ed25519_blake2b 0.1.1

data/ext/ed25519_blake2b/ed25519-randombytes-custom.h

@@ -0,0 +1,10 @@
+/*
+	a custom randombytes must implement:
+
+	void ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len);
+
+	ed25519_randombytes_unsafe is used by the batch verification function
+	to create random scalars
+*/
+
+void ed25519_randombytes_unsafe (void * out, size_t outlen);

data/ext/ed25519_blake2b/ed25519-randombytes.h

@@ -0,0 +1,91 @@
+#if defined(ED25519_TEST)
+/*
+	ISAAC+ "variant", the paper is not clear on operator precedence and other
+	things. This is the "first in, first out" option!
+
+	Not threadsafe or securely initialized, only for deterministic testing
+*/
+typedef struct isaacp_state_t {
+	uint32_t state[256];
+	unsigned char buffer[1024];
+	uint32_t a, b, c;
+	size_t left;
+} isaacp_state;
+
+#define isaacp_step(offset, mix) \
+	x = mm[i + offset]; \
+	a = (a ^ (mix)) + (mm[(i + offset + 128) & 0xff]); \
+	y = (a ^ b) + mm[(x >> 2) & 0xff]; \
+	mm[i + offset] = y; \
+	b = (x + a) ^ mm[(y >> 10) & 0xff]; \
+	U32TO8_LE(out + (i + offset) * 4, b);
+
+static void
+isaacp_mix(isaacp_state *st) {
+	uint32_t i, x, y;
+	uint32_t a = st->a, b = st->b, c = st->c;
+	uint32_t *mm = st->state;
+	unsigned char *out = st->buffer;
+
+	c = c + 1;
+	b = b + c;
+
+	for (i = 0; i < 256; i += 4) {
+		isaacp_step(0, ROTL32(a,13))
+		isaacp_step(1, ROTR32(a, 6))
+		isaacp_step(2, ROTL32(a, 2))
+		isaacp_step(3, ROTR32(a,16))
+	}
+
+	st->a = a;
+	st->b = b;
+	st->c = c;
+	st->left = 1024;
+}
+
+static void
+isaacp_random(isaacp_state *st, void *p, size_t len) {
+	size_t use;
+	unsigned char *c = (unsigned char *)p;
+	while (len) {
+		use = (len > st->left) ? st->left : len;
+		memcpy(c, st->buffer + (sizeof(st->buffer) - st->left), use);
+
+		st->left -= use;
+		c += use;
+		len -= use;
+
+		if (!st->left)
+			isaacp_mix(st);
+	}
+}
+
+void
+ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len) {
+	static int initialized = 0;
+	static isaacp_state rng;
+
+	if (!initialized) {
+		memset(&rng, 0, sizeof(rng));
+		isaacp_mix(&rng);
+		isaacp_mix(&rng);
+		initialized = 1;
+	}
+
+	isaacp_random(&rng, p, len);
+}
+#elif defined(ED25519_CUSTOMRNG)
+
+#include "ed25519-randombytes-custom.h"
+
+#else
+
+#include <openssl/rand.h>
+
+void
+ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len) {
+
+  RAND_bytes(p, (int) len);
+
+}
+#endif

