Mercurial > hg > ucis.core

annotate NaCl/crypto_sign/edwards25519sha512batch.cs @ 71:7e9d1cfcc562

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
NaCl: added ed25519 public key message signing implementation
author Ivo Smits <Ivo@UCIS.nl>
date Fri, 01 Nov 2013 00:07:36 +0100
parents c873e3dd73fe
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
20
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
1 ???using System;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
2
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
3 namespace UCIS.NaCl.crypto_sign {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
4 public static class edwards25519sha512batch {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
5 public const int SECRETKEYBYTES = 64;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
6 public const int PUBLICKEYBYTES = 32;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
7 public const int CRYPTO_BYTES = 64;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
8
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
9 /*Arithmetic modulo the group order n = 2^252 + 27742317777372353535851937790883648493 = 7237005577332262213973186563042994240857116359379907606001950938285454250989 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
10
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
11 unsafe struct sc25519 {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
12 public fixed UInt32 v[32]; //crypto_uint32 v[32];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
13
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
14 static UInt32[] m = new UInt32[32] {0xED, 0xD3, 0xF5, 0x5C, 0x1A, 0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14,
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
15 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10};
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
16
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
17 static UInt32[] mu = new UInt32[33] {0x1B, 0x13, 0x2C, 0x0A, 0xA3, 0xE5, 0x9C, 0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21,
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
18 0xEB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F};
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
19
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
20 /* Reduce coefficients of r before calling reduce_add_sub */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
21 static unsafe void reduce_add_sub(sc25519* r) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
22 int i, b = 0, pb = 0, nb;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
23 Byte* t = stackalloc Byte[32];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
24
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
25 for (i = 0; i < 32; i++) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
26 b = (r->v[i] < pb + m[i]) ? 1 : 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
27 t[i] = (Byte)(r->v[i] - pb - m[i] + b * 256);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
28 pb = b;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
29 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
30 nb = 1 - b;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
31 for (i = 0; i < 32; i++) r->v[i] = (uint)(r->v[i] * b + t[i] * nb);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
32 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
33
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
34 /* Reduce coefficients of x before calling barrett_reduce */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
35 static unsafe void barrett_reduce(sc25519* r, UInt32* x) { // const crypto_uint32 x[64]
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
36 /* See HAC, Alg. 14.42 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
37 UInt32* q2 = stackalloc UInt32[66]; // { 0 };
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
38 for (int z = 0; z < 66; z++) q2[z] = 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
39 UInt32* q3 = q2 + 33;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
40 UInt32* r1 = stackalloc UInt32[33];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
41 UInt32* r2 = stackalloc UInt32[33]; // { 0 };
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
42 for (int z = 0; z < 33; z++) r2[z] = 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
43 UInt32 carry;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
44 int b, pb = 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
45
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
46 for (int i = 0; i < 33; i++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
47 for (int j = 0; j < 33; j++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
48 if (i + j >= 31) q2[i + j] += mu[i] * x[j + 31];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
49 carry = q2[31] >> 8;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
50 q2[32] += carry;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
51 carry = q2[32] >> 8;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
52 q2[33] += carry;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
53
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
54 for (int i = 0; i < 33; i++) r1[i] = x[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
55 for (int i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
56 for (int j = 0; j < 33; j++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
57 if (i + j < 33) r2[i + j] += m[i] * q3[j];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
58
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
59 for (int i = 0; i < 32; i++) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
60 carry = r2[i] >> 8;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
61 r2[i + 1] += carry;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
62 r2[i] &= 0xff;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
63 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
64
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
65 for (int i = 0; i < 32; i++) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
66 b = (r1[i] < pb + r2[i]) ? 1 : 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
67 r->v[i] = (uint)(r1[i] - pb - r2[i] + b * 256);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
68 pb = b;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
69 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
70
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
71 /* XXX: Can it really happen that r<0?, See HAC, Alg 14.42, Step 3
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
72 * If so: Handle it here!
