diff options
| author | Matt Caswell <matt@openssl.org> | 2017-12-05 16:37:57 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-02-20 12:59:30 +0000 |
| commit | aeeef83cb536216a414287dee1f424265283da88 (patch) | |
| tree | 3aef18be0b916ca755bf24c25b32e544ab19a440 /crypto | |
| parent | 35b7c85a22a214512da9ce374ba7ff737b52f49d (diff) | |
Remove references to libdecaf
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/ec/curve448/arch_32/f_impl.c | 2 | ||||
| -rw-r--r-- | crypto/ec/curve448/curve448.c | 74 | ||||
| -rw-r--r-- | crypto/ec/curve448/curve448utils.h | 56 | ||||
| -rw-r--r-- | crypto/ec/curve448/ed448.h | 81 | ||||
| -rw-r--r-- | crypto/ec/curve448/eddsa.c | 187 | ||||
| -rw-r--r-- | crypto/ec/curve448/point_448.h | 74 | ||||
| -rw-r--r-- | crypto/ec/curve448/scalar.c | 82 | ||||
| -rw-r--r-- | crypto/ec/curve448/word.h | 26 |
8 files changed, 287 insertions, 295 deletions
diff --git a/crypto/ec/curve448/arch_32/f_impl.c b/crypto/ec/curve448/arch_32/f_impl.c index 3d8a331e3e..8189e1e53e 100644 --- a/crypto/ec/curve448/arch_32/f_impl.c +++ b/crypto/ec/curve448/arch_32/f_impl.c @@ -13,7 +13,7 @@ #include "f_field.h" #if (defined(__OPTIMIZE__) && !defined(__OPTIMIZE_SIZE__) && !I_HATE_UNROLLED_LOOPS) \ - || defined(DECAF_FORCE_UNROLL) + || defined(C448_FORCE_UNROLL) # define REPEAT8(_x) _x _x _x _x _x _x _x _x # define FOR_LIMB(_i,_start,_end,_x) do { _i=_start; REPEAT8( if (_i<_end) { _x; } _i++;) } while (0) #else diff --git a/crypto/ec/curve448/curve448.c b/crypto/ec/curve448/curve448.c index e2c5770803..f28bce1e4a 100644 --- a/crypto/ec/curve448/curve448.c +++ b/crypto/ec/curve448/curve448.c @@ -23,8 +23,8 @@ #define COMBS_N 5 #define COMBS_T 5 #define COMBS_S 18 -#define DECAF_WNAF_FIXED_TABLE_BITS 5 -#define DECAF_WNAF_VAR_TABLE_BITS 3 +#define C448_WNAF_FIXED_TABLE_BITS 5 +#define C448_WNAF_VAR_TABLE_BITS 3 static const int EDWARDS_D = -39081; static const curve448_scalar_t precomputed_scalarmul_adjustment = { @@ -38,7 +38,7 @@ static const curve448_scalar_t precomputed_scalarmul_adjustment = { #define TWISTED_D ((EDWARDS_D)-1) -#define WBITS DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */ +#define WBITS C448_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */ /* Projective Niels coordinates */ typedef struct { @@ -203,8 +203,8 @@ static void sub_pniels_from_pt(curve448_point_t p, const pniels_t pn, sub_niels_from_pt(p, pn->n, before_double); } -decaf_bool_t curve448_point_eq(const curve448_point_t p, - const curve448_point_t q) +c448_bool_t curve448_point_eq(const curve448_point_t p, + const curve448_point_t q) { mask_t succ; @@ -217,7 +217,7 @@ decaf_bool_t curve448_point_eq(const curve448_point_t p, return mask_to_bool(succ); } -decaf_bool_t curve448_point_valid(const curve448_point_t p) +c448_bool_t curve448_point_valid(const curve448_point_t p) { mask_t out; @@ -267,7 +267,7 @@ void curve448_precomputed_scalarmul(curve448_point_t out, for (k = 0; k < t; k++) { unsigned int bit = i + s * (k + j * t); - if (bit < DECAF_448_SCALAR_BITS) { + if (bit < C448_448_SCALAR_BITS) { tab |= (scalar1x->limb[bit / WBITS] >> (bit % WBITS) & 1) << k; } @@ -294,7 +294,7 @@ void curve448_precomputed_scalarmul(curve448_point_t out, } void curve448_point_mul_by_ratio_and_encode_like_eddsa( - uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES], + uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES], const curve448_point_t p) { @@ -329,9 +329,9 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa( gf_mul(x, y, z); /* Encode */ - enc[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0; + enc[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0; gf_serialize(enc, x, 1); - enc[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t); + enc[C448_EDDSA_448_PRIVATE_BYTES - 1] |= 0x80 & gf_lobit(t); OPENSSL_cleanse(x, sizeof(x)); OPENSSL_cleanse(y, sizeof(y)); @@ -340,22 +340,22 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa( curve448_point_destroy(q); } -decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( +c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( curve448_point_t