1 /* $OpenBSD: mod_ed25519.c,v 1.1 2014/01/08 05:00:01 tedu Exp $ */
2
3 /*
4 * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
5 * Peter Schwabe, Bo-Yin Yang.
6 * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
7 */
8
9 #include "crypto_api.h"
10
11 #include "ge25519.h"
12
get_hram(unsigned char * hram,const unsigned char * sm,const unsigned char * pk,unsigned char * playground,unsigned long long smlen)13 static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen)
14 {
15 unsigned long long i;
16
17 for (i = 0;i < 32;++i) playground[i] = sm[i];
18 for (i = 32;i < 64;++i) playground[i] = pk[i-32];
19 for (i = 64;i < smlen;++i) playground[i] = sm[i];
20
21 crypto_hash_sha512(hram,playground,smlen);
22 }
23
24 #ifndef VERIFYONLY
crypto_sign_ed25519_keypair(unsigned char * pk,unsigned char * sk)25 int crypto_sign_ed25519_keypair(
26 unsigned char *pk,
27 unsigned char *sk
28 )
29 {
30 sc25519 scsk;
31 ge25519 gepk;
32 unsigned char extsk[64];
33 int i;
34
35 randombytes(sk, 32);
36 crypto_hash_sha512(extsk, sk, 32);
37 extsk[0] &= 248;
38 extsk[31] &= 127;
39 extsk[31] |= 64;
40
41 sc25519_from32bytes(&scsk,extsk);
42
43 ge25519_scalarmult_base(&gepk, &scsk);
44 ge25519_pack(pk, &gepk);
45 for(i=0;i<32;i++)
46 sk[32 + i] = pk[i];
47 return 0;
48 }
49
crypto_sign_ed25519(unsigned char * sm,unsigned long long * smlen,const unsigned char * m,unsigned long long mlen,const unsigned char * sk)50 int crypto_sign_ed25519(
51 unsigned char *sm,unsigned long long *smlen,
52 const unsigned char *m,unsigned long long mlen,
53 const unsigned char *sk
54 )
55 {
56 sc25519 sck, scs, scsk;
57 ge25519 ger;
58 unsigned char r[32];
59 unsigned char s[32];
60 unsigned char extsk[64];
61 unsigned long long i;
62 unsigned char hmg[crypto_hash_sha512_BYTES];
63 unsigned char hram[crypto_hash_sha512_BYTES];
64
65 crypto_hash_sha512(extsk, sk, 32);
66 extsk[0] &= 248;
67 extsk[31] &= 127;
68 extsk[31] |= 64;
69
70 *smlen = mlen+64;
71 for(i=0;i<mlen;i++)
72 sm[64 + i] = m[i];
73 for(i=0;i<32;i++)
74 sm[32 + i] = extsk[32+i];
75
76 crypto_hash_sha512(hmg, sm+32, mlen+32); /* Generate k as h(extsk[32],...,extsk[63],m) */
77
78 /* Computation of R */
79 sc25519_from64bytes(&sck, hmg);
80 ge25519_scalarmult_base(&ger, &sck);
81 ge25519_pack(r, &ger);
82
83 /* Computation of s */
84 for(i=0;i<32;i++)
85 sm[i] = r[i];
86
87 get_hram(hram, sm, sk+32, sm, mlen+64);
88
89 sc25519_from64bytes(&scs, hram);
90 sc25519_from32bytes(&scsk, extsk);
91 sc25519_mul(&scs, &scs, &scsk);
92
93 sc25519_add(&scs, &scs, &sck);
94
95 sc25519_to32bytes(s,&scs); /* cat s */
96 for(i=0;i<32;i++)
97 sm[32 + i] = s[i];
98
99 return 0;
100 }
101 #endif
crypto_sign_ed25519_open(unsigned char * m,unsigned long long * mlen,const unsigned char * sm,unsigned long long smlen,const unsigned char * pk)102 int crypto_sign_ed25519_open(
103 unsigned char *m,unsigned long long *mlen,
104 const unsigned char *sm,unsigned long long smlen,
105 const unsigned char *pk
106 )
107 {
108 unsigned int i;
109 int ret;
110 unsigned char t2[32];
111 ge25519 get1, get2;
112 sc25519 schram, scs;
113 unsigned char hram[crypto_hash_sha512_BYTES];
114
115 *mlen = (unsigned long long) -1;
116 if (smlen < 64) return -1;
117
118 if (ge25519_unpackneg_vartime(&get1, pk)) return -1;
119
120 get_hram(hram,sm,pk,m,smlen);
121
122 sc25519_from64bytes(&schram, hram);
123
124 sc25519_from32bytes(&scs, sm+32);
125
126 ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs);
127 ge25519_pack(t2, &get2);
128
129 ret = crypto_verify_32(sm, t2);
130
131 if (!ret)
132 {
133 for(i=0;i<smlen-64;i++)
134 m[i] = sm[i + 64];
135 *mlen = smlen-64;
136 }
137 else
138 {
139 for(i=0;i<smlen-64;i++)
140 m[i] = 0;
141 }
142 return ret;
143 }
144