mirror of
https://github.com/jedisct1/libsodium.git
synced 2024-12-28 22:21:15 -07:00
sign_keygen(): don't hash the secret scalar in non-deterministic mode
Improve clarity No need to clamp the key prior to computing a synthetic nonce nonce -> Z for clarity
This commit is contained in:
parent
b6bad22149
commit
f5e1767b22
@ -15,7 +15,11 @@ crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
|
||||
{
|
||||
ge_p3 A;
|
||||
|
||||
crypto_hash_sha512(sk, seed, 32);
|
||||
#ifdef ED25519_NONDETERMINISTIC
|
||||
memcpy(sk, seed, crypto_sign_ed25519_SECRETKEYBYTES);
|
||||
#else
|
||||
crypto_hash_sha512(sk, seed, crypto_sign_ed25519_SECRETKEYBYTES);
|
||||
#endif
|
||||
sk[0] &= 248;
|
||||
sk[31] &= 63;
|
||||
sk[31] |= 64;
|
||||
@ -23,8 +27,8 @@ crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
|
||||
ge_scalarmult_base(&A, sk);
|
||||
ge_p3_tobytes(pk, &A);
|
||||
|
||||
memmove(sk, seed, 32);
|
||||
memmove(sk + 32, pk, 32);
|
||||
memmove(sk, seed, crypto_sign_ed25519_SECRETKEYBYTES);
|
||||
memmove(sk + 32, pk, crypto_sign_ed25519_PUBLICKEYBYTES);
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -76,9 +80,13 @@ crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
|
||||
{
|
||||
unsigned char h[crypto_hash_sha512_BYTES];
|
||||
|
||||
#ifdef ED25519_NONDETERMINISTIC
|
||||
memcpy(h, ed25519_sk, crypto_sign_ed25519_SECRETKEYBYTES);
|
||||
#else
|
||||
crypto_hash_sha512(h, ed25519_sk,
|
||||
crypto_sign_ed25519_SECRETKEYBYTES -
|
||||
crypto_sign_ed25519_PUBLICKEYBYTES);
|
||||
#endif
|
||||
h[0] &= 248;
|
||||
h[31] &= 127;
|
||||
h[31] |= 64;
|
||||
|
@ -36,9 +36,8 @@ _crypto_sign_ed25519_clamp(unsigned char k[32])
|
||||
/* r = hash(B || empty_labelset || Z || pad1 || k || pad2 || empty_labelset || K || extra || M) (mod q) */
|
||||
static void
|
||||
_crypto_sign_ed25519_synthetic_r_hv(crypto_hash_sha512_state *hs,
|
||||
unsigned char nonce[64],
|
||||
unsigned char sk_copy[64],
|
||||
const unsigned char sk[64])
|
||||
unsigned char Z[32],
|
||||
const unsigned char sk[32])
|
||||
{
|
||||
static const unsigned char B[32] = {
|
||||
0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
|
||||
@ -49,14 +48,12 @@ _crypto_sign_ed25519_synthetic_r_hv(crypto_hash_sha512_state *hs,
|
||||
static const unsigned char zeros[16] = { 0x00 };
|
||||
static const unsigned char empty_labelset[3] = { 0x02, 0x00, 0x00 };
|
||||
|
||||
memcpy(sk_copy, sk, 32);
|
||||
_crypto_sign_ed25519_clamp(sk_copy);
|
||||
crypto_hash_sha512_update(hs, B, 32);
|
||||
crypto_hash_sha512_update(hs, empty_labelset, 3);
|
||||
randombytes_buf(nonce, 32);
|
||||
crypto_hash_sha512_update(hs, nonce, 32);
|
||||
randombytes_buf(Z, 32);
|
||||
crypto_hash_sha512_update(hs, Z, 32);
|
||||
crypto_hash_sha512_update(hs, zeros, 16 - (32 + 3 + 32) % 16);
|
||||
crypto_hash_sha512_update(hs, sk_copy, 32);
|
||||
crypto_hash_sha512_update(hs, sk, 32);
|
||||
/* empty pad2 */
|
||||
crypto_hash_sha512_update(hs, empty_labelset, 3);
|
||||
crypto_hash_sha512_update(hs, sk + 32, 32);
|
||||
@ -75,15 +72,16 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
|
||||
unsigned char hram[64];
|
||||
ge_p3 R;
|
||||
|
||||
#ifdef ED25519_NONDETERMINISTIC
|
||||
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
|
||||
_crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az, sk);
|
||||
|
||||
#ifdef ED25519_NONDETERMINISTIC
|
||||
memcpy(az, sk, 32);
|
||||
_crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az);
|
||||
#else
|
||||
crypto_hash_sha512(az, sk, 32);
|
||||
_crypto_sign_ed25519_clamp(az);
|
||||
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
|
||||
crypto_hash_sha512_update(&hs, az + 32, 32);
|
||||
#endif
|
||||
|
||||
crypto_hash_sha512_update(&hs, m, mlen);
|
||||
crypto_hash_sha512_final(&hs, nonce);
|
||||
|
||||
@ -99,6 +97,7 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
|
||||
crypto_hash_sha512_final(&hs, hram);
|
||||
|
||||
sc_reduce(hram);
|
||||
_crypto_sign_ed25519_clamp(az);
|
||||
sc_muladd(sig + 32, hram, az, nonce);
|
||||
|
||||
sodium_memzero(az, sizeof az);
|
||||
|
@ -18,9 +18,17 @@ main(void)
|
||||
unsigned char curve25519_sk[crypto_scalarmult_curve25519_BYTES];
|
||||
char curve25519_pk_hex[crypto_scalarmult_curve25519_BYTES * 2 + 1];
|
||||
char curve25519_sk_hex[crypto_scalarmult_curve25519_BYTES * 2 + 1];
|
||||
unsigned char hseed[crypto_hash_sha512_BYTES];
|
||||
unsigned int i;
|
||||
|
||||
crypto_sign_ed25519_seed_keypair(ed25519_pk, ed25519_skpk, keypair_seed);
|
||||
assert(crypto_sign_ed25519_SEEDBYTES <= crypto_hash_sha512_BYTES);
|
||||
#ifdef ED25519_NONDETERMINISTIC
|
||||
crypto_hash_sha512(hseed, keypair_seed, crypto_sign_ed25519_SEEDBYTES);
|
||||
#else
|
||||
memcpy(hseed, keypair_seed, crypto_sign_ed25519_SEEDBYTES);
|
||||
#endif
|
||||
crypto_sign_ed25519_seed_keypair(ed25519_pk, ed25519_skpk, hseed);
|
||||
|
||||
if (crypto_sign_ed25519_pk_to_curve25519(curve25519_pk, ed25519_pk) != 0) {
|
||||
printf("conversion failed\n");
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user