RubyGems - red25519 - Versions diffs - 1.1.0-jruby - Mend

red25519 1.1.0-jruby

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

data/.gitignore +18 -0
data/.rspec +4 -0
data/.travis.yml +14 -0
data/CHANGES.md +3 -0
data/Gemfile +6 -0
data/LICENSE +22 -0
data/README.md +140 -0
data/Rakefile +9 -0
data/ed25519.png +0 -0
data/ext/red25519/api.h +4 -0
data/ext/red25519/crypto_int32.h +6 -0
data/ext/red25519/crypto_sign.h +13 -0
data/ext/red25519/crypto_uint32.h +6 -0
data/ext/red25519/crypto_verify_32.h +7 -0
data/ext/red25519/ed25519.c +136 -0
data/ext/red25519/extconf.rb +4 -0
data/ext/red25519/fe25519.c +326 -0
data/ext/red25519/fe25519.h +63 -0
data/ext/red25519/ge25519.c +311 -0
data/ext/red25519/ge25519.h +35 -0
data/ext/red25519/ge25519_base.data +850 -0
data/ext/red25519/org/red25519/ed25519.java +228 -0
data/ext/red25519/red25519_engine.c +82 -0
data/ext/red25519/sc25519.c +298 -0
data/ext/red25519/sc25519.h +73 -0
data/ext/red25519/sha512-blocks.c +239 -0
data/ext/red25519/sha512-hash.c +72 -0
data/ext/red25519/sha512.h +4 -0
data/ext/red25519/verify.c +40 -0
data/lib/red25519/jruby_engine.rb +27 -0
data/lib/red25519/keys.rb +73 -0
data/lib/red25519/version.rb +3 -0
data/lib/red25519.rb +41 -0
data/lib/red25519_engine.jar +0 -0
data/red25519.gemspec +31 -0
data/spec/red25519/engine_spec.rb +33 -0
data/spec/red25519/keys_spec.rb +65 -0
data/spec/spec_helper.rb +3 -0
data/tasks/extension.rake +12 -0
data/tasks/rspec.rake +7 -0
metadata +134 -0

data/ext/red25519/org/red25519/ed25519.java ADDED Viewed

@@ -0,0 +1,228 @@
+package org.red25519;
+import java.math.BigInteger;
+import java.nio.ByteBuffer;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+/* Written by k3d3
+ * Released to the public domain
+ */
+public class ed25519 {
+	static final int b = 256;
+	static final BigInteger q = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819949");
+	static final BigInteger qm2 = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819947");
+	static final BigInteger qp3 = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819952");
+	static final BigInteger l = new BigInteger("7237005577332262213973186563042994240857116359379907606001950938285454250989");
+	static final BigInteger d = new BigInteger("-4513249062541557337682894930092624173785641285191125241628941591882900924598840740");
+	static final BigInteger I = new BigInteger("19681161376707505956807079304988542015446066515923890162744021073123829784752");
+	static final BigInteger By = new BigInteger("46316835694926478169428394003475163141307993866256225615783033603165251855960");
+	static final BigInteger Bx = new BigInteger("15112221349535400772501151409588531511454012693041857206046113283949847762202");
+	static final BigInteger[] B = {Bx.mod(q),By.mod(q)};
+	static final BigInteger un = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819967");
+	static byte[] H(byte[] m) {
+		MessageDigest md;
+		try {
+			md = MessageDigest.getInstance("SHA-512");
