Home Verkennen Help
Inloggen
byuu
/
higan
spiegel van https://github.com/byuu/higan
Volgen 2
Ster 0
Vork 0
Bestanden Kwesties 0 Wiki
Aftakking: master
Aftakkingen Labels
higan
/
nall
/
elliptic-curve
/
ed25519.hpp

ed25519.hpp 4.1 KB
Permalink Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145 
  1. #pragma once
    2. 

  2. 

  3. #include <nall/hash/sha512.hpp>
    4. 

  4. #if defined(EC_REFERENCE)
    5. 

  5.   #include <nall/elliptic-curve/modulo25519-reference.hpp>
    6. 

  6. #else
    7. 

  7.   #include <nall/elliptic-curve/modulo25519-optimized.hpp>
    8. 

  8. #endif
    9. 

  9. 

  10. namespace nall::EllipticCurve {
    11. 

  11. 

  12. static const uint256_t L = (1_u256 << 252) + 27742317777372353535851937790883648493_u256;
    13. 

  13. 

  14. struct Ed25519 {
    15. 

  15.   auto publicKey(uint256_t privateKey) const -> uint256_t {
    16. 

  16.     return compress(scalarMultiply(B, clamp(hash(privateKey)) % L));
    17. 

  17.   }
    18. 

  18. 

  19.   auto sign(array_view<uint8_t> message, uint256_t privateKey) const -> uint512_t {
    20. 

  20.     uint512_t H = hash(privateKey);
    21. 

  21.     uint256_t a = clamp(H) % L;
    22. 

  22.     uint256_t A = compress(scalarMultiply(B, a));
    23. 

  23. 

  24.     uint512_t r = hash(upper(H), message) % L;
    25. 

  25.     uint256_t R = compress(scalarMultiply(B, r));
    26. 

  26. 

  27.     uint512_t k = hash(R, A, message) % L;
    28. 

  28.     uint256_t S = (k * a + r) % L;
    29. 

  29. 

  30.     return uint512_t(S) << 256 | R;
    31. 

  31.   }
    32. 

  32. 

  33.   auto verify(array_view<uint8_t> message, uint512_t signature, uint256_t publicKey) const -> bool {
    34. 

  34.     auto R = decompress(lower(signature));
    35. 

  35.     auto A = decompress(publicKey);
    36. 

  36.     if(!R || !A) return false;
    37. 

  37. 

  38.     uint256_t S = upper(signature) % L;
    39. 

  39.     uint512_t r = hash(lower(signature), publicKey, message) % L;
    40. 

  40. 

  41.     auto p = scalarMultiply(B, S);
    42. 

  42.     auto q = edwardsAdd(R(), scalarMultiply(A(), r));
    43. 

  43.     if(!onCurve(p) || !onCurve(q)) return false;
    44. 

  44.     if(p.x * q.z - q.x * p.z) return false;
    45. 

  45.     if(p.y * q.z - q.y * p.z) return false;
    46. 

  46.     return true;
    47. 

  47.   }
    48. 

  48. 

  49. private:
    50. 

  50.   using field = Modulo25519;
    51. 

  51.   struct point { field x, y, z, t; };
    52. 

  52.   const field D = -field(121665) * reciprocal(field(121666));
    53. 

  53.   const point B = *decompress((field(4) * reciprocal(field(5)))());
    54. 

  54.   const BarrettReduction<256> L = BarrettReduction<256>{EllipticCurve::L};
    55. 

  55. 

  56.   auto input(Hash::SHA512&) const -> void {}
    57. 

  57. 

  58.   template<typename... P> auto input(Hash::SHA512& hash, uint256_t value, P&&... p) const -> void {
    59. 

  59.     for(uint byte : range(32)) hash.input(uint8_t(value >> byte * 8));
    60. 

  60.     input(hash, forward<P>(p)...);
    61. 

  61.   }
    62. 

  62. 

  63.   template<typename... P> auto input(Hash::SHA512& hash, array_view<uint8_t> value, P&&... p) const -> void {
    64. 

  64.     hash.input(value);
    65. 

