├── randombytes.c ├── randombytes.h ├── .gitmodules ├── .editorconfig ├── .gitignore ├── .travis.yml ├── test_hazmat.c ├── Makefile ├── test_sss.c ├── LICENSE ├── sss.h ├── hazmat.h ├── sss.c ├── hazmat.c ├── README.md ├── tweetnacl.c └── tweetnacl.h /randombytes.c: -------------------------------------------------------------------------------- 1 | randombytes/randombytes.c -------------------------------------------------------------------------------- /randombytes.h: -------------------------------------------------------------------------------- 1 | randombytes/randombytes.h -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "randombytes"] 2 | path = randombytes 3 | url = https://github.com/dsprenkels/randombytes.git 4 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | [*.{c,h}] 2 | indent_style = tab 3 | indent_size = 8 4 | 5 | [Makefile] 6 | indent_style = tab 7 | indent_size = 8 8 | 9 | [*.yml] 10 | indent_style = space 11 | indent_size = 2 12 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Object files 5 | *.o 6 | *.ko 7 | *.obj 8 | *.elf 9 | 10 | # Linker output 11 | *.ilk 12 | *.map 13 | *.exp 14 | 15 | # Precompiled Headers 16 | *.gch 17 | *.pch 18 | 19 | # Libraries 20 | *.lib 21 | *.a 22 | *.la 23 | *.lo 24 | 25 | # Shared objects (inc. Windows DLLs) 26 | *.dll 27 | *.so 28 | *.so.* 29 | *.dylib 30 | 31 | # Executables 32 | *.exe 33 | *.out 34 | *.app 35 | *.i*86 36 | *.x86_64 37 | *.hex 38 | 39 | # Debug files 40 | *.dSYM/ 41 | *.su 42 | *.idb 43 | *.pdb 44 | 45 | # Kernel Module Compile Results 46 | *.mod* 47 | *.cmd 48 | .tmp_versions/ 49 | modules.order 50 | Module.symvers 51 | Mkfile.old 52 | dkms.conf 53 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: c 2 | 3 | os: 4 | - linux 5 | - osx 6 | 7 | compiler: 8 | - gcc 9 | - clang 10 | 11 | env: 12 | - USE_VALGRIND=1 13 | - USE_ASAN=1 14 | 15 | matrix: 16 | exclude: 17 | - compiler: gcc 18 | env: USE_ASAN=1 19 | - os: osx 20 | env: USE_VALGRIND=1 21 | include: 22 | - os: osx 23 | compiler: gcc 24 | env: "" 25 | 26 | addons: 27 | apt: 28 | packages: 29 | - valgrind 30 | 31 | before_script: 32 | - if [[ "$USE_VALGRIND" ]]; then export MEMCHECK="valgrind -q --leak-check=full --error-exitcode=1"; fi 33 | - if [[ "$USE_ASAN" ]]; then export CFLAGS="-fsanitize=address -fno-omit-frame-pointer"; fi 34 | 35 | script: make && make check 36 | -------------------------------------------------------------------------------- /test_hazmat.c: -------------------------------------------------------------------------------- 1 | #include "hazmat.h" 2 | #include 3 | #include 4 | 5 | 6 | static void test_key_shares(void) 7 | { 8 | uint8_t key[32], restored[32]; 9 | sss_Keyshare key_shares[256]; 10 | size_t idx; 11 | 12 | for (idx = 0; idx < 32; idx++) { 13 | key[idx] = idx; 14 | } 15 | 16 | sss_create_keyshares(key_shares, key, 1, 1); 17 | sss_combine_keyshares(restored, (const sss_Keyshare*) key_shares, 1); 18 | assert(memcmp(key, restored, 32) == 0); 19 | 20 | sss_create_keyshares(key_shares, key, 3, 2); 21 | sss_combine_keyshares(restored, (const sss_Keyshare*) key_shares[1], 2); 22 | assert(memcmp(key, restored, 32) == 0); 23 | 24 | sss_create_keyshares(key_shares, key, 255, 127); 25 | sss_combine_keyshares(restored, (const sss_Keyshare*) key_shares[128], 127); 26 | assert(memcmp(key, restored, 32) == 0); 27 | 28 | sss_create_keyshares(key_shares, key, 255, 255); 29 | sss_combine_keyshares(restored, (const sss_Keyshare*) key_shares, 255); 30 | assert(memcmp(key, restored, 32) == 0); 31 | } 32 | 33 | 34 | int main(void) 35 | { 36 | test_key_shares(); 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | CFLAGS += -g -O2 -m64 -std=c99 -pedantic \ 2 | -Wall -Wshadow -Wpointer-arith -Wcast-qual -Wformat -Wformat-security \ 3 | -Werror=format-security -Wstrict-prototypes -Wmissing-prototypes \ 4 | -D_FORTIFY_SOURCE=2 -fPIC -fno-strict-overflow 5 | SRCS = hazmat.c randombytes.c sss.c tweetnacl.c 6 | OBJS := ${SRCS:.c=.o} 7 | UNAME_S := $(shell uname -s) 8 | 9 | all: libsss.a 10 | 11 | libsss.a: randombytes/librandombytes.a $(OBJS) 12 | ifeq ($(UNAME_S),Linux) 13 | $(AR) -rcs libsss.a $^ 14 | endif 15 | ifeq ($(UNAME_S),Darwin) 16 | libtool -static -o libsss.a $^ 17 | endif 18 | 19 | randombytes/librandombytes.a: 20 | $(MAKE) -C randombytes librandombytes.a 21 | 22 | # Force unrolling loops on hazmat.c 23 | hazmat.o: CFLAGS += -funroll-loops 24 | 25 | %.out: %.o randombytes/librandombytes.a 26 | $(CC) -o $@ $(CFLAGS) $(LDFLAGS) $^ $(LOADLIBES) $(LDLIBS) 27 | $(MEMCHECK) ./$@ 28 | 29 | test_hazmat.out: $(OBJS) 30 | test_sss.out: $(OBJS) 31 | 32 | .PHONY: check 33 | check: test_hazmat.out test_sss.out 34 | 35 | .PHONY: clean 36 | clean: 37 | $(MAKE) -C randombytes $@ 38 | $(RM) *.o *.gch *.a *.out 39 | -------------------------------------------------------------------------------- /test_sss.c: -------------------------------------------------------------------------------- 1 | #include "sss.h" 2 | #include 3 | #include 4 | 5 | int main(void) 6 | { 7 | unsigned char data[sss_MLEN] = { 42 }, restored[sss_MLEN]; 8 | sss_Share shares[256]; 9 | int tmp; 10 | 11 | /* Normal operation */ 12 | sss_create_shares(shares, data, 1, 1); 13 | tmp = sss_combine_shares(restored, (const sss_Share*) shares, 1); 14 | assert(tmp == 0); 15 | assert(memcmp(restored, data, sss_MLEN) == 0); 16 | 17 | /* A lot of shares */ 18 | sss_create_shares(shares, data, 255, 255); 19 | tmp = sss_combine_shares(restored, (const sss_Share*) shares, 255); 20 | assert(tmp == 0); 21 | assert(memcmp(restored, data, sss_MLEN) == 0); 22 | 23 | /* Not enough shares to restore secret */ 24 | sss_create_shares(shares, data, 100, 100); 25 | tmp = sss_combine_shares(restored, (const sss_Share*) shares, 99); 26 | assert(tmp == -1); 27 | 28 | /* Too many secrets should also restore the secret */ 29 | sss_create_shares(shares, data, 200, 100); 30 | tmp = sss_combine_shares(restored, (const sss_Share*) shares, 200); 31 | assert(tmp == 0); 32 | assert(memcmp(restored, data, sss_MLEN) == 0); 33 | 34 | return 0; 35 | } 36 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License 2 | 3 | Copyright (c) 2017 Daan Sprenkels 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /sss.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Intermediate level API for Daan Sprenkels' Shamir secret sharing library 3 | * Copyright (c) 2017 Daan Sprenkels 4 | */ 5 | 6 | 7 | #ifndef sss_SSS_H_ 8 | #define sss_SSS_H_ 9 | 10 | #include "hazmat.h" 11 | #include "tweetnacl.h" 12 | #include 13 | 14 | 15 | #ifndef sss_MLEN 16 | /* 17 | Length of the message (must be known at compile-time) 18 | */ 19 | #define sss_MLEN sizeof(uint8_t[64]) 20 | #endif 21 | 22 | 23 | /* 24 | * Length of the ciphertext, including the message authentication code 25 | */ 26 | #define sss_CLEN (sss_MLEN + 16) 27 | 28 | 29 | /* 30 | * Length of a SSS share 31 | */ 32 | #define sss_SHARE_LEN (sss_CLEN + sss_KEYSHARE_LEN) 33 | 34 | 35 | /* 36 | * One share of a secret which is shared using Shamir's 37 | * the `sss_create_shares` function. 38 | */ 39 | typedef uint8_t sss_Share[sss_SHARE_LEN]; 40 | 41 | 42 | /* 43 | * Create `n` shares of the secret data `data`. Share such that `k` or more 44 | * shares will be able to restore the secret. 45 | * 46 | * This function will put the resulting shares in the array pointed to by 47 | * `out`. The caller has to guarantee that this array will fit at least `n` 48 | * instances of `sss_Share`. 49 | */ 50 | void sss_create_shares(sss_Share *out, 51 | const uint8_t *data, 52 | uint8_t n, 53 | uint8_t k); 54 | 55 | 56 | /* 57 | * Combine the `k` shares pointed to by `shares` and put the resulting secret 58 | * data in `data`. The caller has to ensure that the `data` array will fit 59 | * at least `sss_MLEN` (default: 64) bytes. 60 | * 61 | * On success, this function will return 0. If combining the secret fails, 62 | * this function will return a nonzero return code. On failure, the value 63 | * in `data` may have been altered, but must still be considered secret. 64 | */ 65 | int sss_combine_shares(uint8_t *data, 66 | const sss_Share *shares, 67 | uint8_t k); 68 | 69 | 70 | #endif /* sss_SSS_H_ */ 71 | -------------------------------------------------------------------------------- /hazmat.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Low level API for Daan Sprenkels' Shamir secret sharing library 3 | * Copyright (c) 2017 Daan Sprenkels 4 | * 5 | * Usage of this API is hazardous and is only reserved for beings with a 6 | * good understanding of the Shamir secret sharing scheme and who know how 7 | * crypto code is implemented. If you are unsure about this, use the 8 | * intermediate level API. You have been warned! 9 | */ 10 | 11 | 12 | #ifndef sss_HAZMAT_H_ 13 | #define sss_HAZMAT_H_ 14 | 15 | #include 16 | 17 | 18 | #define sss_KEYSHARE_LEN 33 /* 1 + 32 */ 19 | 20 | 21 | /* 22 | * One share of a cryptographic key which is shared using Shamir's 23 | * the `sss_create_keyshares` function. 24 | */ 25 | typedef uint8_t sss_Keyshare[sss_KEYSHARE_LEN]; 26 | 27 | 28 | /* 29 | * Share the secret given in `key` into `n` shares with a treshold value given 30 | * in `k`. The resulting shares are written to `out`. 31 | * 32 | * The share generation that is done in this function is only secure if the key 33 | * that is given is indeed a cryptographic key. This means that it should be 34 | * randomly and uniformly generated string of 32 bytes. 35 | * 36 | * Also, for performance reasons, this function assumes that both `n` and `k` 37 | * are *public* values. 38 | * 39 | * If you are looking for a function that *just* creates shares of arbitrary 40 | * data, you should use the `sss_create_shares` function in `sss.h`. 