mirror of
https://github.com/jedisct1/libsodium.git
synced 2024-12-19 10:05:05 -07:00
546 lines
23 KiB
C
546 lines
23 KiB
C
#define TEST_NAME "core_ed25519"
|
|
#include "cmptest.h"
|
|
|
|
static const unsigned char non_canonical_p[32] = {
|
|
0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
|
|
};
|
|
static const unsigned char non_canonical_invalid_p[32] = {
|
|
0xf5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
|
|
};
|
|
static const unsigned char max_canonical_p[32] = {
|
|
0xe4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
|
|
};
|
|
static const unsigned char L_p1[32] = {
|
|
0xee, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
|
|
};
|
|
static const unsigned char L[32] = {
|
|
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
|
|
};
|
|
static const unsigned char L_1[32] = {
|
|
0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
|
|
};
|
|
static const unsigned char sc_8[32] = {
|
|
0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|
|
};
|
|
static const unsigned char sc_highbit[32] = {
|
|
0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80
|
|
};
|
|
|
|
static void
|
|
add_P(unsigned char * const S)
|
|
{
|
|
static const unsigned char P[32] = {
|
|
0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
|
|
};
|
|
|
|
sodium_add(S, P, sizeof P);
|
|
}
|
|
|
|
static void
|
|
add_l64(unsigned char * const S)
|
|
{
|
|
static const unsigned char l[crypto_core_ed25519_NONREDUCEDSCALARBYTES] =
|
|
{ 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
|
|
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
|
|
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
|
|
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
|
|
|
|
sodium_add(S, l, sizeof l);
|
|
}
|
|
|
|
int
|
|
main(void)
|
|
{
|
|
unsigned char *h, *r;
|
|
unsigned char *p, *p2, *p3;
|
|
unsigned char *sc, *sc2, *sc3;
|
|
unsigned char *sc64;
|
|
unsigned char *seed;
|
|
char *hex;
|
|
unsigned int i, j;
|
|
|
|
h = (unsigned char *) sodium_malloc(crypto_core_ed25519_HASHBYTES);
|
|
r = (unsigned char *) sodium_malloc(crypto_core_ed25519_UNIFORMBYTES);
|
|
p = (unsigned char *) sodium_malloc(crypto_core_ed25519_BYTES);
|
|
for (i = 0; i < 500; i++) {
|
|
randombytes_buf(r, crypto_core_ed25519_UNIFORMBYTES);
|
|
if (crypto_core_ed25519_from_uniform(p, r) != 0) {
|
|
printf("crypto_core_ed25519_from_uniform() failed\n");
|
|
}
|
|
if (crypto_core_ed25519_is_valid_point(p) == 0) {
|
|
printf("crypto_core_ed25519_from_uniform() returned an invalid point\n");
|
|
}
|
|
crypto_core_ed25519_random(p);
|
|
if (crypto_core_ed25519_is_valid_point(p) == 0) {
|
|
printf("crypto_core_ed25519_random() returned an invalid point\n");
|
|
}
|
|
}
|
|
|
|
p2 = (unsigned char *) sodium_malloc(crypto_core_ed25519_BYTES);
|
|
p3 = (unsigned char *) sodium_malloc(crypto_core_ed25519_BYTES);
|
|
|
|
crypto_core_ed25519_random(p2);
|
|
|
|
j = 1 + (unsigned int) randombytes_uniform(100);
|
|
memcpy(p3, p, crypto_core_ed25519_BYTES);
|
|
for (i = 0; i < j; i++) {
|
|
crypto_core_ed25519_add(p, p, p2);
|
|
if (crypto_core_ed25519_is_valid_point(p) != 1) {
|
|
printf("crypto_core_add() returned an invalid point\n");
|
|
}
|
|
}
|
|
