From e2967396ac73cb7410787886cdaf072a184ffc49 Mon Sep 17 00:00:00 2001 From: irungentoo Date: Tue, 2 Jul 2013 09:53:34 -0400 Subject: Added NaCl crypto library. --- nacl/crypto_sign/edwards25519sha512batch/ref/api.h | 3 + .../edwards25519sha512batch/ref/fe25519.c | 345 +++++++++++++++++++++ .../edwards25519sha512batch/ref/fe25519.h | 54 ++++ .../edwards25519sha512batch/ref/ge25519.c | 227 ++++++++++++++ .../edwards25519sha512batch/ref/ge25519.h | 34 ++ .../edwards25519sha512batch/ref/sc25519.c | 146 +++++++++ .../edwards25519sha512batch/ref/sc25519.h | 51 +++ .../crypto_sign/edwards25519sha512batch/ref/sign.c | 103 ++++++ nacl/crypto_sign/edwards25519sha512batch/selected | 0 nacl/crypto_sign/edwards25519sha512batch/used | 0 nacl/crypto_sign/measure.c | 83 +++++ nacl/crypto_sign/try.c | 86 +++++ nacl/crypto_sign/wrapper-keypair.cpp | 12 + nacl/crypto_sign/wrapper-sign-open.cpp | 24 ++ nacl/crypto_sign/wrapper-sign.cpp | 23 ++ 15 files changed, 1191 insertions(+) create mode 100644 nacl/crypto_sign/edwards25519sha512batch/ref/api.h create mode 100644 nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.c create mode 100644 nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.h create mode 100644 nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.c create mode 100644 nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.h create mode 100644 nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.c create mode 100644 nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.h create mode 100644 nacl/crypto_sign/edwards25519sha512batch/ref/sign.c create mode 100644 nacl/crypto_sign/edwards25519sha512batch/selected create mode 100644 nacl/crypto_sign/edwards25519sha512batch/used create mode 100644 nacl/crypto_sign/measure.c create mode 100644 nacl/crypto_sign/try.c create mode 100644 nacl/crypto_sign/wrapper-keypair.cpp create mode 100644 nacl/crypto_sign/wrapper-sign-open.cpp create mode 100644 nacl/crypto_sign/wrapper-sign.cpp (limited to 'nacl/crypto_sign') diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/api.h b/nacl/crypto_sign/edwards25519sha512batch/ref/api.h new file mode 100644 index 00000000..352240c0 --- /dev/null +++ b/nacl/crypto_sign/edwards25519sha512batch/ref/api.h @@ -0,0 +1,3 @@ +#define CRYPTO_SECRETKEYBYTES 64 +#define CRYPTO_PUBLICKEYBYTES 32 +#define CRYPTO_BYTES 64 diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.c b/nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.c new file mode 100644 index 00000000..a9f806d2 --- /dev/null +++ b/nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.c @@ -0,0 +1,345 @@ +#include "fe25519.h" + +#define WINDOWSIZE 4 /* Should be 1,2, or 4 */ +#define WINDOWMASK ((1<v[31] >> 7; + r->v[31] &= 127; + t *= 19; + r->v[0] += t; + for(i=0;i<31;i++) + { + t = r->v[i] >> 8; + r->v[i+1] += t; + r->v[i] &= 255; + } + } +} + +static void reduce_mul(fe25519 *r) +{ + crypto_uint32 t; + int i,rep; + + for(rep=0;rep<2;rep++) + { + t = r->v[31] >> 7; + r->v[31] &= 127; + t *= 19; + r->v[0] += t; + for(i=0;i<31;i++) + { + t = r->v[i] >> 8; + r->v[i+1] += t; + r->v[i] &= 255; + } + } +} + +/* reduction modulo 2^255-19 */ +static void freeze(fe25519 *r) +{ + int i; + unsigned int m = (r->v[31] == 127); + for(i=30;i>1;i--) + m *= (r->v[i] == 255); + m *= (r->v[0] >= 237); + + r->v[31] -= m*127; + for(i=30;i>0;i--) + r->v[i] -= m*255; + r->v[0] -= m*237; +} + +/*freeze input before calling isone*/ +static int isone(const fe25519 *x) +{ + int i; + int r = (x->v[0] == 1); + for(i=1;i<32;i++) + r *= (x->v[i] == 0); + return r; +} + +/*freeze input before calling iszero*/ +static int iszero(const fe25519 *x) +{ + int i; + int r = (x->v[0] == 0); + for(i=1;i<32;i++) + r *= (x->v[i] == 0); + return r; +} + + +static int issquare(const fe25519 *x) +{ + unsigned char e[32] = {0xf6,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x3f}; /* (p-1)/2 */ + fe25519 t; + + fe25519_pow(&t,x,e); + freeze(&t); + return isone(&t) || iszero(&t); +} + +void