41 | */ 42 | void sss_create_keyshares(sss_Keyshare *out, 43 | const uint8_t key[32], 44 | uint8_t n, 45 | uint8_t k); 46 | 47 | 48 | /* 49 | * Combine the `k` shares provided in `shares` and write the resulting key to 50 | * `key`. The amount of shares used to restore a secret may be larger than the 51 | * threshold needed to restore them. 52 | * 53 | * This function does *not* do *any* checking for integrity. If any of the 54 | * shares not original, this will result in an invalid resored value. 55 | * All values written to `key` should be treated as secret. Even if some of the 56 | * shares that were provided as input were incorrect, the resulting key *still* 57 | * allows an attacker to gain information about the real key. 58 | * 59 | * This function treats `shares` and `key` as secret values. `k` is treated as 60 | * a public value (for performance reasons). 61 | * 62 | * If you are looking for a function that combines shares of arbitrary 63 | * data, you should use the `sss_combine_shares` function in `sss.h`. 64 | */ 65 | void sss_combine_keyshares(uint8_t key[32], 66 | const sss_Keyshare *shares, 67 | uint8_t k); 68 | 69 | 70 | #endif /* sss_HAZMAT_H_ */ 71 | -------------------------------------------------------------------------------- /sss.c: -------------------------------------------------------------------------------- 1 | /* 2 | * AEAD wrapper around the Secret shared data 3 | * 4 | * Author: Daan Sprenkels 5 | * 6 | * This module implements a AEAD wrapper around some secret shared data, 7 | * allowing the data to be in any format. (Directly secret-sharing requires the 8 | * message to be picked uniformly in the message space.) 9 | * 10 | * The NaCl cryptographic library is used for the encryption. The encryption 11 | * scheme that is used for wrapping the message is salsa20/poly1305. Because 12 | * we are using an ephemeral key, we are using a zero'd nonce. 13 | */ 14 | 15 | 16 | #include "randombytes.h" 17 | #include "tweetnacl.h" 18 | #include "sss.h" 19 | #include "tweetnacl.h" 20 | #include 21 | #include 22 | 23 | 24 | /* 25 | * These assertions may be considered overkill, but would if the tweetnacl API 26 | * ever change we *really* want to prevent buffer overflow vulnerabilities. 27 | */ 28 | #if crypto_secretbox_KEYBYTES != 32 29 | # error "crypto_secretbox_KEYBYTES size is invalid" 30 | #endif 31 | 32 | 33 | /* 34 | * Nonce for the `crypto_secretbox` authenticated encryption. 35 | * The nonce is constant (zero), because we are using an ephemeral key. 36 | */ 37 | static const unsigned char nonce[crypto_secretbox_NONCEBYTES] = { 0 }; 38 | 39 | 40 | /* 41 | * Return a mutable pointer to the ciphertext part of this Share 42 | */ 43 | static uint8_t* get_ciphertext(sss_Share *share) 44 | { 45 | return &((uint8_t*) share)[sss_KEYSHARE_LEN]; 46 | } 47 | 48 | 49 | /* 50 | * Return a mutable pointer to the Keyshare part of this Share 51 | */ 52 | static sss_Keyshare* get_keyshare(sss_Share *share) 53 | { 54 | return (sss_Keyshare*) &share[0]; 55 | } 56 | 57 | 58 | /* 59 | * Return a const pointer to the ciphertext part of this Share 60 | */ 61 | static const uint8_t* get_ciphertext_const(const sss_Share *share) 62 | { 63 | return &((const uint8_t*) share)[sss_KEYSHARE_LEN]; 64 | } 65 | 66 | 67 | /* 68 | * Return a const pointer to the Keyshare part of this Share 69 | */ 70 | static const sss_Keyshare* get_keyshare_const(const sss_Share *share) 71 | { 72 | return (const sss_Keyshare*) &share[0]; 73 | } 74 | 75 | 76 | /* 77 | * Create `n` shares with theshold `k` and write them to `out` 78 | */ 79 | void sss_create_shares(sss_Share *out, const unsigned char *data, 80 | uint8_t n, uint8_t k) 81 | { 82 | unsigned char key[32]; 83 | unsigned char m[crypto_secretbox_ZEROBYTES + sss_MLEN] = { 0 }; 84 | unsigned long long mlen = sizeof(m); /* length includes zero-bytes */ 85 | unsigned char c[mlen]; 86 | int tmp; 87 | sss_Keyshare keyshares[n]; 88 | size_t idx; 89 | 90 | /* Generate a random encryption key */ 91 | randombytes(key, sizeof(key)); 92 | 93 | /* AEAD encrypt the data with the key */ 94 | memcpy(&m[crypto_secretbox_ZEROBYTES], data, sss_MLEN); 95 | tmp = crypto_secretbox(c, m, mlen, nonce, key); 96 | assert(tmp == 0); /* should always happen */ 97 | 98 | /* Generate KeyShares */ 99 | sss_create_keyshares(keyshares, key, n, k); 100 | 101 | /* Build regular shares */ 102 | for (idx = 0; idx < n; idx++) { 103 | memcpy(get_keyshare((sss_Share*) &out[idx]), &keyshares[idx][0], 104 | sss_KEYSHARE_LEN); 105 | memcpy(get_ciphertext((sss_Share*) &out[idx]), 106 | &c[crypto_secretbox_BOXZEROBYTES], sss_CLEN); 107 | } 108 | } 109 | 110 | 111 | /* 112 | * Combine `k` shares pointed to by `shares` and write the result to `data` 113 | * 114 | * This function returns -1 if any of the shares were corrupted or if the number 115 | * of shares was too low. It is not possible to detect which of these errors 116 | * did occur. 117 | */ 118 | int sss_combine_shares(uint8_t *data, const sss_Share *shares, uint8_t k) 119 | { 120 | unsigned char key[crypto_secretbox_KEYBYTES]; 121 | unsigned char c[crypto_secretbox_BOXZEROBYTES + sss_CLEN] = { 0 }; 122 | unsigned long long clen = sizeof(c); 123 | unsigned char m[clen]; 124 | sss_Keyshare keyshares[k]; 125 | size_t idx; 126 | int ret = 0; 127 | 128 | /* Check if all ciphertexts are the same */ 129 | if (k < 1) return -1; 130 | for (idx = 1; idx < k; idx++) { 131 | if (memcmp(get_ciphertext_const(&shares[0]), 132 | get_ciphertext_const(&shares[idx]), sss_CLEN) != 0) { 133 | return -1; 134 | } 135 | } 136 | 137 | /* Restore the key */ 138 | for (idx = 0; idx < k; idx++) { 139 | memcpy(&keyshares[idx], get_keyshare_const(&shares[idx]), 140 | sss_KEYSHARE_LEN); 141 | } 142 | sss_combine_keyshares(key, (const sss_Keyshare*) keyshares, k); 143 | 144 | /* Decrypt the ciphertext */ 145 | memcpy(&c[crypto_secretbox_BOXZEROBYTES], 146 | &shares[0][sss_KEYSHARE_LEN], sss_CLEN); 147 | ret |= crypto_secretbox_open(m, c, clen, nonce, key); 148 | memcpy(data, &m[crypto_secretbox_ZEROBYTES], sss_MLEN); 149 | 150 | return ret; 151 | } 152 | -------------------------------------------------------------------------------- /hazmat.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Implementation of the hazardous parts of the SSS library 3 | * 4 | * Author: Daan Sprenkels 5 | * 6 | * This code contains the actual Shamir secret sharing functionality. The 7 | * implementation of this code is based on the idea that the user likes to 8 | * generate/combine 32 shares (in GF(2^8) at the same time, because a 256 bit 9 | * key will be exactly 32 bytes. Therefore we bitslice all the input and 10 | * unbitslice the output right before returning. 11 | * 12 | * This bitslice approach optimizes natively on all architectures that are 32 13 | * bit or more. Care is taken to use not too many registers, to ensure that no 14 | * values have to be leaked to the stack. 15 | * 16 | * All functions in this module are implemented constant time and constant 17 | * lookup operations, as all proper crypto code must be. 18 | */ 19 | 20 | 21 | #include "randombytes.h" 22 | #include "hazmat.h" 23 | #include 24 | #include 25 | 26 | 27 | typedef struct { 28 | uint8_t x; 29 | uint8_t y; 30 | } ByteShare; 31 | 32 | 33 | static void 34 | bitslice(uint32_t r[8], const uint8_t x[32]) 35 | { 36 | size_t bit_idx, arr_idx; 37 | uint32_t cur; 38 | 39 | memset(r, 0, sizeof(uint32_t[8])); 40 | for (arr_idx = 0; arr_idx < 32; arr_idx++) { 41 | cur = (uint32_t) x[arr_idx]; 42 | for (bit_idx = 0; bit_idx < 8; bit_idx++) { 43 | r[bit_idx] |= ((cur >> bit_idx) & 1) << arr_idx; 44 | } 45 | } 46 | } 47 | 48 | 49 | static void 50 | unbitslice(uint8_t r[32], const uint32_t x[8]) 51 | { 52 | size_t bit_idx, arr_idx; 53 | uint32_t cur; 54 | 55 | memset(r, 0, sizeof(uint8_t[32])); 56 | for (bit_idx = 0; bit_idx < 8; bit_idx++) { 57 | cur = (uint32_t) x[bit_idx]; 58 | for (arr_idx = 0; arr_idx < 32; arr_idx++) { 59 | r[arr_idx] |= ((cur >> arr_idx) & 1) << bit_idx; 60 | } 61 | } 62 | } 63 | 64 | 65 | static void 66 | bitslice_setall(uint32_t r[8], const uint8_t x) 67 | { 68 | size_t idx; 69 | for (idx = 0; idx < 8; idx++) { 70 | r[idx] = ((int32_t) ((x & (1 << idx)) << (31 - idx))) >> 31; 71 | } 72 | } 73 | 74 | 75 | /* 76 | * Add (XOR) `r` with `x` and store the result in `r`. 77 | */ 78 | static void 79 | gf256_add(uint32_t r[8], const uint32_t x[8]) 80 | { 81 | size_t idx; 82 | for (idx = 0; idx < 8; idx++) r[idx] ^= x[idx]; 83 | } 84 | 85 | 86 | /* 87 | * Safely multiply two bitsliced polynomials in GF(2^8) reduced by 88 | * x^8 + x^4 + x^3 + x + 1. `r` and `a` may overlap, but overlapping of `r` 89 | * and `b` will produce an incorrect result! If you need to square a polynomial 90 | * use `gf256_square` instead. 91 | */ 92 | static void 93 | gf256_mul(uint32_t r[8], const uint32_t a[8], const uint32_t b[8]) 94 | { 95 | /* This function implements Russian Peasant multiplication on two 96 | * bitsliced polynomials. 