+			md.reset();
+			return md.digest(m);
+		} catch (NoSuchAlgorithmException e) {
+			e.printStackTrace();
+			System.exit(1);
+		}
+		return null;
+	}
+	static BigInteger expmod(BigInteger b, BigInteger e, BigInteger m) {
+		//System.out.println("expmod open with b=" + b + " e=" + e + " m=" + m);
+		if (e.equals(BigInteger.ZERO)) {
+			//System.out.println("expmod close with 1z");
+			return BigInteger.ONE;
+		}
+		BigInteger t = expmod(b, e.divide(BigInteger.valueOf(2)), m).pow(2).mod(m);
+		//System.out.println("expmod 1/2 t="+t+" e="+e+" testbit="+(e.testBit(0)?1:0));
+		if (e.testBit(0)) {
+			t = t.multiply(b).mod(m);
+		}
+		//System.out.println("expmod close with " + t);
+		return t;
+	}
+	static BigInteger inv(BigInteger x) {
+		//System.out.println("inv open with " + x);
+		//System.out.println("inv close with " + expmod(x, qm2, q));
+		return expmod(x, qm2, q);
+	}
+	static BigInteger xrecover(BigInteger y) {
+		BigInteger y2 = y.multiply(y);
+		BigInteger xx = (y2.subtract(BigInteger.ONE)).multiply(inv(d.multiply(y2).add(BigInteger.ONE)));
+		BigInteger x = expmod(xx, qp3.divide(BigInteger.valueOf(8)), q);
+		if (!x.multiply(x).subtract(xx).mod(q).equals(BigInteger.ZERO)) x = (x.multiply(I).mod(q));
+		if (!x.mod(BigInteger.valueOf(2)).equals(BigInteger.ZERO)) x = q.subtract(x);
+		return x;
+	}
+	static BigInteger[] edwards(BigInteger[] P, BigInteger[] Q) {
+		BigInteger x1 = P[0];
+		BigInteger y1 = P[1];
+		BigInteger x2 = Q[0];
+		BigInteger y2 = Q[1];
+		BigInteger dtemp = d.multiply(x1).multiply(x2).multiply(y1).multiply(y2);
+		//System.out.println("edwards open with "+x1+","+x2+" "+y1+","+y2+" d="+d+" dtemp="+dtemp);
+		BigInteger x3 = ((x1.multiply(y2)).add((x2.multiply(y1)))).multiply(inv(BigInteger.ONE.add(dtemp)));
+		//System.out.println("edwards 1/2 with "+x1+","+x2+" "+y1+","+y2+" d="+d+" dtemp="+dtemp);
+		BigInteger y3 = ((y1.multiply(y2)).add((x1.multiply(x2)))).multiply(inv(BigInteger.ONE.subtract(dtemp)));
+		//System.out.println("edwards 2/2 with "+x1+","+x2+" "+y1+","+y2+" d="+d+" dtemp="+dtemp);
+		//System.out.println("edwards close with "+x3.mod(q)+","+y3.mod(q));
+		return new BigInteger[]{x3.mod(q), y3.mod(q)};
+	}
+	static BigInteger[] scalarmult(BigInteger[] P, BigInteger e) {
+		//System.out.println("scalarmult open with e = " + e);
+		if (e.equals(BigInteger.ZERO)) {
+			//System.out.println("scalarmult close with Q = 0,1");
+			return new BigInteger[]{BigInteger.ZERO, BigInteger.ONE};
+		}
+		BigInteger[] Q = scalarmult(P, e.divide(BigInteger.valueOf(2)));
+		//System.out.println("scalarmult asQ = " + Q[0] + "," + Q[1]);
+		Q = edwards(Q, Q);
+		//System.out.println("scalarmult aeQ = " + Q[0] + "," + Q[1] + " e="+e+" testbit="+(e.testBit(0)?1:0));
+		if (e.testBit(0)) Q = edwards(Q, P);
+		//System.out.println("scalarmult close with Q = " + Q[0] + "," + Q[1]);
+		return Q;
+	}
+	static byte[] encodeint(BigInteger y) {
+		byte[] in = y.toByteArray();
+		byte[] out = new byte[in.length];
