1
mirror of https://github.com/jedisct1/libsodium.git synced 2024-12-28 22:21:15 -07:00

sign_keygen(): don't hash the secret scalar in non-deterministic mode

Improve clarity
No need to clamp the key prior to computing a synthetic nonce
nonce -> Z for clarity
This commit is contained in:
Frank Denis 2017-10-11 18:04:43 +02:00
parent b6bad22149
commit f5e1767b22
3 changed files with 31 additions and 16 deletions

View File

@ -15,7 +15,11 @@ crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
{
ge_p3 A;
crypto_hash_sha512(sk, seed, 32);
#ifdef ED25519_NONDETERMINISTIC
memcpy(sk, seed, crypto_sign_ed25519_SECRETKEYBYTES);
#else
crypto_hash_sha512(sk, seed, crypto_sign_ed25519_SECRETKEYBYTES);
#endif
sk[0] &= 248;
sk[31] &= 63;
sk[31] |= 64;
@ -23,8 +27,8 @@ crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
ge_scalarmult_base(&A, sk);
ge_p3_tobytes(pk, &A);
memmove(sk, seed, 32);
memmove(sk + 32, pk, 32);
memmove(sk, seed, crypto_sign_ed25519_SECRETKEYBYTES);
memmove(sk + 32, pk, crypto_sign_ed25519_PUBLICKEYBYTES);
return 0;
}
@ -76,9 +80,13 @@ crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
{
unsigned char h[crypto_hash_sha512_BYTES];
#ifdef ED25519_NONDETERMINISTIC
memcpy(h, ed25519_sk, crypto_sign_ed25519_SECRETKEYBYTES);
#else
crypto_hash_sha512(h, ed25519_sk,
crypto_sign_ed25519_SECRETKEYBYTES -
crypto_sign_ed25519_PUBLICKEYBYTES);
#endif
h[0] &= 248;
h[31] &= 127;
h[31] |= 64;

View File

@ -36,9 +36,8 @@ _crypto_sign_ed25519_clamp(unsigned char k[32])
/* r = hash(B || empty_labelset || Z || pad1 || k || pad2 || empty_labelset || K || extra || M) (mod q) */
static void
_crypto_sign_ed25519_synthetic_r_hv(crypto_hash_sha512_state *hs,
unsigned char nonce[64],
unsigned char sk_copy[64],
const unsigned char sk[64])
unsigned char Z[32],
const unsigned char sk[32])
{
static const unsigned char B[32] = {
0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
@ -49,14 +48,12 @@ _crypto_sign_ed25519_synthetic_r_hv(crypto_hash_sha512_state *hs,
static const unsigned char zeros[16] = { 0x00 };
static const unsigned char empty_labelset[3] = { 0x02, 0x00, 0x00 };
memcpy(sk_copy, sk, 32);
_crypto_sign_ed25519_clamp(sk_copy);
crypto_hash_sha512_update(hs, B, 32);
crypto_hash_sha512_update(hs, empty_labelset, 3);
randombytes_buf(nonce, 32);
crypto_hash_sha512_update(hs, nonce, 32);
randombytes_buf(Z, 32);
crypto_hash_sha512_update(hs, Z, 32);
crypto_hash_sha512_update(hs, zeros, 16 - (32 + 3 + 32) % 16);
crypto_hash_sha512_update(hs, sk_copy, 32);
crypto_hash_sha512_update(hs, sk, 32);
/* empty pad2 */
crypto_hash_sha512_update(hs, empty_labelset, 3);
crypto_hash_sha512_update(hs, sk + 32, 32);
@ -75,15 +72,16 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
unsigned char hram[64];
ge_p3 R;
#ifdef ED25519_NONDETERMINISTIC
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
_crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az, sk);
#ifdef ED25519_NONDETERMINISTIC
memcpy(az, sk, 32);
_crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az);
#else
crypto_hash_sha512(az, sk, 32);
_crypto_sign_ed25519_clamp(az);
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
crypto_hash_sha512_update(&hs, az + 32, 32);
#endif
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, nonce);
@ -99,6 +97,7 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
crypto_hash_sha512_final(&hs, hram);
sc_reduce(hram);
_crypto_sign_ed25519_clamp(az);
sc_muladd(sig + 32, hram, az, nonce);
sodium_memzero(az, sizeof az);

View File

@ -18,9 +18,17 @@ main(void)
unsigned char curve25519_sk[crypto_scalarmult_curve25519_BYTES];
char curve25519_pk_hex[crypto_scalarmult_curve25519_BYTES * 2 + 1];
char curve25519_sk_hex[crypto_scalarmult_curve25519_BYTES * 2 + 1];
unsigned char hseed[crypto_hash_sha512_BYTES];
unsigned int i;
crypto_sign_ed25519_seed_keypair(ed25519_pk, ed25519_skpk, keypair_seed);
assert(crypto_sign_ed25519_SEEDBYTES <= crypto_hash_sha512_BYTES);
#ifdef ED25519_NONDETERMINISTIC
crypto_hash_sha512(hseed, keypair_seed, crypto_sign_ed25519_SEEDBYTES);
#else
memcpy(hseed, keypair_seed, crypto_sign_ed25519_SEEDBYTES);
#endif
crypto_sign_ed25519_seed_keypair(ed25519_pk, ed25519_skpk, hseed);
if (crypto_sign_ed25519_pk_to_curve25519(curve25519_pk, ed25519_pk) != 0) {
printf("conversion failed\n");
}