├── .editorconfig ├── .gitattributes ├── .github └── workflows │ └── docker-publish.yml ├── .gitignore ├── COPYING.txt ├── GNUmakefile.in ├── OPTIMISATION.txt ├── README.md ├── autogen.sh ├── base16.h ├── base16_from.c ├── base16_to.c ├── base32.h ├── base32_from.c ├── base32_to.c ├── base64.h ├── base64_from.c ├── base64_to.c ├── calcest.c ├── common.h ├── configure.ac ├── contrib ├── docker │ ├── Dockerfile │ └── README.md ├── release-scripts │ ├── .gitignore │ ├── README.md │ ├── release.sh │ └── sign.sh └── vagrant │ └── Vagrantfile ├── cpucount.c ├── cpucount.h ├── ed25519 ├── amd64-51-30k │ ├── api.h │ ├── architectures │ ├── choose_t.S │ ├── compat.h │ ├── consts.S │ ├── crypto_hash_sha512.h │ ├── crypto_int32.h │ ├── crypto_int64.h │ ├── crypto_sign.h │ ├── crypto_uint32.h │ ├── crypto_uint64.h │ ├── crypto_verify_32.h │ ├── ed25519.h │ ├── fe25519.h │ ├── fe25519_add.c │ ├── fe25519_batchinvert.c │ ├── fe25519_freeze.S │ ├── fe25519_getparity.c │ ├── fe25519_invert.c │ ├── fe25519_iseq.c │ ├── fe25519_iszero.c │ ├── fe25519_mul.S │ ├── fe25519_neg.c │ ├── fe25519_nsquare.S │ ├── fe25519_pack.c │ ├── fe25519_pow2523.c │ ├── fe25519_setint.c │ ├── fe25519_square.S │ ├── fe25519_sub.c │ ├── fe25519_unpack.c │ ├── ge25519.h │ ├── ge25519_add.c │ ├── ge25519_add_p1p1.S │ ├── ge25519_base.c │ ├── ge25519_base_niels_smalltables.data │ ├── ge25519_base_slide_multiples.data │ ├── ge25519_batchpack.c │ ├── ge25519_dbl_p1p1.S │ ├── ge25519_double.c │ ├── ge25519_double_scalarmult.c │ ├── ge25519_isneutral.c │ ├── ge25519_multi_scalarmult.c │ ├── ge25519_nielsadd2.S │ ├── ge25519_nielsadd_p1p1.S │ ├── ge25519_p1p1_to_p2.S │ ├── ge25519_p1p1_to_p3.S │ ├── ge25519_p1p1_to_pniels.S │ ├── ge25519_pack.c │ ├── ge25519_pnielsadd_p1p1.S │ ├── ge25519_scalarmult_base.c │ ├── ge25519_unpackneg.c │ ├── heap_rootreplaced.S │ ├── heap_rootreplaced_1limb.S │ ├── heap_rootreplaced_2limbs.S │ ├── heap_rootreplaced_3limbs.S │ ├── hram.c │ ├── hram.h │ ├── implementors │ ├── index_heap.c │ ├── index_heap.h │ ├── keypair.c │ ├── open.c │ ├── randombytes.h │ ├── sc25519.h │ ├── sc25519_add.S │ ├── sc25519_barrett.S │ ├── sc25519_from32bytes.c │ ├── sc25519_from64bytes.c │ ├── sc25519_from_shortsc.c │ ├── sc25519_iszero.c │ ├── sc25519_lt.S │ ├── sc25519_mul.c │ ├── sc25519_mul_shortsc.c │ ├── sc25519_slide.c │ ├── sc25519_sub_nored.S │ ├── sc25519_to32bytes.c │ ├── sc25519_window4.c │ ├── sign.c │ └── ull4_mul.S ├── amd64-64-24k │ ├── api.h │ ├── architectures │ ├── choose_t.S │ ├── compat.h │ ├── consts.S │ ├── crypto_hash_sha512.h │ ├── crypto_int32.h │ ├── crypto_int64.h │ ├── crypto_sign.h │ ├── crypto_uint32.h │ ├── crypto_uint64.h │ ├── crypto_verify_32.h │ ├── ed25519.h │ ├── fe25519.h │ ├── fe25519_add.S │ ├── fe25519_batchinvert.c │ ├── fe25519_freeze.S │ ├── fe25519_getparity.c │ ├── fe25519_invert.c │ ├── fe25519_iseq.c │ ├── fe25519_iszero.c │ ├── fe25519_mul.S │ ├── fe25519_neg.c │ ├── fe25519_pack.c │ ├── fe25519_pow2523.c │ ├── fe25519_setint.c │ ├── fe25519_square.S │ ├── fe25519_sub.S │ ├── fe25519_unpack.c │ ├── ge25519.h │ ├── ge25519_add.c │ ├── ge25519_add_p1p1.S │ ├── ge25519_base.c │ ├── ge25519_base_niels.data │ ├── ge25519_base_niels_smalltables.data │ ├── ge25519_base_slide_multiples.data │ ├── ge25519_batchpack.c │ ├── ge25519_dbl_p1p1.S │ ├── ge25519_double.c │ ├── ge25519_double_scalarmult.c │ ├── ge25519_isneutral.c │ ├── ge25519_multi_scalarmult.c │ ├── ge25519_nielsadd2.S │ ├── ge25519_nielsadd_p1p1.S │ ├── ge25519_p1p1_to_p2.S │ ├── ge25519_p1p1_to_p3.S │ ├── ge25519_pack.c │ ├── ge25519_pnielsadd_p1p1.S │ ├── ge25519_scalarmult_base.c │ ├── ge25519_unpackneg.c │ ├── heap_rootreplaced.S │ ├── heap_rootreplaced_1limb.S │ ├── heap_rootreplaced_2limbs.S │ ├── heap_rootreplaced_3limbs.S │ ├── hram.c │ ├── hram.h │ ├── implementors │ ├── index_heap.c │ ├── index_heap.h │ ├── keypair.c │ ├── open.c │ ├── randombytes.h │ ├── sc25519.h │ ├── sc25519_add.S │ ├── sc25519_barrett.S │ ├── sc25519_from32bytes.c │ ├── sc25519_from64bytes.c │ ├── sc25519_from_shortsc.c │ ├── sc25519_iszero.c │ ├── sc25519_lt.S │ ├── sc25519_mul.c │ ├── sc25519_mul_shortsc.c │ ├── sc25519_slide.c │ ├── sc25519_sub_nored.S │ ├── sc25519_to32bytes.c │ ├── sc25519_window4.c │ ├── sign.c │ └── ull4_mul.S ├── ed25519-donna │ ├── README.md │ ├── curve25519-donna-32bit.h │ ├── curve25519-donna-64bit.h │ ├── curve25519-donna-helpers.h │ ├── curve25519-donna-sse2.h │ ├── ed25519-donna-32bit-sse2.h │ ├── ed25519-donna-32bit-tables.h │ ├── ed25519-donna-64bit-sse2.h │ ├── ed25519-donna-64bit-tables.h │ ├── ed25519-donna-64bit-x86-32bit.h │ ├── ed25519-donna-64bit-x86.h │ ├── ed25519-donna-basepoint-table.h │ ├── ed25519-donna-batchverify.h │ ├── ed25519-donna-impl-base.h │ ├── ed25519-donna-impl-sse2.h │ ├── ed25519-donna-portable-identify.h │ ├── ed25519-donna-portable.h │ ├── ed25519-donna.h │ ├── ed25519-hash-custom.h │ ├── ed25519-hash.h │ ├── ed25519-randombytes-custom.h │ ├── ed25519-randombytes.h │ ├── ed25519.c │ ├── ed25519.h │ ├── modm-donna-32bit.h │ ├── modm-donna-64bit.h │ ├── regression.h │ ├── test-internals.c │ ├── test-ticks.h │ └── test.c ├── ed25519.h ├── ed25519_impl_post.h ├── ed25519_impl_pre.h └── ref10 │ ├── Makefile │ ├── README │ ├── api.h │ ├── base.h │ ├── base.py │ ├── base2.h │ ├── base2.py │ ├── crypto_hash_sha512.h │ ├── crypto_int32.h │ ├── crypto_int64.h │ ├── crypto_sign.h │ ├── crypto_uint32.h │ ├── crypto_uint64.h │ ├── crypto_verify_32.h │ ├── d.h │ ├── d.py │ ├── d2.h │ ├── d2.py │ ├── ed25519.h │ ├── fe.h │ ├── fe_0.c │ ├── fe_1.c │ ├── fe_add.c │ ├── fe_batchinvert.c │ ├── fe_cmov.c │ ├── fe_copy.c │ ├── fe_frombytes.c │ ├── fe_invert.c │ ├── fe_isnegative.c │ ├── fe_isnonzero.c │ ├── fe_mul.c │ ├── fe_neg.c │ ├── fe_pow22523.c │ ├── fe_sq.c │ ├── fe_sq2.c │ ├── fe_sub.c │ ├── fe_tobytes.c │ ├── ge.h │ ├── ge_add.c │ ├── ge_add.h │ ├── ge_add.q │ ├── ge_double_scalarmult.c │ ├── ge_frombytes.c │ ├── ge_madd.c │ ├── ge_madd.h │ ├── ge_madd.q │ ├── ge_msub.c │ ├── ge_msub.h │ ├── ge_msub.q │ ├── ge_p1p1_to_p2.c │ ├── ge_p1p1_to_p3.c │ ├── ge_p2_0.c │ ├── ge_p2_dbl.c │ ├── ge_p2_dbl.h │ ├── ge_p2_dbl.q │ ├── ge_p3_0.c │ ├── ge_p3_batchtobytes.c │ ├── ge_p3_dbl.c │ ├── ge_p3_to_cached.c │ ├── ge_p3_to_p2.c │ ├── ge_p3_tobytes.c │ ├── ge_precomp_0.c │ ├── ge_scalarmult_base.c │ ├── ge_sub.c │ ├── ge_sub.h │ ├── ge_sub.q │ ├── ge_tobytes.c │ ├── keypair.c │ ├── open.c │ ├── pow22523.h │ ├── pow22523.q │ ├── pow225521.h │ ├── pow225521.q │ ├── q2h.sh │ ├── randombytes.h │ ├── sc.h │ ├── sc_muladd.c │ ├── sc_reduce.c │ ├── sign.c │ ├── sqrtm1.h │ └── sqrtm1.py ├── filters.h ├── filters_common.inc.h ├── filters_inc.inc.h ├── filters_main.inc.h ├── filters_worker.inc.h ├── hex.h ├── ifilter_bitsum.h ├── ioutil.c ├── ioutil.h ├── keccak.c ├── keccak.h ├── likely.h ├── main.c ├── test_base16.c ├── test_base32.c ├── test_base64.c ├── test_ed25519.c ├── testutil.h ├── types.h ├── vec.c ├── vec.h ├── worker.c ├── worker.h ├── worker_batch.inc.h ├── worker_batch_pass.inc.h ├── worker_impl.inc.h ├── yaml.c └── yaml.h /.editorconfig: -------------------------------------------------------------------------------- 1 | [*] 2 | charset = utf-8 3 | end_of_line = lf 4 | insert_final_newline = true 5 | trim_trailing_whitespace = true 6 | 7 | [*.{c,h}] 8 | indent_style = tab 9 | 10 | [{GNUmakefile.in,configure.ac}] 11 | indent_style = tab 12 | 13 | [ed25519/{ref10,amd64-51-30k,amd64-64-24k}/*.{c,h,py}] 14 | indent_style = space 15 | indent_size = 2 16 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.c linguist-language=C 2 | *.h linguist-language=C 3 | -------------------------------------------------------------------------------- /.github/workflows/docker-publish.yml: -------------------------------------------------------------------------------- 1 | name: Docker 2 | 3 | # This workflow uses actions that are not certified by GitHub. 4 | # They are provided by a third-party and are governed by 5 | # separate terms of service, privacy policy, and support 6 | # documentation. 7 | 8 | on: 9 | push: 10 | branches: [ "master" ] 11 | pull_request: 12 | branches: [ "master" ] 13 | 14 | env: 15 | # Use docker.io for Docker Hub if empty 16 | REGISTRY: ghcr.io 17 | # github.repository as / 18 | IMAGE_NAME: ${{ github.repository }} 19 | 20 | 21 | jobs: 22 | build: 23 | 24 | runs-on: ubuntu-latest 25 | permissions: 26 | contents: read 27 | packages: write 28 | # This is used to complete the identity challenge 29 | # with sigstore/fulcio when running outside of PRs. 30 | id-token: write 31 | 32 | steps: 33 | - name: Checkout repository 34 | uses: actions/checkout@v3 35 | 36 | # Install the cosign tool except on PR 37 | # https://github.com/sigstore/cosign-installer 38 | - name: Install cosign 39 | if: github.event_name != 'pull_request' 40 | uses: sigstore/cosign-installer@v3 41 | 42 | - name: Setup Docker buildx 43 | uses: docker/setup-buildx-action@v2 44 | 45 | # Login against a Docker registry except on PR 46 | # https://github.com/docker/login-action 47 | - name: Log into registry ${{ env.REGISTRY }} 48 | if: github.event_name != 'pull_request' 49 | uses: docker/login-action@v2 50 | with: 51 | registry: ${{ env.REGISTRY }} 52 | username: ${{ github.actor }} 53 | password: ${{ secrets.GITHUB_TOKEN }} 54 | 55 | # Extract metadata (tags, labels) for Docker 56 | # https://github.com/docker/metadata-action 57 | - name: Extract Docker metadata 58 | id: meta 59 | uses: docker/metadata-action@v4 60 | with: 61 | images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} 62 | 63 | # Build and push Docker image with Buildx (don't push on PR) 64 | # https://github.com/docker/build-push-action 65 | - name: Build and push Docker image 66 | id: build-and-push 67 | uses: docker/build-push-action@v4 68 | with: 69 | file: ./contrib/docker/Dockerfile 70 | push: ${{ github.event_name != 'pull_request' }} 71 | tags: ${{ steps.meta.outputs.tags }} 72 | labels: ${{ steps.meta.outputs.labels }} 73 | cache-from: type=gha 74 | cache-to: type=gha,mode=max 75 | 76 | # Sign the resulting Docker image digest except on PRs. 77 | # This will only write to the public Rekor transparency log when the Docker 78 | # repository is public to avoid leaking data. If you would like to publish 79 | # transparency data even for private images, pass --force to cosign below. 80 | # https://github.com/sigstore/cosign 81 | - name: Sign the published Docker image 82 | if: ${{ github.event_name != 'pull_request' }} 83 | # This step uses the identity token to provision an ephemeral certificate 84 | # against the sigstore community Fulcio instance. 85 | run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }} 86 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # output files 2 | mkp224o 3 | calcest 4 | test_* 5 | *.o 6 | 7 | # generated onions 8 | *.onion 9 | 10 | # garbage 11 | configure 12 | configure~ 13 | GNUmakefile 14 | GNUmakefile.in.bak 15 | config.status 16 | config.log 17 | *.cache 18 | -------------------------------------------------------------------------------- /autogen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | exec autoconf -f 3 | -------------------------------------------------------------------------------- /base16.h: -------------------------------------------------------------------------------- 1 | // converts src[0:slen] to base16 string 2 | char *base16_to(char *dst,const u8 *src,size_t slen); 3 | // calculates length needed to store data converted to base16 4 | #define BASE16_TO_LEN(l) (((l) * 8 + 3) / 4) 5 | // converts src string from base16 6 | size_t base16_from(u8 *dst,u8 *dmask,const char *src); 7 | // calculates length needed to store data converted from base16 8 | #define BASE16_FROM_LEN(l) (((l) * 4 + 7) / 8) 9 | // validates base16 string and optionally stores length of valid data 10 | // returns 1 if whole string is good, 0 if string contains invalid data 11 | int base16_valid(const char *src,size_t *count); 12 | -------------------------------------------------------------------------------- /base16_from.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "types.h" 4 | #include "base16.h" 5 | 6 | static const u8 base16f[256] = { 7 | //00 01 02 03 04 05 06 07 8 | //08 09 0A 0B 0C 0D 0E 0F 9 | // 0x00..0x3F 10 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x00 11 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x08 12 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x10 13 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x18 14 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x20 15 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x28 16 | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 0x30 17 | 0x08, 0x09, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x38 18 | // 0x40..0x7F 19 | 0xFF, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0xFF, // 0x40 20 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x48 21 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x50 22 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x58 23 | 0xFF, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0xFF, // 0x60 24 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x68 25 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x70 26 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 0x78 27 | // 0x80..0xBF 28 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 29 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 30 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 31 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 32 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 33 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 34 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 35 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 36 | // 0xC0..0xFF 37 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 38 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 39 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 40 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 41 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 42 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 43 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 44 | 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 45 | }; 46 | 47 | size_t base16_from(u8 *dst,u8 *dmask,const char *src) 48 | { 49 | size_t i, j, k = (size_t)-1, l, sk = 0; 50 | u8 mask = 0, cmask = 0; 51 | for (i = 0;;i += 4) { 52 | j = i/4; 53 | if (!src[j]) { 54 | if (k != (size_t)-1) 55 | dst[k] &= cmask; 56 | if (dmask) 57 | *dmask = cmask; 58 | return k + 1; 59 | } 60 | l = i%8; 61 | k = i/8; 62 | if (k != sk) 63 | cmask = 0; 64 | sk = k; 65 | mask = (0x0F << 4) >> l; 66 | cmask |= mask; 67 | dst[k] &= ~mask; 68 | dst[k] |= (base16f[(u8)src[j]] << 4) >> l; 69 | } 70 | } 71 | 72 | int base16_valid(const char *src,size_t *count) 73 | { 74 | const char *p; 75 | 76 | for (p = src;base16f[(u8)*p] != 0xFF;++p) 77 | ; 78 | 79 | if (count) 80 | *count = (size_t) (p - src); 81 | return !*p; 82 | } 83 | -------------------------------------------------------------------------------- /base16_to.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "types.h" 4 | #include "base16.h" 5 | 6 | static const char base16t[16] = { 7 | '0', '1', '2', '3', 8 | '4', '5', '6', '7', 9 | '8', '9', 'A', 'B', 10 | 'C', 'D', 'E', 'F', 11 | }; 12 | 13 | char *base16_to(char *dst, const u8 *src, size_t slen) 14 | { 15 | for (size_t i = 0; i < slen; ++i) { 16 | *dst++ = base16t[src[i] >> 4]; 17 | *dst++ = base16t[src[i] & 15]; 18 | } 19 | *dst = 0; 20 | return dst; 21 | } 22 | -------------------------------------------------------------------------------- /base32.h: -------------------------------------------------------------------------------- 1 | // converts src[0:slen] to base32 string 2 | char *base32_to(char *dst,const u8 *src,size_t slen); 3 | // calculates length needed to store data converted to base32 4 | #define BASE32_TO_LEN(l) (((l) * 8 + 4) / 5) 5 | // converts src string from base32 6 | size_t base32_from(u8 *dst,u8 *dmask,const char *src); 7 | // calculates length needed to store data converted from base32 8 | #define BASE32_FROM_LEN(l) (((l) * 5 + 7) / 8) 9 | // validates base32 string and optionally stores length of valid data 10 | // returns 1 if whole string is good, 0 if string contains invalid data 11 | int base32_valid(const char *src,size_t *count); 12 | -------------------------------------------------------------------------------- /base32_to.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "types.h" 4 | #include "base32.h" 5 | 6 | static const char base32t[32] = { 7 | 'a', 'b', 'c', 'd', // 0 8 | 'e', 'f', 'g', 'h', // 1 9 | 'i', 'j', 'k', 'l', // 2 10 | 'm', 'n', 'o', 'p', // 3 11 | 'q', 'r', 's', 't', // 4 12 | 'u', 'v', 'w', 'x', // 5 13 | 'y', 'z', '2', '3', // 6 14 | '4', '5', '6', '7', // 7 15 | }; 16 | /* 17 | +--first octet--+-second octet--+--third octet--+--forth octet--+--fifth octet--+ 18 | |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0| 19 | +---------+-----+---+---------+-+-------+-------+-+---------+---+-----+---------+ 20 | |4 3 2 1 0|4 3 2 1 0|4 3 2 1 0|4 3 2 1 0|4 3 2 1 0|4 3 2 1 0|4 3 2 1 0|4 3 2 1 0| 21 | +-1.index-+-2.index-+-3.index-+-4.index-+-5.index-+-6.index-+-7.index-+-8.index-+ 22 | */ 23 | // masks: 24 | // 0xFF 0x7F 0x3F 0x1F 0x0F 0x07 0x03 0x01 25 | // 255 127 63 31 15 7 3 1 26 | char *base32_to(char *dst,const u8 *src,size_t slen) 27 | { 28 | //printf("slen = %d\n", slen); 29 | //printhex(base32t, 32); 30 | //printhex(base32f, 256); 31 | // base32 eats in 5bit pieces; 32 | // closest we can provide is 40, which is 5 bytes 33 | size_t i; 34 | for (i = 0; i + 4 < slen; i += 5) { 35 | //printf("ei!\n"); 36 | //char *od = dst; 37 | *dst++ = base32t[src[i+0] >> 3]; 38 | *dst++ = base32t[((src[i+0] & 7) << 2) | (src[i+1] >> 6)]; 39 | *dst++ = base32t[(src[i+1] >> 1) & 31]; 40 | *dst++ = base32t[((src[i+1] & 1) << 4) | (src[i+2] >> 4)]; 41 | *dst++ = base32t[((src[i+2] & 15) << 1) | (src[i+3] >> 7)]; 42 | *dst++ = base32t[((src[i+3]) >> 2) & 31]; 43 | *dst++ = base32t[((src[i+3] & 3) << 3) | (src[i+4] >> 5)]; 44 | *dst++ = base32t[src[i+4] & 31]; 45 | //printhex(od, 8); 46 | } 47 | //char *od = dst; 48 | if (i < slen) { 49 | //printf("oi!0\n"); 50 | *dst++ = base32t[src[i+0] >> 3]; 51 | if (i + 1 < slen) { 52 | //printf("oi!1\n"); 53 | *dst++ = base32t[((src[i+0] & 7) << 2) | (src[i+1] >> 6)]; 54 | *dst++ = base32t[(src[i+1] >> 1) & 31]; 55 | if (i + 2 < slen) { 56 | //printf("oi!2\n"); 57 | *dst++ = base32t[((src[i+1] & 1) << 4) | (src[i+2] >> 4)]; 58 | if (i + 3 < slen) { 59 | //printf("oi!3\n"); 60 | *dst++ = base32t[((src[i+2] & 15) << 1) | (src[i+3] >> 7)]; 61 | *dst++ = base32t[(src[i+3] >> 2) & 31]; 62 | *dst++ = base32t[(src[i+3] & 3) << 3]; 63 | } 64 | else { 65 | *dst++ = base32t[(src[i+2] & 15) << 1]; 66 | } 67 | } 68 | else 69 | *dst++ = base32t[(src[i+1] & 1) << 4]; 70 | } 71 | else 72 | *dst++ = base32t[(src[i+0] & 7) << 2]; 73 | } 74 | //printhex(od, dst-od); 75 | *dst = 0; 76 | return dst; 77 | } 78 | -------------------------------------------------------------------------------- /base64.h: -------------------------------------------------------------------------------- 1 | // converts src[0:slen] to base64 string 2 | char *base64_to(char *dst,const u8 *src,size_t slen); 3 | // calculates length needed to store data converted to base64 4 | #define BASE64_TO_LEN(l) ((((l) + 2) / 3) * 4) 5 | // converts src string from base64 6 | size_t base64_from(u8 *dst,const char *src,size_t slen); 7 | // calculates length needed to store data converted from base64 8 | #define BASE64_FROM_LEN(l) ((l) / 4 * 3) 9 | // validates base64 string and optionally stores length of valid data 10 | // returns 1 if whole string is good, 0 if string contains invalid data 11 | int base64_valid(const char *src,size_t *count); 12 | // aligns data length to something base64 can represent without padding 13 | #define BASE64_DATA_ALIGN(l) ((((l) + 2) / 3) * 3) 14 | -------------------------------------------------------------------------------- /base64_to.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "types.h" 4 | #include "base64.h" 5 | 6 | static const char base64t[64] = { 7 | 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 8 | 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 9 | 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 10 | 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 11 | 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 12 | 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 13 | 'w', 'x', 'y', 'z', '0', '1', '2', '3', 14 | '4', '5', '6', '7', '8', '9', '+', '/', 15 | }; 16 | 17 | char *base64_to(char *dst,const u8 *src,size_t slen) 18 | { 19 | if (!slen) { 20 | *dst = '\0'; 21 | return dst; 22 | } 23 | 24 | for(size_t i = 0; i < slen;) { 25 | u32 threebytes = 0; 26 | threebytes |= (i < slen ? (unsigned char)src[i++] : (unsigned char)0) << (2 * 8); 27 | threebytes |= (i < slen ? (unsigned char)src[i++] : (unsigned char)0) << (1 * 8); 28 | threebytes |= (i < slen ? (unsigned char)src[i++] : (unsigned char)0) << (0 * 8); 29 | 30 | *dst++ = base64t[(threebytes >> (3 * 6)) & 63]; 31 | *dst++ = base64t[(threebytes >> (2 * 6)) & 63]; 32 | *dst++ = base64t[(threebytes >> (1 * 6)) & 63]; 33 | *dst++ = base64t[(threebytes >> (0 * 6)) & 63]; 34 | } 35 | 36 | switch (slen % 3) { 37 | case 0 : break; 38 | case 1 : { 39 | *(dst-2) = '='; 40 | *(dst-1) = '='; 41 | break; 42 | } 43 | case 2 : { 44 | *(dst-1) = '='; 45 | break; 46 | } 47 | } 48 | 49 | *dst = '\0'; 50 | return dst; 51 | } 52 | -------------------------------------------------------------------------------- /calcest.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | /* 6 | * as per scribblemaniac's explanation: 7 | * t - number of trials 8 | * n - character count 9 | * p - probability 10 | * condition: >=1 matches 11 | * formula: t = log(1-p)/log(1-1/32^n) 12 | * comes from: 13 | * distribution X~Binomial(t, 1/32^n) 14 | * P(X>=1)=p 15 | */ 16 | 17 | const double probs[] = { 0.5, 0.8, 0.9, 0.95, 0.99 }; 18 | const int charcounts[] = { 2, 3, 4, 5, 6, 7, 8, 9, 10 }; 19 | 20 | int main(int argc,char **argv) 21 | { 22 | // TODO 23 | (void) argc; 24 | (void) argv; 25 | 26 | printf(" |"); 27 | for (size_t i = 0; i < sizeof(probs)/sizeof(probs[0]); ++i) { 28 | printf(" %15d%% |",(int)((probs[i]*100)+0.5)); 29 | } 30 | printf("\n"); 31 | 32 | printf("---+"); 33 | for (size_t i = 0; i < sizeof(probs)/sizeof(probs[0]); ++i) { 34 | printf("------------------+"); 35 | } 36 | printf("\n"); 37 | 38 | for (size_t i = 0; i < sizeof(charcounts)/sizeof(charcounts[0]); ++i) { 39 | printf("%2d |",charcounts[i]); 40 | for (size_t j = 0; j < sizeof(probs)/sizeof(probs[0]); ++j) { 41 | double t = log2(1 - probs[j]) / log2(1 - (1 / pow(32,charcounts[i]))); 42 | printf(" %16.0f |",t); 43 | } 44 | printf("\n"); 45 | } 46 | 47 | return 0; 48 | } 49 | -------------------------------------------------------------------------------- /common.h: -------------------------------------------------------------------------------- 1 | #define SECRET_LEN 64 2 | #define PUBLIC_LEN 32 3 | #define SEED_LEN 32 4 | // with checksum + version num 5 | #define PUBONION_LEN (PUBLIC_LEN + 3) 6 | 7 | #define PKPREFIX_SIZE (29 + 3) 8 | #define SKPREFIX_SIZE (29 + 3) 9 | 10 | extern const char * const pkprefix; 11 | extern const char * const skprefix; 12 | 13 | #define FORMATTED_PUBLIC_LEN (PKPREFIX_SIZE + PUBLIC_LEN) 14 | #define FORMATTED_SECRET_LEN (SKPREFIX_SIZE + SECRET_LEN) 15 | 16 | // full onion address, WITHOUT newline or terminating nil char 17 | #define ONION_LEN 62 18 | 19 | extern pthread_mutex_t fout_mutex; 20 | extern FILE *fout; 21 | 22 | extern size_t onionendpos; // end of .onion within string 23 | extern size_t direndpos; // end of dir before .onion within string 24 | extern size_t printstartpos; // where to start printing from 25 | extern size_t printlen; // precalculated, related to printstartpos 26 | -------------------------------------------------------------------------------- /contrib/docker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:latest AS builder 2 | RUN apk add --no-cache gcc libc-dev libsodium-dev libsodium-static make autoconf git 3 | WORKDIR /app 4 | COPY . . 5 | RUN ./autogen.sh 6 | RUN ./configure --enable-amd64-51-30k CFLAGS="-O3 -march=x86-64 -mtune=generic -fomit-frame-pointer" LDFLAGS="-static" 7 | RUN make 8 | RUN strip mkp224o 9 | 10 | FROM scratch 11 | WORKDIR /app 12 | COPY --from=builder /app/mkp224o . 13 | 14 | ENTRYPOINT ["./mkp224o"] 15 | -------------------------------------------------------------------------------- /contrib/docker/README.md: -------------------------------------------------------------------------------- 1 | # Usage 2 | 3 | ## Building Image Locally 4 | `docker build -f contrib/docker/Dockerfile -t mkp224o .` 5 | 6 | ## Running Image Locally 7 | `docker run -it -v $(pwd):/root/data mkp224o neko` 8 | -------------------------------------------------------------------------------- /contrib/release-scripts/.gitignore: -------------------------------------------------------------------------------- 1 | /build 2 | /out 3 | -------------------------------------------------------------------------------- /contrib/release-scripts/README.md: -------------------------------------------------------------------------------- 1 | packages that work on archlinux: 2 | wine-wow64 mingw-w64-toolchain mingw-w64-ldd mingw-w64-pcre2 mingw-w64-libsodium zip zopfli 3 | -------------------------------------------------------------------------------- /contrib/release-scripts/release.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -eux 3 | 4 | V=$1 5 | 6 | D=$(realpath "$0") 7 | D=$(dirname "$D") 8 | cd "$D" 9 | 10 | export TZ=UTC 11 | 12 | mkdir -p build 13 | 14 | export WINEARCH=win64 15 | export WINEPREFIX=$(realpath ./build/winepfx) 16 | OPATH=$PATH 17 | 18 | rm -rf out 19 | mkdir -p out 20 | 21 | # prepare source 22 | SV=mkp224o-$V 23 | SO=$(realpath ./out/$SV) 24 | git clone ../../ "$SO" 25 | git -C ../../ diff | git -C "$SO" apply --allow-empty 26 | cd "$SO" 27 | rm -rf .git 28 | ./autogen.sh 29 | rm -rf *.cache 30 | echo v$V > version.txt 31 | cd ../.. 32 | 33 | # build windows bins 34 | B=$(realpath ./build) 35 | for w in x86_64 i686 36 | do 37 | cd "$B" 38 | rm -rf $w 39 | mkdir $w 40 | cd $w 41 | p=$w-w64-mingw32 42 | 43 | case $w in 44 | i686) 45 | CFLAGS="-march=i686 -mtune=generic" 46 | W=32 47 | ;; 48 | x86_64) 49 | CFLAGS="-march=x86-64 -mtune=generic" 50 | W=64 51 | ;; 52 | esac 53 | CFLAGS="-O3 $CFLAGS -fomit-frame-pointer" 54 | 55 | export PATH=/usr/$p/bin:$OPATH 56 | ../../out/$SV/configure --enable-regex --enable-donna --with-pcre2="/usr/$p/bin/pcre2-config" CC="${p}-gcc" CFLAGS="$CFLAGS" 57 | make main util 58 | $p-strip mkp224o.exe 59 | $p-strip calcest.exe 60 | cd .. 