+		for (int i=0;i<in.length;i++) {
+			out[i] = in[in.length-1-i];
+		}
+		return out;
+	}
+	static byte[] encodepoint(BigInteger[] P) {
+		BigInteger x = P[0];
+		BigInteger y = P[1];
+		byte[] out = encodeint(y);
+		//System.out.println("encodepoint x="+x+" testbit="+(x.testBit(0) ? 1 : 0));
+		out[out.length-1] |= (x.testBit(0) ? 0x80 : 0);
+		return out;
+	}
+	static int bit(byte[] h, int i) {
+		//System.out.println("bit open with i="+i);
+		//System.out.println("bit close with "+(h[i/8] >> (i%8) & 1));
+		return h[i/8] >> (i%8) & 1;
+	}
+	static byte[] publickey(byte[] sk) {
+		byte[] h = H(sk);
+		//System.out.println("publickey open with h=" + test.getHex(h));
+		BigInteger a = BigInteger.valueOf(2).pow(b-2);
+		for (int i=3;i<(b-2);i++) {
+			BigInteger apart = BigInteger.valueOf(2).pow(i).multiply(BigInteger.valueOf(bit(h,i)));
+			//System.out.println("publickey apart="+apart);
+			a = a.add(apart);
+		}
+		BigInteger[] A = scalarmult(B,a);
+		//System.out.println("publickey close with A="+A[0]+","+A[1]+" out="+test.getHex(encodepoint(A)));
+		return encodepoint(A);
+	}
+	static BigInteger Hint(byte[] m) {
+		byte[] h = H(m);
+		BigInteger hsum = BigInteger.ZERO;
+		for (int i=0;i<2*b;i++) {
+			hsum = hsum.add(BigInteger.valueOf(2).pow(i).multiply(BigInteger.valueOf(bit(h,i))));
+		}
+		return hsum;
+	}
+	static byte[] signature(byte[] m, byte[] sk, byte[] pk) {
+		byte[] h = H(sk);
+		//System.out.println("signature open with m="+test.getHex(m)+" h="+test.getHex(h)+" pk="+test.getHex(pk));
+		BigInteger a = BigInteger.valueOf(2).pow(b-2);
+		for (int i=3;i<(b-2);i++) {
+			a = a.add(BigInteger.valueOf(2).pow(i).multiply(BigInteger.valueOf(bit(h,i))));
+		}
+		//System.out.println("signature a="+a);
+		ByteBuffer rsub = ByteBuffer.allocate((b/8)+m.length);
+		rsub.put(h, b/8, b/4-b/8).put(m);
+		//System.out.println("signature rsub="+test.getHex(rsub.array()));
+		BigInteger r = Hint(rsub.array());
+		//System.out.println("signature r="+r);
+		BigInteger[] R = scalarmult(B,r);
+		ByteBuffer Stemp = ByteBuffer.allocate(32+pk.length+m.length);
+		Stemp.put(encodepoint(R)).put(pk).put(m);
+		BigInteger S = r.add(Hint(Stemp.array()).multiply(a)).mod(l);
+		ByteBuffer out = ByteBuffer.allocate(64);
+		out.put(encodepoint(R)).put(encodeint(S));
+		return out.array();
+	}
+	static boolean isoncurve(BigInteger[] P) {
+		BigInteger x = P[0];
+		BigInteger y = P[1];
+		//System.out.println("isoncurve open with P="+x+","+y);
+		BigInteger xx = x.multiply(x);
+		BigInteger yy = y.multiply(y);
+		BigInteger dxxyy = d.multiply(yy).multiply(xx);
+		//System.out.println("isoncurve close with "+xx.negate().add(yy).subtract(BigInteger.ONE).subtract(dxxyy).mod(q));
+		return xx.negate().add(yy).subtract(BigInteger.ONE).subtract(dxxyy).mod(q).equals(BigInteger.ZERO);
+	}
+	static BigInteger decodeint(byte[] s) {
+		byte[] out = new byte[s.length];
+		for (int i=0;i<s.length;i++) {
+			out[i] = s[s.length-1-i];
+		}
