acw/simple_crypto
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[CHECKPOINT] Tidy, tidy, tidy.

Browse Source
This commit is contained in:
Adam Wick
2019-05-26 15:03:42 -07:00
parent 2b63dfa376
commit 2f395721bc
3 changed files with 1239 additions and 1414 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/ed25519/constants.rs
View File

@@ -8,13 +8,6 @@ pub struct Precomp {
pub xy2d: FieldElement
}
pub fn ge_precomp_0(h: &mut Precomp)
{
h.yplusx.overwrite_with(&FieldElement::one());
h.yminusx.overwrite_with(&FieldElement::one());
h.xy2d.overwrite_with(&FieldElement::zero());
}
impl Precomp
{
pub fn new() -> Precomp
@@ -26,6 +19,15 @@ impl Precomp
}
}
pub fn zero() -> Precomp
{
Precomp {
yplusx: FieldElement::one(),
yminusx: FieldElement::one(),
xy2d: FieldElement::zero()
}
}
#[cfg(test)]
pub fn load_test_value(xs: &[u8]) -> Precomp {
assert!(xs.len() == 160);
@@ -35,6 +37,13 @@ impl Precomp
xy2d: test_from_bytes(&xs[80..])
}
}
pub fn cmov(&mut self, u: &Precomp, b: bool)
{
self.yplusx.cmov(&u.yplusx, b);
self.yminusx.cmov(&u.yminusx, b);
self.xy2d.cmov(&u.xy2d, b);
}
}
/* k25519Precomp[i][j] = (j+1)*256^i*B */

9
src/ed25519/mod.rs
View File

@@ -74,8 +74,7 @@ impl ED25519Private {
result.private.copy_from_slice(private);
result.prefix.copy_from_slice(prefix);
curve25519_scalar_mask(&mut result.private);
let mut a = Point::new();
x25519_ge_scalarmult_base(&mut a, &result.private);
let a = Point::scalarmult_base(&result.private);
result.public.copy_from_slice(&a.encode());
result
}
@@ -88,8 +87,7 @@ impl ED25519Private {
ctx.input(&self.prefix);
ctx.input(&msg);
let nonce = digest_scalar(ctx.result().as_slice());
let mut r = Point::new();
x25519_ge_scalarmult_base(&mut r, &nonce);
let r = Point::scalarmult_base(&nonce);
let signature_r = r.encode();
let hram_digest = eddsa_digest(&signature_r, &self.public, &msg);
let hram = digest_scalar(&hram_digest);
@@ -151,8 +149,7 @@ impl ED25519Public {
a.invert();
let h_digest = eddsa_digest(signature_r, &self.public, msg);
let h = digest_scalar(&h_digest);
let mut r = Point2::new();
ge_double_scalarmult_vartime(&mut r, &h, &a, &signature_s);
let r = ge_double_scalarmult_vartime(&h, &a, &signature_s);
let r_check = r.encode();
signature_r.to_vec() == r_check
}

289
src/ed25519/point.rs
View File

@@ -24,6 +24,16 @@ impl Point {
}
}
fn zero() -> Point
{
Point {
x: FieldElement::zero(),
y: FieldElement::one(),
z: FieldElement::one(),
t: FieldElement::zero(),
}
}
#[cfg(test)]
fn load_test_value(xs: &[u8]) -> Point {
assert!(xs.len() == 160);
@@ -116,14 +126,6 @@ fn from_bytes_vartime() {
});
}
fn ge_p3_0(h: &mut Point)
{
h.x.overwrite_with(&FieldElement::zero());
h.y.overwrite_with(&FieldElement::one());
h.z.overwrite_with(&FieldElement::one());
h.t.overwrite_with(&FieldElement::zero());
}
#[derive(Debug,PartialEq)]
pub struct Point2 {
pub x: FieldElement,
@@ -141,6 +143,15 @@ impl Point2 {
}
}
pub fn zero() -> Point2
{
Point2 {
x: FieldElement::zero(),
y: FieldElement::one(),
z: FieldElement::one()
}
}
#[cfg(test)]
fn load_test_value(xs: &[u8]) -> Point2 {
assert!(xs.len() == 120);
@@ -157,13 +168,6 @@ impl Point2 {
}
}
fn ge_p2_0(h: &mut Point2)
{
h.x.overwrite_with(&FieldElement::zero());
h.y.overwrite_with(&FieldElement::one());
h.z.overwrite_with(&FieldElement::one());
}
fn ge_p3_to_p2(r: &mut Point2, p: &Point)
{
r.x.overwrite_with(&p.x);
@@ -471,13 +475,6 @@ fn equal(b: i8, c: i8) -> bool
