ucis.core: NaCl/crypto_sign/edwards25519sha512batch.cs annotate

annotate NaCl/crypto_sign/edwards25519sha512batch.cs @ 68:e811297f5aa4

Updated USBLib: removed old LibUsbDotNet compatibility code and added new information helper classes

author	Ivo Smits <Ivo@UCIS.nl>
date	Wed, 16 Oct 2013 16:58:39 +0200
parents	c873e3dd73fe
children	7e9d1cfcc562

rev	line source
20 c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	1 ???using System;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	2 using UCIS.NaCl;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	3 using System.Runtime.InteropServices;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	4
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	5 namespace UCIS.NaCl.crypto_sign {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	6 public static class edwards25519sha512batch {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	7 public const int SECRETKEYBYTES = 64;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	8 public const int PUBLICKEYBYTES = 32;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	9 public const int CRYPTO_BYTES = 64;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	10
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	11 /Arithmetic modulo the group order n = 2^252 + 27742317777372353535851937790883648493 = 7237005577332262213973186563042994240857116359379907606001950938285454250989 /
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	12
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	13 unsafe struct sc25519 {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	14 public fixed UInt32 v[32]; //crypto_uint32 v[32];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	15
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	16 static UInt32[] m = new UInt32[32] {0xED, 0xD3, 0xF5, 0x5C, 0x1A, 0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14,
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	17 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10};
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	18
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	19 static UInt32[] mu = new UInt32[33] {0x1B, 0x13, 0x2C, 0x0A, 0xA3, 0xE5, 0x9C, 0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21,
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	20 0xEB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F};
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	21
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	22 /* Reduce coefficients of r before calling reduce_add_sub */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	23 static unsafe void reduce_add_sub(sc25519* r) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	24 int i, b = 0, pb = 0, nb;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	25 Byte* t = stackalloc Byte[32];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	26
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	27 for (i = 0; i < 32; i++) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	28 b = (r->v[i] < pb + m[i]) ? 1 : 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	29 t[i] = (Byte)(r->v[i] - pb - m[i] + b * 256);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	30 pb = b;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	31 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	32 nb = 1 - b;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	33 for (i = 0; i < 32; i++) r->v[i] = (uint)(r->v[i] * b + t[i] * nb);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	34 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	35
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	36 /* Reduce coefficients of x before calling barrett_reduce */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	37 static unsafe void barrett_reduce(sc25519* r, UInt32* x) { // const crypto_uint32 x[64]
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	38 /* See HAC, Alg. 14.42 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	39 UInt32* q2 = stackalloc UInt32[66]; // { 0 };
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	40 for (int z = 0; z < 66; z++) q2[z] = 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	41 UInt32* q3 = q2 + 33;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	42 UInt32* r1 = stackalloc UInt32[33];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	43 UInt32* r2 = stackalloc UInt32[33]; // { 0 };
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	44 for (int z = 0; z < 33; z++) r2[z] = 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	45 UInt32 carry;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	46 int b, pb = 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	47
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	48 for (int i = 0; i < 33; i++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	49 for (int j = 0; j < 33; j++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	50 if (i + j >= 31) q2[i + j] += mu[i] * x[j + 31];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	51 carry = q2[31] >> 8;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	52 q2[32] += carry;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	53 carry = q2[32] >> 8;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	54 q2[33] += carry;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	55
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	56 for (int i = 0; i < 33; i++) r1[i] = x[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	57 for (int i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	58 for (int j = 0; j < 33; j++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	59 if (i + j < 33) r2[i + j] += m[i] * q3[j];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	60
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	61 for (int i = 0; i < 32; i++) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	62 carry = r2[i] >> 8;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	63 r2[i + 1] += carry;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	64 r2[i] &= 0xff;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	65 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	66
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	67 for (int i = 0; i < 32; i++) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	68 b = (r1[i] < pb + r2[i]) ? 1 : 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	69 r->v[i] = (uint)(r1[i] - pb - r2[i] + b * 256);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	70 pb = b;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	71 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	72
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	73 /* XXX: Can it really happen that r<0?, See HAC, Alg 14.42, Step 3
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	74 * If so: Handle it here!