61 | 62 | BO="$SO-w$W" 63 | mkdir -p "$BO" 64 | cp $w/mkp224o.exe "$BO/" 65 | cp $w/calcest.exe "$BO/" 66 | cd "$BO" 67 | $p-ldd mkp224o.exe | grep -v 'not found' | awk '{print $3}' | xargs -r cp -v -t ./ 68 | done 69 | export PATH=$OPATH 70 | 71 | # compress stuff 72 | cd "$D/out" 73 | 74 | tar --portability --no-acls --no-selinux --no-xattrs --owner root:0 --group=root:0 --sort=name -c -f $SV-src.tar $SV 75 | zopfli -i100 -c $SV-src.tar > $SV-src.tar.gz 76 | zstd -19 -f $SV-src.tar -o $SV-src.tar.zst 77 | rm $SV-src.tar 78 | 79 | zip -9 -X -r $SV-w32.zip $SV-w32 80 | zip -9 -X -r $SV-w64.zip $SV-w64 81 | -------------------------------------------------------------------------------- /contrib/release-scripts/sign.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | if [ x"$1" = x ] 4 | then 5 | echo "Usage: $0 key-id" >&2 6 | exit 1 7 | fi 8 | 9 | D=$(realpath "$0") 10 | D=$(dirname "$D") 11 | cd "$D" 12 | 13 | export TZ=UTC 14 | 15 | cd out 16 | 17 | gpg --detach-sign -u "$1" mkp224o-*-src.tar.gz 18 | gpg --detach-sign -u "$1" mkp224o-*-src.tar.zst 19 | gpg --detach-sign -u "$1" mkp224o-*-w32.zip 20 | gpg --detach-sign -u "$1" mkp224o-*-w64.zip 21 | -------------------------------------------------------------------------------- /contrib/vagrant/Vagrantfile: -------------------------------------------------------------------------------- 1 | 2 | # set this to choose the starting prefix of the onion name 3 | filter = "prefix" 4 | 5 | Vagrant.configure("2") do |config| 6 | config.vm.box = "debian/bullseye64" 7 | config.vm.provider :libvirt do |libvirt| 8 | libvirt.cpus = 2 9 | end 10 | config.vm.synced_folder '.', '/vagrant', disabled: true 11 | config.vm.provision :shell, inline: <<-SHELL 12 | set -ex 13 | 14 | sed -i s,http:,https:, /etc/apt/sources.list 15 | apt-get update 16 | apt-get -qy dist-upgrade 17 | apt-get -qy install --no-install-recommends git gcc libc-dev libsodium-dev make autoconf htop screen 18 | SHELL 19 | 20 | config.vm.provision :shell, privileged: false, inline: <<-SHELL 21 | git clone https://github.com/cathugger/mkp224o.git /home/vagrant/mkp224o 22 | SHELL 23 | 24 | # disable internet access 25 | config.vm.provision "shell", 26 | run: "always", 27 | inline: "ip route del default || true" 28 | 29 | # disable root 30 | config.vm.provision "shell", inline: "passwd --lock root" 31 | config.vm.provision "shell", inline: "SUDO_FORCE_REMOVE=yes dpkg --purge sudo" 32 | 33 | config.vm.provision :shell, privileged: false, inline: <<-SHELL 34 | set -ex 35 | 36 | cd mkp224o 37 | ./autogen.sh 38 | ./configure 39 | make 40 | ./mkp224o -h 41 | 42 | mkdir ~/#{filter} 43 | cd ~/#{filter} 44 | screen -d -m -L -Logfile #{filter}.log -S run-#{filter} nice ~/mkp224o/mkp224o -S 300 #{filter} 45 | SHELL 46 | end 47 | -------------------------------------------------------------------------------- /cpucount.h: -------------------------------------------------------------------------------- 1 | int cpucount(void); 2 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/api.h: -------------------------------------------------------------------------------- 1 | #define CRYPTO_SECRETKEYBYTES 64 2 | #define CRYPTO_PUBLICKEYBYTES 32 3 | #define CRYPTO_BYTES 64 4 | #define CRYPTO_DETERMINISTIC 1 5 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/architectures: -------------------------------------------------------------------------------- 1 | amd64 2 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/compat.h: -------------------------------------------------------------------------------- 1 | #ifndef COMPAT_H 2 | #define COMPAT_H 3 | 4 | #if defined(_WIN32) && defined(__GNUC__) 5 | #define SYSVABI __attribute__((sysv_abi)) 6 | #else 7 | #define SYSVABI 8 | #endif 9 | 10 | #endif 11 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/consts.S: -------------------------------------------------------------------------------- 1 | #ifndef __APPLE__ 2 | .section .rodata 3 | #else 4 | .const 5 | #endif 6 | 7 | .globl CRYPTO_NAMESPACE(batch_REDMASK51) 8 | .globl CRYPTO_NAMESPACE(batch_121666_213) 9 | .globl CRYPTO_NAMESPACE(batch_2P0) 10 | .globl CRYPTO_NAMESPACE(batch_2P1234) 11 | .globl CRYPTO_NAMESPACE(batch_4P0) 12 | .globl CRYPTO_NAMESPACE(batch_4P1234) 13 | .globl CRYPTO_NAMESPACE(batch_MU0) 14 | .globl CRYPTO_NAMESPACE(batch_MU1) 15 | .globl CRYPTO_NAMESPACE(batch_MU2) 16 | .globl CRYPTO_NAMESPACE(batch_MU3) 17 | .globl CRYPTO_NAMESPACE(batch_MU4) 18 | .globl CRYPTO_NAMESPACE(batch_ORDER0) 19 | .globl CRYPTO_NAMESPACE(batch_ORDER1) 20 | .globl CRYPTO_NAMESPACE(batch_ORDER2) 21 | .globl CRYPTO_NAMESPACE(batch_ORDER3) 22 | .globl CRYPTO_NAMESPACE(batch_EC2D0) 23 | .globl CRYPTO_NAMESPACE(batch_EC2D1) 24 | .globl CRYPTO_NAMESPACE(batch_EC2D2) 25 | .globl CRYPTO_NAMESPACE(batch_EC2D3) 26 | .globl CRYPTO_NAMESPACE(batch_EC2D4) 27 | .globl CRYPTO_NAMESPACE(batch__38) 28 | 29 | .p2align 4 30 | 31 | CRYPTO_NAMESPACE(batch_REDMASK51): .quad 0x0007FFFFFFFFFFFF 32 | CRYPTO_NAMESPACE(batch_121666_213): .quad 996687872 33 | CRYPTO_NAMESPACE(batch_2P0): .quad 0xFFFFFFFFFFFDA 34 | CRYPTO_NAMESPACE(batch_2P1234): .quad 0xFFFFFFFFFFFFE 35 | CRYPTO_NAMESPACE(batch_4P0): .quad 0x1FFFFFFFFFFFB4 36 | CRYPTO_NAMESPACE(batch_4P1234): .quad 0x1FFFFFFFFFFFFC 37 | CRYPTO_NAMESPACE(batch_MU0): .quad 0xED9CE5A30A2C131B 38 | CRYPTO_NAMESPACE(batch_MU1): .quad 0x2106215D086329A7 39 | CRYPTO_NAMESPACE(batch_MU2): .quad 0xFFFFFFFFFFFFFFEB 40 | CRYPTO_NAMESPACE(batch_MU3): .quad 0xFFFFFFFFFFFFFFFF 41 | CRYPTO_NAMESPACE(batch_MU4): .quad 0x000000000000000F 42 | CRYPTO_NAMESPACE(batch_ORDER0): .quad 0x5812631A5CF5D3ED 43 | CRYPTO_NAMESPACE(batch_ORDER1): .quad 0x14DEF9DEA2F79CD6 44 | CRYPTO_NAMESPACE(batch_ORDER2): .quad 0x0000000000000000 45 | CRYPTO_NAMESPACE(batch_ORDER3): .quad 0x1000000000000000 46 | CRYPTO_NAMESPACE(batch_EC2D0): .quad 1859910466990425 47 | CRYPTO_NAMESPACE(batch_EC2D1): .quad 932731440258426 48 | CRYPTO_NAMESPACE(batch_EC2D2): .quad 1072319116312658 49 | CRYPTO_NAMESPACE(batch_EC2D3): .quad 1815898335770999 50 | CRYPTO_NAMESPACE(batch_EC2D4): .quad 633789495995903 51 | CRYPTO_NAMESPACE(batch__38): .quad 38 52 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/crypto_hash_sha512.h: -------------------------------------------------------------------------------- 1 | #include 2 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/crypto_int32.h: -------------------------------------------------------------------------------- 1 | #include 2 | #define crypto_int32 int32_t 3 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/crypto_int64.h: -------------------------------------------------------------------------------- 1 | #include 2 | #define crypto_int64 int64_t 3 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/crypto_sign.h: -------------------------------------------------------------------------------- 1 | #define crypto_sign CRYPTO_NAMESPACE(sign) 2 | #define crypto_sign_keypair CRYPTO_NAMESPACE(keygen) 3 | #define crypto_sign_seckey CRYPTO_NAMESPACE(seckey) 4 | #define crypto_sign_seckey_expand CRYPTO_NAMESPACE(seckey_expand) 5 | #define crypto_sign_pubkey CRYPTO_NAMESPACE(pubkey) 6 | #define crypto_sign_open CRYPTO_NAMESPACE(open) 7 | #define crypto_sign_open_batch CRYPTO_NAMESPACE(open_batch) 8 | 9 | #include "ed25519.h" 10 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/crypto_uint32.h: -------------------------------------------------------------------------------- 1 | #include 2 | #define crypto_uint32 uint32_t 3 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/crypto_uint64.h: -------------------------------------------------------------------------------- 1 | #include 2 | #define crypto_uint64 uint64_t 3 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/crypto_verify_32.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define crypto_verify_32(a,b) \ 4 | (!sodium_memcmp((a), (b), 32)) 5 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/ed25519.h: -------------------------------------------------------------------------------- 1 | int crypto_sign_seckey(unsigned char *sk); 2 | int crypto_sign_seckey_expand(unsigned char *sk,const unsigned char *seed); 3 | int crypto_sign_pubkey(unsigned char *pk,const unsigned char *sk); 4 | int crypto_sign_keypair(unsigned char *pk,unsigned char *sk); 5 | int crypto_sign( 6 | unsigned char *sm,unsigned long long *smlen, 7 | const unsigned char *m,unsigned long long mlen, 8 | const unsigned char *sk 9 | ); 10 | int crypto_sign_open( 11 | unsigned char *m,unsigned long long *mlen, 12 | const unsigned char *sm,unsigned long long smlen, 13 | const unsigned char *pk 14 | ); 15 | int crypto_sign_open_batch( 16 | unsigned char* const m[],unsigned long long mlen[], 17 | unsigned char* const sm[],const unsigned long long smlen[], 18 | unsigned char* const pk[], 19 | unsigned long long num 20 | ); 21 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519.h: -------------------------------------------------------------------------------- 1 | #ifndef FE25519_H 2 | #define FE25519_H 3 | 4 | #include 5 | #include "compat.h" 6 | 7 | #define fe25519 CRYPTO_NAMESPACE(batch_fe25519) 8 | #define fe25519_freeze CRYPTO_NAMESPACE(batch_fe25519_freeze) 9 | #define fe25519_unpack CRYPTO_NAMESPACE(batch_fe25519_unpack) 10 | #define fe25519_pack CRYPTO_NAMESPACE(batch_fe25519_pack) 11 | #define fe25519_iszero_vartime CRYPTO_NAMESPACE(batch_fe25519_iszero_vartime) 12 | #define fe25519_iseq_vartime CRYPTO_NAMESPACE(batch_fe25519_iseq_vartime) 13 | #define fe25519_cmov CRYPTO_NAMESPACE(batch_fe25519_cmov) 14 | #define fe25519_setint CRYPTO_NAMESPACE(batch_fe25519_setint) 15 | #define fe25519_neg CRYPTO_NAMESPACE(batch_fe25519_neg) 16 | #define fe25519_getparity CRYPTO_NAMESPACE(batch_fe25519_getparity) 17 | #define fe25519_add CRYPTO_NAMESPACE(batch_fe25519_add) 18 | #define fe25519_sub CRYPTO_NAMESPACE(batch_fe25519_sub) 19 | #define fe25519_mul CRYPTO_NAMESPACE(batch_fe25519_mul) 20 | #define fe25519_square CRYPTO_NAMESPACE(batch_fe25519_square) 21 | #define fe25519_nsquare CRYPTO_NAMESPACE(batch_fe25519_nsquare) 22 | #define fe25519_invert CRYPTO_NAMESPACE(batch_fe25519_invert) 23 | #define fe25519_batchinvert CRYPTO_NAMESPACE(batch_fe25519_batchinvert) 24 | #define fe25519_pow2523 CRYPTO_NAMESPACE(batch_fe25519_pow2523) 25 | 26 | typedef struct 27 | { 28 | unsigned long long v[5]; 29 | } 30 | fe25519; 31 | 32 | void fe25519_freeze(fe25519 *r) SYSVABI; 33 | 34 | void fe25519_unpack(fe25519 *r, const unsigned char x[32]); 35 | 36 | void fe25519_pack(unsigned char r[32], const fe25519 *x); 37 | 38 | void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b); 39 | 40 | void fe25519_cswap(fe25519 *r, fe25519 *x, unsigned char b); 41 | 42 | void fe25519_setint(fe25519 *r, unsigned int v); 43 | 44 | void fe25519_neg(fe25519 *r, const fe25519 *x); 45 | 46 | unsigned char fe25519_getparity(const fe25519 *x); 47 | 48 | int fe25519_iszero_vartime(const fe25519 *x); 49 | 50 | int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y); 51 | 52 | void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y); 53 | 54 | void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y); 55 | 56 | void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y) SYSVABI; 57 | 58 | void fe25519_square(fe25519 *r, const fe25519 *x) SYSVABI; 59 | 60 | void fe25519_nsquare(fe25519 *r, unsigned long long n) SYSVABI; 61 | 62 | void fe25519_invert(fe25519 *r, const fe25519 *x); 63 | 64 | void fe25519_batchinvert(fe25519 *out, const fe25519 *in, fe25519 *tmp, size_t num, size_t offset); 65 | 66 | void fe25519_pow2523(fe25519 *r, const fe25519 *x); 67 | 68 | #endif 69 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519_add.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y) 4 | { 5 | r->v[0] = x->v[0] + y->v[0]; 6 | r->v[1] = x->v[1] + y->v[1]; 7 | r->v[2] = x->v[2] + y->v[2]; 8 | r->v[3] = x->v[3] + y->v[3]; 9 | r->v[4] = x->v[4] + y->v[4]; 10 | } 11 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519_batchinvert.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | // tmp MUST != out or in 4 | // in MAY == out 5 | void fe25519_batchinvert(fe25519 *out, const fe25519 *in, fe25519 *tmp, size_t num, size_t offset) 6 | { 7 | fe25519 acc; 8 | fe25519 tmpacc; 9 | size_t i; 10 | const fe25519 *inp; 11 | fe25519 *outp; 12 | 13 | fe25519_setint(&acc,1); 14 | 15 | inp = in; 16 | for (i = 0;i < num;++i) { 17 | tmp[i] = acc; 18 | fe25519_mul(&acc,&acc,inp); 19 | inp = (const fe25519 *)((const char *)inp + offset); 20 | } 21 | 22 | fe25519_invert(&acc,&acc); 23 | 24 | i = num; 25 | inp = (const fe25519 *)((const char *)in + offset * num); 26 | outp = (fe25519 *)((char *)out + offset * num); 27 | while (i--) { 28 | inp = (const fe25519 *)((const char *)inp - offset); 29 | outp = (fe25519 *)((char *)outp - offset); 30 | fe25519_mul(&tmpacc,&acc,inp); 31 | fe25519_mul(outp,&acc,&tmp[i]); 32 | acc = tmpacc; 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519_getparity.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | unsigned char fe25519_getparity(const fe25519 *x) 4 | { 5 | fe25519 t = *x; 6 | fe25519_freeze(&t); 7 | return (unsigned char)t.v[0] & 1; 8 | } 9 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519_invert.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | void fe25519_invert(fe25519 *r, const fe25519 *x) 4 | { 5 | fe25519 z2; 6 | fe25519 z9; 7 | fe25519 z11; 8 | fe25519 z2_5_0; 9 | fe25519 z2_10_0; 10 | fe25519 z2_20_0; 11 | fe25519 z2_50_0; 12 | fe25519 z2_100_0; 13 | fe25519 t; 14 | 15 | /* 2 */ fe25519_square(&z2,x); 16 | /* 4 */ fe25519_square(&t,&z2); 17 | /* 8 */ fe25519_square(&t,&t); 18 | /* 9 */ fe25519_mul(&z9,&t,x); 19 | /* 11 */ fe25519_mul(&z11,&z9,&z2); 20 | /* 22 */ fe25519_square(&t,&z11); 21 | /* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t,&z9); 22 | 23 | /* 2^6 - 2^1 */ fe25519_square(&t,&z2_5_0); 24 | /* 2^10 - 2^5 */ fe25519_nsquare(&t,4); 25 | /* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t,&z2_5_0); 26 | 27 | /* 2^11 - 2^1 */ fe25519_square(&t,&z2_10_0); 28 | /* 2^20 - 2^10 */ fe25519_nsquare(&t,9); 29 | /* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t,&z2_10_0); 30 | 31 | /* 2^21 - 2^1 */ fe25519_square(&t,&z2_20_0); 32 | /* 2^40 - 2^20 */ fe25519_nsquare(&t,19); 33 | /* 2^40 - 2^0 */ fe25519_mul(&t,&t,&z2_20_0); 34 | 35 | /* 2^41 - 2^1 */ fe25519_square(&t,&t); 36 | /* 2^50 - 2^10 */ fe25519_nsquare(&t,9); 37 | /* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t,&z2_10_0); 38 | 39 | /* 2^51 - 2^1 */ fe25519_square(&t,&z2_50_0); 40 | /* 2^100 - 2^50 */ fe25519_nsquare(&t,49); 41 | /* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t,&z2_50_0); 42 | 43 | /* 2^101 - 2^1 */ fe25519_square(&t,&z2_100_0); 44 | /* 2^200 - 2^100 */ fe25519_nsquare(&t,99); 45 | /* 2^200 - 2^0 */ fe25519_mul(&t,&t,&z2_100_0); 46 | 47 | /* 2^201 - 2^1 */ fe25519_square(&t,&t); 48 | /* 2^250 - 2^50 */ fe25519_nsquare(&t,49); 49 | /* 2^250 - 2^0 */ fe25519_mul(&t,&t,&z2_50_0); 50 | 51 | /* 2^251 - 2^1 */ fe25519_square(&t,&t); 52 | /* 2^252 - 2^2 */ fe25519_square(&t,&t); 53 | /* 2^253 - 2^3 */ fe25519_square(&t,&t); 54 | 55 | /* 2^254 - 2^4 */ fe25519_square(&t,&t); 56 | 57 | /* 2^255 - 2^5 */ fe25519_square(&t,&t); 58 | /* 2^255 - 21 */ fe25519_mul(r,&t,&z11); 59 | } 60 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519_iseq.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y) 4 | { 5 | fe25519 t1 = *x; 6 | fe25519 t2 = *y; 7 | fe25519_freeze(&t1); 8 | fe25519_freeze(&t2); 9 | if(t1.v[0] != t2.v[0]) return 0; 10 | if(t1.v[1] != t2.v[1]) return 0; 11 | if(t1.v[2] != t2.v[2]) return 0; 12 | if(t1.v[3] != t2.v[3]) return 0; 13 | if(t1.v[4] != t2.v[4]) return 0; 14 | return 1; 15 | } 16 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519_iszero.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | int fe25519_iszero_vartime(const fe25519 *x) 4 | { 5 | fe25519 t = *x; 6 | fe25519_freeze(&t); 7 | if (t.v[0]) return 0; 8 | if (t.v[1]) return 0; 9 | if (t.v[2]) return 0; 10 | if (t.v[3]) return 0; 11 | if (t.v[4]) return 0; 12 | return 1; 13 | } 14 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519_neg.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | void fe25519_neg(fe25519 *r, const fe25519 *x) 4 | { 5 | fe25519 t; 6 | fe25519_setint(&t,0); 7 | fe25519_sub(r,&t,x); 8 | } 9 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519_pack.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | /* Assumes input x being reduced below 2^255 */ 4 | void fe25519_pack(unsigned char r[32], const fe25519 *x) 5 | { 6 | fe25519 t; 7 | t = *x; 8 | fe25519_freeze(&t); 9 | r[0] = (unsigned char) ( t.v[0] & 0xff); 10 | r[1] = (unsigned char) ((t.v[0] >> 8) & 0xff); 11 | r[2] = (unsigned char) ((t.v[0] >> 16) & 0xff); 12 | r[3] = (unsigned char) ((t.v[0] >> 24) & 0xff); 13 | r[4] = (unsigned char) ((t.v[0] >> 32) & 0xff); 14 | r[5] = (unsigned char) ((t.v[0] >> 40) & 0xff); 15 | r[6] = (unsigned char) ((t.v[0] >> 48)); 16 | 17 | r[6] ^= (unsigned char) ((t.v[1] << 3) & 0xf8); 18 | r[7] = (unsigned char) ((t.v[1] >> 5) & 0xff); 19 | r[8] = (unsigned char) ((t.v[1] >> 13) & 0xff); 20 | r[9] = (unsigned char) ((t.v[1] >> 21) & 0xff); 21 | r[10] = (unsigned char) ((t.v[1] >> 29) & 0xff); 22 | r[11] = (unsigned char) ((t.v[1] >> 37) & 0xff); 23 | r[12] = (unsigned char) ((t.v[1] >> 45)); 24 | 25 | r[12] ^= (unsigned char) ((t.v[2] << 6) & 0xc0); 26 | r[13] = (unsigned char) ((t.v[2] >> 2) & 0xff); 27 | r[14] = (unsigned char) ((t.v[2] >> 10) & 0xff); 28 | r[15] = (unsigned char) ((t.v[2] >> 18) & 0xff); 29 | r[16] = (unsigned char) ((t.v[2] >> 26) & 0xff); 30 | r[17] = (unsigned char) ((t.v[2] >> 34) & 0xff); 31 | r[18] = (unsigned char) ((t.v[2] >> 42) & 0xff); 32 | r[19] = (unsigned char) ((t.v[2] >> 50)); 33 | 34 | r[19] ^= (unsigned char) ((t.v[3] << 1) & 0xfe); 35 | r[20] = (unsigned char) ((t.v[3] >> 7) & 0xff); 36 | r[21] = (unsigned char) ((t.v[3] >> 15) & 0xff); 37 | r[22] = (unsigned char) ((t.v[3] >> 23) & 0xff); 38 | r[23] = (unsigned char) ((t.v[3] >> 31) & 0xff); 39 | r[24] = (unsigned char) ((t.v[3] >> 39) & 0xff); 40 | r[25] = (unsigned char) ((t.v[3] >> 47)); 41 | 42 | r[25] ^= (unsigned char) ((t.v[4] << 4) & 0xf0); 43 | r[26] = (unsigned char) ((t.v[4] >> 4) & 0xff); 44 | r[27] = (unsigned char) ((t.v[4] >> 12) & 0xff); 45 | r[28] = (unsigned char) ((t.v[4] >> 20) & 0xff); 46 | r[29] = (unsigned char) ((t.v[4] >> 28) & 0xff); 47 | r[30] = (unsigned char) ((t.v[4] >> 36) & 0xff); 48 | r[31] = (unsigned char) ((t.v[4] >> 44)); 49 | } 50 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519_pow2523.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | void fe25519_pow2523(fe25519 *r, const fe25519 *x) 4 | { 5 | fe25519 z2; 6 | fe25519 z9; 7 | fe25519 z11; 8 | fe25519 z2_5_0; 9 | fe25519 z2_10_0; 10 | fe25519 z2_20_0; 11 | fe25519 z2_50_0; 12 | fe25519 z2_100_0; 13 | fe25519 t; 14 | 15 | /* 2 */ fe25519_square(&z2,x); 16 | /* 4 */ fe25519_square(&t,&z2); 17 | /* 8 */ fe25519_square(&t,&t); 18 | /* 9 */ fe25519_mul(&z9,&t,x); 19 | /* 11 */ fe25519_mul(&z11,&z9,&z2); 20 | /* 22 */ fe25519_square(&t,&z11); 21 | /* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t,&z9); 22 | 23 | /* 2^6 - 2^1 */ fe25519_square(&t,&z2_5_0); 24 | /* 2^10 - 2^5 */ fe25519_nsquare(&t,4); 25 | /* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t,&z2_5_0); 26 | 27 | /* 2^11 - 2^1 */ fe25519_square(&t,&z2_10_0); 28 | /* 2^20 - 2^10 */ fe25519_nsquare(&t,9); 29 | /* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t,&z2_10_0); 30 | 31 | /* 2^21 - 2^1 */ fe25519_square(&t,&z2_20_0); 32 | /* 2^40 - 2^20 */ fe25519_nsquare(&t,19); 33 | /* 2^40 - 2^0 */ fe25519_mul(&t,&t,&z2_20_0); 34 | 35 | /* 2^41 - 2^1 */ fe25519_square(&t,&t); 36 | /* 2^50 - 2^10 */ fe25519_nsquare(&t,9); 37 | /* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t,&z2_10_0); 38 | 39 | /* 2^51 - 2^1 */ fe25519_square(&t,&z2_50_0); 40 | /* 2^100 - 2^50 */ fe25519_nsquare(&t,49); 41 | /* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t,&z2_50_0); 42 | 43 | /* 2^101 - 2^1 */ fe25519_square(&t,&z2_100_0); 44 | /* 2^200 - 2^100 */ fe25519_nsquare(&t,99); 45 | /* 2^200 - 2^0 */ fe25519_mul(&t,&t,&z2_100_0); 46 | 47 | /* 2^201 - 2^1 */ fe25519_square(&t,&t); 48 | /* 2^250 - 2^50 */ fe25519_nsquare(&t,49); 49 | /* 2^250 - 2^0 */ fe25519_mul(&t,&t,&z2_50_0); 50 | 51 | /* 2^251 - 2^1 */ fe25519_square(&t,&t); 52 | /* 2^252 - 2^2 */ fe25519_square(&t,&t); 53 | /* 2^252 - 3 */ fe25519_mul(r,&t,x); 54 | } 55 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519_setint.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | void fe25519_setint(fe25519 *r, unsigned int v) 4 | { 5 | r->v[0] = v; 6 | r->v[1] = 0; 7 | r->v[2] = 0; 8 | r->v[3] = 0; 9 | r->v[4] = 0; 10 | } 11 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519_sub.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y) 4 | { 5 | fe25519 yt = *y; 6 | /* Not required for reduced input */ 7 | 8 | unsigned long long t; 9 | t = yt.v[0] >> 51; 10 | yt.v[0] &= 2251799813685247; 11 | yt.v[1] += t; 12 | 13 | t = yt.v[1] >> 51; 14 | yt.v[1] &= 2251799813685247; 15 | yt.v[2] += t; 16 | 17 | t = yt.v[2] >> 51; 18 | yt.v[2] &= 2251799813685247; 19 | yt.v[3] += t; 20 | 21 | t = yt.v[3] >> 51; 22 | yt.v[3] &= 2251799813685247; 23 | yt.v[4] += t; 24 | 25 | t = yt.v[4] >> 51; 26 | yt.v[4] &= 2251799813685247; 27 | yt.v[0] += 19*t; 28 | 29 | r->v[0] = x->v[0] + 0xFFFFFFFFFFFDA - yt.v[0]; 30 | r->v[1] = x->v[1] + 0xFFFFFFFFFFFFE - yt.v[1]; 31 | r->v[2] = x->v[2] + 0xFFFFFFFFFFFFE - yt.v[2]; 32 | r->v[3] = x->v[3] + 0xFFFFFFFFFFFFE - yt.v[3]; 33 | r->v[4] = x->v[4] + 0xFFFFFFFFFFFFE - yt.v[4]; 34 | } 35 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/fe25519_unpack.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | void fe25519_unpack(fe25519 *r, const unsigned char x[32]) 4 | { 5 | r->v[0] = x[0]; 6 | r->v[0] += (unsigned long long)x[1] << 8; 7 | r->v[0] += (unsigned long long)x[2] << 16; 8 | r->v[0] += (unsigned long long)x[3] << 24; 9 | r->v[0] += (unsigned long long)x[4] << 32; 10 | r->v[0] += (unsigned long long)x[5] << 40; 11 | r->v[0] += ((unsigned long long)x[6] & 7) << 48; 12 | 13 | r->v[1] = x[6] >> 3; 14 | r->v[1] += (unsigned long long)x[7] << 5; 15 | r->v[1] += (unsigned long long)x[8] << 13; 16 | r->v[1] += (unsigned long long)x[9] << 21; 17 | r->v[1] += (unsigned long long)x[10] << 29; 18 | r->v[1] += (unsigned long long)x[11] << 37; 19 | r->v[1] += ((unsigned long long)x[12] & 63) << 45; 20 | 21 | r->v[2] = x[12] >> 6; 22 | r->v[2] += (unsigned long long)x[13] << 2; 23 | r->v[2] += (unsigned long long)x[14] << 10; 24 | r->v[2] += (unsigned long long)x[15] << 18; 25 | r->v[2] += (unsigned long long)x[16] << 26; 26 | r->v[2] += (unsigned long long)x[17] << 34; 27 | r->v[2] += (unsigned long long)x[18] << 42; 28 | r->v[2] += ((unsigned long long)x[19] & 1) << 50; 29 | 30 | r->v[3] = x[19] >> 1; 31 | r->v[3] += (unsigned long long)x[20] << 7; 32 | r->v[3] += (unsigned long long)x[21] << 15; 33 | r->v[3] += (unsigned long long)x[22] << 23; 34 | r->v[3] += (unsigned long long)x[23] << 31; 35 | r->v[3] += (unsigned long long)x[24] << 39; 36 | r->v[3] += ((unsigned long long)x[25] & 15) << 47; 37 | 38 | r->v[4] = x[25] >> 4; 39 | r->v[4] += (unsigned long long)x[26] << 4; 40 | r->v[4] += (unsigned long long)x[27] << 12; 41 | r->v[4] += (unsigned long long)x[28] << 20; 42 | r->v[4] += (unsigned long long)x[29] << 28; 43 | r->v[4] += (unsigned long long)x[30] << 36; 44 | r->v[4] += ((unsigned long long)x[31] & 127) << 44; 45 | } 46 | 47 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/ge25519_add.c: -------------------------------------------------------------------------------- 1 | #include "ge25519.h" 2 | 3 | void ge25519_add(ge25519_p3 *r, const ge25519_p3 *p, const ge25519_p3 *q) 4 | { 5 | ge25519_p1p1 grp1p1; 6 | ge25519_add_p1p1(&grp1p1, p, q); 7 | ge25519_p1p1_to_p3(r, &grp1p1); 8 | } 9 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/ge25519_base.c: -------------------------------------------------------------------------------- 1 | #include "ge25519.h" 2 | 3 | /* Base point in P^3 coordinates (with Z=1) */ 4 | const ge25519 ge25519_base = {{{0x00062d608f25d51a, 0x000412a4b4f6592a, 0x00075b7171a4b31d, 0x0001ff60527118fe, 0x000216936d3cd6e5}}, 5 | {{0x0006666666666658, 0x0004cccccccccccc, 0x0001999999999999, 0x0003333333333333, 0x0006666666666666}}, 6 | {{0x0000000000000001, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000}}, 7 | {{0x00068AB3A5B7DDA3, 0x00000EEA2A5EADBB, 0x0002AF8DF483C27E, 0x000332B375274732, 0x00067875F0FD78B7}}}; 8 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/ge25519_batchpack.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | #include "ge25519.h" 3 | 4 | // NOTE: leaves in unfinished state 5 | void ge25519_batchpack_destructive_1(bytes32 *out, ge25519_p3 *in, fe25519 *tmp, size_t num) 6 | { 7 | fe25519 ty; 8 | 9 | fe25519_batchinvert(&in->z, &in->z, tmp, num, sizeof(ge25519_p3)); 10 | 11 | for (size_t i = 0; i < num; ++i) { 12 | fe25519_mul(&ty, &in[i].y, &in[i].z); 13 | fe25519_pack(out[i], &ty); 14 | } 15 | } 16 | 17 | void ge25519_batchpack_destructive_finish(bytes32 out, ge25519_p3 *unf) 18 | { 19 | fe25519 tx; 20 | // z of unfinished is inverted 21 | fe25519_mul(&tx, &unf->x, &unf->z); 22 | out[31] ^= fe25519_getparity(&tx) << 7; 23 | } 24 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/ge25519_double.c: -------------------------------------------------------------------------------- 1 | #include "ge25519.h" 2 | 3 | void ge25519_double(ge25519_p3 *r, const ge25519_p3 *p) 4 | { 5 | ge25519_p1p1 grp1p1; 6 | ge25519_dbl_p1p1(&grp1p1, (ge25519_p2 *)p); 7 | ge25519_p1p1_to_p3(r, &grp1p1); 8 | } 9 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/ge25519_double_scalarmult.