fe25519_unpack(fe25519 *r, const unsigned char x[32]) +{ + int i; + for(i=0;i<32;i++) r->v[i] = x[i]; + r->v[31] &= 127; +} + +/* Assumes input x being reduced mod 2^255 */ +void fe25519_pack(unsigned char r[32], const fe25519 *x) +{ + int i; + for(i=0;i<32;i++) + r[i] = x->v[i]; + + /* freeze byte array */ + unsigned int m = (r[31] == 127); /* XXX: some compilers might use branches; fix */ + for(i=30;i>1;i--) + m *= (r[i] == 255); + m *= (r[0] >= 237); + r[31] -= m*127; + for(i=30;i>0;i--) + r[i] -= m*255; + r[0] -= m*237; +} + +void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b) +{ + unsigned char nb = 1-b; + int i; + for(i=0;i<32;i++) r->v[i] = nb * r->v[i] + b * x->v[i]; +} + +unsigned char fe25519_getparity(const fe25519 *x) +{ + fe25519 t; + int i; + for(i=0;i<32;i++) t.v[i] = x->v[i]; + freeze(&t); + return t.v[0] & 1; +} + +void fe25519_setone(fe25519 *r) +{ + int i; + r->v[0] = 1; + for(i=1;i<32;i++) r->v[i]=0; +} + +void fe25519_setzero(fe25519 *r) +{ + int i; + for(i=0;i<32;i++) r->v[i]=0; +} + +void fe25519_neg(fe25519 *r, const fe25519 *x) +{ + fe25519 t; + int i; + for(i=0;i<32;i++) t.v[i]=x->v[i]; + fe25519_setzero(r); + fe25519_sub(r, r, &t); +} + +void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y) +{ + int i; + for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i]; + reduce_add_sub(r); +} + +void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y) +{ + int i; + crypto_uint32 t[32]; + t[0] = x->v[0] + 0x1da; + t[31] = x->v[31] + 0xfe; + for(i=1;i<31;i++) t[i] = x->v[i] + 0x1fe; + for(i=0;i<32;i++) r->v[i] = t[i] - y->v[i]; + reduce_add_sub(r); +} + +void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y) +{ + int i,j; + crypto_uint32 t[63]; + for(i=0;i<63;i++)t[i] = 0; + + for(i=0;i<32;i++) + for(j=0;j<32;j++) + t[i+j] += x->v[i] * y->v[j]; + + for(i=32;i<63;i++) + r->v[i-32] = t[i-32] + 38*t[i]; + r->v[31] = t[31]; /* result now in r[0]...r[31] */ + + reduce_mul(r); +} + +void fe25519_square(fe25519 *r, const fe25519 *x) +{ + fe25519_mul(r, x, x); +} + +/*XXX: Make constant time! */ +void fe25519_pow(fe25519 *r, const fe25519 *x, const unsigned char *e) +{ + /* + fe25519 g; + fe25519_setone(&g); + int i; + unsigned char j; + for(i=32;i>0;i--) + { + for(j=128;j>0;j>>=1) + { + fe25519_square(&g,&g); + if(e[i-1] & j) + fe25519_mul(&g,&g,x); + } + } + for(i=0;i<32;i++) r->v[i] = g.v[i]; + */ + fe25519 g; + fe25519_setone(&g); + int i,j,k; + fe25519 pre[(1 << WINDOWSIZE)]; + fe25519 t; + unsigned char w; + + // Precomputation + fe25519_setone(pre); + pre[1] = *x; + for(i=2;i<(1<0;i--) + { + for(j=8-WINDOWSIZE;j>=0;j-=WINDOWSIZE) + { + for(k=0;k>j) & WINDOWMASK; + t = pre[0]; + for(k=1;k<(1<v[i]; + fe25519_pow(&d,&d,e3); + for(i=0;i<32;i++) + r->v[i] = 2*x->v[i]; + fe25519_mul(r,r,&d); + } + freeze(r); + if((r->v[0] & 1) != (parity & 1)) + { + fe25519_sub(r,&p,r); + } + return 0; +} + +void fe25519_invert(fe25519 *r, const fe25519 *x) +{ + fe25519 z2; + fe25519 z9; + fe25519 z11; + fe25519 z2_5_0; + fe25519 z2_10_0; + fe25519 z2_20_0; + fe25519 z2_50_0; + fe25519 z2_100_0; + fe25519 t0; + fe25519 t1; + int i; + + /* 2 */ fe25519_square(&z2,x); + /* 4 */ fe25519_square(&t1,&z2); + /* 8 */ fe25519_square(&t0,&t1); + /* 9 */ fe25519_mul(&z9,&t0,x); + /* 11 */ fe25519_mul(&z11,&z9,&z2); + /* 22 */ fe25519_square(&t0,&z11); + /* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t0,&z9); + + /* 2^6 - 2^1 */ fe25519_square(&t0,&z2_5_0); + /* 2^7 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^8 - 2^3 */ fe25519_square(&t0,&t1); + /* 2^9 - 2^4 */ fe25519_square(&t1,&t0); + /* 2^10 - 2^5 */ fe25519_square(&t0,&t1); + /* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t0,&z2_5_0); + + /* 2^11 - 2^1 */ fe25519_square(&t0,&z2_10_0); + /* 2^12 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); } + /* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t1,&z2_10_0); + + /* 2^21 - 2^1 */ fe25519_square(&t0,&z2_20_0); + /* 