kevin/libsodium
1
Fork 0
mirror of https://github.com/jedisct1/libsodium.git synced 2024-12-20 18:45:32 -07:00
Code Releases Wiki Activity

Use the generalized eddsa algorithm for non-deterministic r

Browse Source
This commit is contained in:
Frank Denis 2017-10-06 21:28:02 +02:00
parent 9080766246
commit b6bad22149
1 changed files with 47 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
src/libsodium/crypto_sign/ed25519/ref10/sign.c
View File

@ -24,6 +24,46 @@ _crypto_sign_ed25519_ref10_hinit(crypto_hash_sha512_state *hs, int prehashed)
} }
} }
static inline void
_crypto_sign_ed25519_clamp(unsigned char k[32])
{
k[0] &= 248;
k[31] &= 63;
k[31] |= 64;
}
#ifdef ED25519_NONDETERMINISTIC
/* r = hash(B || empty_labelset || Z || pad1 || k || pad2 || empty_labelset || K || extra || M) (mod q) */
static void
_crypto_sign_ed25519_synthetic_r_hv(crypto_hash_sha512_state *hs,
unsigned char nonce[64],
unsigned char sk_copy[64],
const unsigned char sk[64])
{
static const unsigned char B[32] = {
0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
};
static const unsigned char zeros[16] = { 0x00 };
static const unsigned char empty_labelset[3] = { 0x02, 0x00, 0x00 };
memcpy(sk_copy, sk, 32);
_crypto_sign_ed25519_clamp(sk_copy);
crypto_hash_sha512_update(hs, B, 32);
crypto_hash_sha512_update(hs, empty_labelset, 3);
randombytes_buf(nonce, 32);
crypto_hash_sha512_update(hs, nonce, 32);
crypto_hash_sha512_update(hs, zeros, 16 - (32 + 3 + 32) % 16);
crypto_hash_sha512_update(hs, sk_copy, 32);
/* empty pad2 */
crypto_hash_sha512_update(hs, empty_labelset, 3);
crypto_hash_sha512_update(hs, sk + 32, 32);
/* empty extra */
}
#endif
int int
_crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p, _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
const unsigned char *m, unsigned long long mlen, const unsigned char *m, unsigned long long mlen,
@ -35,17 +75,15 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
unsigned char hram[64]; unsigned char hram[64];
ge_p3 R; ge_p3 R;
crypto_hash_sha512(az, sk, 32);
az[0] &= 248;
az[31] &= 63;
az[31] |= 64;
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
#ifdef ED25519_NONDETERMINISTIC #ifdef ED25519_NONDETERMINISTIC
randombytes_buf(nonce, 32); _crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
crypto_hash_sha512_update(&hs, nonce, 32); _crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az, sk);
#endif #else
crypto_hash_sha512(az, sk, 32);
_crypto_sign_ed25519_clamp(az);
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
crypto_hash_sha512_update(&hs, az + 32, 32); crypto_hash_sha512_update(&hs, az + 32, 32);
#endif
crypto_hash_sha512_update(&hs, m, mlen); crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, nonce); crypto_hash_sha512_final(&hs, nonce);