cheng/libsodium
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Improve clarity

Browse Source 
No need to clamp the key prior to computing a synthetic nonce
This commit is contained in:
Frank Denis 2017-10-11 18:04:43 +02:00
parent 90f5b55a0a
commit ebb614cb0e
1 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/libsodium/crypto_sign/ed25519/ref10/sign.c
View File

@ -37,8 +37,7 @@ _crypto_sign_ed25519_clamp(unsigned char k[32])
static void
_crypto_sign_ed25519_synthetic_r_hv(crypto_hash_sha512_state *hs,
unsigned char nonce[64],
unsigned char sk_copy[64],
const unsigned char sk[64])
const unsigned char sk[32])
{
static const unsigned char B[32] = {
0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
@ -49,14 +48,12 @@ _crypto_sign_ed25519_synthetic_r_hv(crypto_hash_sha512_state *hs,
static const unsigned char zeros[16] = { 0x00 };
static const unsigned char empty_labelset[3] = { 0x02, 0x00, 0x00 };
memcpy(sk_copy, sk, 32);
_crypto_sign_ed25519_clamp(sk_copy);
crypto_hash_sha512_update(hs, B, 32);
crypto_hash_sha512_update(hs, empty_labelset, 3);
randombytes_buf(nonce, 32);
crypto_hash_sha512_update(hs, nonce, 32);
crypto_hash_sha512_update(hs, zeros, 16 - (32 + 3 + 32) % 16);
crypto_hash_sha512_update(hs, sk_copy, 32);
crypto_hash_sha512_update(hs, sk, 32);
/* empty pad2 */
crypto_hash_sha512_update(hs, empty_labelset, 3);
crypto_hash_sha512_update(hs, sk + 32, 32);
@ -75,18 +72,21 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
unsigned char hram[64];
ge_p3 R;
#ifdef ED25519_NONDETERMINISTIC
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
_crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az, sk);
#ifdef ED25519_NONDETERMINISTIC
memcpy(az, sk, 32);
_crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, sk);
#else
crypto_hash_sha512(az, sk, 32);
_crypto_sign_ed25519_clamp(az);
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
crypto_hash_sha512_update(&hs, az + 32, 32);
#endif
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, nonce);
_crypto_sign_ed25519_clamp(az);
memmove(sig + 32, sk + 32, 32);
sc_reduce(nonce);