2^22 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); } + /* 2^40 - 2^0 */ fe25519_mul(&t0,&t1,&z2_20_0); + + /* 2^41 - 2^1 */ fe25519_square(&t1,&t0); + /* 2^42 - 2^2 */ fe25519_square(&t0,&t1); + /* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); } + /* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t0,&z2_10_0); + + /* 2^51 - 2^1 */ fe25519_square(&t0,&z2_50_0); + /* 2^52 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); } + /* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t1,&z2_50_0); + + /* 2^101 - 2^1 */ fe25519_square(&t1,&z2_100_0); + /* 2^102 - 2^2 */ fe25519_square(&t0,&t1); + /* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { fe25519_square(&t1,&t0); fe25519_square(&t0,&t1); } + /* 2^200 - 2^0 */ fe25519_mul(&t1,&t0,&z2_100_0); + + /* 2^201 - 2^1 */ fe25519_square(&t0,&t1); + /* 2^202 - 2^2 */ fe25519_square(&t1,&t0); + /* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { fe25519_square(&t0,&t1); fe25519_square(&t1,&t0); } + /* 2^250 - 2^0 */ fe25519_mul(&t0,&t1,&z2_50_0); + + /* 2^251 - 2^1 */ fe25519_square(&t1,&t0); + /* 2^252 - 2^2 */ fe25519_square(&t0,&t1); + /* 2^253 - 2^3 */ fe25519_square(&t1,&t0); + /* 2^254 - 2^4 */ fe25519_square(&t0,&t1); + /* 2^255 - 2^5 */ fe25519_square(&t1,&t0); + /* 2^255 - 21 */ fe25519_mul(r,&t1,&z11); +} diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.h b/nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.h new file mode 100644 index 00000000..e07ddba7 --- /dev/null +++ b/nacl/crypto_sign/edwards25519sha512batch/ref/fe25519.h @@ -0,0 +1,54 @@ +#ifndef FE25519_H +#define FE25519_H + +#define fe25519 crypto_sign_edwards25519sha512batch_fe25519 +#define fe25519_unpack crypto_sign_edwards25519sha512batch_fe25519_unpack +#define fe25519_pack crypto_sign_edwards25519sha512batch_fe25519_pack +#define fe25519_cmov crypto_sign_edwards25519sha512batch_fe25519_cmov +#define fe25519_setone crypto_sign_edwards25519sha512batch_fe25519_setone +#define fe25519_setzero crypto_sign_edwards25519sha512batch_fe25519_setzero +#define fe25519_neg crypto_sign_edwards25519sha512batch_fe25519_neg +#define fe25519_getparity crypto_sign_edwards25519sha512batch_fe25519_getparity +#define fe25519_add crypto_sign_edwards25519sha512batch_fe25519_add +#define fe25519_sub crypto_sign_edwards25519sha512batch_fe25519_sub +#define fe25519_mul crypto_sign_edwards25519sha512batch_fe25519_mul +#define fe25519_square crypto_sign_edwards25519sha512batch_fe25519_square +#define fe25519_pow crypto_sign_edwards25519sha512batch_fe25519_pow +#define fe25519_sqrt_vartime crypto_sign_edwards25519sha512batch_fe25519_sqrt_vartime +#define fe25519_invert crypto_sign_edwards25519sha512batch_fe25519_invert + +#include "crypto_uint32.h" + +typedef struct { + crypto_uint32 v[32]; +} fe25519; + +void fe25519_unpack(fe25519 *r, const unsigned char x[32]); + +void fe25519_pack(unsigned char r[32], const fe25519 *x); + +void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b); + +void fe25519_setone(fe25519 *r); + +void fe25519_setzero(fe25519 *r); + +void fe25519_neg(fe25519 *r, const fe25519 *x); + +unsigned char fe25519_getparity(const fe25519 *x); + +void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y); + +void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y); + +void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y); + +void fe25519_square(fe25519 *r, const fe25519 *x); + +void fe25519_pow(fe25519 *r, const fe25519 *x, const unsigned char *e); + +int fe25519_sqrt_vartime(fe25519 *r, const fe25519 *x, unsigned char parity); + +void fe25519_invert(fe25519 *r, const fe25519 *x); + +#endif diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.c b/nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.c new file mode 100644 index 00000000..a57b8f3c --- /dev/null +++ b/nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.c @@ -0,0 +1,227 @@ +#include "fe25519.h" +#include "sc25519.h" +#include "ge25519.h" + +/* + * Arithmetic