ed25519 1.0.0-jruby

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 7ae17b8d776a0e09bfba306d42f817e806cdeb14
+  data.tar.gz: f7551dd72b2361acc584c0e8a7f8406f1a395532
+SHA512:
+  metadata.gz: c4997f60634446a3b948b9ddcd2c228b2d2a4ce2a23ef9cb5f09b933d090273b898c3e97c802cad9c4f85710ed4b588aac9f414f9aa2a01699bcd48f5aaded4b
+  data.tar.gz: 406ec016f0cdae858fc6276895e36cd3ffc0276b1e1f46ff99b726b33cf7f9daff67ed7e4e21f3b610a6c2e093b7efa591c8d21889736570207b0ef0336b8e9b

data/.gitignore

@@ -0,0 +1,15 @@
+/Gemfile.lock
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.o
+*.so
+*.bundle
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,5 @@
+--color
+--format documentation
+--order random
+--warnings
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,35 @@
+AllCops:
+  TargetRubyVersion: 2.4
+  DisplayCopNames: true
+
+#
+# Style
+#
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+#
+# Metrics
+#
+
+Metrics/AbcSize:
+  Enabled: false
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
+Metrics/PerceivedComplexity:
+  Enabled: false
+
+Metrics/BlockLength:
+  Max: 100
+
+Metrics/ClassLength:
+  Max: 100
+
+Metrics/LineLength:
+  Max: 128
+
+Metrics/MethodLength:
+  Max: 25

data/.travis.yml

@@ -0,0 +1,13 @@
+language: ruby
+
+rvm:
+  - jruby-9.1.15.0
+  - 2.2.8
+  - 2.3.5
+  - 2.4.2
+
+before_install: gem install bundler -v 1.16.0
+
+branches:
+  only:
+    - master

data/CHANGES.md

@@ -0,0 +1,16 @@
+# [1.0.0] (2017-12-12)
+
+[1.0.0]: https://github.com/cryptosphere/x25519/compare/v0.1.0...v1.0.0
+
+* [#7](https://github.com/cryptosphere/ed25519/pull/7)
+  Keypair refactor
+
+* [#6](https://github.com/cryptosphere/ed25519/pull/6)
+  Switch from "ref" C implementation to SUPERCOP "ref10"
+
+* [#5](https://github.com/cryptosphere/ed25519/pull/5)
+  Raise Ed25519::VerifyError if signature verification fails
+
+# 0.1.0 (2017-12-11)
+
+* Initial release

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at bascule@gmail.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gemspec
+
+group :development, :test do
+  gem "rake", require: false
+  gem "rake-compiler", "~> 1.0", require: false
+  gem "rspec", "~> 3.7", require: false
+  gem "rubocop", "0.51.0", require: false
+end

