Botan 3.9.0
Crypto and TLS for C&
ed25519.cpp
Go to the documentation of this file.
1/*
2* Ed25519
3* (C) 2017 Ribose Inc
4*
5* Based on the public domain code from SUPERCOP ref10 by
6* Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang
7*
8* Botan is released under the Simplified BSD License (see license.txt)
9*/
10
11#include <botan/ed25519.h>
12
13#include <botan/hash.h>
14#include <botan/rng.h>
15#include <botan/internal/ct_utils.h>
16#include <botan/internal/ed25519_internal.h>
17
18namespace Botan {
19
20void ed25519_gen_keypair(uint8_t pk[32], uint8_t sk[64], const uint8_t seed[32]) {
21 uint8_t az[64];
22
23 auto sha512 = HashFunction::create_or_throw("SHA-512");
24 sha512->update(seed, 32);
25 sha512->final(az);
26 az[0] &= 248;
27 az[31] &= 63;
28 az[31] |= 64;
29
30 ed25519_basepoint_mul(std::span<uint8_t, 32>{pk, 32}, az);
31
32 copy_mem(sk, seed, 32);
33 copy_mem(sk + 32, pk, 32);
34}
35
36void ed25519_sign(uint8_t sig[64],
37 const uint8_t m[],
38 size_t mlen,
39 const uint8_t sk[64],
40 const uint8_t domain_sep[],
41 size_t domain_sep_len) {
42 uint8_t az[64];
43 uint8_t nonce[64];
44 uint8_t hram[64];
45
46 auto sha512 = HashFunction::create_or_throw("SHA-512");
47
48 sha512->update(sk, 32);
49 sha512->final(az);
50 az[0] &= 248;
51 az[31] &= 63;
52 az[31] |= 64;
53
54 sha512->update(domain_sep, domain_sep_len);
55 sha512->update(az + 32, 32);
56 sha512->update(m, mlen);
57 sha512->final(nonce);
58
59 sc_reduce(nonce);
60 ed25519_basepoint_mul(std::span<uint8_t, 32>{sig, 32}, nonce);
61
62 sha512->update(domain_sep, domain_sep_len);
63 sha512->update(sig, 32);
64 sha512->update(sk + 32, 32);
65 sha512->update(m, mlen);
66 sha512->final(hram);
67
68 sc_reduce(hram);
69 sc_muladd(sig + 32, hram, az, nonce);
70}
71
72bool ed25519_verify(const uint8_t* m,
73 size_t mlen,
74 const uint8_t sig[64],
75 const uint8_t* pk,
76 const uint8_t domain_sep[],
77 size_t domain_sep_len) {
78 if((sig[63] & 0xE0) != 0x00) {
79 return false;
80 }
81
82 const uint64_t CURVE25519_ORDER[4] = {
83 0x1000000000000000,
84 0x0000000000000000,
85 0x14def9dea2f79cd6,
86 0x5812631a5cf5d3ed,
87 };
88
89 const uint64_t s[4] = {load_le<uint64_t>(sig + 32, 3),
90 load_le<uint64_t>(sig + 32, 2),
91 load_le<uint64_t>(sig + 32, 1),
92 load_le<uint64_t>(sig + 32, 0)};
93
94 // RFC 8032 adds the requirement that we verify that s < order in
95 // the signature; this did not exist in the original Ed25519 spec.
96 for(size_t i = 0; i != 4; ++i) {
97 if(s[i] > CURVE25519_ORDER[i]) {
98 return false;
99 }
100 if(s[i] < CURVE25519_ORDER[i]) {
101 break;
102 }
103 if(i == 3) { // here s == order
104 return false;
105 }
106 }
107
108 uint8_t h[64];
109 auto sha512 = HashFunction::create_or_throw("SHA-512");
110
111 sha512->update(domain_sep, domain_sep_len);
112 sha512->update(sig, 32);
113 sha512->update(pk, 32);
114 sha512->update(m, mlen);
115 sha512->final(h);
116 sc_reduce(h);
117
118 return signature_check(std::span<const uint8_t, 32>{pk, 32}, h, sig, sig + 32);
119}
120
121} // namespace Botan
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298
void ed25519_basepoint_mul(std::span< uint8_t, 32 > out, const uint8_t in[32])
Definition ge.cpp:1863
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145
void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, const uint8_t *c)
Definition sc_muladd.cpp:26
void ed25519_sign(uint8_t sig[64], const uint8_t m[], size_t mlen, const uint8_t sk[64], const uint8_t domain_sep[], size_t domain_sep_len)
Definition ed25519.cpp:36
bool signature_check(std::span< const uint8_t, 32 > pk, const uint8_t h[32], const uint8_t r[32], const uint8_t s[32])
Definition ge.cpp:1904
void sc_reduce(uint8_t *s)
Definition sc_reduce.cpp:25
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:495
void ed25519_gen_keypair(uint8_t pk[32], uint8_t sk[64], const uint8_t seed[32])
Definition ed25519.cpp:20
bool ed25519_verify(const uint8_t *m, size_t mlen, const uint8_t sig[64], const uint8_t *pk, const uint8_t domain_sep[], size_t domain_sep_len)
Definition ed25519.cpp:72