data/ext/ed25519_blake2b/ed25519.c

@@ -0,0 +1,150 @@
+/*
+	Public domain by Andrew M. <liquidsun@gmail.com>
+
+	Ed25519 reference implementation using Ed25519-donna
+*/
+
+
+/* define ED25519_SUFFIX to have it appended to the end of each public function */
+#if !defined(ED25519_SUFFIX)
+#define ED25519_SUFFIX 
+#endif
+
+#define ED25519_FN3(fn,suffix) fn##suffix
+#define ED25519_FN2(fn,suffix) ED25519_FN3(fn,suffix)
+#define ED25519_FN(fn)         ED25519_FN2(fn,ED25519_SUFFIX)
+
+#include "ed25519-donna.h"
+#include "ed25519.h"
+#include "ed25519-randombytes.h"
+#include "ed25519-hash.h"
+
+/*
+	Generates a (extsk[0..31]) and aExt (extsk[32..63])
+*/
+
+DONNA_INLINE static void
+ed25519_extsk(hash_512bits extsk, const ed25519_secret_key sk) {
+	ed25519_hash(extsk, sk, 32);
+	extsk[0] &= 248;
+	extsk[31] &= 127;
+	extsk[31] |= 64;
+}
+
+static void
+ed25519_hram(hash_512bits hram, const ed25519_signature RS, const ed25519_public_key pk, const unsigned char *m, size_t mlen) {
+	ed25519_hash_context ctx;
+	ed25519_hash_init(&ctx);
+	ed25519_hash_update(&ctx, RS, 32);
+	ed25519_hash_update(&ctx, pk, 32);
+	ed25519_hash_update(&ctx, m, mlen);
+	ed25519_hash_final(&ctx, hram);
+}
+
+void
+ED25519_FN(ed25519_publickey) (const ed25519_secret_key sk, ed25519_public_key pk) {
+	bignum256modm a;
+	ge25519 ALIGN(16) A;
+	hash_512bits extsk;
+
+	/* A = aB */
+	ed25519_extsk(extsk, sk);
+	expand256_modm(a, extsk, 32);
+	ge25519_scalarmult_base_niels(&A, ge25519_niels_base_multiples, a);
+	ge25519_pack(pk, &A);
+}
+
+
+void
+ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS) {
+	ed25519_hash_context ctx;
+	bignum256modm r, S, a;
+	ge25519 ALIGN(16) R;
+	hash_512bits extsk, hashr, hram;
+
+	ed25519_extsk(extsk, sk);
+
+	/* r = H(aExt[32..64], m) */
+	ed25519_hash_init(&ctx);
+	ed25519_hash_update(&ctx, extsk + 32, 32);
+	ed25519_hash_update(&ctx, m, mlen);
+	ed25519_hash_final(&ctx, hashr);
+	expand256_modm(r, hashr, 64);
+
+	/* R = rB */
+	ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r);
+	ge25519_pack(RS, &R);
+
+	/* S = H(R,A,m).. */
+	ed25519_hram(hram, RS, pk, m, mlen);
+	expand256_modm(S, hram, 64);
+
+	/* S = H(R,A,m)a */
+	expand256_modm(a, extsk, 32);
+	mul256_modm(S, S, a);
+
+	/* S = (r + H(R,A,m)a) */
+	add256_modm(S, S, r);
+
+	/* S = (r + H(R,A,m)a) mod L */	
+	contract256_modm(RS + 32, S);
+}
+
+int
+ED25519_FN(ed25519_sign_open) (const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS) {
+	ge25519 ALIGN(16) R, A;
+	hash_512bits hash;
+	bignum256modm hram, S;
+	unsigned char checkR[32];
+
+	if ((RS[63] & 224) || !ge25519_unpack_negative_vartime(&A, pk))
+		return -1;
+
+	/* hram = H(R,A,m) */
+	ed25519_hram(hash, RS, pk, m, mlen);
+	expand256_modm(hram, hash, 64);
+
+	/* S */
+	expand256_modm(S, RS + 32, 32);
+
+	/* SB - H(R,A,m)A */
+	ge25519_double_scalarmult_vartime(&R, &A, hram, S);
+	ge25519_pack(checkR, &R);
+
+	/* check that R = SB - H(R,A,m)A */
+	return ed25519_verify(RS, checkR, 32) ? 0 : -1;
+}
+
+#include "ed25519-donna-batchverify.h"
+
+/*
+	Fast Curve25519 basepoint scalar multiplication
+*/
+
+void
+ED25519_FN(curved25519_scalarmult_basepoint) (curved25519_key pk, const curved25519_key e) {
+	curved25519_key ec;
+	bignum256modm s;
+	bignum25519 ALIGN(16) yplusz, zminusy;
+	ge25519 ALIGN(16) p;
+	size_t i;
+
+	/* clamp */
+	for (i = 0; i < 32; i++) ec[i] = e[i];
+	ec[0] &= 248;
+	ec[31] &= 127;
+	ec[31] |= 64;
+
+	expand_raw256_modm(s, ec);
+
+	/* scalar * basepoint */
+	ge25519_scalarmult_base_niels(&p, ge25519_niels_base_multiples, s);
+
+	/* u = (y + z) / (z - y) */
+	curve25519_add(yplusz, p.y, p.z);
+	curve25519_sub(zminusy, p.z, p.y);
+	curve25519_recip(zminusy, zminusy);
+	curve25519_mul(yplusz, yplusz, zminusy);
+	curve25519_contract(pk, yplusz);
+}
+

data/ext/ed25519_blake2b/ed25519.h

@@ -0,0 +1,30 @@
+#ifndef ED25519_H
+#define ED25519_H
+
+#include <stdlib.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+typedef unsigned char ed25519_signature[64];
+typedef unsigned char ed25519_public_key[32];
+typedef unsigned char ed25519_secret_key[32];
+
+typedef unsigned char curved25519_key[32];
+
+void ed25519_publickey(const ed25519_secret_key sk, ed25519_public_key pk);
+int ed25519_sign_open(const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS);
+void ed25519_sign(const unsigned char *m, size_t mlen, const ed25519_secret_key sk, const ed25519_public_key pk, ed25519_signature RS);
+
+int ed25519_sign_open_batch(const unsigned char **m, size_t *mlen, const unsigned char **pk, const unsigned char **RS, size_t num, int *valid);
+
+void ed25519_randombytes_unsafe(void *out, size_t count);
+
+void curved25519_scalarmult_basepoint(curved25519_key pk, const curved25519_key e);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif // ED25519_H