on the twisted Edwards curve -x^2 + y^2 = 1 + dx^2y^2 + * with d = -(121665/121666) = 37095705934669439343138083508754565189542113879843219016388785533085940283555 + * Base point: (15112221349535400772501151409588531511454012693041857206046113283949847762202,46316835694926478169428394003475163141307993866256225615783033603165251855960); + */ + +typedef struct +{ + fe25519 x; + fe25519 z; + fe25519 y; + fe25519 t; +} ge25519_p1p1; + +typedef struct +{ + fe25519 x; + fe25519 y; + fe25519 z; +} ge25519_p2; + +#define ge25519_p3 ge25519 + +/* Windowsize for fixed-window scalar multiplication */ +#define WINDOWSIZE 2 /* Should be 1,2, or 4 */ +#define WINDOWMASK ((1<x, &p->x, &p->t); + fe25519_mul(&r->y, &p->y, &p->z); + fe25519_mul(&r->z, &p->z, &p->t); +} + +static void p1p1_to_p3(ge25519_p3 *r, const ge25519_p1p1 *p) +{ + p1p1_to_p2((ge25519_p2 *)r, p); + fe25519_mul(&r->t, &p->x, &p->y); +} + +/* Constant-time version of: if(b) r = p */ +static void cmov_p3(ge25519_p3 *r, const ge25519_p3 *p, unsigned char b) +{ + fe25519_cmov(&r->x, &p->x, b); + fe25519_cmov(&r->y, &p->y, b); + fe25519_cmov(&r->z, &p->z, b); + fe25519_cmov(&r->t, &p->t, b); +} + +/* See http://www.hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#doubling-dbl-2008-hwcd */ +static void dbl_p1p1(ge25519_p1p1 *r, const ge25519_p2 *p) +{ + fe25519 a,b,c,d; + fe25519_square(&a, &p->x); + fe25519_square(&b, &p->y); + fe25519_square(&c, &p->z); + fe25519_add(&c, &c, &c); + fe25519_neg(&d, &a); + + fe25519_add(&r->x, &p->x, &p->y); + fe25519_square(&r->x, &r->x); + fe25519_sub(&r->x, &r->x, &a); + fe25519_sub(&r->x, &r->x, &b); + fe25519_add(&r->z, &d, &b); + fe25519_sub(&r->t, &r->z, &c); + fe25519_sub(&r->y, &d, &b); +} + +static void add_p1p1(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_p3 *q) +{ + fe25519 a, b, c, d, t, fd; + fe25519_unpack(&fd, ecd); + + fe25519_sub(&a, &p->y, &p->x); // A = (Y1-X1)*(Y2-X2) + fe25519_sub(&t, &q->y, &q->x); + fe25519_mul(&a, &a, &t); + fe25519_add(&b, &p->x, &p->y); // B = (Y1+X1)*(Y2+X2) + fe25519_add(&t, &q->x, &q->y); + fe25519_mul(&b, &b, &t); + fe25519_mul(&c, &p->t, &q->t); //C = T1*k*T2 + fe25519_mul(&c, &c, &fd); + fe25519_add(&c, &c, &c); //XXX: Can save this addition by precomputing 2*ecd + fe25519_mul(&d, &p->z, &q->z); //D = Z1*2*Z2 + fe25519_add(&d, &d, &d); + fe25519_sub(&r->x, &b, &a); // E = B-A + fe25519_sub(&r->t, &d, &c); // F = D-C + fe25519_add(&r->z, &d, &c); // G = D+C + fe25519_add(&r->y, &b, &a); // H = B+A +} + +/* ******************************************************************** + * EXPORTED FUNCTIONS + ******************************************************************** */ + +/* return 0 on success, -1 otherwise */ +int ge25519_unpack_vartime(ge25519_p3 *r, const unsigned char p[32]) +{ + int ret; + fe25519 t, fd; + fe25519_setone(&r->z); + fe25519_unpack(&fd, ecd); + unsigned char par = p[31] >> 7; + fe25519_unpack(&r->y, p); + fe25519_square(&r->x, &r->y); + fe25519_mul(&t, &r->x, &fd); + fe25519_sub(&r->x, &r->x, &r->z); + fe25519_add(&t, &r->z, &t); + fe25519_invert(&t, &t); + fe25519_mul(&r->x, &r->x, &t); + ret = fe25519_sqrt_vartime(&r->x, &r->x, par); + fe25519_mul(&r->t, &r->x, &r->y); + return ret; +} + +void ge25519_pack(unsigned char r[32], const ge25519_p3 *p) +{ + fe25519 tx, ty, zi; + fe25519_invert(&zi, &p->z); + fe25519_mul(&tx, &p->x, &zi); + fe25519_mul(&ty, &p->y, &zi); + fe25519_pack(r, &ty); + r[31] ^= fe25519_getparity(&tx) << 7; +} + +void ge25519_add(ge25519_p3 *r, const ge25519_p3 *p, const ge25519_p3 *q) +{ + ge25519_p1p1 grp1p1; + add_p1p1(&grp1p1, p, q); + p1p1_to_p3(r, &grp1p1); +} + +void ge25519_double(ge25519_p3 *r, const ge25519_p3 *p) +{ + ge25519_p1p1 grp1p1; + dbl_p1p1(&grp1p1, (ge25519_p2 *)p); + p1p1_to_p3(r, &grp1p1); +} + +void ge25519_scalarmult(ge25519_p3 *r, const ge25519_p3 *p, const sc25519 *s) +{ + int i,j,k; + ge25519_p3 