From db6f43d25e77b001c53020dc350fdb1c16731afd Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Mon, 15 Apr 2019 10:12:19 +0200
Subject: [PATCH] Add crypto_core_{ed25519,ristretto255}_scalar_mul
---
 .../crypto_core/ed25519/core_ed25519.c | 7 ++++
 .../crypto_core/ed25519/core_ristretto255.c | 7 ++++
 .../crypto_core/ed25519/ref10/ed25519_ref10.c | 2 +-
 .../include/sodium/crypto_core_ed25519.h | 5 +++
 .../include/sodium/crypto_core_ristretto255.h | 6 +++
 test/default/core_ed25519.c | 37 +++++++++++++++++++
 test/default/core_ed25519.exp | 1 +
 7 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/src/libsodium/crypto_core/ed25519/core_ed25519.c b/src/libsodium/crypto_core/ed25519/core_ed25519.c
index 15c004b9..ac1eed17 100644
--- a/src/libsodium/crypto_core/ed25519/core_ed25519.c
+++ b/src/libsodium/crypto_core/ed25519/core_ed25519.c
@@ -158,6 +158,13 @@ crypto_core_ed25519_scalar_sub(unsigned char *z, const unsigned char *x,
 crypto_core_ed25519_scalar_add(z, x, yn);
 }
+void
+crypto_core_ed25519_scalar_mul(unsigned char *z, const unsigned char *x,
+ const unsigned char *y)
+{
+ sc25519_mul(z, x, y);
+}
+
 void
 crypto_core_ed25519_scalar_reduce(unsigned char *r, const unsigned char *s)
diff --git a/src/libsodium/crypto_core/ed25519/core_ristretto255.c b/src/libsodium/crypto_core/ed25519/core_ristretto255.c
index fbd5372c..94cc64a6 100644
--- a/src/libsodium/crypto_core/ed25519/core_ristretto255.c
+++ b/src/libsodium/crypto_core/ed25519/core_ristretto255.c
@@ -108,6 +108,13 @@ crypto_core_ristretto255_scalar_sub(unsigned char *z, const unsigned char *x,
 crypto_core_ed25519_scalar_sub(z, x, y);
 }
+void
+crypto_core_ristretto255_scalar_mul(unsigned char *z, const unsigned char *x,
+ const unsigned char *y)
+{
+ sc25519_mul(z, x, y);
+}
+
 void
 crypto_core_ristretto255_scalar_reduce(unsigned char *r, const unsigned char *s)
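Review bot: In the core_ristretto255.c hunk, `crypto_core_ristretto255_scalar_mul` calls `sc25519_mul` directly, whereas the sibling `crypto_core_ristretto255_scalar_sub` just above it delegates to `crypto_core_ed25519_scalar_sub`; for consistency the body should be `crypto_core_ed25519_scalar_mul(z, x, y);`. That keeps the ristretto255 scalar API a thin alias of the ed25519 one, so any later change to the ed25519 wrapper (an input check, say) applies to both automatically, and it leaves core_ed25519.c as the only caller of the ref10 symbol this commit gives external linkage.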
diff --git a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
index ccb8d340..e7b44493 100644
--- a/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
+++ b/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c
@@ -1081,7 +1081,7 @@ ge25519_has_small_order(const unsigned char s[32])
 where l = 2^252 + 27742317777372353535851937790883648493.
 */
-static void
+void
 sc25519_mul(unsigned char s[32], const unsigned char a[32], const unsigned char b[32])
 {
 int64_t a0 = 2097151 & load_3(a);
diff --git a/src/libsodium/include/sodium/crypto_core_ed25519.h b/src/libsodium/include/sodium/crypto_core_ed25519.h
index eb736ffb..a63d8382 100644
--- a/src/libsodium/include/sodium/crypto_core_ed25519.h
+++ b/src/libsodium/include/sodium/crypto_core_ed25519.h
@@ -68,6 +68,11 @@ void crypto_core_ed25519_scalar_sub(unsigned char *z, const unsigned char *x,
 const unsigned char *y)
 __attribute__ ((nonnull));
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_mul(unsigned char *z, const unsigned char *x,
+ const unsigned char *y)
+ __attribute__ ((nonnull));
+
 /*
 * The interval `s` is sampled from should be at least 317 bits to ensure almost
 * uniformity of `r` over `L`.
diff --git a/src/libsodium/include/sodium/crypto_core_ristretto255.h b/src/libsodium/include/sodium/crypto_core_ristretto255.h
index 2f2c1f29..33522b07 100644
--- a/src/libsodium/include/sodium/crypto_core_ristretto255.h
+++ b/src/libsodium/include/sodium/crypto_core_ristretto255.h
@@ -74,6 +74,12 @@ void crypto_core_ristretto255_scalar_sub(unsigned char *z,
 const unsigned char *y)
 __attribute__ ((nonnull));
+SODIUM_EXPORT
+void crypto_core_ristretto255_scalar_mul(unsigned char *z,
+ const unsigned char *x,
+ const unsigned char *y)
+ __attribute__ ((nonnull));
+
 /*
 * The interval `s` is sampled from should be at least 317 bits to ensure almost
 * uniformity of `r` over `L`.
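Review bot: Dropping `static` from `sc25519_mul` gives it external linkage, but no hunk in this commit adds a prototype for it, so the new callers in core_ed25519.c and core_ristretto255.c compile cleanly only if the private ref10 header those files include already declares it. If it does not, add `void sc25519_mul(unsigned char s[32], const unsigned char a[32], const unsigned char b[32]);` there rather than relying on an implicit declaration, which is an error under -Werror and in current C standards. The symbol keeps a bare, unprefixed name and, unlike the public wrappers, no SODIUM_EXPORT, so it presumably stays hidden in the shared build; that is worth confirming for static-link consumers. The body of sc25519_mul continues past the end of the hunk.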
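Review bot: The new `crypto_core_ed25519_scalar_mul` declaration carries no comment describing its contract, unlike the scalar_reduce declaration that follows it, and the crypto_core_ristretto255.h hunk has the same gap. The test this commit adds relies on two properties the header should state: a non-canonical x is accepted and the result is reduced (it sets `sc[31] |= 0x11`, multiplies by one and asserts the output differs), and z may alias x or y (`crypto_core_ed25519_scalar_mul(sc, sc, sc2)`), which looks safe because sc25519_mul loads both operands into limbs before writing s. A comment such as `/* z = (x * y) mod L. x and y need not be reduced; z is reduced. z may alias x or y. */` above the SODIUM_EXPORT line, mirrored in the ristretto255 header, would document that.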
diff --git a/test/default/core_ed25519.c b/test/default/core_ed25519.c
index d796e01a..0a3d158c 100644
--- a/test/default/core_ed25519.c
+++ b/test/default/core_ed25519.c
@@ -334,6 +334,43 @@ main(void)
 sc, crypto_core_ed25519_SCALARBYTES);
 printf("sub2: %s\n", hex);
+ memset(sc, 0x69, crypto_core_ed25519_SCALARBYTES);
+ memset(sc2, 0x42, crypto_core_ed25519_SCALARBYTES);
+ for (i = 0; i < 100; i++) {
+ crypto_core_ed25519_scalar_mul(sc, sc, sc2);
+ crypto_core_ed25519_scalar_mul(sc2, sc, sc2);
+ }
+ sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
+ sc2, crypto_core_ed25519_SCALARBYTES);
+ printf("mul: %s\n", hex);
+ for (i = 0; i < 1000; i++) {
+ crypto_core_ed25519_scalar_random(sc);
+ memset(sc2, 0, crypto_core_ed25519_SCALARBYTES);
+ crypto_core_ed25519_scalar_mul(sc3, sc, sc2);
+ assert(sodium_is_zero(sc3, crypto_core_ed25519_SCALARBYTES));
+
+ sc2[0]++;
+ crypto_core_ed25519_scalar_mul(sc3, sc, sc2);
+ assert(memcmp(sc3, sc, crypto_core_ed25519_SCALARBYTES) == 0);
+
+ sc2[0]++;
+ crypto_core_ed25519_scalar_mul(sc3, sc, sc2);
+ crypto_core_ed25519_scalar_sub(sc3, sc3, sc);
+ crypto_core_ed25519_scalar_sub(sc3, sc3, sc);
+ assert(sodium_is_zero(sc3, crypto_core_ed25519_SCALARBYTES));
+
+ crypto_core_ed25519_scalar_random(sc2);
+ crypto_core_ed25519_scalar_mul(sc3, sc, sc2);
+ crypto_core_ed25519_scalar_invert(sc2, sc2);
+ crypto_core_ed25519_scalar_mul(sc3, sc3, sc2);
+ assert(memcmp(sc3, sc, crypto_core_ed25519_SCALARBYTES) == 0);
+
+ sc[31] |= 0x11;
+ memset(sc2, 0, crypto_core_ed25519_SCALARBYTES);
+ sc2[0] = 1;
+ crypto_core_ed25519_scalar_mul(sc3, sc, sc2);
+ assert(memcmp(sc3, sc, crypto_core_ed25519_SCALARBYTES) != 0);
+ }
 sodium_free(hex);
 sodium_free(sc64);
 sodium_free(sc3);
diff --git a/test/default/core_ed25519.exp b/test/default/core_ed25519.exp
index 89fbaa33..65295bfa 100644
--- a/test/default/core_ed25519.exp
+++ b/test/default/core_ed25519.exp
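Review bot: The last check in the 1000-iteration loop only asserts that multiplying the non-canonical `sc` by one yields something other than `sc`, not that it yields the canonical residue; since `sc64` is already allocated here (presumably the NONREDUCEDSCALARBYTES buffer freed just below), the expected value can be derived with `crypto_core_ed25519_scalar_reduce` and compared exactly, as sketched below. The five sub-checks (zero, identity, 2x - x - x = 0, inverse round trip, reduction of a non-canonical input) would also read better with a one-line comment each, and the inverse check silently assumes `crypto_core_ed25519_scalar_random` never returns zero, which deserves a comment stating that contract. main() begins and ends outside the hunk.
```c
        crypto_core_ed25519_scalar_mul(sc3, sc, sc2);
        assert(memcmp(sc3, sc, crypto_core_ed25519_SCALARBYTES) != 0);
        /* the product must be the canonical residue of sc, not merely different */
        memset(sc64, 0, crypto_core_ed25519_NONREDUCEDSCALARBYTES);
        memcpy(sc64, sc, crypto_core_ed25519_SCALARBYTES);
        crypto_core_ed25519_scalar_reduce(sc2, sc64);
        assert(memcmp(sc3, sc2, crypto_core_ed25519_SCALARBYTES) == 0);
```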
@@ -14,4 +14,5 @@ add1: f7567cd87c82ec1c355a6304c143bcc9ecedededededededededededededed0d
 sub1: f67c79849de0253ba142949e1db6224b13121212121212121212121212121202
 add2: b02e8581ce62f69922427c23f970f7e951525252525252525252525252525202
 sub2: 3da570db4b001cbeb35a7b7fe588e72aaeadadadadadadadadadadadadadad0d
+mul: 4453ef38408c06677c1b810e4bf8b1991f01c88716fbfa2f075a518b77da400b
 OK