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012-2017 Tony Arcieri
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,159 @@
+# ed25519.rb [![Latest Version][gem-shield]][gem-link] [![Build Status][build-image]][build-link] [![Yard Docs][docs-image]][docs-link] [![License: MIT][license-image]][license-link]
+
+[gem-shield]: https://badge.fury.io/rb/ed25519.svg
+[gem-link]: https://rubygems.org/gems/ed25519
+[build-image]: https://travis-ci.org/cryptosphere/ed25519.svg?branch=master
+[build-link]: https://travis-ci.org/cryptosphere/ed25519
+[docs-image]: https://img.shields.io/badge/yard-docs-blue.svg
+[docs-link]: http://www.rubydoc.info/gems/ed25519
+[license-image]: https://img.shields.io/badge/license-MIT-blue.svg
+[license-link]: https://github.com/cryptosphere/ed25519/blob/master/LICENSE
+
+A Ruby binding to the Ed25519 elliptic curve public-key signature system
+described in [RFC 8032].
+
+Two implementations are provided: a MRI C extension which uses the "ref10"
+implementation from the SUPERCOP benchmark suite, and a pure Java version
+which is a direct port of the Python implementation.
+
+[RFC 8032]: https://tools.ietf.org/html/rfc8032
+
+## What is Ed25519?
+
+Ed25519 is a modern implementation of a [Schnorr signature] system using
+elliptic curve groups.
+
+Ed25519 provides a 128-bit security level, that is to say, all known attacks
+take at least 2^128 operations, providing the same security level as AES-128,
+NIST P-256, and RSA-3072.
+
+![Ed25519 Diagram](https://raw.github.com/cryptosphere/ed25519/master/ed25519.png)
+
+Ed25519 has a number of unique properties that make it one of the best-in-class
+digital signature algorithms:
+
+* ***Small keys***: Ed25519 keys are only 256-bits (32 bytes), making them
+  small enough to easily copy around. Ed25519 also allows the public key
+  to be derived from the private key, meaning that it doesn't need to be
+  included in a serialized private key in cases you want both.
+* ***Small signatures***: Ed25519 signatures are only 512-bits (64 bytes),
+  one of the smallest signature sizes available.
+* ***Deterministic***: Unlike (EC)DSA, Ed25519 does not rely on an entropy
+  source when signing messages. This can be a potential attack vector if
+  the entropy source is not generating good random numbers. Ed25519 avoids
+  this problem entirely and will always generate the same signature for the
+  same data.
+* ***Collision Resistant***: Hash-function collisions do not break this
+  system. This adds a layer of defense against the possibility of weakness
+  in the selected hash function.
+
+You can read more on [Dan Bernstein's Ed25519 site](http://ed25519.cr.yp.to/).
+
+[Schnorr signature]: https://en.wikipedia.org/wiki/Schnorr_signature
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'ed25519'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install ed25519
+
+# Usage
+
+Require **ed25519.rb** in your Ruby program:
+
+```ruby
+require "ed25519"
+```
+
+Generate a new random signing key:
+
+```ruby
+signing_key = Ed25519::SigningKey.generate
+```
+
+Sign a message with the signing key:
+
+```ruby
+signature = signing_key.sign(message)
+```
+
+Obtain the verify key for a given signing key:
+
+```ruby
+verify_key = signing_key.verify_key
+```
+
+Check the validity of a signature:
+
+```ruby
+verify_key.verify(signature, message)
+```
+
+The verify method will return `true` if the signature verifies, or raise
+`Ed25519::VerifyError` if verification fails.
+
+### Serializing Keys
+
+Keys can be serialized as 32-byte binary strings as follows:
+
+```ruby
+signature_key_bytes = signing_key.to_bytes
+verify_key_bytes = verify_key.to_bytes
+```
+
+The binary serialization can be passed directly into the constructor for a given key type:
+
+```ruby
+signing_key = Ed25519::SigningKey.new(signature_key_bytes)
+verify_key  = Ed25519::VerifyKey.new(verify_key_bytes)
+```
+
+## Security Notes
+
+The Ed25519 "ref" implementation from SUPERCOP was lovingly crafted by expert
+security boffins with great care taken to prevent timing attacks. The same
+cannot be said for the C code used in the **ed25519.rb** C extension or in the
+entirety of the provided Java implementation.
+
+Care should be taken to avoid leaking to the attacker how long it takes to
+generate keys or sign messages (at least until **ed25519.rb** itself can be audited
+by experts who can fix any potential timing vulnerabilities)
+
+**ed25519.rb** relies on a strong `SecureRandom` for key generation.
+Weaknesses in the random number source can potentially result in insecure keys.
+
+## JRuby Notes
+
+**ed25519.rb** provides a pure Java backend, however this backend is much slower
+than the C-based version. While **ed25519.rb** will function on JRuby, it may be
+too slow to be usable for a given use case. You should benchmark your
+application to determine if it will be fast enough for your purposes.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/cryptosphere/ed25519.
+This project is intended to be a safe, welcoming space for collaboration,
+and contributors areexpected to adhere to the [Contributor Covenant](http://contributor-covenant.org)
+code of conduct.
+
+## License
+
+Copyright (c) 2012-2017 Tony Arcieri. Distributed under the MIT License. See
+[LICENSE] for further details.
+
+[LICENSE]: https://github.com/cryptosphere/ed25519/blob/master/LICENSE
+
+## Code of Conduct
+
+Everyone interacting in the **ed25519.rb** project’s codebases, issue trackers, chat
+rooms and mailing lists is expected to follow the [code of conduct].
+
+[code of conduct]: https://github.com/cryptosphere/ed25519/blob/master/CODE_OF_CONDUCT.md

data/Rakefile

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+
+require "rake/clean"
+CLEAN.include("**/*.o", "**/*.so", "**/*.bundle", "pkg", "tmp")
+
+if defined? JRUBY_VERSION
+  require "rake/javaextensiontask"
+  Rake::JavaExtensionTask.new("ed25519_java") do |ext|
+    ext.ext_dir = "ext/ed25519_java"
+  end
+else
+  require "rake/extensiontask"
+
+  Rake::ExtensionTask.new("ed25519_ref10") do |ext|
+    ext.ext_dir = "ext/ed25519_ref10"
+  end
+end
+
+require "rspec/core/rake_task"
+RSpec::Core::RakeTask.new
+
+require "rubocop/rake_task"
+RuboCop::RakeTask.new
+
+task default: %w[compile spec rubocop]

