jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

eddsa-25519 now using sha512. But problem! We are using IsoEd25519 so we actually need an isogeny anyway to get to Ed25519 proper

master
Michael Hamburg 9 years ago
parent
0fa687437f
commit
d9a9bb96b5
4 changed files with 53 additions and 19 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +1
    -1
      src/gen_headers/curve_data.py
  2. +12
    -7
      src/per_curve/decaf.tmpl.c
  3. +12
    -6
      src/per_curve/eddsa.tmpl.c
  4. +28
    -5
      test/test_decaf.cxx

+ 1
- 1
src/gen_headers/curve_data.py View File

@@ -35,7 +35,7 @@ curve_data = {
"wnaf":wnaf_config(5,3),
"window_bits":4,
"eddsa_hash": "sha3_512", # TODO: no, actually it's SHA2-512
"eddsa_hash": "sha512",
"eddsa_supports_contexts": 0,
"eddsa_dom": ""
},


+ 12
- 7
src/per_curve/decaf.tmpl.c View File

@@ -1052,28 +1052,32 @@ void API_NS(point_encode_like_eddsa) (
/* The point is now on the twisted curve. Move it to untwisted. */
gf x, y, z, t;
point_t q;
#if COFACTOR == 8
API_NS(point_double)(q,p);
#else
API_NS(point_copy)(q,p);
#endif
#if IMAGINE_TWIST
{
/* TODO: make sure cofactor is clear */
point_t q;
API_NS(point_double)(q,p);
API_NS(point_double)(q,q);
gf_div_qnr(x, q->x);
gf_copy(y, q->y);
gf_copy(z, q->z);
API_NS(point_destroy(q));
}
#else
{
/* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */
gf u;
gf_sqr ( x, p->x );
gf_sqr ( t, p->y );
gf_sqr ( x, q->x );
gf_sqr ( t, q->y );
gf_add( u, x, t );
gf_add( z, p->y, p->x );
gf_add( z, q->y, q->x );
gf_sqr ( y, z);
gf_sub ( y, y, u );
gf_sub ( z, t, x );
gf_sqr ( x, p->z );
gf_sqr ( x, q->z );
gf_add ( t, x, x);
gf_sub ( t, t, z);
gf_mul ( x, t, y );
@@ -1096,6 +1100,7 @@ void API_NS(point_encode_like_eddsa) (
decaf_bzero(y,sizeof(y));
decaf_bzero(z,sizeof(z));
decaf_bzero(t,sizeof(t));
API_NS(point_destroy)(q);
}




+ 12
- 6
src/per_curve/eddsa.tmpl.c View File

@@ -4,7 +4,8 @@
*/

#include <decaf/eddsa_$(gf_bits).h>
#include "decaf/shake.h"
#include <decaf/shake.h>
#include <decaf/sha512.h>
#include "word.h"
#include <string.h>

@@ -73,8 +74,10 @@ void API_NS(eddsa_derive_public_key) (
API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
/* TODO: write documentation for why (due to isogenies) this needs to be quartered */
API_NS(scalar_sub)(secret_scalar,API_NS(scalar_zero),secret_scalar);
API_NS(scalar_halve)(secret_scalar,secret_scalar);
API_NS(scalar_halve)(secret_scalar,secret_scalar);
for (unsigned int c = 1; c < $(cofactor); c <<= 1) {
API_NS(scalar_halve)(secret_scalar,secret_scalar);
}
API_NS(point_t) p;
API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),secret_scalar);
@@ -142,9 +145,12 @@ void API_NS(eddsa_sign) (
{
/* Scalarmul to create the nonce-point */
API_NS(scalar_t) nonce_scalar_2;
API_NS(scalar_halve)(nonce_scalar_2, nonce_scalar);
API_NS(scalar_halve)(nonce_scalar_2, nonce_scalar_2);
API_NS(scalar_sub)(nonce_scalar_2,API_NS(scalar_zero),nonce_scalar_2);
API_NS(scalar_sub)(nonce_scalar_2,API_NS(scalar_zero),nonce_scalar);
for (unsigned int c = 1; c < $(cofactor); c <<= 1) {
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);
}
API_NS(point_t) p;
API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);
API_NS(point_encode_like_eddsa)(nonce_point, p);


+ 28
- 5
test/test_decaf.cxx View File

@@ -480,7 +480,7 @@ static void test_cfrg_vectors() {
SecureBuffer eddsa_pk2 = EdDSA::generate_key(eddsa_sk);
if (!memeq(SecureBuffer(eddsa_pk), eddsa_pk2)) {
test.fail();
printf(" EdDSA vectors disagree.");
printf(" EdDSA PK vectors disagree.");
printf("\n Correct: ");
for (unsigned i=0; i<eddsa_pk.size(); i++) printf("%02x", eddsa_pk[i]);
printf("\n Incorrect: ");
@@ -492,7 +492,7 @@ static void test_cfrg_vectors() {

if (!memeq(SecureBuffer(eddsa_sig0),sig)) {
test.fail();
printf(" EdDSA vectors disagree.");
printf(" EdDSA sig vectors disagree.");
printf("\n Correct: ");
for (unsigned i=0; i<eddsa_sig0.size(); i++) printf("%02x", eddsa_sig0[i]);
printf("\n Incorrect: ");
@@ -685,9 +685,32 @@ template<> const Block Tests<Ed448Goldilocks>::eddsa_sk(ed448_eddsa_sk,57);
template<> const Block Tests<Ed448Goldilocks>::eddsa_pk(ed448_eddsa_pk,57);
template<> const Block Tests<Ed448Goldilocks>::eddsa_sig0(ed448_eddsa_sig0,114);

template<> const Block Tests<IsoEd25519>::eddsa_sk(NULL,0); /* TODO */
template<> const Block Tests<IsoEd25519>::eddsa_pk(NULL,0); /* TODO */
template<> const Block Tests<IsoEd25519>::eddsa_sig0(NULL,0); /* TODO */
const uint8_t ed25519_eddsa_sk[32] = {
0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
};
const uint8_t ed25519_eddsa_pk[32] = {
0xd7,0x5a,0x98,0x01,0x82,0xb1,0x0a,0xb7,
0xd5,0x4b,0xfe,0xd3,0xc9,0x64,0x07,0x3a,
0x0e,0xe1,0x72,0xf3,0xda,0xa6,0x23,0x25,
0xaf,0x02,0x1a,0x68,0xf7,0x07,0x51,0x1a
};
const uint8_t ed25518_eddsa_sig0[64] = {
0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
};

template<> const Block Tests<IsoEd25519>::eddsa_sk(ed25519_eddsa_sk,32);
template<> const Block Tests<IsoEd25519>::eddsa_pk(ed25519_eddsa_pk,32);
template<> const Block Tests<IsoEd25519>::eddsa_sig0(ed25518_eddsa_sig0,64);

int main(int argc, char **argv) {
(void) argc; (void) argv;


Write Preview
Loading…
Cancel
Save