red25519 1.1.0-jruby

data/ext/red25519/org/red25519/ed25519.java

@@ -0,0 +1,228 @@
+package org.red25519;
+
+import java.math.BigInteger;
+import java.nio.ByteBuffer;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+
+/* Written by k3d3
+ * Released to the public domain
+ */
+
+public class ed25519 {
+	static final int b = 256;
+	static final BigInteger q = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819949");
+	static final BigInteger qm2 = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819947");
+	static final BigInteger qp3 = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819952");
+	static final BigInteger l = new BigInteger("7237005577332262213973186563042994240857116359379907606001950938285454250989");
+	static final BigInteger d = new BigInteger("-4513249062541557337682894930092624173785641285191125241628941591882900924598840740");
+	static final BigInteger I = new BigInteger("19681161376707505956807079304988542015446066515923890162744021073123829784752");
+	static final BigInteger By = new BigInteger("46316835694926478169428394003475163141307993866256225615783033603165251855960");
+	static final BigInteger Bx = new BigInteger("15112221349535400772501151409588531511454012693041857206046113283949847762202");
+	static final BigInteger[] B = {Bx.mod(q),By.mod(q)};
+	static final BigInteger un = new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564819967");
+
+	static byte[] H(byte[] m) {
+		MessageDigest md;
+		try {
+			md = MessageDigest.getInstance("SHA-512");
+			md.reset();
+			return md.digest(m);
+		} catch (NoSuchAlgorithmException e) {
+			e.printStackTrace();
+			System.exit(1);
+		}
+		return null;
+	}
+
+	static BigInteger expmod(BigInteger b, BigInteger e, BigInteger m) {
+		//System.out.println("expmod open with b=" + b + " e=" + e + " m=" + m);
+		if (e.equals(BigInteger.ZERO)) {
+			//System.out.println("expmod close with 1z");
+			return BigInteger.ONE;
+		}
+		BigInteger t = expmod(b, e.divide(BigInteger.valueOf(2)), m).pow(2).mod(m);
+		//System.out.println("expmod 1/2 t="+t+" e="+e+" testbit="+(e.testBit(0)?1:0));
+		if (e.testBit(0)) {
+			t = t.multiply(b).mod(m);
+		}
+		//System.out.println("expmod close with " + t);
+		return t;
+	}
+
+	static BigInteger inv(BigInteger x) {
+		//System.out.println("inv open with " + x);
+		//System.out.println("inv close with " + expmod(x, qm2, q));
+		return expmod(x, qm2, q);
+	}
+
+	static BigInteger xrecover(BigInteger y) {
+		BigInteger y2 = y.multiply(y);
+		BigInteger xx = (y2.subtract(BigInteger.ONE)).multiply(inv(d.multiply(y2).add(BigInteger.ONE)));
+		BigInteger x = expmod(xx, qp3.divide(BigInteger.valueOf(8)), q);
+		if (!x.multiply(x).subtract(xx).mod(q).equals(BigInteger.ZERO)) x = (x.multiply(I).mod(q));
+		if (!x.mod(BigInteger.valueOf(2)).equals(BigInteger.ZERO)) x = q.subtract(x);
+		return x;
+	}
+
+	static BigInteger[] edwards(BigInteger[] P, BigInteger[] Q) {
+		BigInteger x1 = P[0];
+		BigInteger y1 = P[1];
+		BigInteger x2 = Q[0];
+		BigInteger y2 = Q[1];
+		BigInteger dtemp = d.multiply(x1).multiply(x2).multiply(y1).multiply(y2);
+		//System.out.println("edwards open with "+x1+","+x2+" "+y1+","+y2+" d="+d+" dtemp="+dtemp);