97 | * 98 | * I personally think that these kinds of long lists of operations 99 | * are often a bit ugly. A double for loop would be nicer and would 100 | * take up a lot less lines of code. 101 | * However, some compilers seem to fail in optimizing these kinds of 102 | * loops. So we will just have to do this by hand. 103 | */ 104 | uint32_t a2[8]; 105 | memcpy(a2, a, sizeof(uint32_t[8])); 106 | 107 | r[0] = a2[0] & b[0]; /* add (assignment, because r is 0) */ 108 | r[1] = a2[1] & b[0]; 109 | r[2] = a2[2] & b[0]; 110 | r[3] = a2[3] & b[0]; 111 | r[4] = a2[4] & b[0]; 112 | r[5] = a2[5] & b[0]; 113 | r[6] = a2[6] & b[0]; 114 | r[7] = a2[7] & b[0]; 115 | a2[0] ^= a2[7]; /* reduce */ 116 | a2[2] ^= a2[7]; 117 | a2[3] ^= a2[7]; 118 | 119 | r[0] ^= a2[7] & b[1]; /* add */ 120 | r[1] ^= a2[0] & b[1]; 121 | r[2] ^= a2[1] & b[1]; 122 | r[3] ^= a2[2] & b[1]; 123 | r[4] ^= a2[3] & b[1]; 124 | r[5] ^= a2[4] & b[1]; 125 | r[6] ^= a2[5] & b[1]; 126 | r[7] ^= a2[6] & b[1]; 127 | a2[7] ^= a2[6]; /* reduce */ 128 | a2[1] ^= a2[6]; 129 | a2[2] ^= a2[6]; 130 | 131 | r[0] ^= a2[6] & b[2]; /* add */ 132 | r[1] ^= a2[7] & b[2]; 133 | r[2] ^= a2[0] & b[2]; 134 | r[3] ^= a2[1] & b[2]; 135 | r[4] ^= a2[2] & b[2]; 136 | r[5] ^= a2[3] & b[2]; 137 | r[6] ^= a2[4] & b[2]; 138 | r[7] ^= a2[5] & b[2]; 139 | a2[6] ^= a2[5]; /* reduce */ 140 | a2[0] ^= a2[5]; 141 | a2[1] ^= a2[5]; 142 | 143 | r[0] ^= a2[5] & b[3]; /* add */ 144 | r[1] ^= a2[6] & b[3]; 145 | r[2] ^= a2[7] & b[3]; 146 | r[3] ^= a2[0] & b[3]; 147 | r[4] ^= a2[1] & b[3]; 148 | r[5] ^= a2[2] & b[3]; 149 | r[6] ^= a2[3] & b[3]; 150 | r[7] ^= a2[4] & b[3]; 151 | a2[5] ^= a2[4]; /* reduce */ 152 | a2[7] ^= a2[4]; 153 | a2[0] ^= a2[4]; 154 | 155 | r[0] ^= a2[4] & b[4]; /* add */ 156 | r[1] ^= a2[5] & b[4]; 157 | r[2] ^= a2[6] & b[4]; 158 | r[3] ^= a2[7] & b[4]; 159 | r[4] ^= a2[0] & b[4]; 160 | r[5] ^= a2[1] & b[4]; 161 | r[6] ^= a2[2] & b[4]; 162 | r[7] ^= a2[3] & b[4]; 163 | a2[4] ^= a2[3]; /* reduce */ 164 | a2[6] ^= a2[3]; 165 | a2[7] ^= a2[3]; 166 | 167 | r[0] ^= a2[3] & b[5]; /* add */ 168 | r[1] ^= a2[4] & b[5]; 169 | r[2] ^= a2[5] & b[5]; 170 | r[3] ^= a2[6] & b[5]; 171 | r[4] ^= a2[7] & b[5]; 172 | r[5] ^= a2[0] & b[5]; 173 | r[6] ^= a2[1] & b[5]; 174 | r[7] ^= a2[2] & b[5]; 175 | a2[3] ^= a2[2]; /* reduce */ 176 | a2[5] ^= a2[2]; 177 | a2[6] ^= a2[2]; 178 | 179 | r[0] ^= a2[2] & b[6]; /* add */ 180 | r[1] ^= a2[3] & b[6]; 181 | r[2] ^= a2[4] & b[6]; 182 | r[3] ^= a2[5] & b[6]; 183 | r[4] ^= a2[6] & b[6]; 184 | r[5] ^= a2[7] & b[6]; 185 | r[6] ^= a2[0] & b[6]; 186 | r[7] ^= a2[1] & b[6]; 187 | a2[2] ^= a2[1]; /* reduce */ 188 | a2[4] ^= a2[1]; 189 | a2[5] ^= a2[1]; 190 | 191 | r[0] ^= a2[1] & b[7]; /* add */ 192 | r[1] ^= a2[2] & b[7]; 193 | r[2] ^= a2[3] & b[7]; 194 | r[3] ^= a2[4] & b[7]; 195 | r[4] ^= a2[5] & b[7]; 196 | r[5] ^= a2[6] & b[7]; 197 | r[6] ^= a2[7] & b[7]; 198 | r[7] ^= a2[0] & b[7]; 199 | } 200 | 201 | 202 | /* 203 | * Square `x` in GF(2^8) and write the result to `r`. `r` and `x` may overlap. 204 | */ 205 | static void 206 | gf256_square(uint32_t r[8], const uint32_t x[8]) 207 | { 208 | uint32_t r8, r10, r12, r14; 209 | /* Use the Freshman's Dream rule to square the polynomial 210 | * Assignments are done from 7 downto 0, because this allows the user 211 | * to execute this function in-place (e.g. `gf256_square(r, r);`). 212 | */ 213 | r14 = x[7]; 214 | r12 = x[6]; 215 | r10 = x[5]; 216 | r8 = x[4]; 217 | r[6] = x[3]; 218 | r[4] = x[2]; 219 | r[2] = x[1]; 220 | r[0] = x[0]; 221 | 222 | /* Reduce with x^8 + x^4 + x^3 + x + 1 until order is less than 8 */ 223 | r[7] = r14; /* r[7] was 0 */ 224 | r[6] ^= r14; 225 | r10 ^= r14; 226 | /* Skip, because r13 is always 0 */ 227 | r[4] ^= r12; 228 | r[5] = r12; /* r[5] was 0 */ 229 | r[7] ^= r12; 230 | r8 ^= r12; 231 | /* Skip, because r11 is always 0 */ 232 | r[2] ^= r10; 233 | r[3] = r10; /* r[3] was 0 */ 234 | r[5] ^= r10; 235 | r[6] ^= r10; 236 | r[1] = r14; /* r[1] was 0 */ 237 | r[2] ^= r14; /* Substitute r9 by r14 because they will always be equal*/ 238 | r[4] ^= r14; 239 | r[5] ^= r14; 240 | r[0] ^= r8; 241 | r[1] ^= r8; 242 | r[3] ^= r8; 243 | r[4] ^= r8; 244 | } 245 | 246 | 247 | /* 248 | * Invert `x` in GF(2^8) and write the result to `r` 249 | */ 250 | static void 251 | gf256_inv(uint32_t r[8], uint32_t x[8]) 252 | { 253 | uint32_t y[8], z[8]; 254 | 255 | gf256_square(y, x); // y = x^2 256 | gf256_square(y, y); // y = x^4 257 | gf256_square(r, y); // r = x^8 258 | gf256_mul(z, r, x); // z = x^9 259 | gf256_square(r, r); // r = x^16 260 | gf256_mul(r, r, z); // r = x^25 261 | gf256_square(r, r); // r = x^50 262 | gf256_square(z, r); // z = x^100 263 | gf256_square(z, z); // z = x^200 264 | gf256_mul(r, r, z); // r = x^250 265 | gf256_mul(r, r, y); // r = x^254 266 | } 267 | 268 | 269 | /* 270 | * Create `k` key shares of the key given in `key`. The caller has to ensure 271 | * that the array `out` has enough space to hold at least `n` sss_Keyshare 272 | * structs. 273 | */ 274 | void 275 | sss_create_keyshares(sss_Keyshare *out, 276 | const uint8_t key[32], 277 | uint8_t n, 278 | uint8_t k) 279 | { 280 | /* Check if the parameters are valid */ 281 | assert(n != 0); 282 | assert(k != 0); 283 | assert(k <= n); 284 | 285 | uint8_t share_idx, coeff_idx, unbitsliced_x; 286 | uint32_t poly0[8], poly[k-1][8], x[8], y[8], xpow[8], tmp[8]; 287 | 288 | /* Put the secret in the bottom part of the polynomial */ 289 | bitslice(poly0, key); 290 | 291 | /* Generate the other terms of the polynomial */ 292 | randombytes((void*) poly, sizeof(poly)); 293 | 294 | for (share_idx = 0; share_idx < n; share_idx++) { 295 | /* x value is in 1..n */ 296 | unbitsliced_x = share_idx + 1; 297 | out[share_idx][0] = unbitsliced_x; 298 | bitslice_setall(x, unbitsliced_x); 299 | 300 | /* Calculate y */ 301 | memset(y, 0, sizeof(y)); 302 | memset(xpow, 0, sizeof(xpow)); 303 | xpow[0] = ~0; 304 | gf256_add(y, poly0); 305 | for (coeff_idx = 0; coeff_idx < (k-1); coeff_idx++) { 306 | gf256_mul(xpow, xpow, x); 307 | gf256_mul(tmp, xpow, poly[coeff_idx]); 308 | gf256_add(y, tmp); 309 | } 310 | unbitslice(&out[share_idx][1], y); 311 | } 312 | } 313 | 314 | 315 | /* 316 | * Restore the `k` sss_Keyshare structs given in `shares` and write the result 317 | * to `key`. 318 | */ 319 | void sss_combine_keyshares(uint8_t key[32], 320 | const sss_Keyshare *key_shares, 321 | uint8_t k) 322 | { 323 | size_t share_idx, idx1, idx2; 324 | uint32_t xs[k][8], ys[k][8]; 325 | uint32_t num[8], denom[8], tmp[8]; 326 | uint32_t secret[8] = {0}; 327 | 328 | /* Collect the x and y values */ 329 | for (share_idx = 0; share_idx < k; share_idx++) { 330 | bitslice_setall(xs[share_idx], key_shares[share_idx][0]); 331 | bitslice(ys[share_idx], &key_shares[share_idx][1]); 332 | } 333 | 334 | /* Use Lagrange basis polynomials to calculate the secret coefficient */ 335 | for (idx1 = 0; idx1 < k; idx1++) { 336 | memset(num, 0, sizeof(num)); 337 | memset(denom, 0, sizeof(denom)); 338 | num[0] = ~0; /* num is the numerator (=1) */ 339 | denom[0] = ~0; /* denom is the numerator (=1) */ 340 | for (idx2 = 0; idx2 < k; idx2++) { 341 | if (idx1 == idx2) continue; 342 | gf256_mul(num, num, xs[idx2]); 343 | memcpy(tmp, xs[idx1], sizeof(uint32_t[8])); 344 | gf256_add(tmp, xs[idx2]); 345 | gf256_mul(denom, denom, tmp); 346 | } 347 | gf256_inv(tmp, denom); /* inverted denominator */ 348 | gf256_mul(num, num, tmp); /* basis polynomial */ 349 | gf256_mul(num, num, ys[idx1]); /* scaled coefficient */ 350 | gf256_add(secret, num); 351 | } 352 | unbitslice(key, secret); 353 | } 354 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Shamir secret sharing library 2 | 3 | [![Build Status](https://travis-ci.org/dsprenkels/sss.svg?branch=master)](https://travis-ci.org/dsprenkels/sss) 4 | 5 | `sss` is a library that exposes an API to split secret data buffers into 6 | a number of different _shares_. With the possession of some or all of these 7 | shares, the original secret can be restored. It is the schoolbook example of 8 | a cryptographic _threshold scheme_. This library has a [command line 9 | interface][sss-cli]. ([web demo]) 10 | 11 | [sss-cli]: https://github.com/dsprenkels/sss-cli 12 | 13 | ## Table of contents 14 | 15 | 1. [Introduction](#introduction) 16 | 2. [Download](#download) 17 | 3. [Usage](#usage) 18 | 1. [Example](#example) 19 | 2. [How to Run Program (above)](#How-to-Run-program-(above)) 20 | 4. [Bindings](#bindings) 21 | 5. [Technical details](#technical-details) 22 | 6. [Comparison of secret sharing libraries](#comparison-of-secret-sharing-libraries) 23 | 7. [Questions](#questions) 24 | 25 | ## Introduction 26 | 27 | An example use case is a beer brewery which has a vault which contains their 28 | precious super secret recipe. The 5 board members of this brewery do not trust 29 | all the others well enough that they won't secretly break into the vault and 30 | sell the recipe to a competitor. So they split the code into 5 shares, and 31 | allow 4 shares to restore the original code. Now they are sure that the 32 | majority of the staff will know when the vault is opened, but they can still 33 | open the vault when one of the staff members is abroad or sick at home. 34 | 35 | As often with crypto libraries, there is a lot of Shamir secret sharing code 36 | around that *does not meet cryptographic standards* (a.k.a. is insecure). 37 | Some details—like integrity checks and side-channel resistance—are often 38 | forgotten. But these slip-ups can often fully compromise the security of the 39 | scheme. 40 | With this in mind, I have made this library to: 41 | - Be side channel resistant (timing, branch, cache) 42 | - Secure the shared secret with a MAC 43 | - Use the platform (OS) randomness source 44 | 45 | It should be safe to use this library in "the real world". I currently regard 46 | the API as being stable. Should there be any breaking changes, then I will 47 | update the version number conforming to the [semantic versioning spec][semver]. 48 | 49 | [semver]: http://semver.org/ 50 | 51 | ## Download 52 | 53 | I have released version 0.1.0 of this library, which can be downloaded from 54 | the [releases](https://github.com/dsprenkels/sss/releases) page. However, I 55 | actually recommend cloning the library with git, to also get the necesarry 56 | submodules: 57 | 58 | ```shell 59 | git clone --recursive https://github.com/dsprenkels/sss.git 60 | ``` 61 | 62 | The current version is version 0.1.0, which should be stable enough for now. 63 | The functionality may still change before version 1.0.0, although I will 64 | still fix any security issues before that. 65 | 66 | ## Usage 67 | 68 | Secrets are provided as arrays of 64 bytes long. This should be big enough to 69 | store generally small secrets. If you wish to split larger chunks of data, you 70 | can use symmetric encryption and split the key instead. Shares are generated 71 | from secret data using `sss_create_shares` and shares can be combined again 72 | using the `sss_combine_shares` functions. The shares are octet strings of 73 | 113 bytes each. 74 | 75 | This library is implemented in such a way that the maximum number of shares 76 | is 255. 