
decaf_###_x_direct_scalarmul -> decaf_x###_direct_scalarmul

master
Michael Hamburg 10 years ago
parent
commit
714a5db7a0
6 changed files with 110 additions and 104 deletions
  1. +10
    -10
      src/per_curve/decaf.tmpl.c
  2. +8
    -8
      src/per_curve/decaf.tmpl.h
  3. +6
    -6
      src/per_curve/decaf.tmpl.hxx
  4. +41
    -35
      src/per_curve/eddsa.tmpl.c
  5. +18
    -18
      src/per_curve/eddsa.tmpl.h
  6. +27
    -27
      src/per_curve/eddsa.tmpl.hxx

+ 10
- 10
src/per_curve/decaf.tmpl.c View File

@@ -35,7 +35,7 @@ static const scalar_t point_scalarmul_adjustment = {{{
$(ser((2**(combs.n*combs.t*combs.s) - 1) % q,64,"SC_LIMB")) $(ser((2**(combs.n*combs.t*combs.s) - 1) % q,64,"SC_LIMB"))
}}}; }}};


const uint8_t API_NS(x_base_point)[X_SER_BYTES] = { $(ser(mont_base,8)) };
const uint8_t decaf_x$(gf_shortname)_base_point[DECAF_X$(gf_shortname)_PUBLIC_BYTES] = { $(ser(mont_base,8)) };


#if COFACTOR==8 || EDDSA_USE_SIGMA_ISOGENY #if COFACTOR==8 || EDDSA_USE_SIGMA_ISOGENY
static const gf SQRT_ONE_MINUS_D = {FIELD_LITERAL( static const gf SQRT_ONE_MINUS_D = {FIELD_LITERAL(
@@ -47,7 +47,7 @@ const uint8_t API_NS(x_base_point)[X_SER_BYTES] = { $(ser(mont_base,8)) };


/* Sanity */ /* Sanity */
#if (COFACTOR == 8) && !IMAGINE_TWIST #if (COFACTOR == 8) && !IMAGINE_TWIST
/* FUTURE: Curve41417 doesn't have these properties. */
/* FUTURE MAGIC: Curve41417 doesn't have these properties. */
#error "Currently require IMAGINE_TWIST (and thus p=5 mod 8) for cofactor 8" #error "Currently require IMAGINE_TWIST (and thus p=5 mod 8) for cofactor 8"
#endif #endif


@@ -1048,7 +1048,7 @@ decaf_error_t API_NS(direct_scalarmul) (
} }


void API_NS(point_encode_like_eddsa) ( void API_NS(point_encode_like_eddsa) (
uint8_t enc[$(C_NS)_EDDSA_PUBLIC_BYTES],
uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const point_t p const point_t p
) { ) {
@@ -1123,9 +1123,9 @@ void API_NS(point_encode_like_eddsa) (
gf_mul(x,y,z); gf_mul(x,y,z);
/* Encode */ /* Encode */
enc[$(C_NS)_EDDSA_PRIVATE_BYTES-1] = 0;
enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] = 0;
gf_serialize(enc, x, 1); gf_serialize(enc, x, 1);
enc[$(C_NS)_EDDSA_PRIVATE_BYTES-1] |= 0x80 & gf_lobit(t);
enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] |= 0x80 & gf_lobit(t);


decaf_bzero(x,sizeof(x)); decaf_bzero(x,sizeof(x));
decaf_bzero(y,sizeof(y)); decaf_bzero(y,sizeof(y));
@@ -1137,17 +1137,17 @@ void API_NS(point_encode_like_eddsa) (


decaf_error_t API_NS(point_decode_like_eddsa) ( decaf_error_t API_NS(point_decode_like_eddsa) (
point_t p, point_t p,
const uint8_t enc[$(C_NS)_EDDSA_PUBLIC_BYTES]
const uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES]
) { ) {
uint8_t enc2[$(C_NS)_EDDSA_PUBLIC_BYTES];
uint8_t enc2[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES];
memcpy(enc2,enc,sizeof(enc2)); memcpy(enc2,enc,sizeof(enc2));


mask_t low = ~word_is_zero(enc2[$(C_NS)_EDDSA_PRIVATE_BYTES-1] & 0x80);
enc2[$(C_NS)_EDDSA_PRIVATE_BYTES-1] &= ~0x80;
mask_t low = ~word_is_zero(enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] & 0x80);
enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] &= ~0x80;
mask_t succ = DECAF_TRUE; mask_t succ = DECAF_TRUE;
#if $(gf_bits % 8) == 0 #if $(gf_bits % 8) == 0
succ = word_is_zero(enc2[$(C_NS)_EDDSA_PRIVATE_BYTES-1]);
succ = word_is_zero(enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1]);
#endif #endif
succ &= gf_deserialize(p->y, enc2, 1); succ &= gf_deserialize(p->y, enc2, 1);


+ 8
- 8
src/per_curve/decaf.tmpl.h View File

@@ -38,10 +38,10 @@ typedef struct gf_$(gf_shortname)_s {
#define $(C_NS)_INVERT_ELLIGATOR_WHICH_BITS $(ceil_log2(cofactor) + 7 + elligator_onto - ((gf_bits-2) % 8)) #define $(C_NS)_INVERT_ELLIGATOR_WHICH_BITS $(ceil_log2(cofactor) + 7 + elligator_onto - ((gf_bits-2) % 8))


/** Number of bytes in an x$(gf_shortname) public key */ /** Number of bytes in an x$(gf_shortname) public key */
#define X$(gf_shortname)_PUBLIC_BYTES $((gf_bits-1)/8 + 1)
#define DECAF_X$(gf_shortname)_PUBLIC_BYTES $((gf_bits-1)/8 + 1)


/** Number of bytes in an x$(gf_shortname) private key */ /** Number of bytes in an x$(gf_shortname) private key */
#define X$(gf_shortname)_PRIVATE_BYTES $((gf_bits-1)/8 + 1)
#define DECAF_X$(gf_shortname)_PRIVATE_BYTES $((gf_bits-1)/8 + 1)


/** Twisted Edwards extended homogeneous coordinates */ /** Twisted Edwards extended homogeneous coordinates */
typedef struct $(c_ns)_point_s { typedef struct $(c_ns)_point_s {
@@ -384,13 +384,13 @@ decaf_error_t $(c_ns)_direct_scalarmul (
* point is in a small subgroup. * point is in a small subgroup.
*/ */
decaf_error_t decaf_x$(gf_shortname)_direct_scalarmul ( decaf_error_t decaf_x$(gf_shortname)_direct_scalarmul (
uint8_t out[X$(gf_shortname)_PUBLIC_BYTES],
const uint8_t base[X$(gf_shortname)_PUBLIC_BYTES],
const uint8_t scalar[X$(gf_shortname)_PRIVATE_BYTES]
uint8_t out[DECAF_X$(gf_shortname)_PUBLIC_BYTES],
const uint8_t base[DECAF_X$(gf_shortname)_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X$(gf_shortname)_PRIVATE_BYTES]
) API_VIS NONNULL WARN_UNUSED NOINLINE; ) API_VIS NONNULL WARN_UNUSED NOINLINE;


/** The base point for X$(gf_shortname) Diffie-Hellman */ /** The base point for X$(gf_shortname) Diffie-Hellman */
extern const uint8_t $(c_ns)_x_base_point[X$(gf_shortname)_PUBLIC_BYTES] API_VIS;
extern const uint8_t decaf_x$(gf_shortname)_base_point[DECAF_X$(gf_shortname)_PUBLIC_BYTES] API_VIS;


/** /**
* @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses * @brief RFC 7748 Diffie-Hellman base point scalarmul. This function uses
@@ -400,8 +400,8 @@ extern const uint8_t $(c_ns)_x_base_point[X$(gf_shortname)_PUBLIC_BYTES] API_VIS
* @param [in] scalar The scalar to multiply by. * @param [in] scalar The scalar to multiply by.
*/ */
void decaf_x$(gf_shortname)_base_scalarmul ( void decaf_x$(gf_shortname)_base_scalarmul (
uint8_t out[X$(gf_shortname)_PUBLIC_BYTES],
const uint8_t scalar[X$(gf_shortname)_PRIVATE_BYTES]
uint8_t out[DECAF_X$(gf_shortname)_PUBLIC_BYTES],
const uint8_t scalar[DECAF_X$(gf_shortname)_PRIVATE_BYTES]
) API_VIS NONNULL NOINLINE; ) API_VIS NONNULL NOINLINE;


/* FUTURE: uint8_t $(c_ns)_encode_like_curve$(gf_shortname)) */ /* FUTURE: uint8_t $(c_ns)_encode_like_curve$(gf_shortname)) */


+ 6
- 6
src/per_curve/decaf.tmpl.hxx View File

@@ -316,13 +316,13 @@ public:
* Contents of the point are undefined. * Contents of the point are undefined.
*/ */
inline decaf_error_t WARN_UNUSED decode_like_eddsa_noexcept ( inline decaf_error_t WARN_UNUSED decode_like_eddsa_noexcept (
const FixedBlock<$(C_NS)_EDDSA_PUBLIC_BYTES> &buffer
const FixedBlock<DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES> &buffer
) NOEXCEPT { ) NOEXCEPT {
return $(c_ns)_point_decode_like_eddsa(p,buffer.data()); return $(c_ns)_point_decode_like_eddsa(p,buffer.data());
} }


inline void decode_like_eddsa ( inline void decode_like_eddsa (
const FixedBlock<$(C_NS)_EDDSA_PUBLIC_BYTES> &buffer
const FixedBlock<DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES> &buffer
) throw(CryptoException) { ) throw(CryptoException) {
if (DECAF_SUCCESS != decode_like_eddsa_noexcept(buffer)) throw(CryptoException()); if (DECAF_SUCCESS != decode_like_eddsa_noexcept(buffer)) throw(CryptoException());
} }
@@ -331,7 +331,7 @@ public:
* Encode like EdDSA. FIXME: and multiply by the cofactor... * Encode like EdDSA. FIXME: and multiply by the cofactor...
*/ */
inline SecureBuffer encode_like_eddsa() const { inline SecureBuffer encode_like_eddsa() const {
SecureBuffer ret($(C_NS)_EDDSA_PUBLIC_BYTES);
SecureBuffer ret(DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
$(c_ns)_point_encode_like_eddsa(ret.data(),p); $(c_ns)_point_encode_like_eddsa(ret.data(),p);
return ret; return ret;
} }
@@ -624,14 +624,14 @@ public:
struct DhLadder { struct DhLadder {
public: public:
/** Bytes in an X$(gf_shortname) public key. */ /** Bytes in an X$(gf_shortname) public key. */
static const size_t PUBLIC_BYTES = X$(gf_shortname)_PUBLIC_BYTES;
static const size_t PUBLIC_BYTES = DECAF_X$(gf_shortname)_PUBLIC_BYTES;


/** Bytes in an X$(gf_shortname) private key. */ /** Bytes in an X$(gf_shortname) private key. */
static const size_t PRIVATE_BYTES = X$(gf_shortname)_PRIVATE_BYTES;
static const size_t PRIVATE_BYTES = DECAF_X$(gf_shortname)_PRIVATE_BYTES;


/** Base point for a scalar multiplication. */ /** Base point for a scalar multiplication. */
static const FixedBlock<PUBLIC_BYTES> base_point() NOEXCEPT { static const FixedBlock<PUBLIC_BYTES> base_point() NOEXCEPT {
return FixedBlock<PUBLIC_BYTES>($(c_ns)_x_base_point);
return FixedBlock<PUBLIC_BYTES>(decaf_x$(gf_shortname)_base_point);
} }


/** Generate and return a shared secret with public key. */ /** Generate and return a shared secret with public key. */


+ 41
- 35
src/per_curve/eddsa.tmpl.c View File

@@ -19,22 +19,28 @@
#define hash_destroy decaf_$(eddsa_hash)_destroy #define hash_destroy decaf_$(eddsa_hash)_destroy
#define hash_hash decaf_$(eddsa_hash)_hash #define hash_hash decaf_$(eddsa_hash)_hash


#define SUPPORTS_CONTEXTS $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
#define SUPPORTS_CONTEXTS DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
#define EDDSA_USE_SIGMA_ISOGENY $(eddsa_sigma_iso) #define EDDSA_USE_SIGMA_ISOGENY $(eddsa_sigma_iso)
#define COFACTOR $(cofactor) #define COFACTOR $(cofactor)


/* EDDSA_BASE_POINT_RATIO = 1 or 2
* Because EdDSA25519 is not on E_d but on the isogenous E_sigma_d,
* its base point is twice ours.
*/
#define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY)

static void clamp ( static void clamp (
uint8_t secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES]
uint8_t secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]
) { ) {
/* Blarg */ /* Blarg */
secret_scalar_ser[0] &= -COFACTOR; secret_scalar_ser[0] &= -COFACTOR;
uint8_t hibit = (1<<$(gf_bits % 8))>>1; uint8_t hibit = (1<<$(gf_bits % 8))>>1;
if (hibit == 0) { if (hibit == 0) {
secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES - 1] = 0;
secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES - 2] |= 0x80;
secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES - 1] = 0;
secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES - 2] |= 0x80;
} else { } else {
secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES - 1] &= hibit-1;
secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES - 1] |= hibit;
secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES - 1] &= hibit-1;
secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES - 1] |= hibit;
} }
} }


@@ -61,18 +67,18 @@ static void hash_init_with_dom(
#endif #endif
} }


void API_NS(eddsa_derive_public_key) (
uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES],
const uint8_t privkey[$(C_NS)_EDDSA_PRIVATE_BYTES]
void decaf_eddsa_$(gf_shortname)_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]
) { ) {
/* only this much used for keygen */ /* only this much used for keygen */
uint8_t secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES];
uint8_t secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES];
hash_hash( hash_hash(
secret_scalar_ser, secret_scalar_ser,
sizeof(secret_scalar_ser), sizeof(secret_scalar_ser),
privkey, privkey,
$(C_NS)_EDDSA_PRIVATE_BYTES
DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES
); );
clamp(secret_scalar_ser); clamp(secret_scalar_ser);
@@ -80,7 +86,7 @@ void API_NS(eddsa_derive_public_key) (
API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser)); API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
/* TODO: write documentation for why (due to isogenies) this needs to be quartered/eighthed */ /* TODO: write documentation for why (due to isogenies) this needs to be quartered/eighthed */
for (unsigned int c = 1; c < COFACTOR/(1+EDDSA_USE_SIGMA_ISOGENY); c <<= 1) {
for (unsigned int c = 1; c < COFACTOR/EDDSA_BASE_POINT_RATIO; c <<= 1) {
API_NS(scalar_halve)(secret_scalar,secret_scalar); API_NS(scalar_halve)(secret_scalar,secret_scalar);
} }
@@ -95,10 +101,10 @@ void API_NS(eddsa_derive_public_key) (
decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser)); decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser));
} }


void API_NS(eddsa_sign) (
uint8_t signature[$(C_NS)_EDDSA_SIGNATURE_BYTES],
const uint8_t privkey[$(C_NS)_EDDSA_PRIVATE_BYTES],
const uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES],
void decaf_eddsa_$(gf_shortname)_sign (
uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const uint8_t *message, const uint8_t *message,
size_t message_len, size_t message_len,
uint8_t prehashed uint8_t prehashed
@@ -116,14 +122,14 @@ void API_NS(eddsa_sign) (
{ {
/* Schedule the secret key */ /* Schedule the secret key */
struct { struct {
uint8_t secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES];
uint8_t seed[$(C_NS)_EDDSA_PRIVATE_BYTES];
uint8_t secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES];
uint8_t seed[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES];
} __attribute__((packed)) expanded; } __attribute__((packed)) expanded;
hash_hash( hash_hash(
(uint8_t *)&expanded, (uint8_t *)&expanded,
sizeof(expanded), sizeof(expanded),
privkey, privkey,
$(C_NS)_EDDSA_PRIVATE_BYTES
DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES
); );
clamp(expanded.secret_scalar_ser); clamp(expanded.secret_scalar_ser);
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser)); API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
@@ -138,18 +144,18 @@ void API_NS(eddsa_sign) (
/* Decode the nonce */ /* Decode the nonce */
API_NS(scalar_t) nonce_scalar; API_NS(scalar_t) nonce_scalar;
{ {
uint8_t nonce[2*$(C_NS)_EDDSA_PRIVATE_BYTES];
uint8_t nonce[2*DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES];
hash_final(hash,nonce,sizeof(nonce)); hash_final(hash,nonce,sizeof(nonce));
API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce)); API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));
decaf_bzero(nonce, sizeof(nonce)); decaf_bzero(nonce, sizeof(nonce));
} }
uint8_t nonce_point[$(C_NS)_EDDSA_PUBLIC_BYTES] = {0};
uint8_t nonce_point[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES] = {0};
{ {
/* Scalarmul to create the nonce-point */ /* Scalarmul to create the nonce-point */
API_NS(scalar_t) nonce_scalar_2; API_NS(scalar_t) nonce_scalar_2;
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar); API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);
for (unsigned int c = 2; c < COFACTOR/(1+EDDSA_USE_SIGMA_ISOGENY); c <<= 1) {
for (unsigned int c = 2; c < COFACTOR/EDDSA_BASE_POINT_RATIO; c <<= 1) {
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2); API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);
} }
@@ -165,9 +171,9 @@ void API_NS(eddsa_sign) (
/* Compute the challenge */ /* Compute the challenge */
hash_init_with_dom(hash,prehashed,context,context_len); hash_init_with_dom(hash,prehashed,context,context_len);
hash_update(hash,nonce_point,sizeof(nonce_point)); hash_update(hash,nonce_point,sizeof(nonce_point));
hash_update(hash,pubkey,$(C_NS)_EDDSA_PUBLIC_BYTES);
hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
hash_update(hash,message,message_len); hash_update(hash,message,message_len);
uint8_t challenge[2*$(C_NS)_EDDSA_PRIVATE_BYTES];
uint8_t challenge[2*DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge)); hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash); hash_destroy(hash);
API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge)); API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
@@ -177,9 +183,9 @@ void API_NS(eddsa_sign) (
API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar); API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);
API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar); API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);
decaf_bzero(signature,$(C_NS)_EDDSA_SIGNATURE_BYTES);
decaf_bzero(signature,DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES);
memcpy(signature,nonce_point,sizeof(nonce_point)); memcpy(signature,nonce_point,sizeof(nonce_point));
API_NS(scalar_encode)(&signature[$(C_NS)_EDDSA_PUBLIC_BYTES],challenge_scalar);
API_NS(scalar_encode)(&signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],challenge_scalar);
API_NS(scalar_destroy)(secret_scalar); API_NS(scalar_destroy)(secret_scalar);
API_NS(scalar_destroy)(nonce_scalar); API_NS(scalar_destroy)(nonce_scalar);
@@ -187,9 +193,9 @@ void API_NS(eddsa_sign) (
} }




decaf_error_t API_NS(eddsa_verify) (
const uint8_t signature[$(C_NS)_EDDSA_SIGNATURE_BYTES],
const uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES],
decaf_error_t decaf_eddsa_$(gf_shortname)_verify (
const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const uint8_t *message, const uint8_t *message,
size_t message_len, size_t message_len,
uint8_t prehashed uint8_t prehashed
@@ -214,10 +220,10 @@ decaf_error_t API_NS(eddsa_verify) (
/* Compute the challenge */ /* Compute the challenge */
hash_ctx_t hash; hash_ctx_t hash;
hash_init_with_dom(hash,prehashed,context,context_len); hash_init_with_dom(hash,prehashed,context,context_len);
hash_update(hash,signature,$(C_NS)_EDDSA_PUBLIC_BYTES);
hash_update(hash,pubkey,$(C_NS)_EDDSA_PUBLIC_BYTES);
hash_update(hash,signature,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
hash_update(hash,message,message_len); hash_update(hash,message,message_len);
uint8_t challenge[2*$(C_NS)_EDDSA_PRIVATE_BYTES];
uint8_t challenge[2*DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge)); hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash); hash_destroy(hash);
API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge)); API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
@@ -228,10 +234,10 @@ decaf_error_t API_NS(eddsa_verify) (
API_NS(scalar_t) response_scalar; API_NS(scalar_t) response_scalar;
API_NS(scalar_decode_long)( API_NS(scalar_decode_long)(
response_scalar, response_scalar,
&signature[$(C_NS)_EDDSA_PUBLIC_BYTES],
$(C_NS)_EDDSA_PRIVATE_BYTES
&signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES
); );
#if EDDSA_USE_SIGMA_ISOGENY
#if EDDSA_BASE_POINT_RATIO == 2
API_NS(scalar_add)(response_scalar,response_scalar,response_scalar); API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);
#endif #endif
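Review bot: The new `#if EDDSA_BASE_POINT_RATIO == 2` at the end of the verify hunk, and the `COFACTOR/EDDSA_BASE_POINT_RATIO` loop bounds in derive_public_key and sign, assume the macro is exactly 1 or 2, but `#define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY)` only guarantees that if `$(eddsa_sigma_iso)` always renders as 0 or 1, which this hunk cannot show. A preprocessor check next to the definition would turn the comment's "= 1 or 2" into an enforced invariant: `#if EDDSA_USE_SIGMA_ISOGENY != 0 && EDDSA_USE_SIGMA_ISOGENY != 1` / `#error "EDDSA_USE_SIGMA_ISOGENY must be 0 or 1"` / `#endif`. The TODO above the halving loop in derive_public_key could now point at the macro, e.g. `/* Halve log2(COFACTOR/EDDSA_BASE_POINT_RATIO) times; see EDDSA_BASE_POINT_RATIO above. */`, and the loop in sign, which does one halve explicitly and then starts at `c = 2`, appears to reach the same count whenever that quotient is at least 2, which is worth stating there as well. The enclosing functions of both loops continue outside their hunks.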


+ 18
- 18
src/per_curve/eddsa.tmpl.h View File

@@ -7,16 +7,16 @@ extern "C" {
#endif #endif


/** Number of bytes in an EdDSA public key. */ /** Number of bytes in an EdDSA public key. */
#define $(C_NS)_EDDSA_PUBLIC_BYTES $((gf_bits)/8 + 1)
#define DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES $((gf_bits)/8 + 1)


/** Number of bytes in an EdDSA private key. */ /** Number of bytes in an EdDSA private key. */
#define $(C_NS)_EDDSA_PRIVATE_BYTES $(C_NS)_EDDSA_PUBLIC_BYTES
#define DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES


/** Number of bytes in an EdDSA private key. */ /** Number of bytes in an EdDSA private key. */
#define $(C_NS)_EDDSA_SIGNATURE_BYTES ($(C_NS)_EDDSA_PUBLIC_BYTES + $(C_NS)_EDDSA_PRIVATE_BYTES)
#define DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES (DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES + DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES)


/** Does EdDSA support contexts? */ /** Does EdDSA support contexts? */
#define $(C_NS)_EDDSA_SUPPORTS_CONTEXTS $(eddsa_supports_contexts)
#define DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS $(eddsa_supports_contexts)


/** /**
* @brief EdDSA key generation. This function uses a different (non-Decaf) * @brief EdDSA key generation. This function uses a different (non-Decaf)
@@ -25,9 +25,9 @@ extern "C" {
* @param [out] pubkey The public key. * @param [out] pubkey The public key.
* @param [in] privkey The private key. * @param [in] privkey The private key.
*/ */
void $(c_ns)_eddsa_derive_public_key (
uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES],
const uint8_t privkey[$(C_NS)_EDDSA_PRIVATE_BYTES]
void decaf_eddsa_$(gf_shortname)_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]
) API_VIS NONNULL NOINLINE; ) API_VIS NONNULL NOINLINE;


/** /**
@@ -42,14 +42,14 @@ void $(c_ns)_eddsa_derive_public_key (
* @param [in] message_len The length of the message. * @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign. * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
*/ */
void $(c_ns)_eddsa_sign (
uint8_t signature[$(C_NS)_EDDSA_SIGNATURE_BYTES],
const uint8_t privkey[$(C_NS)_EDDSA_PRIVATE_BYTES],
const uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES],
void decaf_eddsa_$(gf_shortname)_sign (
uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const uint8_t *message, const uint8_t *message,
size_t message_len, size_t message_len,
uint8_t prehashed uint8_t prehashed
#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context, , const uint8_t *context,
uint8_t context_len uint8_t context_len
#endif #endif
@@ -68,13 +68,13 @@ void $(c_ns)_eddsa_sign (
* @param [in] message_len The length of the message. * @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify. * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
*/ */
decaf_error_t $(c_ns)_eddsa_verify (
const uint8_t signature[$(C_NS)_EDDSA_SIGNATURE_BYTES],
const uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES],
decaf_error_t decaf_eddsa_$(gf_shortname)_verify (
const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const uint8_t *message, const uint8_t *message,
size_t message_len, size_t message_len,
uint8_t prehashed uint8_t prehashed
#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context, , const uint8_t *context,
uint8_t context_len uint8_t context_len
#endif #endif
@@ -93,7 +93,7 @@ decaf_error_t $(c_ns)_eddsa_verify (
* point doctrine is worked out. * point doctrine is worked out.
*/ */
void $(c_ns)_point_encode_like_eddsa ( void $(c_ns)_point_encode_like_eddsa (
uint8_t enc[$(C_NS)_EDDSA_PUBLIC_BYTES],
uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const $(c_ns)_point_t p const $(c_ns)_point_t p
) API_VIS NONNULL NOINLINE; ) API_VIS NONNULL NOINLINE;


@@ -105,7 +105,7 @@ void $(c_ns)_point_encode_like_eddsa (
*/ */
decaf_error_t $(c_ns)_point_decode_like_eddsa ( decaf_error_t $(c_ns)_point_decode_like_eddsa (
$(c_ns)_point_t p, $(c_ns)_point_t p,
const uint8_t enc[$(C_NS)_EDDSA_PUBLIC_BYTES]
const uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES]
) API_VIS NONNULL NOINLINE; ) API_VIS NONNULL NOINLINE;


#ifdef __cplusplus #ifdef __cplusplus


+ 27
- 27
src/per_curve/eddsa.tmpl.hxx View File

@@ -52,7 +52,7 @@ typedef class PrivateKeyBase<PREHASHED> PrivateKeyPh;
class Prehash : public $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) { class Prehash : public $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) {
public: public:
/** Do we support contexts for signatures? If not, they must always be NULL */ /** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS;
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS;
private: private:
typedef $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) Super; typedef $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) Super;
@@ -113,14 +113,14 @@ public:
SecureBuffer out(CRTP::SIG_BYTES); SecureBuffer out(CRTP::SIG_BYTES);
FixedArrayBuffer<Prehash::OUTPUT_BYTES> tmp; FixedArrayBuffer<Prehash::OUTPUT_BYTES> tmp;
ph.final(tmp); ph.final(tmp);
$(c_ns)_eddsa_sign (
decaf_eddsa_$(gf_shortname)_sign (
out.data(), out.data(),
((const CRTP*)this)->priv_.data(), ((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(), ((const CRTP*)this)->pub_.data(),
tmp.data(), tmp.data(),
tmp.size(), tmp.size(),
1 1
#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, ph.context_.data(), , ph.context_.data(),
ph.context_.size() ph.context_.size()
#endif #endif
@@ -162,14 +162,14 @@ public:
} }
SecureBuffer out(CRTP::SIG_BYTES); SecureBuffer out(CRTP::SIG_BYTES);
$(c_ns)_eddsa_sign (
decaf_eddsa_$(gf_shortname)_sign (
out.data(), out.data(),
((const CRTP*)this)->priv_.data(), ((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(), ((const CRTP*)this)->pub_.data(),
message.data(), message.data(),
message.size(), message.size(),
0 0
#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, context.data(), , context.data(),
context.size() context.size()
#endif #endif
@@ -205,23 +205,23 @@ private:
""") """)
/** The pre-expansion form of the signing key. */ /** The pre-expansion form of the signing key. */
FixedArrayBuffer<$(C_NS)_EDDSA_PRIVATE_BYTES> priv_;
FixedArrayBuffer<DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES> priv_;
/** The post-expansion public key. */ /** The post-expansion public key. */
FixedArrayBuffer<$(C_NS)_EDDSA_PUBLIC_BYTES> pub_;
FixedArrayBuffer<DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES> pub_;
public: public:
/** Underlying group */ /** Underlying group */
typedef $(cxx_ns) Group; typedef $(cxx_ns) Group;
/** Signature size. */ /** Signature size. */
static const size_t SIG_BYTES = $(C_NS)_EDDSA_SIGNATURE_BYTES;
static const size_t SIG_BYTES = DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES;
/** Serialization size. */ /** Serialization size. */
static const size_t SER_BYTES = $(C_NS)_EDDSA_PRIVATE_BYTES;
static const size_t SER_BYTES = DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES;
/** Do we support contexts for signatures? If not, they must always be NULL */ /** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS;
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS;
/** Create but don't initialize */ /** Create but don't initialize */
@@ -235,13 +235,13 @@ public:
/** Create at random */ /** Create at random */
inline explicit PrivateKeyBase(Rng &r) NOEXCEPT : priv_(r) { inline explicit PrivateKeyBase(Rng &r) NOEXCEPT : priv_(r) {
$(c_ns)_eddsa_derive_public_key(pub_.data(), priv_.data());
decaf_eddsa_$(gf_shortname)_derive_public_key(pub_.data(), priv_.data());
} }
/** Assignment from string */ /** Assignment from string */
inline PrivateKeyBase &operator=(const FixedBlock<SER_BYTES> &b) NOEXCEPT { inline PrivateKeyBase &operator=(const FixedBlock<SER_BYTES> &b) NOEXCEPT {
memcpy(priv_.data(),b.data(),b.size()); memcpy(priv_.data(),b.data(),b.size());
$(c_ns)_eddsa_derive_public_key(pub_.data(), priv_.data());
decaf_eddsa_$(gf_shortname)_derive_public_key(pub_.data(), priv_.data());
return *this; return *this;
} }
@@ -273,7 +273,7 @@ template<class CRTP> class Verification<CRTP,PURE> {
public: public:
/** Verify a signature, returning DECAF_FAILURE if verification fails */ /** Verify a signature, returning DECAF_FAILURE if verification fails */
inline decaf_error_t WARN_UNUSED verify_noexcept ( inline decaf_error_t WARN_UNUSED verify_noexcept (
const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,
const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
const Block &message, const Block &message,
const Block &context = Block(NULL,0) const Block &context = Block(NULL,0)
) const /*NOEXCEPT*/ { ) const /*NOEXCEPT*/ {
@@ -283,13 +283,13 @@ public:
return DECAF_FAILURE; return DECAF_FAILURE;
} }
return $(c_ns)_eddsa_verify (
return decaf_eddsa_$(gf_shortname)_verify (
sig.data(), sig.data(),
((const CRTP*)this)->pub_.data(), ((const CRTP*)this)->pub_.data(),
message.data(), message.data(),
message.size(), message.size(),
0 0
#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, context.data(), , context.data(),
context.size() context.size()
#endif #endif
@@ -305,7 +305,7 @@ public:
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages. * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/ */
inline void verify ( inline void verify (
const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,
const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
const Block &message, const Block &message,
const Block &context = Block(NULL,0) const Block &context = Block(NULL,0)
) const /*throw(LengthException,CryptoException)*/ { ) const /*throw(LengthException,CryptoException)*/ {
@@ -326,18 +326,18 @@ template<class CRTP> class Verification<CRTP,PREHASHED> {
public: public:
/* Verify a prehash context, and reset the context */ /* Verify a prehash context, and reset the context */
inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept ( inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept (
const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,
const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
Prehash &ph Prehash &ph
) const /*NOEXCEPT*/ { ) const /*NOEXCEPT*/ {
FixedArrayBuffer<Prehash::OUTPUT_BYTES> m; FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
ph.final(m); ph.final(m);
return $(c_ns)_eddsa_verify (
return decaf_eddsa_$(gf_shortname)_verify (
sig.data(), sig.data(),
((const CRTP*)this)->pub_.data(), ((const CRTP*)this)->pub_.data(),
m.data(), m.data(),
m.size(), m.size(),
1 1
#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, ph.context_.data(), , ph.context_.data(),
ph.context_.size() ph.context_.size()
#endif #endif
@@ -346,18 +346,18 @@ public:
/* Verify a prehash context, and reset the context */ /* Verify a prehash context, and reset the context */
inline void verify_prehashed ( inline void verify_prehashed (
const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,
const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
Prehash &ph Prehash &ph
) const /*throw(CryptoException)*/ { ) const /*throw(CryptoException)*/ {
FixedArrayBuffer<Prehash::OUTPUT_BYTES> m; FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
ph.final(m); ph.final(m);
if (DECAF_SUCCESS != $(c_ns)_eddsa_verify (
if (DECAF_SUCCESS != decaf_eddsa_$(gf_shortname)_verify (
sig.data(), sig.data(),
((const CRTP*)this)->pub_.data(), ((const CRTP*)this)->pub_.data(),
m.data(), m.data(),
m.size(), m.size(),
1 1
#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, ph.context_.data(), , ph.context_.data(),
ph.context_.size() ph.context_.size()
#endif #endif
@@ -368,7 +368,7 @@ public:
/* Verify a message using the prehasher */ /* Verify a message using the prehasher */
inline void verify_with_prehash ( inline void verify_with_prehash (
const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,
const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
const Block &message, const Block &message,
const Block &context = Block(NULL,0) const Block &context = Block(NULL,0)
) const /*throw(LengthException,CryptoException)*/ { ) const /*throw(LengthException,CryptoException)*/ {
@@ -409,7 +409,7 @@ private:


private: private:
/** The pre-expansion form of the signature */ /** The pre-expansion form of the signature */
FixedArrayBuffer<$(C_NS)_EDDSA_PUBLIC_BYTES> pub_;
FixedArrayBuffer<DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES> pub_;
public: public:
/* PERF FUTURE: Pre-cached decoding? Precomputed table?? */ /* PERF FUTURE: Pre-cached decoding? Precomputed table?? */
@@ -418,13 +418,13 @@ public:
typedef $(cxx_ns) Group; typedef $(cxx_ns) Group;
/** Signature size. */ /** Signature size. */
static const size_t SIG_BYTES = $(C_NS)_EDDSA_SIGNATURE_BYTES;
static const size_t SIG_BYTES = DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES;
/** Serialization size. */ /** Serialization size. */
static const size_t SER_BYTES = $(C_NS)_EDDSA_PRIVATE_BYTES;
static const size_t SER_BYTES = DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES;
/** Do we support contexts for signatures? If not, they must always be NULL */ /** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS;
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS;
/** Create but don't initialize */ /** Create but don't initialize */