+		BigInteger x3 = ((x1.multiply(y2)).add((x2.multiply(y1)))).multiply(inv(BigInteger.ONE.add(dtemp)));
+		//System.out.println("edwards 1/2 with "+x1+","+x2+" "+y1+","+y2+" d="+d+" dtemp="+dtemp);
+		BigInteger y3 = ((y1.multiply(y2)).add((x1.multiply(x2)))).multiply(inv(BigInteger.ONE.subtract(dtemp)));
+		//System.out.println("edwards 2/2 with "+x1+","+x2+" "+y1+","+y2+" d="+d+" dtemp="+dtemp);
+		//System.out.println("edwards close with "+x3.mod(q)+","+y3.mod(q));
+		return new BigInteger[]{x3.mod(q), y3.mod(q)};
+	}
+
+	static BigInteger[] scalarmult(BigInteger[] P, BigInteger e) {
+		//System.out.println("scalarmult open with e = " + e);
+		if (e.equals(BigInteger.ZERO)) {
+			//System.out.println("scalarmult close with Q = 0,1");
+			return new BigInteger[]{BigInteger.ZERO, BigInteger.ONE};
+		}
+		BigInteger[] Q = scalarmult(P, e.divide(BigInteger.valueOf(2)));
+		//System.out.println("scalarmult asQ = " + Q[0] + "," + Q[1]);
+		Q = edwards(Q, Q);
+		//System.out.println("scalarmult aeQ = " + Q[0] + "," + Q[1] + " e="+e+" testbit="+(e.testBit(0)?1:0));
+		if (e.testBit(0)) Q = edwards(Q, P);
+		//System.out.println("scalarmult close with Q = " + Q[0] + "," + Q[1]);
+		return Q;
+	}
+
+	static byte[] encodeint(BigInteger y) {
+		byte[] in = y.toByteArray();
+		byte[] out = new byte[in.length];
+		for (int i=0;i<in.length;i++) {
+			out[i] = in[in.length-1-i];
+		}
+		return out;
+	}
+
+	static byte[] encodepoint(BigInteger[] P) {
+		BigInteger x = P[0];
+		BigInteger y = P[1];
+		byte[] out = encodeint(y);
+		//System.out.println("encodepoint x="+x+" testbit="+(x.testBit(0) ? 1 : 0));
+		out[out.length-1] |= (x.testBit(0) ? 0x80 : 0);
+		return out;
+	}
+
+	static int bit(byte[] h, int i) {
+		//System.out.println("bit open with i="+i);
+		//System.out.println("bit close with "+(h[i/8] >> (i%8) & 1));
+		return h[i/8] >> (i%8) & 1;
+	}
+
+	static byte[] publickey(byte[] sk) {
+		byte[] h = H(sk);
+		//System.out.println("publickey open with h=" + test.getHex(h));
+		BigInteger a = BigInteger.valueOf(2).pow(b-2);
+		for (int i=3;i<(b-2);i++) {
+			BigInteger apart = BigInteger.valueOf(2).pow(i).multiply(BigInteger.valueOf(bit(h,i)));
+			//System.out.println("publickey apart="+apart);
+			a = a.add(apart);
+		}
+		BigInteger[] A = scalarmult(B,a);
+		//System.out.println("publickey close with A="+A[0]+","+A[1]+" out="+test.getHex(encodepoint(A)));
+		return encodepoint(A);
+	}
+
+	static BigInteger Hint(byte[] m) {
+		byte[] h = H(m);
+		BigInteger hsum = BigInteger.ZERO;
+		for (int i=0;i<2*b;i++) {
+			hsum = hsum.add(BigInteger.valueOf(2).pow(i).multiply(BigInteger.valueOf(bit(h,i))));
+		}
+		return hsum;
+	}
+
+	static byte[] signature(byte[] m, byte[] sk, byte[] pk) {
+		byte[] h = H(sk);
+		//System.out.println("signature open with m="+test.getHex(m)+" h="+test.getHex(h)+" pk="+test.getHex(pk));
+		BigInteger a = BigInteger.valueOf(2).pow(b-2);
+		for (int i=3;i<(b-2);i++) {
+			a = a.add(BigInteger.valueOf(2).pow(i).multiply(BigInteger.valueOf(bit(h,i))));
+		}
+		//System.out.println("signature a="+a);
+		ByteBuffer rsub = ByteBuffer.allocate((b/8)+m.length);
+		rsub.put(h, b/8, b/4-b/8).put(m);
+		//System.out.println("signature rsub="+test.getHex(rsub.array()));