p, - const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]) + const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES]) { - uint8_t enc2[DECAF_EDDSA_448_PUBLIC_BYTES]; + uint8_t enc2[C448_EDDSA_448_PUBLIC_BYTES]; mask_t low; mask_t succ; memcpy(enc2, enc, sizeof(enc2)); - low = ~word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES - 1] & 0x80); - enc2[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80; + low = ~word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] & 0x80); + enc2[C448_EDDSA_448_PRIVATE_BYTES - 1] &= ~0x80; succ = gf_deserialize(p->y, enc2, 1, 0); #if 0 == 0 - succ &= word_is_zero(enc2[DECAF_EDDSA_448_PRIVATE_BYTES - 1]); + succ &= word_is_zero(enc2[C448_EDDSA_448_PRIVATE_BYTES - 1]); #endif gf_sqr(p->x, p->y); @@ -396,12 +396,12 @@ decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( OPENSSL_cleanse(enc2, sizeof(enc2)); assert(curve448_point_valid(p) || ~succ); - return decaf_succeed_if(mask_to_bool(succ)); + return c448_succeed_if(mask_to_bool(succ)); } -decaf_error_t decaf_x448(uint8_t out[X_PUBLIC_BYTES], - const uint8_t base[X_PUBLIC_BYTES], - const uint8_t scalar[X_PRIVATE_BYTES]) +c448_error_t c448_x448(uint8_t out[X_PUBLIC_BYTES], + const uint8_t base[X_PUBLIC_BYTES], + const uint8_t scalar[X_PRIVATE_BYTES]) { gf x1, x2, z2, x3, z3, t1, t2; int t; @@ -470,7 +470,7 @@ decaf_error_t decaf_x448(uint8_t out[X_PUBLIC_BYTES], OPENSSL_cleanse(t1, sizeof(t1)); OPENSSL_cleanse(t2, sizeof(t2)); - return decaf_succeed_if(mask_to_bool(nz)); + return c448_succeed_if(mask_to_bool(nz)); } void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t @@ -486,8 +486,8 @@ void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t curve448_point_destroy(q); } -void decaf_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES], - const uint8_t scalar[X_PRIVATE_BYTES]) +void c448_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES], + const uint8_t scalar[X_PRIVATE_BYTES]) { /* Scalar conditioning */ uint8_t scalar2[X_PRIVATE_BYTES]; @@ -504,7 +504,7 @@ void decaf_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES], curve448_scalar_decode_long(the_scalar, scalar2, sizeof(scalar2)); /* Compensate for the encoding ratio */ - for (i = 1; i < DECAF_X448_ENCODE_RATIO; i <<= 1) { + for (i = 1; i < C448_X448_ENCODE_RATIO; i <<= 1) { curve448_scalar_halve(the_scalar, the_scalar); } curve448_precomputed_scalarmul(p, curve448_precomputed_base, the_scalar); @@ -522,7 +522,7 @@ static int recode_wnaf(struct smvt_control *control, const curve448_scalar_t scalar, unsigned int table_bits) { - unsigned int table_size = DECAF_448_SCALAR_BITS / (table_bits + 1) + 3; + unsigned int table_size = C448_448_SCALAR_BITS / (table_bits + 1) + 3; int position = table_size - 1; /* at the end */ uint64_t current = scalar->limb[0] & 0xFFFF; uint32_t mask = (1 << (table_bits + 1)) - 1; @@ -541,8 +541,8 @@ static int recode_wnaf(struct smvt_control *control, * 1/5 op. Probably not worth it. */ - for (w = 1; w < (DECAF_448_SCALAR_BITS - 1) / 16 + 3; w++) { - if (w < (DECAF_448_SCALAR_BITS - 1) / 16 + 1) { + for (w = 1; w < (C448_448_SCALAR_BITS - 1) / 16 + 3; w++) { + if (w < (C448_448_SCALAR_BITS - 1) / 16 + 1) { /* Refill the 16 high bits of current */ current += (uint32_t)((scalar->limb[w / B_OVER_16] >> (16 * (w % B_OVER_16))) << 16); @@ -610,15 +610,15 @@ void curve448_base_double_scalarmul_non_secret(curve448_point_t combo, const curve448_point_t base2, const curve448_scalar_t scalar2) { - const int table_bits_var = DECAF_WNAF_VAR_TABLE_BITS, - table_bits_pre = DECAF_WNAF_FIXED_TABLE_BITS; - struct smvt_control control_var[DECAF_448_SCALAR_BITS / - (DECAF_WNAF_VAR_TABLE_BITS + 1) + 3]; - struct smvt_control control_pre[DECAF_448_SCALAR_BITS / - (DECAF_WNAF_FIXED_TABLE_BITS + 1) + 3]; + const int table_bits_var = C448_WNAF_VAR_TABLE_BITS, + table_bits_pre = C448_WNAF_FIXED_TABLE_BITS; + struct smvt_control control_var[C448_448_SCALAR_BITS / + (C448_WNAF_VAR_TABLE_BITS + 1) + 