1 /*
2 * Ed25519
3 * (C) 2017 Ribose Inc
4 *
5 * Based on the public domain code from SUPERCOP ref10 by
6 * Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang
7 *
8 * Botan is released under the Simplified BSD License (see license.txt)
9 */
10 
11 #include <botan/ed25519.h>
12 #include <botan/internal/ed25519_internal.h>
13 #include <botan/sha2_64.h>
14 #include <botan/rng.h>
15 
16 namespace Botan {
17 
/*
* Derive an Ed25519 keypair from a 32-byte seed.
*
* The seed is hashed with SHA-512; the low 32 bytes become the secret
* scalar after the usual clamping, and the public key is that scalar
* times the base point. The 64-byte secret key written to sk is the
* ref10 layout seed || pk.
*
* @param pk   receives the 32-byte public key
* @param sk   receives the 64-byte secret key (seed followed by pk)
* @param seed 32 bytes of secret randomness
*/
void ed25519_gen_keypair(uint8_t* pk, uint8_t* sk, const uint8_t seed[32])
   {
   uint8_t expanded[64];

   SHA_512 hash;
   hash.update(seed, 32);
   hash.final(expanded);

   // Clamp the scalar: clear the low 3 bits, clear bit 255, set bit 254
   const auto clamp = [](uint8_t* s) {
      s[0] &= 0xF8;
      s[31] &= 0x3F;
      s[31] |= 0x40;
      };
   clamp(expanded);

   ge_scalarmult_base(pk, expanded);

   // TODO (upstream): use copy_mem here
   memmove(sk, seed, 32);
   memmove(sk + 32, pk, 32);

   // NOTE(review): expanded holds the secret scalar and is left on the
   // stack unscrubbed on return; consider wiping it before leaving.
   }
35 
/*
* Produce an Ed25519 signature over m.
*
* Follows ref10: the secret scalar a and prefix are re-derived from the
* seed half of sk, the nonce r = H(prefix || m) is reduced mod L,
* R = r*B is written to the first half of sig, and
* S = r + H(R || A || m) * a (mod L) to the second half.
*
* @param sig  receives the 64-byte signature R || S
* @param m    message bytes
* @param mlen length of m
* @param sk   64-byte secret key as produced by ed25519_gen_keypair
*             (seed || pk); bytes 32..63 are used as the public key A
*/
void ed25519_sign(uint8_t sig[64],
                  const uint8_t* m, size_t mlen,
                  const uint8_t* sk)
   {
   uint8_t a_scalar[64];   // H(seed): clamped scalar in [0,32), prefix in [32,64)
   uint8_t r_nonce[64];
   uint8_t k_hram[64];

   SHA_512 hash;

   // Expand the seed exactly as key generation did
   hash.update(sk, 32);
   hash.final(a_scalar);
   a_scalar[0] &= 0xF8;
   a_scalar[31] &= 0x3F;
   a_scalar[31] |= 0x40;

   // r = H(prefix || m) mod L; R = r*B
   hash.update(a_scalar + 32, 32);
   hash.update(m, mlen);
   hash.final(r_nonce);

   sc_reduce(r_nonce);
   ge_scalarmult_base(sig, r_nonce);

   // k = H(R || A || m) mod L
   hash.update(sig, 32);
   hash.update(sk + 32, 32);
   hash.update(m, mlen);
   hash.final(k_hram);
   sc_reduce(k_hram);

   // S = k*a + r (mod L)
   sc_muladd(sig + 32, k_hram, a_scalar, r_nonce);

   // NOTE(review): a_scalar and r_nonce are both secret (r in particular
   // must never leak) and are not scrubbed before return; consider
   // wiping them here.
   }
67 
/*
* Verify an Ed25519 signature over m.
*
* Recomputes k = H(R || A || m) mod L and checks that
* S*B - k*A equals R, using the variable-time double scalar
* multiplication (all inputs here are public, so vartime is acceptable).
*
* @param m    message bytes
* @param mlen length of m
* @param sig  64-byte signature R || S
* @param pk   32-byte public key A
* @return true iff the signature is valid for (m, pk)
*/
bool ed25519_verify(const uint8_t* m, size_t mlen,
                    const uint8_t sig[64],
                    const uint8_t* pk)
   {
   // Reject S with any of the top 3 bits set (S must be < 2^253).
   // NOTE(review): this is the ref10 check only; it does not reject
   // non-canonical S in [L, 2^253), so if strict RFC 8032 behaviour
   // (S < L) is required, an explicit range check is still needed.
   const bool s_high_bits_set = (sig[63] & 0xE0) != 0;
   if(s_high_bits_set)
      return false;

   // Decode -A; fails for invalid encodings / non-curve points
   ge_p3 neg_A;
   const int decode_rc = ge_frombytes_negate_vartime(&neg_A, pk);
   if(decode_rc != 0)
      return false;

   // k = H(R || A || m) mod L
   uint8_t k[64];
   SHA_512 hash;
   hash.update(sig, 32);
   hash.update(pk, 32);
   hash.update(m, mlen);
   hash.final(k);
   sc_reduce(k);

   // R' = k*(-A) + S*B, encoded; must match the R carried in sig
   uint8_t r_expected[32];
   ge_double_scalarmult_vartime(r_expected, k, &neg_A, sig + 32);

   return constant_time_compare(r_expected, sig, 32);
   }
96 
97 }