g; + fe25519_unpack(&g.x, ge25519_neutral_x); + fe25519_unpack(&g.y, ge25519_neutral_y); + fe25519_unpack(&g.z, ge25519_neutral_z); + fe25519_unpack(&g.t, ge25519_neutral_t); + + ge25519_p3 pre[(1 << WINDOWSIZE)]; + ge25519_p3 t; + ge25519_p1p1 tp1p1; + unsigned char w; + unsigned char sb[32]; + sc25519_to32bytes(sb, s); + + // Precomputation + pre[0] = g; + pre[1] = *p; + for(i=2;i<(1<0;i--) + { + for(j=8-WINDOWSIZE;j>=0;j-=WINDOWSIZE) + { + for(k=0;k>j) & WINDOWMASK; + t = pre[0]; + for(k=1;k<(1<x = g.x; + r->y = g.y; + r->z = g.z; + r->t = g.t; +} + +void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s) +{ + /* XXX: Better algorithm for known-base-point scalar multiplication */ + ge25519_p3 t; + fe25519_unpack(&t.x, ge25519_base_x); + fe25519_unpack(&t.y, ge25519_base_y); + fe25519_unpack(&t.z, ge25519_base_z); + fe25519_unpack(&t.t, ge25519_base_t); + ge25519_scalarmult(r, &t, s); +} diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.h b/nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.h new file mode 100644 index 00000000..49ad163a --- /dev/null +++ b/nacl/crypto_sign/edwards25519sha512batch/ref/ge25519.h @@ -0,0 +1,34 @@ +#ifndef GE25519_H +#define GE25519_H + +#include "fe25519.h" +#include "sc25519.h" + +#define ge25519 crypto_sign_edwards25519sha512batch_ge25519 +#define ge25519_unpack_vartime crypto_sign_edwards25519sha512batch_ge25519_unpack_vartime +#define ge25519_pack crypto_sign_edwards25519sha512batch_ge25519_pack +#define ge25519_add crypto_sign_edwards25519sha512batch_ge25519_add +#define ge25519_double crypto_sign_edwards25519sha512batch_ge25519_double +#define ge25519_scalarmult crypto_sign_edwards25519sha512batch_ge25519_scalarmult +#define ge25519_scalarmult_base crypto_sign_edwards25519sha512batch_ge25519_scalarmult_base + +typedef struct { + fe25519 x; + fe25519 y; + fe25519 z; + fe25519 t; +} ge25519; + +int ge25519_unpack_vartime(ge25519 *r, const unsigned char p[32]); + +void ge25519_pack(unsigned char r[32], const ge25519 *p); + +void ge25519_add(ge25519 *r, const ge25519 *p, const ge25519 *q); + +void ge25519_double(ge25519 *r, const ge25519 *p); + +void ge25519_scalarmult(ge25519 *r, const ge25519 *p, const sc25519 *s); + +void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s); + +#endif diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.c b/nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.c new file mode 100644 index 00000000..5f27eb1b --- /dev/null +++ b/nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.c @@ -0,0 +1,146 @@ +#include "sc25519.h" + +/*Arithmetic modulo the group order n = 2^252 + 27742317777372353535851937790883648493 = 7237005577332262213973186563042994240857116359379907606001950938285454250989 */ + +static const crypto_uint32 m[32] = {0xED, 0xD3, 0xF5, 0x5C, 0x1A, 0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10}; + +static const crypto_uint32 mu[33] = {0x1B, 0x13, 0x2C, 0x0A, 0xA3, 0xE5, 0x9C, 0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21, + 0xEB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F}; + +/* Reduce coefficients of r before calling reduce_add_sub */ +static void reduce_add_sub(sc25519 *r) +{ + int i, b, pb=0, nb; + unsigned char t[32]; + + for(i=0;i<32;i++) + { + b = (r->v[i]v[i]-pb-m[i]+b*256; + pb = b; + } + nb = 1-b; + for(i=0;i<32;i++) + r->v[i] = r->v[i]*b + t[i]*nb; +} + +/* Reduce coefficients of x before calling barrett_reduce */ +static void barrett_reduce(sc25519 *r, const crypto_uint32 x[64]) +{ + /* See HAC, Alg. 14.42 */ + int i,j; + crypto_uint32 q2[66] = {0}; + crypto_uint32 *q3 = q2 + 33; + crypto_uint32 r1[33]; + crypto_uint32 r2[33] = {0}; + crypto_uint32 carry; + int b, pb=0; + + for(i=0;i<33;i++) + for(j=0;j<33;j++) + if(i+j >= 31) q2[i+j] += mu[i]*x[j+31]; + carry = q2[31] >> 8; + q2[32] += carry; + carry = q2[32] >> 8; + q2[33] += carry; + + for(i=0;i<33;i++)r1[i] = x[i]; + for(i=0;i<32;i++) + for(j=0;j<33;j++) + if(i+j < 33) r2[i+j] += m[i]*q3[j]; + + for(i=0;i<32;i++) + { + carry = r2[i] >> 