diff options
Diffstat (limited to 'libs/libaxolotl/src/curve25519/ed25519')
39 files changed, 2071 insertions, 187 deletions
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h b/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h new file mode 100644 index 0000000000..da4a1cd07b --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h @@ -0,0 +1,69 @@ + +#ifndef __CRYPTO_ADDITIONS__ +#define __CRYPTO_ADDITIONS__ + +#include "crypto_uint32.h" +#include "fe.h" +#include "ge.h" + +#define MAX_MSG_LEN 256 + +void sc_neg(unsigned char *b, const unsigned char *a); +void sc_cmov(unsigned char* f, const unsigned char* g, unsigned char b); + +int fe_isequal(const fe f, const fe g); +void fe_mont_rhs(fe v2, const fe u); +void fe_montx_to_edy(fe y, const fe u); +void fe_sqrt(fe b, const fe a); + +int ge_is_small_order(const ge_p3 *p); +int ge_isneutral(const ge_p3* q); +void ge_neg(ge_p3* r, const ge_p3 *p); +void ge_montx_to_p3(ge_p3* p, const fe u, const unsigned char ed_sign_bit); +void ge_p3_to_montx(fe u, const ge_p3 *p); +void ge_scalarmult(ge_p3 *h, const unsigned char *a, const ge_p3 *A); +void ge_scalarmult_cofactor(ge_p3 *q, const ge_p3 *p); + +void elligator(fe u, const fe r); +void hash_to_point(ge_p3* p, const unsigned char* msg, const unsigned long in_len); +void calculate_Bv(ge_p3* Bv, + unsigned char* buf, + const unsigned char* A, + const unsigned char* msg, const unsigned long msg_len); +void calculate_Bv_and_V(ge_p3* Bv, + unsigned char* V, + unsigned char* buf, + const unsigned char* a, + const unsigned char* A, + const unsigned char* msg, const unsigned long msg_len); + +int crypto_sign_modified( + unsigned char *sm, + const unsigned char *m,unsigned long long mlen, + const unsigned char *sk, /* Curve/Ed25519 private key */ + const unsigned char *pk, /* Ed25519 public key */ + const unsigned char *random /* 64 bytes random to hash into nonce */ + ); + +int crypto_sign_open_modified( + unsigned char *m, + const unsigned char *sm,unsigned long long smlen, + const unsigned char *pk + ); + +int crypto_vsign_modified( + unsigned char *sm, + const unsigned char *M,unsigned long Mlen, + const unsigned char *a, + const unsigned char *A, + const unsigned char *random, + const ge_p3 *Bu, + const unsigned char *U); + +int crypto_vsign_open_modified( + unsigned char *m, + const unsigned char *sm,unsigned long long smlen, + const unsigned char *pk, const ge_p3* Bu); + + +#endif diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c b/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c index 2a0aa54d4f..7a49b18aaa 100644 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c @@ -3,36 +3,7 @@ #include "ge.h" #include "curve_sigs.h" #include "crypto_sign.h" - -void curve25519_keygen(unsigned char* curve25519_pubkey_out, - const unsigned char* curve25519_privkey_in) -{ - ge_p3 ed; /* Ed25519 pubkey point */ - fe ed_y, ed_y_plus_one, one_minus_ed_y, inv_one_minus_ed_y; - fe mont_x; - - /* Perform a fixed-base multiplication of the Edwards base point, - (which is efficient due to precalculated tables), then convert - to the Curve25519 montgomery-format public key. In particular, - convert Curve25519's "montgomery" x-coordinate into an Ed25519 - "edwards" y-coordinate: - - mont_x = (ed_y + 1) / (1 - ed_y) - - with projective coordinates: - - mont_x = (ed_y + ed_z) / (ed_z - ed_y) - - NOTE: ed_y=1 is converted to mont_x=0 since fe_invert is mod-exp - */ - - ge_scalarmult_base(&ed, curve25519_privkey_in); - fe_add(ed_y_plus_one, ed.Y, ed.Z); - fe_sub(one_minus_ed_y, ed.Z, ed.Y); - fe_invert(inv_one_minus_ed_y, one_minus_ed_y); - fe_mul(mont_x, ed_y_plus_one, inv_one_minus_ed_y); - fe_tobytes(curve25519_pubkey_out, mont_x); -} +#include "crypto_additions.h" int curve25519_sign(unsigned char* signature_out, const unsigned char* curve25519_privkey, @@ -71,18 +42,16 @@ int curve25519_verify(const unsigned char* signature, const unsigned char* curve25519_pubkey, const unsigned char* msg, const unsigned long msg_len) { - fe mont_x, mont_x_minus_one, mont_x_plus_one, inv_mont_x_plus_one; - fe one; - fe ed_y; + fe u; + fe y; unsigned char ed_pubkey[32]; - unsigned long long some_retval; - unsigned char *verifybuf = NULL; /* working buffer */ + unsigned char *verifybuf = NULL; /* working buffer */ unsigned char *verifybuf2 = NULL; /* working buffer #2 */ int result; if ((verifybuf = malloc(msg_len + 64)) == 0) { - result = -1; - goto err; + result = -1; + goto err; } if ((verifybuf2 = malloc(msg_len + 64)) == 0) { @@ -91,22 +60,18 @@ int curve25519_verify(const unsigned char* signature, } /* Convert the Curve25519 public key into an Ed25519 public key. In - particular, convert Curve25519's "montgomery" x-coordinate into an + particular, convert Curve25519's "montgomery" x-coordinate (u) into an Ed25519 "edwards" y-coordinate: - ed_y = (mont_x - 1) / (mont_x + 1) + y = (u - 1) / (u + 1) - NOTE: mont_x=-1 is converted to ed_y=0 since fe_invert is mod-exp + NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp Then move the sign bit into the pubkey from the signature. */ - fe_frombytes(mont_x, curve25519_pubkey); - fe_1(one); - fe_sub(mont_x_minus_one, mont_x, one); - fe_add(mont_x_plus_one, mont_x, one); - fe_invert(inv_mont_x_plus_one, mont_x_plus_one); - fe_mul(ed_y, mont_x_minus_one, inv_mont_x_plus_one); - fe_tobytes(ed_pubkey, ed_y); + fe_frombytes(u, curve25519_pubkey); + fe_montx_to_edy(y, u); + fe_tobytes(ed_pubkey, y); /* Copy the sign bit, and remove it from signature */ ed_pubkey[31] &= 0x7F; /* bit should be zero already, but just in case */ @@ -120,9 +85,8 @@ int curve25519_verify(const unsigned char* signature, /* The below call has a strange API: */ /* verifybuf = R || S || message */ /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets - replaced with pubkey for hashing, then the whole thing gets zeroized - (if bad sig), or contains a copy of msg (good sig) */ - result = crypto_sign_open(verifybuf2, &some_retval, verifybuf, 64 + msg_len, ed_pubkey); + replaced with pubkey for hashing */ + result = crypto_sign_open_modified(verifybuf2, verifybuf, 64 + msg_len, ed_pubkey); err: diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h b/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h index b3dbad0155..a2d819aef0 100644 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h @@ -2,47 +2,16 @@ #ifndef __CURVE_SIGS_H__ #define __CURVE_SIGS_H__ -void curve25519_keygen(unsigned char* curve25519_pubkey_out, /* 32 bytes */ - const unsigned char* curve25519_privkey_in); /* 32 bytes */ - /* returns 0 on success */ int curve25519_sign(unsigned char* signature_out, /* 64 bytes */ const unsigned char* curve25519_privkey, /* 32 bytes */ - const unsigned char* msg, const unsigned long msg_len, + const unsigned char* msg, const unsigned long msg_len, /* <= 256 bytes */ const unsigned char* random); /* 64 bytes */ /* returns 0 on success */ int curve25519_verify(const unsigned char* signature, /* 64 bytes */ const unsigned char* curve25519_pubkey, /* 32 bytes */ - const unsigned char* msg, const unsigned long msg_len); - -/* helper function - modified version of crypto_sign() to use - explicit private key. In particular: - - sk : private key - pk : public key - msg : message - prefix : 0xFE || [0xFF]*31 - random : 64 bytes random - q : main subgroup order - - The prefix is chosen to distinguish the two SHA512 uses below, since - prefix is an invalid encoding for R (it would encode a "field element" - of 2^255 - 2). 0xFF*32 is set aside for use in ECDH protocols, which - is why the first byte here ix 0xFE. + const unsigned char* msg, const unsigned long msg_len); /* <= 256 bytes */ - sig_nonce = SHA512(prefix || sk || msg || random) % q - R = g^sig_nonce - M = SHA512(R || pk || m) - S = sig_nonce + (m * sk) - signature = (R || S) - */ -int crypto_sign_modified( - unsigned char *sm, - const unsigned char *m,unsigned long long mlen, - const unsigned char *sk, /* Curve/Ed25519 private key */ - const unsigned char *pk, /* Ed25519 public key */ - const unsigned char *random /* 64 bytes random to hash into nonce */ - ); #endif diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c b/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c new file mode 100644 index 0000000000..8a8131ff2f --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c @@ -0,0 +1,111 @@ +#include <string.h> +#include "fe.h" +#include "ge.h" +#include "crypto_uint32.h" +#include "crypto_hash_sha512.h" +#include "crypto_additions.h" + +unsigned int legendre_is_nonsquare(fe in) +{ + fe temp; + fe_pow22523(temp, in); /* temp = in^((q-5)/8) */ + fe_sq(temp, temp); /* in^((q-5)/4) */ + fe_sq(temp, temp); /* in^((q-5)/2) */ + fe_mul(temp, temp, in); /* in^((q-3)/2) */ + fe_mul(temp, temp, in); /* in^((q-1)/2) */ + + /* temp is now the Legendre symbol: + * 1 = square + * 0 = input is zero + * -1 = nonsquare + */ + unsigned char bytes[32]; + fe_tobytes(bytes, temp); + return 1 & bytes[31]; +} + +void elligator(fe u, const fe r) +{ + /* r = input + * x = -A/(1+2r^2) # 2 is nonsquare + * e = (x^3 + Ax^2 + x)^((q-1)/2) # legendre symbol + * if e == 1 (square) or e == 0 (because x == 0 and 2r^2 + 1 == 0) + * u = x + * if e == -1 (nonsquare) + * u = -x - A + */ + fe A, one, twor2, twor2plus1, twor2plus1inv; + fe x, e, Atemp, uneg; + unsigned int nonsquare; + + fe_1(one); + fe_0(A); + A[0] = 486662; /* A = 486662 */ + + fe_sq2(twor2, r); /* 2r^2 */ + fe_add(twor2plus1, twor2, one); /* 1+2r^2 */ + fe_invert(twor2plus1inv, twor2plus1); /* 1/(1+2r^2) */ + fe_mul(x, twor2plus1inv, A); /* A/(1+2r^2) */ + fe_neg(x, x); /* x = -A/(1+2r^2) */ + + fe_mont_rhs(e, x); /* e = x^3 + Ax^2 + x */ + nonsquare = legendre_is_nonsquare(e); + + fe_0(Atemp); + fe_cmov(Atemp, A, nonsquare); /* 0, or A if nonsquare */ + fe_add(u, x, Atemp); /* x, or x+A if nonsquare */ + fe_neg(uneg, u); /* -x, or -x-A if nonsquare */ + fe_cmov(u, uneg, nonsquare); /* x, or -x-A if nonsquare */ +} + +void hash_to_point(ge_p3* p, const unsigned char* in, const unsigned long in_len) +{ + unsigned char hash[64]; + fe h, u; + unsigned char sign_bit; + ge_p3 p3; + + crypto_hash_sha512(hash, in, in_len); + + /* take the high bit as Edwards sign bit */ + sign_bit = (hash[31] & 0x80) >> 7; + hash[31] &= 0x7F; + fe_frombytes(h, hash); + elligator(u, h); + + ge_montx_to_p3(&p3, u, sign_bit); + ge_scalarmult_cofactor(p, &p3); +} + + +void calculate_Bv(ge_p3* Bv, + unsigned char* buf, + const unsigned char* A, + const unsigned char* msg, const unsigned long msg_len) +{ + int count; + + /* Calculate SHA512(label(2) || A || msg) */ + buf[0] = 0xFD; + for (count = 1; count < 32; count++) + buf[count] = 0xFF; + memmove(buf+32, A, 32); + memmove(buf+64, msg, msg_len); + + hash_to_point(Bv, buf, 64 + msg_len); +} + + +void calculate_Bv_and_V(ge_p3* Bv, + unsigned char* V, + unsigned char* buf, + const unsigned char* a, + const unsigned char* A, + const unsigned char* msg, const unsigned long msg_len) +{ + ge_p3 p3; + + calculate_Bv(Bv, buf, A, msg, msg_len); + ge_scalarmult(&p3, a, Bv); + ge_p3_tobytes(V, &p3); +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c new file mode 100644 index 0000000000..67c5d33c96 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c @@ -0,0 +1,14 @@ +#include "fe.h" +#include "crypto_verify_32.h" + +/* +return 1 if f == g +return 0 if f != g +*/ + +int fe_isequal(const fe f, const fe g) +{ + fe h; + fe_sub(h, f, g); + return 1 ^ (1 & (fe_isnonzero(h) >> 8)); +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c new file mode 100644 index 0000000000..bc8393620c --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c @@ -0,0 +1,17 @@ +#include "fe.h" + +void fe_mont_rhs(fe v2, fe u) { + fe A, one; + fe u2, Au, inner; + + fe_1(one); + fe_0(A); + A[0] = 486662; /* A = 486662 */ + + fe_sq(u2, u); /* u^2 */ + fe_mul(Au, A, u); /* Au */ + fe_add(inner, u2, Au); /* u^2 + Au */ + fe_add(inner, inner, one); /* u^2 + Au + 1 */ + fe_mul(v2, u, inner); /* u(u^2 + Au + 1) */ +} + diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c new file mode 100644 index 0000000000..b0f8c63276 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c @@ -0,0 +1,19 @@ + +#include "fe.h" +#include "crypto_additions.h" + +void fe_montx_to_edy(fe y, const fe u) +{ + /* + y = (u - 1) / (u + 1) + + NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp + */ + fe one, um1, up1; + + fe_1(one); + fe_sub(um1, u, one); + fe_add(up1, u, one); + fe_invert(up1, up1); + fe_mul(y, um1, up1); +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c new file mode 100644 index 0000000000..906d38b93e --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c @@ -0,0 +1,50 @@ +#include <assert.h> +#include "fe.h" +#include "crypto_additions.h" + +/* sqrt(-1) */ +static unsigned char i_bytes[32] = { + 0xb0, 0xa0, 0x0e, 0x4a, 0x27, 0x1b, 0xee, 0xc4, + 0x78, 0xe4, 0x2f, 0xad, 0x06, 0x18, 0x43, 0x2f, + 0xa7, 0xd7, 0xfb, 0x3d, 0x99, 0x00, 0x4d, 0x2b, + 0x0b, 0xdf, 0xc1, 0x4f, 0x80, 0x24, 0x83, 0x2b +}; + +/* Preconditions: a is square or zero */ + +void fe_sqrt(fe out, const fe a) +{ + fe exp, b, b2, bi, i; + + fe_frombytes(i, i_bytes); + fe_pow22523(exp, a); /* b = a^(q-5)/8 */ + + /* PRECONDITION: legendre symbol == 1 (square) or 0 (a == zero) */ +#ifndef NDEBUG + fe legendre, zero, one; + + fe_sq(legendre, exp); /* in^((q-5)/4) */ + fe_sq(legendre, legendre); /* in^((q-5)/2) */ + fe_mul(legendre, legendre, a); /* in^((q-3)/2) */ + fe_mul(legendre, legendre, a); /* in^((q-1)/2) */ + + fe_0(zero); + fe_1(one); + assert(fe_isequal(legendre, zero) || fe_isequal(legendre, one)); +#endif + + fe_mul(b, a, exp); /* b = a * a^(q-5)/8 */ + fe_sq(b2, b); /* b^2 = a * a^(q-1)/4 */ + + /* note b^4 == a^2, so b^2 == a or -a + * if b^2 != a, multiply it by sqrt(-1) */ + fe_mul(bi, b, i); + fe_cmov(b, bi, 1 ^ fe_isequal(b2, a)); + fe_copy(out, b); + + /* PRECONDITION: out^2 == a */ +#ifndef NDEBUG + fe_sq(b2, out); + assert(fe_isequal(a, b2)); +#endif +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c new file mode 100644 index 0000000000..845941be2a --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c @@ -0,0 +1,30 @@ +#include "crypto_additions.h" +#include "ge.h" +#include "utility.h" +#include "stdio.h" + +/* +return 1 if f == g +return 0 if f != g +*/ + +int ge_is_small_order(const ge_p3 *p) +{ + ge_p1p1 p1p1; + ge_p2 p2; + fe zero; + + ge_p3_dbl(&p1p1, p); + ge_p1p1_to_p2(&p2, &p1p1); + + ge_p2_dbl(&p1p1, &p2); + ge_p1p1_to_p2(&p2, &p1p1); + + ge_p2_dbl(&p1p1, &p2); + ge_p1p1_to_p2(&p2, &p1p1); + + fe_0(zero); + + /* Check if 8*p == neutral element == (0, 1) */ + return (fe_isequal(p2.X, zero) & fe_isequal(p2.Y, p2.Z)); +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c new file mode 100644 index 0000000000..d40e443682 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c @@ -0,0 +1,16 @@ +#include "crypto_additions.h" +#include "ge.h" + +/* +return 1 if p is the neutral point +return 0 otherwise +*/ + +int ge_isneutral(const ge_p3 *p) +{ + fe zero; + fe_0(zero); + + /* Check if p == neutral element == (0, 1) */ + return (fe_isequal(p->X, zero) & fe_isequal(p->Y, p->Z)); +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c new file mode 100644 index 0000000000..d123d03580 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c @@ -0,0 +1,69 @@ +#include "fe.h" +#include "ge.h" +#include "assert.h" +#include "crypto_additions.h" +#include "utility.h" + +/* sqrt(-(A+2)) */ +static unsigned char A_bytes[32] = { + 0x06, 0x7e, 0x45, 0xff, 0xaa, 0x04, 0x6e, 0xcc, + 0x82, 0x1a, 0x7d, 0x4b, 0xd1, 0xd3, 0xa1, 0xc5, + 0x7e, 0x4f, 0xfc, 0x03, 0xdc, 0x08, 0x7b, 0xd2, + 0xbb, 0x06, 0xa0, 0x60, 0xf4, 0xed, 0x26, 0x0f +}; + +void ge_montx_to_p2(ge_p2* p, const fe u, const unsigned char ed_sign_bit) +{ + fe x, y, A, v, v2, iv, nx; + + fe_frombytes(A, A_bytes); + + /* given u, recover edwards y */ + /* given u, recover v */ + /* given u and v, recover edwards x */ + + fe_montx_to_edy(y, u); /* y = (u - 1) / (u + 1) */ + + fe_mont_rhs(v2, u); /* v^2 = u(u^2 + Au + 1) */ + fe_sqrt(v, v2); /* v = sqrt(v^2) */ + + fe_mul(x, u, A); /* x = u * sqrt(-(A+2)) */ + fe_invert(iv, v); /* 1/v */ + fe_mul(x, x, iv); /* x = (u/v) * sqrt(-(A+2)) */ + + fe_neg(nx, x); /* negate x to match sign bit */ + fe_cmov(x, nx, fe_isnegative(x) ^ ed_sign_bit); + + fe_copy(p->X, x); + fe_copy(p->Y, y); + fe_1(p->Z); + + /* POSTCONDITION: check that p->X and p->Y satisfy the Ed curve equation */ + /* -x^2 + y^2 = 1 + dx^2y^2 */ +#ifndef NDEBUG + { + fe one, d, x2, y2, x2y2, dx2y2; + + unsigned char dbytes[32] = { + 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75, + 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00, + 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c, + 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52 + }; + + fe_frombytes(d, dbytes); + fe_1(one); + fe_sq(x2, p->X); /* x^2 */ + fe_sq(y2, p->Y); /* y^2 */ + + fe_mul(dx2y2, x2, y2); /* x^2y^2 */ + fe_mul(dx2y2, dx2y2, d); /* dx^2y^2 */ + fe_add(dx2y2, dx2y2, one); /* dx^2y^2 + 1 */ + + fe_neg(x2y2, x2); /* -x^2 */ + fe_add(x2y2, x2y2, y2); /* -x^2 + y^2 */ + + assert(fe_isequal(x2y2, dx2y2)); + } +#endif +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c new file mode 100644 index 0000000000..7a716c5a72 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c @@ -0,0 +1,70 @@ +#include "fe.h" +#include "ge.h" +#include "assert.h" +#include "crypto_additions.h" +#include "utility.h" + +/* sqrt(-(A+2)) */ +static unsigned char A_bytes[32] = { + 0x06, 0x7e, 0x45, 0xff, 0xaa, 0x04, 0x6e, 0xcc, + 0x82, 0x1a, 0x7d, 0x4b, 0xd1, 0xd3, 0xa1, 0xc5, + 0x7e, 0x4f, 0xfc, 0x03, 0xdc, 0x08, 0x7b, 0xd2, + 0xbb, 0x06, 0xa0, 0x60, 0xf4, 0xed, 0x26, 0x0f +}; + +void ge_montx_to_p3(ge_p3* p, const fe u, const unsigned char ed_sign_bit) +{ + fe x, y, A, v, v2, iv, nx; + + fe_frombytes(A, A_bytes); + + /* given u, recover edwards y */ + /* given u, recover v */ + /* given u and v, recover edwards x */ + + fe_montx_to_edy(y, u); /* y = (u - 1) / (u + 1) */ + + fe_mont_rhs(v2, u); /* v^2 = u(u^2 + Au + 1) */ + fe_sqrt(v, v2); /* v = sqrt(v^2) */ + + fe_mul(x, u, A); /* x = u * sqrt(-(A+2)) */ + fe_invert(iv, v); /* 1/v */ + fe_mul(x, x, iv); /* x = (u/v) * sqrt(-(A+2)) */ + + fe_neg(nx, x); /* negate x to match sign bit */ + fe_cmov(x, nx, fe_isnegative(x) ^ ed_sign_bit); + + fe_copy(p->X, x); + fe_copy(p->Y, y); + fe_1(p->Z); + fe_mul(p->T, p->X, p->Y); + + /* POSTCONDITION: check that p->X and p->Y satisfy the Ed curve equation */ + /* -x^2 + y^2 = 1 + dx^2y^2 */ +#ifndef NDEBUG + { + fe one, d, x2, y2, x2y2, dx2y2; + + unsigned char dbytes[32] = { + 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75, + 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00, + 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c, + 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52 + }; + + fe_frombytes(d, dbytes); + fe_1(one); + fe_sq(x2, p->X); /* x^2 */ + fe_sq(y2, p->Y); /* y^2 */ + + fe_mul(dx2y2, x2, y2); /* x^2y^2 */ + fe_mul(dx2y2, dx2y2, d); /* dx^2y^2 */ + fe_add(dx2y2, dx2y2, one); /* dx^2y^2 + 1 */ + + fe_neg(x2y2, x2); /* -x^2 */ + fe_add(x2y2, x2y2, y2); /* -x^2 + y^2 */ + + assert(fe_isequal(x2y2, dx2y2)); + } +#endif +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c new file mode 100644 index 0000000000..d679713fe0 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c @@ -0,0 +1,15 @@ +#include "crypto_additions.h" +#include "ge.h" + +/* +return r = -p +*/ + + +void ge_neg(ge_p3* r, const ge_p3 *p) +{ + fe_neg(r->X, p->X); + fe_copy(r->Y, p->Y); + fe_copy(r->Z, p->Z); + fe_neg(r->T, p->T); +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c new file mode 100644 index 0000000000..b539b2f17f --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c @@ -0,0 +1,21 @@ +#include "fe.h" +#include "crypto_additions.h" + +void ge_p3_to_montx(fe u, const ge_p3 *ed) +{ + /* + u = (y + 1) / (1 - y) + or + u = (y + z) / (z - y) + + NOTE: y=1 is converted to u=0 since fe_invert is mod-exp + */ + + fe y_plus_one, one_minus_y, inv_one_minus_y; + + fe_add(y_plus_one, ed->Y, ed->Z); + fe_sub(one_minus_y, ed->Z, ed->Y); + fe_invert(inv_one_minus_y, one_minus_y); + fe_mul(u, y_plus_one, inv_one_minus_y); +} + diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c new file mode 100644 index 0000000000..e4f741b8d8 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c @@ -0,0 +1,140 @@ +#include "crypto_uint32.h" +#include "ge.h" +#include "crypto_additions.h" + +static unsigned char equal(signed char b,signed char c) +{ + unsigned char ub = b; + unsigned char uc = c; + unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */ + crypto_uint32 y = x; /* 0: yes; 1..255: no */ + y -= 1; /* 4294967295: yes; 0..254: no */ + y >>= 31; /* 1: yes; 0: no */ + return y; +} + +static unsigned char negative(signed char b) +{ + unsigned long long x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */ + x >>= 63; /* 1: yes; 0: no */ + return x; +} + +static void cmov(ge_cached *t,const ge_cached *u,unsigned char b) +{ + fe_cmov(t->YplusX,u->YplusX,b); + fe_cmov(t->YminusX,u->YminusX,b); + fe_cmov(t->Z,u->Z,b); + fe_cmov(t->T2d,u->T2d,b); +} + +static void select(ge_cached *t,const ge_cached *pre, signed char b) +{ + ge_cached minust; + unsigned char bnegative = negative(b); + unsigned char babs = b - (((-bnegative) & b) << 1); + + fe_1(t->YplusX); + fe_1(t->YminusX); + fe_1(t->Z); + fe_0(t->T2d); + + cmov(t,pre+0,equal(babs,1)); + cmov(t,pre+1,equal(babs,2)); + cmov(t,pre+2,equal(babs,3)); + cmov(t,pre+3,equal(babs,4)); + cmov(t,pre+4,equal(babs,5)); + cmov(t,pre+5,equal(babs,6)); + cmov(t,pre+6,equal(babs,7)); + cmov(t,pre+7,equal(babs,8)); + fe_copy(minust.YplusX,t->YminusX); + fe_copy(minust.YminusX,t->YplusX); + fe_copy(minust.Z,t->Z); + fe_neg(minust.T2d,t->T2d); + cmov(t,&minust,bnegative); +} + +/* +h = a * B +where a = a[0]+256*a[1]+...+256^31 a[31] +B is the Ed25519 base point (x,4/5) with x positive. + +Preconditions: + a[31] <= 127 +*/ + +void ge_scalarmult(ge_p3 *h, const unsigned char *a, const ge_p3 *A) +{ + signed char e[64]; + signed char carry; + ge_p1p1 r; + ge_p2 s; + ge_p3 t0, t1, t2; + ge_cached t, pre[8]; + int i; + + for (i = 0;i < 32;++i) { + e[2 * i + 0] = (a[i] >> 0) & 15; + e[2 * i + 1] = (a[i] >> 4) & 15; + } + /* each e[i] is between 0 and 15 */ + /* e[63] is between 0 and 7 */ + + carry = 0; + for (i = 0;i < 63;++i) { + e[i] += carry; + carry = e[i] + 8; + carry >>= 4; + e[i] -= carry << 4; + } + e[63] += carry; + /* each e[i] is between -8 and 8 */ + + // Precomputation: + ge_p3_to_cached(pre+0, A); // A + + ge_p3_dbl(&r, A); + ge_p1p1_to_p3(&t0, &r); + ge_p3_to_cached(pre+1, &t0); // 2A + + ge_add(&r, A, pre+1); + ge_p1p1_to_p3(&t1, &r); + ge_p3_to_cached(pre+2, &t1); // 3A + + ge_p3_dbl(&r, &t0); + ge_p1p1_to_p3(&t0, &r); + ge_p3_to_cached(pre+3, &t0); // 4A + + ge_add(&r, A, pre+3); + ge_p1p1_to_p3(&t2, &r); + ge_p3_to_cached(pre+4, &t2); // 5A + + ge_p3_dbl(&r, &t1); + ge_p1p1_to_p3(&t1, &r); + ge_p3_to_cached(pre+5, &t1); // 6A + + ge_add(&r, A, pre+5); + ge_p1p1_to_p3(&t1, &r); + ge_p3_to_cached(pre+6, &t1); // 7A + + ge_p3_dbl(&r, &t0); + ge_p1p1_to_p3(&t0, &r); + ge_p3_to_cached(pre+7, &t0); // 8A + + ge_p3_0(h); + + for (i = 63;i > 0; i--) { + select(&t,pre,e[i]); + ge_add(&r, h, &t); + ge_p1p1_to_p2(&s,&r); + + ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r); + ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r); + ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r); + ge_p2_dbl(&r,&s); ge_p1p1_to_p3(h,&r); + + } + select(&t,pre,e[0]); + ge_add(&r, h, &t); + ge_p1p1_to_p3(h,&r); +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c new file mode 100644 index 0000000000..6affbb05d5 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c @@ -0,0 +1,21 @@ +#include "crypto_additions.h" +#include "ge.h" + +/* +return 8 * p +*/ + +void ge_scalarmult_cofactor(ge_p3 *q, const ge_p3 *p) +{ + ge_p1p1 p1p1; + ge_p2 p2; + + ge_p3_dbl(&p1p1, p); + ge_p1p1_to_p2(&p2, &p1p1); + + ge_p2_dbl(&p1p1, &p2); + ge_p1p1_to_p2(&p2, &p1p1); + + ge_p2_dbl(&p1p1, &p2); + ge_p1p1_to_p3(q, &p1p1); +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c b/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c new file mode 100644 index 0000000000..de7cdcd598 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c @@ -0,0 +1,21 @@ +#include "ge.h" +#include "keygen.h" +#include "crypto_additions.h" + +void curve25519_keygen(unsigned char* curve25519_pubkey_out, + const unsigned char* curve25519_privkey_in) +{ + /* Perform a fixed-base multiplication of the Edwards base point, + (which is efficient due to precalculated tables), then convert + to the Curve25519 montgomery-format public key. + + NOTE: y=1 is converted to u=0 since fe_invert is mod-exp + */ + + ge_p3 ed; /* Ed25519 pubkey point */ + fe u; + + ge_scalarmult_base(&ed, curve25519_privkey_in); + ge_p3_to_montx(u, &ed); + fe_tobytes(curve25519_pubkey_out, u); +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h b/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h new file mode 100644 index 0000000000..e86e7c5582 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h @@ -0,0 +1,12 @@ + +#ifndef __KEYGEN_H__ +#define __KEYGEN_H__ + +/* Sets and clears bits to make a random 32 bytes into a private key */ +void sc_clamp(unsigned char* a); + +/* The private key should be 32 random bytes "clamped" by sc_clamp() */ +void curve25519_keygen(unsigned char* curve25519_pubkey_out, /* 32 bytes */ + const unsigned char* curve25519_privkey_in); /* 32 bytes */ + +#endif diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c new file mode 100644 index 0000000000..a156098191 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c @@ -0,0 +1,45 @@ +#include <string.h> +#include "crypto_sign.h" +#include "crypto_hash_sha512.h" +#include "crypto_verify_32.h" +#include "ge.h" +#include "sc.h" +#include "crypto_additions.h" + +int crypto_sign_open_modified( + unsigned char *m, + const unsigned char *sm,unsigned long long smlen, + const unsigned char *pk +) +{ + unsigned char pkcopy[32]; + unsigned char rcopy[32]; + unsigned char scopy[32]; + unsigned char h[64]; + unsigned char rcheck[32]; + ge_p3 A; + ge_p2 R; + + if (smlen < 64) goto badsig; + if (sm[63] & 224) goto badsig; /* strict parsing of s */ + if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig; + + memmove(pkcopy,pk,32); + memmove(rcopy,sm,32); + memmove(scopy,sm + 32,32); + + memmove(m,sm,smlen); + memmove(m + 32,pkcopy,32); + crypto_hash_sha512(h,m,smlen); + sc_reduce(h); + + ge_double_scalarmult_vartime(&R,h,&A,scopy); + ge_tobytes(rcheck,&R); + + if (crypto_verify_32(rcheck,rcopy) == 0) { + return 0; + } + +badsig: + return -1; +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c new file mode 100644 index 0000000000..7788be9071 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c @@ -0,0 +1,8 @@ +#include "crypto_additions.h" + +void sc_clamp(unsigned char* a) +{ + a[0] &= 248; + a[31] &= 127; + a[31] |= 64; +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c new file mode 100644 index 0000000000..443a5bb71e --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c @@ -0,0 +1,21 @@ +#include "crypto_additions.h" + +/* +Replace (f,g) with (g,g) if b == 1; +replace (f,g) with (f,g) if b == 0. + +Preconditions: b in {0,1}. +*/ + +void sc_cmov(unsigned char* f, const unsigned char* g, unsigned char b) +{ + int count=32; + unsigned char x[32]; + for (count=0; count < 32; count++) + x[count] = f[count] ^ g[count]; + b = -b; + for (count=0; count < 32; count++) + x[count] &= b; + for (count=0; count < 32; count++) + f[count] = f[count] ^ x[count]; +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c new file mode 100644 index 0000000000..ef407d405e --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c @@ -0,0 +1,25 @@ +#include <string.h> +#include "crypto_additions.h" +#include "sc.h" + +/* l = order of base point = 2^252 + 27742317777372353535851937790883648493 */ + +/* +static unsigned char l[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, + 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0, 0x10}; +*/ + +static unsigned char lminus1[32] = {0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, + 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10}; + +/* b = -a (mod l) */ +void sc_neg(unsigned char *b, const unsigned char *a) +{ + unsigned char zero[32]; + memset(zero, 0, 32); + sc_muladd(b, lminus1, a, zero); /* b = (-1)a + 0 (mod l) */ +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c index 61332e70e7..b2fb8c20d3 100644 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c @@ -4,6 +4,7 @@ #include "ge.h" #include "sc.h" #include "zeroize.h" +#include "crypto_additions.h" /* NEW: Compare to pristine crypto_sign() Uses explicit private key for nonce derivation and as scalar, @@ -36,6 +37,7 @@ int crypto_sign_modified( memmove(sm + 32,pk,32); sc_reduce(nonce); + ge_scalarmult_base(&R,nonce); ge_p3_tobytes(sm,&R); @@ -43,5 +45,9 @@ int crypto_sign_modified( sc_reduce(hram); sc_muladd(sm + 32,hram,sk,nonce); /* NEW: Use privkey directly */ + /* Erase any traces of private scalar or + nonce left in the stack from sc_muladd */ + zeroize_stack(); + zeroize(nonce, 64); return 0; } diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c new file mode 100644 index 0000000000..412f8c4c9b --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c @@ -0,0 +1,100 @@ +#include <string.h> +#include "sc.h" +#include "ge.h" +#include "crypto_hash_sha512.h" +#include "crypto_verify_32.h" +#include "crypto_additions.h" +#include "crypto_sign.h" + +int crypto_usign_open_modified( + unsigned char *m,unsigned long long *mlen, + const unsigned char *sm,unsigned long long smlen, + const unsigned char *pk, const ge_p3* Bu +) +{ + ge_p3 U; + unsigned char h[64]; + unsigned char s[64]; + unsigned char strict[64]; + ge_p3 A; + ge_p2 R; + unsigned char hcheck[64]; + int count; + + if (smlen < 96) goto badsig; + if (sm[63] & 224) goto badsig; /* strict parsing of h */ + if (sm[95] & 224) goto badsig; /* strict parsing of s */ + + /* Load -A */ + if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig; + + /* Load -U, h, s */ + ge_frombytes_negate_vartime(&U, sm); + memset(h, 0, 64); + memset(s, 0, 64); + memmove(h, sm + 32, 32); + memmove(s, sm + 64, 32); + + /* Insist that s and h are reduced scalars (strict parsing) */ + memcpy(strict, h, 64); + sc_reduce(strict); + if (memcmp(strict, h, 32) != 0) + goto badsig; + memcpy(strict, s, 64); + sc_reduce(strict); + if (memcmp(strict, s, 32) != 0) + goto badsig; + + /* Reject U (actually -U) if small order */ + if (ge_is_small_order(&U)) + goto badsig; + + // R = sB + h(-A) + ge_double_scalarmult_vartime(&R,h,&A,s); + + // Ru = sBu + h(-U) + ge_p3 sBu, hU; + + // sBu + ge_scalarmult(&sBu, s, Bu); + + // h(-U) + ge_scalarmult(&hU, h, &U); + + // Ru = sBu + h(-U) + ge_p1p1 Rp1p1; + ge_p3 Ru; + ge_cached hUcached; + ge_p3_to_cached(&hUcached, &hU); + ge_add(&Rp1p1, &sBu, &hUcached); + ge_p1p1_to_p3(&Ru, &Rp1p1); + + + // Check h == SHA512(label(4) || A || U || R || Ru || M) + m[0] = 0xFB; + for (count = 1; count < 32; count++) + m[count] = 0xFF; + memmove(m+32, pk, 32); + /* undo the negation for U */ + fe_neg(U.X, U.X); + fe_neg(U.T, U.T); + ge_p3_tobytes(m+64, &U); + ge_tobytes(m+96, &R); + ge_p3_tobytes(m+128, &Ru); + memmove(m+160, sm+96, smlen - 96); + + crypto_hash_sha512(hcheck, m, smlen + 64); + sc_reduce(hcheck); + + if (crypto_verify_32(hcheck, h) == 0) { + memmove(m,m + 64,smlen - 64); + memset(m + smlen - 64,0,64); + *mlen = smlen - 64; + return 0; + } + +badsig: + *mlen = -1; + memset(m,0,smlen); + return -1; +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c new file mode 100644 index 0000000000..3bbd871b7a --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c @@ -0,0 +1,62 @@ +#include <string.h> +#include "crypto_sign.h" +#include "crypto_hash_sha512.h" +#include "ge.h" +#include "sc.h" +#include "zeroize.h" +#include "crypto_additions.h" + +/* NEW: Compare to pristine crypto_sign() + Uses explicit private key for nonce derivation and as scalar, + instead of deriving both from a master key. +*/ +int crypto_usign_modified( + unsigned char *sm, + const unsigned char *M,unsigned long Mlen, + const unsigned char *a, + const unsigned char *A, + const unsigned char *random, + const ge_p3 *Bu, + const unsigned char *U +) +{ + unsigned char r[64]; + unsigned char h[64]; + ge_p3 R, Ru; + int count=0; + + /* r = SHA512(label(3) || a || U || random(64)) */ + sm[0] = 0xFC; + for (count = 1; count < 32; count++) + sm[count] = 0xFF; + + memmove(sm + 32, a, 32); /* Use privkey directly for nonce derivation */ + memmove(sm + 64, U, 32); + + memmove(sm + 96, random, 64); /* Add suffix of random data */ + crypto_hash_sha512(r, sm, 160); + + sc_reduce(r); + ge_scalarmult_base(&R, r); + ge_scalarmult(&Ru, r, Bu); + + /* h = SHA512(label(4) || A || U || R || Ru || M) */ + sm[0] = 0xFB; + memmove(sm + 32, A, 32); + memmove(sm + 64, U, 32); + ge_p3_tobytes(sm+96, &R); + ge_p3_tobytes(sm+128, &Ru); + memmove(sm + 160, M, Mlen); + + crypto_hash_sha512(h, sm, Mlen + 160); + sc_reduce(h); + + memmove(sm, h, 32); /* Write h */ + sc_muladd(sm + 32, h, a, r); /* Write s */ + + /* Erase any traces of private scalar or + nonce left in the stack from sc_muladd. */ + zeroize_stack(); + zeroize(r, 64); + return 0; +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/utility.c b/libs/libaxolotl/src/curve25519/ed25519/additions/utility.c new file mode 100644 index 0000000000..c59099a9e3 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/utility.c @@ -0,0 +1,29 @@ +#include <stdlib.h> +#include <stdio.h> +#include "utility.h" + +void print_vector(const char* name, const unsigned char* v) +{ + int count; + printf("%s = \n", name); + for (count = 0; count < 32; count++) + printf("%02x ", v[count]); + printf("\n"); +} + +void print_bytes(const char* name, const unsigned char* v, int numbytes) +{ + int count; + printf("%s = \n", name); + for (count = 0; count < numbytes; count++) + printf("%02x ", v[count]); + printf("\n"); +} + +void print_fe(const char* name, const fe in) +{ + unsigned char bytes[32]; + fe_tobytes(bytes, in); + print_vector(name, bytes); +} + diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/utility.h b/libs/libaxolotl/src/curve25519/ed25519/additions/utility.h new file mode 100644 index 0000000000..35348782df --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/utility.h @@ -0,0 +1,11 @@ + +#ifndef __UTILITY_H__ +#define __UTILITY_H__ + +#include "fe.h" + +void print_vector(const char* name, const unsigned char* v); +void print_bytes(const char* name, const unsigned char* v, int numbytes); +void print_fe(const char* name, const fe in); + +#endif diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c new file mode 100644 index 0000000000..3dfc7fba6f --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c @@ -0,0 +1,85 @@ +#include <string.h> +#include "sc.h" +#include "ge.h" +#include "crypto_hash_sha512.h" +#include "crypto_verify_32.h" +#include "crypto_additions.h" +#include "crypto_sign.h" + +int crypto_vsign_open_modified( + unsigned char *m, + const unsigned char *sm,unsigned long long smlen, + const unsigned char *pk, const ge_p3* Bv +) +{ + ge_p3 Vneg, V, Aneg, A, c_V, c_A, h_Vneg, s_Bv; + unsigned char h[32]; + unsigned char s[32]; + ge_p2 R; + unsigned char hcheck[64]; + unsigned char vrf_output[64]; + int count; + + if (smlen < 96) goto badsig; + if (sm[63] & 224) goto badsig; /* strict parsing of h */ + if (sm[95] & 224) goto badsig; /* strict parsing of s */ + + /* Load -A */ + if (ge_frombytes_negate_vartime(&Aneg,pk) != 0) goto badsig; + + /* Load -V, h, s */ + if (ge_frombytes_negate_vartime(&Vneg, sm) != 0) goto badsig; + memmove(h, sm + 32, 32); + memmove(s, sm + 64, 32); + if (h[31] & 224) goto badsig; /* strict parsing of h */ + if (s[31] & 224) goto badsig; /* strict parsing of s */ + + ge_neg(&A, &Aneg); + ge_neg(&V, &Vneg); + ge_scalarmult_cofactor(&c_A, &A); + ge_scalarmult_cofactor(&c_V, &V); + if (ge_isneutral(&c_A) || ge_isneutral(&c_V) || ge_isneutral(Bv)) + goto badsig; + + // R = (s*B) + (h * -A)) + ge_double_scalarmult_vartime(&R, h, &Aneg, s); + + // s * Bv + ge_scalarmult(&s_Bv, s, Bv); + + // h * -V + ge_scalarmult(&h_Vneg, h, &Vneg); + + // Rv = (sc * Bv) + (hc * (-V)) + ge_p1p1 Rp1p1; + ge_p3 Rv; + ge_cached h_Vnegcached; + ge_p3_to_cached(&h_Vnegcached, &h_Vneg); + ge_add(&Rp1p1, &s_Bv, &h_Vnegcached); + ge_p1p1_to_p3(&Rv, &Rp1p1); + + // Check h == SHA512(label(4) || A || V || R || Rv || M) + m[0] = 0xFB; // label 4 + for (count = 1; count < 32; count++) + m[count] = 0xFF; + memmove(m+32, pk, 32); + ge_p3_tobytes(m+64, &V); + ge_tobytes(m+96, &R); + ge_p3_tobytes(m+128, &Rv); + memmove(m+160, sm+96, smlen - 96); + + crypto_hash_sha512(hcheck, m, smlen + 64); + sc_reduce(hcheck); + + if (crypto_verify_32(hcheck, h) == 0) { + ge_p3_tobytes(m+32, &c_V); + m[0] = 0xFA; // label 5 + crypto_hash_sha512(vrf_output, m, 64); + memmove(m, vrf_output, 32); + return 0; + } + +badsig: + memset(m, 0, 32); + return -1; +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/vsign_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/vsign_modified.c new file mode 100644 index 0000000000..518b851d63 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/vsign_modified.c @@ -0,0 +1,62 @@ +#include <string.h> +#include "crypto_sign.h" +#include "crypto_hash_sha512.h" +#include "ge.h" +#include "sc.h" +#include "zeroize.h" +#include "crypto_additions.h" + +/* NEW: Compare to pristine crypto_sign() + Uses explicit private key for nonce derivation and as scalar, + instead of deriving both from a master key. +*/ +int crypto_vsign_modified( + unsigned char *sm, + const unsigned char *M,unsigned long Mlen, + const unsigned char *a, + const unsigned char *A, + const unsigned char *random, + const ge_p3 *Bv, + const unsigned char *V +) +{ + unsigned char r[64]; + unsigned char h[64]; + ge_p3 R, Rv; + int count=0; + + /* r = SHA512(label(3) || a || V || random(64)) */ + sm[0] = 0xFC; + for (count = 1; count < 32; count++) + sm[count] = 0xFF; + + memmove(sm + 32, a, 32); /* Use privkey directly for nonce derivation */ + memmove(sm + 64, V, 32); + + memmove(sm + 96, random, 64); /* Add suffix of random data */ + crypto_hash_sha512(r, sm, 160); + + sc_reduce(r); + ge_scalarmult_base(&R, r); + ge_scalarmult(&Rv, r, Bv); + + /* h = SHA512(label(4) || A || V || R || Rv || M) */ + sm[0] = 0xFB; + memmove(sm + 32, A, 32); + memmove(sm + 64, V, 32); + ge_p3_tobytes(sm+96, &R); + ge_p3_tobytes(sm+128, &Rv); + memmove(sm + 160, M, Mlen); + + crypto_hash_sha512(h, sm, Mlen + 160); + sc_reduce(h); + + memmove(sm, h, 32); /* Write h */ + sc_muladd(sm + 32, h, a, r); /* Write s */ + + /* Erase any traces of private scalar or + nonce left in the stack from sc_muladd. */ + zeroize_stack(); + zeroize(r, 64); + return 0; +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c new file mode 100644 index 0000000000..802a73563d --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c @@ -0,0 +1,91 @@ +#include <string.h> +#include "ge.h" +#include "crypto_additions.h" +#include "zeroize.h" +#include "vxeddsa.h" +#include "crypto_verify_32.h" + +int vxed25519_sign(unsigned char* signature_out, + const unsigned char* curve25519_privkey, + const unsigned char* msg, const unsigned long msg_len, + const unsigned char* random) +{ + unsigned char a[32], aneg[32]; + unsigned char A[32]; + ge_p3 Bv, ed_pubkey_point; + unsigned char sigbuf[MAX_MSG_LEN + 160]; /* working buffer */ + unsigned char sign_bit = 0; + + if (msg_len > MAX_MSG_LEN) { + memset(signature_out, 0, 96); + return -1; + } + /* Convert the Curve25519 privkey to an Ed25519 public key */ + ge_scalarmult_base(&ed_pubkey_point, curve25519_privkey); + ge_p3_tobytes(A, &ed_pubkey_point); + + /* Force Edwards sign bit to zero */ + sign_bit = (A[31] & 0x80) >> 7; + memcpy(a, curve25519_privkey, 32); + sc_neg(aneg, a); + sc_cmov(a, aneg, sign_bit); + A[31] &= 0x7F; + + calculate_Bv_and_V(&Bv, signature_out, sigbuf, a, A, msg, msg_len); + + /* Perform an Ed25519 signature with explicit private key */ + crypto_vsign_modified(sigbuf, msg, msg_len, a, A, random, &Bv, signature_out /*V*/); + memmove(signature_out+32, sigbuf, 64); + + zeroize(a, 32); + zeroize(aneg, 32); + return 0; +} + +int vxed25519_verify(unsigned char* vrf_out, + const unsigned char* signature, + const unsigned char* curve25519_pubkey, + const unsigned char* msg, const unsigned long msg_len) +{ + fe u; + fe y; + unsigned char ed_pubkey[32]; + unsigned char strict[32]; + unsigned char verifybuf[MAX_MSG_LEN + 160]; /* working buffer */ + unsigned char verifybuf2[MAX_MSG_LEN + 160]; /* working buffer #2 ?? !!! */ + ge_p3 Bv; + + if (msg_len > MAX_MSG_LEN) { + return -1; + } + + /* Convert the Curve25519 public key (u) into an Ed25519 public key. + + y = (u - 1) / (u + 1) + + NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp + */ + fe_frombytes(u, curve25519_pubkey); + fe_tobytes(strict, u); + if (crypto_verify_32(strict, curve25519_pubkey) != 0) + return 0; + fe_montx_to_edy(y, u); + fe_tobytes(ed_pubkey, y); + + calculate_Bv(&Bv, verifybuf, ed_pubkey, msg, msg_len); + + memmove(verifybuf, signature, 96); + memmove(verifybuf+96, msg, msg_len); + + /* Then perform a signature verification, return 0 on success */ + /* The below call has a strange API: */ + /* verifybuf = V || h || s || message */ + /* verifybuf2 = used as buffer, gets the VRF output if success */ + if (crypto_vsign_open_modified(verifybuf2, verifybuf, 96 + msg_len, ed_pubkey, &Bv) == 0) { + memmove(vrf_out, verifybuf2, 32); + return 0; + } else { + memset(vrf_out, 0, 32); + return -1; + } +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.h b/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.h new file mode 100644 index 0000000000..4e48844170 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.h @@ -0,0 +1,18 @@ + +#ifndef __VXEDDSA_H__ +#define __VXEDDSA_H__ + +/* returns 0 on success */ +int vxed25519_sign(unsigned char* signature_out, /* 96 bytes */ + const unsigned char* curve25519_privkey, /* 32 bytes */ + const unsigned char* msg, const unsigned long msg_len, /* <= 256 bytes */ + const unsigned char* random); /* 64 bytes */ + +/* returns 0 on success */ +int vxed25519_verify(unsigned char* vrf_out, /* 32 bytes */ + const unsigned char* signature, /* 96 bytes */ + const unsigned char* curve25519_pubkey, /* 32 bytes */ + const unsigned char* msg, const unsigned long msg_len); /* <= 256 bytes */ + + +#endif diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c new file mode 100644 index 0000000000..ee2964a0d5 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c @@ -0,0 +1,82 @@ +#include <string.h> +#include "ge.h" +#include "crypto_additions.h" +#include "zeroize.h" +#include "xeddsa.h" +#include "crypto_verify_32.h" + +int xed25519_sign(unsigned char* signature_out, + const unsigned char* curve25519_privkey, + const unsigned char* msg, const unsigned long msg_len, + const unsigned char* random) +{ + unsigned char a[32], aneg[32]; + unsigned char A[32]; + ge_p3 ed_pubkey_point; + unsigned char *sigbuf; /* working buffer */ + unsigned char sign_bit = 0; + + if ((sigbuf = malloc(msg_len + 128)) == 0) { + memset(signature_out, 0, 64); + return -1; + } + + /* Convert the Curve25519 privkey to an Ed25519 public key */ + ge_scalarmult_base(&ed_pubkey_point, curve25519_privkey); + ge_p3_tobytes(A, &ed_pubkey_point); + + /* Force Edwards sign bit to zero */ + sign_bit = (A[31] & 0x80) >> 7; + memcpy(a, curve25519_privkey, 32); + sc_neg(aneg, a); + sc_cmov(a, aneg, sign_bit); + A[31] &= 0x7F; + + /* Perform an Ed25519 signature with explicit private key */ + crypto_sign_modified(sigbuf, msg, msg_len, a, A, random); + memmove(signature_out, sigbuf, 64); + + zeroize(a, 32); + zeroize(aneg, 32); + free(sigbuf); + return 0; +} + +int xed25519_verify(const unsigned char* signature, + const unsigned char* curve25519_pubkey, + const unsigned char* msg, const unsigned long msg_len) +{ + fe u; + fe y; + unsigned char ed_pubkey[32]; + unsigned char strict[32]; + unsigned char verifybuf[MAX_MSG_LEN + 64]; /* working buffer */ + unsigned char verifybuf2[MAX_MSG_LEN + 64]; /* working buffer #2 */ + + if (msg_len > MAX_MSG_LEN) { + return -1; + } + + /* Convert the Curve25519 public key into an Ed25519 public key. + + y = (u - 1) / (u + 1) + + NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp + */ + fe_frombytes(u, curve25519_pubkey); + fe_tobytes(strict, u); + if (crypto_verify_32(strict, curve25519_pubkey) != 0) + return 0; + fe_montx_to_edy(y, u); + fe_tobytes(ed_pubkey, y); + + memmove(verifybuf, signature, 64); + memmove(verifybuf+64, msg, msg_len); + + /* Then perform a normal Ed25519 verification, return 0 on success */ + /* The below call has a strange API: */ + /* verifybuf = R || S || message */ + /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets + replaced with pubkey for hashing */ + return crypto_sign_open_modified(verifybuf2, verifybuf, 64 + msg_len, ed_pubkey); +} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h new file mode 100644 index 