if (memcmp(p, p3, crypto_core_ed25519_BYTES) == 0) {
|
|
printf("crypto_core_add() failed\n");
|
|
}
|
|
for (i = 0; i < j; i++) {
|
|
crypto_core_ed25519_sub(p, p, p2);
|
|
}
|
|
if (memcmp(p, p3, crypto_core_ed25519_BYTES) != 0) {
|
|
printf("crypto_core_add() or crypto_core_sub() failed\n");
|
|
}
|
|
sc = (unsigned char *) sodium_malloc(crypto_scalarmult_ed25519_SCALARBYTES);
|
|
memset(sc, 0, crypto_scalarmult_ed25519_SCALARBYTES);
|
|
sc[0] = 8;
|
|
memcpy(p2, p, crypto_core_ed25519_BYTES);
|
|
memcpy(p3, p, crypto_core_ed25519_BYTES);
|
|
|
|
for (i = 0; i < 254; i++) {
|
|
crypto_core_ed25519_add(p2, p2, p2);
|
|
}
|
|
for (i = 0; i < 8; i++) {
|
|
crypto_core_ed25519_add(p2, p2, p);
|
|
}
|
|
if (crypto_scalarmult_ed25519(p3, sc, p) != 0) {
|
|
printf("crypto_scalarmult_ed25519() failed\n");
|
|
}
|
|
if (memcmp(p2, p3, crypto_core_ed25519_BYTES) != 0) {
|
|
printf("crypto_scalarmult_ed25519() is inconsistent with crypto_core_ed25519_add()\n");
|
|
}
|
|
|
|
assert(crypto_core_ed25519_is_valid_point(p) == 1);
|
|
|
|
memset(p, 0, crypto_core_ed25519_BYTES);
|
|
assert(crypto_core_ed25519_is_valid_point(p) == 0);
|
|
|
|
p[0] = 1;
|
|
assert(crypto_core_ed25519_is_valid_point(p) == 0);
|
|
|
|
p[0] = 2;
|
|
assert(crypto_core_ed25519_is_valid_point(p) == 0);
|
|
|
|
p[0] = 9;
|
|
assert(crypto_core_ed25519_is_valid_point(p) == 1);
|
|
|
|
assert(crypto_core_ed25519_is_valid_point(max_canonical_p) == 1);
|
|
assert(crypto_core_ed25519_is_valid_point(non_canonical_invalid_p) == 0);
|
|
assert(crypto_core_ed25519_is_valid_point(non_canonical_p) == 0);
|
|
|
|
memcpy(p2, p, crypto_core_ed25519_BYTES);
|
|
add_P(p2);
|
|
crypto_core_ed25519_add(p3, p2, p2);
|
|
crypto_core_ed25519_sub(p3, p3, p2);
|
|
assert(memcmp(p2, p, crypto_core_ed25519_BYTES) != 0);
|
|
assert(memcmp(p3, p, crypto_core_ed25519_BYTES) == 0);
|
|
|
|
p[0] = 2;
|
|
assert(crypto_core_ed25519_add(p3, p2, p) == -1);
|
|
assert(crypto_core_ed25519_add(p3, p2, non_canonical_p) == 0);
|
|
assert(crypto_core_ed25519_add(p3, p2, non_canonical_invalid_p) == -1);
|
|
assert(crypto_core_ed25519_add(p3, p, p3) == -1);
|
|
assert(crypto_core_ed25519_add(p3, non_canonical_p, p3) == 0);
|
|
assert(crypto_core_ed25519_add(p3, non_canonical_invalid_p, p3) == -1);
|
|
|
|
assert(crypto_core_ed25519_sub(p3, p2, p) == -1);
|
|
assert(crypto_core_ed25519_sub(p3, p2, non_canonical_p) == 0);
|
|
assert(crypto_core_ed25519_sub(p3, p2, non_canonical_invalid_p) == -1);
|
|
assert(crypto_core_ed25519_sub(p3, p, p3) == -1);
|
|
assert(crypto_core_ed25519_sub(p3, non_canonical_p, p3) == 0);
|
|
assert(crypto_core_ed25519_sub(p3, non_canonical_invalid_p, p3) == -1);
|
|
|
|
for (i = 0; i < 1000; i++) {
|
|
crypto_core_ed25519_random(p);
|
|
do {
|
|
crypto_core_ed25519_scalar_random(sc);
|
|
} while (sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES));
|
|
if (crypto_scalarmult_ed25519_noclamp(p2, sc, p) != 0) {
|
|
printf("crypto_scalarmult_ed25519_noclamp() failed\n");
|
|
}
|
|
assert(crypto_core_ed25519_is_valid_point(p2));
|
|
if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) {
|
|
printf("crypto_core_ed25519_scalar_invert() failed\n");
|
|
}
|
|