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	75 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	76
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	77 reduce_add_sub(r);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	78 reduce_add_sub(r);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	79 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	80
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	81 /*
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	82 static int iszero(const sc25519 *x)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	83 {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	84 // Implement
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	85 return 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	86 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	87 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	88
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	89 public static unsafe void sc25519_from32bytes(sc25519* r, Byte* x) { //const unsigned char x[32]
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	90 UInt32* t = stackalloc UInt32[64]; // { 0 };
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	91 for (int i = 0; i < 32; i++) t[i] = x[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	92 for (int i = 32; i < 64; i++) t[i] = 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	93 barrett_reduce(r, t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	94 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	95
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	96 public static unsafe void sc25519_from64bytes(sc25519* r, Byte* x) { //const unsigned char x[64]
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	97 UInt32* t = stackalloc UInt32[64]; // { 0 };
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	98 for (int i = 0; i < 64; i++) t[i] = x[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	99 barrett_reduce(r, t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	100 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	101
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	102 /* XXX: What we actually want for crypto_group is probably just something like
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	103 * void sc25519_frombytes(sc25519 r, const unsigned char x, size_t xlen)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	104 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	105
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	106 public static unsafe void sc25519_to32bytes(Byte* r, sc25519* x) { //unsigned char r[32]
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	107 for (int i = 0; i < 32; i++) r[i] = (Byte)x->v[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	108 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	109
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	110 public static unsafe void sc25519_add(sc25519* r, sc25519* x, sc25519* y) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	111 for (int i = 0; i < 32; i++) r->v[i] = x->v[i] + y->v[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	112 for (int i = 0; i < 31; i++) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	113 uint carry = r->v[i] >> 8;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	114 r->v[i + 1] += carry;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	115 r->v[i] &= 0xff;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	116 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	117 reduce_add_sub(r);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	118 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	119
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	120 public static unsafe void sc25519_mul(sc25519* r, sc25519* x, sc25519* y) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	121 UInt32* t = stackalloc UInt32[64];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	122 for (int i = 0; i < 64; i++) t[i] = 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	123
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	124 for (int i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	125 for (int j = 0; j < 32; j++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	126 t[i + j] += x->v[i] * y->v[j];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	127
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	128 /* Reduce coefficients */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	129 for (int i = 0; i < 63; i++) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	130 uint carry = t[i] >> 8;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	131 t[i + 1] += carry;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	132 t[i] &= 0xff;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	133 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	134
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	135 barrett_reduce(r, t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	136 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	137
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	138 public static unsafe void sc25519_square(sc25519* r, sc25519* x) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	139 sc25519_mul(r, x, x);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	140 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	141 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	142 struct ge25519 {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	143 public fe25519 x;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	144 public fe25519 y;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	145 public fe25519 z;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	146 public fe25519 t;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	147
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	148 struct ge25519_p1p1 {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	149 public fe25519 x;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	150 public fe25519 z;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	151 public fe25519 y;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	152 public fe25519 t;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	153 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	154 struct ge25519_p2 {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	155 public fe25519 x;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	156 public fe25519 y;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	157 public fe25519 z;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	158 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	159
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	160 /* Windowsize for fixed-window scalar multiplication */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	161 const int WINDOWSIZE = 2; //#define WINDOWSIZE 2 /* Should be 1,2, or 4 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	162 const int WINDOWMASK = ((1 << WINDOWSIZE) - 1); //#define WINDOWMASK ((1<<WINDOWSIZE)-1)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	163
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	164 /* packed parameter d in the Edwards curve equation */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	165 static Byte[] ecd = new Byte[32] {0xA3, 0x78, 0x59, 0x13, 0xCA, 0x4D, 0xEB, 0x75, 0xAB, 0xD8, 0x41, 0x41, 0x4D, 0x0A, 0x70, 0x00,
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	166 0x98, 0xE8, 0x79, 0x77, 0x79, 0x40, 0xC7, 0x8C, 0x73, 0xFE, 0x6F, 0x2B, 0xEE, 0x6C, 0x03, 0x52};
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	167
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	168 /* Packed coordinates of the base point */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	169 static Byte[] ge25519_base_x = new Byte[32] {0x1A, 0xD5, 0x25, 0x8F, 0x60, 0x2D, 0x56, 0xC9, 0xB2, 0xA7, 0x25, 0x95, 0x60, 0xC7, 0x2C, 0x69,
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	170 0x5C, 0xDC, 0xD6, 0xFD, 0x31, 0xE2, 0xA4, 0xC0, 0xFE, 0x53, 0x6E, 0xCD, 0xD3, 0x36, 0x69, 0x21};
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	171 static Byte[] ge25519_base_y = new Byte[32] {0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	172 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66};
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	173 static Byte[] ge25519_base_z = new Byte[32] { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	174 static Byte[] ge25519_base_t = new Byte[32] {0xA3, 0xDD, 0xB7, 0xA5, 0xB3, 0x8A, 0xDE, 0x6D, 0xF5, 0x52, 0x51, 0x77, 0x80, 0x9F, 0xF0, 0x20,
