jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
144 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: faeb1fb092
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'faeb1fb092'
${ noResults }
ed448goldilocks/src/decaf_crypto.c

226 lines
6.8 KiB
Raw Blame History 

  1. /**

  2.  * @cond internal

  3.  * @file decaf_crypto.c

  4.  * @copyright

  5.  *   Copyright (c) 2015 Cryptography Research, Inc.  \n

  6.  *   Released under the MIT License.  See LICENSE.txt for license information.

  7.  * @author Mike Hamburg

  8.  * @brief Decaf cyrpto routines. 

  9.  */

  10. 

  11. #include "decaf_crypto.h"

  12. #include <string.h>

  13. #include "sha512.h"

  14. 

  15. static const unsigned int DECAF_448_SCALAR_OVERKILL_BYTES = DECAF_448_SCALAR_BYTES + 8;

  16. 

  17. void decaf_448_derive_private_key (

  18.     decaf_448_private_key_t priv,

  19.     const decaf_448_symmetric_key_t proto

  20. ) {

  21.     const char *magic = "decaf_448_derive_private_key";

  22.     uint8_t encoded_scalar[DECAF_448_SCALAR_OVERKILL_BYTES];

  23.     decaf_448_point_t pub;

  24. 

  25.     keccak_sponge_t sponge;

  26.     shake256_init(sponge);

  27.     shake256_update(sponge, proto, sizeof(decaf_448_symmetric_key_t));

  28.     shake256_update(sponge, (const unsigned char *)magic, strlen(magic));

  29.     shake256_final(sponge, encoded_scalar, sizeof(encoded_scalar));

  30.     shake256_destroy(sponge);

  31.     

  32.     memcpy(priv->sym, proto, sizeof(decaf_448_symmetric_key_t));

  33.     decaf_448_scalar_decode_long(priv->secret_scalar, encoded_scalar, sizeof(encoded_scalar));

  34.     

  35.     decaf_448_precomputed_scalarmul(pub, decaf_448_precomputed_base, priv->secret_scalar);

  36.     decaf_448_point_encode(priv->pub, pub);

  37.     

  38.     decaf_bzero(encoded_scalar, sizeof(encoded_scalar));

  39. }

  40. 

  41. void

  42. decaf_448_destroy_private_key (

  43.     decaf_448_private_key_t priv

  44. )  {

  45.     decaf_bzero((void*)priv, sizeof(decaf_448_private_key_t));

  46. }

  47. 

  48. void decaf_448_private_to_public (

  49.     decaf_448_public_key_t pub,

  50.     const decaf_448_private_key_t priv

  51. ) {

  52.     memcpy(pub, priv->pub, sizeof(decaf_448_public_key_t));

  53. }

  54. 

  55. decaf_bool_t

  56. decaf_448_shared_secret (

  57.     uint8_t *shared,

  58.     size_t shared_bytes,

  59.     const decaf_448_private_key_t my_privkey,

  60.     const decaf_448_public_key_t your_pubkey

  61. ) {

  62.     uint8_t ss_ser[DECAF_448_SER_BYTES];

  63.     const char *nope = "decaf_448_ss_invalid";

  64.     

  65.     unsigned i;

  66.     /* Lexsort keys.  Less will be -1 if mine is less, and 0 otherwise. */

  67.     uint16_t less = 0;

  68.     for (i=0; i<DECAF_448_SER_BYTES; i++) {

  69.         uint16_t delta = my_privkey->pub[i];

  70.         delta -= your_pubkey[i];

  71.         /* Case:

  72.          * = -> delta = 0 -> hi delta-1 = -1, hi delta = 0

  73.          * > -> delta > 0 -> hi delta-1 = 0, hi delta = 0

  74.          * < -> delta < 0 -> hi delta-1 = (doesnt matter), hi delta = -1

  75.          */

  76.         less &= delta-1;

  77.         less |= delta;

  78.     }

  79.     less >>= 8;

  80. 

  81.     keccak_sponge_t sponge;

  82.     shake256_init(sponge);

  83. 

  84.     /* update the lesser */

  85.     for (i=0; i<sizeof(ss_ser); i++) {

  86.         ss_ser[i] = (my_privkey->pub[i] & less) | (your_pubkey[i] & ~less);

  87.     }

  88.     shake256_update(sponge, ss_ser, sizeof(ss_ser));

  89. 

  90.     /* update the greater */

  91.     for (i=0; i<sizeof(ss_ser); i++) {

  92.         ss_ser[i] = (my_privkey->pub[i] & ~less) | (your_pubkey[i] & less);

  93.     }

  94.     shake256_update(sponge, ss_ser, sizeof(ss_ser));

  95.     

  96.     decaf_bool_t ret = decaf_448_direct_scalarmul(ss_ser, your_pubkey, my_privkey->secret_scalar, DECAF_FALSE, DECAF_TRUE);

  97.     /* If invalid, then replace ... */

  98.     for (i=0; i<sizeof(ss_ser); i++) {

  99.         ss_ser[i] &= ret;

  100.         

  101.         if (i < sizeof(my_privkey->sym)) {

  102.             ss_ser[i] |= my_privkey->sym[i] & ~ret;

  103.         } else if (i - sizeof(my_privkey->sym) < strlen(nope)) {

  104.             ss_ser[i] |= nope[i-sizeof(my_privkey->sym)] & ~ret;

  105.         }

  106.     }

  107. 