data/ext/ed25519_blake2b/extconf.rb

@@ -0,0 +1,3 @@
+require 'mkmf'
+$CFLAGS += ' -DED25519_CUSTOMHASH -Wall -Wextra -std=c99 -pedantic -Wno-long-long -Wunused-parameter'
+create_makefile('ed25519_blake2b')

data/ext/ed25519_blake2b/fuzz/README.md

@@ -0,0 +1,173 @@
+This code fuzzes ed25519-donna (and optionally ed25519-donna-sse2) against the ref10 implementations of
+[curve25519](https://github.com/floodyberry/supercop/tree/master/crypto_scalarmult/curve25519/ref10) and 
+[ed25519](https://github.com/floodyberry/supercop/tree/master/crypto_sign/ed25519/ref10).
+
+Curve25519 tests that generating a public key from a secret key
+
+# Building
+
+## *nix + PHP
+
+`php build-nix.php (required parameters) (optional parameters)`
+
+Required parameters:
+
+* `--function=[curve25519,ed25519]`
+* `--bits=[32,64]`
+
+Optional parameters:
+
+* `--with-sse2`
+
+    Also fuzz against ed25519-donna-sse2
+* `--with-openssl`
+
+    Build with OpenSSL's SHA-512.
+
+    Default: Reference SHA-512 implementation (slow!)
+
+* `--compiler=[gcc,clang,icc]`
+
+    Default: gcc
+
+* `--no-asm`
+
+    Do not use platform specific assembler
+
+
+example:
+    
+    php build-nix.php --bits=64 --function=ed25519 --with-sse2 --compiler=icc 
+
+## Windows
+
+Create a project with access to the ed25519 files.
+
+If you are not using OpenSSL, add the `ED25519_REFHASH` define to the projects 
+"Properties/Preprocessor/Preprocessor Definitions" option
+
+Add the following files to the project:
+
+* `fuzz/curve25519-ref10.c`
+* `fuzz/ed25519-ref10.c`
+* `fuzz/ed25519-donna.c`
+* `fuzz/ed25519-donna-sse2.c` (optional)
+* `fuzz-[curve25519/ed25519].c` (depending on which you want to fuzz)
+
+If you are also fuzzing against ed25519-donna-sse2, add the `ED25519_SSE2` define for `fuzz-[curve25519/ed25519].c` under 
+its "Properties/Preprocessor/Preprocessor Definitions" option.
+
+# Running
+
+If everything agrees, the program will only output occasional status dots (every 0x1000 passes) 
+and a 64bit progress count (every 0x20000 passes):
+
+    fuzzing:  ref10 curved25519 curved25519-sse2
+    
+    ................................ [0000000000020000]
+    ................................ [0000000000040000]
+    ................................ [0000000000060000]
+    ................................ [0000000000080000]
+    ................................ [00000000000a0000]
+    ................................ [00000000000c0000]
+ 
+If any of the implementations do not agree with the ref10 implementation, the program will dump
+the random data that was used, the data generated by the ref10 implementation, and diffs of the 
+ed25519-donna data against the ref10 data.
+
+## Example errors
+
+These are example error dumps (with intentionally introduced errors).
+
+### Ed25519
+
+Random data:
+
+* sk, or Secret Key
+* m, or Message
+
+Generated data:
+
+* pk, or Public Key
+* sig, or Signature
+* valid, or if the signature of the message is valid with the public key
+
+Dump:
+
+    sk:
+    0x3b,0xb7,0x17,0x7a,0x66,0xdc,0xb7,0x9a,0x90,0x25,0x07,0x99,0x96,0xf3,0x92,0xef,