(x == 0)
}
fn cmov(t: &mut Precomp, u: &Precomp, b: bool)
{
t.yplusx.cmov(&u.yplusx, b);
t.yminusx.cmov(&u.yminusx, b);
t.xy2d.cmov(&u.xy2d, b);
}
fn negative(b: i8) -> u8
{
let mut x = b as u32;
@@ -485,34 +482,36 @@ fn negative(b: i8) -> u8
x as u8
}
fn table_select(t: &mut Precomp, pos: i32, b: i8)
fn table_select(pos: i32, b: i8) -> Precomp
{
let mut minust = Precomp::new();
let mut res = Precomp::zero();
let bnegative = negative(b);
let babs = b - (((-(bnegative as i8)) & b) << 1);
ge_precomp_0(t);
cmov(t, &K25519_PRECOMP[pos as usize][0], equal(babs, 1));
cmov(t, &K25519_PRECOMP[pos as usize][1], equal(babs, 2));
cmov(t, &K25519_PRECOMP[pos as usize][2], equal(babs, 3));
cmov(t, &K25519_PRECOMP[pos as usize][3], equal(babs, 4));
cmov(t, &K25519_PRECOMP[pos as usize][4], equal(babs, 5));
cmov(t, &K25519_PRECOMP[pos as usize][5], equal(babs, 6));
cmov(t, &K25519_PRECOMP[pos as usize][6], equal(babs, 7));
cmov(t, &K25519_PRECOMP[pos as usize][7], equal(babs, 8));
minust.yplusx.overwrite_with(&t.yminusx);
minust.yminusx.overwrite_with(&t.yplusx);
minust.xy2d = -&t.xy2d;
cmov(t, &minust, bnegative != 0);
res.cmov(&K25519_PRECOMP[pos as usize][0], equal(babs, 1));
res.cmov(&K25519_PRECOMP[pos as usize][1], equal(babs, 2));
res.cmov(&K25519_PRECOMP[pos as usize][2], equal(babs, 3));
res.cmov(&K25519_PRECOMP[pos as usize][3], equal(babs, 4));
res.cmov(&K25519_PRECOMP[pos as usize][4], equal(babs, 5));
res.cmov(&K25519_PRECOMP[pos as usize][5], equal(babs, 6));
res.cmov(&K25519_PRECOMP[pos as usize][6], equal(babs, 7));
res.cmov(&K25519_PRECOMP[pos as usize][7], equal(babs, 8));
minust.yplusx.overwrite_with(&res.yminusx);
minust.yminusx.overwrite_with(&res.yplusx);
minust.xy2d = -&res.xy2d;
res.cmov(&minust, bnegative != 0);
res
}
impl Point {
/* h = a * B
* where a = a[0]+256*a[1]+...+256^31 a[31]
* B is the Ed25519 base point (x,4/5) with x positive.
*
* Preconditions:
* a[31] <= 127 */
pub fn x25519_ge_scalarmult_base(h: &mut Point, a: &[u8])
pub fn scalarmult_base(a: &[u8]) -> Point
{
let mut e: [i8; 64] = [0; 64];
for i in 0..32 {
@@ -534,13 +533,13 @@ pub fn x25519_ge_scalarmult_base(h: &mut Point, a: &[u8])
let mut r = PointP1P1::new();
let mut s = Point2::new();
let mut t = Precomp::new();
let mut t;
ge_p3_0(h);
let mut h = Point::zero();
for i in &[1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,63] {
table_select(&mut t, *i / 2, e[*i as usize]);
t = table_select(*i / 2, e[*i as usize]);
ge_madd(&mut r, &h, &t);
x25519_ge_p1p1_to_p3(h, &r);
x25519_ge_p1p1_to_p3(&mut h, &r);
}
ge_p3_dbl(&mut r, &h);
@@ -550,12 +549,15 @@ pub fn x25519_ge_scalarmult_base(h: &mut Point, a: &[u8])
ge_p2_dbl(&mut r, &s);
x25519_ge_p1p1_to_p2(&mut s, &r);
ge_p2_dbl(&mut r, &s);
x25519_ge_p1p1_to_p3(h, &r);
x25519_ge_p1p1_to_p3(&mut h, &r);
for i in &[0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62] {
table_select(&mut t, *i / 2, e[*i as usize]);
t = table_select(*i / 2, e[*i as usize]);
ge_madd(&mut r, &h, &t);
x25519_ge_p1p1_to_p3(h, &r);
x25519_ge_p1p1_to_p3(&mut h, &r);
}
h
}
}
@@ -569,8 +571,7 @@ fn scalarmult_base() {
assert!(!nega && !negb);
let b = Point::load_test_value(bbytes);
let mut mine = Point::new();
x25519_ge_scalarmult_base(&mut mine, abytes);
let mine = Point::scalarmult_base(&abytes);
assert_eq!(mine, b);
});
}
@@ -630,7 +631,7 @@ fn helper_slide() {
* and b = b[0]+256*b[1]+...+256^31 b[31].