8; + r2[i+1] += carry; + r2[i] &= 0xff; + } + + for(i=0;i<32;i++) + { + b = (r1[i]v[i] = r1[i]-pb-r2[i]+b*256; + pb = b; + } + + /* XXX: Can it really happen that r<0?, See HAC, Alg 14.42, Step 3 + * If so: Handle it here! + */ + + reduce_add_sub(r); + reduce_add_sub(r); +} + +/* +static int iszero(const sc25519 *x) +{ + // Implement + return 0; +} +*/ + +void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]) +{ + int i; + crypto_uint32 t[64] = {0}; + for(i=0;i<32;i++) t[i] = x[i]; + barrett_reduce(r, t); +} + +void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]) +{ + int i; + crypto_uint32 t[64] = {0}; + for(i=0;i<64;i++) t[i] = x[i]; + barrett_reduce(r, t); +} + +/* XXX: What we actually want for crypto_group is probably just something like + * void sc25519_frombytes(sc25519 *r, const unsigned char *x, size_t xlen) + */ + +void sc25519_to32bytes(unsigned char r[32], const sc25519 *x) +{ + int i; + for(i=0;i<32;i++) r[i] = x->v[i]; +} + +void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y) +{ + int i, carry; + for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i]; + for(i=0;i<31;i++) + { + carry = r->v[i] >> 8; + r->v[i+1] += carry; + r->v[i] &= 0xff; + } + reduce_add_sub(r); +} + +void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y) +{ + int i,j,carry; + crypto_uint32 t[64]; + for(i=0;i<64;i++)t[i] = 0; + + for(i=0;i<32;i++) + for(j=0;j<32;j++) + t[i+j] += x->v[i] * y->v[j]; + + /* Reduce coefficients */ + for(i=0;i<63;i++) + { + carry = t[i] >> 8; + t[i+1] += carry; + t[i] &= 0xff; + } + + barrett_reduce(r, t); +} + +void sc25519_square(sc25519 *r, const sc25519 *x) +{ + sc25519_mul(r, x, x); +} diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.h b/nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.h new file mode 100644 index 00000000..48584a85 --- /dev/null +++ b/nacl/crypto_sign/edwards25519sha512batch/ref/sc25519.h @@ -0,0 +1,51 @@ +#ifndef SC25519_H +#define SC25519_H + +#define sc25519 crypto_sign_edwards25519sha512batch_sc25519 +#define sc25519_from32bytes crypto_sign_edwards25519sha512batch_sc25519_from32bytes +#define sc25519_from64bytes crypto_sign_edwards25519sha512batch_sc25519_from64bytes +#define sc25519_to32bytes crypto_sign_edwards25519sha512batch_sc25519_to32bytes +#define sc25519_pack crypto_sign_edwards25519sha512batch_sc25519_pack +#define sc25519_getparity crypto_sign_edwards25519sha512batch_sc25519_getparity +#define sc25519_setone crypto_sign_edwards25519sha512batch_sc25519_setone +#define sc25519_setzero crypto_sign_edwards25519sha512batch_sc25519_setzero +#define sc25519_neg crypto_sign_edwards25519sha512batch_sc25519_neg +#define sc25519_add crypto_sign_edwards25519sha512batch_sc25519_add +#define sc25519_sub crypto_sign_edwards25519sha512batch_sc25519_sub +#define sc25519_mul crypto_sign_edwards25519sha512batch_sc25519_mul +#define sc25519_square crypto_sign_edwards25519sha512batch_sc25519_square +#define sc25519_invert crypto_sign_edwards25519sha512batch_sc25519_invert + +#include "crypto_uint32.h" + +typedef struct { + crypto_uint32 v[32]; +} sc25519; + +void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]); + +void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]); + +void sc25519_to32bytes(unsigned char r[32], const sc25519 *x); + +void sc25519_pack(unsigned char r[32], const sc25519 *x); + +unsigned char sc25519_getparity(const sc25519 *x); + +void sc25519_setone(sc25519 *r); + +void sc25519_setzero(sc25519 *r); + +void sc25519_neg(sc25519 *r, const sc25519 *x); + +void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y); + +void sc25519_sub(sc25519 *r, const sc25519 *x, const sc25519 *y); + +void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y); + +void sc25519_square(sc25519 *r, const sc25519 *x); + +void sc25519_invert(sc25519 *r, const sc25519 *x); + +#endif diff --git a/nacl/crypto_sign/edwards25519sha512batch/ref/sign.c b/nacl/crypto_sign/edwards25519sha512batch/ref/sign.c new file