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | #include "sc25519.h" 3 | #include "ge25519.h" 4 | 5 | #define S1_SWINDOWSIZE 5 6 | #define PRE1_SIZE (1<<(S1_SWINDOWSIZE-2)) 7 | #define S2_SWINDOWSIZE 7 8 | #define PRE2_SIZE (1<<(S2_SWINDOWSIZE-2)) 9 | 10 | static const ge25519_niels pre2[PRE2_SIZE] = { 11 | #include "ge25519_base_slide_multiples.data" 12 | }; 13 | 14 | static const fe25519 ec2d = {{1859910466990425, 932731440258426, 1072319116312658, 1815898335770999, 633789495995903}}; 15 | 16 | static void setneutral(ge25519 *r) 17 | { 18 | fe25519_setint(&r->x,0); 19 | fe25519_setint(&r->y,1); 20 | fe25519_setint(&r->z,1); 21 | fe25519_setint(&r->t,0); 22 | } 23 | 24 | /* computes [s1]p1 + [s2]p2 */ 25 | void ge25519_double_scalarmult_vartime(ge25519_p3 *r, const ge25519_p3 *p1, const sc25519 *s1, const sc25519 *s2) 26 | { 27 | signed char slide1[256], slide2[256]; 28 | ge25519_pniels pre1[PRE1_SIZE], neg; 29 | ge25519_p3 d1; 30 | ge25519_p1p1 t; 31 | ge25519_niels nneg; 32 | fe25519 d; 33 | int i; 34 | 35 | sc25519_slide(slide1, s1, S1_SWINDOWSIZE); 36 | sc25519_slide(slide2, s2, S2_SWINDOWSIZE); 37 | 38 | /* precomputation */ 39 | pre1[0] = *(ge25519_pniels *)p1; 40 | ge25519_dbl_p1p1(&t,(ge25519_p2 *)pre1); ge25519_p1p1_to_p3(&d1, &t); 41 | /* Convert pre[0] to projective Niels representation */ 42 | d = pre1[0].ysubx; 43 | fe25519_sub(&pre1[0].ysubx, &pre1[0].xaddy, &pre1[0].ysubx); 44 | fe25519_add(&pre1[0].xaddy, &pre1[0].xaddy, &d); 45 | fe25519_mul(&pre1[0].t2d, &pre1[0].t2d, &ec2d); 46 | 47 | for(i=0;i= 0;--i) { 54 | if (slide1[i] || slide2[i]) goto firstbit; 55 | } 56 | 57 | for(;i>=0;i--) 58 | { 59 | firstbit: 60 | 61 | ge25519_dbl_p1p1(&t, (ge25519_p2 *)r); 62 | 63 | if(slide1[i]>0) 64 | { 65 | ge25519_p1p1_to_p3(r, &t); 66 | ge25519_pnielsadd_p1p1(&t, r, &pre1[slide1[i]/2]); 67 | } 68 | else if(slide1[i]<0) 69 | { 70 | ge25519_p1p1_to_p3(r, &t); 71 | neg = pre1[-slide1[i]/2]; 72 | d = neg.ysubx; 73 | neg.ysubx = neg.xaddy; 74 | neg.xaddy = d; 75 | fe25519_neg(&neg.t2d, &neg.t2d); 76 | ge25519_pnielsadd_p1p1(&t, r, &neg); 77 | } 78 | 79 | if(slide2[i]>0) 80 | { 81 | ge25519_p1p1_to_p3(r, &t); 82 | ge25519_nielsadd_p1p1(&t, r, &pre2[slide2[i]/2]); 83 | } 84 | else if(slide2[i]<0) 85 | { 86 | ge25519_p1p1_to_p3(r, &t); 87 | nneg = pre2[-slide2[i]/2]; 88 | d = nneg.ysubx; 89 | nneg.ysubx = nneg.xaddy; 90 | nneg.xaddy = d; 91 | fe25519_neg(&nneg.t2d, &nneg.t2d); 92 | ge25519_nielsadd_p1p1(&t, r, &nneg); 93 | } 94 | 95 | ge25519_p1p1_to_p2((ge25519_p2 *)r, &t); 96 | } 97 | } 98 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/ge25519_isneutral.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | #include "ge25519.h" 3 | 4 | int ge25519_isneutral_vartime(const ge25519_p3 *p) 5 | { 6 | if(!fe25519_iszero_vartime(&p->x)) return 0; 7 | if(!fe25519_iseq_vartime(&p->y, &p->z)) return 0; 8 | return 1; 9 | } 10 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/ge25519_pack.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | #include "sc25519.h" 3 | #include "ge25519.h" 4 | 5 | void ge25519_pack(unsigned char r[32], const ge25519_p3 *p) 6 | { 7 | fe25519 tx, ty, zi; 8 | fe25519_invert(&zi, &p->z); 9 | fe25519_mul(&tx, &p->x, &zi); 10 | fe25519_mul(&ty, &p->y, &zi); 11 | fe25519_pack(r, &ty); 12 | r[31] ^= fe25519_getparity(&tx) << 7; 13 | } 14 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/ge25519_scalarmult_base.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | #include "sc25519.h" 3 | #include "ge25519.h" 4 | 5 | /* Multiples of the base point in Niels' representation */ 6 | static const ge25519_niels ge25519_base_multiples_niels[] = { 7 | #include "ge25519_base_niels_smalltables.data" 8 | }; 9 | 10 | /* d */ 11 | static const fe25519 ecd = {{929955233495203, 466365720129213, 1662059464998953, 2033849074728123, 1442794654840575}}; 12 | 13 | void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s) 14 | { 15 | signed char b[64]; 16 | int i; 17 | ge25519_niels t; 18 | fe25519 d; 19 | 20 | sc25519_window4(b,s); 21 | 22 | ge25519_p1p1 tp1p1; 23 | choose_t((ge25519_niels *)r, 0, (signed long long) b[1], ge25519_base_multiples_niels); 24 | fe25519_sub(&d, &r->y, &r->x); 25 | fe25519_add(&r->y, &r->y, &r->x); 26 | r->x = d; 27 | r->t = r->z; 28 | fe25519_setint(&r->z,2); 29 | for(i=3;i<64;i+=2) 30 | { 31 | choose_t(&t, (unsigned long long) i/2, (signed long long) b[i], ge25519_base_multiples_niels); 32 | ge25519_nielsadd2(r, &t); 33 | } 34 | ge25519_dbl_p1p1(&tp1p1,(ge25519_p2 *)r); 35 | ge25519_p1p1_to_p2((ge25519_p2 *)r, &tp1p1); 36 | ge25519_dbl_p1p1(&tp1p1,(ge25519_p2 *)r); 37 | ge25519_p1p1_to_p2((ge25519_p2 *)r, &tp1p1); 38 | ge25519_dbl_p1p1(&tp1p1,(ge25519_p2 *)r); 39 | ge25519_p1p1_to_p2((ge25519_p2 *)r, &tp1p1); 40 | ge25519_dbl_p1p1(&tp1p1,(ge25519_p2 *)r); 41 | ge25519_p1p1_to_p3(r, &tp1p1); 42 | choose_t(&t, (unsigned long long) 0, (signed long long) b[0], ge25519_base_multiples_niels); 43 | fe25519_mul(&t.t2d, &t.t2d, &ecd); 44 | ge25519_nielsadd2(r, &t); 45 | for(i=2;i<64;i+=2) 46 | { 47 | choose_t(&t, (unsigned long long) i/2, (signed long long) b[i], ge25519_base_multiples_niels); 48 | ge25519_nielsadd2(r, &t); 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/ge25519_unpackneg.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | #include "ge25519.h" 3 | 4 | /* d */ 5 | static const fe25519 ecd = {{929955233495203, 466365720129213, 1662059464998953, 2033849074728123, 1442794654840575}}; 6 | /* sqrt(-1) */ 7 | static const fe25519 sqrtm1 = {{1718705420411056, 234908883556509, 2233514472574048, 2117202627021982, 765476049583133}}; 8 | 9 | /* return 0 on success, -1 otherwise */ 10 | int ge25519_unpackneg_vartime(ge25519_p3 *r, const unsigned char p[32]) 11 | { 12 | fe25519 t, chk, num, den, den2, den4, den6; 13 | unsigned char par = p[31] >> 7; 14 | 15 | fe25519_setint(&r->z,1); 16 | fe25519_unpack(&r->y, p); 17 | fe25519_square(&num, &r->y); /* x = y^2 */ 18 | fe25519_mul(&den, &num, &ecd); /* den = dy^2 */ 19 | fe25519_sub(&num, &num, &r->z); /* x = y^2-1 */ 20 | fe25519_add(&den, &r->z, &den); /* den = dy^2+1 */ 21 | 22 | /* Computation of sqrt(num/den) 23 | 1.: computation of num^((p-5)/8)*den^((7p-35)/8) = (num*den^7)^((p-5)/8) 24 | */ 25 | fe25519_square(&den2, &den); 26 | fe25519_square(&den4, &den2); 27 | fe25519_mul(&den6, &den4, &den2); 28 | fe25519_mul(&t, &den6, &num); 29 | fe25519_mul(&t, &t, &den); 30 | 31 | fe25519_pow2523(&t, &t); 32 | /* 2. computation of r->x = t * num * den^3 33 | */ 34 | fe25519_mul(&t, &t, &num); 35 | fe25519_mul(&t, &t, &den); 36 | fe25519_mul(&t, &t, &den); 37 | fe25519_mul(&r->x, &t, &den); 38 | 39 | /* 3. Check whether sqrt computation gave correct result, multiply by sqrt(-1) if not: 40 | */ 41 | fe25519_square(&chk, &r->x); 42 | fe25519_mul(&chk, &chk, &den); 43 | if (!fe25519_iseq_vartime(&chk, &num)) 44 | fe25519_mul(&r->x, &r->x, &sqrtm1); 45 | 46 | /* 4. Now we have one of the two square roots, except if input was not a square 47 | */ 48 | fe25519_square(&chk, &r->x); 49 | fe25519_mul(&chk, &chk, &den); 50 | if (!fe25519_iseq_vartime(&chk, &num)) 51 | return -1; 52 | 53 | /* 5. Choose the desired square root according to parity: 54 | */ 55 | if(fe25519_getparity(&r->x) != (1-par)) 56 | fe25519_neg(&r->x, &r->x); 57 | 58 | fe25519_mul(&r->t, &r->x, &r->y); 59 | return 0; 60 | } 61 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/hram.c: -------------------------------------------------------------------------------- 1 | #include "crypto_hash_sha512.h" 2 | #include "hram.h" 3 | 4 | void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen) 5 | { 6 | unsigned long long i; 7 | 8 | for (i = 0;i < 32;++i) playground[i] = sm[i]; 9 | for (i = 32;i < 64;++i) playground[i] = pk[i-32]; 10 | for (i = 64;i < smlen;++i) playground[i] = sm[i]; 11 | 12 | crypto_hash_sha512(hram,playground,smlen); 13 | } 14 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/hram.h: -------------------------------------------------------------------------------- 1 | #ifndef HRAM_H 2 | #define HRAM_H 3 | 4 | #define get_hram CRYPTO_NAMESPACE(batch_get_hram) 5 | 6 | extern void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen); 7 | 8 | #endif 9 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/implementors: -------------------------------------------------------------------------------- 1 | Daniel J. Bernstein 2 | Niels Duif 3 | Tanja Lange 4 | lead: Peter Schwabe 5 | Bo-Yin Yang 6 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/index_heap.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | #include "index_heap.h" 3 | 4 | /* caller's responsibility to ensure hlen>=3 */ 5 | void heap_init(unsigned long long *h, unsigned long long hlen, sc25519 *scalars) 6 | { 7 | h[0] = 0; 8 | unsigned long long i=1; 9 | while(i 0) 30 | { 31 | /* if(sc25519_lt_vartime(&scalars[h[ppos]], &scalars[h[pos]])) */ 32 | if(sc25519_lt(&scalars[h[ppos]], &scalars[h[pos]])) 33 | { 34 | t = h[ppos]; 35 | h[ppos] = h[pos]; 36 | h[pos] = t; 37 | pos = ppos; 38 | ppos = (pos-1)/2; 39 | } 40 | else break; 41 | } 42 | (*hlen)++; 43 | } 44 | 45 | /* Put the largest value in the heap in max1, the second largest in max2 */ 46 | void heap_get2max(unsigned long long *h, unsigned long long *max1, unsigned long long *max2, sc25519 *scalars) 47 | { 48 | *max1 = h[0]; 49 | *max2 = h[1]; 50 | if(sc25519_lt(&scalars[h[1]],&scalars[h[2]])) 51 | *max2 = h[2]; 52 | } 53 | 54 | /* After the root has been replaced, restore heap property */ 55 | /* extern void heap_rootreplaced(unsigned long long *h, unsigned long long hlen, sc25519 *scalars); 56 | */ 57 | /* extern void heap_rootreplaced_shortscalars(unsigned long long *h, unsigned long long hlen, sc25519 *scalars); 58 | */ 59 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/index_heap.h: -------------------------------------------------------------------------------- 1 | #ifndef INDEX_HEAP_H 2 | #define INDEX_HEAP_H 3 | 4 | #include "sc25519.h" 5 | #include "compat.h" 6 | 7 | #define heap_init CRYPTO_NAMESPACE(batch_heap_init) 8 | #define heap_extend CRYPTO_NAMESPACE(batch_heap_extend) 9 | #define heap_pop CRYPTO_NAMESPACE(batch_heap_pop) 10 | #define heap_push CRYPTO_NAMESPACE(batch_heap_push) 11 | #define heap_get2max CRYPTO_NAMESPACE(batch_heap_get2max) 12 | #define heap_rootreplaced CRYPTO_NAMESPACE(batch_heap_rootreplaced) 13 | #define heap_rootreplaced_3limbs CRYPTO_NAMESPACE(batch_heap_rootreplaced_3limbs) 14 | #define heap_rootreplaced_2limbs CRYPTO_NAMESPACE(batch_heap_rootreplaced_2limbs) 15 | #define heap_rootreplaced_1limb CRYPTO_NAMESPACE(batch_heap_rootreplaced_1limb) 16 | 17 | void heap_init(unsigned long long *h, unsigned long long hlen, sc25519 *scalars); 18 | 19 | void heap_extend(unsigned long long *h, unsigned long long oldlen, unsigned long long newlen, sc25519 *scalars); 20 | 21 | unsigned long long heap_pop(unsigned long long *h, unsigned long long *hlen, sc25519 *scalars); 22 | 23 | void heap_push(unsigned long long *h, unsigned long long *hlen, unsigned long long elem, sc25519 *scalars); 24 | 25 | void heap_get2max(unsigned long long *h, unsigned long long *max1, unsigned long long *max2, sc25519 *scalars); 26 | 27 | void heap_rootreplaced(unsigned long long *h, unsigned long long hlen, sc25519 *scalars) SYSVABI; 28 | void heap_rootreplaced_3limbs(unsigned long long *h, unsigned long long hlen, sc25519 *scalars) SYSVABI; 29 | void heap_rootreplaced_2limbs(unsigned long long *h, unsigned long long hlen, sc25519 *scalars) SYSVABI; 30 | void heap_rootreplaced_1limb(unsigned long long *h, unsigned long long hlen, sc25519 *scalars) SYSVABI; 31 | 32 | #endif 33 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/keypair.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "crypto_sign.h" 3 | #include "crypto_hash_sha512.h" 4 | #include "randombytes.h" 5 | #include "ge25519.h" 6 | 7 | int crypto_sign_seckey_expand(unsigned char *sk,const unsigned char *seed) 8 | { 9 | crypto_hash_sha512(sk,seed,32); 10 | sk[0] &= 248; 11 | sk[31] &= 63; 12 | sk[31] |= 64; 13 | 14 | return 0; 15 | } 16 | 17 | int crypto_sign_seckey(unsigned char *sk) 18 | { 19 | unsigned char seed[32]; 20 | 21 | if (randombytes(seed,32) < 0) 22 | return -1; 23 | 24 | crypto_sign_seckey_expand(sk,seed); 25 | 26 | return 0; 27 | } 28 | 29 | int crypto_sign_pubkey(unsigned char *pk,const unsigned char *sk) 30 | { 31 | sc25519 scsk; 32 | ge25519_p3 gepk; 33 | 34 | sc25519_from32bytes(&scsk,sk); 35 | ge25519_scalarmult_base(&gepk,&scsk); 36 | ge25519_pack(pk,&gepk); 37 | 38 | return 0; 39 | } 40 | 41 | int crypto_sign_keypair(unsigned char *pk,unsigned char *sk) 42 | { 43 | crypto_sign_seckey(sk); 44 | crypto_sign_pubkey(pk,sk); 45 | return 0; 46 | } 47 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/open.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "crypto_sign.h" 3 | #include "crypto_verify_32.h" 4 | #include "crypto_hash_sha512.h" 5 | #include "ge25519.h" 6 | 7 | int crypto_sign_open( 8 | unsigned char *m,unsigned long long *mlen, 9 | const unsigned char *sm,unsigned long long smlen, 10 | const unsigned char *pk 11 | ) 12 | { 13 | unsigned char pkcopy[32]; 14 | unsigned char rcopy[32]; 15 | unsigned char hram[64]; 16 | unsigned char rcheck[32]; 17 | ge25519 get1, get2; 18 | sc25519 schram, scs; 19 | 20 | if (smlen < 64) goto badsig; 21 | if (sm[63] & 224) goto badsig; 22 | if (ge25519_unpackneg_vartime(&get1,pk)) goto badsig; 23 | 24 | memmove(pkcopy,pk,32); 25 | memmove(rcopy,sm,32); 26 | 27 | sc25519_from32bytes(&scs, sm+32); 28 | 29 | memmove(m,sm,smlen); 30 | memmove(m + 32,pkcopy,32); 31 | crypto_hash_sha512(hram,m,smlen); 32 | 33 | sc25519_from64bytes(&schram, hram); 34 | 35 | ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &scs); 36 | ge25519_pack(rcheck, &get2); 37 | 38 | if (crypto_verify_32(rcopy,rcheck) == 0) { 39 | memmove(m,m + 64,smlen - 64); 40 | memset(m + smlen - 64,0,64); 41 | *mlen = smlen - 64; 42 | return 0; 43 | } 44 | 45 | badsig: 46 | *mlen = (unsigned long long) -1; 47 | memset(m,0,smlen); 48 | return -1; 49 | } 50 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/randombytes.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | static inline int randombytes_wrap(unsigned char *b,size_t l) 4 | { 5 | randombytes(b,l); 6 | return 0; 7 | } 8 | #define randombytes randombytes_wrap 9 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/sc25519.h: -------------------------------------------------------------------------------- 1 | #ifndef SC25519_H 2 | #define SC25519_H 3 | 4 | #include "compat.h" 5 | 6 | #define sc25519 CRYPTO_NAMESPACE(batch_sc25519) 7 | #define shortsc25519 CRYPTO_NAMESPACE(batch_shortsc25519) 8 | #define sc25519_from32bytes CRYPTO_NAMESPACE(batch_sc25519_from32bytes) 9 | #define shortsc25519_from16bytes CRYPTO_NAMESPACE(batch_shortsc25519_from16bytes) 10 | #define sc25519_from64bytes CRYPTO_NAMESPACE(batch_sc25519_from64bytes) 11 | #define sc25519_from_shortsc CRYPTO_NAMESPACE(batch_sc25519_from_shortsc) 12 | #define sc25519_to32bytes CRYPTO_NAMESPACE(batch_sc25519_to32bytes) 13 | #define sc25519_iszero_vartime CRYPTO_NAMESPACE(batch_sc25519_iszero_vartime) 14 | #define sc25519_isshort_vartime CRYPTO_NAMESPACE(batch_sc25519_isshort_vartime) 15 | #define sc25519_lt CRYPTO_NAMESPACE(batch_sc25519_lt) 16 | #define sc25519_add CRYPTO_NAMESPACE(batch_sc25519_add) 17 | #define sc25519_sub_nored CRYPTO_NAMESPACE(batch_sc25519_sub_nored) 18 | #define sc25519_mul CRYPTO_NAMESPACE(batch_sc25519_mul) 19 | #define sc25519_mul_shortsc CRYPTO_NAMESPACE(batch_sc25519_mul_shortsc) 20 | #define sc25519_window4 CRYPTO_NAMESPACE(batch_sc25519_window4) 21 | #define sc25519_window5 CRYPTO_NAMESPACE(batch_sc25519_window5) 22 | #define sc25519_slide CRYPTO_NAMESPACE(batch_sc25519_slide) 23 | #define sc25519_2interleave2 CRYPTO_NAMESPACE(batch_sc25519_2interleave2) 24 | #define sc25519_barrett CRYPTO_NAMESPACE(batch_sc25519_barrett) 25 | 26 | typedef struct 27 | { 28 | unsigned long long v[4]; 29 | } 30 | sc25519; 31 | 32 | typedef struct 33 | { 34 | unsigned long long v[2]; 35 | } 36 | shortsc25519; 37 | 38 | void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]); 39 | 40 | void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]); 41 | 42 | void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x); 43 | 44 | void sc25519_to32bytes(unsigned char r[32], const sc25519 *x); 45 | 46 | int sc25519_iszero_vartime(const sc25519 *x); 47 | 48 | int sc25519_lt(const sc25519 *x, const sc25519 *y) SYSVABI; 49 | 50 | void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y) SYSVABI; 51 | 52 | void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y) SYSVABI; 53 | 54 | void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y); 55 | 56 | void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y); 57 | 58 | /* Convert s into a representation of the form \sum_{i=0}^{63}r[i]2^(4*i) 59 | * with r[i] in {-8,...,7} 60 | */ 61 | void sc25519_window4(signed char r[64], const sc25519 *s); 62 | 63 | void sc25519_window5(signed char r[51], const sc25519 *s); 64 | 65 | void sc25519_slide(signed char r[256], const sc25519 *s, int swindowsize); 66 | 67 | void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2); 68 | 69 | void sc25519_barrett(sc25519 *r, unsigned long long x[8]) SYSVABI; 70 | 71 | #endif 72 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/sc25519_from32bytes.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | /*Arithmetic modulo the group order n = 2^252 + 27742317777372353535851937790883648493 4 | * = 7237005577332262213973186563042994240857116359379907606001950938285454250989 5 | */ 6 | 7 | /* Contains order, 2*order, 4*order, 8*order, each represented in 4 consecutive unsigned long long */ 8 | static const unsigned long long order[16] = {0x5812631A5CF5D3EDULL, 0x14DEF9DEA2F79CD6ULL, 9 | 0x0000000000000000ULL, 0x1000000000000000ULL, 10 | 0xB024C634B9EBA7DAULL, 0x29BDF3BD45EF39ACULL, 11 | 0x0000000000000000ULL, 0x2000000000000000ULL, 12 | 0x60498C6973D74FB4ULL, 0x537BE77A8BDE7359ULL, 13 | 0x0000000000000000ULL, 0x4000000000000000ULL, 14 | 0xC09318D2E7AE9F68ULL, 0xA6F7CEF517BCE6B2ULL, 15 | 0x0000000000000000ULL, 0x8000000000000000ULL}; 16 | 17 | static unsigned long long smaller(unsigned long long a,unsigned long long b) 18 | { 19 | unsigned long long atop = a >> 32; 20 | unsigned long long abot = a & 4294967295; 21 | unsigned long long btop = b >> 32; 22 | unsigned long long bbot = b & 4294967295; 23 | unsigned long long atopbelowbtop = (atop - btop) >> 63; 24 | unsigned long long atopeqbtop = ((atop ^ btop) - 1) >> 63; 25 | unsigned long long abotbelowbbot = (abot - bbot) >> 63; 26 | return atopbelowbtop | (atopeqbtop & abotbelowbbot); 27 | } 28 | 29 | void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]) 30 | { 31 | unsigned long long t[4]; 32 | unsigned long long b; 33 | unsigned long long mask; 34 | int i, j; 35 | 36 | /* assuming little-endian */ 37 | r->v[0] = *(unsigned long long *)x; 38 | r->v[1] = *(((unsigned long long *)x)+1); 39 | r->v[2] = *(((unsigned long long *)x)+2); 40 | r->v[3] = *(((unsigned long long *)x)+3); 41 | 42 | for(j=3;j>=0;j--) 43 | { 44 | b=0; 45 | for(i=0;i<4;i++) 46 | { 47 | b += order[4*j+i]; /* no overflow for this particular order */ 48 | t[i] = r->v[i] - b; 49 | b = smaller(r->v[i],b); 50 | } 51 | mask = b - 1; 52 | for(i=0;i<4;i++) 53 | r->v[i] ^= mask & (r->v[i] ^ t[i]); 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/sc25519_from64bytes.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]) 4 | { 5 | /* assuming little-endian representation of unsigned long long */ 6 | sc25519_barrett(r, (unsigned long long *)x); 7 | } 8 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/sc25519_from_shortsc.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x) 4 | { 5 | r->v[0] = x->v[0]; 6 | r->v[1] = x->v[1]; 7 | r->v[2] = 0; 8 | r->v[3] = 0; 9 | } 10 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/sc25519_iszero.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | int sc25519_iszero_vartime(const sc25519 *x) 4 | { 5 | if(x->v[0] != 0) return 0; 6 | if(x->v[1] != 0) return 0; 7 | if(x->v[2] != 0) return 0; 8 | if(x->v[3] != 0) return 0; 9 | return 1; 10 | } 11 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/sc25519_lt.S: -------------------------------------------------------------------------------- 1 | 2 | # qhasm: int64 xp 3 | 4 | # qhasm: int64 yp 5 | 6 | # qhasm: int64 ret 7 | 8 | # qhasm: input xp 9 | 10 | # qhasm: input yp 11 | 12 | # qhasm: output ret 13 | 14 | # qhasm: int64 t0 15 | 16 | # qhasm: int64 t1 17 | 18 | # qhasm: int64 t2 19 | 20 | # qhasm: int64 t3 21 | 22 | # qhasm: int64 doof 23 | 24 | # qhasm: int64 caller1 25 | 26 | # qhasm: int64 caller2 27 | 28 | # qhasm: int64 caller3 29 | 30 | # qhasm: int64 caller4 31 | 32 | # qhasm: int64 caller5 33 | 34 | # qhasm: int64 caller6 35 | 36 | # qhasm: int64 caller7 37 | 38 | # qhasm: caller caller1 39 | 40 | # qhasm: caller caller2 41 | 42 | # qhasm: caller caller3 43 | 44 | # qhasm: caller caller4 45 | 46 | # qhasm: caller caller5 47 | 48 | # qhasm: caller caller6 49 | 50 | # qhasm: caller caller7 51 | 52 | # qhasm: stack64 caller4_stack 53 | 54 | # qhasm: stack64 caller5_stack 55 | 56 | # qhasm: stack64 caller6_stack 57 | 58 | # qhasm: stack64 caller7_stack 59 | 60 | # qhasm: enter CRYPTO_NAMESPACE(batch_sc25519_lt) 61 | .text 62 | .p2align 5 63 | .globl _CRYPTO_NAMESPACE(batch_sc25519_lt) 64 | .globl CRYPTO_NAMESPACE(batch_sc25519_lt) 65 | _CRYPTO_NAMESPACE(batch_sc25519_lt): 66 | CRYPTO_NAMESPACE(batch_sc25519_lt): 67 | mov %rsp,%r11 68 | and $31,%r11 69 | add $0,%r11 70 | sub %r11,%rsp 71 | 72 | # qhasm: t0 = *(uint64 *)(xp + 0) 73 | # asm 1: movq 0(t0=int64#3 74 | # asm 2: movq 0(t0=%rdx 75 | movq 0(%rdi),%rdx 76 | 77 | # qhasm: t1 = *(uint64 *)(xp + 8) 78 | # asm 1: movq 8(t1=int64#4 79 | # asm 2: movq 8(t1=%rcx 80 | movq 8(%rdi),%rcx 81 | 82 | # qhasm: t2 = *(uint64 *)(xp + 16) 83 | # asm 1: movq 16(t2=int64#5 84 | # asm 2: movq 16(t2=%r8 85 | movq 16(%rdi),%r8 86 | 87 | # qhasm: t3 = *(uint64 *)(xp + 24) 88 | # asm 1: movq 24(t3=int64#1 89 | # asm 2: movq 24(t3=%rdi 90 | movq 24(%rdi),%rdi 91 | 92 | # qhasm: carry? t0 -= *(uint64 *)(yp + 0) 93 | # asm 1: subq 0(ret=int64#1 114 | # asm 2: mov $0,>ret=%rdi 115 | mov $0,%rdi 116 | 117 | # qhasm: doof = 1 118 | # asm 1: mov $1,>doof=int64#2 119 | # asm 2: mov $1,>doof=%rsi 120 | mov $1,%rsi 121 | 122 | # qhasm: ret = doof if carry 123 | # asm 1: cmovc v, y->v); 12 | sc25519_barrett(r, t); 13 | } 14 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/sc25519_mul_shortsc.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y) 4 | { 5 | /* XXX: This wants to be faster */ 6 | sc25519 t; 7 | sc25519_from_shortsc(&t, y); 8 | sc25519_mul(r, x, &t); 9 | } 10 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/sc25519_slide.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | void sc25519_slide(signed char r[256], const sc25519 *s, int swindowsize) 4 | { 5 | int i,j,k,b,m=(1<<(swindowsize-1))-1, soplen=256; 6 | unsigned long long sv0 = s->v[0]; 7 | unsigned long long sv1 = s->v[1]; 8 | unsigned long long sv2 = s->v[2]; 9 | unsigned long long sv3 = s->v[3]; 10 | 11 | /* first put the binary expansion into r */ 12 | for(i=0;i<64;i++) { 13 | r[i] = sv0 & 1; 14 | r[i+64] = sv1 & 1; 15 | r[i+128] = sv2 & 1; 16 | r[i+192] = sv3 & 1; 17 | sv0 >>= 1; 18 | sv1 >>= 1; 19 | sv2 >>= 1; 20 | sv3 >>= 1; 21 | } 22 | 23 | /* Making it sliding window */ 24 | for (j = 0;j < soplen;++j) 25 | { 26 | if (r[j]) { 27 | for (b = 1;b < soplen - j && b <= 6;++b) { 28 | if (r[j] + (r[j + b] << b) <= m) 29 | { 30 | r[j] += r[j + b] << b; r[j + b] = 0; 31 | } 32 | else if (r[j] - (r[j + b] << b) >= -m) 33 | { 34 | r[j] -= r[j + b] << b; 35 | for (k = j + b;k < soplen;++k) 36 | { 37 | if (!r[k]) { 38 | r[k] = 1; 39 | break; 40 | } 41 | r[k] = 0; 42 | } 43 | } 44 | else if (r[j + b]) 45 | break; 46 | } 47 | } 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/sc25519_to32bytes.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | void sc25519_to32bytes(unsigned char r[32], const sc25519 *x) 4 | { 5 | /* assuming little-endian */ 6 | int i; 7 | for(i=0;i<32;i++) r[i] = i[(unsigned char *)x->v]; 8 | } 9 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/sc25519_window4.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | void sc25519_window4(signed char r[64], const sc25519 *s) 4 | { 5 | char carry; 6 | int i; 7 | for(i=0;i<16;i++) 8 | r[i] = (s->v[0] >> (4*i)) & 15; 9 | for(i=0;i<16;i++) 10 | r[i+16] = (s->v[1] >> (4*i)) & 15; 11 | for(i=0;i<16;i++) 12 | r[i+32] = (s->v[2] >> (4*i)) & 15; 13 | for(i=0;i<16;i++) 14 | r[i+48] = (s->v[3] >> (4*i)) & 15; 15 | 16 | /* Making it signed */ 17 | carry = 0; 18 | for(i=0;i<63;i++) 19 | { 20 | r[i] += carry; 21 | r[i+1] += r[i] >> 4; 22 | r[i] &= 15; 23 | carry = r[i] >> 3; 24 | r[i] -= carry << 4; 25 | } 26 | r[63] += carry; 27 | } 28 | -------------------------------------------------------------------------------- /ed25519/amd64-51-30k/sign.