aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pubkey/ed25519/ed25519.cpp
blob: 624f82657a643006faf231735695d3475d8354ad (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
/*
* Ed25519
* (C) 2017 Ribose Inc
*
* Based on the public domain code from SUPERCOP ref10 by
* Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/ed25519.h>
#include <botan/internal/ed25519_internal.h>
#include <botan/sha2_64.h>
#include <botan/rng.h>

namespace Botan {

void ed25519_gen_keypair(uint8_t* pk, uint8_t* sk, const uint8_t seed[32])
   {
   uint8_t az[64];

   SHA_512 sha;
   sha.update(seed, 32);
   sha.final(az);
   az[0] &= 248;
   az[31] &= 63;
   az[31] |= 64;

   ge_scalarmult_base(pk, az);

   // todo copy_mem
   copy_mem(sk, seed, 32);
   copy_mem(sk + 32, pk, 32);
   }

void ed25519_sign(uint8_t sig[64],
                  const uint8_t m[], size_t mlen,
                  const uint8_t sk[64],
                  const uint8_t domain_sep[], size_t domain_sep_len)
   {
   uint8_t az[64];
   uint8_t nonce[64];
   uint8_t hram[64];

   SHA_512 sha;

   sha.update(sk, 32);
   sha.final(az);
   az[0] &= 248;
   az[31] &= 63;
   az[31] |= 64;

   sha.update(domain_sep, domain_sep_len);
   sha.update(az + 32, 32);
   sha.update(m, mlen);
   sha.final(nonce);

   sc_reduce(nonce);
   ge_scalarmult_base(sig, nonce);

   sha.update(domain_sep, domain_sep_len);
   sha.update(sig, 32);
   sha.update(sk + 32, 32);
   sha.update(m, mlen);
   sha.final(hram);

   sc_reduce(hram);
   sc_muladd(sig + 32, hram, az, nonce);
   }

bool ed25519_verify(const uint8_t* m, size_t mlen,
                    const uint8_t sig[64],
                    const uint8_t* pk,
                    const uint8_t domain_sep[], size_t domain_sep_len)
   {
   uint8_t h[64];
   uint8_t rcheck[32];
   ge_p3 A;
   SHA_512 sha;

   if(sig[63] & 224)
      {
      return false;
      }
   if(ge_frombytes_negate_vartime(&A, pk) != 0)
      {
      return false;
      }

   sha.update(domain_sep, domain_sep_len);
   sha.update(sig, 32);
   sha.update(pk, 32);
   sha.update(m, mlen);
   sha.final(h);
   sc_reduce(h);

   ge_double_scalarmult_vartime(rcheck, h, &A, sig + 32);

   return constant_time_compare(rcheck, sig, 32);
   }

}