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
73 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
74
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
75 reduce_add_sub(r);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
76 reduce_add_sub(r);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
77 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
78
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
79 /*
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
80 static int iszero(const sc25519 *x)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
81 {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
82 // Implement
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
83 return 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
84 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
85 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
86
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
87 public static unsafe void sc25519_from32bytes(sc25519* r, Byte* x) { //const unsigned char x[32]
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
88 UInt32* t = stackalloc UInt32[64]; // { 0 };
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
89 for (int i = 0; i < 32; i++) t[i] = x[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
90 for (int i = 32; i < 64; i++) t[i] = 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
91 barrett_reduce(r, t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
92 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
93
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
94 public static unsafe void sc25519_from64bytes(sc25519* r, Byte* x) { //const unsigned char x[64]
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
95 UInt32* t = stackalloc UInt32[64]; // { 0 };
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
96 for (int i = 0; i < 64; i++) t[i] = x[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
97 barrett_reduce(r, t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
98 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
99
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
100 /* XXX: What we actually want for crypto_group is probably just something like
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
101 * void sc25519_frombytes(sc25519 *r, const unsigned char *x, size_t xlen)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
102 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
103
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
104 public static unsafe void sc25519_to32bytes(Byte* r, sc25519* x) { //unsigned char r[32]
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
105 for (int i = 0; i < 32; i++) r[i] = (Byte)x->v[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
106 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
107
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
108 public static unsafe void sc25519_add(sc25519* r, sc25519* x, sc25519* y) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
109 for (int i = 0; i < 32; i++) r->v[i] = x->v[i] + y->v[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
110 for (int i = 0; i < 31; i++) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
111 uint carry = r->v[i] >> 8;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
112 r->v[i + 1] += carry;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
113 r->v[i] &= 0xff;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
114 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
115 reduce_add_sub(r);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
116 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
117
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
118 public static unsafe void sc25519_mul(sc25519* r, sc25519* x, sc25519* y) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
119 UInt32* t = stackalloc UInt32[64];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
120 for (int i = 0; i < 64; i++) t[i] = 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
121
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
122 for (int i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
123 for (int j = 0; j < 32; j++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
124 t[i + j] += x->v[i] * y->v[j];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
125
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
126 /* Reduce coefficients */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
127 for (int i = 0; i < 63; i++) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
128 uint carry = t[i] >> 8;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
129 t[i + 1] += carry;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
130 t[i] &= 0xff;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
131 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
132
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
133 barrett_reduce(r, t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
134 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
135
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
136 public static unsafe void sc25519_square(sc25519* r, sc25519* x) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
137 sc25519_mul(r, x, x);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
138 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
139 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
140 struct ge25519 {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
141 public fe25519 x;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
142 public fe25519 y;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
143 public fe25519 z;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
144 public fe25519 t;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
145
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
146 struct ge25519_p1p1 {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
147 public fe25519 x;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
148 public fe25519 z;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
149 public fe25519 y;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
150 public fe25519 t;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
151 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
152 struct ge25519_p2 {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
153 public fe25519 x;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
154 public fe25519 y;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
155 public fe25519 z;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
156 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
157
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
158 /* Windowsize for fixed-window scalar multiplication */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
159 const int WINDOWSIZE = 2; //#define WINDOWSIZE 2 /* Should be 1,2, or 4 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
160 const int WINDOWMASK = ((1 << WINDOWSIZE) - 1); //#define WINDOWMASK ((1<<WINDOWSIZE)-1)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
161
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
162 /* packed parameter d in the Edwards curve equation */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
163 static Byte[] ecd = new Byte[32] {0xA3, 0x78, 0x59, 0x13, 0xCA, 0x4D, 0xEB, 0x75, 0xAB, 0xD8, 0x41, 0x41, 0x4D, 0x0A, 0x70, 0x00,
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
164 0x98, 0xE8, 0x79, 0x77, 0x79, 0x40, 0xC7, 0x8C, 0x73, 0xFE, 0x6F, 0x2B, 0xEE, 0x6C, 0x03, 0x52};
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
165
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
166 /* Packed coordinates of the base point */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
167 static Byte[] ge25519_base_x = new Byte[32] {0x1A, 0xD5, 0x25, 0x8F, 0x60, 0x2D, 0x56, 0xC9, 0xB2, 0xA7, 0x25, 0x95, 0x60, 0xC7, 0x2C, 0x69,
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
168 0x5C, 0xDC, 0xD6, 0xFD, 0x31, 0xE2, 0xA4, 0xC0, 0xFE, 0x53, 0x6E, 0xCD, 0xD3, 0x36, 0x69, 0x21};
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
169 static Byte[] ge25519_base_y = new Byte[32] {0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
170 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66};
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
171 static Byte[] ge25519_base_z = new Byte[32] { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
172 static Byte[] ge25519_base_t = new Byte[32] {0xA3, 0xDD, 0xB7, 0xA5, 0xB3, 0x8A, 0xDE, 0x6D, 0xF5, 0x52, 0x51, 0x77, 0x80, 0x9F, 0xF0, 0x20,