+    0x78,0xf8,0xad,0x6c,0x35,0x87,0x81,0x67,0x03,0xe6,0x95,0xba,0x06,0x18,0x7c,0x9c,
+    
+    m:
+    0x7c,0x8d,0x3d,0xe1,0x92,0xee,0x7a,0xb8,0x4d,0xc9,0xfb,0x02,0x34,0x1e,0x5a,0x91,
+    0xee,0x01,0xa6,0xb8,0xab,0x37,0x3f,0x3d,0x6d,0xa2,0x47,0xe3,0x27,0x93,0x7c,0xb7,
+    0x77,0x07,0xb6,0x88,0x41,0x22,0xf3,0x3f,0xce,0xcb,0x6b,0x3e,0x2b,0x23,0x68,0x7f,
+    0x5b,0xb9,0xda,0x04,0xbb,0xae,0x42,0x50,0xf5,0xe9,0xc5,0x11,0xbd,0x52,0x76,0x98,
+    0xf1,0x87,0x09,0xb9,0x89,0x0a,0x52,0x69,0x01,0xce,0xe0,0x4a,0xa6,0x46,0x5a,0xe1,
+    0x63,0x14,0xe0,0x81,0x52,0xec,0xcd,0xcf,0x70,0x54,0x7d,0xa3,0x49,0x8b,0xf0,0x89,
+    0x70,0x07,0x12,0x2a,0xd9,0xaa,0x16,0x01,0xb2,0x16,0x3a,0xbb,0xfc,0xfa,0x13,0x5b,
+    0x69,0x83,0x92,0x70,0x95,0x76,0xa0,0x8e,0x16,0x79,0xcc,0xaa,0xb5,0x7c,0xf8,0x7a,
+    
+    ref10:
+    pk:
+    0x71,0xb0,0x5e,0x62,0x1b,0xe3,0xe7,0x36,0x91,0x8b,0xc0,0x13,0x36,0x0c,0xc9,0x04,
+    0x16,0xf5,0xff,0x48,0x0c,0x83,0x6b,0x88,0x53,0xa2,0xc6,0x0f,0xf7,0xac,0x42,0x04,
+    
+    sig:
+    0x3e,0x05,0xc5,0x37,0x16,0x0b,0x29,0x30,0x89,0xa3,0xe7,0x83,0x08,0x16,0xdd,0x96,
+    0x02,0xfa,0x0d,0x44,0x2c,0x43,0xaa,0x80,0x93,0x04,0x58,0x22,0x09,0xbf,0x11,0xa5,
+    0xcc,0xa5,0x3c,0x9f,0xa0,0xa4,0x64,0x5a,0x4a,0xdb,0x20,0xfb,0xc7,0x9b,0xfd,0x3f,
+    0x08,0xae,0xc4,0x3c,0x1e,0xd8,0xb6,0xb4,0xd2,0x6d,0x80,0x92,0xcb,0x71,0xf3,0x02,
+    
+    valid: yes
+    
+    ed25519-donna:
+    pk diff:
+    ____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,
+    ____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,
+    
+    sig diff:
+    0x2c,0xb9,0x25,0x14,0xd0,0x94,0xeb,0xfe,0x46,0x02,0xc2,0xe8,0xa3,0xeb,0xbf,0xb5,
+    0x72,0x84,0xbf,0xc1,0x8a,0x32,0x30,0x99,0xf7,0x58,0xfe,0x06,0xa8,0xdc,0xdc,0xab,
+    0xb5,0x57,0x03,0x33,0x87,0xce,0x54,0x55,0x6a,0x69,0x8a,0xc4,0xb7,0x2a,0xed,0x97,
+    0xb4,0x68,0xe7,0x52,0x7a,0x07,0x55,0x3b,0xa2,0x94,0xd6,0x5e,0xa1,0x61,0x80,0x08,
+    
+    valid: no
+
+In this case, the generated public key matches, but the generated signature is completely 
+different and does not validate.
+
+### Curve25519
+
+Random data:
+
+* sk, or Secret Key
+
+Generated data:
+
+* pk, or Public Key
+
+Dump:
+
+    sk:
+    0x44,0xec,0x0b,0x0e,0xa2,0x0e,0x9c,0x5b,0x8c,0xce,0x7b,0x1d,0x68,0xae,0x0f,0x9e,
+    0x81,0xe2,0x04,0x76,0xda,0x87,0xa4,0x9e,0xc9,0x4f,0x3b,0xf9,0xc3,0x89,0x63,0x70,
+    
+    
+    ref10:
+    0x24,0x55,0x55,0xc0,0xf9,0x80,0xaf,0x02,0x43,0xee,0x8c,0x7f,0xc1,0xad,0x90,0x95,
+    0x57,0x91,0x14,0x2e,0xf2,0x14,0x22,0x80,0xdd,0x4e,0x3c,0x85,0x71,0x84,0x8c,0x62,
+    
+    
+    curved25519 diff:
+    0x12,0xd1,0x61,0x2b,0x16,0xb3,0xd8,0x29,0xf8,0xa3,0xba,0x70,0x4e,0x49,0x4f,0x43,
+    0xa1,0x3c,0x6b,0x42,0x11,0x61,0xcc,0x30,0x87,0x73,0x46,0xfb,0x85,0xc7,0x9a,0x35,
+    
+    
+    curved25519-sse2 diff:
+    ____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,
+    ____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,____,
+
+
+In this case, curved25519 is totally wrong, while curved25519-sse2 matches the reference 
+implementation.