Example #1
0
        public static void curve25519_keygen(byte[] curve25519_pubkey_out,
                                             byte[] curve25519_privkey_in)
        {
            Ge_p3 ed = new Ge_p3(); /* Ed25519 pubkey point */

            int[] ed_y               = new int[10];
            int[] ed_y_plus_one      = new int[10];
            int[] one_minus_ed_y     = new int[10];
            int[] inv_one_minus_ed_y = new int[10];
            int[] mont_x             = new int[10];

            /* Perform a fixed-base multiplication of the Edwards base point,
             * (which is efficient due to precalculated tables), then convert
             * to the Curve25519 montgomery-format public key.  In particular,
             * convert Curve25519's "montgomery" x-coordinate into an Ed25519
             * "edwards" y-coordinate:
             *
             * mont_x = (ed_y + 1) / (1 - ed_y)
             *
             * with projective coordinates:
             *
             * mont_x = (ed_y + ed_z) / (ed_z - ed_y)
             *
             * NOTE: ed_y=1 is converted to mont_x=0 since fe_invert is mod-exp
             */

            Ge_scalarmult_base.ge_scalarmult_base(ed, curve25519_privkey_in);
            Fe_add.fe_add(ed_y_plus_one, ed.Y, ed.Z);
            Fe_sub.fe_sub(one_minus_ed_y, ed.Z, ed.Y);
            Fe_invert.fe_invert(inv_one_minus_ed_y, one_minus_ed_y);
            Fe_mul.fe_mul(mont_x, ed_y_plus_one, inv_one_minus_ed_y);
            Fe_tobytes.fe_tobytes(curve25519_pubkey_out, mont_x);
        }
Example #2
0
        public static int vxed25519_verify(ISha512 sha512provider,
                                           byte[] vrf_out,
                                           byte[] signature,
                                           byte[] curve25519_pubkey,
                                           byte[] msg, int msg_len)
        {
            int[]  u          = new int[10];
            int[]  y          = new int[10];
            byte[] ed_pubkey  = new byte[32];
            byte[] strict     = new byte[32];
            byte[] verifybuf  = new byte[crypto_additions.MAX_MSG_LEN + 160]; /* working buffer */
            byte[] verifybuf2 = new byte[crypto_additions.MAX_MSG_LEN + 160]; /* working buffer #2 ?? !!! */
            Ge_p3  Bv         = new Ge_p3();

            if (msg_len > crypto_additions.MAX_MSG_LEN)
            {
                return(-1);
            }

            /* Convert the Curve25519 public key into an Ed25519 public key.
             *
             * y = (u - 1) / (u + 1)
             *
             * NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
             */
            Fe_frombytes.fe_frombytes(u, curve25519_pubkey);
            Fe_tobytes.fe_tobytes(strict, u);
            if (Crypto_verify_32.crypto_verify_32(strict, curve25519_pubkey) != 0)
            {
                return(0);
            }
            Fe_montx_to_edy.fe_montx_to_edy(y, u);
            Fe_tobytes.fe_tobytes(ed_pubkey, y);

            Elligator.calculate_Bv(sha512provider, Bv, verifybuf, ed_pubkey, msg, msg_len);

            Array.Copy(signature, 0, verifybuf, 0, 96);
            Array.Copy(msg, 0, verifybuf, 96, msg_len);

            /* Then perform a signature verification, return 0 on success */
            /* The below call has a strange API: */
            /* verifybuf = V || h || s || message */
            /* verifybuf2 = used as buffer, gets the VRF output if success */
            if (Vopen_modified.crypto_vsign_open_modified(sha512provider, verifybuf2, verifybuf, 96 + msg_len, ed_pubkey, Bv) == 0)
            {
                Array.Copy(verifybuf2, 0, vrf_out, 0, 32);
                return(0);
            }
            else
            {
                //memset(vrf_out, 0, 32);
                return(-1);
            }
        }
Example #3
0
        public static int curve25519_verify(ISha512 sha512provider, byte[] signature,
                                            byte[] curve25519_pubkey,
                                            byte[] msg, int msg_len)
        {
            int[]  mont_x              = new int[10];
            int[]  mont_x_minus_one    = new int[10];
            int[]  mont_x_plus_one     = new int[10];
            int[]  inv_mont_x_plus_one = new int[10];
            int[]  one         = new int[10];
            int[]  ed_y        = new int[10];
            byte[] ed_pubkey   = new byte[32];
            long   some_retval = 0;

            byte[] verifybuf  = new byte[msg_len + 64]; /* working buffer */
            byte[] verifybuf2 = new byte[msg_len + 64]; /* working buffer #2 */