+		return new BigInteger(out).and(un);
+	}
+	static BigInteger[] decodepoint(byte[] s) throws Exception {
+		byte[] ybyte = new byte[s.length];
+		for (int i=0;i<s.length;i++) {
+			ybyte[i] = s[s.length-1-i];
+		}
+		//System.out.println("decodepoint open with s="+test.getHex(s)+" ybyte="+test.getHex(ybyte));
+		BigInteger y = new BigInteger(ybyte).and(un);
+		//System.out.println("decodepoint y="+y);
+		BigInteger x = xrecover(y);
+		//System.out.println("decodepoint x="+x+" testbit="+(x.testBit(0)?1:0)+" bit="+bit(s, b-1));
+		if ((x.testBit(0)?1:0) != bit(s, b-1)) {
+			x = q.subtract(x);
+		}
+		BigInteger[] P = {x,y};
+		if (!isoncurve(P)) throw new Exception("decoding point that is not on curve");
+		return P;
+	}
+	static boolean checkvalid(byte[] s, byte[] m, byte[] pk) throws Exception {
+		if (s.length != b/4) throw new Exception("signature length is wrong");
+		if (pk.length != b/8) throw new Exception("public-key length is wrong");
+		//System.out.println("checkvalid open with s="+test.getHex(s)+" m="+test.getHex(m)+" pk="+test.getHex(pk));
+		byte[] Rbyte = Arrays.copyOfRange(s, 0, b/8);
+		//System.out.println("checkvalid Rbyte="+test.getHex(Rbyte));
+		BigInteger[] R = decodepoint(Rbyte);
+		BigInteger[] A = decodepoint(pk);
+		//System.out.println("checkvalid R="+R[0]+","+R[1]+" A="+A[0]+","+A[1]);
+		byte[] Sbyte = Arrays.copyOfRange(s, b/8, b/4);
+		//System.out.println("checkvalid Sbyte="+test.getHex(Sbyte));
+		BigInteger S = decodeint(Sbyte);
+		//System.out.println("checkvalid S="+S);
+		ByteBuffer Stemp = ByteBuffer.allocate(32+pk.length+m.length);
+		Stemp.put(encodepoint(R)).put(pk).put(m);
+		BigInteger h = Hint(Stemp.array());
+		BigInteger[] ra = scalarmult(B,S);
+		BigInteger[] rb = edwards(R,scalarmult(A,h));
+		//System.out.println("checkvalid ra="+ra[0]+","+ra[1]+" rb="+rb[0]+","+rb[1]);
+		if (!ra[0].equals(rb[0]) || !ra[1].equals(rb[1])) // Constant time comparison
+			return false;
+		return true;
+	}
+}

data/ext/red25519/red25519_engine.c ADDED Viewed

@@ -0,0 +1,82 @@
+#include "ruby.h"
+#include "crypto_sign.h"
+static VALUE mEd25519 = Qnil;
+static VALUE mEd25519_Engine = Qnil;
+static VALUE Ed25519_Engine_create_keypair(VALUE self, VALUE seed);
+static VALUE Ed25519_Engine_sign(VALUE self, VALUE signing_key, VALUE msg);
+static VALUE Ed25519_Engine_verify(VALUE self, VALUE verify_key, VALUE signature, VALUE msg);
+void Init_red25519_engine()
+{
+    mEd25519 = rb_define_module("Ed25519");
+    mEd25519_Engine = rb_define_module_under(mEd25519, "Engine");
+    rb_define_singleton_method(mEd25519_Engine, "create_keypair", Ed25519_Engine_create_keypair, 1);
+    rb_define_singleton_method(mEd25519_Engine, "sign", Ed25519_Engine_sign, 2);
+    rb_define_singleton_method(mEd25519_Engine, "verify", Ed25519_Engine_verify, 3);
+}
+static VALUE Ed25519_Engine_create_keypair(VALUE self, VALUE seed)
+{
+    unsigned char verify_key[PUBLICKEYBYTES], signing_key[SECRETKEYBYTES];