+		BigInteger r = Hint(rsub.array());
+		//System.out.println("signature r="+r);
+		BigInteger[] R = scalarmult(B,r);
+		ByteBuffer Stemp = ByteBuffer.allocate(32+pk.length+m.length);
+		Stemp.put(encodepoint(R)).put(pk).put(m);
+		BigInteger S = r.add(Hint(Stemp.array()).multiply(a)).mod(l);
+		ByteBuffer out = ByteBuffer.allocate(64);
+		out.put(encodepoint(R)).put(encodeint(S));
+		return out.array();
+	}
+
+	static boolean isoncurve(BigInteger[] P) {
+		BigInteger x = P[0];
+		BigInteger y = P[1];
+		//System.out.println("isoncurve open with P="+x+","+y);
+		BigInteger xx = x.multiply(x);
+		BigInteger yy = y.multiply(y);
+		BigInteger dxxyy = d.multiply(yy).multiply(xx);
+		//System.out.println("isoncurve close with "+xx.negate().add(yy).subtract(BigInteger.ONE).subtract(dxxyy).mod(q));
+		return xx.negate().add(yy).subtract(BigInteger.ONE).subtract(dxxyy).mod(q).equals(BigInteger.ZERO);
+	}
+
+	static BigInteger decodeint(byte[] s) {
+		byte[] out = new byte[s.length];
+		for (int i=0;i<s.length;i++) {
+			out[i] = s[s.length-1-i];
+		}
+		return new BigInteger(out).and(un);
+	}
+
+	static BigInteger[] decodepoint(byte[] s) throws Exception {
+		byte[] ybyte = new byte[s.length];
+		for (int i=0;i<s.length;i++) {
+			ybyte[i] = s[s.length-1-i];
+		}
+		//System.out.println("decodepoint open with s="+test.getHex(s)+" ybyte="+test.getHex(ybyte));
+		BigInteger y = new BigInteger(ybyte).and(un);
+		//System.out.println("decodepoint y="+y);
+		BigInteger x = xrecover(y);
+		//System.out.println("decodepoint x="+x+" testbit="+(x.testBit(0)?1:0)+" bit="+bit(s, b-1));
+		if ((x.testBit(0)?1:0) != bit(s, b-1)) {
+			x = q.subtract(x);
+		}
+		BigInteger[] P = {x,y};
+		if (!isoncurve(P)) throw new Exception("decoding point that is not on curve");
+		return P;
+	}
+
+	static boolean checkvalid(byte[] s, byte[] m, byte[] pk) throws Exception {
+		if (s.length != b/4) throw new Exception("signature length is wrong");
+		if (pk.length != b/8) throw new Exception("public-key length is wrong");
+		//System.out.println("checkvalid open with s="+test.getHex(s)+" m="+test.getHex(m)+" pk="+test.getHex(pk));
+		byte[] Rbyte = Arrays.copyOfRange(s, 0, b/8);
+		//System.out.println("checkvalid Rbyte="+test.getHex(Rbyte));
+		BigInteger[] R = decodepoint(Rbyte);
+		BigInteger[] A = decodepoint(pk);
+		//System.out.println("checkvalid R="+R[0]+","+R[1]+" A="+A[0]+","+A[1]);
+		byte[] Sbyte = Arrays.copyOfRange(s, b/8, b/4);
+		//System.out.println("checkvalid Sbyte="+test.getHex(Sbyte));
+		BigInteger S = decodeint(Sbyte);
+		//System.out.println("checkvalid S="+S);
+		ByteBuffer Stemp = ByteBuffer.allocate(32+pk.length+m.length);
+		Stemp.put(encodepoint(R)).put(pk).put(m);
+		BigInteger h = Hint(Stemp.array());
+		BigInteger[] ra = scalarmult(B,S);
+		BigInteger[] rb = edwards(R,scalarmult(A,h));
+		//System.out.println("checkvalid ra="+ra[0]+","+ra[1]+" rb="+rb[0]+","+rb[1]);
+		if (!ra[0].equals(rb[0]) || !ra[1].equals(rb[1])) // Constant time comparison
+			return false;
+		return true;
+	}
+}

data/ext/red25519/red25519_engine.c

@@ -0,0 +1,82 @@
+#include "ruby.h"
+#include "crypto_sign.h"
+
+static VALUE mEd25519 = Qnil;
+static VALUE mEd25519_Engine = Qnil;
+