* B is the Ed25519 base point (x,4/5) with x positive. */
#[allow(non_snake_case)]
pub fn ge_double_scalarmult_vartime(r: &mut Point2, a: &[u8], A: &Point, b: &[u8])
pub fn ge_double_scalarmult_vartime(a: &[u8], A: &Point, b: &[u8]) -> Point2
{
let mut aslide: [i8; 256] = [0; 256];
let mut bslide: [i8; 256] = [0; 256];
@@ -670,7 +671,7 @@ pub fn ge_double_scalarmult_vartime(r: &mut Point2, a: &[u8], A: &Point, b: &[u8
x25519_ge_p1p1_to_p3(&mut u, &t);
x25519_ge_p3_to_cached(&mut Ai[7], &u);
ge_p2_0(r);
let mut r = Point2::zero();
let mut i: i32 = 255;
loop {
@@ -684,7 +685,7 @@ pub fn ge_double_scalarmult_vartime(r: &mut Point2, a: &[u8], A: &Point, b: &[u8
}
while i >= 0 {
ge_p2_dbl(&mut t, r);
ge_p2_dbl(&mut t, &r);
if aslide[i as usize] > 0 {
x25519_ge_p1p1_to_p3(&mut u, &t);
@@ -706,9 +707,11 @@ pub fn ge_double_scalarmult_vartime(r: &mut Point2, a: &[u8], A: &Point, b: &[u8
ge_msub(&mut t, &u, &BI[idx]);
}
x25519_ge_p1p1_to_p2(r, &t);
x25519_ge_p1p1_to_p2(&mut r, &t);
i -= 1;
}
r
}
#[cfg(test)]
@@ -724,8 +727,7 @@ fn double_scalarmult() {
assert!(!nega && !negb && !negc && !negd);
let b = Point::load_test_value(bbytes);
let d = Point2::load_test_value(dbytes);
let mut mine = Point2::new();
ge_double_scalarmult_vartime(&mut mine, &abytes, &b, &cbytes);
let mine = ge_double_scalarmult_vartime(&abytes, &b, &cbytes);
assert_eq!(mine, d);
});
}
@@ -1607,189 +1609,6 @@ pub fn curve25519_scalar_mask(a: &mut [u8])
a[31] |= 64;
}
/* Replace (f,g) with (g,f) if b == 1;
* replace (f,g) with (f,g) if b == 0.
*
* Preconditions: b in {0,1}. */
//fn fe_cswap(f: &mut FieldElement, g: &mut FieldElement, inb: bool) {
// let b = if inb { 0xFFFFFFFFu32 as i32 } else { 0x00000000 };
// for i in 0..NUM_ELEMENT_LIMBS {
// let mut x = f[i] ^ g[i];
// x &= b;
// f[i] ^= x;
// g[i] ^= x;
// }
//}
/* h = f * 121666
* Can overlap h with f.
*
* Preconditions:
* |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*
* Postconditions:
* |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
//fn fe_mul121666(h: &mut FieldElement, f: &FieldElement)
//{
// let f0 = f[0];
// let f1 = f[1];
// let f2 = f[2];
// let f3 = f[3];
// let f4 = f[4];
// let f5 = f[5];
// let f6 = f[6];
// let f7 = f[7];
// let f8 = f[8];
// let f9 = f[9];
// let mut h0 = (f0 as i64) * 121666;
// let mut h1 = (f1 as i64) * 121666;
// let mut h2 = (f2 as i64) * 121666;
// let mut h3 = (f3 as i64) * 121666;
// let mut h4 = (f4 as i64) * 121666;
// let mut h5 = (f5 as i64) * 121666;
// let mut h6 = (f6 as i64) * 121666;
// let mut h7 = (f7 as i64) * 121666;
// let mut h8 = (f8 as i64) * 121666;
// let mut h9 = (f9 as i64) * 121666;
//
// let carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & KTOP_39BITS;
// let carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & KTOP_39BITS;
// let carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & KTOP_39BITS;
// let carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & KTOP_39BITS;
// let carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & KTOP_39BITS;
//
// let carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & KTOP_38BITS;
// let carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & KTOP_38BITS;
// let carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & KTOP_38BITS;
// let carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & KTOP_38BITS;