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "crypto_sign.h" 3 | #include "crypto_hash_sha512.h" 4 | #include "ge25519.h" 5 | 6 | int crypto_sign( 7 | unsigned char *sm,unsigned long long *smlen, 8 | const unsigned char *m,unsigned long long mlen, 9 | const unsigned char *sk 10 | ) 11 | { 12 | unsigned char pk[32]; 13 | unsigned char nonce[64]; 14 | unsigned char hram[64]; 15 | sc25519 sck, scs, scsk; 16 | ge25519 ger; 17 | 18 | /* sk: 32-byte scalar a, 32-byte randomizer z */ 19 | crypto_sign_pubkey(pk,sk); 20 | /* pk: 32-byte public key A */ 21 | 22 | *smlen = mlen + 64; 23 | memmove(sm + 64,m,mlen); 24 | memmove(sm + 32,sk + 32,32); 25 | /* sm: 32-byte uninit, 32-byte z, mlen-byte m */ 26 | 27 | crypto_hash_sha512(nonce, sm+32, mlen+32); 28 | /* nonce: 64-byte H(z,m) */ 29 | 30 | sc25519_from64bytes(&sck, nonce); 31 | ge25519_scalarmult_base(&ger, &sck); 32 | ge25519_pack(sm, &ger); 33 | /* sm: 32-byte R, 32-byte z, mlen-byte m */ 34 | 35 | memmove(sm + 32,pk,32); 36 | /* sm: 32-byte R, 32-byte A, mlen-byte m */ 37 | 38 | crypto_hash_sha512(hram,sm,mlen + 64); 39 | /* hram: 64-byte H(R,A,m) */ 40 | 41 | sc25519_from64bytes(&scs, hram); 42 | sc25519_from32bytes(&scsk, sk); 43 | sc25519_mul(&scs, &scs, &scsk); 44 | sc25519_add(&scs, &scs, &sck); 45 | /* scs: S = nonce + H(R,A,m)a */ 46 | 47 | sc25519_to32bytes(sm + 32,&scs); 48 | /* sm: 32-byte R, 32-byte S, mlen-byte m */ 49 | 50 | return 0; 51 | } 52 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/api.h: -------------------------------------------------------------------------------- 1 | #define CRYPTO_SECRETKEYBYTES 64 2 | #define CRYPTO_PUBLICKEYBYTES 32 3 | #define CRYPTO_BYTES 64 4 | #define CRYPTO_DETERMINISTIC 1 5 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/architectures: -------------------------------------------------------------------------------- 1 | amd64 2 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/compat.h: -------------------------------------------------------------------------------- 1 | #ifndef COMPAT_H 2 | #define COMPAT_H 3 | 4 | #if defined(_WIN32) && defined(__GNUC__) 5 | #define SYSVABI __attribute__((sysv_abi)) 6 | #else 7 | #define SYSVABI 8 | #endif 9 | 10 | #endif 11 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/consts.S: -------------------------------------------------------------------------------- 1 | #ifndef __APPLE__ 2 | .section .rodata 3 | #else 4 | .const 5 | #endif 6 | 7 | .globl CRYPTO_NAMESPACE(121666) 8 | .globl CRYPTO_NAMESPACE(MU0) 9 | .globl CRYPTO_NAMESPACE(MU1) 10 | .globl CRYPTO_NAMESPACE(MU2) 11 | .globl CRYPTO_NAMESPACE(MU3) 12 | .globl CRYPTO_NAMESPACE(MU4) 13 | .globl CRYPTO_NAMESPACE(ORDER0) 14 | .globl CRYPTO_NAMESPACE(ORDER1) 15 | .globl CRYPTO_NAMESPACE(ORDER2) 16 | .globl CRYPTO_NAMESPACE(ORDER3) 17 | .globl CRYPTO_NAMESPACE(EC2D0) 18 | .globl CRYPTO_NAMESPACE(EC2D1) 19 | .globl CRYPTO_NAMESPACE(EC2D2) 20 | .globl CRYPTO_NAMESPACE(EC2D3) 21 | .globl CRYPTO_NAMESPACE(38) 22 | 23 | .p2align 4 24 | 25 | CRYPTO_NAMESPACE(121666): .quad 121666 26 | 27 | CRYPTO_NAMESPACE(MU0): .quad 0xED9CE5A30A2C131B 28 | CRYPTO_NAMESPACE(MU1): .quad 0x2106215D086329A7 29 | CRYPTO_NAMESPACE(MU2): .quad 0xFFFFFFFFFFFFFFEB 30 | CRYPTO_NAMESPACE(MU3): .quad 0xFFFFFFFFFFFFFFFF 31 | CRYPTO_NAMESPACE(MU4): .quad 0x000000000000000F 32 | 33 | CRYPTO_NAMESPACE(ORDER0): .quad 0x5812631A5CF5D3ED 34 | CRYPTO_NAMESPACE(ORDER1): .quad 0x14DEF9DEA2F79CD6 35 | CRYPTO_NAMESPACE(ORDER2): .quad 0x0000000000000000 36 | CRYPTO_NAMESPACE(ORDER3): .quad 0x1000000000000000 37 | 38 | CRYPTO_NAMESPACE(EC2D0): .quad 0xEBD69B9426B2F146 39 | CRYPTO_NAMESPACE(EC2D1): .quad 0x00E0149A8283B156 40 | CRYPTO_NAMESPACE(EC2D2): .quad 0x198E80F2EEF3D130 41 | CRYPTO_NAMESPACE(EC2D3): .quad 0xA406D9DC56DFFCE7 42 | 43 | CRYPTO_NAMESPACE(38): .quad 38 44 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/crypto_hash_sha512.h: -------------------------------------------------------------------------------- 1 | #include 2 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/crypto_int32.h: -------------------------------------------------------------------------------- 1 | #include 2 | #define crypto_int32 int32_t 3 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/crypto_int64.h: -------------------------------------------------------------------------------- 1 | #include 2 | #define crypto_int64 int64_t 3 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/crypto_sign.h: -------------------------------------------------------------------------------- 1 | #define crypto_sign CRYPTO_NAMESPACE(sign) 2 | #define crypto_sign_keypair CRYPTO_NAMESPACE(keygen) 3 | #define crypto_sign_seckey CRYPTO_NAMESPACE(seckey) 4 | #define crypto_sign_seckey_expand CRYPTO_NAMESPACE(seckey_expand) 5 | #define crypto_sign_pubkey CRYPTO_NAMESPACE(pubkey) 6 | #define crypto_sign_open CRYPTO_NAMESPACE(open) 7 | #define crypto_sign_open_batch CRYPTO_NAMESPACE(open_batch) 8 | 9 | #include "ed25519.h" 10 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/crypto_uint32.h: -------------------------------------------------------------------------------- 1 | #include 2 | #define crypto_uint32 uint32_t 3 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/crypto_uint64.h: -------------------------------------------------------------------------------- 1 | #include 2 | #define crypto_uint64 uint64_t 3 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/crypto_verify_32.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define crypto_verify_32(a,b) \ 4 | (!sodium_memcmp((a), (b), 32)) 5 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/ed25519.h: -------------------------------------------------------------------------------- 1 | int crypto_sign_seckey(unsigned char *sk); 2 | int crypto_sign_seckey_expand(unsigned char *sk,const unsigned char *seed); 3 | int crypto_sign_pubkey(unsigned char *pk,const unsigned char *sk); 4 | int crypto_sign_keypair(unsigned char *pk,unsigned char *sk); 5 | int crypto_sign( 6 | unsigned char *sm,unsigned long long *smlen, 7 | const unsigned char *m,unsigned long long mlen, 8 | const unsigned char *sk 9 | ); 10 | int crypto_sign_open( 11 | unsigned char *m,unsigned long long *mlen, 12 | const unsigned char *sm,unsigned long long smlen, 13 | const unsigned char *pk 14 | ); 15 | int crypto_sign_open_batch( 16 | unsigned char* const m[],unsigned long long mlen[], 17 | unsigned char* const sm[],const unsigned long long smlen[], 18 | unsigned char* const pk[], 19 | unsigned long long num 20 | ); 21 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/fe25519.h: -------------------------------------------------------------------------------- 1 | #ifndef FE25519_H 2 | #define FE25519_H 3 | 4 | #include 5 | #include "compat.h" 6 | 7 | #define fe25519 CRYPTO_NAMESPACE(fe25519) 8 | #define fe25519_freeze CRYPTO_NAMESPACE(fe25519_freeze) 9 | #define fe25519_unpack CRYPTO_NAMESPACE(fe25519_unpack) 10 | #define fe25519_pack CRYPTO_NAMESPACE(fe25519_pack) 11 | #define fe25519_iszero_vartime CRYPTO_NAMESPACE(fe25519_iszero_vartime) 12 | #define fe25519_iseq_vartime CRYPTO_NAMESPACE(fe25519_iseq_vartime) 13 | #define fe25519_cmov CRYPTO_NAMESPACE(fe25519_cmov) 14 | #define fe25519_setint CRYPTO_NAMESPACE(fe25519_setint) 15 | #define fe25519_neg CRYPTO_NAMESPACE(fe25519_neg) 16 | #define fe25519_getparity CRYPTO_NAMESPACE(fe25519_getparity) 17 | #define fe25519_add CRYPTO_NAMESPACE(fe25519_add) 18 | #define fe25519_sub CRYPTO_NAMESPACE(fe25519_sub) 19 | #define fe25519_mul CRYPTO_NAMESPACE(fe25519_mul) 20 | #define fe25519_square CRYPTO_NAMESPACE(fe25519_square) 21 | #define fe25519_invert CRYPTO_NAMESPACE(fe25519_invert) 22 | #define fe25519_batchinvert CRYPTO_NAMESPACE(fe25519_batchinvert) 23 | #define fe25519_pow2523 CRYPTO_NAMESPACE(fe25519_pow2523) 24 | 25 | typedef struct 26 | { 27 | unsigned long long v[4]; 28 | } 29 | fe25519; 30 | 31 | void fe25519_freeze(fe25519 *r) SYSVABI; 32 | 33 | void fe25519_unpack(fe25519 *r, const unsigned char x[32]); 34 | 35 | void fe25519_pack(unsigned char r[32], const fe25519 *x); 36 | 37 | void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b); 38 | 39 | void fe25519_cswap(fe25519 *r, fe25519 *x, unsigned char b); 40 | 41 | void fe25519_setint(fe25519 *r, unsigned int v); 42 | 43 | void fe25519_neg(fe25519 *r, const fe25519 *x); 44 | 45 | unsigned char fe25519_getparity(const fe25519 *x); 46 | 47 | int fe25519_iszero_vartime(const fe25519 *x); 48 | 49 | int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y); 50 | 51 | void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y) SYSVABI; 52 | 53 | void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y) SYSVABI; 54 | 55 | void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y) SYSVABI; 56 | 57 | void fe25519_square(fe25519 *r, const fe25519 *x) SYSVABI; 58 | 59 | void fe25519_pow(fe25519 *r, const fe25519 *x, const unsigned char *e); 60 | 61 | void fe25519_invert(fe25519 *r, const fe25519 *x); 62 | 63 | void fe25519_batchinvert(fe25519 *out, const fe25519 *in, fe25519 *tmp, size_t num, size_t offset); 64 | 65 | void fe25519_pow2523(fe25519 *r, const fe25519 *x); 66 | 67 | #endif 68 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/fe25519_batchinvert.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | // tmp MUST != out or in 4 | // in MAY == out 5 | void fe25519_batchinvert(fe25519 *out, const fe25519 *in, fe25519 *tmp, size_t num, size_t offset) 6 | { 7 | fe25519 acc; 8 | fe25519 tmpacc; 9 | size_t i; 10 | const fe25519 *inp; 11 | fe25519 *outp; 12 | 13 | fe25519_setint(&acc,1); 14 | 15 | inp = in; 16 | for (i = 0;i < num;++i) { 17 | tmp[i] = acc; 18 | fe25519_mul(&acc,&acc,inp); 19 | inp = (const fe25519 *)((const char *)inp + offset); 20 | } 21 | 22 | fe25519_invert(&acc,&acc); 23 | 24 | i = num; 25 | inp = (const fe25519 *)((const char *)in + offset * num); 26 | outp = (fe25519 *)((char *)out + offset * num); 27 | while (i--) { 28 | inp = (const fe25519 *)((const char *)inp - offset); 29 | outp = (fe25519 *)((char *)outp - offset); 30 | fe25519_mul(&tmpacc,&acc,inp); 31 | fe25519_mul(outp,&acc,&tmp[i]); 32 | acc = tmpacc; 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/fe25519_getparity.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | unsigned char fe25519_getparity(const fe25519 *x) 4 | { 5 | fe25519 t = *x; 6 | fe25519_freeze(&t); 7 | return (unsigned char)t.v[0] & 1; 8 | } 9 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/fe25519_invert.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | void fe25519_invert(fe25519 *r, const fe25519 *x) 4 | { 5 | fe25519 z2; 6 | fe25519 z9; 7 | fe25519 z11; 8 | fe25519 z2_5_0; 9 | fe25519 z2_10_0; 10 | fe25519 z2_20_0; 11 | fe25519 z2_50_0; 12 | fe25519 z2_100_0; 13 | fe25519 t; 14 | int i; 15 | 16 | /* 2 */ fe25519_square(&z2,x); 17 | /* 4 */ fe25519_square(&t,&z2); 18 | /* 8 */ fe25519_square(&t,&t); 19 | /* 9 */ fe25519_mul(&z9,&t,x); 20 | /* 11 */ fe25519_mul(&z11,&z9,&z2); 21 | /* 22 */ fe25519_square(&t,&z11); 22 | /* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t,&z9); 23 | 24 | /* 2^6 - 2^1 */ fe25519_square(&t,&z2_5_0); 25 | /* 2^20 - 2^10 */ for (i = 1;i < 5;i++) { fe25519_square(&t,&t); } 26 | /* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t,&z2_5_0); 27 | 28 | /* 2^11 - 2^1 */ fe25519_square(&t,&z2_10_0); 29 | /* 2^20 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); } 30 | /* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t,&z2_10_0); 31 | 32 | /* 2^21 - 2^1 */ fe25519_square(&t,&z2_20_0); 33 | /* 2^40 - 2^20 */ for (i = 1;i < 20;i++) { fe25519_square(&t,&t); } 34 | /* 2^40 - 2^0 */ fe25519_mul(&t,&t,&z2_20_0); 35 | 36 | /* 2^41 - 2^1 */ fe25519_square(&t,&t); 37 | /* 2^50 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); } 38 | /* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t,&z2_10_0); 39 | 40 | /* 2^51 - 2^1 */ fe25519_square(&t,&z2_50_0); 41 | /* 2^100 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); } 42 | /* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t,&z2_50_0); 43 | 44 | /* 2^101 - 2^1 */ fe25519_square(&t,&z2_100_0); 45 | /* 2^200 - 2^100 */ for (i = 1;i < 100;i++) { fe25519_square(&t,&t); } 46 | /* 2^200 - 2^0 */ fe25519_mul(&t,&t,&z2_100_0); 47 | 48 | /* 2^201 - 2^1 */ fe25519_square(&t,&t); 49 | /* 2^250 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); } 50 | /* 2^250 - 2^0 */ fe25519_mul(&t,&t,&z2_50_0); 51 | 52 | /* 2^251 - 2^1 */ fe25519_square(&t,&t); 53 | /* 2^252 - 2^2 */ fe25519_square(&t,&t); 54 | /* 2^253 - 2^3 */ fe25519_square(&t,&t); 55 | 56 | /* 2^254 - 2^4 */ fe25519_square(&t,&t); 57 | 58 | /* 2^255 - 2^5 */ fe25519_square(&t,&t); 59 | /* 2^255 - 21 */ fe25519_mul(r,&t,&z11); 60 | } 61 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/fe25519_iseq.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y) 4 | { 5 | fe25519 t1 = *x; 6 | fe25519 t2 = *y; 7 | fe25519_freeze(&t1); 8 | fe25519_freeze(&t2); 9 | if(t1.v[0] != t2.v[0]) return 0; 10 | if(t1.v[1] != t2.v[1]) return 0; 11 | if(t1.v[2] != t2.v[2]) return 0; 12 | if(t1.v[3] != t2.v[3]) return 0; 13 | return 1; 14 | } 15 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/fe25519_iszero.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | int fe25519_iszero_vartime(const fe25519 *x) 4 | { 5 | fe25519 t = *x; 6 | fe25519_freeze(&t); 7 | if (t.v[0]) return 0; 8 | if (t.v[1]) return 0; 9 | if (t.v[2]) return 0; 10 | if (t.v[3]) return 0; 11 | return 1; 12 | } 13 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/fe25519_neg.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | void fe25519_neg(fe25519 *r, const fe25519 *x) 4 | { 5 | fe25519 t; 6 | fe25519_setint(&t,0); 7 | fe25519_sub(r,&t,x); 8 | } 9 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/fe25519_pack.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | /* Assumes input x being reduced below 2^255 */ 4 | void fe25519_pack(unsigned char r[32], const fe25519 *x) 5 | { 6 | int i; 7 | fe25519 t; 8 | t = *x; 9 | fe25519_freeze(&t); 10 | /* assuming little-endian */ 11 | for(i=0;i<32;i++) r[i] = i[(unsigned char *)&t.v]; 12 | } 13 | 14 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/fe25519_pow2523.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | void fe25519_pow2523(fe25519 *r, const fe25519 *x) 4 | { 5 | fe25519 z2; 6 | fe25519 z9; 7 | fe25519 z11; 8 | fe25519 z2_5_0; 9 | fe25519 z2_10_0; 10 | fe25519 z2_20_0; 11 | fe25519 z2_50_0; 12 | fe25519 z2_100_0; 13 | fe25519 t; 14 | int i; 15 | 16 | /* 2 */ fe25519_square(&z2,x); 17 | /* 4 */ fe25519_square(&t,&z2); 18 | /* 8 */ fe25519_square(&t,&t); 19 | /* 9 */ fe25519_mul(&z9,&t,x); 20 | /* 11 */ fe25519_mul(&z11,&z9,&z2); 21 | /* 22 */ fe25519_square(&t,&z11); 22 | /* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_5_0,&t,&z9); 23 | 24 | /* 2^6 - 2^1 */ fe25519_square(&t,&z2_5_0); 25 | /* 2^10 - 2^5 */ for (i = 1;i < 5;i++) { fe25519_square(&t,&t); } 26 | /* 2^10 - 2^0 */ fe25519_mul(&z2_10_0,&t,&z2_5_0); 27 | 28 | /* 2^11 - 2^1 */ fe25519_square(&t,&z2_10_0); 29 | /* 2^20 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); } 30 | /* 2^20 - 2^0 */ fe25519_mul(&z2_20_0,&t,&z2_10_0); 31 | 32 | /* 2^21 - 2^1 */ fe25519_square(&t,&z2_20_0); 33 | /* 2^40 - 2^20 */ for (i = 1;i < 20;i++) { fe25519_square(&t,&t); } 34 | /* 2^40 - 2^0 */ fe25519_mul(&t,&t,&z2_20_0); 35 | 36 | /* 2^41 - 2^1 */ fe25519_square(&t,&t); 37 | /* 2^50 - 2^10 */ for (i = 1;i < 10;i++) { fe25519_square(&t,&t); } 38 | /* 2^50 - 2^0 */ fe25519_mul(&z2_50_0,&t,&z2_10_0); 39 | 40 | /* 2^51 - 2^1 */ fe25519_square(&t,&z2_50_0); 41 | /* 2^100 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); } 42 | /* 2^100 - 2^0 */ fe25519_mul(&z2_100_0,&t,&z2_50_0); 43 | 44 | /* 2^101 - 2^1 */ fe25519_square(&t,&z2_100_0); 45 | /* 2^200 - 2^100 */ for (i = 1;i < 100;i++) { fe25519_square(&t,&t); } 46 | /* 2^200 - 2^0 */ fe25519_mul(&t,&t,&z2_100_0); 47 | 48 | /* 2^201 - 2^1 */ fe25519_square(&t,&t); 49 | /* 2^250 - 2^50 */ for (i = 1;i < 50;i++) { fe25519_square(&t,&t); } 50 | /* 2^250 - 2^0 */ fe25519_mul(&t,&t,&z2_50_0); 51 | 52 | /* 2^251 - 2^1 */ fe25519_square(&t,&t); 53 | /* 2^252 - 2^2 */ fe25519_square(&t,&t); 54 | /* 2^252 - 3 */ fe25519_mul(r,&t,x); 55 | } 56 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/fe25519_setint.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | void fe25519_setint(fe25519 *r, unsigned int v) 4 | { 5 | r->v[0] = v; 6 | r->v[1] = 0; 7 | r->v[2] = 0; 8 | r->v[3] = 0; 9 | } 10 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/fe25519_unpack.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | 3 | void fe25519_unpack(fe25519 *r, const unsigned char x[32]) 4 | { 5 | /* assuming little-endian */ 6 | r->v[0] = *(unsigned long long *)x; 7 | r->v[1] = *(((unsigned long long *)x)+1); 8 | r->v[2] = *(((unsigned long long *)x)+2); 9 | r->v[3] = *(((unsigned long long *)x)+3); 10 | r->v[3] &= 0x7fffffffffffffffULL; 11 | } 12 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/ge25519_add.c: -------------------------------------------------------------------------------- 1 | #include "ge25519.h" 2 | 3 | void ge25519_add(ge25519_p3 *r, const ge25519_p3 *p, const ge25519_p3 *q) 4 | { 5 | ge25519_p1p1 grp1p1; 6 | ge25519_add_p1p1(&grp1p1, p, q); 7 | ge25519_p1p1_to_p3(r, &grp1p1); 8 | } 9 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/ge25519_base.c: -------------------------------------------------------------------------------- 1 | #include "ge25519.h" 2 | 3 | const ge25519 ge25519_base = {{{0xC9562D608F25D51A, 0x692CC7609525A7B2, 0xC0A4E231FDD6DC5C, 0x216936D3CD6E53FE}}, 4 | {{0x6666666666666658, 0x6666666666666666, 0x6666666666666666, 0x6666666666666666}}, 5 | {{0x0000000000000001, 0x0000000000000000, 0x0000000000000000, 000000000000000000}}, 6 | {{0x6DDE8AB3A5B7DDA3, 0x20F09F80775152F5, 0x66EA4E8E64ABE37D, 0x67875F0FD78B7665}}}; 7 | 8 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/ge25519_batchpack.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | #include "ge25519.h" 3 | 4 | // NOTE: leaves in unfinished state 5 | void ge25519_batchpack_destructive_1(bytes32 *out, ge25519_p3 *in, fe25519 *tmp, size_t num) 6 | { 7 | fe25519 ty; 8 | 9 | fe25519_batchinvert(&in->z, &in->z, tmp, num, sizeof(ge25519_p3)); 10 | 11 | for (size_t i = 0; i < num; ++i) { 12 | fe25519_mul(&ty, &in[i].y, &in[i].z); 13 | fe25519_pack(out[i], &ty); 14 | } 15 | } 16 | 17 | void ge25519_batchpack_destructive_finish(bytes32 out, ge25519_p3 *unf) 18 | { 19 | fe25519 tx; 20 | // z of unfinished is inverted 21 | fe25519_mul(&tx, &unf->x, &unf->z); 22 | out[31] ^= fe25519_getparity(&tx) << 7; 23 | } 24 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/ge25519_double.c: -------------------------------------------------------------------------------- 1 | #include "ge25519.h" 2 | 3 | void ge25519_double(ge25519_p3 *r, const ge25519_p3 *p) 4 | { 5 | ge25519_p1p1 grp1p1; 6 | ge25519_dbl_p1p1(&grp1p1, (ge25519_p2 *)p); 7 | ge25519_p1p1_to_p3(r, &grp1p1); 8 | } 9 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/ge25519_isneutral.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | #include "ge25519.h" 3 | 4 | int ge25519_isneutral_vartime(const ge25519_p3 *p) 5 | { 6 | if(!fe25519_iszero_vartime(&p->x)) return 0; 7 | if(!fe25519_iseq_vartime(&p->y, &p->z)) return 0; 8 | return 1; 9 | } 10 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/ge25519_pack.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | #include "sc25519.h" 3 | #include "ge25519.h" 4 | 5 | void ge25519_pack(unsigned char r[32], const ge25519_p3 *p) 6 | { 7 | fe25519 tx, ty, zi; 8 | fe25519_invert(&zi, &p->z); 9 | fe25519_mul(&tx, &p->x, &zi); 10 | fe25519_mul(&ty, &p->y, &zi); 11 | fe25519_pack(r, &ty); 12 | r[31] ^= fe25519_getparity(&tx) << 7; 13 | } 14 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/ge25519_scalarmult_base.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | #include "sc25519.h" 3 | #include "ge25519.h" 4 | 5 | /* Multiples of the base point in Niels' representation */ 6 | static const ge25519_niels ge25519_base_multiples_niels[] = { 7 | #ifdef SMALLTABLES 8 | #include "ge25519_base_niels_smalltables.data" 9 | #else 10 | #include "ge25519_base_niels.data" 11 | #endif 12 | }; 13 | 14 | /* d */ 15 | static const fe25519 ecd = {{0x75EB4DCA135978A3, 0x00700A4D4141D8AB, 0x8CC740797779E898, 0x52036CEE2B6FFE73}}; 16 | 17 | void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s) 18 | { 19 | signed char b[64]; 20 | int i; 21 | ge25519_niels t; 22 | fe25519 d; 23 | 24 | sc25519_window4(b,s); 25 | 26 | #ifdef SMALLTABLES 27 | ge25519_p1p1 tp1p1; 28 | choose_t((ge25519_niels *)r, 0, (signed long long) b[1], ge25519_base_multiples_niels); 29 | fe25519_sub(&d, &r->y, &r->x); 30 | fe25519_add(&r->y, &r->y, &r->x); 31 | r->x = d; 32 | r->t = r->z; 33 | fe25519_setint(&r->z,2); 34 | for(i=3;i<64;i+=2) 35 | { 36 | choose_t(&t, (unsigned long long) i/2, (signed long long) b[i], ge25519_base_multiples_niels); 37 | ge25519_nielsadd2(r, &t); 38 | } 39 | ge25519_dbl_p1p1(&tp1p1,(ge25519_p2 *)r); 40 | ge25519_p1p1_to_p2((ge25519_p2 *)r, &tp1p1); 41 | ge25519_dbl_p1p1(&tp1p1,(ge25519_p2 *)r); 42 | ge25519_p1p1_to_p2((ge25519_p2 *)r, &tp1p1); 43 | ge25519_dbl_p1p1(&tp1p1,(ge25519_p2 *)r); 44 | ge25519_p1p1_to_p2((ge25519_p2 *)r, &tp1p1); 45 | ge25519_dbl_p1p1(&tp1p1,(ge25519_p2 *)r); 46 | ge25519_p1p1_to_p3(r, &tp1p1); 47 | choose_t(&t, (unsigned long long) 0, (signed long long) b[0], ge25519_base_multiples_niels); 48 | fe25519_mul(&t.t2d, &t.t2d, &ecd); 49 | ge25519_nielsadd2(r, &t); 50 | for(i=2;i<64;i+=2) 51 | { 52 | choose_t(&t, (unsigned long long) i/2, (signed long long) b[i], ge25519_base_multiples_niels); 53 | ge25519_nielsadd2(r, &t); 54 | } 55 | #else 56 | choose_t((ge25519_niels *)r, 0, (signed long long) b[0], ge25519_base_multiples_niels); 57 | fe25519_sub(&d, &r->y, &r->x); 58 | fe25519_add(&r->y, &r->y, &r->x); 59 | r->x = d; 60 | r->t = r->z; 61 | fe25519_setint(&r->z,2); 62 | for(i=1;i<64;i++) 63 | { 64 | choose_t(&t, (unsigned long long) i, (signed long long) b[i], ge25519_base_multiples_niels); 65 | ge25519_nielsadd2(r, &t); 66 | } 67 | #endif 68 | } 69 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/ge25519_unpackneg.c: -------------------------------------------------------------------------------- 1 | #include "fe25519.h" 2 | #include "ge25519.h" 3 | 4 | /* d */ 5 | static const fe25519 ecd = {{0x75EB4DCA135978A3, 0x00700A4D4141D8AB, 0x8CC740797779E898, 0x52036CEE2B6FFE73}}; 6 | /* sqrt(-1) */ 7 | static const fe25519 sqrtm1 = {{0xC4EE1B274A0EA0B0, 0x2F431806AD2FE478, 0x2B4D00993DFBD7A7, 0x2B8324804FC1DF0B}}; 8 | 9 | /* return 0 on success, -1 otherwise */ 10 | int ge25519_unpackneg_vartime(ge25519_p3 *r, const unsigned char p[32]) 11 | { 12 | fe25519 t, chk, num, den, den2, den4, den6; 13 | unsigned char par = p[31] >> 7; 14 | 15 | fe25519_setint(&r->z,1); 16 | fe25519_unpack(&r->y, p); 17 | fe25519_square(&num, &r->y); /* x = y^2 */ 18 | fe25519_mul(&den, &num, &ecd); /* den = dy^2 */ 19 | fe25519_sub(&num, &num, &r->z); /* x = y^2-1 */ 20 | fe25519_add(&den, &r->z, &den); /* den = dy^2+1 */ 21 | 22 | /* Computation of sqrt(num/den) 23 | 1.: computation of num^((p-5)/8)*den^((7p-35)/8) = (num*den^7)^((p-5)/8) 24 | */ 25 | fe25519_square(&den2, &den); 26 | fe25519_square(&den4, &den2); 27 | fe25519_mul(&den6, &den4, &den2); 28 | fe25519_mul(&t, &den6, &num); 29 | fe25519_mul(&t, &t, &den); 30 | 31 | fe25519_pow2523(&t, &t); 32 | /* 2. computation of r->x = t * num * den^3 33 | */ 34 | fe25519_mul(&t, &t, &num); 35 | fe25519_mul(&t, &t, &den); 36 | fe25519_mul(&t, &t, &den); 37 | fe25519_mul(&r->x, &t, &den); 38 | 39 | /* 3. Check whether sqrt computation gave correct result, multiply by sqrt(-1) if not: 40 | */ 41 | fe25519_square(&chk, &r->x); 42 | fe25519_mul(&chk, &chk, &den); 43 | if (!fe25519_iseq_vartime(&chk, &num)) 44 | fe25519_mul(&r->x, &r->x, &sqrtm1); 45 | 46 | /* 4. Now we have one of the two square roots, except if input was not a square 47 | */ 48 | fe25519_square(&chk, &r->x); 49 | fe25519_mul(&chk, &chk, &den); 50 | if (!fe25519_iseq_vartime(&chk, &num)) 51 | return -1; 52 | 53 | /* 5. Choose the desired square root according to parity: 54 | */ 55 | if(fe25519_getparity(&r->x) != (1-par)) 56 | fe25519_neg(&r->x, &r->x); 57 | 58 | fe25519_mul(&r->t, &r->x, &r->y); 59 | return 0; 60 | } 61 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/hram.c: -------------------------------------------------------------------------------- 1 | #include "crypto_hash_sha512.h" 2 | #include "hram.h" 3 | 4 | void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen) 5 | { 6 | unsigned long long i; 7 | 8 | for (i = 0;i < 32;++i) playground[i] = sm[i]; 9 | for (i = 32;i < 64;++i) playground[i] = pk[i-32]; 10 | for (i = 64;i < smlen;++i) playground[i] = sm[i]; 11 | 12 | crypto_hash_sha512(hram,playground,smlen); 13 | } 14 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/hram.h: -------------------------------------------------------------------------------- 1 | #ifndef HRAM_H 2 | #define HRAM_H 3 | 4 | #define get_hram CRYPTO_NAMESPACE(get_hram) 5 | 6 | extern void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen); 7 | 8 | #endif 9 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/implementors: -------------------------------------------------------------------------------- 1 | Daniel J. Bernstein 2 | Niels Duif 3 | Tanja Lange 4 | lead: Peter Schwabe 5 | Bo-Yin Yang 6 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/index_heap.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | #include "index_heap.h" 3 | 4 | /* caller's responsibility to ensure hlen>=3 */ 5 | void heap_init(unsigned long long *h, unsigned long long hlen, sc25519 *scalars) 6 | { 7 | h[0] = 0; 8 | unsigned long long i=1; 9 | while(i 0) 30 | { 31 | /* if(sc25519_lt_vartime(&scalars[h[ppos]], &scalars[h[pos]])) */ 32 | if(sc25519_lt(&scalars[h[ppos]], &scalars[h[pos]])) 33 | { 34 | t = h[ppos]; 35 | h[ppos] = h[pos]; 36 | h[pos] = t; 37 | pos = ppos; 38 | ppos = (pos-1)/2; 39 | } 40 | else break; 41 | } 42 | (*hlen)++; 43 | } 44 | 45 | /* Put the largest value in the heap in max1, the second largest in max2 */ 46 | void heap_get2max(unsigned long long *h, unsigned long long *max1, unsigned long long *max2, sc25519 *scalars) 47 | { 48 | *max1 = h[0]; 49 | *max2 = h[1]; 50 | if(sc25519_lt(&scalars[h[1]],&scalars[h[2]])) 51 | *max2 = h[2]; 52 | } 53 | 54 | /* After the root has been replaced, restore heap property */ 55 | /* extern void heap_rootreplaced(unsigned long long *h, unsigned long long hlen, sc25519 *scalars); 56 | */ 57 | /* extern void heap_rootreplaced_shortscalars(unsigned long long *h, unsigned long long hlen, sc25519 *scalars); 58 | */ 59 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/index_heap.h: -------------------------------------------------------------------------------- 1 | #ifndef INDEX_HEAP_H 2 | #define INDEX_HEAP_H 3 | 4 | #include "sc25519.h" 5 | #include "compat.h" 6 | 7 | #define heap_init CRYPTO_NAMESPACE(heap_init) 8 | #define heap_extend CRYPTO_NAMESPACE(heap_extend) 9 | #define heap_pop CRYPTO_NAMESPACE(heap_pop) 10 | #define heap_push CRYPTO_NAMESPACE(heap_push) 11 | #define heap_get2max CRYPTO_NAMESPACE(heap_get2max) 12 | #define heap_rootreplaced CRYPTO_NAMESPACE(heap_rootreplaced) 13 | #define heap_rootreplaced_3limbs CRYPTO_NAMESPACE(heap_rootreplaced_3limbs) 14 | #define heap_rootreplaced_2limbs CRYPTO_NAMESPACE(heap_rootreplaced_2limbs) 15 | #define heap_rootreplaced_1limb CRYPTO_NAMESPACE(heap_rootreplaced_1limb) 16 | 17 | void heap_init(unsigned long long *h, unsigned long long hlen, sc25519 *scalars); 18 | 19 | void heap_extend(unsigned long long *h, unsigned long long oldlen, unsigned long long newlen, sc25519 *scalars); 20 | 21 | unsigned long long heap_pop(unsigned long long *h, unsigned long long *hlen, sc25519 *scalars); 22 | 23 | void heap_push(unsigned long long *h, unsigned long long *hlen, unsigned long long elem, sc25519 *scalars); 24 | 25 | void heap_get2max(unsigned long long *h, unsigned long long *max1, unsigned long long *max2, sc25519 *scalars); 26 | 27 | void heap_rootreplaced(unsigned long long *h, unsigned long long hlen, sc25519 *scalars) SYSVABI; 28 | void heap_rootreplaced_3limbs(unsigned long long *h, unsigned long long hlen, sc25519 *scalars) SYSVABI; 29 | void heap_rootreplaced_2limbs(unsigned long long *h, unsigned long long hlen, sc25519 *scalars) SYSVABI; 30 | void heap_rootreplaced_1limb(unsigned long long *h, unsigned long long hlen, sc25519 *scalars) SYSVABI; 31 | 32 | #endif 33 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/keypair.