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	175 0x7D, 0xE3, 0xAB, 0x64, 0x8E, 0x4E, 0xEA, 0x66, 0x65, 0x76, 0x8B, 0xD7, 0x0F, 0x5F, 0x87, 0x67};
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	176
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	177 /* Packed coordinates of the neutral element */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	178 static Byte[] ge25519_neutral_x = new Byte[32]; // { 0 };
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	179 static Byte[] ge25519_neutral_y = new Byte[32] { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	180 static Byte[] ge25519_neutral_z = new Byte[32] { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	181 static Byte[] ge25519_neutral_t = new Byte[32]; // { 0 };
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	182
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	183 static unsafe void p1p1_to_p2(ge25519_p2* r, ge25519_p1p1* p) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	184 fe25519.fe25519_mul(&r->x, &p->x, &p->t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	185 fe25519.fe25519_mul(&r->y, &p->y, &p->z);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	186 fe25519.fe25519_mul(&r->z, &p->z, &p->t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	187 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	188
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	189 static unsafe void p1p1_to_p3(ge25519* r, ge25519_p1p1* p) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	190 p1p1_to_p2((ge25519_p2*)r, p);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	191 fe25519.fe25519_mul(&r->t, &p->x, &p->y);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	192 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	193
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	194 /* Constant-time version of: if(b) r = p */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	195 static unsafe void cmov_p3(ge25519* r, ge25519* p, Byte b) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	196 fe25519.fe25519_cmov(&r->x, &p->x, b);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	197 fe25519.fe25519_cmov(&r->y, &p->y, b);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	198 fe25519.fe25519_cmov(&r->z, &p->z, b);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	199 fe25519.fe25519_cmov(&r->t, &p->t, b);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	200 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	201
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	202 /* See http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#doubling-dbl-2008-hwcd */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	203 static unsafe void dbl_p1p1(ge25519_p1p1* r, ge25519_p2* p) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	204 fe25519 a, b, c, d;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	205 fe25519.fe25519_square(&a, &p->x);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	206 fe25519.fe25519_square(&b, &p->y);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	207 fe25519.fe25519_square(&c, &p->z);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	208 fe25519.fe25519_add(&c, &c, &c);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	209 fe25519.fe25519_neg(&d, &a);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	210
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	211 fe25519.fe25519_add(&r->x, &p->x, &p->y);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	212 fe25519.fe25519_square(&r->x, &r->x);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	213 fe25519.fe25519_sub(&r->x, &r->x, &a);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	214 fe25519.fe25519_sub(&r->x, &r->x, &b);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	215 fe25519.fe25519_add(&r->z, &d, &b);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	216 fe25519.fe25519_sub(&r->t, &r->z, &c);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	217 fe25519.fe25519_sub(&r->y, &d, &b);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	218 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	219
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	220 static unsafe void add_p1p1(ge25519_p1p1* r, ge25519* p, ge25519* q) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	221 fe25519 a, b, c, d, t, fd;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	222 fixed (Byte* ecdp = ecd) fe25519.fe25519_unpack(&fd, ecdp);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	223
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	224 fe25519.fe25519_sub(&a, &p->y, &p->x); // A = (Y1-X1)*(Y2-X2)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	225 fe25519.fe25519_sub(&t, &q->y, &q->x);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	226 fe25519.fe25519_mul(&a, &a, &t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	227 fe25519.fe25519_add(&b, &p->x, &p->y); // B = (Y1+X1)*(Y2+X2)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	228 fe25519.fe25519_add(&t, &q->x, &q->y);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	229 fe25519.fe25519_mul(&b, &b, &t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	230 fe25519.fe25519_mul(&c, &p->t, &q->t); //C = T1kT2
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	231 fe25519.fe25519_mul(&c, &c, &fd);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	232 fe25519.fe25519_add(&c, &c, &c); //XXX: Can save this addition by precomputing 2*ecd
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	233 fe25519.fe25519_mul(&d, &p->z, &q->z); //D = Z12Z2
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	234 fe25519.fe25519_add(&d, &d, &d);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	235 fe25519.fe25519_sub(&r->x, &b, &a); // E = B-A
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	236 fe25519.fe25519_sub(&r->t, &d, &c); // F = D-C
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	237 fe25519.fe25519_add(&r->z, &d, &c); // G = D+C
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	238 fe25519.fe25519_add(&r->y, &b, &a); // H = B+A
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	239 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	240
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	241 /* ********************************************************************
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	242 * EXPORTED FUNCTIONS
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	243 ******************************************************************** */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	244
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	245 /* return 0 on success, -1 otherwise */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	246 public unsafe static Boolean ge25519_unpack_vartime(ge25519* r, Byte* p) { //const unsigned char p[32]
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	247 Boolean ret;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	248 fe25519 t, fd;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	249 fe25519.fe25519_setone(&r->z);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	250 fixed (Byte* ecdp = ecd) fe25519.fe25519_unpack(&fd, ecdp);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	251 Byte par = (Byte)(p[31] >> 7);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	252 fe25519.fe25519_unpack(&r->y, p);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	253 fe25519.fe25519_square(&r->x, &r->y);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	254 fe25519.fe25519_mul(&t, &r->x, &fd);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	255 fe25519.fe25519_sub(&r->x, &r->x, &r->z);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	256 fe25519.fe25519_add(&t, &r->z, &t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	257 fe25519.fe25519_invert(&t, &t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	258 fe25519.fe25519_mul(&r->x, &r->x, &t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	259 ret = fe25519.fe25519_sqrt_vartime(&r->x, &r->x, par);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	260 fe25519.fe25519_mul(&r->t, &r->x, &r->y);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	261 return ret;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	262 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	263
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	264 public static unsafe void ge25519_pack(Byte* r, ge25519* p) { //unsigned char r[32]