3]; + struct smvt_control control_pre[C448_448_SCALAR_BITS / + (C448_WNAF_FIXED_TABLE_BITS + 1) + 3]; int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre); int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var); - pniels_t precmp_var[1 << DECAF_WNAF_VAR_TABLE_BITS]; + pniels_t precmp_var[1 << C448_WNAF_VAR_TABLE_BITS]; int contp = 0, contv = 0, i; prepare_wnaf_table(precmp_var, base2, table_bits_var); @@ -697,12 +697,12 @@ void curve448_point_destroy(curve448_point_t point) int X448(uint8_t out_shared_key[56], const uint8_t private_key[56], const uint8_t peer_public_value[56]) { - return decaf_x448(out_shared_key, peer_public_value, private_key) - == DECAF_SUCCESS; + return c448_x448(out_shared_key, peer_public_value, private_key) + == C448_SUCCESS; } void X448_public_from_private(uint8_t out_public_value[56], const uint8_t private_key[56]) { - decaf_x448_derive_public_key(out_public_value, private_key); + c448_x448_derive_public_key(out_public_value, private_key); } diff --git a/crypto/ec/curve448/curve448utils.h b/crypto/ec/curve448/curve448utils.h index edc1761c54..10902e7bed 100644 --- a/crypto/ec/curve448/curve448utils.h +++ b/crypto/ec/curve448/curve448utils.h @@ -10,8 +10,8 @@ * Originally written by Mike Hamburg */ -#ifndef __DECAF_COMMON_H__ -# define __DECAF_COMMON_H__ 1 +#ifndef __C448_COMMON_H__ +# define __C448_COMMON_H__ 1 # include <openssl/e_os2.h> @@ -26,61 +26,61 @@ extern "C" { * header was built with eg arch_neon, you might end up linking a library built * with arch_arm32. */ -# ifndef DECAF_WORD_BITS +# ifndef C448_WORD_BITS # if (defined(__ILP64__) || defined(__amd64__) || defined(__x86_64__) \ || (((__UINT_FAST32_MAX__)>>30)>>30)) -# define DECAF_WORD_BITS 64 /* The number of bits in a word */ +# define C448_WORD_BITS 64 /* The number of bits in a word */ # else -# define DECAF_WORD_BITS 32 /* The number of bits in a word */ +# define C448_WORD_BITS 32 /* The number of bits in a word */ # endif # endif -# if DECAF_WORD_BITS == 64 +# if C448_WORD_BITS == 64 /* Word size for internal computations */ -typedef uint64_t decaf_word_t; +typedef uint64_t c448_word_t; /* Signed word size for internal computations */ -typedef int64_t decaf_sword_t; +typedef int64_t c448_sword_t; /* "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */ -typedef uint64_t decaf_bool_t; +typedef uint64_t c448_bool_t; /* Double-word size for internal computations */ -typedef __uint128_t decaf_dword_t; +typedef __uint128_t c448_dword_t; /* Signed double-word size for internal computations */ -typedef __int128_t decaf_dsword_t; -# elif DECAF_WORD_BITS == 32 +typedef __int128_t c448_dsword_t; +# elif C448_WORD_BITS == 32 /* Word size for internal computations */ -typedef uint32_t decaf_word_t; +typedef uint32_t c448_word_t; /* Signed word size for internal computations */ -typedef int32_t decaf_sword_t; +typedef int32_t c448_sword_t; /* "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */ -typedef uint32_t decaf_bool_t; +typedef uint32_t c448_bool_t; /* Double-word size for internal computations */ -typedef uint64_t decaf_dword_t; +typedef uint64_t c448_dword_t; /* Signed double-word size for internal computations */ -typedef int64_t decaf_dsword_t; +typedef int64_t c448_dsword_t; # else -# error "Only supporting DECAF_WORD_BITS = 32 or 64 for now" +# error "Only supporting C448_WORD_BITS = 32 or 64 for now" # endif -/* DECAF_TRUE = -1 so that DECAF_TRUE & x = x */ -static const decaf_bool_t DECAF_TRUE = -(decaf_bool_t) 1; +/* C448_TRUE = -1 so that C448_TRUE & x = x */ +static const c448_bool_t C448_TRUE = -(c448_bool_t) 1; -/* DECAF_FALSE = 0 so that DECAF_FALSE & x = 0 */ -static const decaf_bool_t DECAF_FALSE = 0; +/* C448_FALSE = 0 so that C448_FALSE & x = 0 */ +static const c448_bool_t C448_FALSE = 0; /* Another boolean type used to indicate success or failure. */ typedef enum { - DECAF_SUCCESS = -1, /**< The operation succeeded. */ - DECAF_FAILURE = 0 /**< The operation failed. */ -} decaf_error_t; + C448_SUCCESS = -1, /**< The operation succeeded. */ + C448_FAILURE = 0 /**< The operation failed. */ +} c448_error_t; /* Return success if x is true */ -static ossl_inline decaf_error_t decaf_succeed_if(decaf_bool_t x) +static ossl_inline c448_error_t c448_succeed_if(c448_bool_t x) { - return (decaf_error_t) x; + return (c448_error_t) x; } #ifdef __cplusplus } /* extern "C" */ #endif -#endif /* __DECAF_COMMON_H__ */ +#endif /* __C448_COMMON_H__ */ diff --git a/crypto/ec/curve448/ed448.h b/crypto/ec/curve448/ed448.h index fb46546a47..abad0dbf71 100644 --- a/crypto/ec/curve448/ed448.h +++ b/crypto/ec/curve448/ed448.h @@ -10,8 +10,8 @@ * Originally written by Mike Hamburg */ -#ifndef __DECAF_ED448_H__ -# define __DECAF_ED448_H__ 1 +#ifndef __C448_ED448_H__ +# define __C448_ED448_H__ 1 # include "point_448.h" @@ -20,20 +20,20 @@ extern "C" { #endif /* Number of bytes in an EdDSA public key. */ -# define DECAF_EDDSA_448_PUBLIC_BYTES 57 +# define C448_EDDSA_448_PUBLIC_BYTES 57 /* Number of bytes in an EdDSA private key. */ -# define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES +# define C448_EDDSA_448_PRIVATE_BYTES C448_EDDSA_448_PUBLIC_BYTES /* Number of bytes in an EdDSA private key. */ -# define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + \ - DECAF_EDDSA_448_PRIVATE_BYTES) +# define C448_EDDSA_448_SIGNATURE_BYTES (C448_EDDSA_448_PUBLIC_BYTES + \ + C448_EDDSA_448_PRIVATE_BYTES) /* EdDSA encoding ratio. */ -# define DECAF_448_EDDSA_ENCODE_RATIO 4 +# define C448_448_EDDSA_ENCODE_RATIO 4 /* EdDSA decoding ratio. */ -# define DECAF_448_EDDSA_DECODE_RATIO (4 / 4) +# define C448_448_EDDSA_DECODE_RATIO (4 / 4) /* * EdDSA key generation. This function uses a different (non-Decaf) encoding. @@ -41,9 +41,9 @@ extern "C" { * pubkey (out): The public key. * privkey (in): The private key. */ -decaf_error_t decaf_ed448_derive_public_key( - uint8_t pubkey [DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t privkey [DECAF_EDDSA_448_PRIVATE_BYTES]); +c448_error_t c448_ed448_derive_public_key( + uint8_t pubkey [C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t privkey [C448_EDDSA_448_PRIVATE_BYTES]); /* * EdDSA signing. @@ -63,10 +63,10 @@ decaf_error_t decaf_ed448_derive_public_key( * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make * it harder to screw this up, but this C code gives you no seat belt. */ -decaf_error_t decaf_ed448_sign( - uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], +c448_error_t c448_ed448_sign( + uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed, const uint8_t *context, size_t context_len) @@ -89,10 +89,10 @@ decaf_error_t decaf_ed448_sign( * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make * it harder to screw this up, but this C code gives you no seat belt. */ -decaf_error_t decaf_ed448_sign_prehash( - uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], +c448_error_t c448_ed448_sign_prehash( + uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t hash[64], const uint8_t *context, size_t context_len) @@ -117,10 +117,10 @@ decaf_error_t decaf_ed448_sign_prehash( * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make * it harder to screw this up, but this C code gives you no seat belt. */ -decaf_error_t decaf_ed448_verify(const uint8_t - signature[DECAF_EDDSA_448_SIGNATURE_BYTES], +c448_error_t c448_ed448_verify(const uint8_t + signature[C448_EDDSA_448_SIGNATURE_BYTES], const uint8_t - pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], + pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed, const uint8_t *context, uint8_t context_len) @@ -144,9 +144,9 @@ decaf_error_t decaf_ed448_verify(const uint8_t * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make * it harder to screw this up, but this C code gives you no seat belt. */ -decaf_error_t decaf_ed448_verify_prehash( - const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], +c448_error_t c448_ed448_verify_prehash( + const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t hash[64], const uint8_t *context, uint8_t context_len) @@ -154,7 +154,7 @@ decaf_error_t