0000000000..b86d7f0d9d --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h @@ -0,0 +1,16 @@ + +#ifndef __XEDDSA_H__ +#define __XEDDSA_H__ + +/* returns 0 on success */ +int xed25519_sign(unsigned char* signature_out, /* 64 bytes */ + const unsigned char* curve25519_privkey, /* 32 bytes */ + const unsigned char* msg, const unsigned long msg_len, /* <= 256 bytes */ + const unsigned char* random); /* 64 bytes */ + +/* returns 0 on success */ +int xed25519_verify(const unsigned char* signature, /* 64 bytes */ + const unsigned char* curve25519_pubkey, /* 32 bytes */ + const unsigned char* msg, const unsigned long msg_len); /* <= 256 bytes */ + +#endif diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c b/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c index 37c1f708bc..187e725eb5 100644 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c @@ -3,7 +3,6 @@ void zeroize(unsigned char* b, size_t len) { size_t count = 0; - unsigned long retval = 0; volatile unsigned char *p = b; for (count = 0; count < len; count++) @@ -13,5 +12,5 @@ void zeroize(unsigned char* b, size_t len) void zeroize_stack() { unsigned char m[ZEROIZE_STACK_SIZE]; - zeroize(m, sizeof m); + zeroize(m, ZEROIZE_STACK_SIZE); } diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h b/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h index 80fcffb768..0db68bb4c6 100644 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h +++ b/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h @@ -3,7 +3,7 @@ #include <stdlib.h> -#define ZEROIZE_STACK_SIZE 2048 +#define ZEROIZE_STACK_SIZE 1024 void zeroize(unsigned char* b, size_t len); diff --git a/libs/libaxolotl/src/curve25519/ed25519/fe_isnonzero.c b/libs/libaxolotl/src/curve25519/ed25519/fe_isnonzero.c index 47568001ce..0e087a783d 100644 --- a/libs/libaxolotl/src/curve25519/ed25519/fe_isnonzero.c +++ b/libs/libaxolotl/src/curve25519/ed25519/fe_isnonzero.c @@ -2,13 +2,22 @@ #include "crypto_verify_32.h" /* -return 1 if f == 0 +return nonzero if f == 0 return 0 if f != 0 Preconditions: |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */ +/* TREVOR'S COMMENT + * + * I think the above comment is wrong. Instead: + * + * return 0 if f == 0 + * return -1 if f != 0 + * + * */ + static const unsigned char zero[32]; int fe_isnonzero(const fe f) diff --git a/libs/libaxolotl/src/curve25519/ed25519/main/main.c b/libs/libaxolotl/src/curve25519/ed25519/main/main.c index 5fbe39956d..a6ff569b9e 100644 --- a/libs/libaxolotl/src/curve25519/ed25519/main/main.c +++ b/libs/libaxolotl/src/curve25519/ed25519/main/main.c @@ -1,106 +1,13 @@ -#include <stdio.h> -#include <string.h> -#include "crypto_hash_sha512.h" -#include "curve_sigs.h" +#include "tests.h" -#define MSG_LEN 200 int main(int argc, char* argv[]) { - unsigned char privkey[32]; - unsigned char pubkey[32]; - unsigned char signature[64]; - unsigned char msg[MSG_LEN]; - unsigned char random[64]; + all_fast_tests(0); + curvesigs_slow_test(0, 10000); + xeddsa_slow_test(0, 10000); + xeddsa_to_curvesigs_slow_test(0, 10000); + vxeddsa_slow_test(0, 10000000); - /* Initialize pubkey, privkey, msg */ - memset(msg, 0, MSG_LEN); - memset(privkey, 0, 32); - memset(pubkey, 0, 32); - privkey[0] &= 248; - privkey[31] &= 63; - privkey[31] |= 64; - - privkey[8] = 189; /* just so there's some bits set */ - - - /* SHA512 test */ - unsigned char sha512_input[112] = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"; - unsigned char sha512_correct_output[64] = -{ -0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA, -0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F, -0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1, -0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18, -0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4, -0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A, -0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54, -0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 -}; - unsigned char sha512_actual_output[64]; - - crypto_hash_sha512(sha512_actual_output, sha512_input, sizeof(sha512_input)); - if (memcmp(sha512_actual_output, sha512_correct_output, 64) != 0) - printf("SHA512 bad #1\n"); - else - printf("SHA512 good #1\n"); - - sha512_input[111] ^= 1; - - crypto_hash_sha512(sha512_actual_output, sha512_input, sizeof(sha512_input)); - if (memcmp(sha512_actual_output, sha512_correct_output, 64) != 0) - printf("SHA512 good #2\n"); - else - printf("SHA512 bad #2\n"); - - /* Signature test */ - curve25519_keygen(pubkey, privkey); - - curve25519_sign(signature, privkey, msg, MSG_LEN, random); - - if (curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0) - printf("Signature good #1\n"); - else - printf("Signature bad #1\n"); - - signature[0] ^= 1; - - if (curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0) - printf("Signature bad #2\n"); - else - printf("Signature good #2\n"); - - - printf("Random testing...\n"); - for (int count = 0; count < 10000; count++) { - unsigned char b[64]; - crypto_hash_sha512(b, privkey, 32); - memmove(privkey, b, 32); - crypto_hash_sha512(b, privkey, 32); - memmove(random, b, 64); - - privkey[0] &= 248; - privkey[31] &= 63; - privkey[31] |= 64; - - curve25519_keygen(pubkey, privkey); - - curve25519_sign(signature, privkey, msg, MSG_LEN, random); - - if (curve25519_verify(signature, pubkey, msg, MSG_LEN) != 0) { - printf("failure #1 %d\n", count); - return -1; - } - - if (b[63] & 1) - signature[count % 64] ^= 1; - else - msg[count % MSG_LEN] ^= 1; - if (curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0) { - printf("failure #2 %d\n", count); - return -1; - } - } - printf("OK\n"); - return 1; + return 0; } diff --git a/libs/libaxolotl/src/curve25519/ed25519/tests/tests.c b/libs/libaxolotl/src/curve25519/ed25519/tests/tests.c new file mode 100644 index 0000000000..79adae5d16 --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/tests/tests.c @@ -0,0 +1,658 @@ +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include "crypto_hash_sha512.h" +#include "keygen.h" +#include "curve_sigs.h" +#include "xeddsa.h" +#include "vxeddsa.h" +#include "crypto_additions.h" +#include "ge.h" +#include "utility.h" +#include "tests.h" +#include <assert.h> + + +#define ERROR(...) do {if (!silent) { printf(__VA_ARGS__); abort(); } else return -1; } while (0) +#define INFO(...) do {if (!silent) printf(__VA_ARGS__);} while (0) + +#define TEST(msg, cond) \ + do { \ + if ((cond)) { \ + INFO("%s good\n", msg); \ + } \ + else { \ + ERROR("%s BAD!!!\n", msg); \ + } \ + } while (0) + + +int sha512_fast_test(int silent) +{ + unsigned char sha512_input[112] = + "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"; + unsigned char sha512_correct_output[64] = + { + 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA, + 0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F, + 0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1, + 0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18, + 0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4, + 0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A, + 0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54, + 0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 + }; + unsigned char sha512_actual_output[64]; + + crypto_hash_sha512(sha512_actual_output, sha512_input, sizeof(sha512_input)); + TEST("SHA512 #1", memcmp(sha512_actual_output, sha512_correct_output, 64) == 0); + + sha512_input[111] ^= 1; + + crypto_hash_sha512(sha512_actual_output, sha512_input, sizeof(sha512_input)); + TEST("SHA512 #2", memcmp(sha512_actual_output, sha512_correct_output, 64) != 0); + + return 0; +} + +int elligator_fast_test(int silent) +{ + unsigned char elligator_correct_output[32] = + { + 0x5f, 0x35, 0x20, 0x00, 0x1c, 0x6c, 0x99, 0x36, + 0xa3, 0x12, 0x06, 0xaf, 0xe7, 0xc7, 0xac, 0x22, + 0x4e, 0x88, 0x61, 0x61, 0x9b, 0xf9, 0x88, 0x72, + 0x44, 0x49, 0x15, 0x89, 0x9d, 0x95, 0xf4, 0x6e + }; + + unsigned char hashtopoint_correct_output1[32] = + { + 0xce, 0x89, 0x9f, 0xb2, 0x8f, 0xf7, 0x20, 0x91, + 0x5e, 0x14, 0xf5, 0xb7, 0x99, 0x08, 0xab, 0x17, + 0xaa, 0x2e, 0xe2, 0x45, 0xb4, 0xfc, 0x2b, 0xf6, + 0x06, 0x36, 0x29, 0x40, 0xed, 0x7d, 0xe7, 0xed + }; + + unsigned char hashtopoint_correct_output2[32] = + { + 0xa0, 0x35, 0xbb, 0xa9, 0x4d, 0x30, 0x55, 0x33, + 0x0d, 0xce, 0xc2, 0x7f, 0x83, 0xde, 0x79, 0xd0, + 0x89, 0x67, 0x72, 0x4c, 0x07, 0x8d, 0x68, 0x9d, + 0x61, 0x52, 0x1d, 0xf9, 0x2c, 0x5c, 0xba, 0x77 + }; + + unsigned char calculatev_correct_output[32] = + { + 0x1b, 0x77, 0xb5, 0xa0, 0x44, 0x84, 0x7e, 0xb9, + 0x23, 0xd7, 0x93, 0x18, 0xce, 0xc2, 0xc5, 0xe2, + 0x84, 0xd5, 0x79, 0x6f, 0x65, 0x63, 0x1b, 0x60, + 0x9b, 0xf1, 0xf8, 0xce, 0x88, 0x0b, 0x50, 0x9c, + }; + + int count; + fe in, out; + unsigned char bytes[32]; + fe_0(in); + fe_0(out); + for (count = 0; count < 32; count++) { + bytes[count] = count; + } + fe_frombytes(in, bytes); + elligator(out, in); + fe_tobytes(bytes, out); + TEST("Elligator vector", memcmp(bytes, elligator_correct_output, 32) == 0); + + /* Elligator(0) == 0 test */ + fe_0(in); + elligator(out, in); + TEST("Elligator(0) == 0", memcmp(in, out, 32) == 0); + + /* ge_montx_to_p3(0) -> order2 point test */ + fe one, negone, zero; + fe_1(one); + fe_0(zero); + fe_sub(negone, zero, one); + ge_p3 p3; + ge_montx_to_p3(&p3, zero, 0); + TEST("ge_montx_to_p3(0) == order 2 point", + fe_isequal(p3.X, zero) && + fe_isequal(p3.Y, negone) && + fe_isequal(p3.Z, one) && + fe_isequal(p3.T, zero)); + + /* Hash to point vector test */ + unsigned char htp[32]; + + for (count=0; count < 32; count++) { + htp[count] = count; + } + + hash_to_point(&p3, htp, 32); + ge_p3_tobytes(htp, &p3); + TEST("hash_to_point #1", memcmp(htp, hashtopoint_correct_output1, 32) == 0); + + for (count=0; count < 32; count++) { + htp[count] = count+1; + } + + hash_to_point(&p3, htp, 32); + ge_p3_tobytes(htp, &p3); + TEST("hash_to_point #2", memcmp(htp, hashtopoint_correct_output2, 32) == 0); + + /* calculate_U vector test */ + ge_p3 Bv; + unsigned char V[32]; + unsigned char Vbuf[200]; + unsigned char a[32]; + unsigned char A[32]; + unsigned char Vmsg[3]; + Vmsg[0] = 0; + Vmsg[1] = 1; + Vmsg[2] = 2; + for (count=0; count < 32; count++) { + a[count] = 8 + count; + A[count] = 9 + count; + } + sc_clamp(a); + calculate_Bv_and_V(&Bv, V, Vbuf, a, A, Vmsg, 3); + TEST("calculate_Bv_and_V vector", memcmp(V, calculatev_correct_output, 32) == 0); + return 0; +} + +int curvesigs_fast_test(int silent) +{ + unsigned char signature_correct[64] = { + 0xcf, 0x87, 0x3d, 0x03, 0x79, 0xac, 0x20, 0xe8, + 0x89, 0x3e, 0x55, 0x67, 0xee, 0x0f, 0x89, 0x51, + 0xf8, 0xdb, 0x84, 0x0d, 0x26, 0xb2, 0x43, 0xb4, + 0x63, 0x52, 0x66, 0x89, 0xd0, 0x1c, 0xa7, 0x18, + 0xac, 0x18, 0x9f, 0xb1, 0x67, 0x85, 0x74, 0xeb, + 0xdd, 0xe5, 0x69, 0x33, 0x06, 0x59, 0x44, 0x8b, + 0x0b, 0xd6, 0xc1, 0x97, 0x3f, 0x7d, 0x78, 0x0a, + 0xb3, 0x95, 0x18, 0x62, 0x68, 0x03, 0xd7, 0x82, + }; + const int MSG_LEN = 200; + unsigned char privkey[32]; + unsigned char pubkey[32]; + unsigned char signature[64]; + unsigned char msg[MSG_LEN]; + unsigned char random[64]; + + memset(privkey, 0, 32); + memset(pubkey, 0, 32); + memset(signature, 0, 64); + memset(msg, 0, MSG_LEN); + memset(random, 0, 64); + + privkey[8] = 189; /* just so there's some bits set */ + sc_clamp(privkey); + + /* Signature vector test */ + curve25519_keygen(pubkey, privkey); + + curve25519_sign(signature, privkey, msg, MSG_LEN, random); + + TEST("Curvesig sign", memcmp(signature, signature_correct, 64) == 0); + TEST("Curvesig verify #1", curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0); + signature[0] ^= 1; + TEST("Curvesig verify #2", curve25519_verify(signature, pubkey, msg, MSG_LEN) != 0); + return 0; +} + +int xeddsa_fast_test(int silent) +{ + unsigned char signature_correct[64] = { + 0x11, 0xc7, 0xf3, 0xe6, 0xc4, 0xdf, 0x9e, 0x8a, + 0x51, 0x50, 0xe1, 0xdb, 0x3b, 0x30, 0xf9, 0x2d, + 0xe3, 0xa3, 0xb3, 0xaa, 0x43, 0x86, 0x56, 0x54, + 0x5f, 0xa7, 0x39, 0x0f, 0x4b, 0xcc, 0x7b, 0xb2, + 0x6c, 0x43, 0x1d, 0x9e, 0x90, 0x64, 0x3e, 0x4f, + 0x0e, 0xaa, 0x0e, 0x9c, 0x55, 0x77, 0x66, 0xfa, + 0x69, 0xad, 0xa5, 0x76, 0xd6, 0x3d, 0xca, 0xf2, + 0xac, 0x32, 0x6c, 0x11, 0xd0, 0xb9, 0x77, 0x02, + }; + const int MSG_LEN = 200; + unsigned char privkey[32]; + unsigned char pubkey[32]; + unsigned char signature[64]; + unsigned char msg[MSG_LEN]; + unsigned char random[64]; + + memset(privkey, 0, 32); + memset(pubkey, 0, 32); + memset(signature, 0, 64); + memset(msg, 0, MSG_LEN); + memset(random, 0, 64); + + privkey[8] = 189; /* just so there's some bits set */ + sc_clamp(privkey); + + /* Signature vector test */ + curve25519_keygen(pubkey, privkey); + + xed25519_sign(signature, privkey, msg, MSG_LEN, random); + TEST("XEdDSA sign", memcmp(signature, signature_correct, 64) == 0); + TEST("XEdDSA verify #1", xed25519_verify(signature, pubkey, msg, MSG_LEN) == 0); + signature[0] ^= 1; + TEST("XEdDSA verify #2", xed25519_verify(signature, pubkey, msg, MSG_LEN) != 0); + return 0; +} + +int vxeddsa_fast_test(int silent) +{ + unsigned char signature_correct[96] = { + 0x23, 0xc6, 0xe5, 0x93, 0x3f, 0xcd, 0x56, 0x47, + 0x7a, 0x86, 0xc9, 0x9b, 0x76, 0x2c, 0xb5, 0x24, + 0xc3, 0xd6, 0x05, 0x55, 0x38, 0x83, 0x4d, 0x4f, + 0x8d, 0xb8, 0xf0, 0x31, 0x07, 0xec, 0xeb, 0xa0, + 0xa0, 0x01, 0x50, 0xb8, 0x4c, 0xbb, 0x8c, 0xcd, + 0x23, 0xdc, 0x65, 0xfd, 0x0e, 0x81, 0xb2, 0x86, + 0x06, 0xa5, 0x6b, 0x0c, 0x4f, 0x53, 0x6d, 0xc8, + 0x8b, 0x8d, 0xc9, 0x04, 0x6e, 0x4a, 0xeb, 0x08, + 0xce, 0x08, 0x71, 0xfc, 0xc7, 0x00, 0x09, 0xa4, + 0xd6, 0xc0, 0xfd, 0x2d, 0x1a, 0xe5, 0xb6, 0xc0, + 0x7c, 0xc7, 0x22, 0x3b, 0x69, 0x59, 0xa8, 0x26, + 0x2b, 0x57, 0x78, 0xd5, 0x46, 0x0e, 0x0f, 0x05, + }; + const int MSG_LEN = 200; + unsigned char privkey[32]; + unsigned char pubkey[32]; + unsigned char signature[96]; + unsigned char msg[MSG_LEN]; + unsigned char random[64]; + unsigned char vrf_out[32]; + unsigned char vrf_outprev[32]; + + memset(privkey, 0, 32); + memset(pubkey, 0, 32); + memset(signature, 0, 96); + memset(msg, 0, MSG_LEN); + memset(random, 0, 64); + + privkey[8] = 189; /* just so there's some bits set */ + sc_clamp(privkey); + + /* Signature vector test */ + curve25519_keygen(pubkey, privkey); + + vxed25519_sign(signature, privkey, msg, MSG_LEN, random); + + TEST("VXEdDSA sign", memcmp(signature, signature_correct, 96) == 0); + TEST("VXEdDSA verify #1", vxed25519_verify(vrf_out, signature, pubkey, msg, MSG_LEN) == 0); + memcpy(vrf_outprev, vrf_out, 32); + signature[0] ^= 1; + TEST("VXEdDSA verify #2", vxed25519_verify(vrf_out, signature, pubkey, msg, MSG_LEN) != 0); + + /* Test U */ + unsigned char sigprev[96]; + memcpy(sigprev, signature, 96); + sigprev[0] ^= 1; /* undo prev disturbance */ + + random[0] ^= 1; + vxed25519_sign(signature, privkey, msg, MSG_LEN, random); + TEST("VXEdDSA verify #3", vxed25519_verify(vrf_out, signature, pubkey, msg, MSG_LEN) == 0); + + TEST("VXEdDSA VRF value unchanged", memcmp(vrf_out, vrf_outprev, 32) == 0); + TEST("VXEdDSA (h, s) changed", memcmp(signature+32, sigprev+32, 64) != 0); + return 0; +} + +int curvesigs_slow_test(int silent, int iterations) +{ + + unsigned char signature_10k_correct[64] = { + 0xfc, 0xba, 0x55, 0xc4, 0x85, 0x4a, 0x42, 0x25, + 0x19, 0xab, 0x08, 0x8d, 0xfe, 0xb5, 0x13, 0xb6, + 0x0d, 0x24, 0xbb, 0x16, 0x27, 0x55, 0x71, 0x48, + 0xdd, 0x20, 0xb1, 0xcd, 0x2a, 0xd6, 0x7e, 0x35, + 0xef, 0x33, 0x4c, 0x7b, 0x6d, 0x94, 0x6f, 0x52, + 0xec, 0x43, 0xd7, 0xe6, 0x35, 0x24, 0xcd, 0x5b, + 0x5d, 0xdc, 0xb2, 0x32, 0xc6, 0x22, 0x53, 0xf3, + 0x38, 0x02, 0xf8, 0x28, 0x28, 0xc5, 0x65, 0x05, + }; + + int count; + const int MSG_LEN = 200; + unsigned char privkey[32]; + unsigned char pubkey[32]; + unsigned char signature[64]; + unsigned char msg[MSG_LEN]; + unsigned char random[64]; + + memset(privkey, 0, 32); + memset(pubkey, 0, 32); + memset(signature, 0, 64); + memset(msg, 0, MSG_LEN); + memset(random, 0, 64); + + /* Signature random test */ + INFO("Pseudorandom curvesigs...\n"); + for (count = 1; count <= iterations; count++) { + unsigned char b[64]; + crypto_hash_sha512(b, signature, 64); + memmove(privkey, b, 32); + crypto_hash_sha512(b, privkey, 32); + memmove(random, b, 64); + + sc_clamp(privkey); + curve25519_keygen(pubkey, privkey); + + curve25519_sign(signature, privkey, msg, MSG_LEN, random); + + if (curve25519_verify(signature, pubkey, msg, MSG_LEN) != 0) + ERROR("Curvesig verify failure #1 %d\n", count); + + if (b[63] & 1) + signature[count % 64] ^= 1; + else + msg[count % MSG_LEN] ^= 1; + if (curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0) + ERROR("Curvesig verify failure #2 %d\n", count); + + if (count == 10000) { + if (memcmp(signature, signature_10k_correct, 64) != 0) + ERROR("Curvesig signature 10K doesn't match %d\n", count); + } + if (count == 100000) + print_bytes("100K curvesigs", signature, 64); + if (count == 1000000) + print_bytes("1M curvesigs", signature, 64); + if (count == 10000000) + print_bytes("10M curvesigs", signature, 64); + } + INFO("good\n"); + return 0; +} + +int xeddsa_slow_test(int silent, int iterations) +{ + + unsigned char signature_10k_correct[64] = { + 0x15, 0x29, 0x03, 0x38, 0x66, 0x16, 0xcd, 0x26, + 0xbb, 0x3e, 0xec, 0xe2, 0x9f, 0x72, 0xa2, 0x5c, + 0x7d, 0x05, 0xc9, 0xcb, 0x84, 0x3f, 0x92, 0x96, + 0xb3, 0xfb, 0xb9, 0xdd, 0xd6, 0xed, 0x99, 0x04, + 0xc1, 0xa8, 0x02, 0x16, 0xcf, 0x49, 0x3f, 0xf1, + 0xbe, 0x69, 0xf9, 0xf1, 0xcc, 0x16, 0xd7, 0xdc, + 0x6e, 0xd3, 0x78, 0xaa, 0x04, 0xeb, 0x71, 0x51, + 0x9d, 0xe8, 0x7a, 0x5b, 0xd8, 0x49, 0x7b, 0x05, + }; + + int count; + const int MSG_LEN = 200; + unsigned char privkey[32]; + unsigned char pubkey[32]; + unsigned char signature[96]; + unsigned char msg[MSG_LEN]; + unsigned char random[64]; + + memset(privkey, 0, 32); + memset(pubkey, 0, 32); + memset(signature, 1, 64); + memset(msg, 0, MSG_LEN); + memset(random, 0, 64); + + /* Signature random test */ + INFO("Pseudorandom XEdDSA...