Botan 3.10.0
Crypto and TLS for C&
ed25519.cpp
Go to the documentation of this file.
1/*
2* Ed25519
3* (C) 2017 Ribose Inc
4*
5* Based on the public domain code from SUPERCOP ref10 by
6* Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang
7*
8* Botan is released under the Simplified BSD License (see license.txt)
9*/
10
11#include <botan/ed25519.h>
12
13#include <botan/hash.h>
14#include <botan/internal/ed25519_internal.h>
15
16namespace Botan {
17
18void ed25519_gen_keypair(uint8_t pk[32], uint8_t sk[64], const uint8_t seed[32]) {
19 uint8_t az[64];
20
21 auto sha512 = HashFunction::create_or_throw("SHA-512");
22 sha512->update(seed, 32);
23 sha512->final(az);
24 az[0] &= 248;
25 az[31] &= 63;
26 az[31] |= 64;
27
28 ed25519_basepoint_mul(std::span<uint8_t, 32>{pk, 32}, az);
29
30 copy_mem(sk, seed, 32);
31 copy_mem(sk + 32, pk, 32);
32}
33
34void ed25519_sign(uint8_t sig[64],
35 const uint8_t m[],
36 size_t mlen,
37 const uint8_t sk[64],
38 const uint8_t domain_sep[],
39 size_t domain_sep_len) {
40 uint8_t az[64];
41 uint8_t nonce[64];
42 uint8_t hram[64];
43
44 auto sha512 = HashFunction::create_or_throw("SHA-512");
45
46 sha512->update(sk, 32);
47 sha512->final(az);
48 az[0] &= 248;
49 az[31] &= 63;
50 az[31] |= 64;
51
52 sha512->update(domain_sep, domain_sep_len);
53 sha512->update(az + 32, 32);
54 sha512->update(m, mlen);
55 sha512->final(nonce);
56
57 sc_reduce(nonce);
58 ed25519_basepoint_mul(std::span<uint8_t, 32>{sig, 32}, nonce);
59
60 sha512->update(domain_sep, domain_sep_len);
61 sha512->update(sig, 32);
62 sha512->update(sk + 32, 32);
63 sha512->update(m, mlen);
64 sha512->final(hram);
65
66 sc_reduce(hram);
67 sc_muladd(sig + 32, hram, az, nonce);
68}
69
70bool ed25519_verify(const uint8_t* m,
71 size_t mlen,
72 const uint8_t sig[64],
73 const uint8_t* pk,
74 const uint8_t domain_sep[],
75 size_t domain_sep_len) {
76 if((sig[63] & 0xE0) != 0x00) {
77 return false;
78 }
79
80 const uint64_t CURVE25519_ORDER[4] = {
81 0x1000000000000000,
82 0x0000000000000000,
83 0x14def9dea2f79cd6,
84 0x5812631a5cf5d3ed,
85 };
86
87 const uint64_t s[4] = {load_le<uint64_t>(sig + 32, 3),
88 load_le<uint64_t>(sig + 32, 2),
89 load_le<uint64_t>(sig + 32, 1),
90 load_le<uint64_t>(sig + 32, 0)};
91
92 // RFC 8032 adds the requirement that we verify that s < order in
93 // the signature; this did not exist in the original Ed25519 spec.
94 for(size_t i = 0; i != 4; ++i) {
95 if(s[i] > CURVE25519_ORDER[i]) {
96 return false;
97 }
98 if(s[i] < CURVE25519_ORDER[i]) {
99 break;
100 }
101 if(i == 3) { // here s == order
102 return false;
103 }
104 }
105
106 uint8_t h[64];
107 auto sha512 = HashFunction::create_or_throw("SHA-512");
108
109 sha512->update(domain_sep, domain_sep_len);
110 sha512->update(sig, 32);
111 sha512->update(pk, 32);
112 sha512->update(m, mlen);
113 sha512->final(h);
114 sc_reduce(h);
115
116 return signature_check(std::span<const uint8_t, 32>{pk, 32}, h, sig, sig + 32);
117}
118
119} // namespace Botan
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:308
Botan::ed25519_basepoint_mul
void ed25519_basepoint_mul(std::span< uint8_t, 32 > out, const uint8_t in[32])
Definition ge.cpp:1863
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145
Botan::sc_muladd
void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, const uint8_t *c)
Definition sc_muladd.cpp:26
Botan::ed25519_sign
void ed25519_sign(uint8_t sig[64], const uint8_t m[], size_t mlen, const uint8_t sk[64], const uint8_t domain_sep[], size_t domain_sep_len)
Definition ed25519.cpp:34
Botan::signature_check
bool signature_check(std::span< const uint8_t, 32 > pk, const uint8_t h[32], const uint8_t r[32], const uint8_t s[32])
Definition ge.cpp:1904
Botan::sc_reduce
void sc_reduce(uint8_t *s)
Definition sc_reduce.cpp:25
Botan::load_le
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:495
Botan::ed25519_gen_keypair
void ed25519_gen_keypair(uint8_t pk[32], uint8_t sk[64], const uint8_t seed[32])
Definition ed25519.cpp:18
Botan::ed25519_verify
bool ed25519_verify(const uint8_t *m, size_t mlen, const uint8_t sig[64], const uint8_t *pk, const uint8_t domain_sep[], size_t domain_sep_len)
Definition ed25519.cpp:70
Generated by doxygen 1.15.0