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "crypto_sign.h" 3 | #include "crypto_hash_sha512.h" 4 | #include "randombytes.h" 5 | #include "ge25519.h" 6 | 7 | int crypto_sign_seckey_expand(unsigned char *sk,const unsigned char *seed) 8 | { 9 | crypto_hash_sha512(sk,seed,32); 10 | sk[0] &= 248; 11 | sk[31] &= 63; 12 | sk[31] |= 64; 13 | 14 | return 0; 15 | } 16 | 17 | int crypto_sign_seckey(unsigned char *sk) 18 | { 19 | unsigned char seed[32]; 20 | 21 | if (randombytes(seed,32) < 0) 22 | return -1; 23 | 24 | crypto_sign_seckey_expand(sk,seed); 25 | 26 | return 0; 27 | } 28 | 29 | int crypto_sign_pubkey(unsigned char *pk,const unsigned char *sk) 30 | { 31 | sc25519 scsk; 32 | ge25519_p3 gepk; 33 | 34 | sc25519_from32bytes(&scsk,sk); 35 | ge25519_scalarmult_base(&gepk,&scsk); 36 | ge25519_pack(pk,&gepk); 37 | 38 | return 0; 39 | } 40 | 41 | int crypto_sign_keypair(unsigned char *pk,unsigned char *sk) 42 | { 43 | crypto_sign_seckey(sk); 44 | crypto_sign_pubkey(pk,sk); 45 | return 0; 46 | } 47 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/open.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "crypto_sign.h" 3 | #include "crypto_verify_32.h" 4 | #include "crypto_hash_sha512.h" 5 | #include "ge25519.h" 6 | 7 | int crypto_sign_open( 8 | unsigned char *m,unsigned long long *mlen, 9 | const unsigned char *sm,unsigned long long smlen, 10 | const unsigned char *pk 11 | ) 12 | { 13 | unsigned char pkcopy[32]; 14 | unsigned char rcopy[32]; 15 | unsigned char hram[64]; 16 | unsigned char rcheck[32]; 17 | ge25519 get1, get2; 18 | sc25519 schram, scs; 19 | 20 | if (smlen < 64) goto badsig; 21 | if (sm[63] & 224) goto badsig; 22 | if (ge25519_unpackneg_vartime(&get1,pk)) goto badsig; 23 | 24 | memmove(pkcopy,pk,32); 25 | memmove(rcopy,sm,32); 26 | 27 | sc25519_from32bytes(&scs, sm+32); 28 | 29 | memmove(m,sm,smlen); 30 | memmove(m + 32,pkcopy,32); 31 | crypto_hash_sha512(hram,m,smlen); 32 | 33 | sc25519_from64bytes(&schram, hram); 34 | 35 | ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &scs); 36 | ge25519_pack(rcheck, &get2); 37 | 38 | if (crypto_verify_32(rcopy,rcheck) == 0) { 39 | memmove(m,m + 64,smlen - 64); 40 | memset(m + smlen - 64,0,64); 41 | *mlen = smlen - 64; 42 | return 0; 43 | } 44 | 45 | badsig: 46 | *mlen = (unsigned long long) -1; 47 | memset(m,0,smlen); 48 | return -1; 49 | } 50 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/randombytes.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | static inline int randombytes_wrap(unsigned char *b,size_t l) 4 | { 5 | randombytes(b,l); 6 | return 0; 7 | } 8 | #define randombytes randombytes_wrap 9 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/sc25519.h: -------------------------------------------------------------------------------- 1 | #ifndef SC25519_H 2 | #define SC25519_H 3 | 4 | #include "compat.h" 5 | 6 | #define sc25519 CRYPTO_NAMESPACE(sc25519) 7 | #define shortsc25519 CRYPTO_NAMESPACE(shortsc25519) 8 | #define sc25519_from32bytes CRYPTO_NAMESPACE(sc25519_from32bytes) 9 | #define shortsc25519_from16bytes CRYPTO_NAMESPACE(shortsc25519_from16bytes) 10 | #define sc25519_from64bytes CRYPTO_NAMESPACE(sc25519_from64bytes) 11 | #define sc25519_from_shortsc CRYPTO_NAMESPACE(sc25519_from_shortsc) 12 | #define sc25519_to32bytes CRYPTO_NAMESPACE(sc25519_to32bytes) 13 | #define sc25519_iszero_vartime CRYPTO_NAMESPACE(sc25519_iszero_vartime) 14 | #define sc25519_isshort_vartime CRYPTO_NAMESPACE(sc25519_isshort_vartime) 15 | #define sc25519_lt CRYPTO_NAMESPACE(sc25519_lt) 16 | #define sc25519_add CRYPTO_NAMESPACE(sc25519_add) 17 | #define sc25519_sub_nored CRYPTO_NAMESPACE(sc25519_sub_nored) 18 | #define sc25519_mul CRYPTO_NAMESPACE(sc25519_mul) 19 | #define sc25519_mul_shortsc CRYPTO_NAMESPACE(sc25519_mul_shortsc) 20 | #define sc25519_window4 CRYPTO_NAMESPACE(sc25519_window4) 21 | #define sc25519_slide CRYPTO_NAMESPACE(sc25519_slide) 22 | #define sc25519_2interleave2 CRYPTO_NAMESPACE(sc25519_2interleave2) 23 | #define sc25519_barrett CRYPTO_NAMESPACE(sc25519_barrett) 24 | 25 | typedef struct 26 | { 27 | unsigned long long v[4]; 28 | } 29 | sc25519; 30 | 31 | typedef struct 32 | { 33 | unsigned long long v[2]; 34 | } 35 | shortsc25519; 36 | 37 | void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]); 38 | 39 | void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]); 40 | 41 | void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x); 42 | 43 | void sc25519_to32bytes(unsigned char r[32], const sc25519 *x); 44 | 45 | int sc25519_iszero_vartime(const sc25519 *x); 46 | 47 | int sc25519_lt(const sc25519 *x, const sc25519 *y) SYSVABI; 48 | 49 | void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y) SYSVABI; 50 | 51 | void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y) SYSVABI; 52 | 53 | void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y); 54 | 55 | void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y); 56 | 57 | /* Convert s into a representation of the form \sum_{i=0}^{63}r[i]2^(4*i) 58 | * with r[i] in {-8,...,7} 59 | */ 60 | void sc25519_window4(signed char r[64], const sc25519 *s); 61 | 62 | void sc25519_slide(signed char r[256], const sc25519 *s, int swindowsize); 63 | 64 | void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2); 65 | 66 | void sc25519_barrett(sc25519 *r, unsigned long long x[8]) SYSVABI; 67 | 68 | #endif 69 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/sc25519_from32bytes.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | /*Arithmetic modulo the group order n = 2^252 + 27742317777372353535851937790883648493 4 | * = 7237005577332262213973186563042994240857116359379907606001950938285454250989 5 | */ 6 | 7 | /* Contains order, 2*order, 4*order, 8*order, each represented in 4 consecutive unsigned long long */ 8 | static const unsigned long long order[16] = {0x5812631A5CF5D3EDULL, 0x14DEF9DEA2F79CD6ULL, 9 | 0x0000000000000000ULL, 0x1000000000000000ULL, 10 | 0xB024C634B9EBA7DAULL, 0x29BDF3BD45EF39ACULL, 11 | 0x0000000000000000ULL, 0x2000000000000000ULL, 12 | 0x60498C6973D74FB4ULL, 0x537BE77A8BDE7359ULL, 13 | 0x0000000000000000ULL, 0x4000000000000000ULL, 14 | 0xC09318D2E7AE9F68ULL, 0xA6F7CEF517BCE6B2ULL, 15 | 0x0000000000000000ULL, 0x8000000000000000ULL}; 16 | 17 | static unsigned long long smaller(unsigned long long a,unsigned long long b) 18 | { 19 | unsigned long long atop = a >> 32; 20 | unsigned long long abot = a & 4294967295; 21 | unsigned long long btop = b >> 32; 22 | unsigned long long bbot = b & 4294967295; 23 | unsigned long long atopbelowbtop = (atop - btop) >> 63; 24 | unsigned long long atopeqbtop = ((atop ^ btop) - 1) >> 63; 25 | unsigned long long abotbelowbbot = (abot - bbot) >> 63; 26 | return atopbelowbtop | (atopeqbtop & abotbelowbbot); 27 | } 28 | 29 | void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]) 30 | { 31 | unsigned long long t[4]; 32 | unsigned long long b; 33 | unsigned long long mask; 34 | int i, j; 35 | 36 | /* assuming little-endian */ 37 | r->v[0] = *(unsigned long long *)x; 38 | r->v[1] = *(((unsigned long long *)x)+1); 39 | r->v[2] = *(((unsigned long long *)x)+2); 40 | r->v[3] = *(((unsigned long long *)x)+3); 41 | 42 | for(j=3;j>=0;j--) 43 | { 44 | b=0; 45 | for(i=0;i<4;i++) 46 | { 47 | b += order[4*j+i]; /* no overflow for this particular order */ 48 | t[i] = r->v[i] - b; 49 | b = smaller(r->v[i],b); 50 | } 51 | mask = b - 1; 52 | for(i=0;i<4;i++) 53 | r->v[i] ^= mask & (r->v[i] ^ t[i]); 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/sc25519_from64bytes.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]) 4 | { 5 | /* assuming little-endian representation of unsigned long long */ 6 | sc25519_barrett(r, (unsigned long long *)x); 7 | } 8 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/sc25519_from_shortsc.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x) 4 | { 5 | r->v[0] = x->v[0]; 6 | r->v[1] = x->v[1]; 7 | r->v[2] = 0; 8 | r->v[3] = 0; 9 | } 10 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/sc25519_iszero.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | int sc25519_iszero_vartime(const sc25519 *x) 4 | { 5 | if(x->v[0] != 0) return 0; 6 | if(x->v[1] != 0) return 0; 7 | if(x->v[2] != 0) return 0; 8 | if(x->v[3] != 0) return 0; 9 | return 1; 10 | } 11 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/sc25519_lt.S: -------------------------------------------------------------------------------- 1 | 2 | # qhasm: int64 xp 3 | 4 | # qhasm: int64 yp 5 | 6 | # qhasm: int64 ret 7 | 8 | # qhasm: input xp 9 | 10 | # qhasm: input yp 11 | 12 | # qhasm: output ret 13 | 14 | # qhasm: int64 t0 15 | 16 | # qhasm: int64 t1 17 | 18 | # qhasm: int64 t2 19 | 20 | # qhasm: int64 t3 21 | 22 | # qhasm: int64 doof 23 | 24 | # qhasm: int64 caller1 25 | 26 | # qhasm: int64 caller2 27 | 28 | # qhasm: int64 caller3 29 | 30 | # qhasm: int64 caller4 31 | 32 | # qhasm: int64 caller5 33 | 34 | # qhasm: int64 caller6 35 | 36 | # qhasm: int64 caller7 37 | 38 | # qhasm: caller caller1 39 | 40 | # qhasm: caller caller2 41 | 42 | # qhasm: caller caller3 43 | 44 | # qhasm: caller caller4 45 | 46 | # qhasm: caller caller5 47 | 48 | # qhasm: caller caller6 49 | 50 | # qhasm: caller caller7 51 | 52 | # qhasm: stack64 caller4_stack 53 | 54 | # qhasm: stack64 caller5_stack 55 | 56 | # qhasm: stack64 caller6_stack 57 | 58 | # qhasm: stack64 caller7_stack 59 | 60 | # qhasm: enter CRYPTO_NAMESPACE(sc25519_lt) 61 | .text 62 | .p2align 5 63 | .globl _CRYPTO_NAMESPACE(sc25519_lt) 64 | .globl CRYPTO_NAMESPACE(sc25519_lt) 65 | _CRYPTO_NAMESPACE(sc25519_lt): 66 | CRYPTO_NAMESPACE(sc25519_lt): 67 | mov %rsp,%r11 68 | and $31,%r11 69 | add $0,%r11 70 | sub %r11,%rsp 71 | 72 | # qhasm: t0 = *(uint64 *)(xp + 0) 73 | # asm 1: movq 0(t0=int64#3 74 | # asm 2: movq 0(t0=%rdx 75 | movq 0(%rdi),%rdx 76 | 77 | # qhasm: t1 = *(uint64 *)(xp + 8) 78 | # asm 1: movq 8(t1=int64#4 79 | # asm 2: movq 8(t1=%rcx 80 | movq 8(%rdi),%rcx 81 | 82 | # qhasm: t2 = *(uint64 *)(xp + 16) 83 | # asm 1: movq 16(t2=int64#5 84 | # asm 2: movq 16(t2=%r8 85 | movq 16(%rdi),%r8 86 | 87 | # qhasm: t3 = *(uint64 *)(xp + 24) 88 | # asm 1: movq 24(t3=int64#1 89 | # asm 2: movq 24(t3=%rdi 90 | movq 24(%rdi),%rdi 91 | 92 | # qhasm: carry? t0 -= *(uint64 *)(yp + 0) 93 | # asm 1: subq 0(ret=int64#1 114 | # asm 2: mov $0,>ret=%rdi 115 | mov $0,%rdi 116 | 117 | # qhasm: doof = 1 118 | # asm 1: mov $1,>doof=int64#2 119 | # asm 2: mov $1,>doof=%rsi 120 | mov $1,%rsi 121 | 122 | # qhasm: ret = doof if carry 123 | # asm 1: cmovc v, y->v); 12 | sc25519_barrett(r, t); 13 | } 14 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/sc25519_mul_shortsc.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y) 4 | { 5 | /* XXX: This wants to be faster */ 6 | sc25519 t; 7 | sc25519_from_shortsc(&t, y); 8 | sc25519_mul(r, x, &t); 9 | } 10 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/sc25519_slide.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | void sc25519_slide(signed char r[256], const sc25519 *s, int swindowsize) 4 | { 5 | int i,j,k,b,m=(1<<(swindowsize-1))-1, soplen=256; 6 | unsigned long long sv0 = s->v[0]; 7 | unsigned long long sv1 = s->v[1]; 8 | unsigned long long sv2 = s->v[2]; 9 | unsigned long long sv3 = s->v[3]; 10 | 11 | /* first put the binary expansion into r */ 12 | for(i=0;i<64;i++) { 13 | r[i] = sv0 & 1; 14 | r[i+64] = sv1 & 1; 15 | r[i+128] = sv2 & 1; 16 | r[i+192] = sv3 & 1; 17 | sv0 >>= 1; 18 | sv1 >>= 1; 19 | sv2 >>= 1; 20 | sv3 >>= 1; 21 | } 22 | 23 | /* Making it sliding window */ 24 | for (j = 0;j < soplen;++j) 25 | { 26 | if (r[j]) { 27 | for (b = 1;b < soplen - j && b <= 6;++b) { 28 | if (r[j] + (r[j + b] << b) <= m) 29 | { 30 | r[j] += r[j + b] << b; r[j + b] = 0; 31 | } 32 | else if (r[j] - (r[j + b] << b) >= -m) 33 | { 34 | r[j] -= r[j + b] << b; 35 | for (k = j + b;k < soplen;++k) 36 | { 37 | if (!r[k]) { 38 | r[k] = 1; 39 | break; 40 | } 41 | r[k] = 0; 42 | } 43 | } 44 | else if (r[j + b]) 45 | break; 46 | } 47 | } 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/sc25519_to32bytes.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | void sc25519_to32bytes(unsigned char r[32], const sc25519 *x) 4 | { 5 | /* assuming little-endian */ 6 | int i; 7 | for(i=0;i<32;i++) r[i] = i[(unsigned char *)x->v]; 8 | } 9 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/sc25519_window4.c: -------------------------------------------------------------------------------- 1 | #include "sc25519.h" 2 | 3 | void sc25519_window4(signed char r[64], const sc25519 *s) 4 | { 5 | char carry; 6 | int i; 7 | for(i=0;i<16;i++) 8 | r[i] = (s->v[0] >> (4*i)) & 15; 9 | for(i=0;i<16;i++) 10 | r[i+16] = (s->v[1] >> (4*i)) & 15; 11 | for(i=0;i<16;i++) 12 | r[i+32] = (s->v[2] >> (4*i)) & 15; 13 | for(i=0;i<16;i++) 14 | r[i+48] = (s->v[3] >> (4*i)) & 15; 15 | 16 | /* Making it signed */ 17 | carry = 0; 18 | for(i=0;i<63;i++) 19 | { 20 | r[i] += carry; 21 | r[i+1] += r[i] >> 4; 22 | r[i] &= 15; 23 | carry = r[i] >> 3; 24 | r[i] -= carry << 4; 25 | } 26 | r[63] += carry; 27 | } 28 | -------------------------------------------------------------------------------- /ed25519/amd64-64-24k/sign.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "crypto_sign.h" 3 | #include "crypto_hash_sha512.h" 4 | #include "ge25519.h" 5 | 6 | int crypto_sign( 7 | unsigned char *sm,unsigned long long *smlen, 8 | const unsigned char *m,unsigned long long mlen, 9 | const unsigned char *sk 10 | ) 11 | { 12 | unsigned char pk[32]; 13 | unsigned char nonce[64]; 14 | unsigned char hram[64]; 15 | sc25519 sck, scs, scsk; 16 | ge25519 ger; 17 | 18 | /* sk: 32-byte scalar a, 32-byte randomizer z */ 19 | crypto_sign_pubkey(pk,sk); 20 | /* pk: 32-byte public key A */ 21 | 22 | *smlen = mlen + 64; 23 | memmove(sm + 64,m,mlen); 24 | memmove(sm + 32,sk + 32,32); 25 | /* sm: 32-byte uninit, 32-byte z, mlen-byte m */ 26 | 27 | crypto_hash_sha512(nonce, sm+32, mlen+32); 28 | /* nonce: 64-byte H(z,m) */ 29 | 30 | sc25519_from64bytes(&sck, nonce); 31 | ge25519_scalarmult_base(&ger, &sck); 32 | ge25519_pack(sm, &ger); 33 | /* sm: 32-byte R, 32-byte z, mlen-byte m */ 34 | 35 | memmove(sm + 32,pk,32); 36 | /* sm: 32-byte R, 32-byte A, mlen-byte m */ 37 | 38 | crypto_hash_sha512(hram,sm,mlen + 64); 39 | /* hram: 64-byte H(R,A,m) */ 40 | 41 | sc25519_from64bytes(&scs, hram); 42 | sc25519_from32bytes(&scsk, sk); 43 | sc25519_mul(&scs, &scs, &scsk); 44 | sc25519_add(&scs, &scs, &sck); 45 | /* scs: S = nonce + H(R,A,m)a */ 46 | 47 | sc25519_to32bytes(sm + 32,&scs); 48 | /* sm: 32-byte R, 32-byte S, mlen-byte m */ 49 | 50 | return 0; 51 | } 52 | -------------------------------------------------------------------------------- /ed25519/ed25519-donna/ed25519-donna.h: -------------------------------------------------------------------------------- 1 | /* 2 | Public domain by Andrew M. 3 | Modified from the amd64-51-30k implementation by 4 | Daniel J. Bernstein 5 | Niels Duif 6 | Tanja Lange 7 | Peter Schwabe 8 | Bo-Yin Yang 9 | */ 10 | 11 | 12 | #include "ed25519-donna-portable.h" 13 | 14 | #if defined(ED25519_SSE2) 15 | #else 16 | #if defined(HAVE_UINT128) && !defined(ED25519_FORCE_32BIT) 17 | #define ED25519_64BIT 18 | #else 19 | #define ED25519_32BIT 20 | #endif 21 | #endif 22 | 23 | #if !defined(ED25519_NO_INLINE_ASM) 24 | /* detect extra features first so un-needed functions can be disabled throughout */ 25 | #if defined(ED25519_SSE2) 26 | #if defined(COMPILER_GCC) && defined(CPU_X86) 27 | #define ED25519_GCC_32BIT_SSE_CHOOSE 28 | #elif defined(COMPILER_GCC) && defined(CPU_X86_64) 29 | #define ED25519_GCC_64BIT_SSE_CHOOSE 30 | #endif 31 | #else 32 | #if defined(CPU_X86_64) 33 | #if defined(COMPILER_GCC) 34 | #if defined(ED25519_64BIT) 35 | #define ED25519_GCC_64BIT_X86_CHOOSE 36 | #else 37 | #define ED25519_GCC_64BIT_32BIT_CHOOSE 38 | #endif 39 | #endif 40 | #endif 41 | #endif 42 | #endif 43 | 44 | #include "curve25519-donna-sse2.h" 45 | #include "curve25519-donna-64bit.h" 46 | #include "curve25519-donna-32bit.h" 47 | 48 | #include "curve25519-donna-helpers.h" 49 | 50 | #include "modm-donna-64bit.h" 51 | #include "modm-donna-32bit.h" 52 | 53 | typedef unsigned char hash_512bits[64]; 54 | 55 | /* 56 | Timing safe memory compare 57 | */ 58 | static int 59 | ed25519_verify(const unsigned char *x, const unsigned char *y, size_t len) { 60 | size_t differentbits = 0; 61 | while (len--) 62 | differentbits |= (*x++ ^ *y++); 63 | return (int) (1 & ((differentbits - 1) >> 8)); 64 | } 65 | 66 | 67 | /* 68 | * Arithmetic on the twisted Edwards curve -x^2 + y^2 = 1 + dx^2y^2 69 | * with d = -(121665/121666) = 37095705934669439343138083508754565189542113879843219016388785533085940283555 70 | * Base point: (15112221349535400772501151409588531511454012693041857206046113283949847762202,46316835694926478169428394003475163141307993866256225615783033603165251855960); 71 | */ 72 | 73 | typedef struct ge25519_t { 74 | bignum25519 x, y, z, t; 75 | } ge25519; 76 | 77 | typedef struct ge25519_p1p1_t { 78 | bignum25519 x, y, z, t; 79 | } ge25519_p1p1; 80 | 81 | typedef struct ge25519_niels_t { 82 | bignum25519 ysubx, xaddy, t2d; 83 | } ge25519_niels; 84 | 85 | typedef struct ge25519_pniels_t { 86 | bignum25519 ysubx, xaddy, z, t2d; 87 | } ge25519_pniels; 88 | 89 | typedef unsigned char bytes32[32]; 90 | 91 | #include "ed25519-donna-basepoint-table.h" 92 | 93 | #include "ed25519-donna-64bit-tables.h" 94 | #include "ed25519-donna-64bit-x86.h" 95 | 96 | #include "ed25519-donna-32bit-tables.h" 97 | #include "ed25519-donna-64bit-x86-32bit.h" 98 | 99 | 100 | #include "ed25519-donna-32bit-sse2.h" 101 | #include "ed25519-donna-64bit-sse2.h" 102 | #include "ed25519-donna-impl-sse2.h" 103 | 104 | #include "ed25519-donna-impl-base.h" 105 | -------------------------------------------------------------------------------- /ed25519/ed25519-donna/ed25519-hash-custom.h: -------------------------------------------------------------------------------- 1 | /* 2 | a custom hash must have a 512bit digest and implement: 3 | 4 | struct ed25519_hash_context; 5 | 6 | void ed25519_hash_init(ed25519_hash_context *ctx); 7 | void ed25519_hash_update(ed25519_hash_context *ctx, const uint8_t *in, size_t inlen); 8 | void ed25519_hash_final(ed25519_hash_context *ctx, uint8_t *hash); 9 | void ed25519_hash(uint8_t *hash, const uint8_t *in, size_t inlen); 10 | */ 11 | #include 12 | 13 | typedef crypto_hash_sha512_state ed25519_hash_context; 14 | 15 | static inline void ed25519_hash_init(ed25519_hash_context *ctx) 16 | { 17 | crypto_hash_sha512_init(ctx); 18 | } 19 | 20 | static inline void ed25519_hash_update(ed25519_hash_context *ctx, const uint8_t *in, size_t inlen) 21 | { 22 | crypto_hash_sha512_update(ctx,in,inlen); 23 | } 24 | 25 | static inline void ed25519_hash_final(ed25519_hash_context *ctx, uint8_t *hash) 26 | { 27 | crypto_hash_sha512_final(ctx,hash); 28 | } 29 | 30 | static inline void ed25519_hash(uint8_t *hash, const uint8_t *in, size_t inlen) 31 | { 32 | crypto_hash_sha512(hash,in,inlen); 33 | } 34 | -------------------------------------------------------------------------------- /ed25519/ed25519-donna/ed25519-randombytes-custom.h: -------------------------------------------------------------------------------- 1 | /* 2 | a custom randombytes must implement: 3 | 4 | void ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len); 5 | 6 | ed25519_randombytes_unsafe is used by the batch verification function 7 | to create random scalars 8 | */ 9 | #include 10 | 11 | void ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len) 12 | { 13 | randombytes(p,len); 14 | } 15 | -------------------------------------------------------------------------------- /ed25519/ed25519-donna/ed25519-randombytes.h: -------------------------------------------------------------------------------- 1 | #if defined(ED25519_TEST) 2 | /* 3 | ISAAC+ "variant", the paper is not clear on operator precedence and other 4 | things. This is the "first in, first out" option! 5 | 6 | Not threadsafe or securely initialized, only for deterministic testing 7 | */ 8 | typedef struct isaacp_state_t { 9 | uint32_t state[256]; 10 | unsigned char buffer[1024]; 11 | uint32_t a, b, c; 12 | size_t left; 13 | } isaacp_state; 14 | 15 | #define isaacp_step(offset, mix) \ 16 | x = mm[i + offset]; \ 17 | a = (a ^ (mix)) + (mm[(i + offset + 128) & 0xff]); \ 18 | y = (a ^ b) + mm[(x >> 2) & 0xff]; \ 19 | mm[i + offset] = y; \ 20 | b = (x + a) ^ mm[(y >> 10) & 0xff]; \ 21 | U32TO8_LE(out + (i + offset) * 4, b); 22 | 23 | static void 24 | isaacp_mix(isaacp_state *st) { 25 | uint32_t i, x, y; 26 | uint32_t a = st->a, b = st->b, c = st->c; 27 | uint32_t *mm = st->state; 28 | unsigned char *out = st->buffer; 29 | 30 | c = c + 1; 31 | b = b + c; 32 | 33 | for (i = 0; i < 256; i += 4) { 34 | isaacp_step(0, ROTL32(a,13)) 35 | isaacp_step(1, ROTR32(a, 6)) 36 | isaacp_step(2, ROTL32(a, 2)) 37 | isaacp_step(3, ROTR32(a,16)) 38 | } 39 | 40 | st->a = a; 41 | st->b = b; 42 | st->c = c; 43 | st->left = 1024; 44 | } 45 | 46 | static void 47 | isaacp_random(isaacp_state *st, void *p, size_t len) { 48 | size_t use; 49 | unsigned char *c = (unsigned char *)p; 50 | while (len) { 51 | use = (len > st->left) ? st->left : len; 52 | memcpy(c, st->buffer + (sizeof(st->buffer) - st->left), use); 53 | 54 | st->left -= use; 55 | c += use; 56 | len -= use; 57 | 58 | if (!st->left) 59 | isaacp_mix(st); 60 | } 61 | } 62 | 63 | void 64 | ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len) { 65 | static int initialized = 0; 66 | static isaacp_state rng; 67 | 68 | if (!initialized) { 69 | memset(&rng, 0, sizeof(rng)); 70 | isaacp_mix(&rng); 71 | isaacp_mix(&rng); 72 | initialized = 1; 73 | } 74 | 75 | isaacp_random(&rng, p, len); 76 | } 77 | #elif defined(ED25519_CUSTOMRANDOM) 78 | 79 | #include "ed25519-randombytes-custom.h" 80 | 81 | #else 82 | 83 | #include 84 | 85 | void 86 | ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len) { 87 | 88 | RAND_bytes(p, (int) len); 89 | 90 | } 91 | #endif 92 | -------------------------------------------------------------------------------- /ed25519/ed25519-donna/ed25519.h: -------------------------------------------------------------------------------- 1 | #ifndef ED25519_H 2 | #define ED25519_H 3 | 4 | #include 5 | 6 | #if defined(__cplusplus) 7 | extern "C" { 8 | #endif 9 | 10 | typedef unsigned char ed25519_signature[64]; 11 | typedef unsigned char ed25519_public_key[32]; 12 | typedef unsigned char ed25519_secret_key[32]; 13 | 14 | typedef unsigned char curved25519_key[32]; 15 | 16 | void ed25519_publickey(const ed25519_secret_key sk, ed25519_public_key pk); 17 | int ed25519_sign_open(const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS); 18 | void ed25519_sign(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS); 19 | 20 | int ed25519_sign_open_batch(const unsigned char **m, size_t *mlen, const unsigned char **pk, const unsigned char **RS, size_t num, int *valid); 21 | 22 | void ed25519_randombytes_unsafe(void *out, size_t count); 23 | 24 | void curved25519_scalarmult_basepoint(curved25519_key pk, const curved25519_key e); 25 | 26 | #if defined(__cplusplus) 27 | } 28 | #endif 29 | 30 | #endif // ED25519_H 31 | -------------------------------------------------------------------------------- /ed25519/ed25519-donna/test-ticks.h: -------------------------------------------------------------------------------- 1 | #include "ed25519-donna-portable-identify.h" 2 | 3 | /* ticks - not tested on anything other than x86 */ 4 | static uint64_t 5 | get_ticks(void) { 6 | #if defined(CPU_X86) || defined(CPU_X86_64) 7 | #if defined(COMPILER_INTEL) 8 | return _rdtsc(); 9 | #elif defined(COMPILER_MSVC) 10 | return __rdtsc(); 11 | #elif defined(COMPILER_GCC) 12 | uint32_t lo, hi; 13 | __asm__ __volatile__("rdtsc" : "=a" (lo), "=d" (hi)); 14 | return ((uint64_t)lo | ((uint64_t)hi << 32)); 15 | #else 16 | need rdtsc for this compiler 17 | #endif 18 | #elif defined(OS_SOLARIS) 19 | return (uint64_t)gethrtime(); 20 | #elif defined(CPU_SPARC) && !defined(OS_OPENBSD) 21 | uint64_t t; 22 | __asm__ __volatile__("rd %%tick, %0" : "=r" (t)); 23 | return t; 24 | #elif defined(CPU_PPC) 25 | uint32_t lo = 0, hi = 0; 26 | __asm__ __volatile__("mftbu %0; mftb %1" : "=r" (hi), "=r" (lo)); 27 | return ((uint64_t)lo | ((uint64_t)hi << 32)); 28 | #elif defined(CPU_IA64) 29 | uint64_t t; 30 | __asm__ __volatile__("mov %0=ar.itc" : "=r" (t)); 31 | return t; 32 | #elif defined(OS_NIX) 33 | timeval t2; 34 | gettimeofday(&t2, NULL); 35 | t = ((uint64_t)t2.tv_usec << 32) | (uint64_t)t2.tv_sec; 36 | return t; 37 | #else 38 | need ticks for this platform 39 | #endif 40 | } 41 | 42 | #define timeit(x,minvar) \ 43 | ticks = get_ticks(); \ 44 | x; \ 45 | ticks = get_ticks() - ticks; \ 46 | if (ticks < minvar) \ 47 | minvar = ticks; 48 | 49 | #define maxticks 0xffffffffffffffffull 50 | 51 | -------------------------------------------------------------------------------- /ed25519/ed25519.h: -------------------------------------------------------------------------------- 1 | #define ED25519_SEEDBYTES 32 2 | #define ED25519_SECRETKEYBYTES 64 3 | #define ED25519_PUBLICKEYBYTES 32 4 | -------------------------------------------------------------------------------- /ed25519/ed25519_impl_post.h: -------------------------------------------------------------------------------- 1 | 2 | #undef ed25519_seckey 3 | #undef ed25519_seckey_expand 4 | #undef ed25519_pubkey 5 | #undef ed25519_keygen 6 | 7 | #undef ge_eightpoint 8 | #undef ge_initeightpoint 9 | 10 | #undef ge_add 11 | #undef ge_p3_batchtobytes_destructive_1 12 | #undef ge_p3_batchtobytes_destructive_finish 13 | #undef ge_scalarmult_base 14 | 15 | 16 | #ifdef ED25519_ref10 17 | 18 | #undef ge_frombytes_negate_vartime 19 | #undef ge_tobytes 20 | #undef ge_p3_tobytes 21 | #undef ge_p2_0 22 | #undef ge_p3_0 23 | #undef ge_precomp_0 24 | #undef ge_p3_to_p2 25 | #undef ge_p3_to_cached 26 | #undef ge_p1p1_to_p2 27 | #undef ge_p1p1_to_p3 28 | #undef ge_p2_dbl 29 | #undef ge_p3_dbl 30 | #undef ge_madd 31 | #undef ge_msub 32 | #undef ge_sub 33 | #undef ge_scalarmult_base 34 | #undef ge_double_scalarmult_vartime 35 | 36 | #endif 37 | 38 | 39 | #if defined(ED25519_amd64_51_30k) || defined(ED25519_amd64_64_24k) 40 | 41 | #undef ge25519 42 | #undef ge25519_base 43 | #undef ge25519_unpackneg_vartime 44 | #undef ge25519_pack 45 | #undef ge25519_isneutral_vartime 46 | #undef ge25519_add 47 | #undef ge25519_double 48 | #undef ge25519_double_scalarmult_vartime 49 | #undef ge25519_multi_scalarmult_vartime 50 | #undef ge25519_scalarmult_base 51 | #undef ge25519_p1p1_to_p2 52 | #undef ge25519_p1p1_to_p3 53 | #undef ge25519_p1p1_to_pniels 54 | #undef ge25519_add_p1p1 55 | #undef ge25519_dbl_p1p1 56 | #undef choose_t 57 | #undef ge25519_nielsadd2 58 | #undef ge25519_nielsadd_p1p1 59 | #undef ge25519_pnielsadd_p1p1 60 | #undef ge25519_p3 61 | 62 | #undef fe 63 | #undef ge_p1p1 64 | #undef ge_p3 65 | #undef ge_p1p1_to_p3 66 | #undef ge_p3_tobytes 67 | 68 | #endif 69 | 70 | 71 | #ifdef ED25519_donna 72 | 73 | #undef fe_ysubx 74 | #undef fe_xaddy 75 | #undef fe_z 76 | #undef fe_t2d 77 | 78 | #undef fe 79 | #undef ge_p1p1 80 | #undef ge_p3 81 | #undef ge_p1p1_to_p3 82 | #undef ge_p3_tobytes 83 | 84 | #endif 85 | -------------------------------------------------------------------------------- /ed25519/ref10/Makefile: -------------------------------------------------------------------------------- 1 | all: d.h d2.h sqrtm1.h base.h base2.h \ 2 | ge_add.h ge_sub.h \ 3 | ge_madd.h ge_msub.h \ 4 | ge_p2_dbl.h \ 5 | pow225521.h pow22523.h 6 | 7 | d.h: d.py 8 | python d.py > d.h 9 | 10 | d2.h: d2.py 11 | python d2.py > d2.h 12 | 13 | sqrtm1.h: sqrtm1.py 14 | python sqrtm1.py > sqrtm1.h 15 | 16 | base.h: base.py 17 | python base.py > base.h 18 | 19 | base2.h: base2.py 20 | python base2.py > base2.h 21 | 22 | ge_add.h: ge_add.q q2h.sh 23 | ./q2h.sh < ge_add.q > ge_add.h 24 | 25 | ge_sub.h: ge_sub.q q2h.sh 26 | ./q2h.sh < ge_sub.q > ge_sub.h 27 | 28 | ge_madd.h: ge_madd.q q2h.sh 29 | ./q2h.sh < ge_madd.q > ge_madd.h 30 | 31 | ge_msub.h: ge_msub.q q2h.sh 32 | ./q2h.sh < ge_msub.q > ge_msub.h 33 | 34 | ge_p2_dbl.h: ge_p2_dbl.q q2h.sh 35 | ./q2h.sh < ge_p2_dbl.q > ge_p2_dbl.h 36 | 37 | pow22523.h: pow22523.q q2h.sh 38 | ./q2h.sh < pow22523.q > pow22523.h 39 | 40 | pow225521.h: pow225521.q q2h.sh 41 | ./q2h.sh < pow225521.q > pow225521.h 42 | -------------------------------------------------------------------------------- /ed25519/ref10/README: -------------------------------------------------------------------------------- 1 | Public domain. 