// let carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & KTOP_38BITS;
//
// h[0] = h0 as i32;
// h[1] = h1 as i32;
// h[2] = h2 as i32;
// h[3] = h3 as i32;
// h[4] = h4 as i32;
// h[5] = h5 as i32;
// h[6] = h6 as i32;
// h[7] = h7 as i32;
// h[8] = h8 as i32;
// h[9] = h9 as i32;
//}
//fn x25519_scalar_mult(out: &mut [u8], scalar: &[u8], point: &[u8])
//{
// assert_eq!(out.len(), 32);
// assert_eq!(scalar.len(), 32);
// assert_eq!(point.len(), 32);
//
// let mut x1 = FieldElement::new();
// let mut x2 = FieldElement::new();
// let mut z2 = FieldElement::new();
// let mut x3 = FieldElement::new();
// let mut z3 = FieldElement::new();
// let mut tmp0 = FieldElement::new();
// let mut tmp1 = FieldElement::new();
// let mut tmp2;
// let mut e = [0; 32];
//
// e.copy_from_slice(scalar);
// curve25519_scalar_mask(&mut e);
// fe_frombytes(&mut x1, &point);
// fe1(&mut x2);
// fe0(&mut z2);
// x3.copy_from_slice(&x1);
// fe1(&mut z3);
//
// let mut swap = 0;
// let mut pos = 254;
// loop {
// let b = 1 & (e[pos / 8] >> (pos & 7));
// swap ^= b;
// fe_cswap(&mut x2, &mut x3, swap != 0);
// fe_cswap(&mut z2, &mut z3, swap != 0);
// swap = b;
// tmp0 = &x3 - &z3;
// tmp1 = &x2 - &z2;
// tmp2 = x2.clone();
// x2 = &tmp2 + &z2;
// z2 = &x3 + &z3;
// fe_mul(&mut z3, &tmp0, &x2);
// tmp2 = z2.clone();
// fe_mul(&mut z2, &tmp2, &tmp1);
// fe_square(&mut tmp0, &tmp1);
// fe_square(&mut tmp1, &x2);
// x3 = &z3 + &z2;
// tmp2 = z2.clone();
// z2 = &z3 - &tmp2;
// fe_mul(&mut x2, &tmp1, &tmp0);
// tmp2 = tmp1.clone();
// tmp1 = &tmp2 - &tmp0;
// tmp2 = z2.clone();
// fe_square(&mut z2, &tmp2);
// fe_mul121666(&mut z3, &tmp1);
// tmp2 = x3.clone();
// fe_square( &mut x3, &tmp2);
// tmp2 = tmp0.clone();
// tmp0 = &tmp2 + &z3;
// fe_mul(&mut z3, &x1, &z2);
// fe_mul(&mut z2, &tmp1, &tmp0);
// if pos == 0 {
// break;
// } else {
// pos -= 1;
// }
// }
// fe_cswap(&mut x2, &mut x3, swap != 0);
// fe_cswap(&mut z2, &mut z3, swap != 0);
//
// z2 = fe_invert(&z2);
// tmp2 = x2.clone();
// fe_mul(&mut x2, &tmp2, &z2);
// fe_tobytes(out, &x2);
//}
//
//pub fn x25519_public_from_private(public: &mut [u8], private: &[u8])
//{
// assert_eq!(private.len(), 32);
// assert_eq!(public.len(), 32);
//
// let mut e = [0; 32];
// e.copy_from_slice(private);
// curve25519_scalar_mask(&mut e);
//
// #[allow(non_snake_case)]
// let mut A = Point::new();
// x25519_ge_scalarmult_base(&mut A, &e);
//
// /* We only need the u-coordinate of the curve25519 point. The map is
// * u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y). */
// let mut zplusy = FieldElement::new();
// let mut zminusy = FieldElement::new();
// zplusy = &A.z + &A.y;
// zminusy = &A.z - &A.y;
// let zminusy_inv = fe_invert(&zminusy);
// let copy = zplusy.clone();
// fe_mul(&mut zplusy, &copy, &zminusy_inv);
// fe_tobytes(public, &zplusy);
//}
//
//#[cfg(test)]
//#[test]
//fn public_from_private() {
// let fname = "testdata/ed25519/pubfrompriv.test";
// run_test(fname.to_string(), 2, |case| {
// let (nega, abytes) = case.get("a").unwrap();
// let (negb, bbytes) = case.get("b").unwrap();
//
// assert!(!nega && !negb);
// let mut mine = [0; 32];
// x25519_public_from_private(&mut mine, abytes);
// for i in 0..32 {
// assert_eq!(mine[i], bbytes[i]);
// }
// });
//}
//
fn into_encoded_point(x: &FieldElement, y: &FieldElement, z: &FieldElement) -> Vec<u8>
{
let recip = z.invert();