if (crypto_scalarmult_ed25519_noclamp(p3, sc, p2) != 0) {
|
|
printf("crypto_scalarmult_ed25519_noclamp() failed\n");
|
|
}
|
|
assert(memcmp(p3, p, crypto_core_ed25519_BYTES) == 0);
|
|
}
|
|
|
|
sc64 = (unsigned char *) sodium_malloc(64);
|
|
crypto_core_ed25519_scalar_random(sc);
|
|
memcpy(sc64, sc, crypto_core_ed25519_BYTES);
|
|
memset(sc64 + crypto_core_ed25519_BYTES, 0,
|
|
64 - crypto_core_ed25519_BYTES);
|
|
i = (unsigned int) randombytes_uniform(100);
|
|
do {
|
|
add_l64(sc64);
|
|
} while (i-- > 0);
|
|
crypto_core_ed25519_scalar_reduce(sc64, sc64);
|
|
if (memcmp(sc64, sc, crypto_core_ed25519_BYTES) != 0) {
|
|
printf("crypto_core_ed25519_scalar_reduce() failed\n");
|
|
}
|
|
|
|
randombytes_buf(r, crypto_core_ed25519_UNIFORMBYTES);
|
|
crypto_core_ed25519_from_uniform(p, r);
|
|
memcpy(p2, p, crypto_core_ed25519_BYTES);
|
|
crypto_core_ed25519_scalar_random(sc);
|
|
if (crypto_scalarmult_ed25519_noclamp(p, sc, p) != 0) {
|
|
printf("crypto_scalarmult_ed25519_noclamp() failed (1)\n");
|
|
}
|
|
crypto_core_ed25519_scalar_complement(sc, sc);
|
|
if (crypto_scalarmult_ed25519_noclamp(p2, sc, p2) != 0) {
|
|
printf("crypto_scalarmult_ed25519_noclamp() failed (2)\n");
|
|
}
|
|
crypto_core_ed25519_add(p3, p, p2);
|
|
crypto_core_ed25519_from_uniform(p, r);
|
|
crypto_core_ed25519_sub(p, p, p3);
|
|
assert(p[0] == 0x01);
|
|
for (i = 1; i < crypto_core_ed25519_BYTES; i++) {
|
|
assert(p[i] == 0);
|
|
}
|
|
|
|
crypto_core_ed25519_random(p);
|
|
memcpy(p2, p, crypto_core_ed25519_BYTES);
|
|
crypto_core_ed25519_scalar_random(sc);
|
|
if (crypto_scalarmult_ed25519_noclamp(p, sc, p) != 0) {
|
|
printf("crypto_scalarmult_ed25519_noclamp() failed (3)\n");
|
|
}
|
|
crypto_core_ed25519_scalar_negate(sc, sc);
|
|
if (crypto_scalarmult_ed25519_noclamp(p2, sc, p2) != 0) {
|
|
printf("crypto_scalarmult_ed25519_noclamp() failed (4)\n");
|
|
}
|
|
crypto_core_ed25519_add(p, p, p2);
|
|
assert(p[0] == 0x01);
|
|
for (i = 1; i < crypto_core_ed25519_BYTES; i++) {
|
|
assert(p[i] == 0);
|
|
}
|
|
|
|
hex = (char *) sodium_malloc(crypto_core_ed25519_SCALARBYTES * 2 + 1);
|
|
|
|
for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) {
|
|
sc[i] = 255 - i;
|
|
}
|
|
if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) {
|
|
printf("crypto_core_ed25519_scalar_invert() failed\n");
|
|
}
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("inv1: %s\n", hex);
|
|
if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) {
|
|
printf("crypto_core_ed25519_scalar_invert() failed\n");
|
|
}
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("inv2: %s\n", hex);
|
|
for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) {
|
|
sc[i] = 32 - i;
|
|
}
|
|
if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) {
|
|
printf("crypto_core_ed25519_scalar_invert() failed\n");
|
|
}
|
|
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("inv3: %s\n", hex);
|
|
if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) {
|
|
printf("crypto_core_ed25519_scalar_invert() failed\n");
|
|
}
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("inv4: %s\n", hex);
|
|
|
|
for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) {
|
|
sc[i] = 255 - i;
|
|
}
|
|