mode 100644 index 00000000..f40e548b --- /dev/null +++ b/nacl/crypto_sign/edwards25519sha512batch/ref/sign.c @@ -0,0 +1,103 @@ +#include "api.h" +#include "crypto_sign.h" +#include "crypto_hash_sha512.h" +#include "randombytes.h" +#include "crypto_verify_32.h" + +#include "ge25519.h" + +int crypto_sign_keypair( + unsigned char *pk, + unsigned char *sk + ) +{ + sc25519 scsk; + ge25519 gepk; + + randombytes(sk, 32); + crypto_hash_sha512(sk, sk, 32); + sk[0] &= 248; + sk[31] &= 127; + sk[31] |= 64; + + sc25519_from32bytes(&scsk,sk); + + ge25519_scalarmult_base(&gepk, &scsk); + ge25519_pack(pk, &gepk); + return 0; +} + +int crypto_sign( + unsigned char *sm,unsigned long long *smlen, + const unsigned char *m,unsigned long long mlen, + const unsigned char *sk + ) +{ + sc25519 sck, scs, scsk; + ge25519 ger; + unsigned char r[32]; + unsigned char s[32]; + unsigned long long i; + unsigned char hmg[crypto_hash_sha512_BYTES]; + unsigned char hmr[crypto_hash_sha512_BYTES]; + + *smlen = mlen+64; + for(i=0;i +#include "randombytes.h" +#include "cpucycles.h" +#include "crypto_sign.h" + +extern void printentry(long long,const char *,long long *,long long); +extern unsigned char *alignedcalloc(unsigned long long); +extern const char *primitiveimplementation; +extern const char *implementationversion; +extern const char *sizenames[]; +extern const long long sizes[]; +extern void allocate(void); +extern void measure(void); + +const char *primitiveimplementation = crypto_sign_IMPLEMENTATION; +const char *implementationversion = crypto_sign_VERSION; +const char *sizenames[] = { "outputbytes", "publickeybytes", "secretkeybytes", 0 }; +const long long sizes[] = { crypto_sign_BYTES, crypto_sign_PUBLICKEYBYTES, crypto_sign_SECRETKEYBYTES }; + +#define MAXTEST_BYTES 100000 + +static unsigned char *pk; +static unsigned char *sk; +static unsigned char *m; unsigned long long mlen; +static unsigned char *sm; unsigned long long smlen; +static unsigned char *t; unsigned long long tlen; + +void preallocate(void) +{ +#ifdef RAND_R_PRNG_NOT_SEEDED + RAND_status(); +#endif +} + +void allocate(void) +{ + pk = alignedcalloc(crypto_sign_PUBLICKEYBYTES); + sk = alignedcalloc(crypto_sign_SECRETKEYBYTES); + m = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES); + sm = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES); + t = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES); +} + +#define TIMINGS 31 +static long long cycles[TIMINGS + 1]; +static long long bytes[TIMINGS + 1]; + +void measure(void) +{ + int i; + int loop; + + for (loop = 0;loop < LOOPS;++loop) { + for (i = 0;i <= TIMINGS;++i) { + cycles[i] = cpucycles(); + crypto_sign_keypair(pk,sk); + } + for (i = 0;i < TIMINGS;++i) cycles[i] = cycles[i + 1] - cycles[i]; + printentry(-1,"keypair_cycles",cycles,TIMINGS); + + for (mlen = 0;mlen <= MAXTEST_BYTES;mlen += 1 + mlen / 4) { + randombytes(m,mlen); + + for (i = 0;i <= TIMINGS;++i) { + cycles[i] = cpucycles(); + bytes[i] = crypto_sign(sm,&smlen,m,mlen,sk); + if (bytes[i] == 0) bytes[i] = smlen; + } + for (i = 0;i < TIMINGS;++i) cycles[i] = cycles[i + 1] - cycles[i]; + printentry(mlen,"cycles",cycles,TIMINGS); + printentry(mlen,"bytes",bytes,TIMINGS); + + for (i = 0;i <= TIMINGS;++i) { + cycles[i] = cpucycles(); + bytes[i] = crypto_sign_open(t,&tlen,sm,smlen,pk); + if (bytes[i] == 0) bytes[i] = tlen; + } + for (i = 0;i < TIMINGS;++i) cycles[i] = cycles[i + 1] - cycles[i]; + printentry(mlen,"open_cycles",cycles,TIMINGS); + printentry(mlen,"open_bytes",bytes,TIMINGS); + } + } +} diff --git a/nacl/crypto_sign/try.c b/nacl/crypto_sign/try.c new file mode 100644 index 00000000..fc553416 --- /dev/null +++ b/nacl/crypto_sign/try.c @@ -0,0 +1,86 @@ +/* + * crypto_sign/try.c version 20090118 + * D. J. Bernstein + * Public domain. + */ + +#include +#include "randombytes.h" +#include "crypto_sign.h" + +#define MAXTEST_BYTES 10000 +#define TUNE_BYTES 1536 + +extern unsigned char *alignedcalloc(unsigned long