+    seed = rb_convert_type(seed, T_STRING, "String", "to_str");
+    if(RSTRING_LEN(seed) != SECRETKEYBYTES / 2)
+        rb_raise(rb_eArgError, "seed must be exactly %d bytes", SECRETKEYBYTES / 2);
+    crypto_sign_publickey(verify_key, signing_key, RSTRING_PTR(seed));
+    rb_ary_new3(2,
+        rb_str_new(verify_key, PUBLICKEYBYTES),
+        rb_str_new(signing_key, SECRETKEYBYTES)
+    );
+}
+static VALUE Ed25519_Engine_sign(VALUE self, VALUE signing_key, VALUE msg)
+{
+    unsigned char *sig_and_msg;
+    unsigned long long sig_and_msg_len;
+    VALUE result;
+    if(RSTRING_LEN(signing_key) != SECRETKEYBYTES)
+        rb_raise(rb_eArgError, "private signing keys must be %d bytes", SECRETKEYBYTES);
+    sig_and_msg = (unsigned char *)xmalloc(SIGNATUREBYTES + RSTRING_LEN(msg));
+    crypto_sign(sig_and_msg, &sig_and_msg_len, RSTRING_PTR(msg), RSTRING_LEN(msg), RSTRING_PTR(signing_key));
+    result = rb_str_new(sig_and_msg, SIGNATUREBYTES);
+    free(sig_and_msg);
+    return result;
+}
+static VALUE Ed25519_Engine_verify(VALUE self, VALUE verify_key, VALUE signature, VALUE msg)
+{
+    unsigned char *sig_and_msg, *buffer;
+    unsigned long long sig_and_msg_len, buffer_len;
+    int result;
+    if(RSTRING_LEN(verify_key) != PUBLICKEYBYTES)
+      rb_raise(rb_eArgError, "public verify keys must be %d bytes", PUBLICKEYBYTES);
+    if(RSTRING_LEN(signature) != SIGNATUREBYTES)
+      rb_raise(rb_eArgError, "public verify keys must be %d bytes", PUBLICKEYBYTES);
+    sig_and_msg_len = SIGNATUREBYTES + RSTRING_LEN(msg);
+    sig_and_msg = (unsigned char *)xmalloc(sig_and_msg_len);
+    buffer      = (unsigned char *)xmalloc(sig_and_msg_len);
+    memcpy(sig_and_msg, RSTRING_PTR(signature), SIGNATUREBYTES);
+    memcpy(sig_and_msg + SIGNATUREBYTES, RSTRING_PTR(msg), RSTRING_LEN(msg));
+    result = crypto_sign_open(
+        buffer, &buffer_len,
+        sig_and_msg, sig_and_msg_len,
+        RSTRING_PTR(verify_key));
+    free(sig_and_msg);
+    free(buffer);
+    return result == 0 ? Qtrue : Qfalse;
+}

data/ext/red25519/sc25519.c ADDED Viewed

@@ -0,0 +1,298 @@
+#include "sc25519.h"
+/*Arithmetic modulo the group order m = 2^252 +  27742317777372353535851937790883648493 = 7237005577332262213973186563042994240857116359379907606001950938285454250989 */
+static const crypto_uint32 m[32] = {0xED, 0xD3, 0xF5, 0x5C, 0x1A, 0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14,
+                                    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10};
+static const crypto_uint32 mu[33] = {0x1B, 0x13, 0x2C, 0x0A, 0xA3, 0xE5, 0x9C, 0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21,
+                                     0xEB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F};
+static crypto_uint32 lt(crypto_uint32 a,crypto_uint32 b) /* 16-bit inputs */
+{
+  unsigned int x = a;
+  x -= (unsigned int) b; /* 0..65535: no; 4294901761..4294967295: yes */
+  x >>= 31; /* 0: no; 1: yes */
+  return x;
+}