crypto_core_ed25519_scalar_negate(sc, sc);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("neg1: %s\n", hex);
|
|
crypto_core_ed25519_scalar_negate(sc, sc);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("neg2: %s\n", hex);
|
|
for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) {
|
|
sc[i] = 32 - i;
|
|
}
|
|
crypto_core_ed25519_scalar_negate(sc, sc);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("neg3: %s\n", hex);
|
|
crypto_core_ed25519_scalar_negate(sc, sc);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("neg4: %s\n", hex);
|
|
|
|
for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) {
|
|
sc[i] = 255 - i;
|
|
}
|
|
crypto_core_ed25519_scalar_complement(sc, sc);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("comp1: %s\n", hex);
|
|
crypto_core_ed25519_scalar_complement(sc, sc);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("comp2: %s\n", hex);
|
|
for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) {
|
|
sc[i] = 32 - i;
|
|
}
|
|
crypto_core_ed25519_scalar_complement(sc, sc);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("comp3: %s\n", hex);
|
|
crypto_core_ed25519_scalar_complement(sc, sc);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("comp4: %s\n", hex);
|
|
|
|
sc2 = (unsigned char *) sodium_malloc(crypto_core_ed25519_SCALARBYTES);
|
|
sc3 = (unsigned char *) sodium_malloc(crypto_core_ed25519_SCALARBYTES);
|
|
for (i = 0; i < 1000; i++) {
|
|
randombytes_buf(sc, crypto_core_ed25519_SCALARBYTES);
|
|
randombytes_buf(sc2, crypto_core_ed25519_SCALARBYTES);
|
|
sc[crypto_core_ed25519_SCALARBYTES - 1] &= 0x7f;
|
|
sc2[crypto_core_ed25519_SCALARBYTES - 1] &= 0x7f;
|
|
crypto_core_ed25519_scalar_add(sc3, sc, sc2);
|
|
assert(!sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES));
|
|
crypto_core_ed25519_scalar_sub(sc3, sc3, sc2);
|
|
assert(!sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES));
|
|
crypto_core_ed25519_scalar_sub(sc3, sc3, sc);
|
|
assert(sodium_is_zero(sc3, crypto_core_ed25519_SCALARBYTES));
|
|
}
|
|
|
|
memset(sc, 0x69, crypto_core_ed25519_SCALARBYTES);
|
|
memset(sc2, 0x42, crypto_core_ed25519_SCALARBYTES);
|
|
crypto_core_ed25519_scalar_add(sc, sc, sc2);
|
|
crypto_core_ed25519_scalar_add(sc, sc2, sc);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("add1: %s\n", hex);
|
|
|
|
crypto_core_ed25519_scalar_sub(sc, sc2, sc);
|
|
crypto_core_ed25519_scalar_sub(sc, sc, sc2);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("sub1: %s\n", hex);
|
|
|
|
memset(sc, 0xcd, crypto_core_ed25519_SCALARBYTES);
|
|
memset(sc2, 0x42, crypto_core_ed25519_SCALARBYTES);
|
|
crypto_core_ed25519_scalar_add(sc, sc, sc2);
|
|
crypto_core_ed25519_scalar_add(sc, sc2, sc);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("add2: %s\n", hex);
|
|
|
|
crypto_core_ed25519_scalar_sub(sc, sc2, sc);
|
|
crypto_core_ed25519_scalar_sub(sc, sc, sc2);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("sub2: %s\n", hex);
|
|
|
|
memset(sc, 0x69, crypto_core_ed25519_SCALARBYTES);
|
|
memset(sc2, 0x42, crypto_core_ed25519_SCALARBYTES);
|
|
for (i = 0; i < 100; i++) {
|
|
crypto_core_ed25519_scalar_mul(sc, sc, sc2);
|
|
crypto_core_ed25519_scalar_mul(sc2, sc, sc2);
|
|
}