77 | 78 | Moreover, every share includes an ID, which is implemented as a counter. 79 | This ID is not considered a secret by the library, and an participants may be 80 | able to infer the amount of shares from these ids (for example, if I have a 81 | share with ID=3, I expect that ID∈{1,2} will also exist. 82 | If you require random share IDs, then you should generate 255 different 83 | shares, and randomly throw away the excess shares. 84 | 85 | ### Example 86 | 87 | ```c 88 | #include "sss.h" 89 | #include "randombytes.h" 90 | #include 91 | #include 92 | 93 | int main() 94 | { 95 | uint8_t data[sss_MLEN], restored[sss_MLEN]; 96 | sss_Share shares[5]; 97 | size_t idx; 98 | int tmp; 99 | 100 | // Read a message to be shared 101 | strncpy(data, "Tyler Durden isn't real.", sizeof(data)); 102 | 103 | // Split the secret into 5 shares (with a recombination theshold of 4) 104 | sss_create_shares(shares, data, 5, 4); 105 | 106 | // Combine some of the shares to restore the original secret 107 | tmp = sss_combine_shares(restored, shares, 4); 108 | assert(tmp == 0); 109 | assert(memcmp(restored, data, sss_MLEN) == 0); 110 | } 111 | ``` 112 | 113 | ## How to Run program (above) 114 | 115 | 1. clone from git by bellow command. (As It is recommended. If you clone make sure that file under subdirectory also came with it) 116 | ```shell 117 | git clone --recursive https://github.com/dsprenkels/sss.git 118 | ``` 119 | 120 | 2. go inside sss directory and run make command 121 | ```shell 122 | make 123 | ``` 124 | 125 | 3. copy the example provided in readme as above and save it as demo.c 126 | 127 | 4. compile demo.c by running bellow commnad 128 | ```shell 129 | gcc demo.c -o demo randombytes.o sss.o hazmat.o tweetnacl.o 130 | ``` 131 | 132 | 5. execute program by bellow command 133 | ```shell 134 | ./demo 135 | ``` 136 | 137 | ## Bindings 138 | 139 | I have currently written bindings for the following languages: 140 | 141 | - [Node.js](https://github.com/dsprenkels/sss-node) 142 | - [Go](https://github.com/dsprenkels/sss-go) 143 | - [Rust](https://github.com/dsprenkels/sss-rs) 144 | - [WASM](https://github.com/3box/sss-wasm) 145 | - [Android](https://github.com/dsprenkels/sss-android)¹ 146 | - [Haskell](https://github.com/dsprenkels/sss-hs)¹ 147 | - [Swift](https://github.com/dsprenkels/sss-swift)¹ 148 | > ¹ No releases yet. 149 | 150 | There are also contributed bindings: 151 | 152 | - [Nim](https://github.com/markspanbroek/sss.nim) 153 | - [Erlang](https://github.com/arekinath/esss) 154 | 155 | ## Technical details 156 | 157 | Shamir secret sharing works by generating a polynomial (e.g. _33x³ + 8x² + 29x + 158 | 42_). The lowest term is the secret and is just filled in. All the 159 | other terms are generated randomly. Then we can pick points on the polynomial 160 | by filling in values for _x_. Each point is put in a share. Afterwards, with _k_ 161 | points we can use interpolation to restore a _k_-degree polynomial. 162 | 163 | In practice there is a wrapper around the secret-sharing part (this is done 164 | because of crypto-technical reasons). This wrapper uses the XSalsa20/Poly1305 165 | authenticated encryption scheme. Because of this, the shares are always a little 166 | bit larger than the original data. 167 | 168 | This library uses a custom [`randombytes`][randombytes] function to generate a 169 | random encapsulation key, which talks directly to the operating system. When 170 | using the high level API, you are not allowed to choose your own key. It _must_ 171 | be uniformly random, because regularities in shared secrets can be exploited. 172 | 173 | With the low level API (`hazmat.h`) you _can_ choose to secret-share a piece of 174 | data of exactly 32 bytes. This produces a set of shares that are much shorter 175 | than the high-level shares (namely 33 bytes each). However, keep in mind that 176 | this module is called `hazmat.h` (for "hazardous materials") for a reason. 177 | Please only use this if you _really_ know what you are doing. Raw "textbook" 178 | Shamir secret sharing is only safe when using a uniformly random secret (with 179 | 128 bits of entropy). Note also that it is entirely insecure for integrity. 180 | Please do not use the low-level API unless you _really_ have no other choice. 181 | 182 | ## Comparison of secret-sharing libraries 183 | 184 | If you would like your library to be added here, please open a pull request. :) 185 | 186 | | Library | Side-channels | Tamper-resistant | Secret length | 187 | |-----------------|---------------|------------------|---------------| 188 | | [B. Poettering] | Insecure¹ | Insecure | 128 bytes | 189 | | [libgfshare] | Insecure² | Insecure | ∞ | 190 | | [blockstack] | ??³ | Insecure | 160 bytes | 191 | | [sssa-golang] | Secure | Secure⁴ | ∞ | 192 | | [sssa-ruby] | ??³ | Secure⁴ | ∞ | 193 | | [snipsco] | Secure | Insecure | Note⁶ | 194 | | [c-sss] | Insecure⁷ | Insecure | ∞ | 195 | | [timtiemens] | Insecure⁸ | Note⁹ | 512 bytes | 196 | | [dsprenkels] | Secure | Secure⁵ | 64 bytes | 197 | 198 | ### Notes 199 | 200 | It is important to note that a limited secret length does not mean 201 | that it is impossible to share longer secrets. The way this is done is 202 | by secret sharing a random key and using this key to encrypt the real 203 | secret. This is a lot faster and the security is not reduced. (This is 204 | actually how [sss-cli] produces variable-length shares.) 205 | 206 | 1. Uses the GNU gmp library. 207 | 2. Uses lookup tables for GF(256) multiplication. 208 | 3. This library is implemented in a high level scripting library which does not 209 | guarantee that its basic operators execute in constant-time. 210 | 4. Uses randomized *x*-coordinates. 211 | 5. Uses randomized *y*-coordinates. 212 | 6. When using the [snipsco] library you will have to specify your own prime. 213 | Computation time is _O(p²)_, so on a normal computer you will be limited to 214 | a secret size of ~1024 bytes. 215 | 7. As mentioned by the [documentation](https://github.com/fletcher/c-sss#security-issues). 216 | 8. Uses Java `BigInteger` class. 217 | 9. Basic usage of this tool does not protect the integrity of the secrets. 218 | However, the project's readme file advises the user to use a hybrid 219 | encryption scheme and secret share the key. Through destroying the ephemeral 220 | key, the example that is listed in the readme file protects prevents an 221 | attacker from arbitrarily inserting a secret. However, inserting a garbled 222 | secret is still possible. To prevent this the user should use a AEAD scheme 223 | (like AES-GCM or ChaCha20-Poly1305) instead of AES-CBC. 224 | 225 | [B. Poettering]: http://point-at-infinity.org/ssss/ 226 | [libgfshare]: https://github.com/jcushman/libgfshare 227 | [blockstack]: https://github.com/blockstack/secret-sharing 228 | [sssa-golang]: https://github.com/SSSaaS/sssa-golang 229 | [sssa-ruby]: https://github.com/SSSaaS/sssa-ruby 230 | [snipsco]: https://github.com/snipsco/rust-threshold-secret-sharing 231 | [c-sss]: https://github.com/fletcher/c-sss 232 | [timtiemens]: https://github.com/timtiemens/secretshare 233 | [dsprenkels]: https://github.com/dsprenkels/sss 234 | 235 | 236 | ## Questions 237 | 238 | ### I do not know a lot about secret sharing. Is Shamir secret sharing useful for me? 239 | 240 | It depends. In the case of threshold schemes (that's what this is) there are 241 | two types: 242 | 243 | 1. The share-holders _cannot_ verify that their shares are valid. 244 | 2. The share-holders _can_ verify that their shares are valid. 245 | 246 | Shamir's scheme is of the first type. This immediately implies that the dealer 247 | could cheat. Indeed, they can distribute a number of shares which are just 248 | random strings. The only way the participants could know is by banding together 249 | and trying to restore the secret. This would show the secret, which would make 250 | the scheme totally pointless. 251 | 252 | **Use Shamir secret sharing only if the dealer _and_ the participants have no 253 | reason to corrupt any shares.** 254 | 255 | Examples where this is _not_ the case: 256 | 257 | - When the secret hides something that is embarrasing for one of the 258 | participants. 259 | - When the shared secret is something like a testament, and the participants 260 | are the heirs. If one of the heirs inherits more wealth when the secret is 261 | not disclosed, they can corrupt their share (and it would be impossible to 262 | check this from the share alone). 263 | 264 | In these cases, you will need a scheme of the second type. See the next 265 | question. 266 | 267 | ### Wait, I need verifiable shares! What should I use instead? 268 | 269 | There are two straightforward options: 270 | 271 | 1. When the secret is fully random—for example, a cryptographic key—use 272 | **Feldman verifiable secret sharing**. 273 | 2. When the secret is not fully random—it _could_ be a message, a number, 274 | etc.—use **Pedersen verifiable secret sharing**. 275 | 276 | ### Other 277 | 278 | For other questions, feel free to open an issue or send me an email on my Github 279 | associated e-mail address. 