decaf_ed448_verify_prehash( /* * EdDSA point encoding. Used internally, exposed externally. - * Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first. + * Multiplies by C448_448_EDDSA_ENCODE_RATIO first. * * The multiplication is required because the EdDSA encoding represents * the cofactor information, but the Decaf encoding ignores it (which @@ -162,26 +162,25 @@ decaf_error_t decaf_ed448_verify_prehash( * EdDSA, the cofactor info must get cleared, because the intermediate * representation doesn't track it. * - * The way libdecaf handles this is to multiply by - * DECAF_448_EDDSA_DECODE_RATIO when decoding, and by - * DECAF_448_EDDSA_ENCODE_RATIO when encoding. The product of these - * ratios is always exactly the cofactor 4, so the cofactor - * ends up cleared one way or another. But exactly how that shakes - * out depends on the base points specified in RFC 8032. + * The way we handle this is to multiply by C448_448_EDDSA_DECODE_RATIO when + * decoding, and by C448_448_EDDSA_ENCODE_RATIO when encoding. The product of + * these ratios is always exactly the cofactor 4, so the cofactor ends up + * cleared one way or another. But exactly how that shakes out depends on the + * base points specified in RFC 8032. * * The upshot is that if you pass the Decaf/Ristretto base point to - * this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the + * this function, you will get C448_448_EDDSA_ENCODE_RATIO times the * EdDSA base point. * * enc (out): The encoded point. * p (in): The point. */ void curve448_point_mul_by_ratio_and_encode_like_eddsa( - uint8_t enc [DECAF_EDDSA_448_PUBLIC_BYTES], + uint8_t enc [C448_EDDSA_448_PUBLIC_BYTES], const curve448_point_t p); /* - * EdDSA point decoding. Multiplies by DECAF_448_EDDSA_DECODE_RATIO, and + * EdDSA point decoding. Multiplies by C448_448_EDDSA_DECODE_RATIO, and * ignores cofactor information. * * See notes on curve448_point_mul_by_ratio_and_encode_like_eddsa @@ -189,9 +188,9 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa( * enc (out): The encoded point. * p (in): The point. */ -decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( +c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( curve448_point_t p, - const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]); + const uint8_t enc[C448_EDDSA_448_PUBLIC_BYTES]); /* * EdDSA to ECDH private key conversion @@ -201,12 +200,12 @@ decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( * x (out): The ECDH private key as in RFC7748 * ed (in): The EdDSA private key */ -decaf_error_t decaf_ed448_convert_private_key_to_x448( - uint8_t x[DECAF_X448_PRIVATE_BYTES], - const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]); +c448_error_t c448_ed448_convert_private_key_to_x448( + uint8_t x[C448_X448_PRIVATE_BYTES], + const uint8_t ed[C448_EDDSA_448_PRIVATE_BYTES]); #ifdef __cplusplus } /* extern "C" */ #endif -#endif /* __DECAF_ED448_H__ */ +#endif /* __C448_ED448_H__ */ diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c index 7d9ef8e221..d76c15dff1 100644 --- a/crypto/ec/curve448/eddsa.c +++ b/crypto/ec/curve448/eddsa.c @@ -20,45 +20,44 @@ #define COFACTOR 4 -static decaf_error_t oneshot_hash(uint8_t *out, size_t outlen, - const uint8_t *in, size_t inlen) +static c448_error_t oneshot_hash(uint8_t *out, size_t outlen, + const uint8_t *in, size_t inlen) { EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); if (hashctx == NULL) - return DECAF_FAILURE; + return C448_FAILURE; if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) || !EVP_DigestUpdate(hashctx, in, inlen) || !EVP_DigestFinalXOF(hashctx, out, outlen)) { EVP_MD_CTX_free(hashctx); - return DECAF_FAILURE; + return C448_FAILURE; } EVP_MD_CTX_free(hashctx); - return DECAF_SUCCESS; + return C448_SUCCESS; } -static void clamp(uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]) +static void clamp(uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES]) { uint8_t hibit = (1 << 0) >> 1; /* Blarg */ secret_scalar_ser[0] &= -COFACTOR; if (hibit == 0) { - secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0; - secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; + secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0; + secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; } else { - secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1; - secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= hibit; + secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1; + secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] |= hibit; } } -static decaf_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, - uint8_t prehashed, - uint8_t for_prehash, - const uint8_t *context, - size_t context_len) +static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed, + uint8_t for_prehash, + const uint8_t *context, + size_t context_len) { const char *dom_s = "SigEd448"; uint8_t dom[2]; @@ -67,42 +66,41 @@ static decaf_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, dom[1] = (uint8_t)context_len; if (context_len > UINT8_MAX) - return DECAF_FAILURE; + return C448_FAILURE; if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s)) || !EVP_DigestUpdate(hashctx, dom, sizeof(dom)) || !EVP_DigestUpdate(hashctx, context, context_len)) - return DECAF_FAILURE; + return C448_FAILURE; - return DECAF_SUCCESS; + return C448_SUCCESS; } /* In this file because it uses the hash */ -decaf_error_t decaf_ed448_convert_private_key_to_x448( - uint8_t x[DECAF_X448_PRIVATE_BYTES], - const uint8_t ed [DECAF_EDDSA_448_PRIVATE_BYTES]) +c448_error_t c448_ed448_convert_private_key_to_x448( + uint8_t x[C448_X448_PRIVATE_BYTES], + const uint8_t ed [C448_EDDSA_448_PRIVATE_BYTES]) { /* pass the private key through oneshot_hash function */ - /* and keep the first DECAF_X448_PRIVATE_BYTES bytes */ - return oneshot_hash(x, - DECAF_X448_PRIVATE_BYTES, - ed, DECAF_EDDSA_448_PRIVATE_BYTES); + /* and keep the first C448_X448_PRIVATE_BYTES bytes */ + return oneshot_hash(x, C448_X448_PRIVATE_BYTES, ed, + C448_EDDSA_448_PRIVATE_BYTES); } -decaf_error_t decaf_ed448_derive_public_key( - uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]) +c448_error_t c448_ed448_derive_public_key( + uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES]) { /* only this much used for keygen */ - uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES]; curve448_scalar_t secret_scalar; unsigned int c; curve448_point_t p; if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey, - DECAF_EDDSA_448_PRIVATE_BYTES)) - return DECAF_FAILURE; + C448_EDDSA_448_PRIVATE_BYTES)) + return C448_FAILURE; clamp(secret_scalar_ser); @@ -117,7 +115,7 @@ decaf_error_t decaf_ed448_derive_public_key( * converted it effectively picks up a factor of 2 from the isogenies. So * we might start at 2 instead of 1. */ - for (c = 1; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) + for (c = 1; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) curve448_scalar_halve(secret_scalar, secret_scalar); curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar); @@ -129,37 +127,37 @@ decaf_error_t decaf_ed448_derive_public_key( curve448_point_destroy(p); OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser)); - return DECAF_SUCCESS; + return C448_SUCCESS; } -decaf_error_t decaf_ed448_sign( - uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], +c448_error_t c448_ed448_sign( + uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed, const uint8_t *context, size_t context_len) { curve448_scalar_t secret_scalar; EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); - decaf_error_t ret = DECAF_FAILURE; + c448_error_t ret = C448_FAILURE; curve448_scalar_t nonce_scalar; - uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = { 0 }; + uint8_t nonce_point[C448_EDDSA_448_PUBLIC_BYTES] = { 0 }; unsigned int c; curve448_scalar_t challenge_scalar; if (hashctx == NULL) - return DECAF_FAILURE; + return C448_FAILURE; { /* Schedule the secret key */ struct { - uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]; - uint8_t seed[DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES]; + uint8_t