diff --git a/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c b/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c
index b25e06b4..228966c9 100644
--- a/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c
+++ b/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c
@@ -162,7 +162,7 @@ fe25519_pow22523(fe25519 out, const fe25519 z)
*/
void
-ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
+ge25519_add(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_cached *q)
{
fe25519 t0;
@@ -222,7 +222,7 @@ slide_vartime(signed char *r, const unsigned char *a)
}
int
-ge_frombytes(ge_p3 *h, const unsigned char *s)
+ge25519_frombytes(ge25519_p3 *h, const unsigned char *s)
{
fe25519 u;
fe25519 v;
@@ -267,7 +267,7 @@ ge_frombytes(ge_p3 *h, const unsigned char *s)
}
int
-ge_frombytes_negate_vartime(ge_p3 *h, const unsigned char *s)
+ge25519_frombytes_negate_vartime(ge25519_p3 *h, const unsigned char *s)
{
fe25519 u;
fe25519 v;
@@ -316,7 +316,7 @@ ge_frombytes_negate_vartime(ge_p3 *h, const unsigned char *s)
*/
static void
-ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
+ge25519_madd(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_precomp *q)
{
fe25519 t0;
@@ -337,7 +337,7 @@ ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
*/
static void
-ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
+ge25519_msub(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_precomp *q)
{
fe25519 t0;
@@ -358,7 +358,7 @@ ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
*/
void
-ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p)
+ge25519_p1p1_to_p2(ge25519_p2 *r, const ge25519_p1p1 *p)
{
fe25519_mul(r->X, p->X, p->T);
fe25519_mul(r->Y, p->Y, p->Z);
@@ -370,7 +370,7 @@ ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p)
*/
static void
-ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p)
+ge25519_p1p1_to_p3(ge25519_p3 *r, const ge25519_p1p1 *p)
{
fe25519_mul(r->X, p->X, p->T);
fe25519_mul(r->Y, p->Y, p->Z);
@@ -379,7 +379,7 @@ ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p)
}
static void
-ge_p2_0(ge_p2 *h)
+ge25519_p2_0(ge25519_p2 *h)
{
fe25519_0(h->X);
fe25519_1(h->Y);
@@ -391,7 +391,7 @@ ge_p2_0(ge_p2 *h)
*/
static void
-ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p)
+ge25519_p2_dbl(ge25519_p1p1 *r, const ge25519_p2 *p)
{
fe25519 t0;
@@ -407,7 +407,7 @@ ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p)
}
static void
-ge_p3_0(ge_p3 *h)
+ge25519_p3_0(ge25519_p3 *h)
{
fe25519_0(h->X);
fe25519_1(h->Y);
@@ -420,7 +420,7 @@ ge_p3_0(ge_p3 *h)
*/
void
-ge_p3_to_cached(ge_cached *r, const ge_p3 *p)
+ge25519_p3_to_cached(ge25519_cached *r, const ge25519_p3 *p)
{
fe25519_add(r->YplusX, p->Y, p->X);
fe25519_sub(r->YminusX, p->Y, p->X);
@@ -429,7 +429,7 @@ ge_p3_to_cached(ge_cached *r, const ge_p3 *p)
}
static void
-ge_p3_to_precomp(ge_precomp *pi, const ge_p3 *p)
+ge25519_p3_to_precomp(ge25519_precomp *pi, const ge25519_p3 *p)
{
fe25519 recip;
fe25519 x;
@@ -450,7 +450,7 @@ ge_p3_to_precomp(ge_precomp *pi, const ge_p3 *p)
*/
static void
-ge_p3_to_p2(ge_p2 *r, const ge_p3 *p)
+ge25519_p3_to_p2(ge25519_p2 *r, const ge25519_p3 *p)
{
fe25519_copy(r->X, p->X);
fe25519_copy(r->Y, p->Y);
@@ -458,7 +458,7 @@ ge_p3_to_p2(ge_p2 *r, const ge_p3 *p)
}
void
-ge_p3_tobytes(unsigned char *s, const ge_p3 *h)
+ge25519_p3_tobytes(unsigned char *s, const ge25519_p3 *h)
{
fe25519 recip;
fe25519 x;
@@ -476,15 +476,15 @@ ge_p3_tobytes(unsigned char *s, const ge_p3 *h)
*/
static void
-ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p)
+ge25519_p3_dbl(ge25519_p1p1 *r, const ge25519_p3 *p)
{
- ge_p2 q;
- ge_p3_to_p2(&q, p);
- ge_p2_dbl(r, &q);
+ ge25519_p2 q;
+ ge25519_p3_to_p2(&q, p);
+ ge25519_p2_dbl(r, &q);
}
static void
-ge_precomp_0(ge_precomp *h)
+ge25519_precomp_0(ge25519_precomp *h)
{
fe25519_1(h->yplusx);
fe25519_1(h->yminusx);
@@ -517,7 +517,7 @@ negative(signed char b)
}
static void
-ge_cmov(ge_precomp *t, const ge_precomp *u, unsigned char b)
+ge25519_cmov(ge25519_precomp *t, const ge25519_precomp *u, unsigned char b)
{
fe25519_cmov(t->yplusx, u->yplusx, b);
fe25519_cmov(t->yminusx, u->yminusx, b);
@@ -525,38 +525,38 @@ ge_cmov(ge_precomp *t, const ge_precomp *u, unsigned char b)
}
static void
-ge_select(ge_precomp *t, const ge_precomp precomp[8], const signed char b)
+ge25519_select(ge25519_precomp *t, const ge25519_precomp precomp[8], const signed char b)
{
- ge_precomp minust;
+ ge25519_precomp minust;
const unsigned char bnegative = negative(b);
const unsigned char babs = b - (((-bnegative) & b) * ((signed char) 1 << 1));
- ge_precomp_0(t);
- ge_cmov(t, &precomp[0], equal(babs, 1));
- ge_cmov(t, &precomp[1], equal(babs, 2));
- ge_cmov(t, &precomp[2], equal(babs, 3));
- ge_cmov(t, &precomp[3], equal(babs, 4));
- ge_cmov(t, &precomp[4], equal(babs, 5));
- ge_cmov(t, &precomp[5], equal(babs, 6));
- ge_cmov(t, &precomp[6], equal(babs, 7));
- ge_cmov(t, &precomp[7], equal(babs, 8));
+ ge25519_precomp_0(t);
+ ge25519_cmov(t, &precomp[0], equal(babs, 1));
+ ge25519_cmov(t, &precomp[1], equal(babs, 2));
+ ge25519_cmov(t, &precomp[2], equal(babs, 3));
+ ge25519_cmov(t, &precomp[3], equal(babs, 4));
+ ge25519_cmov(t, &precomp[4], equal(babs, 5));
+ ge25519_cmov(t, &precomp[5], equal(babs, 6));
+ ge25519_cmov(t, &precomp[6], equal(babs, 7));
+ ge25519_cmov(t, &precomp[7], equal(babs, 8));
fe25519_copy(minust.yplusx, t->yminusx);
fe25519_copy(minust.yminusx, t->yplusx);
fe25519_neg(minust.xy2d, t->xy2d);
- ge_cmov(t, &minust, bnegative);
+ ge25519_cmov(t, &minust, bnegative);
}
static void
-ge_select_base(ge_precomp *t, const int pos, const signed char b)
+ge25519_select_base(ge25519_precomp *t, const int pos, const signed char b)
{
- static const ge_precomp base[32][8] = { /* base[i][j] = (j+1)*256^i*B */
+ static const ge25519_precomp base[32][8] = { /* base[i][j] = (j+1)*256^i*B */
#ifdef HAVE_TI_MODE
# include "fe_51/base.h"
#else
# include "fe_25_5/base.h"
#endif
};
- ge_select(t, base[pos], b);
+ ge25519_select(t, base[pos], b);
}
/*
@@ -564,7 +564,7 @@ ge_select_base(ge_precomp *t, const int pos, const signed char b)
*/
static void
-ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
+ge25519_sub(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_cached *q)
{
fe25519 t0;
@@ -582,7 +582,7 @@ ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
}
void
-ge_tobytes(unsigned char *s, const ge_p2 *h)
+ge25519_tobytes(unsigned char *s, const ge25519_p2 *h)
{
fe25519 recip;
fe25519 x;
@@ -605,53 +605,53 @@ ge_tobytes(unsigned char *s, const ge_p2 *h)
*/
void
-ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A,
+ge25519_double_scalarmult_vartime(ge25519_p2 *r, const unsigned char *a, const ge25519_p3 *A,
const unsigned char *b)
{
- static const ge_precomp Bi[8] = {
+ static const ge25519_precomp Bi[8] = {
#ifdef HAVE_TI_MODE
# include "fe_51/base2.h"
#else
# include "fe_25_5/base2.h"
#endif
};
- signed char aslide[256];
- signed char bslide[256];
- ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
- ge_p1p1 t;
- ge_p3 u;
- ge_p3 A2;
- int i;
+ signed char aslide[256];
+ signed char bslide[256];
+ ge25519_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
+ ge25519_p1p1 t;
+ ge25519_p3 u;
+ ge25519_p3 A2;
+ int i;
slide_vartime(aslide, a);
slide_vartime(bslide, b);
- ge_p3_to_cached(&Ai[0], A);
- ge_p3_dbl(&t, A);
- ge_p1p1_to_p3(&A2, &t);
- ge_add(&t, &A2, &Ai[0]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[1], &u);
- ge_add(&t, &A2, &Ai[1]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[2], &u);
- ge_add(&t, &A2, &Ai[2]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[3], &u);
- ge_add(&t, &A2, &Ai[3]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[4], &u);
- ge_add(&t, &A2, &Ai[4]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[5], &u);
- ge_add(&t, &A2, &Ai[5]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[6], &u);
- ge_add(&t, &A2, &Ai[6]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[7], &u);
+ ge25519_p3_to_cached(&Ai[0], A);
+ ge25519_p3_dbl(&t, A);
+ ge25519_p1p1_to_p3(&A2, &t);
+ ge25519_add(&t, &A2, &Ai[0]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[1], &u);
+ ge25519_add(&t, &A2, &Ai[1]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[2], &u);
+ ge25519_add(&t, &A2, &Ai[2]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[3], &u);
+ ge25519_add(&t, &A2, &Ai[3]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[4], &u);
+ ge25519_add(&t, &A2, &Ai[4]);
+
ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[5], &u);
+ ge25519_add(&t, &A2, &Ai[5]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[6], &u);
+ ge25519_add(&t, &A2, &Ai[6]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[7], &u);
- ge_p2_0(r);
+ ge25519_p2_0(r);
for (i = 255; i >= 0; --i) {
if (aslide[i] || bslide[i]) {
@@ -660,25 +660,25 @@ ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A,
}
for (; i >= 0; --i) {
- ge_p2_dbl(&t, r);
+ ge25519_p2_dbl(&t, r);
if (aslide[i] > 0) {
- ge_p1p1_to_p3(&u, &t);
- ge_add(&t, &u, &Ai[aslide[i] / 2]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_add(&t, &u, &Ai[aslide[i] / 2]);
} else if (aslide[i] < 0) {
- ge_p1p1_to_p3(&u, &t);
- ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
}
if (bslide[i] > 0) {
- ge_p1p1_to_p3(&u, &t);
- ge_madd(&t, &u, &Bi[bslide[i] / 2]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_madd(&t, &u, &Bi[bslide[i] / 2]);
} else if (bslide[i] < 0) {
- ge_p1p1_to_p3(&u, &t);
- ge_msub(&t, &u, &Bi[(-bslide[i]) / 2]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_msub(&t, &u, &Bi[(-bslide[i]) / 2]);
}
- ge_p1p1_to_p2(r, &t);
+ ge25519_p1p1_to_p2(r, &t);
}
}
@@ -693,47 +693,47 @@ ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A,
*/
void
-ge_scalarmult(ge_p3 *h, const unsigned char *a, const ge_p3 *p)
+ge25519_scalarmult(ge25519_p3 *h, const unsigned char *a, const ge25519_p3 *p)
{
- signed char e[64];
- signed char carry;
- ge_p1p1 r;
- ge_p2 s;
- ge_p1p1 t2, t3, t4, t5, t6, t7, t8;
- ge_p3 p2, p3, p4, p5, p6, p7, p8;
- ge_precomp pi[8];
- ge_precomp t;
- int i;
+ signed char e[64];
+ signed char carry;
+ ge25519_p1p1 r;
+ ge25519_p2 s;
+ ge25519_p1p1 t2, t3, t4, t5, t6, t7, t8;
+ ge25519_p3 p2, p3, p4, p5, p6, p7, p8;
+ ge25519_precomp pi[8];
+ ge25519_precomp t;
+ int i;
- ge_p3_to_precomp(&pi[1 - 1], p); /* p */
+ ge25519_p3_to_precomp(&pi[1 - 1], p); /* p */
- ge_p3_dbl(&t2, p);
- ge_p1p1_to_p3(&p2, &t2);
- ge_p3_to_precomp(&pi[2 - 1], &p2); /* 2p = 2*p */
+ ge25519_p3_dbl(&t2, p);
+ ge25519_p1p1_to_p3(&p2, &t2);
+ ge25519_p3_to_precomp(&pi[2 - 1], &p2); /* 2p = 2*p */
- ge_madd(&t3, p, &pi[2 - 1]);
- ge_p1p1_to_p3(&p3, &t3);
- ge_p3_to_precomp(&pi[3 - 1], &p3); /* 3p = 2p+p */
+ ge25519_madd(&t3, p, &pi[2 - 1]);
+ ge25519_p1p1_to_p3(&p3, &t3);
+ ge25519_p3_to_precomp(&pi[3 - 1], &p3); /* 3p = 2p+p */
- ge_p3_dbl(&t4, &p2);
- ge_p1p1_to_p3(&p4, &t4);
- ge_p3_to_precomp(&pi[4 - 1], &p4); /* 4p = 2*2p */
+ ge25519_p3_dbl(&t4, &p2);
+ ge25519_p1p1_to_p3(&p4, &t4);
+ ge25519_p3_to_precomp(&pi[4 - 1], &p4); /* 4p = 2*2p */
- ge_madd(&t5, p, &pi[4 - 1]);
- ge_p1p1_to_p3(&p5, &t5);
- ge_p3_to_precomp(&pi[5 - 1], &p5); /* 5p = 4p+p */
+ ge25519_madd(&t5, p, &pi[4 - 1]);
+ ge25519_p1p1_to_p3(&p5, &t5);
+ ge25519_p3_to_precomp(&pi[5 - 1], &p5); /* 5p = 4p+p */
- ge_p3_dbl(&t6, &p3);
- ge_p1p1_to_p3(&p6, &t6);
- ge_p3_to_precomp(&pi[6 - 1], &p6); /* 6p = 2*3p */
+ ge25519_p3_dbl(&t6, &p3);
+ ge25519_p1p1_to_p3(&p6, &t6);
+ ge25519_p3_to_precomp(&pi[6 - 1], &p6); /* 6p = 2*3p */
- ge_madd(&t7, p, &pi[6 - 1]);
- ge_p1p1_to_p3(&p7, &t7);
- ge_p3_to_precomp(&pi[7 - 1], &p7); /* 7p = 6p+p */
+
ge25519_madd(&t7, p, &pi[6 - 1]);
+ ge25519_p1p1_to_p3(&p7, &t7);
+ ge25519_p3_to_precomp(&pi[7 - 1], &p7); /* 7p = 6p+p */
- ge_p3_dbl(&t8, &p4);
- ge_p1p1_to_p3(&p8, &t8);
- ge_p3_to_precomp(&pi[8 - 1], &p8); /* 8p = 2*4p */
+ ge25519_p3_dbl(&t8, &p4);
+ ge25519_p1p1_to_p3(&p8, &t8);
+ ge25519_p3_to_precomp(&pi[8 - 1], &p8); /* 8p = 2*4p */
for (i = 0; i < 32; ++i) {
e[2 * i + 0] = (a[i] >> 0) & 15;
@@ -752,27 +752,27 @@ ge_scalarmult(ge_p3 *h, const unsigned char *a, const ge_p3 *p)
e[63] += carry; /* each e[i] is between -8 and 8 */
- ge_p3_0(h);
+ ge25519_p3_0(h);
for (i = 63; i != 0; i--) {
- ge_select(&t, pi, e[i]);
- ge_madd(&r, h, &t);
+ ge25519_select(&t, pi, e[i]);
+ ge25519_madd(&r, h, &t);
- ge_p1p1_to_p2(&s, &r);
- ge_p2_dbl(&r, &s);
- ge_p1p1_to_p2(&s, &r);
- ge_p2_dbl(&r, &s);
- ge_p1p1_to_p2(&s, &r);
- ge_p2_dbl(&r, &s);
- ge_p1p1_to_p2(&s, &r);
- ge_p2_dbl(&r, &s);
+ ge25519_p1p1_to_p2(&s, &r);
+ ge25519_p2_dbl(&r, &s);
+ ge25519_p1p1_to_p2(&s, &r);
+ ge25519_p2_dbl(&r, &s);
+ ge25519_p1p1_to_p2(&s, &r);
+ ge25519_p2_dbl(&r, &s);
+ ge25519_p1p1_to_p2(&s, &r);
+ ge25519_p2_dbl(&r, &s);
- ge_p1p1_to_p3(h, &r); /* *16 */
+ ge25519_p1p1_to_p3(h, &r); /* *16 */
}
- ge_select(&t, pi, e[i]);
- ge_madd(&r, h, &t);
+ ge25519_select(&t, pi, e[i]);
+ ge25519_madd(&r, h, &t);
- ge_p1p1_to_p3(h, &r);
+ ge25519_p1p1_to_p3(h, &r);
}
/*
@@ -786,14 +786,14 @@ ge_scalarmult(ge_p3 *h, const unsigned char *a, const ge_p3 *p)
*/
void
-ge_scalarmult_base(ge_p3 *h, const unsigned char *a)
+ge25519_scalarmult_base(ge25519_p3 *h, const unsigned char *a)
{
- signed char e[64];
- signed char carry;
- ge_p1p1 r;
- ge_p2 s;
- ge_precomp t;
- int i;
+ signed char e[64];
+ signed char carry;
+ ge25519_p1p1 r;
+ ge25519_p2 s;
+ ge25519_precomp t;
+ int i;
for (i = 0; i < 32; ++i) {
e[2 * i + 0] = (a[i] >> 0) & 15;
@@ -812,86 +812,86 @@ ge_scalarmult_base(ge_p3 *h, const unsigned char *a)
e[63] += carry; /* each e[i] is between -8 and 8 */
- ge_p3_0(h);
+ ge25519_p3_0(h);
for (i = 1; i < 64; i += 2) {
- ge_select_base(&t, i / 2, e[i]);
- ge_madd(&r, h, &t);
- ge_p1p1_to_p3(h, &r);
+ ge25519_select_base(&t, i / 2, e[i]);
+ ge25519_madd(&r, h, &t);
+ ge25519_p1p1_to_p3(h, &r);
}
- ge_p3_dbl(&r, h);
- ge_p1p1_to_p2(&s, &r);
- ge_p2_dbl(&r, &s);
- ge_p1p1_to_p2(&s, &r);
- ge_p2_dbl(&r, &s);
- ge_p1p1_to_p2(&s, &r);
- ge_p2_dbl(&r, &s);
- ge_p1p1_to_p3(h, &r);
+ ge25519_p3_dbl(&r, h);
+ ge25519_p1p1_to_p2(&s, &r);
+ ge25519_p2_dbl(&r, &s);
+ ge25519_p1p1_to_p2(&s, &r);
+ ge25519_p2_dbl(&r, &s);
+ ge25519_p1p1_to_p2(&s, &r);
+ ge25519_p2_dbl(&r, &s);
+ ge25519_p1p1_to_p3(h, &r);
for (i = 0; i < 64; i += 2) {
- ge_select_base(&t, i / 2, e[i]);
- ge_madd(&r, h, &t);
- ge_p1p1_to_p3(h, &r);
+ ge25519_select_base(&t, i / 2, e[i]);
+ ge25519_madd(&r, h, &t);
+ ge25519_p1p1_to_p3(h, &r);
}
}
/* multiply by the order of the main subgroup l = 2^252+27742317777372353535851937790883648493 */
static void
-ge_mul_l(ge_p3 *r, const ge_p3 *A)
+ge25519_mul_l(ge25519_p3 *r, const ge25519_p3 *A)
{
static const signed char aslide[253] = { 13, 0, 0, 0, 0, -1, 0, 0, 0, 0, -11, 0, 0, 0, 0, 0, 0, -5, 0, 0, 0, 0, 0, 0, -3, 0, 0, 0, 0, -13, 0, 0, 0, 0, 7, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, -13, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 11, 0, 0, 0, 0, 0, 11, 0, 0, 0, 0, -13, 0, 0, 0, 0, 0, 0, -3, 0, 0, 0, 0, 0, -1, 0, 0, 0, 0, 3, 0, 0, 0, 0, -11, 0, 0, 0, 0, 0, 0, 0, 15, 0, 0, 0, 0, 0, -1, 0, 0, 0, 0, -1, 0, 0, 0, 0, 7, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 1 };
- ge_cached Ai[8];
- ge_p1p1 t;
- ge_p3 u;
- ge_p3 A2;
- int i;
+ ge25519_cached Ai[8];
+ ge25519_p1p1 t;
+ ge25519_p3 u;
+ ge25519_p3 A2;
+ int i;
- ge_p3_to_cached(&Ai[0], A);
- ge_p3_dbl(&t, A);
- ge_p1p1_to_p3(&A2, &t);
- ge_add(&t, &A2, &Ai[0]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[1], &u);
- ge_add(&t, &A2, &Ai[1]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[2], &u);
- ge_add(&t, &A2, &Ai[2]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[3], &u);
- ge_add(&t, &A2, &Ai[3]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[4], &u);
- ge_add(&t, &A2, &Ai[4]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[5], &u);
- ge_add(&t, &A2, &Ai[5]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[6], &u);
- ge_add(&t, &A2, &Ai[6]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[7], &u);
+ ge25519_p3_to_cached(&Ai[0], A);
+ ge25519_p3_dbl(&t, A);
+ ge25519_p1p1_to_p3(&A2, &t);
+ ge25519_add(&t, &A2, &Ai[0]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[1], &u);
+ ge25519_add(&t, &A2, &Ai[1]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[2], &u);
+ ge25519_add(&t, &A2, &Ai[2]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[3], &u);
+ ge25519_add(&t, &A2, &Ai[3]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[4], &u);
+ ge25519_add(&t, &A2, &Ai[4]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[5], &u);
+ ge25519_add(&t, &A2, &Ai[5]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[6], &u);
+ ge25519_add(&t, &A2, &Ai[6]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_p3_to_cached(&Ai[7], &u);
- ge_p3_0(r);
+ ge25519_p3_0(r);
for (i = 252; i >= 0; --i) {
- ge_p3_dbl(&t, r);
+ ge25519_p3_dbl(&t, r);
if (aslide[i] > 0) {
- ge_p1p1_to_p3(&u, &t);
- ge_add(&t, &u, &Ai[aslide[i] / 2]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_add(&t, &u, &Ai[aslide[i] / 2]);
} else if (aslide[i] < 0) {
- ge_p1p1_to_p3(&u, &t);
- ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
+ ge25519_p1p1_to_p3(&u, &t);
+ ge25519_sub(&t, &u,
&Ai[(-aslide[i]) / 2]);
}
- ge_p1p1_to_p3(r, &t);
+ ge25519_p1p1_to_p3(r, &t);
}
}
int
-ge_is_on_curve(const ge_p3 *p)
+ge25519_is_on_curve(const ge25519_p3 *p)
{
fe25519 x2;
fe25519 y2;
@@ -916,17 +916,17 @@ ge_is_on_curve(const ge_p3 *p)
}
int
-ge_is_on_main_subgroup(const ge_p3 *p)
+ge25519_is_on_main_subgroup(const ge25519_p3 *p)
{
- ge_p3 pl;
+ ge25519_p3 pl;
- ge_mul_l(&pl, p);
+ ge25519_mul_l(&pl, p);
return fe25519_iszero(pl.X);
}
int
-ge_is_canonical(const unsigned char *s)
+ge25519_is_canonical(const unsigned char *s)
{
unsigned char c;
unsigned char d;
@@ -943,7 +943,7 @@ ge_is_canonical(const unsigned char *s)
}
int
-ge_has_small_order(const unsigned char s[32])
+ge25519_has_small_order(const unsigned char s[32])
{
CRYPTO_ALIGN(16) static const unsigned char blacklist[][32] = {
diff --git a/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c b/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c
index 6309a79c..adfa15c4 100644
--- a/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c
+++ b/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c
@@ -91,7 +91,7 @@ crypto_scalarmult_curve25519_ref10_base(unsigned char *q,
const unsigned char *n)
{
unsigned char *t = q;
- ge_p3 A;
+ ge25519_p3 A;
fe25519 pk;
unsigned int i;
@@ -101,7 +101,7 @@ crypto_scalarmult_curve25519_ref10_base(unsigned char *q,
t[0] &= 248;
t[31] &= 127;
t[31] |= 64;
- ge_scalarmult_base(&A, t);
+ ge25519_scalarmult_base(&A, t);
edwards_to_montgomery(pk, A.Y, A.Z);
fe25519_tobytes(q, pk);
diff --git a/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c b/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c
index 8b511f66..c26dc5b7 100644
--- a/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c
+++ b/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c
@@ -33,20 +33,20 @@ crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
const unsigned char *p)
{
unsigned char *t = q;
- ge_p3 Q;
- ge_p3 P;
+ ge25519_p3 Q;
+ ge25519_p3 P;
unsigned int i;
- if (ge_is_canonical(p) == 0 || ge_has_small_order(p) != 0 ||
- ge_frombytes(&P, p) != 0 || ge_is_on_main_subgroup(&P) == 0) {
+ if (ge25519_is_canonical(p) == 0 || ge25519_has_small_order(p) != 0 ||
+ ge25519_frombytes(&P, p) != 0 || ge25519_is_on_main_subgroup(&P) == 0) {
return -1;
}
for (i = 0; i < 32; ++i) {
t[i] = n[i];
}
_crypto_scalarmult_ed25519_clamp(t);
- ge_scalarmult(&Q, t, &P);
- ge_p3_tobytes(q, &Q);
+ ge25519_scalarmult(&Q, t, &P);
+ ge25519_p3_tobytes(q, &Q);
if (_crypto_scalarmult_ed25519_is_inf(q) != 0) {
return -1;
}
@@ -58,15 +58,15 @@ crypto_scalarmult_ed25519_base(unsigned char *q,
const unsigned char *n)
{
unsigned char *t = q;
- ge_p3 Q;
+ ge25519_p3 Q;
unsigned int i;
for (i = 0; i < 32; ++i) {
t[i] = n[i];
}
_crypto_scalarmult_ed25519_clamp(t);
- ge_scalarmult_base(&Q, t);
- ge_p3_tobytes(q, &Q);
+ ge25519_scalarmult_base(&Q, t);
+ ge25519_p3_tobytes(q, &Q);
if (sodium_is_zero(t, 32) != 0) {
return -1;
}
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
index a83aa3cc..915a3567 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
@@ -13,7 +13,7 @@ int
crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
const unsigned char *seed)
{
- ge_p3 A;
+ ge25519_p3 A;
#ifdef ED25519_NONDETERMINISTIC
memmove(sk, seed, 32);
@@ -24,8 +24,8 @@ crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
sk[31] &= 127;
sk[31] |= 64;
- ge_scalarmult_base(&A, sk);
- ge_p3_tobytes(pk, &A);
+ ge25519_scalarmult_base(&A, sk);
+ ge25519_p3_tobytes(pk, &A);
memmove(sk, seed, 32);
memmove(sk + 32, pk, 32);
@@ -50,13 +50,13 @@ int
crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
const unsigned char *ed25519_pk)
{
- ge_p3 A;
- fe25519 x;
- fe25519 one_minus_y;
+ ge25519_p3 A;
+ fe25519 x;
+ fe25519 one_minus_y;
- if (ge_has_small_order(ed25519_pk) != 0 ||
- ge_frombytes_negate_vartime(&A, ed25519_pk) != 0 ||
- ge_is_on_main_subgroup(&A) == 0) {
+ if (ge25519_has_small_order(ed25519_pk) != 0 ||
+ ge25519_frombytes_negate_vartime(&A, ed25519_pk) != 0 ||
+ ge25519_is_on_main_subgroup(&A) == 0) {
return -1;
}
fe25519_1(one_minus_y);
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c b/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c
index afeb5a9c..0ef6b04c 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c
@@ -14,15 +14,15 @@ int
crypto_sign_edwards25519sha512batch_keypair(unsigned char *pk,
unsigned char *sk)
{
- ge_p3 A;
+ ge25519_p3 A;
randombytes_buf(sk, 32);
crypto_hash_sha512(sk, sk, 32);
sk[0] &= 248;
sk[31] &= 127;
sk[31] |= 64;
- ge_scalarmult_base(&A, sk);
- ge_p3_tobytes(pk, &A);
+ ge25519_scalarmult_base(&A, sk);
+ ge25519_p3_tobytes(pk, &A);
return 0;
}
@@ -38,18 +38,18 @@ crypto_sign_edwards25519sha512batch(unsigned char *sm,
unsigned char nonce[64];
unsigned char hram[64];
unsigned char sig[64];
- ge_p3 A;
- ge_p3 R;
+ ge25519_p3 A;
+ ge25519_p3 R;
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, sk + 32, 32);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, nonce);
- ge_scalarmult_base(&A, sk);
- ge_p3_tobytes(sig + 32, &A);
+ ge25519_scalarmult_base(&A, sk);
+ ge25519_p3_tobytes(sig + 32, &A);
sc_reduce(nonce);
- ge_scalarmult_base(&R, nonce);
- ge_p3_tobytes(sig, &R);
+ ge25519_scalarmult_base(&R, nonce);
+ ge25519_p3_tobytes(sig, &R);
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, sig, 32);
crypto_hash_sha512_update(&hs, m, mlen);
@@ -75,12 +75,12 @@ crypto_sign_edwards25519sha512batch_open(unsigned char *m,
unsigned char h[64];
unsigned char t1[32], t2[32];
unsigned long long mlen;
- ge_cached Ai;
- ge_p1p1 csa;
- ge_p2 cs;
- ge_p3 A;
- ge_p3 R;
- ge_p3 cs3;
+ ge25519_cached Ai;
+ ge25519_p1p1 csa;
+ ge25519_p2 cs;
+ ge25519_p3 A;
+ ge25519_p3 R;
+ ge25519_p3 cs3;
*mlen_p = 0;
if (smlen < 64 || smlen - 64 > crypto_sign_edwards25519sha512batch_MESSAGEBYTES_MAX) {
@@ -90,20 +90,22 @@ crypto_sign_edwards25519sha512batch_open(unsigned char *m,
if (sm[smlen - 1] & 224) {
return -1;
}
- if (ge_has_small_order(pk) != 0 || ge_frombytes_negate_vartime(&A, pk) != 0 ||
- ge_has_small_order(sm) != 0 || ge_frombytes_negate_vartime(&R, sm) != 0) {
+ if (ge25519_has_small_order(pk) != 0 ||
+ ge25519_frombytes_negate_vartime(&A, pk) != 0 ||
+ ge25519_has_small_order(sm) != 0 ||
+ ge25519_frombytes_negate_vartime(&R, sm) != 0) {
return -1;
}
- ge_p3_to_cached(&Ai, &A);
+ ge25519_p3_to_cached(&Ai, &A);
crypto_hash_sha512(h, sm, mlen + 32);
sc_reduce(h);
- ge_scalarmult(&cs3, h, &R);
- ge_add(&csa, &cs3, &Ai);
- ge_p1p1_to_p2(&cs, &csa);
- ge_tobytes(t1, &cs);
+ ge25519_scalarmult(&cs3, h, &R);
+ ge25519_add(&csa, &cs3, &Ai);
+ ge25519_p1p1_to_p2(&cs, &csa);
+ ge25519_tobytes(t1, &cs);
t1[31] ^= 1 << 7;
- ge_scalarmult_base(&R, sm + 32 + mlen);
- ge_p3_tobytes(t2, &R);
+ ge25519_scalarmult_base(&R, sm + 32 + mlen);
+ ge25519_p3_tobytes(t2, &R);
if (crypto_verify_32(t1, t2) != 0) {
return -1;
}
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/open.c b/src/libsodium/crypto_sign/ed25519/ref10/open.c
index db3170b4..2b13ec62 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/open.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/open.c
@@ -21,14 +21,15 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
unsigned char h[64];
unsigned char rcheck[32];
unsigned int i;
- ge_p3 A;
- ge_p2 R;
+ ge25519_p3 A;
+ ge25519_p2 R;
#ifndef ED25519_COMPAT
- if (sc_is_canonical(sig + 32) == 0 || ge_has_small_order(sig) != 0) {
+ if (sc_is_canonical(sig + 32) == 0 ||
+ ge25519_has_small_order(sig) != 0) {
return -1;
}
- if (ge_is_canonical(pk) == 0) {
+ if (ge25519_is_canonical(pk) == 0) {
return -1;
}
#else
@@ -36,7 +37,8 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
return -1;
}
#endif
- if (ge_has_small_order(pk) != 0 || ge_frombytes_negate_vartime(&A, pk) != 0) {
+ if (ge25519_has_small_order(pk) != 0 ||
+ ge25519_frombytes_negate_vartime(&A, pk) != 0) {
return -1;
}
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
@@ -46,8 +48,8 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
crypto_hash_sha512_final(&hs, h);
sc_reduce(h);
- ge_double_scalarmult_vartime(&R, h, &A, sig + 32);
- ge_tobytes(rcheck, &R);
+ ge25519_double_scalarmult_vartime(&R, h, &A, sig + 32);
+ ge25519_tobytes(rcheck, &R);
return crypto_verify_32(rcheck, sig) | (-(rcheck == sig)) | sodium_memcmp(sig, rcheck, 32);
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/sign.c b/src/libsodium/crypto_sign/ed25519/ref10/sign.c
index bc14cacc..d09117c0 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/sign.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/sign.c
@@ -70,7 +70,7 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
unsigned char az[64];
unsigned char nonce[64];
unsigned char hram[64];
- ge_p3 R;
+ ge25519_p3 R;
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
@@ -88,8 +88,8 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
memmove(sig + 32, sk + 32, 32);
sc_reduce(nonce);
- ge_scalarmult_base(&R, nonce);
- ge_p3_tobytes(sig, &R);
+ ge25519_scalarmult_base(&R, nonce);
+ ge25519_p3_tobytes(sig, &R);
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
crypto_hash_sha512_update(&hs, sig, 64);
diff --git a/src/libsodium/include/sodium/private/curve25519_ref10.h b/src/libsodium/include/sodium/private/curve25519_ref10.h
index 9aa99988..4c4f36b8 100644
--- a/src/libsodium/include/sodium/private/curve25519_ref10.h
+++ b/src/libsodium/include/sodium/private/curve25519_ref10.h
@@ -34,67 +34,62 @@ void fe25519_tobytes(unsigned char *s, const fe25519 h);
where d = -121665/121666.
Representations:
- ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
- ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
- ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
- ge_precomp (Duif): (y+x,y-x,2dxy)
+ ge25519_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
+ ge25519_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
+ ge25519_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
+ ge25519_precomp (Duif): (y+x,y-x,2dxy)
*/
-#define ge_p2 ge25519_p2
typedef struct {
fe25519 X;
fe25519 Y;
fe25519 Z;
-} ge_p2;
+} ge25519_p2;
-#define ge_p3 ge25519_p3
typedef struct {
fe25519 X;
fe25519 Y;
fe25519 Z;
fe25519 T;
-} ge_p3;
+} ge25519_p3;
-#define ge_p1p1 ge25519_p1p1
typedef struct {
fe25519 X;
fe25519 Y;
fe25519 Z;
fe25519 T;
-} ge_p1p1;
+} ge25519_p1p1;
-#define ge_precomp ge25519_precomp
typedef struct {
fe25519 yplusx;
fe25519 yminusx;
fe25519 xy2d;
-} ge_precomp;
+} ge25519_precomp;
-#define ge_cached ge25519_cached
typedef struct {
fe25519 YplusX;
fe25519 YminusX;
fe25519 Z;
fe25519 T2d;
-} ge_cached;
+} ge25519_cached;
-void ge_tobytes(unsigned char *,const ge_p2 *);
-void ge_p3_tobytes(unsigned char *,const ge_p3 *);
-int ge_frombytes(ge_p3 *,const unsigned char *);
-int ge_frombytes_negate_vartime(ge_p3 *,const unsigned char *);
+void ge25519_tobytes(unsigned char *,const ge25519_p2 *);
+void ge25519_p3_tobytes(unsigned char *,const ge25519_p3 *);
+int ge25519_frombytes(ge25519_p3 *,const unsigned char *);
+int ge25519_frombytes_negate_vartime(ge25519_p3 *,const unsigned char *);
-void ge_p3_to_cached(ge_cached *,const ge_p3 *);
-void ge_p1p1_to_p2(ge_p2 *,const ge_p1p1 *);
+void ge25519_p3_to_cached(ge25519_cached *,const ge25519_p3 *);
+void ge25519_p1p1_to_p2(ge25519_p2 *,const ge25519_p1p1 *);
-void ge_add(ge_p1p1 *,const ge_p3 *,const ge_cached *);
-void ge_scalarmult_base(ge_p3 *,const unsigned char *);
-void
ge_double_scalarmult_vartime(ge_p2 *,const unsigned char *,const ge_p3 *,const unsigned char *);
-void ge_scalarmult(ge_p3 *,const unsigned char *,const ge_p3 *);
-void ge_scalarmult_vartime(ge_p3 *,const unsigned char *,const ge_p3 *);
-int ge_is_canonical(const unsigned char *s);
-int ge_is_on_curve(const ge_p3 *p);
-int ge_is_on_main_subgroup(const ge_p3 *p);
-int ge_has_small_order(const unsigned char s[32]);
+void ge25519_add(ge25519_p1p1 *,const ge25519_p3 *,const ge25519_cached *);
+void ge25519_scalarmult_base(ge25519_p3 *,const unsigned char *);
+void ge25519_double_scalarmult_vartime(ge25519_p2 *,const unsigned char *,const ge25519_p3 *,const unsigned char *);
+void ge25519_scalarmult(ge25519_p3 *,const unsigned char *,const ge25519_p3 *);
+void ge25519_scalarmult_vartime(ge25519_p3 *,const unsigned char *,const ge25519_p3 *);
+int ge25519_is_canonical(const unsigned char *s);
+int ge25519_is_on_curve(const ge25519_p3 *p);
+int ge25519_is_on_main_subgroup(const ge25519_p3 *p);
+int ge25519_has_small_order(const unsigned char s[32]);
/*
The set of scalars is \Z/l
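Review bot: The new prototype list still declares `ge25519_scalarmult_vartime`, yet no definition of the old `ge_scalarmult_vartime` is renamed anywhere in the curve25519_ref10.c hunks of this commit, while every other prototype in this block has a matching definition hunk. If the implementation file indeed carries no such function, the line `void ge25519_scalarmult_vartime(ge25519_p3 *,const unsigned char *,const ge25519_p3 *);` is a dead declaration that a rename is the natural moment to drop, rather than carrying it forward under the new name. Dropping the `#define ge_* ge25519_*` aliases is consistent with this being a private header; any remaining user of the old names now fails at compile time instead of silently aliasing.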