280 | 281 | [web demo]: http://bakaoh.com/sss-wasm/ 282 | [randombytes]: https://github.com/dsprenkels/randombytes 283 | -------------------------------------------------------------------------------- /tweetnacl.c: -------------------------------------------------------------------------------- 1 | #include "tweetnacl.h" 2 | #define FOR(i,n) for (i = 0;i < n;++i) 3 | #define sv static void 4 | 5 | typedef unsigned char u8; 6 | typedef unsigned long u32; 7 | typedef unsigned long long u64; 8 | typedef long long i64; 9 | typedef i64 gf[16]; 10 | extern void randombytes(u8 *,u64); 11 | 12 | static const u8 13 | _0[16], 14 | _9[32] = {9}; 15 | static const gf 16 | gf0, 17 | gf1 = {1}, 18 | _121665 = {0xDB41,1}, 19 | D = {0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203}, 20 | D2 = {0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406}, 21 | X = {0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169}, 22 | Y = {0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666}, 23 | I = {0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83}; 24 | 25 | static u32 L32(u32 x,int c) { return (x << c) | ((x&0xffffffff) >> (32 - c)); } 26 | 27 | static u32 ld32(const u8 *x) 28 | { 29 | u32 u = x[3]; 30 | u = (u<<8)|x[2]; 31 | u = (u<<8)|x[1]; 32 | return (u<<8)|x[0]; 33 | } 34 | 35 | static u64 dl64(const u8 *x) 36 | { 37 | u64 i,u=0; 38 | FOR(i,8) u=(u<<8)|x[i]; 39 | return u; 40 | } 41 | 42 | sv st32(u8 *x,u32 u) 43 | { 44 | int i; 45 | FOR(i,4) { x[i] = u; u >>= 8; } 46 | } 47 | 48 | sv ts64(u8 *x,u64 u) 49 | { 50 | int i; 51 | for (i = 7;i >= 0;--i) { x[i] = u; u >>= 8; } 52 | } 53 | 54 | static int vn(const u8 *x,const u8 *y,int n) 55 | { 56 | u32 i,d = 0; 57 | FOR(i,n) d |= x[i]^y[i]; 58 | return (1 & ((d - 1) >> 8)) - 1; 59 | } 60 | 61 | int crypto_verify_16(const u8 *x,const u8 *y) 62 | { 63 | return vn(x,y,16); 64 | } 65 | 66 | int crypto_verify_32(const u8 *x,const u8 *y) 67 | { 68 | return vn(x,y,32); 69 | } 70 | 71 | sv core(u8 *out,const u8 *in,const u8 *k,const u8 *c,int h) 72 | { 73 | u32 w[16],x[16],y[16],t[4]; 74 | int i,j,m; 75 | 76 | FOR(i,4) { 77 | x[5*i] = ld32(c+4*i); 78 | x[1+i] = ld32(k+4*i); 79 | x[6+i] = ld32(in+4*i); 80 | x[11+i] = ld32(k+16+4*i); 81 | } 82 | 83 | FOR(i,16) y[i] = x[i]; 84 | 85 | FOR(i,20) { 86 | FOR(j,4) { 87 | FOR(m,4) t[m] = x[(5*j+4*m)%16]; 88 | t[1] ^= L32(t[0]+t[3], 7); 89 | t[2] ^= L32(t[1]+t[0], 9); 90 | t[3] ^= L32(t[2]+t[1],13); 91 | t[0] ^= L32(t[3]+t[2],18); 92 | FOR(m,4) w[4*j+(j+m)%4] = t[m]; 93 | } 94 | FOR(m,16) x[m] = w[m]; 95 | } 96 | 97 | if (h) { 98 | FOR(i,16) x[i] += y[i]; 99 | FOR(i,4) { 100 | x[5*i] -= ld32(c+4*i); 101 | x[6+i] -= ld32(in+4*i); 102 | } 103 | FOR(i,4) { 104 | st32(out+4*i,x[5*i]); 105 | st32(out+16+4*i,x[6+i]); 106 | } 107 | } else 108 | FOR(i,16) st32(out + 4 * i,x[i] + y[i]); 109 | } 110 | 111 | int crypto_core_salsa20(u8 *out,const u8 *in,const u8 *k,const u8 *c) 112 | { 113 | core(out,in,k,c,0); 114 | return 0; 115 | } 116 | 117 | int crypto_core_hsalsa20(u8 *out,const u8 *in,const u8 *k,const u8 *c) 118 | { 119 | core(out,in,k,c,1); 120 | return 0; 121 | } 122 | 123 | static const u8 sigma[16] = "expand 32-byte k"; 124 | 125 | int crypto_stream_salsa20_xor(u8 *c,const u8 *m,u64 b,const u8 *n,const u8 *k) 126 | { 127 | u8 z[16],x[64]; 128 | u32 u,i; 129 | if (!b) return 0; 130 | FOR(i,16) z[i] = 0; 131 | FOR(i,8) z[i] = n[i]; 132 | while (b >= 64) { 133 | crypto_core_salsa20(x,z,k,sigma); 134 | FOR(i,64) c[i] = (m?m[i]:0) ^ x[i]; 135 | u = 1; 136 | for (i = 8;i < 16;++i) { 137 | u += (u32) z[i]; 138 | z[i] = u; 139 | u >>= 8; 140 | } 141 | b -= 64; 142 | c += 64; 143 | if (m) m += 64; 144 | } 145 | if (b) { 146 | crypto_core_salsa20(x,z,k,sigma); 147 | FOR(i,b) c[i] = (m?m[i]:0) ^ x[i]; 148 | } 149 | return 0; 150 | } 151 | 152 | int crypto_stream_salsa20(u8 *c,u64 d,const u8 *n,const u8 *k) 153 | { 154 | return crypto_stream_salsa20_xor(c,0,d,n,k); 155 | } 156 | 157 | int crypto_stream(u8 *c,u64 d,const u8 *n,const u8 *k) 158 | { 159 | u8 s[32]; 160 | crypto_core_hsalsa20(s,n,k,sigma); 161 | return crypto_stream_salsa20(c,d,n+16,s); 162 | } 163 | 164 | int crypto_stream_xor(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *k) 165 | { 166 | u8 s[32]; 167 | crypto_core_hsalsa20(s,n,k,sigma); 168 | return crypto_stream_salsa20_xor(c,m,d,n+16,s); 169 | } 170 | 171 | sv add1305(u32 *h,const u32 *c) 172 | { 173 | u32 j,u = 0; 174 | FOR(j,17) { 175 | u += h[j] + c[j]; 176 | h[j] = u & 255; 177 | u >>= 8; 178 | } 179 | } 180 | 181 | static const u32 minusp[17] = { 182 | 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 252 183 | } ; 184 | 185 | int crypto_onetimeauth(u8 *out,const u8 *m,u64 n,const u8 *k) 186 | { 187 | u32 s,i,j,u,x[17],r[17],h[17],c[17],g[17]; 188 | 189 | FOR(j,17) r[j]=h[j]=0; 190 | FOR(j,16) r[j]=k[j]; 191 | r[3]&=15; 192 | r[4]&=252; 193 | r[7]&=15; 194 | r[8]&=252; 195 | r[11]&=15; 196 | r[12]&=252; 197 | r[15]&=15; 198 | 199 | while (n > 0) { 200 | FOR(j,17) c[j] = 0; 201 | for (j = 0;(j < 16) && (j < n);++j) c[j] = m[j]; 202 | c[j] = 1; 203 | m += j; n -= j; 204 | add1305(h,c); 205 | FOR(i,17) { 206 | x[i] = 0; 207 | FOR(j,17) x[i] += h[j] * ((j <= i) ? r[i - j] : 320 * r[i + 17 - j]); 208 | } 209 | FOR(i,17) h[i] = x[i]; 210 | u = 0; 211 | FOR(j,16) { 212 | u += h[j]; 213 | h[j] = u & 255; 214 | u >>= 8; 215 | } 216 | u += h[16]; h[16] = u & 3; 217 | u = 5 * (u >> 2); 218 | FOR(j,16) { 219 | u += h[j]; 220 | h[j] = u & 255; 221 | u >>= 8; 222 | } 223 | u += h[16]; h[16] = u; 224 | } 225 | 226 | FOR(j,17) g[j] = h[j]; 227 | add1305(h,minusp); 228 | s = -(h[16] >> 7); 229 | FOR(j,17) h[j] ^= s & (g[j] ^ h[j]); 230 | 231 | FOR(j,16) c[j] = k[j + 16]; 232 | c[16] = 0; 233 | add1305(h,c); 234 | FOR(j,16) out[j] = h[j]; 235 | return 0; 236 | } 237 | 238 | int crypto_onetimeauth_verify(const u8 *h,const u8 *m,u64 n,const u8 *k) 239 | { 240 | u8 x[16]; 241 | crypto_onetimeauth(x,m,n,k); 242 | return crypto_verify_16(h,x); 243 | } 244 | 245 | int crypto_secretbox(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *k) 246 | { 247 | int i; 248 | if (d < 32) return -1; 249 | crypto_stream_xor(c,m,d,n,k); 250 | crypto_onetimeauth(c + 16,c + 32,d - 32,c); 251 | FOR(i,16) c[i] = 0; 252 | return 0; 253 | } 254 | 255 | int crypto_secretbox_open(u8 *m,const u8 *c,u64 d,const u8 *n,const u8 *k) 256 | { 257 | int i; 258 | u8 x[32]; 259 | if (d < 32) return -1; 260 | crypto_stream(x,32,n,k); 261 | if (crypto_onetimeauth_verify(c + 16,c + 32,d - 32,x) != 0) return -1; 262 | crypto_stream_xor(m,c,d,n,k); 263 | FOR(i,32) m[i] = 0; 264 | return 0; 265 | } 266 | 267 | sv set25519(gf r, const gf a) 268 | { 269 | int i; 270 | FOR(i,16) r[i]=a[i]; 271 | } 272 | 273 | sv car25519(gf o) 274 | { 275 | int i; 276 | i64 c; 277 | FOR(i,16) { 278 | o[i]+=(1LL<<16); 279 | c=o[i]>>16; 280 | o[(i+1)*(i<15)]+=c-1+37*(c-1)*(i==15); 281 | o[i]-=c<<16; 282 | } 283 | } 284 | 285 | sv sel25519(gf p,gf q,int b) 286 | { 287 | i64 t,i,c=~(b-1); 288 | FOR(i,16) { 289 | t= c&(p[i]^q[i]); 290 | p[i]^=t; 291 | q[i]^=t; 292 | } 293 | } 294 | 295 | sv pack25519(u8 *o,const gf n) 296 | { 297 | int i,j,b; 298 | gf m,t; 299 | FOR(i,16) t[i]=n[i]; 300 | car25519(t); 301 | car25519(t); 302 | car25519(t); 303 | FOR(j,2) { 304 | m[0]=t[0]-0xffed; 305 | for(i=1;i<15;i++) { 306 | m[i]=t[i]-0xffff-((m[i-1]>>16)&1); 307 | m[i-1]&=0xffff; 308 | } 309 | m[15]=t[15]-0x7fff-((m[14]>>16)&1); 310 | b=(m[15]>>16)&1; 311 | m[14]&=0xffff; 312 | sel25519(t,m,1-b); 313 | } 314 | FOR(i,16) { 315 | o[2*i]=t[i]&0xff; 316 | o[2*i+1]=t[i]>>8; 317 | } 318 | } 319 | 320 | static int neq25519(const gf a, const gf b) 321 | { 322 | u8 c[32],d[32]; 323 | pack25519(c,a); 324 | pack25519(d,b); 325 | return crypto_verify_32(c,d); 326 | } 327 | 328 | static u8 par25519(const gf a) 329 | { 330 | u8 d[32]; 331 | pack25519(d,a); 332 | return d[0]&1; 333 | } 334 | 335 | sv unpack25519(gf o, const u8 *n) 336 | { 337 | int i; 338 | FOR(i,16) o[i]=n[2*i]+((i64)n[2*i+1]<<8); 339 | o[15]&=0x7fff; 340 | } 341 | 342 | sv A(gf o,const gf a,const gf b) 343 | { 344 | int i; 345 | FOR(i,16) o[i]=a[i]+b[i]; 346 | } 347 | 348 | sv Z(gf o,const gf a,const gf b) 349 | { 350 | int i; 351 | FOR(i,16) o[i]=a[i]-b[i]; 352 | } 353 | 354 | sv M(gf o,const gf a,const gf b) 355 | { 356 | i64 i,j,t[31]; 357 | FOR(i,31) t[i]=0; 358 | FOR(i,16) FOR(j,16) t[i+j]+=a[i]*b[j]; 359 | FOR(i,15) t[i]+=38*t[i+16]; 360 | FOR(i,16) o[i]=t[i]; 361 | car25519(o); 362 | car25519(o); 363 | } 364 | 365 | sv S(gf o,const gf a) 366 | { 367 | M(o,a,a); 368 | } 369 | 370 | sv inv25519(gf o,const gf i) 371 | { 372 | gf c; 373 | int a; 374 | FOR(a,16) c[a]=i[a]; 375 | for(a=253;a>=0;a--) { 376 | S(c,c); 377 | if(a!=2&&a!=4) M(c,c,i); 378 | } 379 | FOR(a,16) o[a]=c[a]; 380 | } 381 | 382 | sv pow2523(gf o,const gf i) 383 | { 384 | gf c; 385 | int a; 386 | FOR(a,16) c[a]=i[a]; 387 | for(a=250;a>=0;a--) { 388 | S(c,c); 389 | if(a!=1) M(c,c,i); 390 | } 391 | FOR(a,16) o[a]=c[a]; 392 | } 393 | 394 | int crypto_scalarmult(u8 *q,const u8 *n,const u8 *p) 395 | { 396 | u8 z[32]; 397 | i64 x[80],r,i; 398 | gf a,b,c,d,e,f; 399 | FOR(i,31) z[i]=n[i]; 400 | z[31]=(n[31]&127)|64; 401 | z[0]&=248; 402 | unpack25519(x,p); 403 | FOR(i,16) { 404 | b[i]=x[i]; 405 | d[i]=a[i]=c[i]=0; 406 | } 407 | a[0]=d[0]=1; 408 | for(i=254;i>=0;--i) { 409 | r=(z[i>>3]>>(i&7))&1; 410 | sel25519(a,b,r); 411 | sel25519(c,d,r); 412 | A(e,a,c); 413 | Z(a,a,c); 414 | A(c,b,d); 415 | Z(b,b,d); 416 | S(d,e); 417 | S(f,a); 418 | M(a,c,a); 419 | M(c,b,e); 420 | A(e,a,c); 421 | Z(a,a,c); 422 | S(b,a); 423 | Z(c,d,f); 424 | M(a,c,_121665); 425 | A(a,a,d); 426 | M(c,c,a); 427 | M(a,d,f); 428 | M(d,b,x); 429 | S(b,e); 430 | sel25519(a,b,r); 431 | sel25519(c,d,r); 432 | } 433 | FOR(i,16) { 434 | x[i+16]=a[i]; 435 | x[i+32]=c[i]; 436 | x[i+48]=b[i]; 437 | x[i+64]=d[i]; 438 | } 439 | inv25519(x+32,x+32); 440 | M(x+16,x+16,x+32); 441 | pack25519(q,x+16); 442 | return 0; 443 | } 444 | 445 | int crypto_scalarmult_base(u8 *q,const u8 *n) 446 | { 447 | return crypto_scalarmult(q,n,_9); 448 | } 449 | 450 | int crypto_box_keypair(u8 *y,u8 *x) 451 | { 452 | randombytes(x,32); 453 | return crypto_scalarmult_base(y,x); 454 | } 455 | 456 | int crypto_box_beforenm(u8 *k,const u8 *y,const u8 *x) 457 | { 458 | u8 s[32]; 459 | crypto_scalarmult(s,x,y); 460 | return crypto_core_hsalsa20(k,_0,s,sigma); 461 | } 462 | 463 | int crypto_box_afternm(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *k) 464 | { 465 | return crypto_secretbox(c,m,d,n,k); 466 | } 467 | 468 | int crypto_box_open_afternm(u8 *m,const u8 *c,u64 d,const u8 *n,const u8 *k) 469 | { 470 | return crypto_secretbox_open(m,c,d,n,k); 471 | } 472 | 473 | int crypto_box(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *y,const