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	265 fe25519 tx, ty, zi;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	266 fe25519.fe25519_invert(&zi, &p->z);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	267 fe25519.fe25519_mul(&tx, &p->x, &zi);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	268 fe25519.fe25519_mul(&ty, &p->y, &zi);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	269 fe25519.fe25519_pack(r, &ty);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	270 r[31] ^= (Byte)(fe25519.fe25519_getparity(&tx) << 7);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	271 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	272
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	273 public static unsafe void ge25519_add(ge25519* r, ge25519* p, ge25519* q) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	274 ge25519_p1p1 grp1p1;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	275 add_p1p1(&grp1p1, p, q);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	276 p1p1_to_p3(r, &grp1p1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	277 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	278
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	279 public static unsafe void ge25519_double(ge25519* r, ge25519* p) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	280 ge25519_p1p1 grp1p1;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	281 dbl_p1p1(&grp1p1, (ge25519_p2*)p);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	282 p1p1_to_p3(r, &grp1p1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	283 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	284
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	285 public static unsafe void ge25519_scalarmult(ge25519* r, ge25519* p, sc25519* s) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	286 int i, j, k;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	287 ge25519 g;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	288 fixed (Byte* ge25519_neutral_xp = ge25519_neutral_x) fe25519.fe25519_unpack(&g.x, ge25519_neutral_xp);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	289 fixed (Byte* ge25519_neutral_yp = ge25519_neutral_y) fe25519.fe25519_unpack(&g.y, ge25519_neutral_yp);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	290 fixed (Byte* ge25519_neutral_zp = ge25519_neutral_z) fe25519.fe25519_unpack(&g.z, ge25519_neutral_zp);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	291 fixed (Byte* ge25519_neutral_tp = ge25519_neutral_t) fe25519.fe25519_unpack(&g.t, ge25519_neutral_tp);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	292
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	293 ge25519[] pre = new ge25519[(1 << WINDOWSIZE)];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	294 ge25519 t;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	295 ge25519_p1p1 tp1p1;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	296 Byte w;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	297 Byte* sb = stackalloc Byte[32];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	298 sc25519.sc25519_to32bytes(sb, s);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	299
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	300 // Precomputation
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	301 pre[0] = g;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	302 pre[1] = *p;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	303 for (i = 2; i < (1 << WINDOWSIZE); i += 2) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	304 fixed (ge25519* prep = pre) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	305 dbl_p1p1(&tp1p1, (ge25519_p2*)(prep + i / 2));
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	306 p1p1_to_p3(prep + i, &tp1p1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	307 add_p1p1(&tp1p1, prep + i, prep + 1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	308 p1p1_to_p3(prep + i + 1, &tp1p1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	309 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	310 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	311
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	312 // Fixed-window scalar multiplication
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	313 for (i = 32; i > 0; i--) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	314 for (j = 8 - WINDOWSIZE; j >= 0; j -= WINDOWSIZE) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	315 for (k = 0; k < WINDOWSIZE - 1; k++) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	316 dbl_p1p1(&tp1p1, (ge25519_p2*)&g);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	317 p1p1_to_p2((ge25519_p2*)&g, &tp1p1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	318 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	319 dbl_p1p1(&tp1p1, (ge25519_p2*)&g);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	320 p1p1_to_p3(&g, &tp1p1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	321 // Cache-timing resistant loading of precomputed value:
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	322 w = (Byte)((sb[i - 1] >> j) & WINDOWMASK);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	323 t = pre[0];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	324 for (k = 1; k < (1 << WINDOWSIZE); k++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	325 fixed (ge25519* prekp = &pre[k]) cmov_p3(&t, prekp, (k == w) ? (Byte)1 : (Byte)0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	326
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	327 add_p1p1(&tp1p1, &g, &t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	328 if (j != 0) p1p1_to_p2((ge25519_p2*)&g, &tp1p1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	329 else p1p1_to_p3(&g, &tp1p1); /* convert to p3 representation at the end */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	330 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	331 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	332 r->x = g.x;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	333 r->y = g.y;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	334 r->z = g.z;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	335 r->t = g.t;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	336 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	337
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	338 public unsafe static void ge25519_scalarmult_base(ge25519* r, sc25519* s) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	339 /* XXX: Better algorithm for known-base-point scalar multiplication */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	340 ge25519 t;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	341 fixed (Byte* ge25519_base_xp = ge25519_base_x) fe25519.fe25519_unpack(&t.x, ge25519_base_xp);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	342 fixed (Byte* ge25519_base_yp = ge25519_base_y) fe25519.fe25519_unpack(&t.y, ge25519_base_yp);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	343 fixed (Byte* ge25519_base_zp = ge25519_base_z) fe25519.fe25519_unpack(&t.z, ge25519_base_zp);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	344 fixed (Byte* ge25519_base_tp = ge25519_base_t) fe25519.fe25519_unpack(&t.t, ge25519_base_tp);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	345 ge25519_scalarmult(r, &t, s);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	346 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	347 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	348 unsafe struct fe25519 {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	349 public fixed UInt32 v[32]; // crypto_uint32 v[32];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	350
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	351 const int WINDOWSIZE = 4; //#define WINDOWSIZE 4 /* Should be 1,2, or 4 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	352 const int WINDOWMASK = ((1 << WINDOWSIZE) - 1); //#define WINDOWMASK ((1<<WINDOWSIZE)-1)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	353
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	354 static unsafe void reduce_add_sub(fe25519* r) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	355 for (int rep = 0; rep < 4; rep++) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	356 UInt32 t = r->v[31] >> 7;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	357 r->v[31] &= 127;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	358 t *= 19;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	359 r->v[0] += t;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	360 for (int i = 0; i < 31; i++) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	361 t = r->v[i] >> 8;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	362 r->v[i + 1] += t;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	363 r->v[i] &= 255;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	364 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	365 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	366 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	367