\n"); + for (count = 1; count <= iterations; count++) { + unsigned char b[64]; + crypto_hash_sha512(b, signature, 64); + memmove(privkey, b, 32); + crypto_hash_sha512(b, privkey, 32); + memmove(random, b, 64); + + sc_clamp(privkey); + curve25519_keygen(pubkey, privkey); + + xed25519_sign(signature, privkey, msg, MSG_LEN, random); + + if (xed25519_verify(signature, pubkey, msg, MSG_LEN) != 0) + ERROR("XEdDSA verify failure #1 %d\n", count); + + if (b[63] & 1) + signature[count % 64] ^= 1; + else + msg[count % MSG_LEN] ^= 1; + if (xed25519_verify(signature, pubkey, msg, MSG_LEN) == 0) + ERROR("XEdDSA verify failure #2 %d\n", count); + + if (count == 10000) { + if (memcmp(signature, signature_10k_correct, 64) != 0) + ERROR("XEDSA signature 10K doesn't match %d\n", count); + } + if (count == 100000) + print_bytes("100K XEdDSA", signature, 64); + if (count == 1000000) + print_bytes("1M XEdDSA", signature, 64); + if (count == 10000000) + print_bytes("10M XEdDSA", signature, 64); + } + INFO("good\n"); + return 0; +} + +int xeddsa_to_curvesigs_slow_test(int silent, int iterations) +{ + + unsigned char signature_10k_correct[64] = { + 0x33, 0x50, 0xa8, 0x68, 0xcd, 0x9e, 0x74, 0x99, + 0xa3, 0x5c, 0x33, 0x75, 0x2b, 0x22, 0x03, 0xf8, + 0xb5, 0x0f, 0xea, 0x8c, 0x33, 0x1c, 0x68, 0x8b, + 0xbb, 0xf3, 0x31, 0xcf, 0x7c, 0x42, 0x37, 0x35, + 0xa0, 0x0e, 0x15, 0xb8, 0x5d, 0x2b, 0xe1, 0xa2, + 0x03, 0x77, 0x94, 0x3d, 0x13, 0x5c, 0xd4, 0x9b, + 0x6a, 0x31, 0xf4, 0xdc, 0xfe, 0x24, 0xad, 0x54, + 0xeb, 0xd2, 0x98, 0x47, 0xf1, 0xcc, 0xbf, 0x0d + + }; + + int count; + const int MSG_LEN = 200; + unsigned char privkey[32]; + unsigned char pubkey[32]; + unsigned char signature[96]; + unsigned char msg[MSG_LEN]; + unsigned char random[64]; + + memset(privkey, 0, 32); + memset(pubkey, 0, 32); + memset(signature, 2, 64); + memset(msg, 0, MSG_LEN); + memset(random, 0, 64); + + /* Signature random test */ + INFO("Pseudorandom XEdDSA/Curvesigs...\n"); + for (count = 1; count <= iterations; count++) { + unsigned char b[64]; + crypto_hash_sha512(b, signature, 64); + memmove(privkey, b, 32); + crypto_hash_sha512(b, privkey, 32); + memmove(random, b, 64); + + sc_clamp(privkey); + curve25519_keygen(pubkey, privkey); + + xed25519_sign(signature, privkey, msg, MSG_LEN, random); + + if (curve25519_verify(signature, pubkey, msg, MSG_LEN) != 0) + ERROR("XEdDSA/Curvesigs verify failure #1 %d\n", count); + + if (b[63] & 1) + signature[count % 64] ^= 1; + else + msg[count % MSG_LEN] ^= 1; + if (curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0) + ERROR("XEdDSA/Curvesigs verify failure #2 %d\n", count); + + if (count == 10000) { + if (memcmp(signature, signature_10k_correct, 64) != 0) + ERROR("XEdDSA/Curvesigs signature 10K doesn't match %d\n", count); + } + if (count == 100000) + print_bytes("100K XEdDSA/C", signature, 64); + if (count == 1000000) + print_bytes("1M XEdDSA/C", signature, 64); + if (count == 10000000) + print_bytes("10M XEdDSA/C", signature, 64); + } + INFO("good\n"); + return 0; +} + +int vxeddsa_slow_test(int silent, int iterations) +{ + + unsigned char signature_10k_correct[96] = { + 0xa1, 0x96, 0x96, 0xe5, 0x87, 0x3f, 0x6e, 0x5c, + 0x2e, 0xd3, 0x73, 0xab, 0x04, 0x0c, 0x1f, 0x26, + 0x3c, 0xca, 0x52, 0xc4, 0x7e, 0x49, 0xaa, 0xce, + 0xb5, 0xd6, 0xa2, 0x29, 0x46, 0x3f, 0x1b, 0x54, + 0x45, 0x94, 0x9b, 0x6c, 0x27, 0xf9, 0x2a, 0xed, + 0x17, 0xa4, 0x72, 0xbf, 0x35, 0x37, 0xc1, 0x90, + 0xac, 0xb3, 0xfd, 0x2d, 0xf1, 0x01, 0x05, 0xbe, + 0x56, 0x5c, 0xaf, 0x63, 0x65, 0xad, 0x38, 0x04, + 0x70, 0x53, 0xdf, 0x2b, 0xc1, 0x45, 0xc8, 0xee, + 0x02, 0x0d, 0x2b, 0x22, 0x23, 0x7a, 0xbf, 0xfa, + 0x43, 0x31, 0xb3, 0xac, 0x26, 0xd9, 0x76, 0xfc, + 0xfe, 0x30, 0xa1, 0x7c, 0xce, 0x10, 0x67, 0x0e, + }; + + unsigned char signature_100k_correct[96] = { + 0xc9, 0x11, 0x2b, 0x55, 0xfa, 0xc4, 0xb2, 0xfe, + 0x00, 0x7d, 0xf6, 0x45, 0xcb, 0xd2, 0x73, 0xc9, + 0x43, 0xba, 0x20, 0xf6, 0x9c, 0x18, 0x84, 0xef, + 0x6c, 0x65, 0x7a, 0xdb, 0x49, 0xfc, 0x1e, 0xbe, + 0x31, 0xb3, 0xe6, 0xa4, 0x68, 0x2f, 0xd0, 0x30, + 0x81, 0xfc, 0x0d, 0xcd, 0x2d, 0x00, 0xab, 0xae, + 0x9f, 0x08, 0xf0, 0x99, 0xff, 0x9f, 0xdc, 0x2d, + 0x68, 0xd6, 0xe7, 0xe8, 0x44, 0x2a, 0x5b, 0x0e, + 0x48, 0x67, 0xe2, 0x41, 0x4a, 0xd9, 0x0c, 0x2a, + 0x2b, 0x4e, 0x66, 0x09, 0x87, 0xa0, 0x6b, 0x3b, + 0xd1, 0xd9, 0xa3, 0xe3, 0xa5, 0x69, 0xed, 0xc1, + 0x42, 0x03, 0x93, 0x0d, 0xbc, 0x7e, 0xe9, 0x08, + }; + + unsigned char signature_1m_correct[96] = { + 0xf8, 0xb1, 0x20, 0xf2, 0x1e, 0x5c, 0xbf, 0x5f, + 0xea, 0x07, 0xcb, 0xb5, 0x77, 0xb8, 0x03, 0xbc, + 0xcb, 0x6d, 0xf1, 0xc1, 0xa5, 0x03, 0x05, 0x7b, + 0x01, 0x63, 0x9b, 0xf9, 0xed, 0x3e, 0x57, 0x47, + 0xd2, 0x5b, 0xf4, 0x7e, 0x7c, 0x45, 0xce, 0xfc, + 0x06, 0xb3, 0xf4, 0x05, 0x81, 0x9f, 0x53, 0xb0, + 0x18, 0xe3, 0xfa, 0xcb, 0xb2, 0x52, 0x3e, 0x57, + 0xcb, 0x34, 0xcc, 0x81, 0x60, 0xb9, 0x0b, 0x04, + 0x07, 0x79, 0xc0, 0x53, 0xad, 0xc4, 0x4b, 0xd0, + 0xb5, 0x7d, 0x95, 0x4e, 0xbe, 0xa5, 0x75, 0x0c, + 0xd4, 0xbf, 0xa7, 0xc0, 0xcf, 0xba, 0xe7, 0x7c, + 0xe2, 0x90, 0xef, 0x61, 0xa9, 0x29, 0x66, 0x0d, + }; + + unsigned char signature_10m_correct[96] = { + 0xf5, 0xa4, 0xbc, 0xec, 0xc3, 0x3d, 0xd0, 0x43, + 0xd2, 0x81, 0x27, 0x9e, 0xf0, 0x4c, 0xbe, 0xf3, + 0x77, 0x01, 0x56, 0x41, 0x0e, 0xff, 0x0c, 0xb9, + 0x66, 0xec, 0x4d, 0xe0, 0xb7, 0x25, 0x63, 0x6b, + 0x5c, 0x08, 0x39, 0x80, 0x4e, 0x37, 0x1b, 0x2c, + 0x46, 0x6f, 0x86, 0x99, 0x1c, 0x4e, 0x31, 0x60, + 0xdb, 0x4c, 0xfe, 0xc5, 0xa2, 0x4d, 0x71, 0x2b, + 0xd6, 0xd0, 0xc3, 0x98, 0x88, 0xdb, 0x0e, 0x0c, + 0x68, 0x4a, 0xd3, 0xc7, 0x56, 0xac, 0x8d, 0x95, + 0x7b, 0xbd, 0x99, 0x50, 0xe8, 0xd3, 0xea, 0xf3, + 0x7b, 0x26, 0xf2, 0xa2, 0x2b, 0x02, 0x58, 0xca, + 0xbd, 0x2c, 0x2b, 0xf7, 0x77, 0x58, 0xfe, 0x09, + }; + + int count; + const int MSG_LEN = 200; + unsigned char privkey[32]; + unsigned char pubkey[32]; + unsigned char signature[96]; + unsigned char msg[MSG_LEN]; + unsigned char random[64]; + unsigned char vrf_out[32]; + + memset(privkey, 0, 32); + memset(pubkey, 0, 32); + memset(signature, 3, 96); + memset(msg, 0, MSG_LEN); + memset(random, 0, 64); + + INFO("Pseudorandom VXEdDSA...\n"); + for (count = 1; count <= iterations; count++) { + unsigned char b[64]; + crypto_hash_sha512(b, signature, 96); + memmove(privkey, b, 32); + crypto_hash_sha512(b, privkey, 32); + memmove(random, b, 64); + + sc_clamp(privkey); + curve25519_keygen(pubkey, privkey); + + vxed25519_sign(signature, privkey, msg, MSG_LEN, random); + + if (vxed25519_verify(vrf_out, signature, pubkey, msg, MSG_LEN) != 0) + ERROR("VXEdDSA verify failure #1 %d\n", count); + + if (b[63] & 1) + signature[count % 96] ^= 1; + else + msg[count % MSG_LEN] ^= 1; + + if (vxed25519_verify(vrf_out, signature, pubkey, msg, MSG_LEN) == 0) + ERROR("VXEdDSA verify failure #2 %d\n", count); + + if (count == 10000) + print_bytes("10K VXEdDSA", signature, 96); + if (count == 100000) + print_bytes("100K VXEdDSA", signature, 96); + if (count == 1000000) + print_bytes("1M VXEdDSA", signature, 96); + if (count == 10000000) + print_bytes("10M VXEdDSA", signature, 96); + if (count == 100000000) + print_bytes("100M VXEdDSA", signature, 96); + + if (count == 10000) { + if (memcmp(signature, signature_10k_correct, 96) != 0) + ERROR("VXEDDSA 10K doesn't match %d\n", count); + } + if (count == 100000) { + if (memcmp(signature, signature_100k_correct, 96) != 0) + ERROR("VXEDDSA 100K doesn't match %d\n", count); + } + if (count == 1000000) { + if (memcmp(signature, signature_1m_correct, 96) != 0) + ERROR("VXEDDSA 1m doesn't match %d\n", count); + } + if (count == 10000000) { + if (memcmp(signature, signature_10m_correct, 96) != 0) + ERROR("VXEDDSA 10m doesn't match %d\n", count); + } + /* + if (count == 100000000) { + if (memcmp(signature, signature_100m_correct, 96) != 0) + ERROR("VXEDDSA 100m doesn't match %d\n", count); + } + */ + } + INFO("good\n"); + return 0; +} + +int all_fast_tests(int silent) +{ + int result; + if ((result = sha512_fast_test(silent)) != 0) + return result; + if ((result = elligator_fast_test(silent)) != 0) + return result; + if ((result = curvesigs_fast_test(silent)) != 0) + return result; + if ((result = xeddsa_fast_test(silent)) != 0) + return result; + if ((result = vxeddsa_fast_test(silent)) != 0) + return result; + + return 0; +} + diff --git a/libs/libaxolotl/src/curve25519/ed25519/tests/tests.h b/libs/libaxolotl/src/curve25519/ed25519/tests/tests.h new file mode 100644 index 0000000000..1623268bde --- /dev/null +++ b/libs/libaxolotl/src/curve25519/ed25519/tests/tests.h @@ -0,0 +1,22 @@ +#ifndef __TESTS_H__ +#define __TESTS_H__ + +/* silent = 0 : prints info+error messages to stdout, abort() on test failure + * silent = 1 : returns 0 for success, anything else for failure + * iterations : hardcoded known-good values are at 10000, so run at least this many + */ + +int sha512_fast_test(int silent); +int elligator_fast_test(int silent); +int curvesigs_fast_test(int silent); +int xeddsa_fast_test(int silent); +int vxeddsa_fast_test(int silent); + +int curvesigs_slow_test(int silent, int iterations); +int xeddsa_slow_test(int silent, int iterations); +int xeddsa_to_curvesigs_slow_test(int silent, int iterations); +int vxeddsa_slow_test(int silent, int iterations); + +int all_fast_tests(int silent); + +#endif |