data/ed25519.gemspec

@@ -0,0 +1,32 @@
+
+# frozen_string_literal: true
+
+require File.expand_path("lib/ed25519/version", __dir__)
+
+Gem::Specification.new do |spec|
+  spec.name          = "ed25519"
+  spec.version       = Ed25519::VERSION
+  spec.authors       = ["Tony Arcieri"]
+  spec.email         = ["tony.arcieri@gmail.com"]
+  spec.summary       = "An efficient digital signature library providing the Ed25519 algorithm"
+  spec.description = <<-DESCRIPTION.strip.gsub(/\s+/, " ")
+    A Ruby binding to the Ed25519 elliptic curve public-key signature system
+    described in RFC 8032.
+  DESCRIPTION
+  spec.homepage      = "https://github.com/cryptosphere/ed25519"
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  if defined? JRUBY_VERSION
+    spec.platform = "jruby"
+    spec.files << "lib/ed25519_java.jar"
+  else
+    spec.platform   = Gem::Platform::RUBY
+    spec.extensions = ["ext/ed25519_ref10/extconf.rb"]
+  end
+
+  spec.required_ruby_version = ">= 2.2.2"
+  spec.add_development_dependency "bundler", "~> 1.16"
+end

data/ext/ed25519_java/org/cryptosphere/ed25519.java

@@ -0,0 +1,228 @@
+package org.cryptosphere;
+
+import java.math.BigInteger;
+import java.nio.ByteBuffer;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+
+/* Written by k3d3
+ * Released to the public domain
+ */
+
+public class ed25519 {
+	static final int b = 256;
+	static final BigInteger q = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819949");
+	static final BigInteger qm2 = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819947");
+	static final BigInteger qp3 = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819952");
+	static final BigInteger l = new BigInteger("7237005577332262213973186563042994240857116359379907606001950938285454250989");
+	static final BigInteger d = new BigInteger("-4513249062541557337682894930092624173785641285191125241628941591882900924598840740");
+	static final BigInteger I = new BigInteger("19681161376707505956807079304988542015446066515923890162744021073123829784752");
+	static final BigInteger By = new BigInteger("46316835694926478169428394003475163141307993866256225615783033603165251855960");
+	static final BigInteger Bx = new BigInteger("15112221349535400772501151409588531511454012693041857206046113283949847762202");
+	static final BigInteger[] B = {Bx.mod(q),By.mod(q)};
+	static final BigInteger un = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819967");
+
+	static byte[] H(byte[] m) {
+		MessageDigest md;
+		try {
+			md = MessageDigest.getInstance("SHA-512");
+			md.reset();
+			return md.digest(m);
+		} catch (NoSuchAlgorithmException e) {
+			e.printStackTrace();
+			System.exit(1);
+		}
+		return null;
+	}
+
+	static BigInteger expmod(BigInteger b, BigInteger e, BigInteger m) {
+		//System.out.println("expmod open with b=" + b + " e=" + e + " m=" + m);
+		if (e.equals(BigInteger.ZERO)) {
+			//System.out.println("expmod close with 1z");
+			return BigInteger.ONE;
+		}
+		BigInteger t = expmod(b, e.divide(BigInteger.valueOf(2)), m).pow(2).mod(m);
+		//System.out.println("expmod 1/2 t="+t+" e="+e+" testbit="+(e.testBit(0)?1:0));
+		if (e.testBit(0)) {
+			t = t.multiply(b).mod(m);
+		}
+		//System.out.println("expmod close with " + t);
+		return t;
+	}
+
+	static BigInteger inv(BigInteger x) {
+		//System.out.println("inv open with " + x);
+		//System.out.println("inv close with " + expmod(x, qm2, q));
+		return expmod(x, qm2, q);
+	}
+
+	static BigInteger xrecover(BigInteger y) {