u8 *x) 474 | { 475 | u8 k[32]; 476 | crypto_box_beforenm(k,y,x); 477 | return crypto_box_afternm(c,m,d,n,k); 478 | } 479 | 480 | int crypto_box_open(u8 *m,const u8 *c,u64 d,const u8 *n,const u8 *y,const u8 *x) 481 | { 482 | u8 k[32]; 483 | crypto_box_beforenm(k,y,x); 484 | return crypto_box_open_afternm(m,c,d,n,k); 485 | } 486 | 487 | static u64 R(u64 x,int c) { return (x >> c) | (x << (64 - c)); } 488 | static u64 Ch(u64 x,u64 y,u64 z) { return (x & y) ^ (~x & z); } 489 | static u64 Maj(u64 x,u64 y,u64 z) { return (x & y) ^ (x & z) ^ (y & z); } 490 | static u64 Sigma0(u64 x) { return R(x,28) ^ R(x,34) ^ R(x,39); } 491 | static u64 Sigma1(u64 x) { return R(x,14) ^ R(x,18) ^ R(x,41); } 492 | static u64 sigma0(u64 x) { return R(x, 1) ^ R(x, 8) ^ (x >> 7); } 493 | static u64 sigma1(u64 x) { return R(x,19) ^ R(x,61) ^ (x >> 6); } 494 | 495 | static const u64 K[80] = 496 | { 497 | 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 498 | 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 499 | 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 500 | 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 501 | 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 502 | 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 503 | 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 504 | 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 505 | 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 506 | 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 507 | 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 508 | 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 509 | 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 510 | 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 511 | 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 512 | 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 513 | 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 514 | 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 515 | 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 516 | 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 517 | }; 518 | 519 | int crypto_hashblocks(u8 *x,const u8 *m,u64 n) 520 | { 521 | u64 z[8],b[8],a[8],w[16],t; 522 | int i,j; 523 | 524 | FOR(i,8) z[i] = a[i] = dl64(x + 8 * i); 525 | 526 | while (n >= 128) { 527 | FOR(i,16) w[i] = dl64(m + 8 * i); 528 | 529 | FOR(i,80) { 530 | FOR(j,8) b[j] = a[j]; 531 | t = a[7] + Sigma1(a[4]) + Ch(a[4],a[5],a[6]) + K[i] + w[i%16]; 532 | b[7] = t + Sigma0(a[0]) + Maj(a[0],a[1],a[2]); 533 | b[3] += t; 534 | FOR(j,8) a[(j+1)%8] = b[j]; 535 | if (i%16 == 15) 536 | FOR(j,16) 537 | w[j] += w[(j+9)%16] + sigma0(w[(j+1)%16]) + sigma1(w[(j+14)%16]); 538 | } 539 | 540 | FOR(i,8) { a[i] += z[i]; z[i] = a[i]; } 541 | 542 | m += 128; 543 | n -= 128; 544 | } 545 | 546 | FOR(i,8) ts64(x+8*i,z[i]); 547 | 548 | return n; 549 | } 550 | 551 | static const u8 iv[64] = { 552 | 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08, 553 | 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b, 554 | 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b, 555 | 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1, 556 | 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1, 557 | 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f, 558 | 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b, 559 | 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79 560 | } ; 561 | 562 | int crypto_hash(u8 *out,const u8 *m,u64 n) 563 | { 564 | u8 h[64],x[256]; 565 | u64 i,b = n; 566 | 567 | FOR(i,64) h[i] = iv[i]; 568 | 569 | crypto_hashblocks(h,m,n); 570 | m += n; 571 | n &= 127; 572 | m -= n; 573 | 574 | FOR(i,256) x[i] = 0; 575 | FOR(i,n) x[i] = m[i]; 576 | x[n] = 128; 577 | 578 | n = 256-128*(n<112); 579 | x[n-9] = b >> 61; 580 | ts64(x+n-8,b<<3); 581 | crypto_hashblocks(h,x,n); 582 | 583 | FOR(i,64) out[i] = h[i]; 584 | 585 | return 0; 586 | } 587 | 588 | sv add(gf p[4],gf q[4]) 589 | { 590 | gf a,b,c,d,t,e,f,g,h; 591 | 592 | Z(a, p[1], p[0]); 593 | Z(t, q[1], q[0]); 594 | M(a, a, t); 595 | A(b, p[0], p[1]); 596 | A(t, q[0], q[1]); 597 | M(b, b, t); 598 | M(c, p[3], q[3]); 599 | M(c, c, D2); 600 | M(d, p[2], q[2]); 601 | A(d, d, d); 602 | Z(e, b, a); 603 | Z(f, d, c); 604 | A(g, d, c); 605 | A(h, b, a); 606 | 607 | M(p[0], e, f); 608 | M(p[1], h, g); 609 | M(p[2], g, f); 610 | M(p[3], e, h); 611 | } 612 | 613 | sv cswap(gf p[4],gf q[4],u8 b) 614 | { 615 | int i; 616 | FOR(i,4) 617 | sel25519(p[i],q[i],b); 618 | } 619 | 620 | sv pack(u8 *r,gf p[4]) 621 | { 622 | gf tx, ty, zi; 623 | inv25519(zi, p[2]); 624 | M(tx, p[0], zi); 625 | M(ty, p[1], zi); 626 | pack25519(r, ty); 627 | r[31] ^= par25519(tx) << 7; 628 | } 629 | 630 | sv scalarmult(gf p[4],gf q[4],const u8 *s) 631 | { 632 | int i; 633 | set25519(p[0],gf0); 634 | set25519(p[1],gf1); 635 | set25519(p[2],gf1); 636 | set25519(p[3],gf0); 637 | for (i = 255;i >= 0;--i) { 638 | u8 b = (s[i/8]>>(i&7))&1; 639 | cswap(p,q,b); 640 | add(q,p); 641 | add(p,p); 642 | cswap(p,q,b); 643 | } 644 | } 645 | 646 | sv scalarbase(gf p[4],const u8 *s) 647 | { 648 | gf q[4]; 649 | set25519(q[0],X); 650 | set25519(q[1],Y); 651 | set25519(q[2],gf1); 652 | M(q[3],X,Y); 653 | scalarmult(p,q,s); 654 | } 655 | 656 | int crypto_sign_keypair(u8 *pk, u8 *sk) 657 | { 658 | u8 d[64]; 659 | gf p[4]; 660 | int i; 661 | 662 | randombytes(sk, 32); 663 | crypto_hash(d, sk, 32); 664 | d[0] &= 248; 665 | d[31] &= 127; 666 | d[31] |= 64; 667 | 668 | scalarbase(p,d); 669 | pack(pk,p); 670 | 671 | FOR(i,32) sk[32 + i] = pk[i]; 672 | return 0; 673 | } 674 | 675 | static const u64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10}; 676 | 677 | sv modL(u8 *r,i64 x[64]) 678 | { 679 | i64 carry,i,j; 680 | for (i = 63;i >= 32;--i) { 681 | carry = 0; 682 | for (j = i - 32;j < i - 12;++j) { 683 | x[j] += carry - 16 * x[i] * L[j - (i - 32)]; 684 | carry = (x[j] + 128) >> 8; 685 | x[j] -= carry << 8; 686 | } 687 | x[j] += carry; 688 | x[i] = 0; 689 | } 690 | carry = 0; 691 | FOR(j,32) { 692 | x[j] += carry - (x[31] >> 4) * L[j]; 693 | carry = x[j] >> 8; 694 | x[j] &= 255; 695 | } 696 | FOR(j,32) x[j] -= carry * L[j]; 697 | FOR(i,32) { 698 | x[i+1] += x[i] >> 8; 699 | r[i] = x[i] & 255; 700 | } 701 | } 702 | 703 | sv reduce(u8 *r) 704 | { 705 | i64 x[64],i; 706 | FOR(i,64) x[i] = (u64) r[i]; 707 | FOR(i,64) r[i] = 0; 708 | modL(r,x); 709 | } 710 | 711 | int crypto_sign(u8 *sm,u64 *smlen,const u8 *m,u64 n,const u8 *sk) 712 | { 713 | u8 d[64],h[64],r[64]; 714 | i64 i,j,x[64]; 715 | gf p[4]; 716 | 717 | crypto_hash(d, sk, 32); 718 | d[0] &= 248; 719 | d[31] &= 127; 720 | d[31] |= 64; 721 | 722 | *smlen = n+64; 723 | FOR(i,n) sm[64 + i] = m[i]; 724 | FOR(i,32) sm[32 + i] = d[32 + i]; 725 | 726 | crypto_hash(r, sm+32, n+32); 727 | reduce(r); 728 | scalarbase(p,r); 729 | pack(sm,p); 730 | 731 | FOR(i,32) sm[i+32] = sk[i+32]; 732 | crypto_hash(h,sm,n + 64); 733 | reduce(h); 734 | 735 | FOR(i,64) x[i] = 0; 736 | FOR(i,32) x[i] = (u64) r[i]; 737 | FOR(i,32) FOR(j,32) x[i+j] += h[i] * (u64) d[j]; 738 | modL(sm + 32,x); 739 | 740 | return 0; 741 | } 742 | 743 | static int unpackneg(gf r[4],const u8 p[32]) 744 | { 745 | gf t, chk, num, den, den2, den4, den6; 746 | set25519(r[2],gf1); 747 | unpack25519(r[1],p); 748 | S(num,r[1]); 749 | M(den,num,D); 750 | Z(num,num,r[2]); 751 | A(den,r[2],den); 752 | 753 | S(den2,den); 754 | S(den4,den2); 755 | M(den6,den4,den2); 756 | M(t,den6,num); 757 | M(t,t,den); 758 | 759 | pow2523(t,t); 760 | M(t,t,num); 761 | M(t,t,den); 762 | M(t,t,den); 763 | M(r[0],t,den); 764 | 765 | S(chk,r[0]); 766 | M(chk,chk,den); 767 | if (neq25519(chk, num)) M(r[0],r[0],I); 768 | 769 | S(chk,r[0]); 770 | M(chk,chk,den); 771 | if (neq25519(chk, num)) return -1; 772 | 773 | if (par25519(r[0]) == (p[31]>>7)) Z(r[0],gf0,r[0]); 774 | 775 | M(r[3],r[0],r[1]); 776 | return 0; 777 | } 778 | 779 | int crypto_sign_open(u8 *m,u64 *mlen,const u8 *sm,u64 n,const u8 *pk) 780 | { 781 | int i; 782 | u8 t[32],h[64]; 783 | gf p[4],q[4]; 784 | 785 | *mlen = -1; 786 | if (n < 64) return -1; 787 | 788 | if (unpackneg(q,pk)) return -1; 789 | 790 | FOR(i,n) m[i] = sm[i]; 791 | FOR(i,32) m[i+32] = pk[i]; 792 | crypto_hash(h,m,n); 793 | reduce(h); 794 | scalarmult(p,q,h); 795 | 796 | scalarbase(q,sm + 32); 797 | add(p,q); 798 | pack(t,p); 799 | 800 | n -= 64; 801 | if (crypto_verify_32(sm, t)) { 802 | FOR(i,n) m[i] = 0; 803 | return -1; 804 | } 805 | 806 | FOR(i,n) m[i] = sm[i + 64]; 807 | *mlen = n; 808 | return 0; 809 | } 810 | -------------------------------------------------------------------------------- /tweetnacl.h: -------------------------------------------------------------------------------- 1 | #ifndef TWEETNACL_H 2 | #define TWEETNACL_H 3 | #define crypto_auth_PRIMITIVE "hmacsha512256" 4 | #define crypto_auth crypto_auth_hmacsha512256 5 | #define crypto_auth_verify crypto_auth_hmacsha512256_verify 6 | #define crypto_auth_BYTES crypto_auth_hmacsha512256_BYTES 7 | #define crypto_auth_KEYBYTES crypto_auth_hmacsha512256_KEYBYTES 8 | #define crypto_auth_IMPLEMENTATION crypto_auth_hmacsha512256_IMPLEMENTATION 9 | #define crypto_auth_VERSION crypto_auth_hmacsha512256_VERSION 10 | #define crypto_auth_hmacsha512256_tweet_BYTES 32 11 | #define crypto_auth_hmacsha512256_tweet_KEYBYTES 32 12 | extern int crypto_auth_hmacsha512256_tweet(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *); 13 | extern int crypto_auth_hmacsha512256_tweet_verify(const unsigned char *,const unsigned char *,unsigned long long,const unsigned char *); 14 | #define crypto_auth_hmacsha512256_tweet_VERSION "-" 15 | #define crypto_auth_hmacsha512256 crypto_auth_hmacsha512256_tweet 16 | #define crypto_auth_hmacsha512256_verify crypto_auth_hmacsha512256_tweet_verify 17 | #define crypto_auth_hmacsha512256_BYTES crypto_auth_hmacsha512256_tweet_BYTES 18 | #define crypto_auth_hmacsha512256_KEYBYTES crypto_auth_hmacsha512256_tweet_KEYBYTES 19 | #define crypto_auth_hmacsha512256_VERSION crypto_auth_hmacsha512256_tweet_VERSION 