            /* Convert the Curve25519 public key into an Ed25519 public key.  In
             * particular, convert Curve25519's "montgomery" x-coordinate into an
             * Ed25519 "edwards" y-coordinate:
             *
             * ed_y = (mont_x - 1) / (mont_x + 1)
             *
             * NOTE: mont_x=-1 is converted to ed_y=0 since fe_invert is mod-exp
             *
             * Then move the sign bit into the pubkey from the signature.
             */
            Fe_frombytes.fe_frombytes(mont_x, curve25519_pubkey);
            Fe_1.fe_1(one);
            Fe_sub.fe_sub(mont_x_minus_one, mont_x, one);
            Fe_add.fe_add(mont_x_plus_one, mont_x, one);
            Fe_invert.fe_invert(inv_mont_x_plus_one, mont_x_plus_one);
            Fe_mul.fe_mul(ed_y, mont_x_minus_one, inv_mont_x_plus_one);
            Fe_tobytes.fe_tobytes(ed_pubkey, ed_y);

            /* Copy the sign bit, and remove it from signature */
            ed_pubkey[31] &= 0x7F;  /* bit should be zero already, but just in case */
            ed_pubkey[31] |= (byte)(signature[63] & 0x80);
            Array.Copy(signature, 0, verifybuf, 0, 64);
            verifybuf[63] &= 0x7F;

            Array.Copy(msg, 0, verifybuf, 64, (int)msg_len);

            /* Then perform a normal Ed25519 verification, return 0 on success */
            /* The below call has a strange API: */
            /* verifybuf = R || S || message */

            /* verifybuf2 = java to next call gets a copy of verifybuf, S gets
             * replaced with pubkey for hashing, then the whole thing gets zeroized
             * (if bad sig), or contains a copy of msg (good sig) */
            return(Open.crypto_sign_open(sha512provider, verifybuf2, some_retval, verifybuf, 64 + msg_len, ed_pubkey));
        }
Example #4
0
        public static int uxed25519_verify(ISha512 sha512provider, byte[] signature, byte[] curve25519_pubkey, byte[] msg, int msg_len)
        {
            // just return -1 as this shouldn't be used
            return(-1);

            int[] u = new int[10];
            int[] y = new int[10];

            byte[] ed_pubkey   = new byte[32];
            long   some_retval = 0;

            byte[] verifybuf  = new byte[crypto_additions.MAX_MSG_LEN + 160]; /* working buffer */
            byte[] verifybuf2 = new byte[crypto_additions.MAX_MSG_LEN + 160]; /* working buffer #2 ?? !!! */
            Ge_p3  Bu         = new Ge_p3();

            if (msg_len > crypto_additions.MAX_MSG_LEN)
            {
                return(-1);
            }

            //Elligator.calculate_Bv(sha512provider, Bu, verifybuf, msg, msg_len);

            /* Convert the Curve25519 public key (u) into an Ed25519 public key.
             *
             * y = (u - 1) / (u + 1)
             *
             * NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
             */
            Fe_frombytes.fe_frombytes(u, curve25519_pubkey);
            Fe_montx_to_edy.fe_montx_to_edy(y, u);
            Fe_tobytes.fe_tobytes(ed_pubkey, y);

            Array.Copy(signature, 0, verifybuf, 0, 96);
            Array.Copy(msg, 0, verifybuf, 96, msg_len);

            /* Then perform a signature verification, return 0 on success */
            /* The below call has a strange API: */
            /* verifybuf = U || h || s || message */

            /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets
             * replaced with pubkey for hashing, then the whole thing gets zeroized
             * (if bad sig), or contains a copy of msg (good sig) */
            return(uopen_modified.crypto_usign_open_modified(sha512provider, verifybuf2, some_retval, verifybuf, 96 + msg_len, ed_pubkey, Bu));
        }
Example #5
0
        public static int legendre_is_nonsquare(int[] iIn)
        {
            int[] temp = new int[10];
            Fe_pow22523.fe_pow22523(temp, iIn); /* temp = in^((q-5)/8) */
            Fe_sq.fe_sq(temp, temp);            /*        in^((q-5)/4) */
            Fe_sq.fe_sq(temp, temp);            /*        in^((q-5)/2) */
            Fe_mul.fe_mul(temp, temp, iIn);     /*        in^((q-3)/2) */
            Fe_mul.fe_mul(temp, temp, iIn);     /*        in^((q-1)/2) */