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	368 unsafe static void reduce_mul(fe25519* r) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	369 for (int rep = 0; rep < 2; rep++) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	370 UInt32 t = r->v[31] >> 7;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	371 r->v[31] &= 127;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	372 t *= 19;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	373 r->v[0] += t;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	374 for (int i = 0; i < 31; i++) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	375 t = r->v[i] >> 8;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	376 r->v[i + 1] += t;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	377 r->v[i] &= 255;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	378 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	379 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	380 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	381
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	382 /* reduction modulo 2^255-19 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	383 unsafe static void freeze(fe25519* r) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	384 UInt32 m = (r->v[31] == 127) ? 1u : 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	385 for (int i = 30; i > 1; i--)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	386 m *= (r->v[i] == 255) ? 1u : 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	387 m *= (r->v[0] >= 237) ? 1u : 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	388
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	389 r->v[31] -= m * 127;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	390 for (int i = 30; i > 0; i--)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	391 r->v[i] -= m * 255;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	392 r->v[0] -= m * 237;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	393 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	394
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	395 /freeze input before calling isone/
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	396 unsafe static Boolean isone(fe25519* x) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	397 bool r = x->v[0] == 1;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	398 for (int i = 1; i < 32; i++) r &= (x->v[i] == 0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	399 return r;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	400 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	401
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	402 /freeze input before calling iszero/
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	403 unsafe static Boolean iszero(fe25519* x) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	404 bool r = (x->v[0] == 0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	405 for (int i = 1; i < 32; i++) r &= (x->v[i] == 0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	406 return r;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	407 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	408
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	409
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	410 unsafe static Boolean issquare(fe25519* x) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	411 Byte[] e = new Byte[32] { 0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f }; /* (p-1)/2 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	412 fe25519 t;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	413
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	414 fixed (Byte* ep = e) fe25519_pow(&t, x, ep);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	415 freeze(&t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	416 return isone(&t) \|\| iszero(&t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	417 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	418
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	419 public static unsafe void fe25519_unpack(fe25519* r, Byte* x) { //const unsigned char x[32]
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	420 for (int i = 0; i < 32; i++) r->v[i] = x[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	421 r->v[31] &= 127;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	422 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	423
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	424 /* Assumes input x being reduced mod 2^255 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	425 public static unsafe void fe25519_pack(Byte* r, fe25519* x) { //unsigned char r[32]
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	426 for (int i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	427 r[i] = (byte)x->v[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	428
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	429 /* freeze byte array */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	430 UInt32 m = (r[31] == 127) ? 1u : 0; /* XXX: some compilers might use branches; fix */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	431 for (int i = 30; i > 1; i--)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	432 m *= (r[i] == 255) ? 1u : 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	433 m *= (r[0] >= 237) ? 1u : 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	434 r[31] -= (byte)(m * 127);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	435 for (int i = 30; i > 0; i--)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	436 r[i] -= (byte)(m * 255);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	437 r[0] -= (byte)(m * 237);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	438 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	439
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	440 public static unsafe void fe25519_cmov(fe25519* r, fe25519* x, Byte b) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	441 Byte nb = (Byte)(1 - b);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	442 for (int i = 0; i < 32; i++) r->v[i] = nb * r->v[i] + b * x->v[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	443 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	444
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	445 public static unsafe Byte fe25519_getparity(fe25519* x) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	446 fe25519 t = new fe25519();
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	447 for (int i = 0; i < 32; i++) t.v[i] = x->v[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	448 freeze(&t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	449 return (Byte)(t.v[0] & 1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	450 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	451
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	452 public static unsafe void fe25519_setone(fe25519* r) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	453 r->v[0] = 1;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	454 for (int i = 1; i < 32; i++) r->v[i] = 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	455 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	456
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	457 static unsafe void fe25519_setzero(fe25519* r) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	458 for (int i = 0; i < 32; i++) r->v[i] = 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	459 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	460
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	461 public static unsafe void fe25519_neg(fe25519* r, fe25519* x) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	462 fe25519 t = new fe25519();
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	463 for (int i = 0; i < 32; i++) t.v[i] = x->v[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	464 fe25519_setzero(r);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	465 fe25519_sub(r, r, &t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	466 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	467