20 | #define crypto_auth_hmacsha512256_IMPLEMENTATION "crypto_auth/hmacsha512256/tweet" 21 | #define crypto_box_PRIMITIVE "curve25519xsalsa20poly1305" 22 | #define crypto_box crypto_box_curve25519xsalsa20poly1305 23 | #define crypto_box_open crypto_box_curve25519xsalsa20poly1305_open 24 | #define crypto_box_keypair crypto_box_curve25519xsalsa20poly1305_keypair 25 | #define crypto_box_beforenm crypto_box_curve25519xsalsa20poly1305_beforenm 26 | #define crypto_box_afternm crypto_box_curve25519xsalsa20poly1305_afternm 27 | #define crypto_box_open_afternm crypto_box_curve25519xsalsa20poly1305_open_afternm 28 | #define crypto_box_PUBLICKEYBYTES crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES 29 | #define crypto_box_SECRETKEYBYTES crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES 30 | #define crypto_box_BEFORENMBYTES crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES 31 | #define crypto_box_NONCEBYTES crypto_box_curve25519xsalsa20poly1305_NONCEBYTES 32 | #define crypto_box_ZEROBYTES crypto_box_curve25519xsalsa20poly1305_ZEROBYTES 33 | #define crypto_box_BOXZEROBYTES crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES 34 | #define crypto_box_IMPLEMENTATION crypto_box_curve25519xsalsa20poly1305_IMPLEMENTATION 35 | #define crypto_box_VERSION crypto_box_curve25519xsalsa20poly1305_VERSION 36 | #define crypto_box_curve25519xsalsa20poly1305_tweet_PUBLICKEYBYTES 32 37 | #define crypto_box_curve25519xsalsa20poly1305_tweet_SECRETKEYBYTES 32 38 | #define crypto_box_curve25519xsalsa20poly1305_tweet_BEFORENMBYTES 32 39 | #define crypto_box_curve25519xsalsa20poly1305_tweet_NONCEBYTES 24 40 | #define crypto_box_curve25519xsalsa20poly1305_tweet_ZEROBYTES 32 41 | #define crypto_box_curve25519xsalsa20poly1305_tweet_BOXZEROBYTES 16 42 | extern int crypto_box_curve25519xsalsa20poly1305_tweet(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *,const unsigned char *); 43 | extern int crypto_box_curve25519xsalsa20poly1305_tweet_open(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *,const unsigned char *); 44 | extern int crypto_box_curve25519xsalsa20poly1305_tweet_keypair(unsigned char *,unsigned char *); 45 | extern int crypto_box_curve25519xsalsa20poly1305_tweet_beforenm(unsigned char *,const unsigned char *,const unsigned char *); 46 | extern int crypto_box_curve25519xsalsa20poly1305_tweet_afternm(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); 47 | extern int crypto_box_curve25519xsalsa20poly1305_tweet_open_afternm(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); 48 | #define crypto_box_curve25519xsalsa20poly1305_tweet_VERSION "-" 49 | #define crypto_box_curve25519xsalsa20poly1305 crypto_box_curve25519xsalsa20poly1305_tweet 50 | #define crypto_box_curve25519xsalsa20poly1305_open crypto_box_curve25519xsalsa20poly1305_tweet_open 51 | #define crypto_box_curve25519xsalsa20poly1305_keypair crypto_box_curve25519xsalsa20poly1305_tweet_keypair 52 | #define crypto_box_curve25519xsalsa20poly1305_beforenm crypto_box_curve25519xsalsa20poly1305_tweet_beforenm 53 | #define crypto_box_curve25519xsalsa20poly1305_afternm crypto_box_curve25519xsalsa20poly1305_tweet_afternm 54 | #define crypto_box_curve25519xsalsa20poly1305_open_afternm crypto_box_curve25519xsalsa20poly1305_tweet_open_afternm 55 | #define crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES crypto_box_curve25519xsalsa20poly1305_tweet_PUBLICKEYBYTES 56 | #define crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES crypto_box_curve25519xsalsa20poly1305_tweet_SECRETKEYBYTES 57 | #define crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES crypto_box_curve25519xsalsa20poly1305_tweet_BEFORENMBYTES 58 | #define crypto_box_curve25519xsalsa20poly1305_NONCEBYTES crypto_box_curve25519xsalsa20poly1305_tweet_NONCEBYTES 59 | #define crypto_box_curve25519xsalsa20poly1305_ZEROBYTES crypto_box_curve25519xsalsa20poly1305_tweet_ZEROBYTES 60 | #define crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES crypto_box_curve25519xsalsa20poly1305_tweet_BOXZEROBYTES 61 | #define crypto_box_curve25519xsalsa20poly1305_VERSION crypto_box_curve25519xsalsa20poly1305_tweet_VERSION 62 | #define crypto_box_curve25519xsalsa20poly1305_IMPLEMENTATION "crypto_box/curve25519xsalsa20poly1305/tweet" 63 | #define crypto_core_PRIMITIVE "salsa20" 64 | #define crypto_core crypto_core_salsa20 65 | #define crypto_core_OUTPUTBYTES crypto_core_salsa20_OUTPUTBYTES 66 | #define crypto_core_INPUTBYTES crypto_core_salsa20_INPUTBYTES 67 | #define crypto_core_KEYBYTES crypto_core_salsa20_KEYBYTES 68 | #define crypto_core_CONSTBYTES crypto_core_salsa20_CONSTBYTES 69 | #define crypto_core_IMPLEMENTATION crypto_core_salsa20_IMPLEMENTATION 70 | #define crypto_core_VERSION crypto_core_salsa20_VERSION 71 | #define crypto_core_salsa20_tweet_OUTPUTBYTES 64 72 | #define crypto_core_salsa20_tweet_INPUTBYTES 16 73 | #define crypto_core_salsa20_tweet_KEYBYTES 32 74 | #define crypto_core_salsa20_tweet_CONSTBYTES 16 75 | extern int crypto_core_salsa20_tweet(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *); 76 | #define crypto_core_salsa20_tweet_VERSION "-" 77 | #define crypto_core_salsa20 crypto_core_salsa20_tweet 78 | #define crypto_core_salsa20_OUTPUTBYTES crypto_core_salsa20_tweet_OUTPUTBYTES 79 | #define crypto_core_salsa20_INPUTBYTES crypto_core_salsa20_tweet_INPUTBYTES 80 | #define crypto_core_salsa20_KEYBYTES crypto_core_salsa20_tweet_KEYBYTES 81 | #define crypto_core_salsa20_CONSTBYTES crypto_core_salsa20_tweet_CONSTBYTES 82 | #define crypto_core_salsa20_VERSION crypto_core_salsa20_tweet_VERSION 83 | #define crypto_core_salsa20_IMPLEMENTATION "crypto_core/salsa20/tweet" 84 | #define crypto_core_hsalsa20_tweet_OUTPUTBYTES 32 85 | #define crypto_core_hsalsa20_tweet_INPUTBYTES 16 86 | #define crypto_core_hsalsa20_tweet_KEYBYTES 32 87 | #define crypto_core_hsalsa20_tweet_CONSTBYTES 16 88 | extern int crypto_core_hsalsa20_tweet(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *); 89 | #define crypto_core_hsalsa20_tweet_VERSION "-" 90 | #define crypto_core_hsalsa20 crypto_core_hsalsa20_tweet 91 | #define crypto_core_hsalsa20_OUTPUTBYTES crypto_core_hsalsa20_tweet_OUTPUTBYTES 92 | #define crypto_core_hsalsa20_INPUTBYTES crypto_core_hsalsa20_tweet_INPUTBYTES 93 | #define crypto_core_hsalsa20_KEYBYTES crypto_core_hsalsa20_tweet_KEYBYTES 94 | #define crypto_core_hsalsa20_CONSTBYTES crypto_core_hsalsa20_tweet_CONSTBYTES 95 | #define crypto_core_hsalsa20_VERSION crypto_core_hsalsa20_tweet_VERSION 96 | #define crypto_core_hsalsa20_IMPLEMENTATION "crypto_core/hsalsa20/tweet" 97 | #define crypto_hashblocks_PRIMITIVE "sha512" 98 | #define crypto_hashblocks crypto_hashblocks_sha512 99 | #define crypto_hashblocks_STATEBYTES crypto_hashblocks_sha512_STATEBYTES 100 | #define crypto_hashblocks_BLOCKBYTES crypto_hashblocks_sha512_BLOCKBYTES 101 | #define crypto_hashblocks_IMPLEMENTATION crypto_hashblocks_sha512_IMPLEMENTATION 102 | #define crypto_hashblocks_VERSION crypto_hashblocks_sha512_VERSION 103 | #define crypto_hashblocks_sha512_tweet_STATEBYTES 64 104 | #define crypto_hashblocks_sha512_tweet_BLOCKBYTES 128 105 | extern int crypto_hashblocks_sha512_tweet(unsigned char *,const unsigned char *,unsigned long long); 106 | #define crypto_hashblocks_sha512_tweet_VERSION "-" 107 | #define crypto_hashblocks_sha512 crypto_hashblocks_sha512_tweet 108 | #define crypto_hashblocks_sha512_STATEBYTES crypto_hashblocks_sha512_tweet_STATEBYTES 109 | #define crypto_hashblocks_sha512_BLOCKBYTES crypto_hashblocks_sha512_tweet_BLOCKBYTES 110 | #define crypto_hashblocks_sha512_VERSION crypto_hashblocks_sha512_tweet_VERSION 111 | #define crypto_hashblocks_sha512_IMPLEMENTATION "crypto_hashblocks/sha512/tweet" 112 | #define crypto_hashblocks_sha256_tweet_STATEBYTES 32 113 | #define crypto_hashblocks_sha256_tweet_BLOCKBYTES 64 114 | extern int crypto_hashblocks_sha256_tweet(unsigned char *,const unsigned char *,unsigned long long); 115 | #define crypto_hashblocks_sha256_tweet_VERSION "-" 116 | #define crypto_hashblocks_sha256 crypto_hashblocks_sha256_tweet 117 | #define crypto_hashblocks_sha256_STATEBYTES crypto_hashblocks_sha256_tweet_STATEBYTES 118 | #define crypto_hashblocks_sha256_BLOCKBYTES crypto_hashblocks_sha256_tweet_BLOCKBYTES 119 | #define crypto_hashblocks_sha256_VERSION crypto_hashblocks_sha256_tweet_VERSION 120 | #define crypto_hashblocks_sha256_IMPLEMENTATION "crypto_hashblocks/sha256/tweet" 121 | #define crypto_hash_PRIMITIVE "sha512" 122 | #define crypto_hash crypto_hash_sha512 123 | #define crypto_hash_BYTES crypto_hash_sha512_BYTES 124 | #define crypto_hash_IMPLEMENTATION crypto_hash_sha512_IMPLEMENTATION 125 | #define crypto_hash_VERSION crypto_hash_sha512_VERSION 126 | #define crypto_hash_sha512_tweet_BYTES 64 127 | extern int crypto_hash_sha512_tweet(unsigned char *,const unsigned char *,unsigned long long); 128 | #define crypto_hash_sha512_tweet_VERSION "-" 129 | #define crypto_hash_sha512 crypto_hash_sha512_tweet 130 | #define crypto_hash_sha512_BYTES crypto_hash_sha512_tweet_BYTES 131 | #define crypto_hash_sha512_VERSION crypto_hash_sha512_tweet_VERSION 132 | #define crypto_hash_sha512_IMPLEMENTATION "crypto_hash/sha512/tweet" 133 | #define crypto_hash_sha256_tweet_BYTES 32 134 | extern int crypto_hash_sha256_tweet(unsigned char *,const unsigned char *,unsigned long long); 135 | #define crypto_hash_sha256_tweet_VERSION "-" 136 | #define crypto_hash_sha256 crypto_hash_sha256_tweet 137 | #define crypto_hash_sha256_BYTES crypto_hash_sha256_tweet_BYTES 138 | #define crypto_hash_sha256_VERSION crypto_hash_sha256_tweet_VERSION 139 | #define crypto_hash_sha256_IMPLEMENTATION "crypto_hash/sha256/tweet" 140 | #define crypto_onetimeauth_PRIMITIVE "poly1305" 141 | #define crypto_onetimeauth crypto_onetimeauth_poly1305 142 | #define crypto_onetimeauth_verify crypto_onetimeauth_poly1305_verify 143 | #define crypto_onetimeauth_BYTES crypto_onetimeauth_poly1305_BYTES 144 | #define crypto_onetimeauth_KEYBYTES