            /* temp is now the Legendre symbol:
             * 1 = square
             * 0 = input is zero
             * -1 = nonsquare
             */
            byte[] bytes = new byte[32];
            Fe_tobytes.fe_tobytes(bytes, temp);
            return(1 & bytes[31]);
        }
Example #6
0
        public static int curve25519_verify(ISha512 sha512provider, byte[] signature,
                                            byte[] curve25519_pubkey,
                                            byte[] msg, int msg_len)
        {
            int[]  u          = new int[10];
            int[]  y          = new int[10];
            byte[] ed_pubkey  = new byte[32];
            byte[] verifybuf  = new byte[msg_len + 64]; /* working buffer */
            byte[] verifybuf2 = new byte[msg_len + 64]; /* working buffer #2 */

            /* Convert the Curve25519 public key into an Ed25519 public key.  In
             * particular, convert Curve25519's "montgomery" x-coordinate (u) into an
             * Ed25519 "edwards" y-coordinate:
             *
             * y = (u - 1) / (u + 1)
             *
             * NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
             *
             * Then move the sign bit into the pubkey from the signature.
             */
            Fe_frombytes.fe_frombytes(u, curve25519_pubkey);
            Fe_montx_to_edy.fe_montx_to_edy(y, u);
            Fe_tobytes.fe_tobytes(ed_pubkey, y);

            /* Copy the sign bit, and remove it from signature */
            ed_pubkey[31] &= 0x7F;  /* bit should be zero already, but just in case */
            ed_pubkey[31] |= (byte)(signature[63] & 0x80);
            Array.Copy(signature, 0, verifybuf, 0, 64);
            verifybuf[63] &= 0x7F;

            Array.Copy(msg, 0, verifybuf, 64, (int)msg_len);

            /* Then perform a normal Ed25519 verification, return 0 on success */
            /* The below call has a strange API: */
            /* verifybuf = R || S || message */

            /* verifybuf2 = java to next call gets a copy of verifybuf, S gets
             * replaced with pubkey for hashing, then the whole thing gets zeroized
             * (if bad sig), or contains a copy of msg (good sig) */
            return(open_modified.crypto_sign_open_modified(sha512provider, verifybuf2, verifybuf, 64 + msg_len, ed_pubkey));
        }
Example #7
0
        public static int xed25519_verify(ISha512 sha512provider, byte[] signature, byte[] curve25519_pubkey, byte[] msg, int msg_len)
        {
            int[]  u          = new int[10];
            int[]  y          = new int[10];
            byte[] ed_pubkey  = new byte[32];
            byte[] strict     = new byte[32];
            byte[] verifybuf  = new byte[crypto_additions.MAX_MSG_LEN + 64]; /* working buffer */
            byte[] verifybuf2 = new byte[crypto_additions.MAX_MSG_LEN + 64]; /* working buffer #2 */

            if (msg_len > crypto_additions.MAX_MSG_LEN)
            {
                return(-1);
            }

            /* Convert the Curve25519 public key into an Ed25519 public key.
             *
             * y = (u - 1) / (u + 1)
             *
             * NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
             */
            Fe_frombytes.fe_frombytes(u, curve25519_pubkey);
            Fe_tobytes.fe_tobytes(strict, u);
            if (Crypto_verify_32.crypto_verify_32(strict, curve25519_pubkey) != 0)
            {
                return(0);
            }
            Fe_montx_to_edy.fe_montx_to_edy(y, u);
            Fe_tobytes.fe_tobytes(ed_pubkey, y);

            Array.Copy(signature, 0, verifybuf, 0, 64);
            Array.Copy(msg, 0, verifybuf, 64, msg_len);

            /* Then perform a normal Ed25519 verification, return 0 on success */
            /* The below call has a strange API: */
            /* verifybuf = R || S || message */

            /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets
             * replaced with pubkey for hashing*/
            return(open_modified.crypto_sign_open_modified(sha512provider, verifybuf2, verifybuf, 64 + msg_len, ed_pubkey));
        }
 public static void print_fe(string name, int[] iIn)
 {
     byte[] bytes = new byte[32];
     Fe_tobytes.fe_tobytes(bytes, iIn);
     print_vector(name, bytes);
 }