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	468 public static unsafe void fe25519_add(fe25519* r, fe25519* x, fe25519* y) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	469 for (int i = 0; i < 32; i++) r->v[i] = x->v[i] + y->v[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	470 reduce_add_sub(r);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	471 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	472
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	473 public static unsafe void fe25519_sub(fe25519* r, fe25519* x, fe25519* y) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	474 UInt32* t = stackalloc UInt32[32];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	475 t[0] = x->v[0] + 0x1da;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	476 t[31] = x->v[31] + 0xfe;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	477 for (int i = 1; i < 31; i++) t[i] = x->v[i] + 0x1fe;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	478 for (int i = 0; i < 32; i++) r->v[i] = t[i] - y->v[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	479 reduce_add_sub(r);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	480 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	481
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	482 public static unsafe void fe25519_mul(fe25519* r, fe25519* x, fe25519* y) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	483 UInt32* t = stackalloc UInt32[63];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	484 for (int i = 0; i < 63; i++) t[i] = 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	485 for (int i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	486 for (int j = 0; j < 32; j++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	487 t[i + j] += x->v[i] * y->v[j];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	488
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	489 for (int i = 32; i < 63; i++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	490 r->v[i - 32] = t[i - 32] + 38 * t[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	491 r->v[31] = t[31]; /* result now in r[0]...r[31] */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	492
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	493 reduce_mul(r);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	494 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	495
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	496 public static unsafe void fe25519_square(fe25519* r, fe25519* x) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	497 fe25519_mul(r, x, x);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	498 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	499
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	500 /XXX: Make constant time! /
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	501 public static unsafe void fe25519_pow(fe25519* r, fe25519* x, Byte* e) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	502 /*
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	503 fe25519 g;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	504 fe25519_setone(&g);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	505 int i;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	506 unsigned char j;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	507 for(i=32;i>0;i--)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	508 {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	509 for(j=128;j>0;j>>=1)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	510 {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	511 fe25519_square(&g,&g);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	512 if(e[i-1] & j)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	513 fe25519_mul(&g,&g,x);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	514 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	515 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	516 for(i=0;i<32;i++) r->v[i] = g.v[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	517 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	518 fe25519 g;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	519 fe25519_setone(&g);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	520 fe25519[] pre = new fe25519[(1 << WINDOWSIZE)];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	521 fe25519 t;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	522 Byte w;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	523
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	524 // Precomputation
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	525 fixed (fe25519* prep = pre) fe25519_setone(prep);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	526 pre[1] = *x;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	527 for (int i = 2; i < (1 << WINDOWSIZE); i += 2) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	528 fixed (fe25519* prep = pre) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	529 fe25519_square(prep + i, prep + i / 2);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	530 fe25519_mul(prep + i + 1, prep + i, prep + 1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	531 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	532 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	533
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	534 // Fixed-window scalar multiplication
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	535 for (int i = 32; i > 0; i--) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	536 for (int j = 8 - WINDOWSIZE; j >= 0; j -= WINDOWSIZE) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	537 for (int k = 0; k < WINDOWSIZE; k++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	538 fe25519_square(&g, &g);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	539 // Cache-timing resistant loading of precomputed value:
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	540 w = (Byte)((e[i - 1] >> j) & WINDOWMASK);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	541 t = pre[0];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	542 for (int k = 1; k < (1 << WINDOWSIZE); k++) fixed (fe25519* prekp = &pre[k]) fe25519_cmov(&t, prekp, (k == w) ? (Byte)1 : (Byte)0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	543 fe25519_mul(&g, &g, &t);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	544 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	545 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	546 *r = g;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	547 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	548
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	549 /* Return 0 on success, 1 otherwise */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	550 public static unsafe Boolean fe25519_sqrt_vartime(fe25519* r, fe25519* x, Byte parity) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	551 /* See HAC, Alg. 3.37 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	552 if (!issquare(x)) return true;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	553 Byte[] e = new Byte[32] { 0xfb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f }; /* (p-1)/4 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	554 Byte[] e2 = new Byte[32] { 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f }; /* (p+3)/8 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	555 Byte[] e3 = new Byte[32] { 0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f }; /* (p-5)/8 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	556 fe25519 p = new fe25519(); // { { 0 } };
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	557 fe25519 d;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	558 fixed (Byte* ep = e) fe25519.fe25519_pow(&d, x, ep);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	559 freeze(&d);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	560 if (isone(&d))
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	561 fixed (Byte* e2p = e2) fe25519.fe25519_pow(r, x, e2p);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	562 else {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	563 for (int i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	564 d.v[i] = 4 * x->v[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	565 fixed (Byte* e3p = e3) fe25519.fe25519_pow(&d, &d, e3p);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	566 for (int i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	567 r->v[i] = 2 * x->v[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	568 fe25519_mul(r, r, &d);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	569 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	570 freeze(r);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	571 if ((r->v[0] & 1) != (parity & 1)) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	572 fe25519_sub(r, &p, r);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	573 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	574 return false;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	575 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	576