crypto_onetimeauth_poly1305_KEYBYTES 145 | #define crypto_onetimeauth_IMPLEMENTATION crypto_onetimeauth_poly1305_IMPLEMENTATION 146 | #define crypto_onetimeauth_VERSION crypto_onetimeauth_poly1305_VERSION 147 | #define crypto_onetimeauth_poly1305_tweet_BYTES 16 148 | #define crypto_onetimeauth_poly1305_tweet_KEYBYTES 32 149 | extern int crypto_onetimeauth_poly1305_tweet(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *); 150 | extern int crypto_onetimeauth_poly1305_tweet_verify(const unsigned char *,const unsigned char *,unsigned long long,const unsigned char *); 151 | #define crypto_onetimeauth_poly1305_tweet_VERSION "-" 152 | #define crypto_onetimeauth_poly1305 crypto_onetimeauth_poly1305_tweet 153 | #define crypto_onetimeauth_poly1305_verify crypto_onetimeauth_poly1305_tweet_verify 154 | #define crypto_onetimeauth_poly1305_BYTES crypto_onetimeauth_poly1305_tweet_BYTES 155 | #define crypto_onetimeauth_poly1305_KEYBYTES crypto_onetimeauth_poly1305_tweet_KEYBYTES 156 | #define crypto_onetimeauth_poly1305_VERSION crypto_onetimeauth_poly1305_tweet_VERSION 157 | #define crypto_onetimeauth_poly1305_IMPLEMENTATION "crypto_onetimeauth/poly1305/tweet" 158 | #define crypto_scalarmult_PRIMITIVE "curve25519" 159 | #define crypto_scalarmult crypto_scalarmult_curve25519 160 | #define crypto_scalarmult_base crypto_scalarmult_curve25519_base 161 | #define crypto_scalarmult_BYTES crypto_scalarmult_curve25519_BYTES 162 | #define crypto_scalarmult_SCALARBYTES crypto_scalarmult_curve25519_SCALARBYTES 163 | #define crypto_scalarmult_IMPLEMENTATION crypto_scalarmult_curve25519_IMPLEMENTATION 164 | #define crypto_scalarmult_VERSION crypto_scalarmult_curve25519_VERSION 165 | #define crypto_scalarmult_curve25519_tweet_BYTES 32 166 | #define crypto_scalarmult_curve25519_tweet_SCALARBYTES 32 167 | extern int crypto_scalarmult_curve25519_tweet(unsigned char *,const unsigned char *,const unsigned char *); 168 | extern int crypto_scalarmult_curve25519_tweet_base(unsigned char *,const unsigned char *); 169 | #define crypto_scalarmult_curve25519_tweet_VERSION "-" 170 | #define crypto_scalarmult_curve25519 crypto_scalarmult_curve25519_tweet 171 | #define crypto_scalarmult_curve25519_base crypto_scalarmult_curve25519_tweet_base 172 | #define crypto_scalarmult_curve25519_BYTES crypto_scalarmult_curve25519_tweet_BYTES 173 | #define crypto_scalarmult_curve25519_SCALARBYTES crypto_scalarmult_curve25519_tweet_SCALARBYTES 174 | #define crypto_scalarmult_curve25519_VERSION crypto_scalarmult_curve25519_tweet_VERSION 175 | #define crypto_scalarmult_curve25519_IMPLEMENTATION "crypto_scalarmult/curve25519/tweet" 176 | #define crypto_secretbox_PRIMITIVE "xsalsa20poly1305" 177 | #define crypto_secretbox crypto_secretbox_xsalsa20poly1305 178 | #define crypto_secretbox_open crypto_secretbox_xsalsa20poly1305_open 179 | #define crypto_secretbox_KEYBYTES crypto_secretbox_xsalsa20poly1305_KEYBYTES 180 | #define crypto_secretbox_NONCEBYTES crypto_secretbox_xsalsa20poly1305_NONCEBYTES 181 | #define crypto_secretbox_ZEROBYTES crypto_secretbox_xsalsa20poly1305_ZEROBYTES 182 | #define crypto_secretbox_BOXZEROBYTES crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES 183 | #define crypto_secretbox_IMPLEMENTATION crypto_secretbox_xsalsa20poly1305_IMPLEMENTATION 184 | #define crypto_secretbox_VERSION crypto_secretbox_xsalsa20poly1305_VERSION 185 | #define crypto_secretbox_xsalsa20poly1305_tweet_KEYBYTES 32 186 | #define crypto_secretbox_xsalsa20poly1305_tweet_NONCEBYTES 24 187 | #define crypto_secretbox_xsalsa20poly1305_tweet_ZEROBYTES 32 188 | #define crypto_secretbox_xsalsa20poly1305_tweet_BOXZEROBYTES 16 189 | extern int crypto_secretbox_xsalsa20poly1305_tweet(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); 190 | extern int crypto_secretbox_xsalsa20poly1305_tweet_open(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); 191 | #define crypto_secretbox_xsalsa20poly1305_tweet_VERSION "-" 192 | #define crypto_secretbox_xsalsa20poly1305 crypto_secretbox_xsalsa20poly1305_tweet 193 | #define crypto_secretbox_xsalsa20poly1305_open crypto_secretbox_xsalsa20poly1305_tweet_open 194 | #define crypto_secretbox_xsalsa20poly1305_KEYBYTES crypto_secretbox_xsalsa20poly1305_tweet_KEYBYTES 195 | #define crypto_secretbox_xsalsa20poly1305_NONCEBYTES crypto_secretbox_xsalsa20poly1305_tweet_NONCEBYTES 196 | #define crypto_secretbox_xsalsa20poly1305_ZEROBYTES crypto_secretbox_xsalsa20poly1305_tweet_ZEROBYTES 197 | #define crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES crypto_secretbox_xsalsa20poly1305_tweet_BOXZEROBYTES 198 | #define crypto_secretbox_xsalsa20poly1305_VERSION crypto_secretbox_xsalsa20poly1305_tweet_VERSION 199 | #define crypto_secretbox_xsalsa20poly1305_IMPLEMENTATION "crypto_secretbox/xsalsa20poly1305/tweet" 200 | #define crypto_sign_PRIMITIVE "ed25519" 201 | #define crypto_sign crypto_sign_ed25519 202 | #define crypto_sign_open crypto_sign_ed25519_open 203 | #define crypto_sign_keypair crypto_sign_ed25519_keypair 204 | #define crypto_sign_BYTES crypto_sign_ed25519_BYTES 205 | #define crypto_sign_PUBLICKEYBYTES crypto_sign_ed25519_PUBLICKEYBYTES 206 | #define crypto_sign_SECRETKEYBYTES crypto_sign_ed25519_SECRETKEYBYTES 207 | #define crypto_sign_IMPLEMENTATION crypto_sign_ed25519_IMPLEMENTATION 208 | #define crypto_sign_VERSION crypto_sign_ed25519_VERSION 209 | #define crypto_sign_ed25519_tweet_BYTES 64 210 | #define crypto_sign_ed25519_tweet_PUBLICKEYBYTES 32 211 | #define crypto_sign_ed25519_tweet_SECRETKEYBYTES 64 212 | extern int crypto_sign_ed25519_tweet(unsigned char *,unsigned long long *,const unsigned char *,unsigned long long,const unsigned char *); 213 | extern int crypto_sign_ed25519_tweet_open(unsigned char *,unsigned long long *,const unsigned char *,unsigned long long,const unsigned char *); 214 | extern int crypto_sign_ed25519_tweet_keypair(unsigned char *,unsigned char *); 215 | #define crypto_sign_ed25519_tweet_VERSION "-" 216 | #define crypto_sign_ed25519 crypto_sign_ed25519_tweet 217 | #define crypto_sign_ed25519_open crypto_sign_ed25519_tweet_open 218 | #define crypto_sign_ed25519_keypair crypto_sign_ed25519_tweet_keypair 219 | #define crypto_sign_ed25519_BYTES crypto_sign_ed25519_tweet_BYTES 220 | #define crypto_sign_ed25519_PUBLICKEYBYTES crypto_sign_ed25519_tweet_PUBLICKEYBYTES 221 | #define crypto_sign_ed25519_SECRETKEYBYTES crypto_sign_ed25519_tweet_SECRETKEYBYTES 222 | #define crypto_sign_ed25519_VERSION crypto_sign_ed25519_tweet_VERSION 223 | #define crypto_sign_ed25519_IMPLEMENTATION "crypto_sign/ed25519/tweet" 224 | #define crypto_stream_PRIMITIVE "xsalsa20" 225 | #define crypto_stream crypto_stream_xsalsa20 226 | #define crypto_stream_xor crypto_stream_xsalsa20_xor 227 | #define crypto_stream_KEYBYTES crypto_stream_xsalsa20_KEYBYTES 228 | #define crypto_stream_NONCEBYTES crypto_stream_xsalsa20_NONCEBYTES 229 | #define crypto_stream_IMPLEMENTATION crypto_stream_xsalsa20_IMPLEMENTATION 230 | #define crypto_stream_VERSION crypto_stream_xsalsa20_VERSION 231 | #define crypto_stream_xsalsa20_tweet_KEYBYTES 32 232 | #define crypto_stream_xsalsa20_tweet_NONCEBYTES 24 233 | extern int crypto_stream_xsalsa20_tweet(unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); 234 | extern int crypto_stream_xsalsa20_tweet_xor(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); 235 | #define crypto_stream_xsalsa20_tweet_VERSION "-" 236 | #define crypto_stream_xsalsa20 crypto_stream_xsalsa20_tweet 237 | #define crypto_stream_xsalsa20_xor crypto_stream_xsalsa20_tweet_xor 238 | #define crypto_stream_xsalsa20_KEYBYTES crypto_stream_xsalsa20_tweet_KEYBYTES 239 | #define crypto_stream_xsalsa20_NONCEBYTES crypto_stream_xsalsa20_tweet_NONCEBYTES 240 | #define crypto_stream_xsalsa20_VERSION crypto_stream_xsalsa20_tweet_VERSION 241 | #define crypto_stream_xsalsa20_IMPLEMENTATION "crypto_stream/xsalsa20/tweet" 242 | #define crypto_stream_salsa20_tweet_KEYBYTES 32 243 | #define crypto_stream_salsa20_tweet_NONCEBYTES 8 244 | extern int crypto_stream_salsa20_tweet(unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); 245 | extern int crypto_stream_salsa20_tweet_xor(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); 246 | #define crypto_stream_salsa20_tweet_VERSION "-" 247 | #define crypto_stream_salsa20 crypto_stream_salsa20_tweet 248 | #define crypto_stream_salsa20_xor crypto_stream_salsa20_tweet_xor 249 | #define crypto_stream_salsa20_KEYBYTES crypto_stream_salsa20_tweet_KEYBYTES 250 | #define crypto_stream_salsa20_NONCEBYTES crypto_stream_salsa20_tweet_NONCEBYTES 251 | #define crypto_stream_salsa20_VERSION crypto_stream_salsa20_tweet_VERSION 252 | #define crypto_stream_salsa20_IMPLEMENTATION "crypto_stream/salsa20/tweet" 253 | #define crypto_verify_PRIMITIVE "16" 254 | #define crypto_verify crypto_verify_16 255 | #define crypto_verify_BYTES crypto_verify_16_BYTES 256 | #define crypto_verify_IMPLEMENTATION crypto_verify_16_IMPLEMENTATION 257 | #define crypto_verify_VERSION crypto_verify_16_VERSION 258 | #define crypto_verify_16_tweet_BYTES 16 259 | extern int crypto_verify_16_tweet(const unsigned char *,const unsigned char *); 260 | #define crypto_verify_16_tweet_VERSION "-" 261 | #define crypto_verify_16 crypto_verify_16_tweet 262 | #define crypto_verify_16_BYTES crypto_verify_16_tweet_BYTES 263 | #define crypto_verify_16_VERSION crypto_verify_16_tweet_VERSION 264 | #define crypto_verify_16_IMPLEMENTATION "crypto_verify/16/tweet" 265 | #define crypto_verify_32_tweet_BYTES 32 266 | extern int crypto_verify_32_tweet(const unsigned char *,const unsigned char *); 267 | #define crypto_verify_32_tweet_VERSION "-" 268 | #define crypto_verify_32 crypto_verify_32_tweet 269 | #define crypto_verify_32_BYTES crypto_verify_32_tweet_BYTES 270 | #define crypto_verify_32_VERSION crypto_verify_32_tweet_VERSION 271 | #define crypto_verify_32_IMPLEMENTATION "crypto_verify/32/tweet" 272 | #endif 273 | --------------------------------------------------------------------------------