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc2, crypto_core_ed25519_SCALARBYTES);
|
|
printf("mul: %s\n", hex);
|
|
for (i = 0; i < 1000; i++) {
|
|
crypto_core_ed25519_scalar_random(sc);
|
|
memset(sc2, 0, crypto_core_ed25519_SCALARBYTES);
|
|
crypto_core_ed25519_scalar_mul(sc3, sc, sc2);
|
|
assert(sodium_is_zero(sc3, crypto_core_ed25519_SCALARBYTES));
|
|
|
|
sc2[0]++;
|
|
crypto_core_ed25519_scalar_mul(sc3, sc, sc2);
|
|
assert(memcmp(sc3, sc, crypto_core_ed25519_SCALARBYTES) == 0);
|
|
|
|
sc2[0]++;
|
|
crypto_core_ed25519_scalar_mul(sc3, sc, sc2);
|
|
crypto_core_ed25519_scalar_sub(sc3, sc3, sc);
|
|
crypto_core_ed25519_scalar_sub(sc3, sc3, sc);
|
|
assert(sodium_is_zero(sc3, crypto_core_ed25519_SCALARBYTES));
|
|
|
|
do {
|
|
crypto_core_ed25519_scalar_random(sc2);
|
|
} while (sodium_is_zero(sc2, crypto_core_ed25519_SCALARBYTES));
|
|
crypto_core_ed25519_scalar_mul(sc3, sc, sc2);
|
|
crypto_core_ed25519_scalar_invert(sc2, sc2);
|
|
crypto_core_ed25519_scalar_mul(sc3, sc3, sc2);
|
|
assert(memcmp(sc3, sc, crypto_core_ed25519_SCALARBYTES) == 0);
|
|
|
|
sc[31] |= 0x11;
|
|
memset(sc2, 0, crypto_core_ed25519_SCALARBYTES);
|
|
sc2[0] = 1;
|
|
crypto_core_ed25519_scalar_mul(sc3, sc, sc2);
|
|
assert(memcmp(sc3, sc, crypto_core_ed25519_SCALARBYTES) != 0);
|
|
}
|
|
|
|
seed = (unsigned char *) sodium_malloc(randombytes_SEEDBYTES);
|
|
for (i = 0; i < 15; i++) {
|
|
randombytes_buf_deterministic(r, crypto_core_ed25519_UNIFORMBYTES, seed);
|
|
if (crypto_core_ed25519_from_uniform(p, r) != 0) {
|
|
printf("crypto_core_ed25519_from_uniform() failed\n");
|
|
}
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
p, crypto_core_ed25519_BYTES);
|
|
printf("from_uniform_deterministic (%u): %s\n", i, hex);
|
|
sodium_increment(seed, randombytes_SEEDBYTES);
|
|
}
|
|
crypto_core_ed25519_scalar_mul(sc, L_1, sc_8);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("(L-1)*8: %s\n", hex);
|
|
crypto_core_ed25519_scalar_mul(sc, sc_8, L_1);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("8(L-1): %s\n", hex);
|
|
crypto_core_ed25519_scalar_mul(sc, L_1, L_1);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("(L-1)^2: %s\n", hex);
|
|
crypto_core_ed25519_scalar_mul(sc, L, sc_8);
|
|
|
|
crypto_core_ed25519_scalar_mul(sc, L_p1, sc_8);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("(L+1)*8: %s\n", hex);
|
|
crypto_core_ed25519_scalar_mul(sc, sc_8, L_p1);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("8(L+1): %s\n", hex);
|
|
crypto_core_ed25519_scalar_mul(sc, L_p1, L_p1);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("(L+1)^2: %s\n", hex);
|
|
|
|
crypto_core_ed25519_scalar_mul(sc, L_1, sc_highbit);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("(L-1)h: %s\n", hex);
|
|
crypto_core_ed25519_scalar_mul(sc, sc_highbit, L_1);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("h(L-1): %s\n", hex);
|
|
crypto_core_ed25519_scalar_mul(sc, L_p1, sc_highbit);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("(L+1)h: %s\n", hex);
|
|
crypto_core_ed25519_scalar_mul(sc, sc_highbit, L_p1);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("h(L+1): %s\n", hex);
|
|
