+/* -*-c-*-
+ *
+ * The X25519 key-agreement algorithm
+ *
+ * (c) 2017 Straylight/Edgeware
+ */
+
+/*----- Licensing notice --------------------------------------------------*
+ *
+ * This file is part of Catacomb.
+ *
+ * Catacomb is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Library General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * Catacomb is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with Catacomb; if not, write to the Free
+ * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
+ * MA 02111-1307, USA.
+ */
+
+/*----- Header files ------------------------------------------------------*/
+
+#include <mLib/bits.h>
+
+#include "montladder.h"
+#include "f25519.h"
+#include "x25519.h"
+
+/*----- Important constants -----------------------------------------------*/
+
+const octet x25519_base[32] = { 9, 0, /* ... */ };
+
+#define A0 121665
+
+/*----- Key fetching ------------------------------------------------------*/
+
+const key_fetchdef x25519_pubfetch[] = {
+ { "pub", offsetof(x25519_pub, pub), KENC_BINARY, 0 },
+ { 0, 0, 0, 0 }
+};
+
+static const key_fetchdef priv[] = {
+ { "priv", offsetof(x25519_priv, priv), KENC_BINARY, 0 },
+ { 0, 0, 0, 0 }
+};
+
+const key_fetchdef x25519_privfetch[] = {
+ { "pub", offsetof(x25519_priv, pub), KENC_BINARY, 0 },
+ { "private", 0, KENC_STRUCT, priv },
+ { 0, 0, 0, 0 }
+};
+
+/*----- Main code ---------------------------------------------------------*/
+
+/* --- @x25519@ --- *
+ *
+ * Arguments: @octet zz[X25519_OUTSZ]@ = where to put the result
+ * @const octet k[X25519_KEYSZ]@ = pointer to private key
+ * @const octet qx[X25519_PUBSZ]@ = pointer to public value
+ *
+ * Returns: ---
+ *
+ * Use: Calculates X25519 of @k@ and @qx@.
+ *
+ * Note that there is disagreement over whether the most
+ * significant bit of @qx@ (i.e., the value @qx[31]&0x80@)
+ * should be ignored or counted towards the represented value.
+ * Historically implementations respected the bit; later
+ * convention seems to be to ignore it. This implementation
+ * honours the bit: a caller who wants to ignore the bit can
+ * easily clear it, while caller who wants to respect it has a
+ * difficult job if this function ignores it.
+ */
+
+void x25519(octet zz[X25519_OUTSZ],
+ const octet k[X25519_KEYSZ],
+ const octet qx[X25519_PUBSZ])
+{
+ uint32 kw[8];
+ f25519 x1;
+
+ /* Load and clamp the key. The low bits are cleared to kill the small
+ * subgroups on the curve and its twist, and a high bit is set to guard
+ * against careless implementations, though this isn't one of those.
+ */
+ kw[0] = LOAD32_L(k + 0); kw[1] = LOAD32_L(k + 4);
+ kw[2] = LOAD32_L(k + 8); kw[3] = LOAD32_L(k + 12);
+ kw[4] = LOAD32_L(k + 16); kw[5] = LOAD32_L(k + 20);
+ kw[6] = LOAD32_L(k + 24); kw[7] = LOAD32_L(k + 28);
+ kw[0] &= 0xfffffff8; kw[7] = (kw[7]&0x3fffffff) | 0x40000000;
+
+ /* And run the ladder. */
+ f25519_load(&x1, qx);
+#define MULA0(z, x) do { f25519_mulconst((z), (x), A0); } while (0)
+ MONT_LADDER(f25519, MULA0, kw, 8, 32, &x1, &x1);
+#undef MULA0
+ f25519_store(zz, &x1);
+}
+
+/*----- Test rig ----------------------------------------------------------*/
+
+#ifdef TEST_RIG
+
+#include <stdio.h>
+#include <string.h>
+
+#include <mLib/report.h>
+#include <mLib/testrig.h>
+
+static int vrf_x25519(dstr dv[])
+{
+ dstr dz = DSTR_INIT;
+ int ok = 1;
+
+ if (dv[0].len != 32) die(1, "bad key length");
+ if (dv[1].len != 32) die(1, "bad public length");
+ if (dv[2].len != 32) die(1, "bad result length");
+
+ dstr_ensure(&dz, 32); dz.len = 32;
+ x25519((octet *)dz.buf,
+ (const octet *)dv[0].buf,
+ (const octet *)dv[1].buf);
+ if (memcmp(dz.buf, dv[2].buf, 32) != 0) {
+ ok = 0;
+ fprintf(stderr, "failed!");
+ fprintf(stderr, "\n\t k = "); type_hex.dump(&dv[0], stderr);
+ fprintf(stderr, "\n\t p = "); type_hex.dump(&dv[1], stderr);
+ fprintf(stderr, "\n\twant = "); type_hex.dump(&dv[2], stderr);
+ fprintf(stderr, "\n\tcalc = "); type_hex.dump(&dz, stderr);
+ fprintf(stderr, "\n");
+ }
+
+ dstr_destroy(&dz);
+ return (ok);
+}
+
+static int vrf_mct(dstr dv[])
+{
+ octet b0[32], b1[32], *k = b0, *x = b1, *t;
+ unsigned long i, niter;
+ dstr d = DSTR_INIT;
+ int ok = 1;
+
+ if (dv[0].len != sizeof(b0)) { fprintf(stderr, "k len\n"); exit(2); }
+ if (dv[1].len != sizeof(b1)) { fprintf(stderr, "x len\n"); exit(2); }
+ if (dv[3].len != sizeof(b0)) { fprintf(stderr, "result len\n"); exit(2); }
+ memcpy(b0, dv[0].buf, sizeof(b0));
+ memcpy(b1, dv[1].buf, sizeof(b1));
+ niter = *(unsigned long *)dv[2].buf;
+ dstr_ensure(&d, 32); d.len = 32; t = (octet *)d.buf;
+
+ for (i = 0; i < niter; i++) {
+ x[31] &= 0x7f;
+ x25519(x, k, x);
+ t = x; x = k; k = t;
+ }
+ memcpy(d.buf, k, d.len);
+
+ if (memcmp(d.buf, dv[3].buf, d.len) != 0) {
+ ok = 0;
+ fprintf(stderr, "failed...");
+ fprintf(stderr, "\n\tinitial k = "); type_hex.dump(&dv[0], stderr);
+ fprintf(stderr, "\n\tinitial x = "); type_hex.dump(&dv[1], stderr);
+ fprintf(stderr, "\n\titerations = %lu", niter);
+ fprintf(stderr, "\n\texpected = "); type_hex.dump(&dv[3], stderr);
+ fprintf(stderr, "\n\tcalculated = "); type_hex.dump(&d, stderr);
+ fputc('\n', stderr);
+ }
+
+ dstr_destroy(&d);
+ return (ok);
+}
+
+static test_chunk tests[] = {
+ { "x25519", vrf_x25519, { &type_hex, &type_hex, &type_hex } },
+ { "x25519-mct", vrf_mct,
+ { &type_hex, &type_hex, &type_ulong, &type_hex } },
+ { 0, 0, { 0 } }
+};
+
+int main(int argc, char *argv[])
+{
+ test_run(argc, argv, tests, SRCDIR "/t/x25519");
+ return (0);
+}
+
+#endif
+
+/*----- That's all, folks -------------------------------------------------*/
~mdw / catacomb / commitdiff