public static int vxed25519_verify(ISha512 sha512provider, byte[] vrf_out, byte[] signature, byte[] curve25519_pubkey, byte[] msg, int msg_len) { int[] u = new int[10]; int[] y = new int[10]; byte[] ed_pubkey = new byte[32]; byte[] strict = new byte[32]; byte[] verifybuf = new byte[crypto_additions.MAX_MSG_LEN + 160]; /* working buffer */ byte[] verifybuf2 = new byte[crypto_additions.MAX_MSG_LEN + 160]; /* working buffer #2 ?? !!! */ Ge_p3 Bv = new Ge_p3(); if (msg_len > crypto_additions.MAX_MSG_LEN) { return(-1); } /* Convert the Curve25519 public key into an Ed25519 public key. * * y = (u - 1) / (u + 1) * * NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp */ Fe_frombytes.fe_frombytes(u, curve25519_pubkey); Fe_tobytes.fe_tobytes(strict, u); if (Crypto_verify_32.crypto_verify_32(strict, curve25519_pubkey) != 0) { return(0); } Fe_montx_to_edy.fe_montx_to_edy(y, u); Fe_tobytes.fe_tobytes(ed_pubkey, y); Elligator.calculate_Bv(sha512provider, Bv, verifybuf, ed_pubkey, msg, msg_len); Array.Copy(signature, 0, verifybuf, 0, 96); Array.Copy(msg, 0, verifybuf, 96, msg_len); /* Then perform a signature verification, return 0 on success */ /* The below call has a strange API: */ /* verifybuf = V || h || s || message */ /* verifybuf2 = used as buffer, gets the VRF output if success */ if (Vopen_modified.crypto_vsign_open_modified(sha512provider, verifybuf2, verifybuf, 96 + msg_len, ed_pubkey, Bv) == 0) { Array.Copy(verifybuf2, 0, vrf_out, 0, 32); return(0); } else { //memset(vrf_out, 0, 32); return(-1); } }
public static int curve25519_verify(ISha512 sha512provider, byte[] signature, byte[] curve25519_pubkey, byte[] msg, int msg_len) { int[] mont_x = new int[10]; int[] mont_x_minus_one = new int[10]; int[] mont_x_plus_one = new int[10]; int[] inv_mont_x_plus_one = new int[10]; int[] one = new int[10]; int[] ed_y = new int[10]; byte[] ed_pubkey = new byte[32]; long some_retval = 0; byte[] verifybuf = new byte[msg_len + 64]; /* working buffer */ byte[] verifybuf2 = new byte[msg_len + 64]; /* working buffer #2 */ /* Convert the Curve25519 public key into an Ed25519 public key. In * particular, convert Curve25519's "montgomery" x-coordinate into an * Ed25519 "edwards" y-coordinate: * * ed_y = (mont_x - 1) / (mont_x + 1) * * NOTE: mont_x=-1 is converted to ed_y=0 since fe_invert is mod-exp * * Then move the sign bit into the pubkey from the signature. */ Fe_frombytes.fe_frombytes(mont_x, curve25519_pubkey); Fe_1.fe_1(one); Fe_sub.fe_sub(mont_x_minus_one, mont_x, one); Fe_add.fe_add(mont_x_plus_one, mont_x, one); Fe_invert.fe_invert(inv_mont_x_plus_one, mont_x_plus_one); Fe_mul.fe_mul(ed_y, mont_x_minus_one, inv_mont_x_plus_one); Fe_tobytes.fe_tobytes(ed_pubkey, ed_y); /* Copy the sign bit, and remove it from signature */ ed_pubkey[31] &= 0x7F; /* bit should be zero already, but just in case */ ed_pubkey[31] |= (byte)(signature[63] & 0x80); Array.Copy(signature, 0, verifybuf, 0, 64); verifybuf[63] &= 0x7F; Array.Copy(msg, 0, verifybuf, 64, (int)msg_len); /* Then perform a normal Ed25519 verification, return 0 on success */ /* The below call has a strange API: */ /* verifybuf = R || S || message */ /* verifybuf2 = java to next call gets a copy of verifybuf, S gets * replaced with pubkey for hashing, then the whole thing gets zeroized * (if bad sig), or contains a copy of msg (good sig) */ return(Open.crypto_sign_open(sha512provider, verifybuf2, some_retval, verifybuf, 64 + msg_len, ed_pubkey)); }
public static int uxed25519_verify(ISha512 sha512provider, byte[] signature, byte[] curve25519_pubkey, byte[] msg, int msg_len) { // just return -1 as this shouldn't be used return(-1); int[] u = new int[10]; int[] y = new int[10]; byte[] ed_pubkey = new byte[32]; long some_retval = 0; byte[] verifybuf = new byte[crypto_additions.MAX_MSG_LEN + 160]; /* working buffer */ byte[] verifybuf2 = new byte[crypto_additions.MAX_MSG_LEN + 160]; /* working buffer #2 ?? !!! */ Ge_p3 Bu = new Ge_p3(); if (msg_len > crypto_additions.MAX_MSG_LEN) { return(-1); } //Elligator.calculate_Bv(sha512provider, Bu, verifybuf, msg, msg_len); /* Convert the Curve25519 public key (u) into an Ed25519 public key. * * y = (u - 1) / (u + 1) * * NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp */ Fe_frombytes.fe_frombytes(u, curve25519_pubkey); Fe_montx_to_edy.fe_montx_to_edy(y, u); Fe_tobytes.fe_tobytes(ed_pubkey, y); Array.Copy(signature, 0, verifybuf, 0, 96); Array.Copy(msg, 0, verifybuf, 96, msg_len); /* Then perform a signature verification, return 0 on success */ /* The below call has a strange API: */ /* verifybuf = U || h || s || message */ /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets * replaced with pubkey for hashing, then the whole thing gets zeroized * (if bad sig), or contains a copy of msg (good sig) */ return(uopen_modified.crypto_usign_open_modified(sha512provider, verifybuf2, some_retval, verifybuf, 96 + msg_len, ed_pubkey, Bu)); }
public static void hash_to_point(ISha512 sha512provider, Ge_p3 p, byte[] iIn, int in_len) { byte[] hash = new byte[64]; int[] h = new int[10]; int[] u = new int[10]; byte sign_bit; Ge_p3 p3 = new Ge_p3(); sha512provider.calculateDigest(hash, iIn, in_len); /* take the high bit as Edwards sign bit */ sign_bit = (byte)(((uint)hash[31] & 0x80) >> 7); hash[31] &= 0x7F; Fe_frombytes.fe_frombytes(h, hash); elligator(u, h); Ge_montx_to_p3.ge_montx_to_p3(p3, u, sign_bit); Ge_scalarmult_cofactor.ge_scalarmult_cofactor(p, p3); }
public static int curve25519_verify(ISha512 sha512provider, byte[] signature, byte[] curve25519_pubkey, byte[] msg, int msg_len) { int[] u = new int[10]; int[] y = new int[10]; byte[] ed_pubkey = new byte[32]; byte[] verifybuf = new byte[msg_len + 64]; /* working buffer */ byte[] verifybuf2 = new byte[msg_len + 64]; /* working buffer #2 */ /* Convert the Curve25519 public key into an Ed25519 public key. In * particular, convert Curve25519's "montgomery" x-coordinate (u) into an * Ed25519 "edwards" y-coordinate: * * y = (u - 1) / (u + 1) * * NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp * * Then move the sign bit into the pubkey from the signature. */ Fe_frombytes.fe_frombytes(u, curve25519_pubkey); Fe_montx_to_edy.fe_montx_to_edy(y, u); Fe_tobytes.fe_tobytes(ed_pubkey, y); /* Copy the sign bit, and remove it from signature */ ed_pubkey[31] &= 0x7F; /* bit should be zero already, but just in case */ ed_pubkey[31] |= (byte)(signature[63] & 0x80); Array.Copy(signature, 0, verifybuf, 0, 64); verifybuf[63] &= 0x7F; Array.Copy(msg, 0, verifybuf, 64, (int)msg_len); /* Then perform a normal Ed25519 verification, return 0 on success */ /* The below call has a strange API: */ /* verifybuf = R || S || message */ /* verifybuf2 = java to next call gets a copy of verifybuf, S gets * replaced with pubkey for hashing, then the whole thing gets zeroized * (if bad sig), or contains a copy of msg (good sig) */ return(open_modified.crypto_sign_open_modified(sha512provider, verifybuf2, verifybuf, 64 + msg_len, ed_pubkey)); }
public static int xed25519_verify(ISha512 sha512provider, byte[] signature, byte[] curve25519_pubkey, byte[] msg, int msg_len) { int[] u = new int[10]; int[] y = new int[10]; byte[] ed_pubkey = new byte[32]; byte[] strict = new byte[32]; byte[] verifybuf = new byte[crypto_additions.MAX_MSG_LEN + 64]; /* working buffer */ byte[] verifybuf2 = new byte[crypto_additions.MAX_MSG_LEN + 64]; /* working buffer #2 */ if (msg_len > crypto_additions.MAX_MSG_LEN) { return(-1); } /* Convert the Curve25519 public key into an Ed25519 public key. * * y = (u - 1) / (u + 1) * * NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp */ Fe_frombytes.fe_frombytes(u, curve25519_pubkey); Fe_tobytes.fe_tobytes(strict, u); if (Crypto_verify_32.crypto_verify_32(strict, curve25519_pubkey) != 0) { return(0); } Fe_montx_to_edy.fe_montx_to_edy(y, u); Fe_tobytes.fe_tobytes(ed_pubkey, y); Array.Copy(signature, 0, verifybuf, 0, 64); Array.Copy(msg, 0, verifybuf, 64, msg_len); /* Then perform a normal Ed25519 verification, return 0 on success */ /* The below call has a strange API: */ /* verifybuf = R || S || message */ /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets * replaced with pubkey for hashing*/ return(open_modified.crypto_sign_open_modified(sha512provider, verifybuf2, verifybuf, 64 + msg_len, ed_pubkey)); }