2 | -------------------------------------------------------------------------------- /ed25519/ref10/api.h: -------------------------------------------------------------------------------- 1 | #define CRYPTO_SECRETKEYBYTES 64 2 | #define CRYPTO_PUBLICKEYBYTES 32 3 | #define CRYPTO_BYTES 64 4 | #define CRYPTO_DETERMINISTIC 1 5 | -------------------------------------------------------------------------------- /ed25519/ref10/base.py: -------------------------------------------------------------------------------- 1 | b = 256 2 | q = 2**255 - 19 3 | l = 2**252 + 27742317777372353535851937790883648493 4 | 5 | def expmod(b,e,m): 6 | if e == 0: return 1 7 | t = expmod(b,e/2,m)**2 % m 8 | if e & 1: t = (t*b) % m 9 | return t 10 | 11 | def inv(x): 12 | return expmod(x,q-2,q) 13 | 14 | d = -121665 * inv(121666) 15 | I = expmod(2,(q-1)/4,q) 16 | 17 | def xrecover(y): 18 | xx = (y*y-1) * inv(d*y*y+1) 19 | x = expmod(xx,(q+3)/8,q) 20 | if (x*x - xx) % q != 0: x = (x*I) % q 21 | if x % 2 != 0: x = q-x 22 | return x 23 | 24 | By = 4 * inv(5) 25 | Bx = xrecover(By) 26 | B = [Bx % q,By % q] 27 | 28 | def edwards(P,Q): 29 | x1 = P[0] 30 | y1 = P[1] 31 | x2 = Q[0] 32 | y2 = Q[1] 33 | x3 = (x1*y2+x2*y1) * inv(1+d*x1*x2*y1*y2) 34 | y3 = (y1*y2+x1*x2) * inv(1-d*x1*x2*y1*y2) 35 | return [x3 % q,y3 % q] 36 | 37 | def radix255(x): 38 | x = x % q 39 | if x + x > q: x -= q 40 | x = [x,0,0,0,0,0,0,0,0,0] 41 | bits = [26,25,26,25,26,25,26,25,26,25] 42 | for i in range(9): 43 | carry = (x[i] + 2**(bits[i]-1)) / 2**bits[i] 44 | x[i] -= carry * 2**bits[i] 45 | x[i + 1] += carry 46 | result = "" 47 | for i in range(9): 48 | result = result+str(x[i])+"," 49 | result = result+str(x[9]) 50 | return result 51 | 52 | Bi = B 53 | for i in range(32): 54 | print "{" 55 | Bij = Bi 56 | for j in range(8): 57 | print " {" 58 | print " {",radix255(Bij[1]+Bij[0]),"}," 59 | print " {",radix255(Bij[1]-Bij[0]),"}," 60 | print " {",radix255(2*d*Bij[0]*Bij[1]),"}," 61 | Bij = edwards(Bij,Bi) 62 | print " }," 63 | print "}," 64 | for k in range(8): 65 | Bi = edwards(Bi,Bi) 66 | -------------------------------------------------------------------------------- /ed25519/ref10/base2.h: -------------------------------------------------------------------------------- 1 | { 2 | { 25967493,-14356035,29566456,3660896,-12694345,4014787,27544626,-11754271,-6079156,2047605 }, 3 | { -12545711,934262,-2722910,3049990,-727428,9406986,12720692,5043384,19500929,-15469378 }, 4 | { -8738181,4489570,9688441,-14785194,10184609,-12363380,29287919,11864899,-24514362,-4438546 }, 5 | }, 6 | { 7 | { 15636291,-9688557,24204773,-7912398,616977,-16685262,27787600,-14772189,28944400,-1550024 }, 8 | { 16568933,4717097,-11556148,-1102322,15682896,-11807043,16354577,-11775962,7689662,11199574 }, 9 | { 30464156,-5976125,-11779434,-15670865,23220365,15915852,7512774,10017326,-17749093,-9920357 }, 10 | }, 11 | { 12 | { 10861363,11473154,27284546,1981175,-30064349,12577861,32867885,14515107,-15438304,10819380 }, 13 | { 4708026,6336745,20377586,9066809,-11272109,6594696,-25653668,12483688,-12668491,5581306 }, 14 | { 19563160,16186464,-29386857,4097519,10237984,-4348115,28542350,13850243,-23678021,-15815942 }, 15 | }, 16 | { 17 | { 5153746,9909285,1723747,-2777874,30523605,5516873,19480852,5230134,-23952439,-15175766 }, 18 | { -30269007,-3463509,7665486,10083793,28475525,1649722,20654025,16520125,30598449,7715701 }, 19 | { 28881845,14381568,9657904,3680757,-20181635,7843316,-31400660,1370708,29794553,-1409300 }, 20 | }, 21 | { 22 | { -22518993,-6692182,14201702,-8745502,-23510406,8844726,18474211,-1361450,-13062696,13821877 }, 23 | { -6455177,-7839871,3374702,-4740862,-27098617,-10571707,31655028,-7212327,18853322,-14220951 }, 24 | { 4566830,-12963868,-28974889,-12240689,-7602672,-2830569,-8514358,-10431137,2207753,-3209784 }, 25 | }, 26 | { 27 | { -25154831,-4185821,29681144,7868801,-6854661,-9423865,-12437364,-663000,-31111463,-16132436 }, 28 | { 25576264,-2703214,7349804,-11814844,16472782,9300885,3844789,15725684,171356,6466918 }, 29 | { 23103977,13316479,9739013,-16149481,817875,-15038942,8965339,-14088058,-30714912,16193877 }, 30 | }, 31 | { 32 | { -33521811,3180713,-2394130,14003687,-16903474,-16270840,17238398,4729455,-18074513,9256800 }, 33 | { -25182317,-4174131,32336398,5036987,-21236817,11360617,22616405,9761698,-19827198,630305 }, 34 | { -13720693,2639453,-24237460,-7406481,9494427,-5774029,-6554551,-15960994,-2449256,-14291300 }, 35 | }, 36 | { 37 | { -3151181,-5046075,9282714,6866145,-31907062,-863023,-18940575,15033784,25105118,-7894876 }, 38 | { -24326370,15950226,-31801215,-14592823,-11662737,-5090925,1573892,-2625887,2198790,-15804619 }, 39 | { -3099351,10324967,-2241613,7453183,-5446979,-2735503,-13812022,-16236442,-32461234,-12290683 }, 40 | }, 41 | -------------------------------------------------------------------------------- /ed25519/ref10/base2.py: -------------------------------------------------------------------------------- 1 | b = 256 2 | q = 2**255 - 19 3 | l = 2**252 + 27742317777372353535851937790883648493 4 | 5 | def expmod(b,e,m): 6 | if e == 0: return 1 7 | t = expmod(b,e/2,m)**2 % m 8 | if e & 1: t = (t*b) % m 9 | return t 10 | 11 | def inv(x): 12 | return expmod(x,q-2,q) 13 | 14 | d = -121665 * inv(121666) 15 | I = expmod(2,(q-1)/4,q) 16 | 17 | def xrecover(y): 18 | xx = (y*y-1) * inv(d*y*y+1) 19 | x = expmod(xx,(q+3)/8,q) 20 | if (x*x - xx) % q != 0: x = (x*I) % q 21 | if x % 2 != 0: x = q-x 22 | return x 23 | 24 | By = 4 * inv(5) 25 | Bx = xrecover(By) 26 | B = [Bx % q,By % q] 27 | 28 | def edwards(P,Q): 29 | x1 = P[0] 30 | y1 = P[1] 31 | x2 = Q[0] 32 | y2 = Q[1] 33 | x3 = (x1*y2+x2*y1) * inv(1+d*x1*x2*y1*y2) 34 | y3 = (y1*y2+x1*x2) * inv(1-d*x1*x2*y1*y2) 35 | return [x3 % q,y3 % q] 36 | 37 | def radix255(x): 38 | x = x % q 39 | if x + x > q: x -= q 40 | x = [x,0,0,0,0,0,0,0,0,0] 41 | bits = [26,25,26,25,26,25,26,25,26,25] 42 | for i in range(9): 43 | carry = (x[i] + 2**(bits[i]-1)) / 2**bits[i] 44 | x[i] -= carry * 2**bits[i] 45 | x[i + 1] += carry 46 | result = "" 47 | for i in range(9): 48 | result = result+str(x[i])+"," 49 | result = result+str(x[9]) 50 | return result 51 | 52 | Bi = B 53 | 54 | for i in range(8): 55 | print " {" 56 | print " {",radix255(Bi[1]+Bi[0]),"}," 57 | print " {",radix255(Bi[1]-Bi[0]),"}," 58 | print " {",radix255(2*d*Bi[0]*Bi[1]),"}," 59 | print " }," 60 | Bi = edwards(B,edwards(B,Bi)) 61 | -------------------------------------------------------------------------------- /ed25519/ref10/crypto_hash_sha512.h: -------------------------------------------------------------------------------- 1 | #include 2 | -------------------------------------------------------------------------------- /ed25519/ref10/crypto_int32.h: -------------------------------------------------------------------------------- 1 | #include 2 | #define crypto_int32 int32_t 3 | -------------------------------------------------------------------------------- /ed25519/ref10/crypto_int64.h: -------------------------------------------------------------------------------- 1 | #include 2 | #define crypto_int64 int64_t 3 | -------------------------------------------------------------------------------- /ed25519/ref10/crypto_sign.h: -------------------------------------------------------------------------------- 1 | #define crypto_sign CRYPTO_NAMESPACE(sign) 2 | #define crypto_sign_keypair CRYPTO_NAMESPACE(keygen) 3 | #define crypto_sign_seckey CRYPTO_NAMESPACE(seckey) 4 | #define crypto_sign_seckey_expand CRYPTO_NAMESPACE(seckey_expand) 5 | #define crypto_sign_pubkey CRYPTO_NAMESPACE(pubkey) 6 | #define crypto_sign_open CRYPTO_NAMESPACE(open) 7 | #define crypto_sign_open_batch CRYPTO_NAMESPACE(open_batch) 8 | 9 | #include "ed25519.h" 10 | -------------------------------------------------------------------------------- /ed25519/ref10/crypto_uint32.h: -------------------------------------------------------------------------------- 1 | #include 2 | #define crypto_uint32 uint32_t 3 | -------------------------------------------------------------------------------- /ed25519/ref10/crypto_uint64.h: -------------------------------------------------------------------------------- 1 | #include 2 | #define crypto_uint64 uint64_t 3 | -------------------------------------------------------------------------------- /ed25519/ref10/crypto_verify_32.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define crypto_verify_32(a,b) \ 4 | (!sodium_memcmp((a), (b), 32)) 5 | -------------------------------------------------------------------------------- /ed25519/ref10/d.h: -------------------------------------------------------------------------------- 1 | -10913610,13857413,-15372611,6949391,114729,-8787816,-6275908,-3247719,-18696448,-12055116 2 | -------------------------------------------------------------------------------- /ed25519/ref10/d.py: -------------------------------------------------------------------------------- 1 | q = 2**255 - 19 2 | 3 | def expmod(b,e,m): 4 | if e == 0: return 1 5 | t = expmod(b,e/2,m)**2 % m 6 | if e & 1: t = (t*b) % m 7 | return t 8 | 9 | def inv(x): 10 | return expmod(x,q-2,q) 11 | 12 | def radix255(x): 13 | x = x % q 14 | if x + x > q: x -= q 15 | x = [x,0,0,0,0,0,0,0,0,0] 16 | bits = [26,25,26,25,26,25,26,25,26,25] 17 | for i in range(9): 18 | carry = (x[i] + 2**(bits[i]-1)) / 2**bits[i] 19 | x[i] -= carry * 2**bits[i] 20 | x[i + 1] += carry 21 | result = "" 22 | for i in range(9): 23 | result = result+str(x[i])+"," 24 | result = result+str(x[9]) 25 | return result 26 | 27 | d = -121665 * inv(121666) 28 | print radix255(d) 29 | -------------------------------------------------------------------------------- /ed25519/ref10/d2.h: -------------------------------------------------------------------------------- 1 | -21827239,-5839606,-30745221,13898782,229458,15978800,-12551817,-6495438,29715968,9444199 2 | -------------------------------------------------------------------------------- /ed25519/ref10/d2.py: -------------------------------------------------------------------------------- 1 | q = 2**255 - 19 2 | 3 | def expmod(b,e,m): 4 | if e == 0: return 1 5 | t = expmod(b,e/2,m)**2 % m 6 | if e & 1: t = (t*b) % m 7 | return t 8 | 9 | def inv(x): 10 | return expmod(x,q-2,q) 11 | 12 | def radix255(x): 13 | x = x % q 14 | if x + x > q: x -= q 15 | x = [x,0,0,0,0,0,0,0,0,0] 16 | bits = [26,25,26,25,26,25,26,25,26,25] 17 | for i in range(9): 18 | carry = (x[i] + 2**(bits[i]-1)) / 2**bits[i] 19 | x[i] -= carry * 2**bits[i] 20 | x[i + 1] += carry 21 | result = "" 22 | for i in range(9): 23 | result = result+str(x[i])+"," 24 | result = result+str(x[9]) 25 | return result 26 | 27 | d = -121665 * inv(121666) 28 | print radix255(d*2) 29 | -------------------------------------------------------------------------------- /ed25519/ref10/ed25519.h: -------------------------------------------------------------------------------- 1 | int crypto_sign_seckey(unsigned char *sk); 2 | int crypto_sign_seckey_expand(unsigned char *sk,const unsigned char *seed); 3 | int crypto_sign_pubkey(unsigned char *pk,const unsigned char *sk); 4 | int crypto_sign_keypair(unsigned char *pk,unsigned char *sk); 5 | int crypto_sign( 6 | unsigned char *sm,unsigned long long *smlen, 7 | const unsigned char *m,unsigned long long mlen, 8 | const unsigned char *sk 9 | ); 10 | int crypto_sign_open( 11 | unsigned char *m,unsigned long long *mlen, 12 | const unsigned char *sm,unsigned long long smlen, 13 | const unsigned char *pk 14 | ); 15 | -------------------------------------------------------------------------------- /ed25519/ref10/fe.h: -------------------------------------------------------------------------------- 1 | #ifndef FE_H 2 | #define FE_H 3 | 4 | #include "crypto_int32.h" 5 | #include 6 | 7 | typedef crypto_int32 fe[10]; 8 | 9 | /* 10 | fe means field element. 11 | Here the field is \Z/(2^255-19). 12 | An element t, entries t[0]...t[9], represents the integer 13 | t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. 14 | Bounds on each t[i] vary depending on context. 15 | */ 16 | 17 | #define fe_frombytes CRYPTO_NAMESPACE(fe_frombytes) 18 | #define fe_tobytes CRYPTO_NAMESPACE(fe_tobytes) 19 | #define fe_copy CRYPTO_NAMESPACE(fe_copy) 20 | #define fe_isnonzero CRYPTO_NAMESPACE(fe_isnonzero) 21 | #define fe_isnegative CRYPTO_NAMESPACE(fe_isnegative) 22 | #define fe_0 CRYPTO_NAMESPACE(fe_0) 23 | #define fe_1 CRYPTO_NAMESPACE(fe_1) 24 | #define fe_cswap CRYPTO_NAMESPACE(fe_cswap) 25 | #define fe_cmov CRYPTO_NAMESPACE(fe_cmov) 26 | #define fe_add CRYPTO_NAMESPACE(fe_add) 27 | #define fe_sub CRYPTO_NAMESPACE(fe_sub) 28 | #define fe_neg CRYPTO_NAMESPACE(fe_neg) 29 | #define fe_mul CRYPTO_NAMESPACE(fe_mul) 30 | #define fe_sq CRYPTO_NAMESPACE(fe_sq) 31 | #define fe_sq2 CRYPTO_NAMESPACE(fe_sq2) 32 | #define fe_invert CRYPTO_NAMESPACE(fe_invert) 33 | #define fe_batchinvert CRYPTO_NAMESPACE(fe_batchinvert) 34 | #define fe_pow22523 CRYPTO_NAMESPACE(fe_pow22523) 35 | 36 | extern void fe_frombytes(fe,const unsigned char *); 37 | extern void fe_tobytes(unsigned char *,const fe); 38 | 39 | extern void fe_copy(fe,const fe); 40 | extern int fe_isnonzero(const fe); 41 | extern int fe_isnegative(const fe); 42 | extern void fe_0(fe); 43 | extern void fe_1(fe); 44 | extern void fe_cswap(fe,fe,unsigned int); 45 | extern void fe_cmov(fe,const fe,unsigned int); 46 | 47 | extern void fe_add(fe,const fe,const fe); 48 | extern void fe_sub(fe,const fe,const fe); 49 | extern void fe_neg(fe,const fe); 50 | extern void fe_mul(fe,const fe,const fe); 51 | extern void fe_sq(fe,const fe); 52 | extern void fe_sq2(fe,const fe); 53 | extern void fe_invert(fe,const fe); 54 | extern void fe_batchinvert(fe *out,fe *in,fe *tmp,size_t num,size_t shift); 55 | extern void fe_pow22523(fe,const fe); 56 | 57 | #endif 58 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_0.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | h = 0 5 | */ 6 | 7 | void fe_0(fe h) 8 | { 9 | h[0] = 0; 10 | h[1] = 0; 11 | h[2] = 0; 12 | h[3] = 0; 13 | h[4] = 0; 14 | h[5] = 0; 15 | h[6] = 0; 16 | h[7] = 0; 17 | h[8] = 0; 18 | h[9] = 0; 19 | } 20 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_1.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | h = 1 5 | */ 6 | 7 | void fe_1(fe h) 8 | { 9 | h[0] = 1; 10 | h[1] = 0; 11 | h[2] = 0; 12 | h[3] = 0; 13 | h[4] = 0; 14 | h[5] = 0; 15 | h[6] = 0; 16 | h[7] = 0; 17 | h[8] = 0; 18 | h[9] = 0; 19 | } 20 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_add.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | h = f + g 5 | Can overlap h with f or g. 6 | 7 | Preconditions: 8 | |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 9 | |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 10 | 11 | Postconditions: 12 | |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 13 | */ 14 | 15 | void fe_add(fe h,const fe f,const fe g) 16 | { 17 | crypto_int32 f0 = f[0]; 18 | crypto_int32 f1 = f[1]; 19 | crypto_int32 f2 = f[2]; 20 | crypto_int32 f3 = f[3]; 21 | crypto_int32 f4 = f[4]; 22 | crypto_int32 f5 = f[5]; 23 | crypto_int32 f6 = f[6]; 24 | crypto_int32 f7 = f[7]; 25 | crypto_int32 f8 = f[8]; 26 | crypto_int32 f9 = f[9]; 27 | crypto_int32 g0 = g[0]; 28 | crypto_int32 g1 = g[1]; 29 | crypto_int32 g2 = g[2]; 30 | crypto_int32 g3 = g[3]; 31 | crypto_int32 g4 = g[4]; 32 | crypto_int32 g5 = g[5]; 33 | crypto_int32 g6 = g[6]; 34 | crypto_int32 g7 = g[7]; 35 | crypto_int32 g8 = g[8]; 36 | crypto_int32 g9 = g[9]; 37 | crypto_int32 h0 = f0 + g0; 38 | crypto_int32 h1 = f1 + g1; 39 | crypto_int32 h2 = f2 + g2; 40 | crypto_int32 h3 = f3 + g3; 41 | crypto_int32 h4 = f4 + g4; 42 | crypto_int32 h5 = f5 + g5; 43 | crypto_int32 h6 = f6 + g6; 44 | crypto_int32 h7 = f7 + g7; 45 | crypto_int32 h8 = f8 + g8; 46 | crypto_int32 h9 = f9 + g9; 47 | h[0] = h0; 48 | h[1] = h1; 49 | h[2] = h2; 50 | h[3] = h3; 51 | h[4] = h4; 52 | h[5] = h5; 53 | h[6] = h6; 54 | h[7] = h7; 55 | h[8] = h8; 56 | h[9] = h9; 57 | } 58 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_batchinvert.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | // tmp MUST != out or in 4 | // in MAY == out 5 | void fe_batchinvert(fe *out,fe *in,fe *tmp,size_t num,size_t shift) 6 | { 7 | fe acc; 8 | fe tmpacc; 9 | size_t i; 10 | fe *inp; 11 | fe *outp; 12 | 13 | fe_1(acc); 14 | 15 | inp = in; 16 | for (i = 0;i < num;++i) { 17 | fe_copy(tmp[i],acc); 18 | fe_mul(acc,acc,*inp); 19 | inp = (fe *)((char *)inp + shift); 20 | } 21 | 22 | fe_invert(acc,acc); 23 | 24 | i = num; 25 | inp = (fe *)((char *)in + shift * num); 26 | outp = (fe *)((char *)out + shift * num); 27 | while (i--) { 28 | inp = (fe *)((char *)inp - shift); 29 | outp = (fe *)((char *)outp - shift); 30 | fe_mul(tmpacc,acc,*inp); 31 | fe_mul(*outp,acc,tmp[i]); 32 | fe_copy(acc,tmpacc); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_cmov.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | Replace (f,g) with (g,g) if b == 1; 5 | replace (f,g) with (f,g) if b == 0. 6 | 7 | Preconditions: b in {0,1}. 8 | */ 9 | 10 | void fe_cmov(fe f,const fe g,unsigned int b) 11 | { 12 | crypto_int32 f0 = f[0]; 13 | crypto_int32 f1 = f[1]; 14 | crypto_int32 f2 = f[2]; 15 | crypto_int32 f3 = f[3]; 16 | crypto_int32 f4 = f[4]; 17 | crypto_int32 f5 = f[5]; 18 | crypto_int32 f6 = f[6]; 19 | crypto_int32 f7 = f[7]; 20 | crypto_int32 f8 = f[8]; 21 | crypto_int32 f9 = f[9]; 22 | crypto_int32 g0 = g[0]; 23 | crypto_int32 g1 = g[1]; 24 | crypto_int32 g2 = g[2]; 25 | crypto_int32 g3 = g[3]; 26 | crypto_int32 g4 = g[4]; 27 | crypto_int32 g5 = g[5]; 28 | crypto_int32 g6 = g[6]; 29 | crypto_int32 g7 = g[7]; 30 | crypto_int32 g8 = g[8]; 31 | crypto_int32 g9 = g[9]; 32 | crypto_int32 x0 = f0 ^ g0; 33 | crypto_int32 x1 = f1 ^ g1; 34 | crypto_int32 x2 = f2 ^ g2; 35 | crypto_int32 x3 = f3 ^ g3; 36 | crypto_int32 x4 = f4 ^ g4; 37 | crypto_int32 x5 = f5 ^ g5; 38 | crypto_int32 x6 = f6 ^ g6; 39 | crypto_int32 x7 = f7 ^ g7; 40 | crypto_int32 x8 = f8 ^ g8; 41 | crypto_int32 x9 = f9 ^ g9; 42 | b = -b; 43 | x0 &= b; 44 | x1 &= b; 45 | x2 &= b; 46 | x3 &= b; 47 | x4 &= b; 48 | x5 &= b; 49 | x6 &= b; 50 | x7 &= b; 51 | x8 &= b; 52 | x9 &= b; 53 | f[0] = f0 ^ x0; 54 | f[1] = f1 ^ x1; 55 | f[2] = f2 ^ x2; 56 | f[3] = f3 ^ x3; 57 | f[4] = f4 ^ x4; 58 | f[5] = f5 ^ x5; 59 | f[6] = f6 ^ x6; 60 | f[7] = f7 ^ x7; 61 | f[8] = f8 ^ x8; 62 | f[9] = f9 ^ x9; 63 | } 64 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_copy.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | h = f 5 | */ 6 | 7 | void fe_copy(fe h,const fe f) 8 | { 9 | crypto_int32 f0 = f[0]; 10 | crypto_int32 f1 = f[1]; 11 | crypto_int32 f2 = f[2]; 12 | crypto_int32 f3 = f[3]; 13 | crypto_int32 f4 = f[4]; 14 | crypto_int32 f5 = f[5]; 15 | crypto_int32 f6 = f[6]; 16 | crypto_int32 f7 = f[7]; 17 | crypto_int32 f8 = f[8]; 18 | crypto_int32 f9 = f[9]; 19 | h[0] = f0; 20 | h[1] = f1; 21 | h[2] = f2; 22 | h[3] = f3; 23 | h[4] = f4; 24 | h[5] = f5; 25 | h[6] = f6; 26 | h[7] = f7; 27 | h[8] = f8; 28 | h[9] = f9; 29 | } 30 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_frombytes.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | #include "crypto_int64.h" 3 | #include "crypto_uint64.h" 4 | 5 | static crypto_uint64 load_3(const unsigned char *in) 6 | { 7 | crypto_uint64 result; 8 | result = (crypto_uint64) in[0]; 9 | result |= ((crypto_uint64) in[1]) << 8; 10 | result |= ((crypto_uint64) in[2]) << 16; 11 | return result; 12 | } 13 | 14 | static crypto_uint64 load_4(const unsigned char *in) 15 | { 16 | crypto_uint64 result; 17 | result = (crypto_uint64) in[0]; 18 | result |= ((crypto_uint64) in[1]) << 8; 19 | result |= ((crypto_uint64) in[2]) << 16; 20 | result |= ((crypto_uint64) in[3]) << 24; 21 | return result; 22 | } 23 | 24 | /* 25 | Ignores top bit of h. 26 | */ 27 | 28 | void fe_frombytes(fe h,const unsigned char *s) 29 | { 30 | crypto_int64 h0 = load_4(s); 31 | crypto_int64 h1 = load_3(s + 4) << 6; 32 | crypto_int64 h2 = load_3(s + 7) << 5; 33 | crypto_int64 h3 = load_3(s + 10) << 3; 34 | crypto_int64 h4 = load_3(s + 13) << 2; 35 | crypto_int64 h5 = load_4(s + 16); 36 | crypto_int64 h6 = load_3(s + 20) << 7; 37 | crypto_int64 h7 = load_3(s + 23) << 5; 38 | crypto_int64 h8 = load_3(s + 26) << 4; 39 | crypto_int64 h9 = (load_3(s + 29) & 8388607) << 2; 40 | crypto_int64 carry0; 41 | crypto_int64 carry1; 42 | crypto_int64 carry2; 43 | crypto_int64 carry3; 44 | crypto_int64 carry4; 45 | crypto_int64 carry5; 46 | crypto_int64 carry6; 47 | crypto_int64 carry7; 48 | crypto_int64 carry8; 49 | crypto_int64 carry9; 50 | 51 | carry9 = (h9 + (crypto_int64) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; 52 | carry1 = (h1 + (crypto_int64) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; 53 | carry3 = (h3 + (crypto_int64) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; 54 | carry5 = (h5 + (crypto_int64) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; 55 | carry7 = (h7 + (crypto_int64) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; 56 | 57 | carry0 = (h0 + (crypto_int64) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; 58 | carry2 = (h2 + (crypto_int64) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; 59 | carry4 = (h4 + (crypto_int64) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; 60 | carry6 = (h6 + (crypto_int64) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; 61 | carry8 = (h8 + (crypto_int64) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; 62 | 63 | h[0] = h0; 64 | h[1] = h1; 65 | h[2] = h2; 66 | h[3] = h3; 67 | h[4] = h4; 68 | h[5] = h5; 69 | h[6] = h6; 70 | h[7] = h7; 71 | h[8] = h8; 72 | h[9] = h9; 73 | } 74 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_invert.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | void fe_invert(fe out,const fe z) 4 | { 5 | fe t0; 6 | fe t1; 7 | fe t2; 8 | fe t3; 9 | int i; 10 | 11 | #include "pow225521.h" 12 | 13 | return; 14 | } 15 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_isnegative.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | return 1 if f is in {1,3,5,...,q-2} 5 | return 0 if f is in {0,2,4,...,q-1} 6 | 7 | Preconditions: 8 | |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 9 | */ 10 | 11 | int fe_isnegative(const fe f) 12 | { 13 | unsigned char s[32]; 14 | fe_tobytes(s,f); 15 | return s[0] & 1; 16 | } 17 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_isnonzero.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | #include "crypto_verify_32.h" 3 | 4 | /* 5 | return 1 if f == 0 6 | return 0 if f != 0 7 | 8 | Preconditions: 9 | |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 10 | */ 11 | 12 | static const unsigned char zero[32]; 13 | 14 | int fe_isnonzero(const fe f) 15 | { 16 | unsigned char s[32]; 17 | fe_tobytes(s,f); 18 | return crypto_verify_32(s,zero); 19 | } 20 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_neg.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | h = -f 5 | 6 | Preconditions: 7 | |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 8 | 9 | Postconditions: 10 | |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 11 | */ 12 | 13 | void fe_neg(fe h,const fe f) 14 | { 15 | crypto_int32 f0 = f[0]; 16 | crypto_int32 f1 = f[1]; 17 | crypto_int32 f2 = f[2]; 18 | crypto_int32 f3 = f[3]; 19 | crypto_int32 f4 = f[4]; 20 | crypto_int32 f5 = f[5]; 21 | crypto_int32 f6 = f[6]; 22 | crypto_int32 f7 = f[7]; 23 | crypto_int32 f8 = f[8]; 24 | crypto_int32 f9 = f[9]; 25 | crypto_int32 h0 = -f0; 26 | crypto_int32 h1 = -f1; 27 | crypto_int32 h2 = -f2; 28 | crypto_int32 h3 = -f3; 29 | crypto_int32 h4 = -f4; 30 | crypto_int32 h5 = -f5; 31 | crypto_int32 h6 = -f6; 32 | crypto_int32 h7 = -f7; 33 | crypto_int32 h8 = -f8; 34 | crypto_int32 h9 = -f9; 35 | h[0] = h0; 36 | h[1] = h1; 37 | h[2] = h2; 38 | h[3] = h3; 39 | h[4] = h4; 40 | h[5] = h5; 41 | h[6] = h6; 42 | h[7] = h7; 43 | h[8] = h8; 44 | h[9] = h9; 45 | } 46 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_pow22523.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | void fe_pow22523(fe out,const fe z) 4 | { 5 | fe t0; 6 | fe t1; 7 | fe t2; 8 | int i; 9 | 10 | #include "pow22523.h" 11 | 12 | return; 13 | } 14 | -------------------------------------------------------------------------------- /ed25519/ref10/fe_sub.c: -------------------------------------------------------------------------------- 1 | #include "fe.h" 2 | 3 | /* 4 | h = f - g 5 | Can overlap h with f or g. 6 | 7 | Preconditions: 8 | |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 9 | |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. 10 | 11 | Postconditions: 12 | |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 13 | */ 14 | 15 | void fe_sub(fe h,const fe f,const fe g) 16 | { 17 | crypto_int32 f0 = f[0]; 18 | crypto_int32 f1 = f[1]; 19 | crypto_int32 f2 = f[2]; 20 | crypto_int32 f3 = f[3]; 21 | crypto_int32 f4 = f[4]; 22 | crypto_int32 f5 = f[5]; 23 | crypto_int32 f6 = f[6]; 24 | crypto_int32 f7 = f[7]; 25 | crypto_int32 f8 = f[8]; 26 | crypto_int32 f9 = f[9]; 27 | crypto_int32 g0 = g[0]; 28 | crypto_int32 g1 = g[1]; 29 | crypto_int32 g2 = g[2]; 30 | crypto_int32 g3 = g[3]; 31 | crypto_int32 g4 = g[4]; 32 | crypto_int32 g5 = g[5]; 33 | crypto_int32 g6 = g[6]; 34 | crypto_int32 g7 = g[7]; 35 | crypto_int32 g8 = g[8]; 36 | crypto_int32 g9 = g[9]; 37 | crypto_int32 h0 = f0 - g0; 38 | crypto_int32 h1 = f1 - g1; 39 | crypto_int32 h2 = f2 - g2; 40 | crypto_int32 h3 = f3 - g3; 41 | crypto_int32 h4 = f4 - g4; 42 | crypto_int32 h5 = f5 - g5; 43 | crypto_int32 h6 = f6 - g6; 44 | crypto_int32 h7 = f7 - g7; 45 | crypto_int32 h8 = f8 - g8; 46 | crypto_int32 h9 = f9 - g9; 47 | h[0] = h0; 48 | h[1] = h1; 49 | h[2] = h2; 50 | h[3] = h3; 51 | h[4] = h4; 52 | h[5] = h5; 53 | h[6] = h6; 54 | h[7] = h7; 55 | h[8] = h8; 56 | h[9] = h9; 57 | } 58 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_add.