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
173 0x7D, 0xE3, 0xAB, 0x64, 0x8E, 0x4E, 0xEA, 0x66, 0x65, 0x76, 0x8B, 0xD7, 0x0F, 0x5F, 0x87, 0x67};
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
174
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
175 /* Packed coordinates of the neutral element */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
176 static Byte[] ge25519_neutral_x = new Byte[32]; // { 0 };
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
177 static Byte[] ge25519_neutral_y = new Byte[32] { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
178 static Byte[] ge25519_neutral_z = new Byte[32] { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
179 static Byte[] ge25519_neutral_t = new Byte[32]; // { 0 };
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
180
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
181 static unsafe void p1p1_to_p2(ge25519_p2* r, ge25519_p1p1* p) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
182 fe25519.fe25519_mul(&r->x, &p->x, &p->t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
183 fe25519.fe25519_mul(&r->y, &p->y, &p->z);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
184 fe25519.fe25519_mul(&r->z, &p->z, &p->t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
185 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
186
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
187 static unsafe void p1p1_to_p3(ge25519* r, ge25519_p1p1* p) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
188 p1p1_to_p2((ge25519_p2*)r, p);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
189 fe25519.fe25519_mul(&r->t, &p->x, &p->y);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
190 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
191
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
192 /* Constant-time version of: if(b) r = p */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
193 static unsafe void cmov_p3(ge25519* r, ge25519* p, Byte b) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
194 fe25519.fe25519_cmov(&r->x, &p->x, b);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
195 fe25519.fe25519_cmov(&r->y, &p->y, b);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
196 fe25519.fe25519_cmov(&r->z, &p->z, b);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
197 fe25519.fe25519_cmov(&r->t, &p->t, b);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
198 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
199
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
200 /* See http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#doubling-dbl-2008-hwcd */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
201 static unsafe void dbl_p1p1(ge25519_p1p1* r, ge25519_p2* p) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
202 fe25519 a, b, c, d;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
203 fe25519.fe25519_square(&a, &p->x);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
204 fe25519.fe25519_square(&b, &p->y);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
205 fe25519.fe25519_square(&c, &p->z);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
206 fe25519.fe25519_add(&c, &c, &c);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
207 fe25519.fe25519_neg(&d, &a);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
208
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
209 fe25519.fe25519_add(&r->x, &p->x, &p->y);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
210 fe25519.fe25519_square(&r->x, &r->x);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
211 fe25519.fe25519_sub(&r->x, &r->x, &a);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
212 fe25519.fe25519_sub(&r->x, &r->x, &b);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
213 fe25519.fe25519_add(&r->z, &d, &b);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
214 fe25519.fe25519_sub(&r->t, &r->z, &c);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
215 fe25519.fe25519_sub(&r->y, &d, &b);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
216 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
217
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
218 static unsafe void add_p1p1(ge25519_p1p1* r, ge25519* p, ge25519* q) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
219 fe25519 a, b, c, d, t, fd;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
220 fixed (Byte* ecdp = ecd) fe25519.fe25519_unpack(&fd, ecdp);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
221
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
222 fe25519.fe25519_sub(&a, &p->y, &p->x); // A = (Y1-X1)*(Y2-X2)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
223 fe25519.fe25519_sub(&t, &q->y, &q->x);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
224 fe25519.fe25519_mul(&a, &a, &t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
225 fe25519.fe25519_add(&b, &p->x, &p->y); // B = (Y1+X1)*(Y2+X2)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
226 fe25519.fe25519_add(&t, &q->x, &q->y);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
227 fe25519.fe25519_mul(&b, &b, &t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
228 fe25519.fe25519_mul(&c, &p->t, &q->t); //C = T1*k*T2
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
229 fe25519.fe25519_mul(&c, &c, &fd);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
230 fe25519.fe25519_add(&c, &c, &c); //XXX: Can save this addition by precomputing 2*ecd
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
231 fe25519.fe25519_mul(&d, &p->z, &q->z); //D = Z1*2*Z2
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
232 fe25519.fe25519_add(&d, &d, &d);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
233 fe25519.fe25519_sub(&r->x, &b, &a); // E = B-A
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
234 fe25519.fe25519_sub(&r->t, &d, &c); // F = D-C
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
235 fe25519.fe25519_add(&r->z, &d, &c); // G = D+C
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
236 fe25519.fe25519_add(&r->y, &b, &a); // H = B+A
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
237 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
238
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
239 /* ********************************************************************
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
240 * EXPORTED FUNCTIONS
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
241 ******************************************************************** */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
242
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
243 /* return 0 on success, -1 otherwise */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
244 public unsafe static Boolean ge25519_unpack_vartime(ge25519* r, Byte* p) { //const unsigned char p[32]
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
245 Boolean ret;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
246 fe25519 t, fd;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
247 fe25519.fe25519_setone(&r->z);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
248 fixed (Byte* ecdp = ecd) fe25519.fe25519_unpack(&fd, ecdp);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
249 Byte par = (Byte)(p[31] >> 7);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
250 fe25519.fe25519_unpack(&r->y, p);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
251 fe25519.fe25519_square(&r->x, &r->y);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
252 fe25519.fe25519_mul(&t, &r->x, &fd);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
253 fe25519.fe25519_sub(&r->x, &r->x, &r->z);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
254 fe25519.fe25519_add(&t, &r->z, &t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
255 fe25519.fe25519_invert(&t, &t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
256 fe25519.fe25519_mul(&r->x, &r->x, &t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
257 ret = fe25519.fe25519_sqrt_vartime(&r->x, &r->x, par);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
258 fe25519.fe25519_mul(&r->t, &r->x, &r->y);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
259 return ret;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
260 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
261
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
262 public static unsafe void ge25519_pack(Byte* r, ge25519* p) { //unsigned char r[32]
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
263 fe25519 tx, ty, zi;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
