- sc25519_from32bytes(&scsk,extsk);
+ sc25519_from32bytes(&scsk,az);
ge25519_scalarmult_base(&gepk, &scsk);
ge25519_pack(pk, &gepk);
- for(i=0;i<32;i++)
- sk[32 + i] = pk[i];
+ memmove(sk + 32,pk,32);
return 0;
}
+/* from supercop-20221122/crypto_sign/ed25519/ref/sign.c */
int crypto_sign_ed25519(
unsigned char *sm,unsigned long long *smlen,
@@ -2098,51 +1935,53 @@
const unsigned char *sk
)
{
+ unsigned char pk[32];
+ unsigned char az[64];
+ unsigned char nonce[64];
+ unsigned char hram[64];
sc25519 sck, scs, scsk;
ge25519 ger;
- unsigned char r[32];
- unsigned char s[32];
- unsigned char extsk[64];
- unsigned long long i;
- unsigned char hmg[crypto_hash_sha512_BYTES];
- unsigned char hram[crypto_hash_sha512_BYTES];
- crypto_hash_sha512(extsk, sk, 32);
- extsk[0] &= 248;
- extsk[31] &= 127;
- extsk[31] |= 64;
+ memmove(pk,sk + 32,32);
+ /* pk: 32-byte public key A */
+ crypto_hash_sha512(az,sk,32);
+ az[0] &= 248;
+ az[31] &= 127;
+ az[31] |= 64;
+ /* az: 32-byte scalar a, 32-byte randomizer z */
+
*smlen = mlen+64;
- for(i=0;i<mlen;i++)
- sm[64 + i] = m[i];
- for(i=0;i<32;i++)
- sm[32 + i] = extsk[32+i];
+ memmove(sm + 64,m,mlen);
+ memmove(sm + 32,az + 32,32);
+ /* sm: 32-byte uninit, 32-byte z, mlen-byte m */
- crypto_hash_sha512(hmg, sm+32, mlen+32); /* Generate k as
h(extsk[32],...,extsk[63],m) */
+ crypto_hash_sha512(nonce, sm+32, mlen+32);
+ /* nonce: 64-byte H(z,m) */
- /* Computation of R */
- sc25519_from64bytes(&sck, hmg);
+ sc25519_from64bytes(&sck, nonce);
ge25519_scalarmult_base(&ger, &sck);
- ge25519_pack(r, &ger);
+ ge25519_pack(sm, &ger);
+ /* sm: 32-byte R, 32-byte z, mlen-byte m */
- /* Computation of s */
- for(i=0;i<32;i++)
- sm[i] = r[i];
+ memmove(sm + 32,pk,32);
+ /* sm: 32-byte R, 32-byte A, mlen-byte m */
- get_hram(hram, sm, sk+32, sm, mlen+64);
+ crypto_hash_sha512(hram,sm,mlen + 64);
+ /* hram: 64-byte H(R,A,m) */
sc25519_from64bytes(&scs, hram);
- sc25519_from32bytes(&scsk, extsk);
+ sc25519_from32bytes(&scsk, az);
sc25519_mul(&scs, &scs, &scsk);
-
sc25519_add(&scs, &scs, &sck);
+ /* scs: S = nonce + H(R,A,m)a */
- sc25519_to32bytes(s,&scs); /* cat s */
- for(i=0;i<32;i++)
- sm[32 + i] = s[i];
+ sc25519_to32bytes(sm + 32,&scs);
+ /* sm: 32-byte R, 32-byte S, mlen-byte m */
return 0;
}
+/* from supercop-20221122/crypto_sign/ed25519/ref/open.c */
int crypto_sign_ed25519_open(
unsigned char *m,unsigned long long *mlen,
@@ -2150,39 +1989,40 @@
const unsigned char *pk
)
{
- unsigned int i;
- int ret;
- unsigned char t2[32];
+ unsigned char pkcopy[32];
+ unsigned char rcopy[32];
+ unsigned char hram[64];
+ unsigned char rcheck[32];
ge25519 get1, get2;
sc25519 schram, scs;
- unsigned char hram[crypto_hash_sha512_BYTES];
- *mlen = (unsigned long long) -1;
- if (smlen < 64) return -1;
+ if (smlen < 64) goto badsig;
+ if (sm[63] & 224) goto badsig;
+ if (ge25519_unpackneg_vartime(&get1,pk)) goto badsig;
- if (ge25519_unpackneg_vartime(&get1, pk)) return -1;
+ memmove(pkcopy,pk,32);
+ memmove(rcopy,sm,32);
- get_hram(hram,sm,pk,m,smlen);
+ sc25519_from32bytes(&scs, sm+32);
+ memmove(m,sm,smlen);
+ memmove(m + 32,pkcopy,32);
+ crypto_hash_sha512(hram,m,smlen);
+
sc25519_from64bytes(&schram, hram);
- sc25519_from32bytes(&scs, sm+32);
-
ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base,
&scs);
- ge25519_pack(t2, &get2);
+ ge25519_pack(rcheck, &get2);
- ret = crypto_verify_32(sm, t2);
-
- if (!ret)
- {
- for(i=0;i<smlen-64;i++)
- m[i] = sm[i + 64];
+ if (crypto_verify_32(rcopy,rcheck) == 0) {
+ memmove(m,m + 64,smlen - 64);
+ memset(m + smlen - 64,0,64);
*mlen = smlen - 64;
+ return 0;
}
- else
- {
- for(i=0;i<smlen-64;i++)
- m[i] = 0;
- }
- return ret;
+
+badsig:
+ *mlen = (unsigned long long) -1;
+ memset(m,0,smlen);
+ return -1;
}