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = p + q 5 | */ 6 | 7 | void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q) 8 | { 9 | fe t0; 10 | #include "ge_add.h" 11 | } 12 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_add.h: -------------------------------------------------------------------------------- 1 | 2 | /* qhasm: enter ge_add */ 3 | 4 | /* qhasm: fe X1 */ 5 | 6 | /* qhasm: fe Y1 */ 7 | 8 | /* qhasm: fe Z1 */ 9 | 10 | /* qhasm: fe Z2 */ 11 | 12 | /* qhasm: fe T1 */ 13 | 14 | /* qhasm: fe ZZ */ 15 | 16 | /* qhasm: fe YpX2 */ 17 | 18 | /* qhasm: fe YmX2 */ 19 | 20 | /* qhasm: fe T2d2 */ 21 | 22 | /* qhasm: fe X3 */ 23 | 24 | /* qhasm: fe Y3 */ 25 | 26 | /* qhasm: fe Z3 */ 27 | 28 | /* qhasm: fe T3 */ 29 | 30 | /* qhasm: fe YpX1 */ 31 | 32 | /* qhasm: fe YmX1 */ 33 | 34 | /* qhasm: fe A */ 35 | 36 | /* qhasm: fe B */ 37 | 38 | /* qhasm: fe C */ 39 | 40 | /* qhasm: fe D */ 41 | 42 | /* qhasm: YpX1 = Y1+X1 */ 43 | /* asm 1: fe_add(>YpX1=fe#1,YpX1=r->X,Y,X); */ 45 | fe_add(r->X,p->Y,p->X); 46 | 47 | /* qhasm: YmX1 = Y1-X1 */ 48 | /* asm 1: fe_sub(>YmX1=fe#2,YmX1=r->Y,Y,X); */ 50 | fe_sub(r->Y,p->Y,p->X); 51 | 52 | /* qhasm: A = YpX1*YpX2 */ 53 | /* asm 1: fe_mul(>A=fe#3,A=r->Z,X,YplusX); */ 55 | fe_mul(r->Z,r->X,q->YplusX); 56 | 57 | /* qhasm: B = YmX1*YmX2 */ 58 | /* asm 1: fe_mul(>B=fe#2,B=r->Y,Y,YminusX); */ 60 | fe_mul(r->Y,r->Y,q->YminusX); 61 | 62 | /* qhasm: C = T2d2*T1 */ 63 | /* asm 1: fe_mul(>C=fe#4,C=r->T,T2d,T); */ 65 | fe_mul(r->T,q->T2d,p->T); 66 | 67 | /* qhasm: ZZ = Z1*Z2 */ 68 | /* asm 1: fe_mul(>ZZ=fe#1,ZZ=r->X,Z,Z); */ 70 | fe_mul(r->X,p->Z,q->Z); 71 | 72 | /* qhasm: D = 2*ZZ */ 73 | /* asm 1: fe_add(>D=fe#5,D=t0,X,X); */ 75 | fe_add(t0,r->X,r->X); 76 | 77 | /* qhasm: X3 = A-B */ 78 | /* asm 1: fe_sub(>X3=fe#1,X3=r->X,Z,Y); */ 80 | fe_sub(r->X,r->Z,r->Y); 81 | 82 | /* qhasm: Y3 = A+B */ 83 | /* asm 1: fe_add(>Y3=fe#2,Y3=r->Y,Z,Y); */ 85 | fe_add(r->Y,r->Z,r->Y); 86 | 87 | /* qhasm: Z3 = D+C */ 88 | /* asm 1: fe_add(>Z3=fe#3,Z3=r->Z,T); */ 90 | fe_add(r->Z,t0,r->T); 91 | 92 | /* qhasm: T3 = D-C */ 93 | /* asm 1: fe_sub(>T3=fe#4,T3=r->T,T); */ 95 | fe_sub(r->T,t0,r->T); 96 | 97 | /* qhasm: return */ 98 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_add.q: -------------------------------------------------------------------------------- 1 | :name:fe:r->X:r->Y:r->Z:r->T:t0:t1:t2:t3:t4:t5:p->X:p->Y:p->Z:p->T:q->YplusX:q->YminusX:q->Z:q->T2d: 2 | fe r:var/r=fe: 3 | 4 | enter f:enter/f:>X1=fe#11:>Y1=fe#12:>Z1=fe#13:>T1=fe#14:>YpX2=fe#15:>YmX2=fe#16:>Z2=fe#17:>T2d2=fe#18: 5 | return:nofallthrough:h=fe:asm/fe_add(>h,h=fe:asm/fe_sub(>h,h=fe:asm/fe_mul(>h,h=fe:asm/fe_sq(>h,h=fe:asm/fe_add(>h,> 3] >> (i & 7)); 11 | 12 | for (i = 0;i < 256;++i) 13 | if (r[i]) { 14 | for (b = 1;b <= 6 && i + b < 256;++b) { 15 | if (r[i + b]) { 16 | if (r[i] + (r[i + b] << b) <= 15) { 17 | r[i] += r[i + b] << b; r[i + b] = 0; 18 | } else if (r[i] - (r[i + b] << b) >= -15) { 19 | r[i] -= r[i + b] << b; 20 | for (k = i + b;k < 256;++k) { 21 | if (!r[k]) { 22 | r[k] = 1; 23 | break; 24 | } 25 | r[k] = 0; 26 | } 27 | } else 28 | break; 29 | } 30 | } 31 | } 32 | 33 | } 34 | 35 | static const ge_precomp Bi[8] = { 36 | #include "base2.h" 37 | } ; 38 | 39 | /* 40 | r = a * A + b * B 41 | where a = a[0]+256*a[1]+...+256^31 a[31]. 42 | and b = b[0]+256*b[1]+...+256^31 b[31]. 43 | B is the Ed25519 base point (x,4/5) with x positive. 44 | */ 45 | 46 | void ge_double_scalarmult_vartime(ge_p2 *r,const unsigned char *a,const ge_p3 *A,const unsigned char *b) 47 | { 48 | signed char aslide[256]; 49 | signed char bslide[256]; 50 | ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */ 51 | ge_p1p1 t; 52 | ge_p3 u; 53 | ge_p3 A2; 54 | int i; 55 | 56 | slide(aslide,a); 57 | slide(bslide,b); 58 | 59 | ge_p3_to_cached(&Ai[0],A); 60 | ge_p3_dbl(&t,A); ge_p1p1_to_p3(&A2,&t); 61 | ge_add(&t,&A2,&Ai[0]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[1],&u); 62 | ge_add(&t,&A2,&Ai[1]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[2],&u); 63 | ge_add(&t,&A2,&Ai[2]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[3],&u); 64 | ge_add(&t,&A2,&Ai[3]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[4],&u); 65 | ge_add(&t,&A2,&Ai[4]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[5],&u); 66 | ge_add(&t,&A2,&Ai[5]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[6],&u); 67 | ge_add(&t,&A2,&Ai[6]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[7],&u); 68 | 69 | ge_p2_0(r); 70 | 71 | for (i = 255;i >= 0;--i) { 72 | if (aslide[i] || bslide[i]) break; 73 | } 74 | 75 | for (;i >= 0;--i) { 76 | ge_p2_dbl(&t,r); 77 | 78 | if (aslide[i] > 0) { 79 | ge_p1p1_to_p3(&u,&t); 80 | ge_add(&t,&u,&Ai[aslide[i]/2]); 81 | } else if (aslide[i] < 0) { 82 | ge_p1p1_to_p3(&u,&t); 83 | ge_sub(&t,&u,&Ai[(-aslide[i])/2]); 84 | } 85 | 86 | if (bslide[i] > 0) { 87 | ge_p1p1_to_p3(&u,&t); 88 | ge_madd(&t,&u,&Bi[bslide[i]/2]); 89 | } else if (bslide[i] < 0) { 90 | ge_p1p1_to_p3(&u,&t); 91 | ge_msub(&t,&u,&Bi[(-bslide[i])/2]); 92 | } 93 | 94 | ge_p1p1_to_p2(r,&t); 95 | } 96 | } 97 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_frombytes.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | static const fe d = { 4 | #include "d.h" 5 | } ; 6 | 7 | static const fe sqrtm1 = { 8 | #include "sqrtm1.h" 9 | } ; 10 | 11 | int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s) 12 | { 13 | fe u; 14 | fe v; 15 | fe v3; 16 | fe vxx; 17 | fe check; 18 | 19 | fe_frombytes(h->Y,s); 20 | fe_1(h->Z); 21 | fe_sq(u,h->Y); 22 | fe_mul(v,u,d); 23 | fe_sub(u,u,h->Z); /* u = y^2-1 */ 24 | fe_add(v,v,h->Z); /* v = dy^2+1 */ 25 | 26 | fe_sq(v3,v); 27 | fe_mul(v3,v3,v); /* v3 = v^3 */ 28 | fe_sq(h->X,v3); 29 | fe_mul(h->X,h->X,v); 30 | fe_mul(h->X,h->X,u); /* x = uv^7 */ 31 | 32 | fe_pow22523(h->X,h->X); /* x = (uv^7)^((q-5)/8) */ 33 | fe_mul(h->X,h->X,v3); 34 | fe_mul(h->X,h->X,u); /* x = uv^3(uv^7)^((q-5)/8) */ 35 | 36 | fe_sq(vxx,h->X); 37 | fe_mul(vxx,vxx,v); 38 | fe_sub(check,vxx,u); /* vx^2-u */ 39 | if (fe_isnonzero(check)) { 40 | fe_add(check,vxx,u); /* vx^2+u */ 41 | if (fe_isnonzero(check)) return -1; 42 | fe_mul(h->X,h->X,sqrtm1); 43 | } 44 | 45 | if (fe_isnegative(h->X) == (s[31] >> 7)) 46 | fe_neg(h->X,h->X); 47 | 48 | fe_mul(h->T,h->X,h->Y); 49 | return 0; 50 | } 51 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_madd.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = p + q 5 | */ 6 | 7 | void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q) 8 | { 9 | fe t0; 10 | #include "ge_madd.h" 11 | } 12 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_madd.h: -------------------------------------------------------------------------------- 1 | 2 | /* qhasm: enter ge_madd */ 3 | 4 | /* qhasm: fe X1 */ 5 | 6 | /* qhasm: fe Y1 */ 7 | 8 | /* qhasm: fe Z1 */ 9 | 10 | /* qhasm: fe T1 */ 11 | 12 | /* qhasm: fe ypx2 */ 13 | 14 | /* qhasm: fe ymx2 */ 15 | 16 | /* qhasm: fe xy2d2 */ 17 | 18 | /* qhasm: fe X3 */ 19 | 20 | /* qhasm: fe Y3 */ 21 | 22 | /* qhasm: fe Z3 */ 23 | 24 | /* qhasm: fe T3 */ 25 | 26 | /* qhasm: fe YpX1 */ 27 | 28 | /* qhasm: fe YmX1 */ 29 | 30 | /* qhasm: fe A */ 31 | 32 | /* qhasm: fe B */ 33 | 34 | /* qhasm: fe C */ 35 | 36 | /* qhasm: fe D */ 37 | 38 | /* qhasm: YpX1 = Y1+X1 */ 39 | /* asm 1: fe_add(>YpX1=fe#1,YpX1=r->X,Y,X); */ 41 | fe_add(r->X,p->Y,p->X); 42 | 43 | /* qhasm: YmX1 = Y1-X1 */ 44 | /* asm 1: fe_sub(>YmX1=fe#2,YmX1=r->Y,Y,X); */ 46 | fe_sub(r->Y,p->Y,p->X); 47 | 48 | /* qhasm: A = YpX1*ypx2 */ 49 | /* asm 1: fe_mul(>A=fe#3,A=r->Z,X,yplusx); */ 51 | fe_mul(r->Z,r->X,q->yplusx); 52 | 53 | /* qhasm: B = YmX1*ymx2 */ 54 | /* asm 1: fe_mul(>B=fe#2,B=r->Y,Y,yminusx); */ 56 | fe_mul(r->Y,r->Y,q->yminusx); 57 | 58 | /* qhasm: C = xy2d2*T1 */ 59 | /* asm 1: fe_mul(>C=fe#4,C=r->T,xy2d,T); */ 61 | fe_mul(r->T,q->xy2d,p->T); 62 | 63 | /* qhasm: D = 2*Z1 */ 64 | /* asm 1: fe_add(>D=fe#5,D=t0,Z,Z); */ 66 | fe_add(t0,p->Z,p->Z); 67 | 68 | /* qhasm: X3 = A-B */ 69 | /* asm 1: fe_sub(>X3=fe#1,X3=r->X,Z,Y); */ 71 | fe_sub(r->X,r->Z,r->Y); 72 | 73 | /* qhasm: Y3 = A+B */ 74 | /* asm 1: fe_add(>Y3=fe#2,Y3=r->Y,Z,Y); */ 76 | fe_add(r->Y,r->Z,r->Y); 77 | 78 | /* qhasm: Z3 = D+C */ 79 | /* asm 1: fe_add(>Z3=fe#3,Z3=r->Z,T); */ 81 | fe_add(r->Z,t0,r->T); 82 | 83 | /* qhasm: T3 = D-C */ 84 | /* asm 1: fe_sub(>T3=fe#4,T3=r->T,T); */ 86 | fe_sub(r->T,t0,r->T); 87 | 88 | /* qhasm: return */ 89 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_madd.q: -------------------------------------------------------------------------------- 1 | :name:fe:r->X:r->Y:r->Z:r->T:t0:t1:t2:t3:t4:t5:p->X:p->Y:p->Z:p->T:q->yplusx:q->yminusx:q->xy2d: 2 | fe r:var/r=fe: 3 | 4 | enter f:enter/f:>X1=fe#11:>Y1=fe#12:>Z1=fe#13:>T1=fe#14:>ypx2=fe#15:>ymx2=fe#16:>xy2d2=fe#17: 5 | return:nofallthrough:h=fe:asm/fe_add(>h,h=fe:asm/fe_sub(>h,h=fe:asm/fe_mul(>h,h=fe:asm/fe_sq(>h,h=fe:asm/fe_add(>h,YpX1=fe#1,YpX1=r->X,Y,X); */ 41 | fe_add(r->X,p->Y,p->X); 42 | 43 | /* qhasm: YmX1 = Y1-X1 */ 44 | /* asm 1: fe_sub(>YmX1=fe#2,YmX1=r->Y,Y,X); */ 46 | fe_sub(r->Y,p->Y,p->X); 47 | 48 | /* qhasm: A = YpX1*ymx2 */ 49 | /* asm 1: fe_mul(>A=fe#3,A=r->Z,X,yminusx); */ 51 | fe_mul(r->Z,r->X,q->yminusx); 52 | 53 | /* qhasm: B = YmX1*ypx2 */ 54 | /* asm 1: fe_mul(>B=fe#2,B=r->Y,Y,yplusx); */ 56 | fe_mul(r->Y,r->Y,q->yplusx); 57 | 58 | /* qhasm: C = xy2d2*T1 */ 59 | /* asm 1: fe_mul(>C=fe#4,C=r->T,xy2d,T); */ 61 | fe_mul(r->T,q->xy2d,p->T); 62 | 63 | /* qhasm: D = 2*Z1 */ 64 | /* asm 1: fe_add(>D=fe#5,D=t0,Z,Z); */ 66 | fe_add(t0,p->Z,p->Z); 67 | 68 | /* qhasm: X3 = A-B */ 69 | /* asm 1: fe_sub(>X3=fe#1,X3=r->X,Z,Y); */ 71 | fe_sub(r->X,r->Z,r->Y); 72 | 73 | /* qhasm: Y3 = A+B */ 74 | /* asm 1: fe_add(>Y3=fe#2,Y3=r->Y,Z,Y); */ 76 | fe_add(r->Y,r->Z,r->Y); 77 | 78 | /* qhasm: Z3 = D-C */ 79 | /* asm 1: fe_sub(>Z3=fe#3,Z3=r->Z,T); */ 81 | fe_sub(r->Z,t0,r->T); 82 | 83 | /* qhasm: T3 = D+C */ 84 | /* asm 1: fe_add(>T3=fe#4,T3=r->T,T); */ 86 | fe_add(r->T,t0,r->T); 87 | 88 | /* qhasm: return */ 89 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_msub.q: -------------------------------------------------------------------------------- 1 | :name:fe:r->X:r->Y:r->Z:r->T:t0:t1:t2:t3:t4:t5:p->X:p->Y:p->Z:p->T:q->yplusx:q->yminusx:q->xy2d: 2 | fe r:var/r=fe: 3 | 4 | enter f:enter/f:>X1=fe#11:>Y1=fe#12:>Z1=fe#13:>T1=fe#14:>ypx2=fe#15:>ymx2=fe#16:>xy2d2=fe#17: 5 | return:nofallthrough:h=fe:asm/fe_add(>h,h=fe:asm/fe_sub(>h,h=fe:asm/fe_mul(>h,h=fe:asm/fe_sq(>h,h=fe:asm/fe_add(>h,X,p->X,p->T); 10 | fe_mul(r->Y,p->Y,p->Z); 11 | fe_mul(r->Z,p->Z,p->T); 12 | } 13 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_p1p1_to_p3.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = p 5 | */ 6 | 7 | extern void ge_p1p1_to_p3(ge_p3 *r,const ge_p1p1 *p) 8 | { 9 | fe_mul(r->X,p->X,p->T); 10 | fe_mul(r->Y,p->Y,p->Z); 11 | fe_mul(r->Z,p->Z,p->T); 12 | fe_mul(r->T,p->X,p->Y); 13 | } 14 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_p2_0.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | void ge_p2_0(ge_p2 *h) 4 | { 5 | fe_0(h->X); 6 | fe_1(h->Y); 7 | fe_1(h->Z); 8 | } 9 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_p2_dbl.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = 2 * p 5 | */ 6 | 7 | void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p) 8 | { 9 | fe t0; 10 | #include "ge_p2_dbl.h" 11 | } 12 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_p2_dbl.h: -------------------------------------------------------------------------------- 1 | 2 | /* qhasm: enter ge_p2_dbl */ 3 | 4 | /* qhasm: fe X1 */ 5 | 6 | /* qhasm: fe Y1 */ 7 | 8 | /* qhasm: fe Z1 */ 9 | 10 | /* qhasm: fe A */ 11 | 12 | /* qhasm: fe AA */ 13 | 14 | /* qhasm: fe XX */ 15 | 16 | /* qhasm: fe YY */ 17 | 18 | /* qhasm: fe B */ 19 | 20 | /* qhasm: fe X3 */ 21 | 22 | /* qhasm: fe Y3 */ 23 | 24 | /* qhasm: fe Z3 */ 25 | 26 | /* qhasm: fe T3 */ 27 | 28 | /* qhasm: XX=X1^2 */ 29 | /* asm 1: fe_sq(>XX=fe#1,XX=r->X,X); */ 31 | fe_sq(r->X,p->X); 32 | 33 | /* qhasm: YY=Y1^2 */ 34 | /* asm 1: fe_sq(>YY=fe#3,YY=r->Z,Y); */ 36 | fe_sq(r->Z,p->Y); 37 | 38 | /* qhasm: B=2*Z1^2 */ 39 | /* asm 1: fe_sq2(>B=fe#4,B=r->T,Z); */ 41 | fe_sq2(r->T,p->Z); 42 | 43 | /* qhasm: A=X1+Y1 */ 44 | /* asm 1: fe_add(>A=fe#2,A=r->Y,X,Y); */ 46 | fe_add(r->Y,p->X,p->Y); 47 | 48 | /* qhasm: AA=A^2 */ 49 | /* asm 1: fe_sq(>AA=fe#5,AA=t0,Y); */ 51 | fe_sq(t0,r->Y); 52 | 53 | /* qhasm: Y3=YY+XX */ 54 | /* asm 1: fe_add(>Y3=fe#2,Y3=r->Y,Z,X); */ 56 | fe_add(r->Y,r->Z,r->X); 57 | 58 | /* qhasm: Z3=YY-XX */ 59 | /* asm 1: fe_sub(>Z3=fe#3,Z3=r->Z,Z,X); */ 61 | fe_sub(r->Z,r->Z,r->X); 62 | 63 | /* qhasm: X3=AA-Y3 */ 64 | /* asm 1: fe_sub(>X3=fe#1,X3=r->X,Y); */ 66 | fe_sub(r->X,t0,r->Y); 67 | 68 | /* qhasm: T3=B-Z3 */ 69 | /* asm 1: fe_sub(>T3=fe#4,T3=r->T,T,Z); */ 71 | fe_sub(r->T,r->T,r->Z); 72 | 73 | /* qhasm: return */ 74 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_p2_dbl.q: -------------------------------------------------------------------------------- 1 | :name:fe:r->X:r->Y:r->Z:r->T:t0:t1:t2:t3:t4:t5:p->X:p->Y:p->Z: 2 | fe r:var/r=fe: 3 | 4 | enter f:enter/f:>X1=fe#11:>Y1=fe#12:>Z1=fe#13: 5 | return:nofallthrough:h=fe:asm/fe_add(>h,h=fe:asm/fe_sub(>h,h=fe:asm/fe_mul(>h,h=fe:asm/fe_sq(>h,h=fe:asm/fe_sq2(>h,h=fe:asm/fe_add(>h,X); 6 | fe_1(h->Y); 7 | fe_1(h->Z); 8 | fe_0(h->T); 9 | } 10 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_p3_batchtobytes.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | // inz is ge_p3.Z pointer array. contents to .Zs will be overwritten 4 | // NOTE: leaves in unfinished state 5 | void ge_p3_batchtobytes_destructive_1(bytes32 *out,ge_p3 *in,fe *tmp,size_t num) 6 | { 7 | fe y; 8 | 9 | fe_batchinvert(&in->Z,&in->Z,tmp,num,sizeof(ge_p3)); 10 | 11 | for (size_t i = 0;i < num;++i) { 12 | fe_mul(y,in[i].Y,in[i].Z); 13 | fe_tobytes(out[i],y); 14 | } 15 | } 16 | 17 | void ge_p3_batchtobytes_destructive_finish(bytes32 out,ge_p3 *unf) 18 | { 19 | fe x; 20 | // z of unfinished is inverted 21 | fe_mul(x,unf->X,unf->Z); 22 | out[31] ^= fe_isnegative(x) << 7; 23 | } 24 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_p3_dbl.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = 2 * p 5 | */ 6 | 7 | void ge_p3_dbl(ge_p1p1 *r,const ge_p3 *p) 8 | { 9 | ge_p2 q; 10 | ge_p3_to_p2(&q,p); 11 | ge_p2_dbl(r,&q); 12 | } 13 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_p3_to_cached.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = p 5 | */ 6 | 7 | static const fe d2 = { 8 | #include "d2.h" 9 | } ; 10 | 11 | extern void ge_p3_to_cached(ge_cached *r,const ge_p3 *p) 12 | { 13 | fe_add(r->YplusX,p->Y,p->X); 14 | fe_sub(r->YminusX,p->Y,p->X); 15 | fe_copy(r->Z,p->Z); 16 | fe_mul(r->T2d,p->T,d2); 17 | } 18 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_p3_to_p2.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = p 5 | */ 6 | 7 | extern void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p) 8 | { 9 | fe_copy(r->X,p->X); 10 | fe_copy(r->Y,p->Y); 11 | fe_copy(r->Z,p->Z); 12 | } 13 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_p3_tobytes.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | void ge_p3_tobytes(unsigned char *s,const ge_p3 *h) 4 | { 5 | fe recip; 6 | fe x; 7 | fe y; 8 | 9 | fe_invert(recip,h->Z); 10 | fe_mul(x,h->X,recip); 11 | fe_mul(y,h->Y,recip); 12 | fe_tobytes(s,y); 13 | s[31] ^= fe_isnegative(x) << 7; 14 | } 15 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_precomp_0.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | void ge_precomp_0(ge_precomp *h) 4 | { 5 | fe_1(h->yplusx); 6 | fe_1(h->yminusx); 7 | fe_0(h->xy2d); 8 | } 9 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_scalarmult_base.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | #include "crypto_uint32.h" 3 | 4 | static unsigned char equal(signed char b,signed char c) 5 | { 6 | unsigned char ub = b; 7 | unsigned char uc = c; 8 | unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */ 9 | crypto_uint32 y = x; /* 0: yes; 1..255: no */ 10 | y -= 1; /* 4294967295: yes; 0..254: no */ 11 | y >>= 31; /* 1: yes; 0: no */ 12 | return y; 13 | } 14 | 15 | static unsigned char negative(signed char b) 16 | { 17 | unsigned long long x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */ 18 | x >>= 63; /* 1: yes; 0: no */ 19 | return x; 20 | } 21 | 22 | static void cmov(ge_precomp *t,const ge_precomp *u,unsigned char b) 23 | { 24 | fe_cmov(t->yplusx,u->yplusx,b); 25 | fe_cmov(t->yminusx,u->yminusx,b); 26 | fe_cmov(t->xy2d,u->xy2d,b); 27 | } 28 | 29 | /* base[i][j] = (j+1)*256^i*B */ 30 | static const ge_precomp base[32][8] = { 31 | #include "base.h" 32 | } ; 33 | 34 | static void select(ge_precomp *t,int pos,signed char b) 35 | { 36 | ge_precomp minust; 37 | unsigned char bnegative = negative(b); 38 | unsigned char babs = b - (((-bnegative) & b) << 1); 39 | 40 | ge_precomp_0(t); 41 | cmov(t,&base[pos][0],equal(babs,1)); 42 | cmov(t,&base[pos][1],equal(babs,2)); 43 | cmov(t,&base[pos][2],equal(babs,3)); 44 | cmov(t,&base[pos][3],equal(babs,4)); 45 | cmov(t,&base[pos][4],equal(babs,5)); 46 | cmov(t,&base[pos][5],equal(babs,6)); 47 | cmov(t,&base[pos][6],equal(babs,7)); 48 | cmov(t,&base[pos][7],equal(babs,8)); 49 | fe_copy(minust.yplusx,t->yminusx); 50 | fe_copy(minust.yminusx,t->yplusx); 51 | fe_neg(minust.xy2d,t->xy2d); 52 | cmov(t,&minust,bnegative); 53 | } 54 | 55 | /* 56 | h = a * B 57 | where a = a[0]+256*a[1]+...+256^31 a[31] 58 | B is the Ed25519 base point (x,4/5) with x positive. 59 | 60 | Preconditions: 61 | a[31] <= 127 62 | */ 63 | 64 | void ge_scalarmult_base(ge_p3 *h,const unsigned char *a) 65 | { 66 | signed char e[64]; 67 | signed char carry; 68 | ge_p1p1 r; 69 | ge_p2 s; 70 | ge_precomp t; 71 | int i; 72 | 73 | for (i = 0;i < 32;++i) { 74 | e[2 * i + 0] = (a[i] >> 0) & 15; 75 | e[2 * i + 1] = (a[i] >> 4) & 15; 76 | } 77 | /* each e[i] is between 0 and 15 */ 78 | /* e[63] is between 0 and 7 */ 79 | 80 | carry = 0; 81 | for (i = 0;i < 63;++i) { 82 | e[i] += carry; 83 | carry = e[i] + 8; 84 | carry >>= 4; 85 | e[i] -= carry << 4; 86 | } 87 | e[63] += carry; 88 | /* each e[i] is between -8 and 8 */ 89 | 90 | ge_p3_0(h); 91 | for (i = 1;i < 64;i += 2) { 92 | select(&t,i / 2,e[i]); 93 | ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r); 94 | } 95 | 96 | ge_p3_dbl(&r,h); ge_p1p1_to_p2(&s,&r); 97 | ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r); 98 | ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r); 99 | ge_p2_dbl(&r,&s); ge_p1p1_to_p3(h,&r); 100 | 101 | for (i = 0;i < 64;i += 2) { 102 | select(&t,i / 2,e[i]); 103 | ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r); 104 | } 105 | } 106 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_sub.c: -------------------------------------------------------------------------------- 1 | #include "ge.h" 2 | 3 | /* 4 | r = p - q 5 | */ 6 | 7 | void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q) 8 | { 9 | fe t0; 10 | #include "ge_sub.h" 11 | } 12 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_sub.h: -------------------------------------------------------------------------------- 1 | 2 | /* qhasm: enter ge_sub */ 3 | 4 | /* qhasm: fe X1 */ 5 | 6 | /* qhasm: fe Y1 */ 7 | 8 | /* qhasm: fe Z1 */ 9 | 10 | /* qhasm: fe Z2 */ 11 | 12 | /* qhasm: fe T1 */ 13 | 14 | /* qhasm: fe ZZ */ 15 | 16 | /* qhasm: fe YpX2 */ 17 | 18 | /* qhasm: fe YmX2 */ 19 | 20 | /* qhasm: fe T2d2 */ 21 | 22 | /* qhasm: fe X3 */ 23 | 24 | /* qhasm: fe Y3 */ 25 | 26 | /* qhasm: fe Z3 */ 27 | 28 | /* qhasm: fe T3 */ 29 | 30 | /* qhasm: fe YpX1 */ 31 | 32 | /* qhasm: fe YmX1 */ 33 | 34 | /* qhasm: fe A */ 35 | 36 | /* qhasm: fe B */ 37 | 38 | /* qhasm: fe C */ 39 | 40 | /* qhasm: fe D */ 41 | 42 | /* qhasm: YpX1 = Y1+X1 */ 43 | /* asm 1: fe_add(>YpX1=fe#1,YpX1=r->X,Y,X); */ 45 | fe_add(r->X,p->Y,p->X); 46 | 47 | /* qhasm: YmX1 = Y1-X1 */ 48 | /* asm 1: fe_sub(>YmX1=fe#2,YmX1=r->Y,Y,X); */ 50 | fe_sub(r->Y,p->Y,p->X); 51 | 52 | /* qhasm: A = YpX1*YmX2 */ 53 | /* asm 1: fe_mul(>A=fe#3,A=r->Z,X,YminusX); */ 55 | fe_mul(r->Z,r->X,q->YminusX); 56 | 57 | /* qhasm: B = YmX1*YpX2 */ 58 | /* asm 1: fe_mul(>B=fe#2,B=r->Y,Y,YplusX); */ 60 | fe_mul(r->Y,r->Y,q->YplusX); 61 | 62 | /* qhasm: C = T2d2*T1 */ 63 | /* asm 1: fe_mul(>C=fe#4,C=r->T,T2d,T); */ 65 | fe_mul(r->T,q->T2d,p->T); 66 | 67 | /* qhasm: ZZ = Z1*Z2 */ 68 | /* asm 1: fe_mul(>ZZ=fe#1,ZZ=r->X,Z,Z); */ 70 | fe_mul(r->X,p->Z,q->Z); 71 | 72 | /* qhasm: D = 2*ZZ */ 73 | /* asm 1: fe_add(>D=fe#5,D=t0,X,X); */ 75 | fe_add(t0,r->X,r->X); 76 | 77 | /* qhasm: X3 = A-B */ 78 | /* asm 1: fe_sub(>X3=fe#1,X3=r->X,Z,Y); */ 80 | fe_sub(r->X,r->Z,r->Y); 81 | 82 | /* qhasm: Y3 = A+B */ 83 | /* asm 1: fe_add(>Y3=fe#2,Y3=r->Y,Z,Y); */ 85 | fe_add(r->Y,r->Z,r->Y); 86 | 87 | /* qhasm: Z3 = D-C */ 88 | /* asm 1: fe_sub(>Z3=fe#3,Z3=r->Z,T); */ 90 | fe_sub(r->Z,t0,r->T); 91 | 92 | /* qhasm: T3 = D+C */ 93 | /* asm 1: fe_add(>T3=fe#4,T3=r->T,T); */ 95 | fe_add(r->T,t0,r->T); 96 | 97 | /* qhasm: return */ 98 | -------------------------------------------------------------------------------- /ed25519/ref10/ge_sub.q: -------------------------------------------------------------------------------- 1 | :name:fe:r->X:r->Y:r->Z:r->T:t0:t1:t2:t3:t4:t5:p->X:p->Y:p->Z:p->T:q->YplusX:q->YminusX:q->Z:q->T2d: 2 | fe r:var/r=fe: 3 | 4 | enter f:enter/f:>X1=fe#11:>Y1=fe#12:>Z1=fe#13:>T1=fe#14:>YpX2=fe#15:>YmX2=fe#16:>Z2=fe#17:>T2d2=fe#18: 5 | return:nofallthrough:h=fe:asm/fe_add(>h,h=fe:asm/fe_sub(>h,h=fe:asm/fe_mul(>h,h=fe:asm/fe_sq(>h,h=fe:asm/fe_add(>h,Z); 10 | fe_mul(x,h->X,recip); 11 | fe_mul(y,h->Y,recip); 12 | fe_tobytes(s,y); 13 | s[31] ^= fe_isnegative(x) << 7; 14 | } 15 | -------------------------------------------------------------------------------- /ed25519/ref10/keypair.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "randombytes.h" 3 | #include "crypto_sign.h" 4 | #include "crypto_hash_sha512.h" 5 | #include "ge.h" 6 | 7 | int crypto_sign_seckey_expand(unsigned char *sk,const unsigned char *seed) 8 | { 9 | crypto_hash_sha512(sk,seed,32); 10 | sk[0] &= 248; 11 | sk[31] &= 63; 12 | sk[31] |= 64; 13 | 14 | return 0; 15 | } 16 | 17 | int crypto_sign_seckey(unsigned char *sk) 18 | { 19 | unsigned char seed[32]; 20 | 21 | if (randombytes(seed,32) < 0) 22 | return -1; 23 | 24 | crypto_sign_seckey_expand(sk,seed); 25 | 26 | return 0; 27 | } 28 | 29 | int crypto_sign_pubkey(unsigned char *pk,const unsigned char *sk) 30 | { 31 | ge_p3 A; 32 | 33 | ge_scalarmult_base(&A,sk); 34 | ge_p3_tobytes(pk,&A); 35 | 36 | return 0; 37 | } 38 | 39 | 40 | int crypto_sign_keypair(unsigned char *pk,unsigned char *sk) 41 | { 42 | crypto_sign_seckey(sk); 43 | crypto_sign_pubkey(pk,sk); 44 | 45 | return 0; 46 | } 47 | -------------------------------------------------------------------------------- /ed25519/ref10/open.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "crypto_sign.h" 3 | #include "crypto_hash_sha512.h" 4 | #include "crypto_verify_32.h" 5 | #include "ge.h" 6 | #include "sc.h" 7 | 8 | int crypto_sign_open( 9 | unsigned char *m,unsigned long long *mlen, 10 | const unsigned char *sm,unsigned long long smlen, 11 | const unsigned char *pk 12 | ) 13 | { 14 | unsigned char pkcopy[32]; 15 | unsigned char rcopy[32]; 16 | unsigned char scopy[32]; 17 | unsigned char h[64]; 18 | unsigned char rcheck[32]; 19 | ge_p3 A; 20 | ge_p2 R; 21 | 22 | if (smlen < 64) goto badsig; 23 | if (sm[63] & 224) goto badsig; 24 | if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig; 25 | 26 | memmove(pkcopy,pk,32); 27 | memmove(rcopy,sm,32); 28 | memmove(scopy,sm + 32,32); 29 | 30 | memmove(m,sm,smlen); 31 | memmove(m + 32,pkcopy,32); 32 | crypto_hash_sha512(h,m,smlen); 33 | sc_reduce(h); 34 | 35 | ge_double_scalarmult_vartime(&R,h,&A,scopy); 36 | ge_tobytes(rcheck,&R); 37 | if (crypto_verify_32(rcheck,rcopy) == 0) { 38 | memmove(m,m + 64,smlen - 64); 39 | memset(m + smlen - 64,0,64); 40 | *mlen = smlen - 64; 41 | return 0; 42 | } 43 | 44 | badsig: 45 | *mlen = -1; 46 | memset(m,0,smlen); 47 | return -1; 48 | } 49 | -------------------------------------------------------------------------------- /ed25519/ref10/pow22523.q: -------------------------------------------------------------------------------- 1 | :name:fe:t0:t1:t2:t3:t4:t5:t6:t7:t8:t9:z:out: 2 | fe r:var/r=fe: 3 | 4 | enter f:enter/f:>z1=fe#11: 5 | return:nofallthrough:h=fe:asm/fe_mul(>h,h=fe:#k:asm/fe_sq(>h,h,>h);: 9 | 10 | : 11 | 12 | fe z1 13 | fe z2 14 | fe z8 15 | fe z9 16 | fe z11 17 | fe z22 18 | fe z_5_0 19 | fe z_10_5 20 | fe z_10_0 21 | fe z_20_10 22 | fe z_20_0 23 | fe z_40_20 24 | fe z_40_0 25 | fe z_50_10 26 | fe z_50_0 27 | fe z_100_50 28 | fe z_100_0 29 | fe z_200_100 30 | fe z_200_0 31 | fe z_250_50 32 | fe z_250_0 33 | fe z_252_2 34 | fe z_252_3 35 | 36 | enter pow22523 37 | 38 | z2 = z1^2^1 39 | z8 = z2^2^2 40 | z9 = z1*z8 41 | z11 = z2*z9 42 | z22 = z11^2^1 43 | z_5_0 = z9*z22 44 | z_10_5 = z_5_0^2^5 45 | z_10_0 = z_10_5*z_5_0 46 | z_20_10 = z_10_0^2^10 47 | z_20_0 = z_20_10*z_10_0 48 | z_40_20 = z_20_0^2^20 49 | z_40_0 = z_40_20*z_20_0 50 | z_50_10 = z_40_0^2^10 51 | z_50_0 = z_50_10*z_10_0 52 | z_100_50 = z_50_0^2^50 53 | z_100_0 = z_100_50*z_50_0 54 | z_200_100 = z_100_0^2^100 55 | z_200_0 = z_200_100*z_100_0 56 | z_250_50 = z_200_0^2^50 57 | z_250_0 = z_250_50*z_50_0 58 | z_252_2 = z_250_0^2^2 59 | z_252_3 = z_252_2*z1 60 | 61 | return 62 | -------------------------------------------------------------------------------- /ed25519/ref10/pow225521.q: -------------------------------------------------------------------------------- 1 | :name:fe:t0:t1:t2:t3:t4:t5:t6:t7:t8:t9:z:out: 2 | fe r:var/r=fe: 3 | 4 | enter f:enter/f:>z1=fe#11: 5 | return:nofallthrough:h=fe:asm/fe_mul(>h,h=fe:#k:asm/fe_sq(>h,h,>h);: 9 | 10 | : 11 | 12 | fe z1 13 | fe z2 14 | fe z8 15 | fe z9 16 | fe z11 17 | fe z22 18 | fe z_5_0 19 | fe z_10_5 20 | fe z_10_0 21 | fe z_20_10 22 | fe z_20_0 23 | fe z_40_20 24 | fe z_40_0 25 | fe z_50_10 26 | fe z_50_0 27 | fe z_100_50 28 | fe z_100_0 29 | fe z_200_100 30 | fe z_200_0 31 | fe z_250_50 32 | fe z_250_0 33 | fe z_255_5 34 | fe z_255_21 35 | 36 | enter pow225521 37 | 38 | z2 = z1^2^1 39 | z8 = z2^2^2 40 | z9 = z1*z8 41 | z11 = z2*z9 42 | z22 = z11^2^1 43 | z_5_0 = z9*z22 44 | z_10_5 = z_5_0^2^5 45 | z_10_0 = z_10_5*z_5_0 46 | z_20_10 = z_10_0^2^10 47 | z_20_0 = z_20_10*z_10_0 48 | z_40_20 = z_20_0^2^20 49 | z_40_0 = z_40_20*z_20_0 50 | z_50_10 = z_40_0^2^10 51 | z_50_0 = z_50_10*z_10_0 52 | z_100_50 = z_50_0^2^50 53 | z_100_0 = z_100_50*z_50_0 54 | z_200_100 = z_100_0^2^100 55 | z_200_0 = z_200_100*z_100_0 56 | z_250_50 = z_200_0^2^50 57 | z_250_0 = z_250_50*z_50_0 58 | z_255_5 = z_250_0^2^5 59 | z_255_21 = z_255_5*z11 60 | 61 | return 62 | -------------------------------------------------------------------------------- /ed25519/ref10/q2h.