264 fe25519.fe25519_invert(&zi, &p->z);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
265 fe25519.fe25519_mul(&tx, &p->x, &zi);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
266 fe25519.fe25519_mul(&ty, &p->y, &zi);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
267 fe25519.fe25519_pack(r, &ty);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
268 r[31] ^= (Byte)(fe25519.fe25519_getparity(&tx) << 7);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
269 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
270
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
271 public static unsafe void ge25519_add(ge25519* r, ge25519* p, ge25519* q) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
272 ge25519_p1p1 grp1p1;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
273 add_p1p1(&grp1p1, p, q);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
274 p1p1_to_p3(r, &grp1p1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
275 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
276
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
277 public static unsafe void ge25519_double(ge25519* r, ge25519* p) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
278 ge25519_p1p1 grp1p1;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
279 dbl_p1p1(&grp1p1, (ge25519_p2*)p);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
280 p1p1_to_p3(r, &grp1p1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
281 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
282
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
283 public static unsafe void ge25519_scalarmult(ge25519* r, ge25519* p, sc25519* s) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
284 int i, j, k;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
285 ge25519 g;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
286 fixed (Byte* ge25519_neutral_xp = ge25519_neutral_x) fe25519.fe25519_unpack(&g.x, ge25519_neutral_xp);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
287 fixed (Byte* ge25519_neutral_yp = ge25519_neutral_y) fe25519.fe25519_unpack(&g.y, ge25519_neutral_yp);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
288 fixed (Byte* ge25519_neutral_zp = ge25519_neutral_z) fe25519.fe25519_unpack(&g.z, ge25519_neutral_zp);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
289 fixed (Byte* ge25519_neutral_tp = ge25519_neutral_t) fe25519.fe25519_unpack(&g.t, ge25519_neutral_tp);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
290
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
291 ge25519[] pre = new ge25519[(1 << WINDOWSIZE)];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
292 ge25519 t;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
293 ge25519_p1p1 tp1p1;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
294 Byte w;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
295 Byte* sb = stackalloc Byte[32];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
296 sc25519.sc25519_to32bytes(sb, s);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
297
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
298 // Precomputation
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
299 pre[0] = g;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
300 pre[1] = *p;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
301 for (i = 2; i < (1 << WINDOWSIZE); i += 2) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
302 fixed (ge25519* prep = pre) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
303 dbl_p1p1(&tp1p1, (ge25519_p2*)(prep + i / 2));
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
304 p1p1_to_p3(prep + i, &tp1p1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
305 add_p1p1(&tp1p1, prep + i, prep + 1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
306 p1p1_to_p3(prep + i + 1, &tp1p1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
307 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
308 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
309
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
310 // Fixed-window scalar multiplication
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
311 for (i = 32; i > 0; i--) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
312 for (j = 8 - WINDOWSIZE; j >= 0; j -= WINDOWSIZE) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
313 for (k = 0; k < WINDOWSIZE - 1; k++) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
314 dbl_p1p1(&tp1p1, (ge25519_p2*)&g);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
315 p1p1_to_p2((ge25519_p2*)&g, &tp1p1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
316 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
317 dbl_p1p1(&tp1p1, (ge25519_p2*)&g);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
318 p1p1_to_p3(&g, &tp1p1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
319 // Cache-timing resistant loading of precomputed value:
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
320 w = (Byte)((sb[i - 1] >> j) & WINDOWMASK);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
321 t = pre[0];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
322 for (k = 1; k < (1 << WINDOWSIZE); k++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
323 fixed (ge25519* prekp = &pre[k]) cmov_p3(&t, prekp, (k == w) ? (Byte)1 : (Byte)0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
324
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
325 add_p1p1(&tp1p1, &g, &t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
326 if (j != 0) p1p1_to_p2((ge25519_p2*)&g, &tp1p1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
327 else p1p1_to_p3(&g, &tp1p1); /* convert to p3 representation at the end */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
328 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
329 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
330 r->x = g.x;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
331 r->y = g.y;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
332 r->z = g.z;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
333 r->t = g.t;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
334 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
335
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
336 public unsafe static void ge25519_scalarmult_base(ge25519* r, sc25519* s) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
337 /* XXX: Better algorithm for known-base-point scalar multiplication */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
338 ge25519 t;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
339 fixed (Byte* ge25519_base_xp = ge25519_base_x) fe25519.fe25519_unpack(&t.x, ge25519_base_xp);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
340 fixed (Byte* ge25519_base_yp = ge25519_base_y) fe25519.fe25519_unpack(&t.y, ge25519_base_yp);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
341 fixed (Byte* ge25519_base_zp = ge25519_base_z) fe25519.fe25519_unpack(&t.z, ge25519_base_zp);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
342 fixed (Byte* ge25519_base_tp = ge25519_base_t) fe25519.fe25519_unpack(&t.t, ge25519_base_tp);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
343 ge25519_scalarmult(r, &t, s);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
344 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
345 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
346 unsafe struct fe25519 {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
347 public fixed UInt32 v[32]; // crypto_uint32 v[32];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
348
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
349 const int WINDOWSIZE = 4; //#define WINDOWSIZE 4 /* Should be 1,2, or 4 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
350 const int WINDOWMASK = ((1 << WINDOWSIZE) - 1); //#define WINDOWMASK ((1<<WINDOWSIZE)-1)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
351
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
352 static unsafe void reduce_add_sub(fe25519* r) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
353 for (int rep = 0; rep < 4; rep++) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
354 UInt32 t = r->v[31] >> 7;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
355 r->v[31] &= 127;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
356 t *= 19;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
357 r->v[0] += t;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
358 for (int i = 0; i < 31; i++) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