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	577 public static unsafe void fe25519_invert(fe25519* r, fe25519* x) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	578 fe25519 z2;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	579 fe25519 z9;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	580 fe25519 z11;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	581 fe25519 z2_5_0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	582 fe25519 z2_10_0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	583 fe25519 z2_20_0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	584 fe25519 z2_50_0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	585 fe25519 z2_100_0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	586 fe25519 t0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	587 fe25519 t1;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	588
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	589 /* 2 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	590 fe25519_square(&z2, x);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	591 /* 4 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	592 fe25519_square(&t1, &z2);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	593 /* 8 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	594 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	595 /* 9 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	596 fe25519_mul(&z9, &t0, x);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	597 /* 11 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	598 fe25519_mul(&z11, &z9, &z2);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	599 /* 22 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	600 fe25519_square(&t0, &z11);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	601 /* 2^5 - 2^0 = 31 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	602 fe25519_mul(&z2_5_0, &t0, &z9);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	603
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	604 /* 2^6 - 2^1 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	605 fe25519_square(&t0, &z2_5_0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	606 /* 2^7 - 2^2 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	607 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	608 /* 2^8 - 2^3 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	609 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	610 /* 2^9 - 2^4 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	611 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	612 /* 2^10 - 2^5 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	613 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	614 /* 2^10 - 2^0 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	615 fe25519_mul(&z2_10_0, &t0, &z2_5_0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	616
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	617 /* 2^11 - 2^1 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	618 fe25519_square(&t0, &z2_10_0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	619 /* 2^12 - 2^2 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	620 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	621 /* 2^20 - 2^10 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	622 for (int i = 2; i < 10; i += 2) { fe25519_square(&t0, &t1); fe25519_square(&t1, &t0); }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	623 /* 2^20 - 2^0 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	624 fe25519_mul(&z2_20_0, &t1, &z2_10_0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	625
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	626 /* 2^21 - 2^1 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	627 fe25519_square(&t0, &z2_20_0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	628 /* 2^22 - 2^2 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	629 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	630 /* 2^40 - 2^20 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	631 for (int i = 2; i < 20; i += 2) { fe25519_square(&t0, &t1); fe25519_square(&t1, &t0); }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	632 /* 2^40 - 2^0 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	633 fe25519_mul(&t0, &t1, &z2_20_0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	634
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	635 /* 2^41 - 2^1 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	636 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	637 /* 2^42 - 2^2 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	638 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	639 /* 2^50 - 2^10 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	640 for (int i = 2; i < 10; i += 2) { fe25519_square(&t1, &t0); fe25519_square(&t0, &t1); }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	641 /* 2^50 - 2^0 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	642 fe25519_mul(&z2_50_0, &t0, &z2_10_0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	643
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	644 /* 2^51 - 2^1 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	645 fe25519_square(&t0, &z2_50_0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	646 /* 2^52 - 2^2 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	647 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	648 /* 2^100 - 2^50 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	649 for (int i = 2; i < 50; i += 2) { fe25519_square(&t0, &t1); fe25519_square(&t1, &t0); }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	650 /* 2^100 - 2^0 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	651 fe25519_mul(&z2_100_0, &t1, &z2_50_0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	652
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	653 /* 2^101 - 2^1 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	654 fe25519_square(&t1, &z2_100_0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	655 /* 2^102 - 2^2 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	656 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	657 /* 2^200 - 2^100 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	658 for (int i = 2; i < 100; i += 2) { fe25519_square(&t1, &t0); fe25519_square(&t0, &t1); }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	659 /* 2^200 - 2^0 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	660 fe25519_mul(&t1, &t0, &z2_100_0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	661
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	662 /* 2^201 - 2^1 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	663 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	664 /* 2^202 - 2^2 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	665 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	666 /* 2^250 - 2^50 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	667 for (int i = 2; i < 50; i += 2) { fe25519_square(&t0, &t1); fe25519_square(&t1, &t0); }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	668 /* 2^250 - 2^0 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	669 fe25519_mul(&t0, &t1, &z2_50_0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	670
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	671 /* 2^251 - 2^1 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	672 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	673 /* 2^252 - 2^2 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	674 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	675 /* 2^253 - 2^3 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	676 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	677 /* 2^254 - 2^4 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	678 fe25519_square(&t0, &t1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	679 /* 2^255 - 2^5 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	680 fe25519_square(&t1, &t0);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	681 /* 2^255 - 21 */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	682 fe25519_mul(r, &t1, &z11);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	683 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	684 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	685