+		BigInteger y2 = y.multiply(y);
+		BigInteger xx = (y2.subtract(BigInteger.ONE)).multiply(inv(d.multiply(y2).add(BigInteger.ONE)));
+		BigInteger x = expmod(xx, qp3.divide(BigInteger.valueOf(8)), q);
+		if (!x.multiply(x).subtract(xx).mod(q).equals(BigInteger.ZERO)) x = (x.multiply(I).mod(q));
+		if (!x.mod(BigInteger.valueOf(2)).equals(BigInteger.ZERO)) x = q.subtract(x);
+		return x;
+	}
+
+	static BigInteger[] edwards(BigInteger[] P, BigInteger[] Q) {
+		BigInteger x1 = P[0];
+		BigInteger y1 = P[1];
+		BigInteger x2 = Q[0];
+		BigInteger y2 = Q[1];
+		BigInteger dtemp = d.multiply(x1).multiply(x2).multiply(y1).multiply(y2);
+		//System.out.println("edwards open with "+x1+","+x2+" "+y1+","+y2+" d="+d+" dtemp="+dtemp);
+		BigInteger x3 = ((x1.multiply(y2)).add((x2.multiply(y1)))).multiply(inv(BigInteger.ONE.add(dtemp)));
+		//System.out.println("edwards 1/2 with "+x1+","+x2+" "+y1+","+y2+" d="+d+" dtemp="+dtemp);
+		BigInteger y3 = ((y1.multiply(y2)).add((x1.multiply(x2)))).multiply(inv(BigInteger.ONE.subtract(dtemp)));
+		//System.out.println("edwards 2/2 with "+x1+","+x2+" "+y1+","+y2+" d="+d+" dtemp="+dtemp);
+		//System.out.println("edwards close with "+x3.mod(q)+","+y3.mod(q));
+		return new BigInteger[]{x3.mod(q), y3.mod(q)};
+	}
+
+	static BigInteger[] scalarmult(BigInteger[] P, BigInteger e) {
+		//System.out.println("scalarmult open with e = " + e);
+		if (e.equals(BigInteger.ZERO)) {
+			//System.out.println("scalarmult close with Q = 0,1");
+			return new BigInteger[]{BigInteger.ZERO, BigInteger.ONE};
+		}
+		BigInteger[] Q = scalarmult(P, e.divide(BigInteger.valueOf(2)));
+		//System.out.println("scalarmult asQ = " + Q[0] + "," + Q[1]);
+		Q = edwards(Q, Q);
+		//System.out.println("scalarmult aeQ = " + Q[0] + "," + Q[1] + " e="+e+" testbit="+(e.testBit(0)?1:0));
+		if (e.testBit(0)) Q = edwards(Q, P);
+		//System.out.println("scalarmult close with Q = " + Q[0] + "," + Q[1]);
+		return Q;
+	}
+
+	static byte[] encodeint(BigInteger y) {
+		byte[] in = y.toByteArray();
+		byte[] out = new byte[in.length];
+		for (int i=0;i<in.length;i++) {
+			out[i] = in[in.length-1-i];
+		}
+		return out;
+	}
+
+	static byte[] encodepoint(BigInteger[] P) {
+		BigInteger x = P[0];
+		BigInteger y = P[1];
+		byte[] out = encodeint(y);
+		//System.out.println("encodepoint x="+x+" testbit="+(x.testBit(0) ? 1 : 0));
+		out[out.length-1] |= (x.testBit(0) ? 0x80 : 0);
+		return out;
+	}
+
+	static int bit(byte[] h, int i) {
+		//System.out.println("bit open with i="+i);
+		//System.out.println("bit close with "+(h[i/8] >> (i%8) & 1));
+		return h[i/8] >> (i%8) & 1;
+	}
+
+	static byte[] publickey(byte[] sk) {
+		byte[] h = H(sk);
+		//System.out.println("publickey open with h=" + test.getHex(h));
+		BigInteger a = BigInteger.valueOf(2).pow(b-2);
+		for (int i=3;i<(b-2);i++) {
+			BigInteger apart = BigInteger.valueOf(2).pow(i).multiply(BigInteger.valueOf(bit(h,i)));
+			//System.out.println("publickey apart="+apart);
+			a = a.add(apart);
+		}
+		BigInteger[] A = scalarmult(B,a);
+		//System.out.println("publickey close with A="+A[0]+","+A[1]+" out="+test.getHex(encodepoint(A)));
+		return encodepoint(A);
+	}
+
+	static BigInteger Hint(byte[] m) {
+		byte[] h = H(m);
+		BigInteger hsum = BigInteger.ZERO;
+		for (int i=0;i<2*b;i++) {
+			hsum = hsum.add(BigInteger.valueOf(2).pow(i).multiply(BigInteger.valueOf(bit(h,i))));
+		}
+		return hsum;
+	}
+
+	static byte[] signature(byte[] m, byte[] sk, byte[] pk) {
+		byte[] h = H(sk);