  108.     shake256_update(sponge, ss_ser, sizeof(ss_ser));

  109.     shake256_final(sponge, shared, shared_bytes);

  110.     shake256_destroy(sponge);

  111.     

  112.     decaf_bzero(ss_ser, sizeof(ss_ser));

  113.     

  114.     return ret;

  115. }

  116. 

  117. void

  118. decaf_448_sign_shake (

  119.     decaf_448_signature_t sig,

  120.     const decaf_448_private_key_t priv,

  121.     const keccak_sponge_t shake

  122. ) {

  123.     const char *magic = "decaf_448_sign_shake";

  124. 

  125.     uint8_t overkill[DECAF_448_SCALAR_OVERKILL_BYTES], encoded[DECAF_448_SER_BYTES];

  126.     decaf_448_point_t point;

  127.     decaf_448_scalar_t nonce, challenge;

  128.     

  129.     /* Derive nonce */

  130.     keccak_sponge_t ctx;

  131.     memcpy(ctx, shake, sizeof(ctx));

  132.     shake256_update(ctx, priv->sym, sizeof(priv->sym));

  133.     shake256_update(ctx, (const unsigned char *)magic, strlen(magic));

  134.     shake256_final(ctx, overkill, sizeof(overkill));

  135.     

  136.     decaf_448_scalar_decode_long(nonce, overkill, sizeof(overkill));

  137.     decaf_448_precomputed_scalarmul(point, decaf_448_precomputed_base, nonce);

  138.     decaf_448_point_encode(encoded, point);

  139. 

  140.     /* Derive challenge */

  141.     memcpy(ctx, shake, sizeof(ctx));

  142.     shake256_update(ctx, priv->pub, sizeof(priv->pub));

  143.     shake256_update(ctx, encoded, sizeof(encoded));

  144.     shake256_final(ctx, overkill, sizeof(overkill));

  145.     shake256_destroy(ctx);

  146.     decaf_448_scalar_decode_long(challenge, overkill, sizeof(overkill));

  147.     

  148.     /* Respond */

  149.     decaf_448_scalar_mul(challenge, challenge, priv->secret_scalar);

  150.     decaf_448_scalar_sub(nonce, nonce, challenge);

  151.     

  152.     /* Save results */

  153.     memcpy(sig, encoded, sizeof(encoded));

  154.     decaf_448_scalar_encode(&sig[sizeof(encoded)], nonce);

  155.     

  156.     /* Clean up */

  157.     decaf_448_scalar_destroy(nonce);

  158.     decaf_448_scalar_destroy(challenge);

  159.     decaf_bzero(overkill,sizeof(overkill));

  160.     decaf_bzero(encoded,sizeof(encoded));

  161. }

  162. 

  163. decaf_bool_t

  164. decaf_448_verify_shake (

  165.     const decaf_448_signature_t sig,

  166.     const decaf_448_public_key_t pub,

  167.     const keccak_sponge_t shake

  168. ) {

  169.     decaf_bool_t ret;

  170. 

  171.     uint8_t overkill[DECAF_448_SCALAR_OVERKILL_BYTES];

  172.     decaf_448_point_t point, pubpoint;

  173.     decaf_448_scalar_t challenge, response;

  174.     

  175.     /* Derive challenge */

  176.     keccak_sponge_t ctx;

  177.     memcpy(ctx, shake, sizeof(ctx));

  178.     shake256_update(ctx, pub, sizeof(decaf_448_public_key_t));

  179.     shake256_update(ctx, sig, DECAF_448_SER_BYTES);

  180.     shake256_final(ctx, overkill, sizeof(overkill));

  181.     shake256_destroy(ctx);

  182.     decaf_448_scalar_decode_long(challenge, overkill, sizeof(overkill));

  183. 

  184.     /* Decode points. */

  185.     ret  = decaf_448_point_decode(point, sig, DECAF_TRUE);

  186.     ret &= decaf_448_point_decode(pubpoint, pub, DECAF_FALSE);

  187.     ret &= decaf_448_scalar_decode(response, &sig[DECAF_448_SER_BYTES]);

  188. 

  189.     decaf_448_base_double_scalarmul_non_secret (

  190.         pubpoint, response, pubpoint, challenge

  191.     );

  192. 

  193.     ret &= decaf_448_point_eq(pubpoint, point);

  194.     

  195.     return ret;

  196. }

  197. 

  198. void

  199. decaf_448_sign (

  200.     decaf_448_signature_t sig,

  201.     const decaf_448_private_key_t priv,

  202.     const unsigned char *message,

  203.     size_t message_len

  204. ) {

  205.     keccak_sponge_t ctx;

  206.     shake256_init(ctx);

  207.     shake256_update(ctx, message, message_len);

  208.     decaf_448_sign_shake(sig, priv, ctx);

  209.     shake256_destroy(ctx);

  210. }

  211. 

  212. decaf_bool_t

  213. decaf_448_verify (

  214.     const decaf_448_signature_t sig,

  215.     const decaf_448_public_key_t pub,

  216.     const unsigned char *message,

  217.     size_t message_len

  218. ) {

  219.     keccak_sponge_t ctx;

  220.     shake256_init(ctx);

  221.     shake256_update(ctx, message, message_len);

  222.     decaf_bool_t ret = decaf_448_verify_shake(sig, pub, ctx);

  223.     shake256_destroy(ctx);

  224.     return ret;

  225. }