359 t = r->v[i] >> 8;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
360 r->v[i + 1] += t;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
361 r->v[i] &= 255;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
362 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
363 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
364 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
365
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
366 unsafe static void reduce_mul(fe25519* r) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
367 for (int rep = 0; rep < 2; rep++) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
368 UInt32 t = r->v[31] >> 7;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
369 r->v[31] &= 127;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
370 t *= 19;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
371 r->v[0] += t;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
372 for (int i = 0; i < 31; i++) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
373 t = r->v[i] >> 8;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
374 r->v[i + 1] += t;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
375 r->v[i] &= 255;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
376 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
377 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
378 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
379
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
380 /* reduction modulo 2^255-19 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
381 unsafe static void freeze(fe25519* r) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
382 UInt32 m = (r->v[31] == 127) ? 1u : 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
383 for (int i = 30; i > 1; i--)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
384 m *= (r->v[i] == 255) ? 1u : 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
385 m *= (r->v[0] >= 237) ? 1u : 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
386
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
387 r->v[31] -= m * 127;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
388 for (int i = 30; i > 0; i--)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
389 r->v[i] -= m * 255;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
390 r->v[0] -= m * 237;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
391 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
392
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
393 /*freeze input before calling isone*/
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
394 unsafe static Boolean isone(fe25519* x) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
395 bool r = x->v[0] == 1;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
396 for (int i = 1; i < 32; i++) r &= (x->v[i] == 0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
397 return r;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
398 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
399
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
400 /*freeze input before calling iszero*/
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
401 unsafe static Boolean iszero(fe25519* x) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
402 bool r = (x->v[0] == 0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
403 for (int i = 1; i < 32; i++) r &= (x->v[i] == 0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
404 return r;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
405 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
406
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
407
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
408 unsafe static Boolean issquare(fe25519* x) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
409 Byte[] e = new Byte[32] { 0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }; /* (p-1)/2 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
410 fe25519 t;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
411
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
412 fixed (Byte* ep = e) fe25519_pow(&t, x, ep);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
413 freeze(&t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
414 return isone(&t) || iszero(&t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
415 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
416
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
417 public static unsafe void fe25519_unpack(fe25519* r, Byte* x) { //const unsigned char x[32]
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
418 for (int i = 0; i < 32; i++) r->v[i] = x[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
419 r->v[31] &= 127;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
420 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
421
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
422 /* Assumes input x being reduced mod 2^255 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
423 public static unsafe void fe25519_pack(Byte* r, fe25519* x) { //unsigned char r[32]
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
424 for (int i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
425 r[i] = (byte)x->v[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
426
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
427 /* freeze byte array */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
428 UInt32 m = (r[31] == 127) ? 1u : 0; /* XXX: some compilers might use branches; fix */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
429 for (int i = 30; i > 1; i--)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
430 m *= (r[i] == 255) ? 1u : 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
431 m *= (r[0] >= 237) ? 1u : 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
432 r[31] -= (byte)(m * 127);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
433 for (int i = 30; i > 0; i--)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
434 r[i] -= (byte)(m * 255);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
435 r[0] -= (byte)(m * 237);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
436 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
437
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
438 public static unsafe void fe25519_cmov(fe25519* r, fe25519* x, Byte b) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
439 Byte nb = (Byte)(1 - b);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
440 for (int i = 0; i < 32; i++) r->v[i] = nb * r->v[i] + b * x->v[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
441 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
442
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
443 public static unsafe Byte fe25519_getparity(fe25519* x) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
444 fe25519 t = new fe25519();
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
445 for (int i = 0; i < 32; i++) t.v[i] = x->v[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
446 freeze(&t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
447 return (Byte)(t.v[0] & 1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
448 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
449
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
450 public static unsafe void fe25519_setone(fe25519* r) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
451 r->v[0] = 1;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
452 for (int i = 1; i < 32; i++) r->v[i] = 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
453 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
454
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
455 static unsafe void fe25519_setzero(fe25519* r) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
456 for (int i = 0; i < 32; i++) r->v[i] = 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
457 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
458
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
459 public static unsafe void fe25519_neg(fe25519* r, fe25519* x) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
460 fe25519 t = new fe25519();
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
461 for (int i = 0; i < 32; i++) t.v[i] = x->v[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
462 fe25519_setzero(r);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
463 fe25519_sub(r, r, &t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
464 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
465
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