long); + +const char *primitiveimplementation = crypto_sign_IMPLEMENTATION; + +static unsigned char *pk; +static unsigned char *sk; +static unsigned char *m; unsigned long long mlen; +static unsigned char *sm; unsigned long long smlen; +static unsigned char *t; unsigned long long tlen; + +void preallocate(void) +{ +#ifdef RAND_R_PRNG_NOT_SEEDED + RAND_status(); +#endif +} + +void allocate(void) +{ + pk = alignedcalloc(crypto_sign_PUBLICKEYBYTES); + sk = alignedcalloc(crypto_sign_SECRETKEYBYTES); + m = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES); + sm = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES); + t = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES); +} + +void predoit(void) +{ + crypto_sign_keypair(pk,sk); + mlen = TUNE_BYTES; + smlen = 0; + randombytes(m,mlen); + crypto_sign(sm,&smlen,m,mlen,sk); +} + +void doit(void) +{ + crypto_sign_open(t,&tlen,sm,smlen,pk); +} + +char checksum[crypto_sign_BYTES * 2 + 1]; + +const char *checksum_compute(void) +{ + long long mlen; + long long i; + long long j; + + if (crypto_sign_keypair(pk,sk) != 0) return "crypto_sign_keypair returns nonzero"; + for (mlen = 0;mlen < MAXTEST_BYTES;mlen += 1 + (mlen / 16)) { + if (crypto_sign(sm,&smlen,m,mlen,sk) != 0) return "crypto_sign returns nonzero"; + if (crypto_sign_open(t,&tlen,sm,smlen,pk) != 0) return "crypto_sign_open returns nonzero"; + if (tlen != mlen) return "crypto_sign_open does not match length"; + for (i = 0;i < tlen;++i) + if (t[i] != m[i]) + return "crypto_sign_open does not match contents"; + + j = random() % smlen; + sm[j] ^= 1; + if (crypto_sign_open(t,&tlen,sm,smlen,pk) == 0) { + if (tlen != mlen) return "crypto_sign_open allows trivial forgery of length"; + for (i = 0;i < tlen;++i) + if (t[i] != m[i]) + return "crypto_sign_open allows trivial forgery of contents"; + } + sm[j] ^= 1; + + } + + /* do some long-term checksum */ + checksum[0] = 0; + return 0; +} diff --git a/nacl/crypto_sign/wrapper-keypair.cpp b/nacl/crypto_sign/wrapper-keypair.cpp new file mode 100644 index 00000000..3687465d --- /dev/null +++ b/nacl/crypto_sign/wrapper-keypair.cpp @@ -0,0 +1,12 @@ +#include +using std::string; +#include "crypto_sign.h" + +string crypto_sign_keypair(string *sk_string) +{ + unsigned char pk[crypto_sign_PUBLICKEYBYTES]; + unsigned char sk[crypto_sign_SECRETKEYBYTES]; + crypto_sign_keypair(pk,sk); + *sk_string = string((char *) sk,sizeof sk); + return string((char *) pk,sizeof pk); +} diff --git a/nacl/crypto_sign/wrapper-sign-open.cpp b/nacl/crypto_sign/wrapper-sign-open.cpp new file mode 100644 index 00000000..346e9400 --- /dev/null +++ b/nacl/crypto_sign/wrapper-sign-open.cpp @@ -0,0 +1,24 @@ +#include +using std::string; +#include "crypto_sign.h" + +string crypto_sign_open(const string &sm_string, const string &pk_string) +{ + if (pk_string.size() != crypto_sign_PUBLICKEYBYTES) throw "incorrect public-key length"; + size_t smlen = sm_string.size(); + unsigned char m[smlen]; + unsigned long long mlen; + for (int i = 0;i < smlen;++i) m[i] = sm_string[i]; + if (crypto_sign_open( + m, + &mlen, + m, + smlen, + (const unsigned char *) pk_string.c_str() + ) != 0) + throw "ciphertext fails verification"; + return string( + (char *) m, + mlen + ); +} diff --git a/nacl/crypto_sign/wrapper-sign.cpp b/nacl/crypto_sign/wrapper-sign.cpp new file mode 100644 index 00000000..f0624b76 --- /dev/null +++ b/nacl/crypto_sign/wrapper-sign.cpp @@ -0,0 +1,23 @@ +#include +using std::string; +#include "crypto_sign.h" + +string crypto_sign(const string &m_string, const string &sk_string) +{ + if (sk_string.size() != crypto_sign_SECRETKEYBYTES) throw "incorrect secret-key length"; + size_t mlen = m_string.size(); + unsigned char m[mlen+crypto_sign_BYTES]; + unsigned long long smlen; + for (int i = 0;i < mlen;++i) m[i] = m_string[i]; + crypto_sign( + m, + &smlen, + m, + mlen, + (const unsigned char *) sk_string.c_str() + ); + return string( + (char *) m, + smlen + ); +} -- cgit v1.2.3