+/* Reduce coefficients of r before calling reduce_add_sub */
+static void reduce_add_sub(sc25519 *r)
+{
+  crypto_uint32 pb = 0;
+  crypto_uint32 b;
+  crypto_uint32 mask;
+  int i;
+  unsigned char t[32];
+  for(i=0;i<32;i++)
+  {
+    pb += m[i];
+    b = lt(r->v[i],pb);
+    t[i] = r->v[i]-pb+(b<<8);
+    pb = b;
+  }
+  mask = b - 1;
+  for(i=0;i<32;i++)
+    r->v[i] ^= mask & (r->v[i] ^ t[i]);
+}
+/* Reduce coefficients of x before calling barrett_reduce */
+static void barrett_reduce(sc25519 *r, const crypto_uint32 x[64])
+{
+  /* See HAC, Alg. 14.42 */
+  int i,j;
+  crypto_uint32 q2[66];
+  crypto_uint32 *q3 = q2 + 33;
+  crypto_uint32 r1[33];
+  crypto_uint32 r2[33];
+  crypto_uint32 carry;
+  crypto_uint32 pb = 0;
+  crypto_uint32 b;
+  for (i = 0;i < 66;++i) q2[i] = 0;
+  for (i = 0;i < 33;++i) r2[i] = 0;
+  for(i=0;i<33;i++)
+    for(j=0;j<33;j++)
+      if(i+j >= 31) q2[i+j] += mu[i]*x[j+31];
+  carry = q2[31] >> 8;
+  q2[32] += carry;
+  carry = q2[32] >> 8;
+  q2[33] += carry;
+  for(i=0;i<33;i++)r1[i] = x[i];
+  for(i=0;i<32;i++)
+    for(j=0;j<33;j++)
+      if(i+j < 33) r2[i+j] += m[i]*q3[j];
+  for(i=0;i<32;i++)
+  {
+    carry = r2[i] >> 8;
+    r2[i+1] += carry;
+    r2[i] &= 0xff;
+  }
+  for(i=0;i<32;i++)
+  {
+    pb += r2[i];
+    b = lt(r1[i],pb);
+    r->v[i] = r1[i]-pb+(b<<8);
+    pb = b;
+  }
+  /* XXX: Can it really happen that r<0?, See HAC, Alg 14.42, Step 3
+   * If so: Handle  it here!
+   */
+  reduce_add_sub(r);
+  reduce_add_sub(r);
+}
+void sc25519_from32bytes(sc25519 *r, const unsigned char x[32])
+{
+  int i;
+  crypto_uint32 t[64];
+  for(i=0;i<32;i++) t[i] = x[i];
+  for(i=32;i<64;++i) t[i] = 0;
+  barrett_reduce(r, t);
+}
+void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16])
+{
+  int i;
+  for(i=0;i<16;i++) r->v[i] = x[i];
+}
+void sc25519_from64bytes(sc25519 *r, const unsigned char x[64])
+{
+  int i;
+  crypto_uint32 t[64];
+  for(i=0;i<64;i++) t[i] = x[i];
+  barrett_reduce(r, t);
+}
+void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x)
+{
+  int i;
+  for(i=0;i<16;i++)
+    r->v[i] = x->v[i];
+  for(i=0;i<16;i++)
+    r->v[16+i] = 0;
+}
+void sc25519_to32bytes(unsigned char r[32], const sc25519 *x)
+{
+  int i;
+  for(i=0;i<32;i++) r[i] = x->v[i];
+}
+int sc25519_iszero_vartime(const sc25519 *x)
+{
+  int i;
+  for(i=0;i<32;i++)
+    if(x->v[i] != 0) return 0;
+  return 1;
+}
+int sc25519_isshort_vartime(const sc25519 *x)
+{
+  int i;
+  for(i=31;i>15;i--)
+    if(x->v[i] != 0) return 0;
+  return 1;
+}
+int sc25519_lt_vartime(const sc25519 *x, const sc25519 *y)
+{
+  int i;
+  for(i=31;i>=0;i--)
+  {
+    if(x->v[i] < y->v[i]) return 1;
+    if(x->v[i] > y->v[i]) return 0;
+  }
+  return 0;
+}
+void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y)
+{
+  int i, carry;
+  for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i];
+  for(i=0;i<31;i++)
+  {
+    carry = r->v[i] >> 8;
+    r->v[i+1] += carry;
+    r->v[i] &= 0xff;
+  }
+  reduce_add_sub(r);
+}