+static VALUE Ed25519_Engine_create_keypair(VALUE self, VALUE seed);
+static VALUE Ed25519_Engine_sign(VALUE self, VALUE signing_key, VALUE msg);
+static VALUE Ed25519_Engine_verify(VALUE self, VALUE verify_key, VALUE signature, VALUE msg);
+
+void Init_red25519_engine()
+{
+    mEd25519 = rb_define_module("Ed25519");
+    mEd25519_Engine = rb_define_module_under(mEd25519, "Engine");
+
+    rb_define_singleton_method(mEd25519_Engine, "create_keypair", Ed25519_Engine_create_keypair, 1);
+    rb_define_singleton_method(mEd25519_Engine, "sign", Ed25519_Engine_sign, 2);
+    rb_define_singleton_method(mEd25519_Engine, "verify", Ed25519_Engine_verify, 3);
+}
+
+static VALUE Ed25519_Engine_create_keypair(VALUE self, VALUE seed)
+{
+    unsigned char verify_key[PUBLICKEYBYTES], signing_key[SECRETKEYBYTES];
+
+    seed = rb_convert_type(seed, T_STRING, "String", "to_str");
+
+    if(RSTRING_LEN(seed) != SECRETKEYBYTES / 2)
+        rb_raise(rb_eArgError, "seed must be exactly %d bytes", SECRETKEYBYTES / 2);
+
+    crypto_sign_publickey(verify_key, signing_key, RSTRING_PTR(seed));
+
+    rb_ary_new3(2,
+        rb_str_new(verify_key, PUBLICKEYBYTES),
+        rb_str_new(signing_key, SECRETKEYBYTES)
+    );
+}
+
+static VALUE Ed25519_Engine_sign(VALUE self, VALUE signing_key, VALUE msg)
+{
+    unsigned char *sig_and_msg;
+    unsigned long long sig_and_msg_len;
+    VALUE result;
+
+    if(RSTRING_LEN(signing_key) != SECRETKEYBYTES)
+        rb_raise(rb_eArgError, "private signing keys must be %d bytes", SECRETKEYBYTES);
+
+    sig_and_msg = (unsigned char *)xmalloc(SIGNATUREBYTES + RSTRING_LEN(msg));
+    crypto_sign(sig_and_msg, &sig_and_msg_len, RSTRING_PTR(msg), RSTRING_LEN(msg), RSTRING_PTR(signing_key));
+    result = rb_str_new(sig_and_msg, SIGNATUREBYTES);
+    free(sig_and_msg);
+
+    return result;
+}
+
+static VALUE Ed25519_Engine_verify(VALUE self, VALUE verify_key, VALUE signature, VALUE msg)
+{
+    unsigned char *sig_and_msg, *buffer;
+    unsigned long long sig_and_msg_len, buffer_len;
+    int result;
+
+    if(RSTRING_LEN(verify_key) != PUBLICKEYBYTES)
+      rb_raise(rb_eArgError, "public verify keys must be %d bytes", PUBLICKEYBYTES);
+
+    if(RSTRING_LEN(signature) != SIGNATUREBYTES)
+      rb_raise(rb_eArgError, "public verify keys must be %d bytes", PUBLICKEYBYTES);
+
+    sig_and_msg_len = SIGNATUREBYTES + RSTRING_LEN(msg);
+    sig_and_msg = (unsigned char *)xmalloc(sig_and_msg_len);
+    buffer      = (unsigned char *)xmalloc(sig_and_msg_len);
+    memcpy(sig_and_msg, RSTRING_PTR(signature), SIGNATUREBYTES);
+    memcpy(sig_and_msg + SIGNATUREBYTES, RSTRING_PTR(msg), RSTRING_LEN(msg));
+
+    result = crypto_sign_open(
+        buffer, &buffer_len,
+        sig_and_msg, sig_and_msg_len,
+        RSTRING_PTR(verify_key));
+
+    free(sig_and_msg);
+    free(buffer);
+
+    return result == 0 ? Qtrue : Qfalse;
+}

data/ext/red25519/sc25519.c

@@ -0,0 +1,298 @@
+#include "sc25519.h"
+
+/*Arithmetic modulo the group order m = 2^252 +  27742317777372353535851937790883648493 = 7237005577332262213973186563042994240857116359379907606001950938285454250989 */
+
+static const crypto_uint32 m[32] = {0xED, 0xD3, 0xF5, 0x5C, 0x1A, 0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14, 