466 public static unsafe void fe25519_add(fe25519* r, fe25519* x, fe25519* y) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
467 for (int i = 0; i < 32; i++) r->v[i] = x->v[i] + y->v[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
468 reduce_add_sub(r);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
469 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
470
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
471 public static unsafe void fe25519_sub(fe25519* r, fe25519* x, fe25519* y) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
472 UInt32* t = stackalloc UInt32[32];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
473 t[0] = x->v[0] + 0x1da;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
474 t[31] = x->v[31] + 0xfe;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
475 for (int i = 1; i < 31; i++) t[i] = x->v[i] + 0x1fe;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
476 for (int i = 0; i < 32; i++) r->v[i] = t[i] - y->v[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
477 reduce_add_sub(r);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
478 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
479
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
480 public static unsafe void fe25519_mul(fe25519* r, fe25519* x, fe25519* y) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
481 UInt32* t = stackalloc UInt32[63];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
482 for (int i = 0; i < 63; i++) t[i] = 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
483 for (int i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
484 for (int j = 0; j < 32; j++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
485 t[i + j] += x->v[i] * y->v[j];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
486
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
487 for (int i = 32; i < 63; i++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
488 r->v[i - 32] = t[i - 32] + 38 * t[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
489 r->v[31] = t[31]; /* result now in r[0]...r[31] */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
490
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
491 reduce_mul(r);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
492 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
493
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
494 public static unsafe void fe25519_square(fe25519* r, fe25519* x) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
495 fe25519_mul(r, x, x);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
496 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
497
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
498 /*XXX: Make constant time! */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
499 public static unsafe void fe25519_pow(fe25519* r, fe25519* x, Byte* e) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
500 /*
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
501 fe25519 g;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
502 fe25519_setone(&g);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
503 int i;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
504 unsigned char j;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
505 for(i=32;i>0;i--)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
506 {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
507 for(j=128;j>0;j>>=1)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
508 {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
509 fe25519_square(&g,&g);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
510 if(e[i-1] & j)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
511 fe25519_mul(&g,&g,x);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
512 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
513 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
514 for(i=0;i<32;i++) r->v[i] = g.v[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
515 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
516 fe25519 g;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
517 fe25519_setone(&g);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
518 fe25519[] pre = new fe25519[(1 << WINDOWSIZE)];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
519 fe25519 t;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
520 Byte w;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
521
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
522 // Precomputation
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
523 fixed (fe25519* prep = pre) fe25519_setone(prep);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
524 pre[1] = *x;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
525 for (int i = 2; i < (1 << WINDOWSIZE); i += 2) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
526 fixed (fe25519* prep = pre) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
527 fe25519_square(prep + i, prep + i / 2);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
528 fe25519_mul(prep + i + 1, prep + i, prep + 1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
529 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
530 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
531
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
532 // Fixed-window scalar multiplication
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
533 for (int i = 32; i > 0; i--) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
534 for (int j = 8 - WINDOWSIZE; j >= 0; j -= WINDOWSIZE) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
535 for (int k = 0; k < WINDOWSIZE; k++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
536 fe25519_square(&g, &g);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
537 // Cache-timing resistant loading of precomputed value:
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
538 w = (Byte)((e[i - 1] >> j) & WINDOWMASK);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
539 t = pre[0];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
540 for (int k = 1; k < (1 << WINDOWSIZE); k++) fixed (fe25519* prekp = &pre[k]) fe25519_cmov(&t, prekp, (k == w) ? (Byte)1 : (Byte)0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
541 fe25519_mul(&g, &g, &t);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
542 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
543 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
544 *r = g;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
545 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
546
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
547 /* Return 0 on success, 1 otherwise */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
548 public static unsafe Boolean fe25519_sqrt_vartime(fe25519* r, fe25519* x, Byte parity) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
549 /* See HAC, Alg. 3.37 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
550 if (!issquare(x)) return true;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
551 Byte[] e = new Byte[32] { 0xfb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f }; /* (p-1)/4 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
552 Byte[] e2 = new Byte[32] { 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f }; /* (p+3)/8 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
553 Byte[] e3 = new Byte[32] { 0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f }; /* (p-5)/8 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
554 fe25519 p = new fe25519(); // { { 0 } };
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
555 fe25519 d;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
556 fixed (Byte* ep = e) fe25519.fe25519_pow(&d, x, ep);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
557 freeze(&d);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
558 if (isone(&d))
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
559 fixed (Byte* e2p = e2) fe25519.fe25519_pow(r, x, e2p);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
560 else {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
561 for (int i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
562 d.v[i] = 4 * x->v[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
563 fixed (Byte* e3p = e3) fe25519.fe25519_pow(&d, &d, e3p);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
564 for (int i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
565 r->v[i] = 2 * x->v[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
566 fe25519_mul(r, r, &d);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
567 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
