Add ge25519_p2_to_p3(), ge25519_p3_add(), ge25519_p3_sub()

src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c

@@ -471,6 +471,18 @@ ge25519_p1p1_to_p3(ge25519_p3 *r, const ge25519_p1p1 *p)
     fe25519_mul(r->T, p->X, p->Y);
 }
 
+/*
+ r = p
+ */
+void
+ge25519_p2_to_p3(ge25519_p3 *r, const ge25519_p2 *p)
+{
+    fe25519_copy(r->X, p->X);
+    fe25519_copy(r->Y, p->Y);
+    fe25519_copy(r->Z, p->Z);
+    fe25519_mul(r->T, p->X, p->Y);
+}
+
 static void
 ge25519_p2_0(ge25519_p2 *h)
 {
@@ -988,8 +1000,18 @@ ge25519_p3p3_dbl(ge25519_p3 *r, const ge25519_p3 *p)
     ge25519_p1p1_to_p3(r, &p1p1);
 }
 
-/* r = p+q */
+/* r = -p */
 static void
+ge25519_p3_neg(ge25519_p3 *r, const ge25519_p3 *p)
+{
+    fe25519_neg(r->X, p->X);
+    fe25519_copy(r->Y, p->Y);
+    fe25519_copy(r->Z, p->Z);
+    fe25519_neg(r->T, p->T);
+}
+
+/* r = p+q */
+void
 ge25519_p3_add(ge25519_p3 *r, const ge25519_p3 *p, const ge25519_p3 *q)
 {
     ge25519_cached q_cached;
@@ -1000,6 +1022,16 @@ ge25519_p3_add(ge25519_p3 *r, const ge25519_p3 *p, const ge25519_p3 *q)
     ge25519_p1p1_to_p3(r, &p1p1);
 }
 
+/* r = p-q */
+void
+ge25519_p3_sub(ge25519_p3 *r, const ge25519_p3 *p, const ge25519_p3 *q)
+{
+    ge25519_p3 q_neg;
+
+    ge25519_p3_neg(&q_neg, q);
+    ge25519_p3_add(r, p, &q_neg);
+}
+
 /* r = r*(2^n)+q */
 static void
 ge25519_p3_dbladd(ge25519_p3 *r, const int n, const ge25519_p3 *q)

src/libsodium/crypto_sign/ed25519/ref10/open.c

@@ -24,8 +24,8 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
     ge25519_p3               check;
     ge25519_p3               expected_r;
     ge25519_p3               A;
-    ge25519_p2               sb_ah;
-    ge25519_cached           sb_ah_;
+    ge25519_p3               sb_ah;
+    ge25519_p2               sb_ah_p2;
 
     ACQUIRE_FENCE;
 #ifdef ED25519_COMPAT
@@ -48,6 +48,9 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
     if (ge25519_frombytes_negate_vartime(&A, pk) != 0) {
         return -1;
     }
+    if (ge25519_frombytes(&expected_r, sig) != 0) {
+        return -1;
+    }
     _crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
     crypto_hash_sha512_update(&hs, sig, 32);
     crypto_hash_sha512_update(&hs, pk, 32);
@@ -55,14 +58,9 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
     crypto_hash_sha512_final(&hs, h);
     sc25519_reduce(h);
 
-    ge25519_double_scalarmult_vartime(&sb_ah_, h, &A, sig + 32);
-
-
-    if (ge25519_frombytes(&expected_r, sig) != 0) {
-        return -1;
-    }
-    ge25519_p3_to_cached(&sb_ah, &sb_ah_);
-    ge25519_sub_cached(&check, &expected_r, &sb_ah);
+    ge25519_double_scalarmult_vartime(&sb_ah_p2, h, &A, sig + 32);
+    ge25519_p2_to_p3(&sb_ah, &sb_ah_p2);
+    ge25519_p3_sub(&check, &expected_r, &sb_ah);
     ge25519_clear_cofactor(&check);
 
     return fe25519_iszero(check.X) - 1;

src/libsodium/include/sodium/private/ed25519_ref10.h

@@ -89,10 +89,16 @@ void ge25519_p1p1_to_p2(ge25519_p2 *r, const ge25519_p1p1 *p);
 
 void ge25519_p1p1_to_p3(ge25519_p3 *r, const ge25519_p1p1 *p);
 
+void ge25519_p2_to_p3(ge25519_p3 *r, const ge25519_p2 *p);
+
 void ge25519_add_cached(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_cached *q);
 
 void ge25519_sub_cached(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_cached *q);
 
+void ge25519_p3_add(ge25519_p3 *r, const ge25519_p3 *p, const ge25519_p3 *q);
+
+void ge25519_p3_sub(ge25519_p3 *r, const ge25519_p3 *p, const ge25519_p3 *q);
+
 void ge25519_scalarmult_base(ge25519_p3 *h, const unsigned char *a);
 
 void ge25519_double_scalarmult_vartime(ge25519_p2 *r, const unsigned char *a,

test/default/sign2.exp

@@ -0,0 +1 @@
+OK