summaryrefslogtreecommitdiff
path: root/nacl/crypto_sign/edwards25519sha512batch/ref/sign.c
diff options
context:
space:
mode:
Diffstat (limited to 'nacl/crypto_sign/edwards25519sha512batch/ref/sign.c')
-rw-r--r--nacl/crypto_sign/edwards25519sha512batch/ref/sign.c103
1 files changed, 103 insertions, 0 deletions
diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/sign.c b/nacl/crypto_sign/edwards25519sha512batch/ref/sign.c
new file mode 100644
index 00000000..f40e548b
--- /dev/null
+++ b/nacl/crypto_sign/edwards25519sha512batch/ref/sign.c
@@ -0,0 +1,103 @@
1#include "api.h"
2#include "crypto_sign.h"
3#include "crypto_hash_sha512.h"
4#include "randombytes.h"
5#include "crypto_verify_32.h"
6
7#include "ge25519.h"
8
9int crypto_sign_keypair(
10 unsigned char *pk,
11 unsigned char *sk
12 )
13{
14 sc25519 scsk;
15 ge25519 gepk;
16
17 randombytes(sk, 32);
18 crypto_hash_sha512(sk, sk, 32);
19 sk[0] &= 248;
20 sk[31] &= 127;
21 sk[31] |= 64;
22
23 sc25519_from32bytes(&scsk,sk);
24
25 ge25519_scalarmult_base(&gepk, &scsk);
26 ge25519_pack(pk, &gepk);
27 return 0;
28}
29
30int crypto_sign(
31 unsigned char *sm,unsigned long long *smlen,
32 const unsigned char *m,unsigned long long mlen,
33 const unsigned char *sk
34 )
35{
36 sc25519 sck, scs, scsk;
37 ge25519 ger;
38 unsigned char r[32];
39 unsigned char s[32];
40 unsigned long long i;
41 unsigned char hmg[crypto_hash_sha512_BYTES];
42 unsigned char hmr[crypto_hash_sha512_BYTES];
43
44 *smlen = mlen+64;
45 for(i=0;i<mlen;i++)
46 sm[32 + i] = m[i];
47 for(i=0;i<32;i++)
48 sm[i] = sk[32+i];
49 crypto_hash_sha512(hmg, sm, mlen+32); /* Generate k as h(m,sk[32],...,sk[63]) */
50
51 sc25519_from64bytes(&sck, hmg);
52 ge25519_scalarmult_base(&ger, &sck);
53 ge25519_pack(r, &ger);
54
55 for(i=0;i<32;i++)
56 sm[i] = r[i];
57
58 crypto_hash_sha512(hmr, sm, mlen+32); /* Compute h(m,r) */
59 sc25519_from64bytes(&scs, hmr);
60 sc25519_mul(&scs, &scs, &sck);
61
62 sc25519_from32bytes(&scsk, sk);
63 sc25519_add(&scs, &scs, &scsk);
64
65 sc25519_to32bytes(s,&scs); /* cat s */
66 for(i=0;i<32;i++)
67 sm[mlen+32+i] = s[i];
68
69 return 0;
70}
71
72int crypto_sign_open(
73 unsigned char *m,unsigned long long *mlen,
74 const unsigned char *sm,unsigned long long smlen,
75 const unsigned char *pk
76 )
77{
78 int i;
79 unsigned char t1[32], t2[32];
80 ge25519 get1, get2, gepk;
81 sc25519 schmr, scs;
82 unsigned char hmr[crypto_hash_sha512_BYTES];
83
84 if (ge25519_unpack_vartime(&get1, sm)) return -1;
85 if (ge25519_unpack_vartime(&gepk, pk)) return -1;
86
87 crypto_hash_sha512(hmr,sm,smlen-32);
88
89 sc25519_from64bytes(&schmr, hmr);
90 ge25519_scalarmult(&get1, &get1, &schmr);
91 ge25519_add(&get1, &get1, &gepk);
92 ge25519_pack(t1, &get1);
93
94 sc25519_from32bytes(&scs, &sm[smlen-32]);
95 ge25519_scalarmult_base(&get2, &scs);
96 ge25519_pack(t2, &get2);
97
98 for(i=0;i<smlen-64;i++)
99 m[i] = sm[i + 32];
100 *mlen = smlen-64;
101
102 return crypto_verify_32(t1, t2);
103}