doxygen/ed25519_8cpp_source.html

 /*
 * Ed25519
 * (C) 2017 Ribose Inc
 *
 * Based on the public domain code from SUPERCOP ref10 by
 * Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */

 #include <botan/ed25519.h>
 #include <botan/internal/ed25519_internal.h>
 #include <botan/sha2_64.h>
 #include <botan/rng.h>

 namespace Botan {

 void ed25519_gen_keypair(uint8_t* pk, uint8_t* sk, const uint8_t seed[32])
    {
    uint8_t az[64];

    SHA_512 sha;
    sha.update(seed, 32);
    sha.final(az);
    az[0] &= 248;
    az[31] &= 63;
    az[31] |= 64;

    ge_scalarmult_base(pk, az);

    // todo copy_mem
    copy_mem(sk, seed, 32);
    copy_mem(sk + 32, pk, 32);
    }

 void ed25519_sign(uint8_t sig[64],
                   const uint8_t m[], size_t mlen,
                   const uint8_t sk[64],
                   const uint8_t domain_sep[], size_t domain_sep_len)
    {
    uint8_t az[64];
    uint8_t nonce[64];
    uint8_t hram[64];

    SHA_512 sha;

    sha.update(sk, 32);
    sha.final(az);
    az[0] &= 248;
    az[31] &= 63;
    az[31] |= 64;

    sha.update(domain_sep, domain_sep_len);
    sha.update(az + 32, 32);
    sha.update(m, mlen);
    sha.final(nonce);

    sc_reduce(nonce);
    ge_scalarmult_base(sig, nonce);

    sha.update(domain_sep, domain_sep_len);
    sha.update(sig, 32);
    sha.update(sk + 32, 32);
    sha.update(m, mlen);
    sha.final(hram);

    sc_reduce(hram);
    sc_muladd(sig + 32, hram, az, nonce);
    }

 bool ed25519_verify(const uint8_t* m, size_t mlen,
                     const uint8_t sig[64],
                     const uint8_t* pk,
                     const uint8_t domain_sep[], size_t domain_sep_len)
    {
    uint8_t h[64];
    uint8_t rcheck[32];
    ge_p3 A;
    SHA_512 sha;

    if(sig[63] & 224)
       {
       return false;
       }
    if(ge_frombytes_negate_vartime(&A, pk) != 0)
       {
       return false;
       }

    sha.update(domain_sep, domain_sep_len);
    sha.update(sig, 32);
    sha.update(pk, 32);
    sha.update(m, mlen);
    sha.final(h);
    sc_reduce(h);

    ge_double_scalarmult_vartime(rcheck, h, &A, sig + 32);

    return constant_time_compare(rcheck, sig, 32);
    }

 }
Botan::ed25519_gen_keypair
void ed25519_gen_keypair(uint8_t *pk, uint8_t *sk, const uint8_t seed[32])
Definition: ed25519.cpp:18

Botan::sc_muladd
void sc_muladd(uint8_t *, const uint8_t *, const uint8_t *, const uint8_t *)
Definition: sc_muladd.cpp:26

Botan::sc_reduce
void sc_reduce(uint8_t *)
Definition: sc_reduce.cpp:25

Botan::constant_time_compare
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
Definition: mem_ops.h:82

Botan::ge_p3
Definition: ed25519_internal.h:93

Botan::Buffered_Computation::final
void final(uint8_t out[])
Definition: buf_comp.h:83

Botan::ge_frombytes_negate_vartime
int ge_frombytes_negate_vartime(ge_p3 *, const uint8_t *)
Definition: ge.cpp:458

Botan::ge_double_scalarmult_vartime
void ge_double_scalarmult_vartime(uint8_t out[32], const uint8_t a[], const ge_p3 *A, const uint8_t b[])

Botan::copy_mem
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133

Botan
Definition: alg_id.cpp:13

Botan::Buffered_Computation::update
void update(const uint8_t in[], size_t length)
Definition: buf_comp.h:33

Botan::ed25519_verify
bool ed25519_verify(const uint8_t *m, size_t mlen, const uint8_t sig[64], const uint8_t *pk, const uint8_t domain_sep[], size_t domain_sep_len)
Definition: ed25519.cpp:71

Botan::SHA_512
Definition: sha2_64.h:43

Botan::ge_scalarmult_base
void ge_scalarmult_base(uint8_t out[32], const uint8_t in[32])
Definition: ge.cpp:2118

Botan::ed25519_sign
void ed25519_sign(uint8_t sig[64], const uint8_t m[], size_t mlen, const uint8_t sk[64], const uint8_t domain_sep[], size_t domain_sep_len)
Definition: ed25519.cpp:36