568 freeze(r);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
569 if ((r->v[0] & 1) != (parity & 1)) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
570 fe25519_sub(r, &p, r);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
571 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
572 return false;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
573 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
574
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
575 public static unsafe void fe25519_invert(fe25519* r, fe25519* x) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
576 fe25519 z2;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
577 fe25519 z9;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
578 fe25519 z11;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
579 fe25519 z2_5_0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
580 fe25519 z2_10_0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
581 fe25519 z2_20_0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
582 fe25519 z2_50_0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
583 fe25519 z2_100_0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
584 fe25519 t0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
585 fe25519 t1;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
586
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
587 /* 2 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
588 fe25519_square(&z2, x);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
589 /* 4 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
590 fe25519_square(&t1, &z2);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
591 /* 8 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
592 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
593 /* 9 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
594 fe25519_mul(&z9, &t0, x);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
595 /* 11 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
596 fe25519_mul(&z11, &z9, &z2);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
597 /* 22 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
598 fe25519_square(&t0, &z11);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
599 /* 2^5 - 2^0 = 31 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
600 fe25519_mul(&z2_5_0, &t0, &z9);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
601
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
602 /* 2^6 - 2^1 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
603 fe25519_square(&t0, &z2_5_0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
604 /* 2^7 - 2^2 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
605 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
606 /* 2^8 - 2^3 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
607 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
608 /* 2^9 - 2^4 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
609 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
610 /* 2^10 - 2^5 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
611 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
612 /* 2^10 - 2^0 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
613 fe25519_mul(&z2_10_0, &t0, &z2_5_0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
614
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
615 /* 2^11 - 2^1 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
616 fe25519_square(&t0, &z2_10_0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
617 /* 2^12 - 2^2 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
618 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
619 /* 2^20 - 2^10 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
620 for (int i = 2; i < 10; i += 2) { fe25519_square(&t0, &t1); fe25519_square(&t1, &t0); }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
621 /* 2^20 - 2^0 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
622 fe25519_mul(&z2_20_0, &t1, &z2_10_0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
623
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
624 /* 2^21 - 2^1 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
625 fe25519_square(&t0, &z2_20_0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
626 /* 2^22 - 2^2 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
627 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
628 /* 2^40 - 2^20 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
629 for (int i = 2; i < 20; i += 2) { fe25519_square(&t0, &t1); fe25519_square(&t1, &t0); }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
630 /* 2^40 - 2^0 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
631 fe25519_mul(&t0, &t1, &z2_20_0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
632
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
633 /* 2^41 - 2^1 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
634 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
635 /* 2^42 - 2^2 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
636 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
637 /* 2^50 - 2^10 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
638 for (int i = 2; i < 10; i += 2) { fe25519_square(&t1, &t0); fe25519_square(&t0, &t1); }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
639 /* 2^50 - 2^0 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
640 fe25519_mul(&z2_50_0, &t0, &z2_10_0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
641
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
642 /* 2^51 - 2^1 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
643 fe25519_square(&t0, &z2_50_0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
644 /* 2^52 - 2^2 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
645 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
646 /* 2^100 - 2^50 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
647 for (int i = 2; i < 50; i += 2) { fe25519_square(&t0, &t1); fe25519_square(&t1, &t0); }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
648 /* 2^100 - 2^0 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
649 fe25519_mul(&z2_100_0, &t1, &z2_50_0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
650
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
651 /* 2^101 - 2^1 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
652 fe25519_square(&t1, &z2_100_0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
653 /* 2^102 - 2^2 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
654 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
655 /* 2^200 - 2^100 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
656 for (int i = 2; i < 100; i += 2) { fe25519_square(&t1, &t0); fe25519_square(&t0, &t1); }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
657 /* 2^200 - 2^0 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
658 fe25519_mul(&t1, &t0, &z2_100_0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
659
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
660 /* 2^201 - 2^1 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
661 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
662 /* 2^202 - 2^2 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
663 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
664 /* 2^250 - 2^50 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
665 for (int i = 2; i < 50; i += 2) { fe25519_square(&t0, &t1); fe25519_square(&t1, &t0); }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
666 /* 2^250 - 2^0 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
667 fe25519_mul(&t0, &t1, &z2_50_0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
668
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
669 /* 2^251 - 2^1 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
670 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
671 /* 2^252 - 2^2 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
672 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
673 /* 2^253 - 2^3 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
674 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
675 /* 2^254 - 2^4 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
676 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
677 /* 2^255 - 2^5 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
678 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
679 /* 2^255 - 21 */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
680 fe25519_mul(r, &t1, &z11);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
681 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
