From: Niels Möller Date: Thu, 2 Oct 2014 13:51:42 +0000 (+0200) Subject: Implemented eddsa compression and decompression. X-Git-Tag: nettle_3.1rc1~81 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6907bbacd6da270aea6cd9d51eb9c0e25c17d520;p=thirdparty%2Fnettle.git Implemented eddsa compression and decompression. --- diff --git a/ChangeLog b/ChangeLog index 637060bd..d7f70a2f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ 2014-10-02 Niels Möller + * eddsa-decompress.c (_eddsa_decompress): New file, new function. + * eddsa-compress.c (_eddsa_compress): New file, new function. + * eddsa.h: New file. + * Makefile.in (HEADERS): Added eddsa.h. + (hogweed_SOURCES): Added eddsa-compress.c and eddsa-decompress.c. + * testsuite/ecc-sqrt-test.c: New test case. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-sqrt-test.c. diff --git a/Makefile.in b/Makefile.in index 5345e887..1cc423df 100644 --- a/Makefile.in +++ b/Makefile.in @@ -176,13 +176,14 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ + eddsa-compress.c eddsa-decompress.c \ $(OPT_HOGWEED_SOURCES) HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h \ base16.h base64.h buffer.h camellia.h cast128.h \ cbc.h ccm.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h des.h des-compat.h dsa.h dsa-compat.h eax.h \ - ecc-curve.h ecc.h ecdsa.h \ + ecc-curve.h ecc.h ecdsa.h eddsa.h \ gcm.h gosthash94.h hmac.h \ knuth-lfib.h \ macros.h \ diff --git a/eddsa-compress.c b/eddsa-compress.c new file mode 100644 index 00000000..40959586 --- /dev/null +++ b/eddsa-compress.c 
@@ -0,0 +1,62 @@
+/* eddsa-compress.c
+
+ Copyright (C) 2014 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "eddsa.h"
+
+#include "ecc-internal.h"
+#include "gmp-glue.h"
+
+mp_size_t
+_eddsa_compress_itch (const struct ecc_curve *ecc)
+{
+ return 2*ecc->p.size + ecc->h_to_a_itch;
+}
+
+void
+_eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p,
+ mp_limb_t *scratch)
+{
+#define xp scratch
+#define yp (scratch + ecc->p.size)
+#define scratch_out (scratch + 2*ecc->p.size)
+
+ ecc->h_to_a (ecc, 0, xp, p, scratch_out);
+ /* Encoding is the y coordinate and an appended "sign" bit, which is
+ the low bit of x. Bit order is not specified explicitly, but for
+ little-endian encoding, it makes most sense to append the bit
+ after the most significant bit of y. */
+ mpn_get_base256_le (r, 1 + ecc->p.bit_size / 8, yp, ecc->p.size);
+ r[ecc->p.bit_size / 8] += (xp[0] & 1) << (ecc->p.bit_size & 7);
+}
diff --git a/eddsa-decompress.c b/eddsa-decompress.c
new file mode 100644
index 00000000..75550168
--- /dev/null
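Review bot: In `_eddsa_compress` (eddsa-compress.c) the last statement merges the sign bit with `+=`, which only yields a valid encoding if the byte written by `mpn_get_base256_le` has that bit clear, i.e. if `h_to_a` returns y fully reduced below p. That guarantee lives outside this hunk and nothing here states it. I would write the statement as `r[ecc->p.bit_size / 8] |= (xp[0] & 1) << (ecc->p.bit_size & 7);` so the intent of setting a single bit is explicit, and add a comment such as `/* Relies on h_to_a returning canonically reduced coordinates, so the top bit of y is clear. */` above it.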
+++ b/eddsa-decompress.c 
@@ -0,0 +1,83 @@
+/* eddsa-decompress.c
+
+ Copyright (C) 2014 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#if HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include "eddsa.h"
+
+#include "ecc-internal.h"
+#include "gmp-glue.h"
+
+mp_size_t
+_eddsa_decompress_itch (const struct ecc_curve *ecc)
+{
+ return 4*ecc->p.size + ecc->p.sqrt_itch;
+}
+
+int
+_eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p,
+ const uint8_t *cp,
+ mp_limb_t *scratch)
+{
+ mp_limb_t sign, cy;
+ int res;
+
+#define xp p
+#define yp (p + ecc->p.size)
+
+#define y2 scratch
+#define vp (scratch + ecc->p.size)
+#define up scratch
+#define tp (scratch + 2*ecc->p.size)
+#define scratch_out (scratch + 4*ecc->p.size)
+
+ sign = cp[ecc->p.bit_size / 8] >> (ecc->p.bit_size & 7);
+ if (sign > 1)
+ return 0;
+ mpn_set_base256_le (yp, ecc->p.size, cp, 1 + ecc->p.bit_size / 8);
+ /* Clear out the sign bit (if it fits) */
+ yp[ecc->p.size - 1] &= ~(mp_limb_t) 0
+ >> (ecc->p.size * GMP_NUMB_BITS - ecc->p.bit_size);
+ ecc_modp_sqr (ecc, y2, yp);
+ ecc_modp_mul (ecc, vp, y2, ecc->b);
+ ecc_modp_sub (ecc, vp, vp, ecc->unit);
+ ecc_modp_sub (ecc, up, ecc->unit, y2);
+ res = ecc->p.sqrt (&ecc->p, tp, up, vp, scratch_out);
+
+ cy = mpn_sub_n (xp, tp, ecc->p.m, ecc->p.size);
+ cnd_copy (cy, xp, tp, ecc->p.size);
+ sign ^= xp[0] & 1;
+ mpn_sub_n (tp, ecc->p.m, xp, ecc->p.size);
+ cnd_copy (sign, xp, tp, ecc->p.size);
+ return res;
+}
diff --git a/eddsa.h b/eddsa.h
new file mode 100644
index 00000000..7152b077
--- /dev/null
+++ b/eddsa.h
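Review bot: `_eddsa_decompress` (eddsa-decompress.c) appears to accept non-canonical encodings, because after the sign bit is masked off `yp` is never compared with `ecc->p.m`, so a y in [p, 2^bit_size) passes and stays unreduced in the output point. Likewise, when the recovered x is 0 and the sign bit is set, `mpn_sub_n (tp, ecc->p.m, xp, ...)` followed by `cnd_copy (sign, ...)` stores p itself in `xp`. The encoded point normally comes from an untrusted peer (public key or signature component), so several byte strings decoding to the same point give a verifier malleable inputs. Both checks fold into `res` without a branch: compute `cy = mpn_sub_n (tp, yp, ecc->p.m, ecc->p.size);` before the squaring, use `res = cy & ecc->p.sqrt (&ecc->p, tp, up, vp, scratch_out);`, and add `res &= mpn_sub_n (tp, xp, ecc->p.m, ecc->p.size);` just before `return res;`. This assumes `sqrt` returns 0 or 1, which is not visible in the hunk.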
@@ -0,0 +1,70 @@
+/* eddsa.h
+
+ Copyright (C) 2014 Niels Möller
+
+ This file is part of GNU Nettle.
+
+ GNU Nettle is free software: you can redistribute it and/or
+ modify it under the terms of either:
+
+ * the GNU Lesser General Public License as published by the Free
+ Software Foundation; either version 3 of the License, or (at your
+ option) any later version.
+
+ or
+
+ * the GNU General Public License as published by the Free
+ Software Foundation; either version 2 of the License, or (at your
+ option) any later version.
+
+ or both in parallel, as here.
+
+ GNU Nettle is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received copies of the GNU General Public License and
+ the GNU Lesser General Public License along with this program. If
+ not, see http://www.gnu.org/licenses/.
+*/
+
+#ifndef NETTLE_EDDSA_H
+#define NETTLE_EDDSA_H
+
+#include "nettle-types.h"
+
+#include "bignum.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Name mangling */
+#define _eddsa_compress _nettle_eddsa_compress
+#define _eddsa_compress_itch _nettle_eddsa_compress_itch
+#define _eddsa_decompress _nettle_eddsa_decompress
+#define _eddsa_decompress_itch _nettle_eddsa_decompress_itch
+
+#define ED25519_KEY_SIZE 32
+
+struct ecc_curve;
+
+mp_size_t
+_eddsa_compress_itch (const struct ecc_curve *ecc);
+void
+_eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p,
+ mp_limb_t *scratch);
+
+mp_size_t
+_eddsa_decompress_itch (const struct ecc_curve *ecc);
+int
+_eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p,
+ const uint8_t *cp,
+ mp_limb_t *scratch);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETTLE_EDDSA_H */
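Review bot: The prototypes in eddsa.h carry no comments, and their contracts cannot be read from the signatures. `_eddsa_compress` takes no length for `r`, `p` and `scratch` are bare limb pointers, and the meaning of the `int` returned by `_eddsa_decompress` is only visible in eddsa-decompress.c. The Makefile.in hunk adds eddsa.h to `HEADERS`, so the header looks installed and these declarations are what outside callers will see. I would document the required sizes above each declaration (`r` and `cp`: `1 + ecc->p.bit_size / 8` bytes; `scratch`: the matching `_itch` value in limbs), and state that a zero return from `_eddsa_decompress` means the encoding was rejected and the output point must not be used. `ED25519_KEY_SIZE` would also benefit from a one-line comment saying it is an encoded length in bytes.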