+                                    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10};
+
+static const crypto_uint32 mu[33] = {0x1B, 0x13, 0x2C, 0x0A, 0xA3, 0xE5, 0x9C, 0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21, 
+                                     0xEB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F};
+
+static crypto_uint32 lt(crypto_uint32 a,crypto_uint32 b) /* 16-bit inputs */
+{
+  unsigned int x = a;
+  x -= (unsigned int) b; /* 0..65535: no; 4294901761..4294967295: yes */
+  x >>= 31; /* 0: no; 1: yes */
+  return x;
+}
+
+/* Reduce coefficients of r before calling reduce_add_sub */
+static void reduce_add_sub(sc25519 *r)
+{
+  crypto_uint32 pb = 0;
+  crypto_uint32 b;
+  crypto_uint32 mask;
+  int i;
+  unsigned char t[32];
+
+  for(i=0;i<32;i++) 
+  {
+    pb += m[i];
+    b = lt(r->v[i],pb);
+    t[i] = r->v[i]-pb+(b<<8);
+    pb = b;
+  }
+  mask = b - 1;
+  for(i=0;i<32;i++) 
+    r->v[i] ^= mask & (r->v[i] ^ t[i]);
+}
+
+/* Reduce coefficients of x before calling barrett_reduce */
+static void barrett_reduce(sc25519 *r, const crypto_uint32 x[64])
+{
+  /* See HAC, Alg. 14.42 */
+  int i,j;
+  crypto_uint32 q2[66];
+  crypto_uint32 *q3 = q2 + 33;
+  crypto_uint32 r1[33];
+  crypto_uint32 r2[33];
+  crypto_uint32 carry;
+  crypto_uint32 pb = 0;
+  crypto_uint32 b;
+
+  for (i = 0;i < 66;++i) q2[i] = 0;
+  for (i = 0;i < 33;++i) r2[i] = 0;
+
+  for(i=0;i<33;i++)
+    for(j=0;j<33;j++)
+      if(i+j >= 31) q2[i+j] += mu[i]*x[j+31];
+  carry = q2[31] >> 8;
+  q2[32] += carry;
+  carry = q2[32] >> 8;
+  q2[33] += carry;
+
+  for(i=0;i<33;i++)r1[i] = x[i];
+  for(i=0;i<32;i++)
+    for(j=0;j<33;j++)
+      if(i+j < 33) r2[i+j] += m[i]*q3[j];
+
+  for(i=0;i<32;i++)
+  {
+    carry = r2[i] >> 8;
+    r2[i+1] += carry;
+    r2[i] &= 0xff;
+  }
+
+  for(i=0;i<32;i++) 
+  {
+    pb += r2[i];
+    b = lt(r1[i],pb);
+    r->v[i] = r1[i]-pb+(b<<8);
+    pb = b;
+  }
+
+  /* XXX: Can it really happen that r<0?, See HAC, Alg 14.42, Step 3 
+   * If so: Handle  it here!
+   */
+
+  reduce_add_sub(r);
+  reduce_add_sub(r);
+}
+
+void sc25519_from32bytes(sc25519 *r, const unsigned char x[32])
+{
+  int i;
+  crypto_uint32 t[64];
+  for(i=0;i<32;i++) t[i] = x[i];
+  for(i=32;i<64;++i) t[i] = 0;
+  barrett_reduce(r, t);
+}
+
+void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16])
+{
+  int i;
+  for(i=0;i<16;i++) r->v[i] = x[i];
+}
+
+void sc25519_from64bytes(sc25519 *r, const unsigned char x[64])
+{
+  int i;
+  crypto_uint32 t[64];
+  for(i=0;i<64;i++) t[i] = x[i];
+  barrett_reduce(r, t);
+}
+
+void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x)
+{
+  int i;
+  for(i=0;i<16;i++)
+    r->v[i] = x->v[i];
+  for(i=0;i<16;i++)
+    r->v[16+i] = 0;
+}
+
+void sc25519_to32bytes(unsigned char r[32], const sc25519 *x)
+{
+  int i;
+  for(i=0;i<32;i++) r[i] = x->v[i];
+}
+
+int sc25519_iszero_vartime(const sc25519 *x)
+{
+  int i;
+  for(i=0;i<32;i++)
+    if(x->v[i] != 0) return 0;
+  return 1;
+}
+
+int sc25519_isshort_vartime(const sc25519 *x)
+{
+  int i;
+  for(i=31;i>15;i--)
+    if(x->v[i] != 0) return 0;
+  return 1;
+}
+
+int sc25519_lt_vartime(const sc25519 *x, const sc25519 *y)
+{