+		//System.out.println("signature open with m="+test.getHex(m)+" h="+test.getHex(h)+" pk="+test.getHex(pk));
+		BigInteger a = BigInteger.valueOf(2).pow(b-2);
+		for (int i=3;i<(b-2);i++) {
+			a = a.add(BigInteger.valueOf(2).pow(i).multiply(BigInteger.valueOf(bit(h,i))));
+		}
+		//System.out.println("signature a="+a);
+		ByteBuffer rsub = ByteBuffer.allocate((b/8)+m.length);
+		rsub.put(h, b/8, b/4-b/8).put(m);
+		//System.out.println("signature rsub="+test.getHex(rsub.array()));
+		BigInteger r = Hint(rsub.array());
+		//System.out.println("signature r="+r);
+		BigInteger[] R = scalarmult(B,r);
+		ByteBuffer Stemp = ByteBuffer.allocate(32+pk.length+m.length);
+		Stemp.put(encodepoint(R)).put(pk).put(m);
+		BigInteger S = r.add(Hint(Stemp.array()).multiply(a)).mod(l);
+		ByteBuffer out = ByteBuffer.allocate(64);
+		out.put(encodepoint(R)).put(encodeint(S));
+		return out.array();
+	}
+
+	static boolean isoncurve(BigInteger[] P) {
+		BigInteger x = P[0];
+		BigInteger y = P[1];
+		//System.out.println("isoncurve open with P="+x+","+y);
+		BigInteger xx = x.multiply(x);
+		BigInteger yy = y.multiply(y);
+		BigInteger dxxyy = d.multiply(yy).multiply(xx);
+		//System.out.println("isoncurve close with "+xx.negate().add(yy).subtract(BigInteger.ONE).subtract(dxxyy).mod(q));
+		return xx.negate().add(yy).subtract(BigInteger.ONE).subtract(dxxyy).mod(q).equals(BigInteger.ZERO);
+	}
+
+	static BigInteger decodeint(byte[] s) {
+		byte[] out = new byte[s.length];
+		for (int i=0;i<s.length;i++) {
+			out[i] = s[s.length-1-i];
+		}
+		return new BigInteger(out).and(un);
+	}
+
+	static BigInteger[] decodepoint(byte[] s) throws Exception {
+		byte[] ybyte = new byte[s.length];
+		for (int i=0;i<s.length;i++) {
+			ybyte[i] = s[s.length-1-i];
+		}
+		//System.out.println("decodepoint open with s="+test.getHex(s)+" ybyte="+test.getHex(ybyte));
+		BigInteger y = new BigInteger(ybyte).and(un);
+		//System.out.println("decodepoint y="+y);
+		BigInteger x = xrecover(y);
+		//System.out.println("decodepoint x="+x+" testbit="+(x.testBit(0)?1:0)+" bit="+bit(s, b-1));
+		if ((x.testBit(0)?1:0) != bit(s, b-1)) {
+			x = q.subtract(x);
+		}
+		BigInteger[] P = {x,y};
+		if (!isoncurve(P)) throw new Exception("decoding point that is not on curve");
+		return P;
+	}
+
+	static boolean checkvalid(byte[] s, byte[] m, byte[] pk) throws Exception {
+		if (s.length != b/4) throw new Exception("signature length is wrong");
+		if (pk.length != b/8) throw new Exception("public-key length is wrong");
+		//System.out.println("checkvalid open with s="+test.getHex(s)+" m="+test.getHex(m)+" pk="+test.getHex(pk));
+		byte[] Rbyte = Arrays.copyOfRange(s, 0, b/8);
+		//System.out.println("checkvalid Rbyte="+test.getHex(Rbyte));
+		BigInteger[] R = decodepoint(Rbyte);
+		BigInteger[] A = decodepoint(pk);
+		//System.out.println("checkvalid R="+R[0]+","+R[1]+" A="+A[0]+","+A[1]);
+		byte[] Sbyte = Arrays.copyOfRange(s, b/8, b/4);
+		//System.out.println("checkvalid Sbyte="+test.getHex(Sbyte));
+		BigInteger S = decodeint(Sbyte);
+		//System.out.println("checkvalid S="+S);
+		ByteBuffer Stemp = ByteBuffer.allocate(32+pk.length+m.length);
+		Stemp.put(encodepoint(R)).put(pk).put(m);
+		BigInteger h = Hint(Stemp.array());
+		BigInteger[] ra = scalarmult(B,S);
+		BigInteger[] rb = edwards(R,scalarmult(A,h));
+		//System.out.println("checkvalid ra="+ra[0]+","+ra[1]+" rb="+rb[0]+","+rb[1]);
+		if (!ra[0].equals(rb[0]) || !ra[1].equals(rb[1])) // Constant time comparison
+			return false;
+		return true;
+	}
+}