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | sed 's/^#.*//' \ 3 | | qhasm-generic \ 4 | | sed 's_//\(.*\)$_/*\1 */_' 5 | -------------------------------------------------------------------------------- /ed25519/ref10/randombytes.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | static inline int randombytes_wrap(unsigned char *b,size_t l) 4 | { 5 | randombytes(b,l); 6 | return 0; 7 | } 8 | #define randombytes randombytes_wrap 9 | -------------------------------------------------------------------------------- /ed25519/ref10/sc.h: -------------------------------------------------------------------------------- 1 | #ifndef SC_H 2 | #define SC_H 3 | 4 | /* 5 | The set of scalars is \Z/l 6 | where l = 2^252 + 27742317777372353535851937790883648493. 7 | */ 8 | 9 | #define sc_reduce CRYPTO_NAMESPACE(sc_reduce) 10 | #define sc_muladd CRYPTO_NAMESPACE(sc_muladd) 11 | 12 | extern void sc_reduce(unsigned char *); 13 | extern void sc_muladd(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *); 14 | 15 | #endif 16 | -------------------------------------------------------------------------------- /ed25519/ref10/sign.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "crypto_sign.h" 3 | #include "crypto_hash_sha512.h" 4 | #include "ge.h" 5 | #include "sc.h" 6 | 7 | int crypto_sign( 8 | unsigned char *sm,unsigned long long *smlen, 9 | const unsigned char *m,unsigned long long mlen, 10 | const unsigned char *sk 11 | ) 12 | { 13 | unsigned char pk[32]; 14 | unsigned char nonce[64]; 15 | unsigned char hram[64]; 16 | ge_p3 R; 17 | 18 | crypto_sign_pubkey(pk,sk); 19 | 20 | *smlen = mlen + 64; 21 | memmove(sm + 64,m,mlen); 22 | memmove(sm + 32,sk + 32,32); 23 | crypto_hash_sha512(nonce,sm + 32,mlen + 32); 24 | memmove(sm + 32,pk,32); 25 | 26 | sc_reduce(nonce); 27 | ge_scalarmult_base(&R,nonce); 28 | ge_p3_tobytes(sm,&R); 29 | 30 | crypto_hash_sha512(hram,sm,mlen + 64); 31 | sc_reduce(hram); 32 | sc_muladd(sm + 32,hram,sk,nonce); 33 | 34 | return 0; 35 | } 36 | -------------------------------------------------------------------------------- /ed25519/ref10/sqrtm1.h: -------------------------------------------------------------------------------- 1 | -32595792,-7943725,9377950,3500415,12389472,-272473,-25146209,-2005654,326686,11406482 2 | -------------------------------------------------------------------------------- /ed25519/ref10/sqrtm1.py: -------------------------------------------------------------------------------- 1 | q = 2**255 - 19 2 | 3 | def expmod(b,e,m): 4 | if e == 0: return 1 5 | t = expmod(b,e/2,m)**2 % m 6 | if e & 1: t = (t*b) % m 7 | return t 8 | 9 | def inv(x): 10 | return expmod(x,q-2,q) 11 | 12 | def radix255(x): 13 | x = x % q 14 | if x + x > q: x -= q 15 | x = [x,0,0,0,0,0,0,0,0,0] 16 | bits = [26,25,26,25,26,25,26,25,26,25] 17 | for i in range(9): 18 | carry = (x[i] + 2**(bits[i]-1)) / 2**bits[i] 19 | x[i] -= carry * 2**bits[i] 20 | x[i + 1] += carry 21 | result = "" 22 | for i in range(9): 23 | result = result+str(x[i])+"," 24 | result = result+str(x[9]) 25 | return result 26 | 27 | I = expmod(2,(q-1)/4,q) 28 | print radix255(I) 29 | -------------------------------------------------------------------------------- /filters.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef INTFILTER 3 | # define BINFILTER 4 | #endif 5 | 6 | #ifdef PCRE2FILTER 7 | # undef BINFILTER 8 | # undef INTFILTER 9 | #endif 10 | 11 | #ifdef INTFILTER 12 | # ifdef BINSEARCH 13 | # ifndef BESORT 14 | # define OMITMASK 15 | # endif 16 | # endif 17 | #endif 18 | 19 | #ifdef OMITMASK 20 | # define EXPANDMASK 21 | #endif 22 | 23 | // whether binfilter struct is needed 24 | #ifdef BINFILTER 25 | # define NEEDBINFILTER 26 | #endif 27 | #ifdef INTFILTER 28 | # define NEEDBINFILTER 29 | #endif 30 | 31 | 32 | #ifdef NEEDBINFILTER 33 | 34 | # ifndef BINFILTERLEN 35 | # define BINFILTERLEN PUBLIC_LEN 36 | # endif 37 | 38 | struct binfilter { 39 | u8 f[BINFILTERLEN]; 40 | size_t len; // real len minus one 41 | u8 mask; 42 | } ; 43 | 44 | VEC_STRUCT(bfiltervec,struct binfilter); 45 | 46 | #ifdef BINFILTER 47 | extern struct bfiltervec filters; 48 | #endif 49 | 50 | #endif // NEEDBINFILTER 51 | 52 | 53 | 54 | #ifdef INTFILTER 55 | 56 | struct intfilter { 57 | IFT f; 58 | # ifndef OMITMASK 59 | IFT m; 60 | # endif 61 | } ; 62 | 63 | VEC_STRUCT(ifiltervec,struct intfilter); 64 | 65 | extern struct ifiltervec filters; 66 | 67 | # ifdef OMITMASK 68 | extern IFT ifiltermask; 69 | # endif 70 | 71 | #endif // INTFILTER 72 | 73 | 74 | 75 | #ifdef PCRE2FILTER 76 | 77 | #define PCRE2_CODE_UNIT_WIDTH 8 78 | #include 79 | 80 | struct pcre2filter { 81 | char *str; 82 | pcre2_code *re; 83 | } ; 84 | 85 | VEC_STRUCT(pfiltervec,struct pcre2filter); 86 | 87 | extern struct pfiltervec filters; 88 | 89 | #endif // PCRE2FILTER 90 | 91 | 92 | extern int flattened; 93 | 94 | extern void filters_init(void); 95 | extern void filters_add(const char *filter); 96 | extern size_t filters_count(void); 97 | -------------------------------------------------------------------------------- /filters_common.inc.h: -------------------------------------------------------------------------------- 1 | #ifdef INTFILTER 2 | 3 | static inline size_t S(filter_len)(size_t i) 4 | { 5 | # ifndef OMITMASK 6 | const u8 *m = (const u8 *)&VEC_BUF(filters,i).m; 7 | # else // OMITMASK 8 | (void) i; 9 | const u8 *m = (const u8 *)&ifiltermask; 10 | # endif // OMITMASK 11 | size_t c = 0; 12 | for (size_t j = 0;;) { 13 | u8 v = m[j]; 14 | for (size_t k = 0;;) { 15 | if (!v) 16 | return c; 17 | ++c; 18 | if (++k >= 8) 19 | break; 20 | v <<= 1; 21 | } 22 | if (++j >= sizeof(IFT)) 23 | break; 24 | } 25 | return c; 26 | } 27 | #define filter_len S(filter_len) 28 | 29 | #endif // INTFILTER 30 | 31 | #ifdef BINFILTER 32 | 33 | static inline size_t S(filter_len)(size_t i) 34 | { 35 | size_t c = VEC_BUF(filters,i).len * 8; 36 | u8 v = VEC_BUF(filters,i).mask; 37 | for (size_t k = 0;;) { 38 | if (!v) 39 | return c; 40 | ++c; 41 | if (++k >= 8) 42 | return c; 43 | v <<= 1; 44 | } 45 | } 46 | #define filter_len S(filter_len) 47 | 48 | #endif // BINFILTER 49 | 50 | #ifdef PCRE2FILTER 51 | 52 | #define filter_len(i) ((pcre2ovector[1] - pcre2ovector[0]) * 5) 53 | 54 | #endif // PCRE2FILTER 55 | -------------------------------------------------------------------------------- /filters_inc.inc.h: -------------------------------------------------------------------------------- 1 | #define S(x) x 2 | -------------------------------------------------------------------------------- /hex.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | static const char hext[] = "0123456789ABCDEF"; 4 | static void printhex(const unsigned char *z,size_t l) 5 | { 6 | printf("["); 7 | for (size_t i = 0;i < l;++i) { 8 | printf("%c%c",hext[*z >> 4],hext[*z & 0xF]); 9 | ++z; 10 | } 11 | printf("]\n"); 12 | } 13 | 14 | static void printbin(const unsigned char *z,size_t l) 15 | { 16 | printf("["); 17 | for (size_t i = 0;i < l;++i) { 18 | printf("%c%c%c%c%c%c%c%c", 19 | hext[(*z >> 7) & 1], 20 | hext[(*z >> 6) & 1], 21 | hext[(*z >> 5) & 1], 22 | hext[(*z >> 4) & 1], 23 | hext[(*z >> 3) & 1], 24 | hext[(*z >> 2) & 1], 25 | hext[(*z >> 1) & 1], 26 | hext[(*z ) & 1]); 27 | ++z; 28 | } 29 | printf("]\n"); 30 | } 31 | -------------------------------------------------------------------------------- /ifilter_bitsum.h: -------------------------------------------------------------------------------- 1 | 2 | #ifdef EXPANDMASK 3 | 4 | #ifdef __GNUC__ 5 | 6 | static IFT ifilter_bitsum(IFT x) 7 | { 8 | if (sizeof(IFT) == 16) 9 | return (((IFT) 1) << 10 | (__builtin_popcountll((unsigned long long) (x >> (sizeof(IFT) * 8 / 2))) + 11 | __builtin_popcountll((unsigned long long) x))) - 1; 12 | if (sizeof(IFT) == 8) 13 | return (((IFT) 1) << __builtin_popcountll((unsigned long long) x)) - 1; 14 | 15 | return (((IFT) 1) << __builtin_popcount((unsigned int) x)) - 1; 16 | } 17 | 18 | #else // __GNUC__ 19 | 20 | static IFT ifilter_bitsum(IFT x) 21 | { 22 | int v = 0; 23 | while (x != 0) { 24 | x &= x - 1; 25 | v++; 26 | } 27 | return (((IFT) 1) << v) - 1; 28 | } 29 | 30 | #endif // __GNUC__ 31 | 32 | #endif // EXPANDMASK 33 | -------------------------------------------------------------------------------- /ioutil.h: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _WIN32 3 | 4 | typedef int FH; 5 | #define FH_invalid -1 6 | 7 | #else 8 | 9 | #define UNICODE 1 10 | #include 11 | typedef HANDLE FH; 12 | #define FH_invalid INVALID_HANDLE_VALUE 13 | 14 | #endif 15 | 16 | FH createfile(const char *path,int secret); 17 | int closefile(FH fd); 18 | int writeall(FH,const u8 *data,size_t len); 19 | int writetofile(const char *path,const u8 *data,size_t len,int secret); 20 | int createdir(const char *path,int secret); 21 | int syncwrite(const char *filename,int secret,const u8 *data,size_t datalen); 22 | -------------------------------------------------------------------------------- /keccak.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include "types.h" 3 | #include "keccak.h" 4 | #define FOR(i,n) for(i=0; i>1; } 8 | #define ROL(a,o) ((((u64)a)<>(64-o))) 9 | static u64 load64(const u8 *x) { ui i; u64 u=0; FOR(i,8) { u<<=8; u|=x[7-i]; } return u; } 10 | static void store64(u8 *x, u64 u) { ui i; FOR(i,8) { x[i]=u; u>>=8; } } 11 | static void xor64(u8 *x, u64 u) { ui i; FOR(i,8) { x[i]^=u; u>>=8; } } 12 | #define rL(x,y) load64((u8*)s+8*(x+5*y)) 13 | #define wL(x,y,l) store64((u8*)s+8*(x+5*y),l) 14 | #define XL(x,y,l) xor64((u8*)s+8*(x+5*y),l) 15 | static void KeccakF1600(void *s) 16 | { 17 | ui r,x,y,i,j,Y; u8 R=0x01; u64 C[5],D; 18 | for(i=0; i<24; i++) { 19 | /*θ*/ FOR(x,5) C[x]=rL(x,0)^rL(x,1)^rL(x,2)^rL(x,3)^rL(x,4); FOR(x,5) { D=C[(x+4)%5]^ROL(C[(x+1)%5],1); FOR(y,5) XL(x,y,D); } 20 | /*ρπ*/ x=1; y=r=0; D=rL(x,y); FOR(j,24) { r+=j+1; Y=(2*x+3*y)%5; x=y; y=Y; C[0]=rL(x,y); wL(x,y,ROL(D,r%64)); D=C[0]; } 21 | /*χ*/ FOR(y,5) { FOR(x,5) C[x]=rL(x,y); FOR(x,5) wL(x,y,C[x]^((~C[(x+1)%5])&C[(x+2)%5])); } 22 | /*ι*/ FOR(j,7) if (LFSR86540(&R)) XL(0,0,(u64)1<<((1<0) { b=(inLen0) { b=(outLen0) KeccakF1600(s); } 31 | } 32 | -------------------------------------------------------------------------------- /keccak.h: -------------------------------------------------------------------------------- 1 | 2 | void Keccak(u32 r, const u8 *in, u64 inLen, u8 sfx, u8 *out, u64 outLen); 3 | 4 | #define FIPS202_SHA3_224_LEN 28 5 | #define FIPS202_SHA3_256_LEN 32 6 | #define FIPS202_SHA3_384_LEN 48 7 | #define FIPS202_SHA3_512_LEN 64 8 | 9 | static inline void FIPS202_SHAKE128(const u8 *in, u64 inLen, u8 *out, u64 outLen) { Keccak(1344, in, inLen, 0x1F, out, outLen); } 10 | static inline void FIPS202_SHAKE256(const u8 *in, u64 inLen, u8 *out, u64 outLen) { Keccak(1088, in, inLen, 0x1F, out, outLen); } 11 | static inline void FIPS202_SHA3_224(const u8 *in, u64 inLen, u8 *out) { Keccak(1152, in, inLen, 0x06, out, 28); } 12 | static inline void FIPS202_SHA3_256(const u8 *in, u64 inLen, u8 *out) { Keccak(1088, in, inLen, 0x06, out, 32); } 13 | static inline void FIPS202_SHA3_384(const u8 *in, u64 inLen, u8 *out) { Keccak(832, in, inLen, 0x06, out, 48); } 14 | static inline void FIPS202_SHA3_512(const u8 *in, u64 inLen, u8 *out) { Keccak(576, in, inLen, 0x06, out, 64); } 15 | -------------------------------------------------------------------------------- /likely.h: -------------------------------------------------------------------------------- 1 | #ifdef __GNUC__ 2 | #define likely(x) __builtin_expect(!!(x), 1) 3 | #define unlikely(x) __builtin_expect(!!(x), 0) 4 | #else 5 | #define likely(x) (x) 6 | #define unlikely(x) (x) 7 | #endif 8 | -------------------------------------------------------------------------------- /test_base16.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "types.h" 4 | #include "base16.h" 5 | #include 6 | #include 7 | #include 8 | 9 | /* 10 | BASE16("") = "" 11 | BASE16("f") = "66" 12 | BASE16("fo") = "666F" 13 | BASE16("foo") = "666F6F" 14 | BASE16("foob") = "666F6F62" 15 | BASE16("fooba") = "666F6F6261" 16 | BASE16("foobar") = "666F6F626172" 17 | */ 18 | 19 | struct texttestcase { 20 | const char *in; 21 | const char *out; 22 | const char *rev; 23 | } tests0[] = { 24 | {"", "", ""}, 25 | {"f", "66", "f"}, 26 | {"fo", "666F", "fo"}, 27 | {"foo", "666F6F", "foo"}, 28 | {"foob", "666F6F62", "foob"}, 29 | {"fooba", "666F6F6261", "fooba"}, 30 | {"foobar", "666F6F626172", "foobar"}, 31 | }; 32 | 33 | int main(void) 34 | { 35 | char buf[1024], buf2[1024], mask; 36 | size_t r; 37 | for (size_t i = 0; i < sizeof(tests0)/sizeof(tests0[0]); ++i) { 38 | base16_to(buf, (const u8 *)tests0[i].in, strlen(tests0[i].in)); 39 | assert(strcmp(buf, tests0[i].out) == 0); 40 | r = base16_from((u8 *)buf2, (u8 *)&mask, buf); 41 | buf2[r] = 0; 42 | //fprintf(stderr, "r:%d, mask:%02X\n", (int)r, ((unsigned int)mask) & 0xFF); 43 | //assert(r == strlen(buf2)); 44 | //assert(r == strlen(tests0[i].rev)); 45 | //fprintf(stderr, "%s -- %s\n", buf2, tests0[i].rev); 46 | assert(strcmp(buf2, tests0[i].rev) == 0); 47 | } 48 | 49 | return 0; 50 | } 51 | -------------------------------------------------------------------------------- /test_base32.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "types.h" 4 | #include "base32.h" 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | struct texttestcase { 11 | const char *in; 12 | const char *out; 13 | const char *rev; 14 | } tests0[] = { 15 | {"", "", ""}, 16 | {"f", "my", "f"}, 17 | {"fo", "mzxq", "fo"}, 18 | {"foo", "mzxw6", "foo"}, 19 | {"foob", "mzxw6yq", "foob"}, 20 | {"fooba", "mzxw6ytb", "fooba"}, 21 | {"foobar", "mzxw6ytboi", "foobar"}, 22 | }; 23 | 24 | /* 25 | r:0, mask:FF 26 | -- 27 | r:2, mask:C0 28 | f -- f 29 | r:3, mask:F0 30 | fo -- fo 31 | r:4, mask:80 32 | foo -- foo 33 | r:5, mask:E0 34 | foob -- foob 35 | r:5, mask:FF 36 | fooba -- fooba 37 | r:7, mask:C0 38 | foobar -- foobar 39 | */ 40 | 41 | /* 42 | struct masktestcase { 43 | const char *src; 44 | u8 mask; 45 | } tests1[] = { 46 | {"", 0x00}, 47 | {"a", 0x00}, 48 | {"ab", 0x00}, 49 | {"abc", 0x00}, 50 | {"abcd", 0x00}, 51 | {"abcde", 0x00}, 52 | {"abcdef", 0x00}, 53 | {"abcdefg", 0x00}, 54 | {"abcdefgh", 0x00}, 55 | {"abcdefghi", 0x00}, 56 | {"abcdefghij", 0x00}, 57 | }; 58 | */ 59 | 60 | int main(void) 61 | { 62 | char buf[1024], buf2[1024], mask; 63 | size_t r; 64 | for (size_t i = 0; i < sizeof(tests0)/sizeof(tests0[0]); ++i) { 65 | base32_to(buf, (const u8 *)tests0[i].in, strlen(tests0[i].in)); 66 | assert(strcmp(buf, tests0[i].out) == 0); 67 | r = base32_from((u8 *)buf2, (u8 *)&mask, buf); 68 | buf2[r] = 0; 69 | if (r > 0) { 70 | assert((buf2[r-1] & ~mask) == 0); 71 | } 72 | //fprintf(stderr, "r:%d, mask:%02X\n", (int)r, ((unsigned int)mask) & 0xFF); 73 | //assert(r == strlen(buf2)); 74 | //assert(r == strlen(tests0[i].rev)); 75 | //fprintf(stderr, "%s -- %s\n", buf2, tests0[i].rev); 76 | assert(strcmp(buf2, tests0[i].rev) == 0); 77 | } 78 | 79 | //randombytes_buf(buf, 128); 80 | //base32_to(buf2, (const u8 *)buf, 128); 81 | //fprintf(stderr, ">%s\n", buf2); 82 | 83 | return 0; 84 | } 85 | -------------------------------------------------------------------------------- /test_base64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "types.h" 4 | #include "base64.h" 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | struct texttestcase { 11 | const char *in; 12 | const char *out; 13 | } tests0[] = { 14 | { "" ,"" }, 15 | { "f" ,"Zg==" }, 16 | { "fo" ,"Zm8=" }, 17 | { "foo" ,"Zm9v" }, 18 | { "foob" ,"Zm9vYg==" }, 19 | { "fooba" ,"Zm9vYmE=" }, 20 | { "foobar","Zm9vYmFy" }, 21 | 22 | { "foobarf" ,"Zm9vYmFyZg==" }, 23 | { "foobarfo" ,"Zm9vYmFyZm8=" }, 24 | { "foobarfoo" ,"Zm9vYmFyZm9v" }, 25 | { "foobarfoob" ,"Zm9vYmFyZm9vYg==" }, 26 | { "foobarfooba" ,"Zm9vYmFyZm9vYmE=" }, 27 | { "foobarfoobar","Zm9vYmFyZm9vYmFy" }, 28 | }; 29 | 30 | int main(void) 31 | { 32 | char buf[1024], buf2[1024]; 33 | size_t r; 34 | for (size_t i = 0; i < sizeof(tests0)/sizeof(tests0[0]); ++i) { 35 | base64_to(buf, (const u8 *)tests0[i].in, strlen(tests0[i].in)); 36 | if (strcmp(buf, tests0[i].out) != 0) { 37 | printf("invalid encoding result: \"%s\" -> encoded as \"%s\", but expected \"%s\".\n", 38 | tests0[i].in, buf, tests0[i].out); 39 | return 1; 40 | } 41 | if (strlen(buf) != BASE64_TO_LEN(strlen(tests0[i].in))) { 42 | printf("encoded length mismatch: got %d expected %d\n", 43 | (int) strlen(buf), (int) BASE64_TO_LEN(strlen(tests0[i].in))); 44 | return 1; 45 | } 46 | if (!base64_valid(buf,0)) { 47 | printf("encoded data is considered invalid\n"); 48 | return 1; 49 | } 50 | r = base64_from((u8 *)buf2, buf, strlen(buf)); 51 | buf2[r] = '\000'; 52 | if (strcmp(buf2, tests0[i].in) != 0) { 53 | printf("invalid decoding result: encoded \"%s\", decoded as \"%s\", but expected \"%s\".\n", 54 | tests0[i].out, buf2, tests0[i].in); 55 | return 1; 56 | } 57 | } 58 | return 0; 59 | } 60 | -------------------------------------------------------------------------------- /test_ed25519.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include "types.h" 7 | #include "base16.h" 8 | #include "ed25519/ed25519.h" 9 | #include "ed25519/ed25519_impl_pre.h" 10 | #include "testutil.h" 11 | 12 | struct pktest { 13 | const char *seed; 14 | const char *secret; 15 | const char *public; 16 | } test0[] = { 17 | { 18 | "26c76712d89d906e6672dafa614c42e5cb1caac8c6568e4d2493087db51f0d36", 19 | "c0a4de23cc64392d85aa1da82b3defddbea946d13bb053bf8489fa9296281f49" 20 | "5022f1f7ec0dcf52f07d4c7965c4eaed121d5d88d0a8ff546b06116a20e97755", 21 | "c2247870536a192d142d056abefca68d6193158e7c1a59c1654c954eccaff894", 22 | }, 23 | { 24 | "fba7a5366b5cb98c2667a18783f5cf8f4f8d1a2ce939ad22a6e685edde85128d", 25 | "18a8a69a06790dac778e882f7e868baacfa12521a5c058f5194f3a729184514a" 26 | "2a656fe7799c3e41f43d756da8d9cd47a061316cfe6147e23ea2f90d1ca45f30", 27 | "1519a3b15816a1aafab0b213892026ebf5c0dc232c58b21088d88cb90e9b940d" 28 | }, 29 | }; 30 | 31 | #define SEEDBYTES 32 32 | #define SECRETKEYBYTES 64 33 | #define PUBLICKEYBYTES 32 34 | 35 | int main(void) 36 | { 37 | u8 seedbuf[SEEDBYTES]; 38 | u8 secretbuf1[SECRETKEYBYTES]; 39 | u8 secretbuf2[SECRETKEYBYTES]; 40 | u8 publicbuf1[PUBLICKEYBYTES]; 41 | u8 publicbuf2[PUBLICKEYBYTES]; 42 | u8 mask; 43 | char str1[1024], str2[1024]; 44 | for (size_t i = 0; i < sizeof(test0)/sizeof(test0[0]); ++i) { 45 | base16_from(seedbuf, &mask, test0[i].seed); 46 | base16_from(secretbuf1, &mask, test0[i].secret); 47 | base16_from(publicbuf1, &mask, test0[i].public); 48 | ed25519_seckey_expand(secretbuf2, seedbuf); 49 | WARNF(memcmp(secretbuf1, secretbuf2, SECRETKEYBYTES) == 0) { 50 | base16_to(str1, secretbuf1, sizeof(secretbuf1)); 51 | base16_to(str2, secretbuf2, sizeof(secretbuf2)); 52 | fprintf(stderr, "expected: %s got %s\n", str1, str2); 53 | } 54 | ed25519_pubkey(publicbuf2, secretbuf1); 55 | WARNF(memcmp(publicbuf1, publicbuf2, PUBLICKEYBYTES) == 0) { 56 | base16_to(str1, publicbuf1, sizeof(publicbuf1)); 57 | base16_to(str2, publicbuf2, sizeof(publicbuf2)); 58 | fprintf(stderr, "expected: %s got %s\n", str1, str2); 59 | } 60 | } 61 | 62 | return 0; 63 | } 64 | 65 | #include "ed25519/ed25519_impl_post.h" 66 | -------------------------------------------------------------------------------- /testutil.h: -------------------------------------------------------------------------------- 1 | 2 | #define WARN(test) if (!(test)) \ 3 | fprintf(stderr, "check failed @ %d: %s\n", (int)__LINE__, #test) 4 | 5 | #define WARNF(test) if (!(test) && ((void) fprintf(stderr, "check failed @ %d: %s\n", (int)__LINE__, #test), 1)) 6 | -------------------------------------------------------------------------------- /types.h: -------------------------------------------------------------------------------- 1 | 2 | #define U8_MAX UINT8_MAX 3 | #define I8_MIN INT8_MIN 4 | #define I8_MAX INT8_MAX 5 | #define U16_MAX UINT16_MAX 6 | #define I16_MIN INT16_MIN 7 | #define I16_MAX INT16_MAX 8 | #define U32_MAX UINT32_MAX 9 | #define I32_MIN INT32_MIN 10 | #define I32_MAX INT32_MAX 11 | #define U64_MAX UINT64_MAX 12 | #define I64_MIN INT64_MIN 13 | #define I64_MAX INT64_MAX 14 | 15 | typedef uint8_t u8; 16 | typedef int8_t i8; 17 | typedef uint16_t u16; 18 | typedef int16_t i16; 19 | typedef uint32_t u32; 20 | typedef int32_t i32; 21 | typedef uint64_t u64; 22 | typedef int64_t i64; 23 | -------------------------------------------------------------------------------- /vec.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include "vec.h" 5 | 6 | void vec_add1(struct vec_basestruct *ctl,size_t sz) 7 | { 8 | if (!ctl->alen) { 9 | ctl->alen = 8; 10 | if (SIZE_MAX / 8 < sz) 11 | ctl->alen = 1; 12 | ctl->buf = malloc(ctl->alen * sz); 13 | if (!ctl->buf) 14 | abort(); 15 | } else if (ctl->len >= ctl->alen) { 16 | ctl->alen *= 2; 17 | if (SIZE_MAX / ctl->alen < sz) 18 | abort(); 19 | ctl->buf = realloc(ctl->buf,ctl->alen * sz); 20 | if (!ctl->buf) 21 | abort(); 22 | } 23 | ++ctl->len; 24 | } 25 | 26 | void vec_addn(struct vec_basestruct *ctl,size_t sz,size_t n) 27 | { 28 | if (!ctl->alen) { 29 | if (SIZE_MAX / 8 >= sz) 30 | ctl->alen = 8; 31 | else 32 | ctl->alen = 1; 33 | } 34 | size_t nlen = ctl->alen; 35 | ctl->len += n; 36 | while (ctl->len > nlen) 37 | nlen *= 2; 38 | if (nlen > ctl->alen) { 39 | ctl->alen = nlen; 40 | if (SIZE_MAX / nlen < sz) 41 | abort(); 42 | ctl->buf = realloc(ctl->buf,nlen * sz); 43 | if (!ctl->buf) 44 | abort(); 45 | } else if (!ctl->buf) { 46 | ctl->buf = malloc(ctl->alen * sz); 47 | if (!ctl->buf) 48 | abort(); 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /vec.h: -------------------------------------------------------------------------------- 1 | #define VEC_STRUCT(typename,inttype) \ 2 | struct typename { \ 3 | inttype *buf; \ 4 | size_t len,alen; \ 5 | } 6 | VEC_STRUCT(vec_basestruct,void) ; 7 | 8 | #define VEC_INIT(ctl) memset(&ctl,0,sizeof(ctl)) 9 | 10 | #define VEC_ELSIZE(ctl) (sizeof(*(ctl).buf)) 11 | 12 | void vec_add1(struct vec_basestruct *ctl,size_t sz); 13 | #define VEC_ADD1(ctl) \ 14 | vec_add1((struct vec_basestruct *)&(ctl),VEC_ELSIZE(ctl)) 15 | #define VEC_ADD(ctl,val) \ 16 | do { \ 17 | VEC_ADD1(ctl); \ 18 | (ctl).buf[(ctl).len - 1] = (val); \ 19 | } while (0) 20 | 21 | void vec_addn(struct vec_basestruct *ctl,size_t sz,size_t n); 22 | #define VEC_ADDN(ctl,n) \ 23 | vec_addn((struct vec_basestruct *)&(ctl),VEC_ELSIZE(ctl),(size_t)(n)) 24 | 25 | #define VEC_SETLENGTH(ctl,n) \ 26 | do { \ 27 | (ctl).len = n; \ 28 | } while (0) 29 | 30 | #define VEC_REMOVEN(ctl,n,m) \ 31 | do { \ 32 | (ctl).len -= m; \ 33 | memmove( \ 34 | &(ctl).buf[n], \ 35 | &(ctl).buf[(n) + (m)], \ 36 | ((ctl).len - (n)) * VEC_ELSIZE(ctl)); \ 37 | } while (0) 38 | #define VEC_REMOVE(ctl,n) VEC_REMOVEN(ctl,n,1) 39 | 40 | #define VEC_INSERT1(ctl,n) \ 41 | do { \ 42 | VEC_ADD1(ctl); \ 43 | memmove( \ 44 | &(ctl).buf[(n) + 1], \ 45 | &(ctl).buf[n], \ 46 | ((ctl).len - (n) - 1) * VEC_ELSIZE(ctl)); \ 47 | } while (0) 48 | #define VEC_INSERT(ctl,n,val) \ 49 | do { \ 50 | VEC_INSERT1(ctl,n); \ 51 | (ctl).buf[n] = (val); \ 52 | } while (0) 53 | 54 | #define VEC_INSERTN(ctl,n,m) \ 55 | do { \ 56 | VEC_ADDN(ctl,m); \ 57 | memmove( \ 58 | &(ctl).buf[(n) + (m)], \ 59 | &(ctl).buf[n], \ 60 | ((ctl).len - (n) - (m)) * VEC_ELSIZE(ctl)); \ 61 | } while (0) 62 | 63 | #define VEC_ZERO(ctl) \ 64 | do { \ 65 | if ((ctl).buf) \ 66 | memset((ctl).buf,0,(ctl).len * VEC_ELSIZE(ctl)); \ 67 | } while (0) 68 | 69 | #define VEC_FREE(ctl) \ 70 | do { \ 71 | free((ctl).buf); \ 72 | memset(&(ctl), 0, sizeof(ctl)); \ 73 | } while (0) 74 | 75 | #define VEC_LENGTH(ctl) ((ctl).len) 76 | #define VEC_BUF(ctl,num) ((ctl).buf[num]) 77 | 78 | #define VEC_FOR(ctl,it) for (size_t it = 0;it < VEC_LENGTH((ctl));++it) 79 | -------------------------------------------------------------------------------- /worker.h: -------------------------------------------------------------------------------- 1 | 2 | extern pthread_mutex_t keysgenerated_mutex; 3 | extern volatile size_t keysgenerated; 4 | extern volatile int endwork; 5 | 6 | extern int yamloutput; 7 | extern int yamlraw; 8 | extern int numwords; 9 | extern size_t numneedgenerate; 10 | 11 | extern char *workdir; 12 | extern size_t workdirlen; 13 | 14 | // statistics, if enabled 15 | #ifdef STATISTICS 16 | struct statstruct { 17 | union { 18 | u32 v; 19 | size_t align; 20 | } numcalc; 21 | union { 22 | u32 v; 23 | size_t align; 24 | } numsuccess; 25 | union { 26 | u32 v; 27 | size_t align; 28 | } numrestart; 29 | } ; 30 | VEC_STRUCT(statsvec,struct statstruct); 31 | #endif 32 | 33 | #ifdef PASSPHRASE 34 | extern pthread_mutex_t determseed_mutex; 35 | extern u8 determseed[SEED_LEN]; 36 | extern int pw_skipnear; 37 | extern int pw_warnnear; 38 | #endif 39 | 40 | extern void worker_init(void); 41 | 42 | extern char *makesname(void); 43 | extern size_t worker_batch_memuse(void); 44 | 45 | extern void *CRYPTO_NAMESPACE(worker_batch)(void *task); 46 | #ifdef PASSPHRASE 47 | extern void *CRYPTO_NAMESPACE(worker_batch_pass)(void *task); 48 | #endif 49 | -------------------------------------------------------------------------------- /worker_impl.inc.h: -------------------------------------------------------------------------------- 1 | 2 | #include "ed25519/ed25519_impl_pre.h" 3 | 4 | static size_t CRYPTO_NAMESPACE(worker_batch_memuse)(void) 5 | { 6 | return (sizeof(ge_p3) + sizeof(fe) + sizeof(bytes32)) * BATCHNUM; 7 | } 8 | 9 | #include "worker_batch.inc.h" 10 | #include "worker_batch_pass.inc.h" 11 | 12 | #include "ed25519/ed25519_impl_post.h" 13 | -------------------------------------------------------------------------------- /yaml.h: -------------------------------------------------------------------------------- 1 | extern void yamlout_init(void); 2 | extern void yamlout_clean(void); 3 | extern void yamlout_writekeys( 4 | const char *hostname,const u8 *publickey,const u8 *secretkey,int rawkeys); 5 | extern int yamlin_parseandcreate( 6 | FILE *fin,char *sname,const char *hostname,int rawkeys); 7 | --------------------------------------------------------------------------------