+  int i;
+  for(i=31;i>=0;i--)
+  {
+    if(x->v[i] < y->v[i]) return 1;
+    if(x->v[i] > y->v[i]) return 0;
+  }
+  return 0;
+}
+
+void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y)
+{
+  int i, carry;
+  for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i];
+  for(i=0;i<31;i++)
+  {
+    carry = r->v[i] >> 8;
+    r->v[i+1] += carry;
+    r->v[i] &= 0xff;
+  }
+  reduce_add_sub(r);
+}
+
+void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y)
+{
+  crypto_uint32 b = 0;
+  crypto_uint32 t;
+  int i;
+  for(i=0;i<32;i++)
+  {
+    t = x->v[i] - y->v[i] - b;
+    r->v[i] = t & 255;
+    b = (t >> 8) & 1;
+  }
+}
+
+void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y)
+{
+  int i,j,carry;
+  crypto_uint32 t[64];
+  for(i=0;i<64;i++)t[i] = 0;
+
+  for(i=0;i<32;i++)
+    for(j=0;j<32;j++)
+      t[i+j] += x->v[i] * y->v[j];
+
+  /* Reduce coefficients */
+  for(i=0;i<63;i++)
+  {
+    carry = t[i] >> 8;
+    t[i+1] += carry;
+    t[i] &= 0xff;
+  }
+
+  barrett_reduce(r, t);
+}
+
+void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y)
+{
+  sc25519 t;
+  sc25519_from_shortsc(&t, y);
+  sc25519_mul(r, x, &t);
+}
+
+void sc25519_window3(signed char r[85], const sc25519 *s)
+{
+  char carry;
+  int i;
+  for(i=0;i<10;i++)
+  {
+    r[8*i+0]  =  s->v[3*i+0]       & 7;
+    r[8*i+1]  = (s->v[3*i+0] >> 3) & 7;
+    r[8*i+2]  = (s->v[3*i+0] >> 6) & 7;
+    r[8*i+2] ^= (s->v[3*i+1] << 2) & 7;
+    r[8*i+3]  = (s->v[3*i+1] >> 1) & 7;
+    r[8*i+4]  = (s->v[3*i+1] >> 4) & 7;
+    r[8*i+5]  = (s->v[3*i+1] >> 7) & 7;
+    r[8*i+5] ^= (s->v[3*i+2] << 1) & 7;
+    r[8*i+6]  = (s->v[3*i+2] >> 2) & 7;
+    r[8*i+7]  = (s->v[3*i+2] >> 5) & 7;
+  }
+  r[8*i+0]  =  s->v[3*i+0]       & 7;
+  r[8*i+1]  = (s->v[3*i+0] >> 3) & 7;
+  r[8*i+2]  = (s->v[3*i+0] >> 6) & 7;
+  r[8*i+2] ^= (s->v[3*i+1] << 2) & 7;
+  r[8*i+3]  = (s->v[3*i+1] >> 1) & 7;
+  r[8*i+4]  = (s->v[3*i+1] >> 4) & 7;
+
+  /* Making it signed */
+  carry = 0;
+  for(i=0;i<84;i++)
+  {
+    r[i] += carry;
+    r[i+1] += r[i] >> 3;
+    r[i] &= 7;
+    carry = r[i] >> 2;
+    r[i] -= carry<<3;
+  }
+  r[84] += carry;
+}
+
+void sc25519_window5(signed char r[51], const sc25519 *s)
+{
+  char carry;
+  int i;
+  for(i=0;i<6;i++)
+  {
+    r[8*i+0]  =  s->v[5*i+0]       & 31;
+    r[8*i+1]  = (s->v[5*i+0] >> 5) & 31;
+    r[8*i+1] ^= (s->v[5*i+1] << 3) & 31;
+    r[8*i+2]  = (s->v[5*i+1] >> 2) & 31;
+    r[8*i+3]  = (s->v[5*i+1] >> 7) & 31;
+    r[8*i+3] ^= (s->v[5*i+2] << 1) & 31;
+    r[8*i+4]  = (s->v[5*i+2] >> 4) & 31;
+    r[8*i+4] ^= (s->v[5*i+3] << 4) & 31;
+    r[8*i+5]  = (s->v[5*i+3] >> 1) & 31;
+    r[8*i+6]  = (s->v[5*i+3] >> 6) & 31;
+    r[8*i+6] ^= (s->v[5*i+4] << 2) & 31;
+    r[8*i+7]  = (s->v[5*i+4] >> 3) & 31;
+  }
+  r[8*i+0]  =  s->v[5*i+0]       & 31;
+  r[8*i+1]  = (s->v[5*i+0] >> 5) & 31;
+  r[8*i+1] ^= (s->v[5*i+1] << 3) & 31;
+  r[8*i+2]  = (s->v[5*i+1] >> 2) & 31;
+
+  /* Making it signed */
+  carry = 0;
+  for(i=0;i<50;i++)
+  {
+    r[i] += carry;
+    r[i+1] += r[i] >> 5;
+    r[i] &= 31;
+    carry = r[i] >> 4;
+    r[i] -= carry<<5;
+  }
+  r[50] += carry;
+}
+
+void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2)
+{
+  int i;
+  for(i=0;i<31;i++)
+  {