  65.     input(hash, forward<P>(p)...);
    66. 

  66.   }
    67. 

  67. 

  68.   template<typename... P> auto hash(P&&... p) const -> uint512_t {
    69. 

  69.     Hash::SHA512 hash;
    70. 

  70.     input(hash, forward<P>(p)...);
    71. 

  71.     uint512_t result;
    72. 

  72.     for(auto byte : reverse(hash.output())) result = result << 8 | byte;
    73. 

  73.     return result;
    74. 

  74.   }
    75. 

  75. 

  76.   auto clamp(uint256_t p) const -> uint256_t {
    77. 

  77.     p &= (1_u256 << 254) - 8;
    78. 

  78.     p |= (1_u256 << 254);
    79. 

  79.     return p;
    80. 

  80.   }
    81. 

  81. 

  82.   auto onCurve(point p) const -> bool {
    83. 

  83.     if(!p.z) return false;
    84. 

  84.     if(p.x * p.y - p.z * p.t) return false;
    85. 

  85.     if(square(p.y) - square(p.x) - square(p.z) - square(p.t) * D) return false;
    86. 

  86.     return true;
    87. 

  87.   }
    88. 

  88. 

  89.   auto decompress(uint256_t c) const -> maybe<point> {
    90. 

  90.     field y = c & ~0_u256 >> 1;
    91. 

  91.     field x = squareRoot((square(y) - 1) * reciprocal(D * square(y) + 1));
    92. 

  92.     if(c >> 255) x = -x;
    93. 

  93.     point p{x, y, 1, x * y};
    94. 

  94.     if(!onCurve(p)) return nothing;
    95. 

  95.     return p;
    96. 

  96.   }
    97. 

  97. 

  98.   auto compress(point p) const -> uint256_t {
    99. 

  99.     field r = reciprocal(p.z);
    100. 

  100.     field x = p.x * r;
    101. 

  101.     field y = p.y * r;
    102. 

  102.     return (x & 1) << 255 | (y & ~0_u256 >> 1);
    103. 

  103.   }
    104. 

  104. 

  105.   auto edwardsDouble(point p) const -> point {
    106. 

  106.     field a = square(p.x);
    107. 

  107.     field b = square(p.y);
    108. 

  108.     field c = square(p.z);
    109. 

  109.     field d = -a;
    110. 

  110.     field e = square(p.x + p.y) - a - b;
    111. 

  111.     field g = d + b;
    112. 

  112.     field f = g - (c + c);
    113. 

  113.     field h = d - b;
    114. 

  114.     return {e * f, g * h, f * g, e * h};
    115. 

  115.   }
    116. 

  116. 

  117.   auto edwardsAdd(point p, point q) const -> point {
    118. 

  118.     field a = (p.y - p.x) * (q.y - q.x);
    119. 

  119.     field b = (p.y + p.x) * (q.y + q.x);
    120. 

  120.     field c = (p.t + p.t) * q.t * D;
    121. 

  121.     field d = (p.z + p.z) * q.z;
    122. 

  122.     field e = b - a;
    123. 

  123.     field f = d - c;
    124. 

  124.     field g = d + c;
    125. 

  125.     field h = b + a;
    126. 

  126.     return {e * f, g * h, f * g, e * h};
    127. 

  127.   }
    128. 

  128. 

  129.   auto scalarMultiply(point q, uint256_t exponent) const -> point {
    130. 

  130.     point p{0, 1, 1, 0}, c;
    131. 

  131.     for(uint bit : reverse(range(253))) {
    132. 

  132.       p = edwardsDouble(p);
    133. 

  133.       c = edwardsAdd(p, q);
    134. 

  134.       bool condition = exponent >> bit & 1;
    135. 

  135.       cmove(condition, p.x, c.x);
    136. 

  136.       cmove(condition, p.y, c.y);
    137. 

  137.       cmove(condition, p.z, c.z);
    138. 

  138.       cmove(condition, p.t, c.t);
    139. 

  139.     }
    140. 

  140.     return p;
    141. 

  141.   }
    142. 

  142. };
    143. 

  143. 

  144. }
    145. 

  145.