+void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y)
+{
+  crypto_uint32 b = 0;
+  crypto_uint32 t;
+  int i;
+  for(i=0;i<32;i++)
+  {
+    t = x->v[i] - y->v[i] - b;
+    r->v[i] = t & 255;
+    b = (t >> 8) & 1;
+  }
+}
+void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y)
+{
+  int i,j,carry;
+  crypto_uint32 t[64];
+  for(i=0;i<64;i++)t[i] = 0;
+  for(i=0;i<32;i++)
+    for(j=0;j<32;j++)
+      t[i+j] += x->v[i] * y->v[j];
+  /* Reduce coefficients */
+  for(i=0;i<63;i++)
+  {
+    carry = t[i] >> 8;
+    t[i+1] += carry;
+    t[i] &= 0xff;
+  }
+  barrett_reduce(r, t);
+}
+void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y)
+{
+  sc25519 t;
+  sc25519_from_shortsc(&t, y);
+  sc25519_mul(r, x, &t);
+}
+void sc25519_window3(signed char r[85], const sc25519 *s)
+{
+  char carry;
+  int i;
+  for(i=0;i<10;i++)
+  {
+    r[8*i+0]  =  s->v[3*i+0]       & 7;
+    r[8*i+1]  = (s->v[3*i+0] >> 3) & 7;
+    r[8*i+2]  = (s->v[3*i+0] >> 6) & 7;
+    r[8*i+2] ^= (s->v[3*i+1] << 2) & 7;
+    r[8*i+3]  = (s->v[3*i+1] >> 1) & 7;
+    r[8*i+4]  = (s->v[3*i+1] >> 4) & 7;
+    r[8*i+5]  = (s->v[3*i+1] >> 7) & 7;
+    r[8*i+5] ^= (s->v[3*i+2] << 1) & 7;
+    r[8*i+6]  = (s->v[3*i+2] >> 2) & 7;
+    r[8*i+7]  = (s->v[3*i+2] >> 5) & 7;
+  }
+  r[8*i+0]  =  s->v[3*i+0]       & 7;
+  r[8*i+1]  = (s->v[3*i+0] >> 3) & 7;
+  r[8*i+2]  = (s->v[3*i+0] >> 6) & 7;
+  r[8*i+2] ^= (s->v[3*i+1] << 2) & 7;
+  r[8*i+3]  = (s->v[3*i+1] >> 1) & 7;
+  r[8*i+4]  = (s->v[3*i+1] >> 4) & 7;
+  /* Making it signed */
+  carry = 0;
+  for(i=0;i<84;i++)
+  {
+    r[i] += carry;
+    r[i+1] += r[i] >> 3;
+    r[i] &= 7;
+    carry = r[i] >> 2;
+    r[i] -= carry<<3;
+  }
+  r[84] += carry;
+}
+void sc25519_window5(signed char r[51], const sc25519 *s)
+{
+  char carry;
+  int i;
+  for(i=0;i<6;i++)
+  {
+    r[8*i+0]  =  s->v[5*i+0]       & 31;
+    r[8*i+1]  = (s->v[5*i+0] >> 5) & 31;
+    r[8*i+1] ^= (s->v[5*i+1] << 3) & 31;
+    r[8*i+2]  = (s->v[5*i+1] >> 2) & 31;
+    r[8*i+3]  = (s->v[5*i+1] >> 7) & 31;
+    r[8*i+3] ^= (s->v[5*i+2] << 1) & 31;
+    r[8*i+4]  = (s->v[5*i+2] >> 4) & 31;
+    r[8*i+4] ^= (s->v[5*i+3] << 4) & 31;
+    r[8*i+5]  = (s->v[5*i+3] >> 1) & 31;
+    r[8*i+6]  = (s->v[5*i+3] >> 6) & 31;
+    r[8*i+6] ^= (s->v[5*i+4] << 2) & 31;
+    r[8*i+7]  = (s->v[5*i+4] >> 3) & 31;
+  }
+  r[8*i+0]  =  s->v[5*i+0]       & 31;
+  r[8*i+1]  = (s->v[5*i+0] >> 5) & 31;
+  r[8*i+1] ^= (s->v[5*i+1] << 3) & 31;
+  r[8*i+2]  = (s->v[5*i+1] >> 2) & 31;
+  /* Making it signed */
+  carry = 0;
+  for(i=0;i<50;i++)
+  {
+    r[i] += carry;
+    r[i+1] += r[i] >> 5;
+    r[i] &= 31;
+    carry = r[i] >> 4;
+    r[i] -= carry<<5;
+  }
+  r[50] += carry;
+}
+void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2)
+{
+  int i;
+  for(i=0;i<31;i++)
+  {
+    r[4*i]   = ( s1->v[i]       & 3) ^ (( s2->v[i]       & 3) << 2);
+    r[4*i+1] = ((s1->v[i] >> 2) & 3) ^ (((s2->v[i] >> 2) & 3) << 2);
+    r[4*i+2] = ((s1->v[i] >> 4) & 3) ^ (((s2->v[i] >> 4) & 3) << 2);