+    r[4*i]   = ( s1->v[i]       & 3) ^ (( s2->v[i]       & 3) << 2);
+    r[4*i+1] = ((s1->v[i] >> 2) & 3) ^ (((s2->v[i] >> 2) & 3) << 2);
+    r[4*i+2] = ((s1->v[i] >> 4) & 3) ^ (((s2->v[i] >> 4) & 3) << 2);
+    r[4*i+3] = ((s1->v[i] >> 6) & 3) ^ (((s2->v[i] >> 6) & 3) << 2);
+  }
+  r[124] = ( s1->v[31]       & 3) ^ (( s2->v[31]       & 3) << 2);
+  r[125] = ((s1->v[31] >> 2) & 3) ^ (((s2->v[31] >> 2) & 3) << 2);
+  r[126] = ((s1->v[31] >> 4) & 3) ^ (((s2->v[31] >> 4) & 3) << 2);
+}

data/ext/red25519/sc25519.h

@@ -0,0 +1,73 @@
+#ifndef SC25519_H
+#define SC25519_H
+
+#include "crypto_int32.h"
+#include "crypto_uint32.h"
+
+#define sc25519                  crypto_sign_ed25519_ref_sc25519
+#define shortsc25519             crypto_sign_ed25519_ref_shortsc25519
+#define sc25519_from32bytes      crypto_sign_ed25519_ref_sc25519_from32bytes
+#define shortsc25519_from16bytes crypto_sign_ed25519_ref_shortsc25519_from16bytes
+#define sc25519_from64bytes      crypto_sign_ed25519_ref_sc25519_from64bytes
+#define sc25519_from_shortsc     crypto_sign_ed25519_ref_sc25519_from_shortsc
+#define sc25519_to32bytes        crypto_sign_ed25519_ref_sc25519_to32bytes
+#define sc25519_iszero_vartime   crypto_sign_ed25519_ref_sc25519_iszero_vartime
+#define sc25519_isshort_vartime  crypto_sign_ed25519_ref_sc25519_isshort_vartime
+#define sc25519_lt_vartime       crypto_sign_ed25519_ref_sc25519_lt_vartime
+#define sc25519_add              crypto_sign_ed25519_ref_sc25519_add
+#define sc25519_sub_nored        crypto_sign_ed25519_ref_sc25519_sub_nored
+#define sc25519_mul              crypto_sign_ed25519_ref_sc25519_mul
+#define sc25519_mul_shortsc      crypto_sign_ed25519_ref_sc25519_mul_shortsc
+#define sc25519_window3          crypto_sign_ed25519_ref_sc25519_window3
+#define sc25519_window5          crypto_sign_ed25519_ref_sc25519_window5
+#define sc25519_2interleave2     crypto_sign_ed25519_ref_sc25519_2interleave2
+
+typedef struct 
+{
+  crypto_uint32 v[32]; 
+}
+sc25519;
+
+typedef struct 
+{
+  crypto_uint32 v[16]; 
+}
+shortsc25519;
+
+void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]);
+
+void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16]);
+
+void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]);
+
+void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x);
+
+void sc25519_to32bytes(unsigned char r[32], const sc25519 *x);
+
+int sc25519_iszero_vartime(const sc25519 *x);
+
+int sc25519_isshort_vartime(const sc25519 *x);
+
+int sc25519_lt_vartime(const sc25519 *x, const sc25519 *y);
+
+void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y);
+
+void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y);
+
+void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y);
+
+void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y);
+
+/* Convert s into a representation of the form \sum_{i=0}^{84}r[i]2^3
+ * with r[i] in {-4,...,3}
+ */
+void sc25519_window3(signed char r[85], const sc25519 *s);
+
+/* Convert s into a representation of the form \sum_{i=0}^{50}r[i]2^5
+ * with r[i] in {-16,...,15}
+ */
+void sc25519_window5(signed char r[51], const sc25519 *s);
+
+void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const sc25519 *s2);
+
+#endif