seed[C448_EDDSA_448_PRIVATE_BYTES]; } __attribute__ ((packed)) expanded; if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey, - DECAF_EDDSA_448_PRIVATE_BYTES)) + C448_EDDSA_448_PRIVATE_BYTES)) goto err; clamp(expanded.secret_scalar_ser); curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser, @@ -177,7 +175,7 @@ decaf_error_t decaf_ed448_sign( /* Decode the nonce */ { - uint8_t nonce[2 * DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t nonce[2 * C448_EDDSA_448_PRIVATE_BYTES]; if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce))) goto err; @@ -191,7 +189,7 @@ decaf_error_t decaf_ed448_sign( curve448_point_t p; curve448_scalar_halve(nonce_scalar_2, nonce_scalar); - for (c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) { + for (c = 2; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) { curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2); } @@ -203,12 +201,12 @@ decaf_error_t decaf_ed448_sign( } { - uint8_t challenge[2 * DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES]; /* Compute the challenge */ if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len) || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point)) - || !EVP_DigestUpdate(hashctx, pubkey, DECAF_EDDSA_448_PUBLIC_BYTES) + || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES) || !EVP_DigestUpdate(hashctx, message, message_len) || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) goto err; @@ -221,73 +219,68 @@ decaf_error_t decaf_ed448_sign( curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar); curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar); - OPENSSL_cleanse(signature, DECAF_EDDSA_448_SIGNATURE_BYTES); + OPENSSL_cleanse(signature, C448_EDDSA_448_SIGNATURE_BYTES); memcpy(signature, nonce_point, sizeof(nonce_point)); - curve448_scalar_encode(&signature[DECAF_EDDSA_448_PUBLIC_BYTES], + curve448_scalar_encode(&signature[C448_EDDSA_448_PUBLIC_BYTES], challenge_scalar); curve448_scalar_destroy(secret_scalar); curve448_scalar_destroy(nonce_scalar); curve448_scalar_destroy(challenge_scalar); - ret = DECAF_SUCCESS; + ret = C448_SUCCESS; err: EVP_MD_CTX_free(hashctx); return ret; } -decaf_error_t decaf_ed448_sign_prehash(uint8_t - signature - [DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t - privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t - pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t hash[64], - const uint8_t *context, - size_t context_len) +c448_error_t c448_ed448_sign_prehash( + uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t hash[64], const uint8_t *context, + size_t context_len) { - return decaf_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context, - context_len); + return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context, + context_len); } -decaf_error_t decaf_ed448_verify(const uint8_t - signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t - pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t *message, size_t message_len, - uint8_t prehashed, const uint8_t *context, - uint8_t context_len) +c448_error_t c448_ed448_verify( + const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t *message, size_t message_len, + uint8_t prehashed, const uint8_t *context, + uint8_t context_len) { curve448_point_t pk_point, r_point; - decaf_error_t error = + c448_error_t error = curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey); curve448_scalar_t challenge_scalar; curve448_scalar_t response_scalar; unsigned int c; - if (DECAF_SUCCESS != error) + if (C448_SUCCESS != error) return error; error = curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature); - if (DECAF_SUCCESS != error) + if (C448_SUCCESS != error) return error; { /* Compute the challenge */ EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); - uint8_t challenge[2 * DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES]; if (hashctx == NULL || !hash_init_with_dom(hashctx, prehashed, 0, context, context_len) || !EVP_DigestUpdate(hashctx, signature, - DECAF_EDDSA_448_PUBLIC_BYTES) |