+    r[4*i+3] = ((s1->v[i] >> 6) & 3) ^ (((s2->v[i] >> 6) & 3) << 2);
+  }
+  r[124] = ( s1->v[31]       & 3) ^ (( s2->v[31]       & 3) << 2);
+  r[125] = ((s1->v[31] >> 2) & 3) ^ (((s2->v[31] >> 2) & 3) << 2);
+  r[126] = ((s1->v[31] >> 4) & 3) ^ (((s2->v[31] >> 4) & 3) << 2);
+}

data/ext/red25519/sc25519.h ADDED Viewed

@@ -0,0 +1,73 @@
+#ifndef SC25519_H
+#define SC25519_H
+#include "crypto_int32.h"
+#include "crypto_uint32.h"
+#define sc25519                  crypto_sign_ed25519_ref_sc25519
+#define shortsc25519             crypto_sign_ed25519_ref_shortsc25519
+#define sc25519_from32bytes      crypto_sign_ed25519_ref_sc25519_from32bytes
+#define shortsc25519_from16bytes crypto_sign_ed25519_ref_shortsc25519_from16bytes
+#define sc25519_from64bytes      crypto_sign_ed25519_ref_sc25519_from64bytes
+#define sc25519_from_shortsc     crypto_sign_ed25519_ref_sc25519_from_shortsc
+#define sc25519_to32bytes        crypto_sign_ed25519_ref_sc25519_to32bytes
+#define sc25519_iszero_vartime   crypto_sign_ed25519_ref_sc25519_iszero_vartime
+#define sc25519_isshort_vartime  crypto_sign_ed25519_ref_sc25519_isshort_vartime
+#define sc25519_lt_vartime       crypto_sign_ed25519_ref_sc25519_lt_vartime
+#define sc25519_add              crypto_sign_ed25519_ref_sc25519_add
+#define sc25519_sub_nored        crypto_sign_ed25519_ref_sc25519_sub_nored
+#define sc25519_mul              crypto_sign_ed25519_ref_sc25519_mul
+#define sc25519_mul_shortsc      crypto_sign_ed25519_ref_sc25519_mul_shortsc
+#define sc25519_window3          crypto_sign_ed25519_ref_sc25519_window3
+#define sc25519_window5          crypto_sign_ed25519_ref_sc25519_window5
+#define sc25519_2interleave2     crypto_sign_ed25519_ref_sc25519_2interleave2
+typedef struct
+{
+  crypto_uint32 v[32];
+}
+sc25519;
+typedef struct
+{
+  crypto_uint32 v[16];
+}
+shortsc25519;
+void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]);
+void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16]);
+void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]);
+void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x);
+void sc25519_to32bytes(unsigned char r[32], const sc25519 *x);
+int sc25519_iszero_vartime(const sc25519 *x);
+int sc25519_isshort_vartime(const sc25519 *x);
+int sc25519_lt_vartime(const sc25519 *x, const sc25519 *y);
+void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y);
+void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y);
+void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y);
+void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y);
+/* Convert s into a representation of the form \sum_{i=0}^{84}r[i]2^3
+ * with r[i] in {-4,...,3}
+ */
+void sc25519_window3(signed char r[85], const sc25519 *s);
+/* Convert s into a representation of the form \sum_{i=0}^{50}r[i]2^5
+ * with r[i] in {-16,...,15}
+ */
+void sc25519_window5(signed char r[51], const sc25519 *s);
+void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2);
+#endif