682 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
683
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
684 public static unsafe void crypto_sign_keypair(out Byte[] pk, out Byte[] sk) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
685 sc25519 scsk;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
686 ge25519 gepk;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
687
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
688 sk = new Byte[SECRETKEYBYTES];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
689 pk = new Byte[PUBLICKEYBYTES];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
690 randombytes.generate(sk);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
691 fixed (Byte* skp = sk) crypto_hash.sha512.crypto_hash(skp, skp, 32);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
692 sk[0] &= 248;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
693 sk[31] &= 127;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
694 sk[31] |= 64;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
695
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
696 fixed (Byte* skp = sk) sc25519.sc25519_from32bytes(&scsk, skp);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
697
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
698 ge25519.ge25519_scalarmult_base(&gepk, &scsk);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
699 fixed (Byte* pkp = pk) ge25519.ge25519_pack(pkp, &gepk);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
700 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
701
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
702 public static unsafe Byte[] crypto_sign(Byte[] m, Byte[] sk) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
703 if (sk.Length != SECRETKEYBYTES) throw new ArgumentException("sk.Length != SECRETKEYBYTES");
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
704 Byte[] sm = new Byte[m.Length + 64];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
705 UInt64 smlen;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
706 fixed (Byte* smp = sm, mp = m, skp = sk) crypto_sign(smp, out smlen, mp, (ulong)m.Length, skp);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
707 return sm;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
708 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
709 public static unsafe void crypto_sign(Byte* sm, out UInt64 smlen, Byte* m, UInt64 mlen, Byte* sk) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
710 sc25519 sck, scs, scsk;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
711 ge25519 ger;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
712 Byte* r = stackalloc Byte[32];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
713 Byte* s = stackalloc Byte[32];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
714 Byte* hmg = stackalloc Byte[crypto_hash.sha512.BYTES];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
715 Byte* hmr = stackalloc Byte[crypto_hash.sha512.BYTES];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
716
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
717 smlen = mlen + 64;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
718 for (UInt64 i = 0; i < mlen; i++) sm[32 + i] = m[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
719 for (int i = 0; i < 32; i++) sm[i] = sk[32 + i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
720 crypto_hash.sha512.crypto_hash(hmg, sm, mlen + 32); /* Generate k as h(m,sk[32],...,sk[63]) */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
721
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
722 sc25519.sc25519_from64bytes(&sck, hmg);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
723 ge25519.ge25519_scalarmult_base(&ger, &sck);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
724 ge25519.ge25519_pack(r, &ger);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
725
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
726 for (int i = 0; i < 32; i++) sm[i] = r[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
727
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
728 crypto_hash.sha512.crypto_hash(hmr, sm, mlen + 32); /* Compute h(m,r) */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
729 sc25519.sc25519_from64bytes(&scs, hmr);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
730 sc25519.sc25519_mul(&scs, &scs, &sck);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
731
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
732 sc25519.sc25519_from32bytes(&scsk, sk);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
733 sc25519.sc25519_add(&scs, &scs, &scsk);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
734
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
735 sc25519.sc25519_to32bytes(s, &scs); /* cat s */
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
736 for (UInt64 i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
737 sm[mlen + 32 + i] = s[i];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
738 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
739
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
740 public static unsafe Byte[] crypto_sign_open(Byte[] sm, Byte[] pk) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
741 if (pk.Length != PUBLICKEYBYTES) throw new ArgumentException("pk.Length != PUBLICKEYBYTES");
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
742 Byte[] m = new Byte[sm.Length - 64];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
743 UInt64 mlen;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
744 fixed (Byte* smp = sm, mp = m, pkp = pk) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
745 if (crypto_sign_open(mp, out mlen, smp, (ulong)sm.Length, pkp) != 0) return null;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
746 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
747 return m;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
748 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
749 public static unsafe int crypto_sign_open(Byte* m, out UInt64 mlen, Byte* sm, UInt64 smlen, Byte* pk) {
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
750 mlen = 0;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
751 if (smlen < 64) return -1;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
752
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
753 Byte* t1 = stackalloc Byte[32], t2 = stackalloc Byte[32];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
754 ge25519 get1, get2, gepk;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
755 sc25519 schmr, scs;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
756 Byte* hmr = stackalloc Byte[crypto_hash.sha512.BYTES];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
757
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
758 if (ge25519.ge25519_unpack_vartime(&get1, sm)) return -1;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
759 if (ge25519.ge25519_unpack_vartime(&gepk, pk)) return -1;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
760
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
761 crypto_hash.sha512.crypto_hash(hmr, sm, smlen - 32);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
762
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
763 sc25519.sc25519_from64bytes(&schmr, hmr);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
764 ge25519.ge25519_scalarmult(&get1, &get1, &schmr);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
765 ge25519.ge25519_add(&get1, &get1, &gepk);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
766 ge25519.ge25519_pack(t1, &get1);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
767
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
768 sc25519.sc25519_from32bytes(&scs, &sm[smlen - 32]);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
769 ge25519.ge25519_scalarmult_base(&get2, &scs);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
770 ge25519.ge25519_pack(t2, &get2);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
771
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
772 if (m != null) for (UInt64 i = 0; i < smlen - 64; i++) m[i] = sm[i + 32];
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
773 mlen = smlen - 64;
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
774
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
775 return crypto_verify._32.crypto_verify(t1, t2);
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
776 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
777 }
c873e3dd73fe Added NaCl cryptography code
Ivo Smits <Ivo@UCIS.nl>
parents:
diff changeset
778 }