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	686 public static unsafe void crypto_sign_keypair(out Byte[] pk, out Byte[] sk) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	687 sc25519 scsk;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	688 ge25519 gepk;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	689
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	690 sk = new Byte[SECRETKEYBYTES];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	691 pk = new Byte[PUBLICKEYBYTES];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	692 randombytes.generate(sk);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	693 fixed (Byte* skp = sk) crypto_hash.sha512.crypto_hash(skp, skp, 32);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	694 sk[0] &= 248;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	695 sk[31] &= 127;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	696 sk[31] \|= 64;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	697
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	698 fixed (Byte* skp = sk) sc25519.sc25519_from32bytes(&scsk, skp);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	699
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	700 ge25519.ge25519_scalarmult_base(&gepk, &scsk);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	701 fixed (Byte* pkp = pk) ge25519.ge25519_pack(pkp, &gepk);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	702 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	703
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	704 public static unsafe Byte[] crypto_sign(Byte[] m, Byte[] sk) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	705 if (sk.Length != SECRETKEYBYTES) throw new ArgumentException("sk.Length != SECRETKEYBYTES");
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	706 Byte[] sm = new Byte[m.Length + 64];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	707 UInt64 smlen;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	708 fixed (Byte* smp = sm, mp = m, skp = sk) crypto_sign(smp, out smlen, mp, (ulong)m.Length, skp);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	709 return sm;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	710 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	711 public static unsafe void crypto_sign(Byte* sm, out UInt64 smlen, Byte* m, UInt64 mlen, Byte* sk) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	712 sc25519 sck, scs, scsk;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	713 ge25519 ger;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	714 Byte* r = stackalloc Byte[32];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	715 Byte* s = stackalloc Byte[32];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	716 Byte* hmg = stackalloc Byte[crypto_hash.sha512.BYTES];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	717 Byte* hmr = stackalloc Byte[crypto_hash.sha512.BYTES];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	718
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	719 smlen = mlen + 64;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	720 for (UInt64 i = 0; i < mlen; i++) sm[32 + i] = m[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	721 for (int i = 0; i < 32; i++) sm[i] = sk[32 + i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	722 crypto_hash.sha512.crypto_hash(hmg, sm, mlen + 32); /* Generate k as h(m,sk[32],...,sk[63]) */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	723
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	724 sc25519.sc25519_from64bytes(&sck, hmg);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	725 ge25519.ge25519_scalarmult_base(&ger, &sck);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	726 ge25519.ge25519_pack(r, &ger);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	727
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	728 for (int i = 0; i < 32; i++) sm[i] = r[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	729
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	730 crypto_hash.sha512.crypto_hash(hmr, sm, mlen + 32); /* Compute h(m,r) */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	731 sc25519.sc25519_from64bytes(&scs, hmr);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	732 sc25519.sc25519_mul(&scs, &scs, &sck);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	733
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	734 sc25519.sc25519_from32bytes(&scsk, sk);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	735 sc25519.sc25519_add(&scs, &scs, &scsk);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	736
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	737 sc25519.sc25519_to32bytes(s, &scs); /* cat s */
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	738 for (UInt64 i = 0; i < 32; i++)
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	739 sm[mlen + 32 + i] = s[i];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	740 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	741
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	742 public static unsafe Byte[] crypto_sign_open(Byte[] sm, Byte[] pk) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	743 if (pk.Length != PUBLICKEYBYTES) throw new ArgumentException("pk.Length != PUBLICKEYBYTES");
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	744 Byte[] m = new Byte[sm.Length - 64];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	745 UInt64 mlen;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	746 fixed (Byte* smp = sm, mp = m, pkp = pk) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	747 if (crypto_sign_open(mp, out mlen, smp, (ulong)sm.Length, pkp) != 0) return null;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	748 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	749 return m;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	750 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	751 public static unsafe int crypto_sign_open(Byte* m, out UInt64 mlen, Byte* sm, UInt64 smlen, Byte* pk) {
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	752 mlen = 0;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	753 if (smlen < 64) return -1;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	754
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	755 Byte* t1 = stackalloc Byte[32], t2 = stackalloc Byte[32];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	756 ge25519 get1, get2, gepk;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	757 sc25519 schmr, scs;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	758 Byte* hmr = stackalloc Byte[crypto_hash.sha512.BYTES];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	759
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	760 if (ge25519.ge25519_unpack_vartime(&get1, sm)) return -1;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	761 if (ge25519.ge25519_unpack_vartime(&gepk, pk)) return -1;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	762
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	763 crypto_hash.sha512.crypto_hash(hmr, sm, smlen - 32);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	764
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	765 sc25519.sc25519_from64bytes(&schmr, hmr);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	766 ge25519.ge25519_scalarmult(&get1, &get1, &schmr);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	767 ge25519.ge25519_add(&get1, &get1, &gepk);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	768 ge25519.ge25519_pack(t1, &get1);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	769
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	770 sc25519.sc25519_from32bytes(&scs, &sm[smlen - 32]);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	771 ge25519.ge25519_scalarmult_base(&get2, &scs);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	772 ge25519.ge25519_pack(t2, &get2);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	773
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	774 if (m != null) for (UInt64 i = 0; i < smlen - 64; i++) m[i] = sm[i + 32];
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	775 mlen = smlen - 64;
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	776
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	777 return crypto_verify._32.crypto_verify(t1, t2);
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	778 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	779 }
c873e3dd73fe Added NaCl cryptography code Ivo Smits <Ivo@UCIS.nl> parents: diff changeset	780 }

Mercurial > hg > ucis.core

annotate NaCl/crypto_sign/edwards25519sha512batch.cs @ 68:e811297f5aa4