crypto_core_ed25519_scalar_mul(sc, sc_highbit, sc_highbit);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("h^2: %s\n", hex);
|
|
|
|
crypto_core_ed25519_scalar_mul(sc, L, sc_8);
|
|
assert(sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES));
|
|
crypto_core_ed25519_scalar_mul(sc, sc_8, L);
|
|
assert(sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES));
|
|
crypto_core_ed25519_scalar_mul(sc, L, L);
|
|
assert(sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES));
|
|
crypto_core_ed25519_scalar_mul(sc, L, L_1);
|
|
assert(sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES));
|
|
crypto_core_ed25519_scalar_mul(sc, L_1, L);
|
|
assert(sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES));
|
|
|
|
crypto_core_ed25519_scalar_add(sc, L_1, sc_8);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("(L-1)+8: %s\n", hex);
|
|
crypto_core_ed25519_scalar_add(sc, sc_8, L_1);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("8+(L-1): %s\n", hex);
|
|
crypto_core_ed25519_scalar_add(sc, L_1, L_1);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("(L-1)*2: %s\n", hex);
|
|
crypto_core_ed25519_scalar_add(sc, L, sc_8);
|
|
|
|
crypto_core_ed25519_scalar_add(sc, L_p1, sc_8);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("(L+1)+8: %s\n", hex);
|
|
crypto_core_ed25519_scalar_add(sc, sc_8, L_p1);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("8+(L+1): %s\n", hex);
|
|
crypto_core_ed25519_scalar_add(sc, L_p1, L_p1);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("(L+1)*2: %s\n", hex);
|
|
|
|
crypto_core_ed25519_scalar_add(sc, L_1, sc_highbit);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("(L-1)+h: %s\n", hex);
|
|
crypto_core_ed25519_scalar_add(sc, sc_highbit, L_1);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("h+(L-1): %s\n", hex);
|
|
crypto_core_ed25519_scalar_add(sc, L_p1, sc_highbit);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("(L+1)+h: %s\n", hex);
|
|
crypto_core_ed25519_scalar_add(sc, sc_highbit, L_p1);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("h+(L+1): %s\n", hex);
|
|
crypto_core_ed25519_scalar_add(sc, sc_highbit, sc_highbit);
|
|
sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1,
|
|
sc, crypto_core_ed25519_SCALARBYTES);
|
|
printf("h*2: %s\n", hex);
|
|
|
|
sodium_free(seed);
|
|
sodium_free(hex);
|
|
sodium_free(sc64);
|
|
sodium_free(sc3);
|
|
sodium_free(sc2);
|
|
sodium_free(sc);
|
|
sodium_free(p3);
|
|
sodium_free(p2);
|
|
sodium_free(p);
|
|
sodium_free(r);
|
|
sodium_free(h);
|
|
|
|
assert(crypto_core_ed25519_BYTES == crypto_core_ed25519_bytes());
|
|
assert(crypto_core_ed25519_SCALARBYTES == crypto_core_ed25519_scalarbytes());
|
|
assert(crypto_core_ed25519_NONREDUCEDSCALARBYTES == crypto_core_ed25519_nonreducedscalarbytes());
|
|
assert(crypto_core_ed25519_NONREDUCEDSCALARBYTES >= crypto_core_ed25519_SCALARBYTES);
|
|
assert(crypto_core_ed25519_UNIFORMBYTES == crypto_core_ed25519_uniformbytes());
|
|
assert(crypto_core_ed25519_UNIFORMBYTES >= crypto_core_ed25519_BYTES);
|
|
assert(crypto_core_ed25519_HASHBYTES == crypto_core_ed25519_hashbytes());
|
|
assert(crypto_core_ed25519_HASHBYTES >= 2 * crypto_core_ed25519_BYTES);
|
|
|
|
printf("OK\n");
|
|
|
|
return 0;
|
|
}
|