2020-06-26 08:16:14 +00:00
|
|
|
const assert = require('nanoassert')
|
|
|
|
const ec = require('./fe25519_25')
|
|
|
|
|
|
|
|
module.exports = {
|
|
|
|
crypto_scalarmult_ed25519,
|
|
|
|
crypto_scalarmult_ed25519_base,
|
|
|
|
crypto_scalarmult_curve25519,
|
2020-10-15 23:10:52 +00:00
|
|
|
crypto_scalarmult_curve25519_1,
|
2020-10-30 09:45:51 +00:00
|
|
|
crypto_scalarmult_curve25519_base,
|
|
|
|
crypto_scalarmult_ristretto255,
|
|
|
|
crypto_scalarmult_ristretto255_base
|
2020-06-26 08:16:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
const _121666buf = Buffer.alloc(32)
|
|
|
|
_121666buf.writeUInt32LE(121666)
|
|
|
|
|
|
|
|
const _121666 = ec.fe25519()
|
|
|
|
ec.fe25519_frombytes(_121666, _121666buf)
|
|
|
|
|
|
|
|
function _crypto_scalarmult_ed25519_is_inf (s) {
|
|
|
|
var c
|
|
|
|
var i
|
|
|
|
|
|
|
|
c = s[0] ^ 0x01
|
|
|
|
for (i = 1; i < 31; i++) {
|
|
|
|
c |= s[i]
|
|
|
|
}
|
|
|
|
c |= s[31] & 0x7f
|
|
|
|
|
|
|
|
return ((c - 1) >> 8) & 1
|
|
|
|
}
|
|
|
|
|
|
|
|
function _crypto_scalarmult_ed25519_clamp (k) {
|
|
|
|
k[0] &= 248
|
|
|
|
k[31] |= 64
|
|
|
|
}
|
|
|
|
|
|
|
|
function _crypto_scalarmult_ed25519 (q, n, p, clamp) {
|
|
|
|
var Q = ec.ge3()
|
|
|
|
var P = ec.ge3()
|
|
|
|
var t = q.slice()
|
|
|
|
var i
|
|
|
|
|
|
|
|
// if (ec.ge25519_is_canonical(p) == 0 || ec.ge25519_has_small_order(p) != 0 ||
|
|
|
|
if ( ec.ge25519_frombytes(P, p) != 0 || ec.ge25519_is_on_main_subgroup(P) == 0) {
|
|
|
|
return -1
|
|
|
|
}
|
|
|
|
for (i = 0; i < 32; ++i) {
|
|
|
|
t[i] = n[i]
|
|
|
|
}
|
|
|
|
if (clamp !== 0) {
|
|
|
|
_crypto_scalarmult_ed25519_clamp(t)
|
|
|
|
}
|
|
|
|
t[31] &= 127
|
|
|
|
|
|
|
|
ec.ge25519_scalarmult(Q, t, P)
|
|
|
|
ec.ge25519_p3_tobytes(q, Q)
|
|
|
|
if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) {
|
|
|
|
return -1
|
|
|
|
}
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
function crypto_scalarmult_ed25519 (q, n, p) {
|
|
|
|
assert(q instanceof Uint8Array && q.byteLength === 32)
|
|
|
|
assert(n instanceof Uint8Array && n.byteLength === 32)
|
|
|
|
assert(p instanceof Uint8Array && p.byteLength === 32)
|
|
|
|
|
|
|
|
return _crypto_scalarmult_ed25519(q, n, p, 1)
|
|
|
|
}
|
|
|
|
|
|
|
|
function crypto_scalarmult_ed25519_noclamp (q, n, p) {
|
|
|
|
assert(q instanceof Uint8Array && q.byteLength === 32)
|
|
|
|
assert(n instanceof Uint8Array && n.byteLength === 32)
|
|
|
|
assert(p instanceof Uint8Array && p.byteLength === 32)
|
|
|
|
|
|
|
|
return _crypto_scalarmult_ed25519(q, n, p, 0)
|
|
|
|
}
|
|
|
|
|
|
|
|
function _crypto_scalarmult_ed25519_base (q, n, clamp) {
|
|
|
|
var t = q.slice()
|
|
|
|
var Q = ec.ge3()
|
|
|
|
var i
|
|
|
|
|
|
|
|
for (i = 0; i < 32; ++i) {
|
|
|
|
t[i] = n[i]
|
|
|
|
}
|
|
|
|
|
|
|
|
if (clamp !== 0) {
|
|
|
|
_crypto_scalarmult_ed25519_clamp(t)
|
|
|
|
}
|
|
|
|
|
|
|
|
t[31] &= 127
|
|
|
|
|
|
|
|
ec.ge25519_scalarmult_base(Q, t)
|
|
|
|
ec.ge25519_p3_tobytes(q, Q)
|
|
|
|
if (_crypto_scalarmult_ed25519_is_inf(q) !== 0 || sodium_is_zero(n, 32)) {
|
|
|
|
return -1
|
|
|
|
}
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
function crypto_scalarmult_ed25519_base(q, n) {
|
|
|
|
assert(q instanceof Uint8Array && q.byteLength === 32)
|
|
|
|
assert(n instanceof Uint8Array && n.byteLength === 32)
|
|
|
|
|
|
|
|
return _crypto_scalarmult_ed25519_base(q, n, 1)
|
|
|
|
}
|
|
|
|
|
|
|
|
function crypto_scalarmult_ed25519_base_noclamp (q, n) {
|
|
|
|
return _crypto_scalarmult_ed25519_base(q, n, 0)
|
|
|
|
}
|
|
|
|
|
|
|
|
function crypto_scalarmult_ed25519_bytes () {
|
|
|
|
return crypto_scalarmult_ed25519_BYTES
|
|
|
|
}
|
|
|
|
|
|
|
|
function crypto_scalarmult_ed25519_scalarbytes () {
|
|
|
|
return crypto_scalarmult_ed25519_SCALARBYTES
|
|
|
|
}
|
|
|
|
|
|
|
|
function crypto_scalarmult_ristretto255 (q, n, p) {
|
|
|
|
assert(q instanceof Uint8Array && k.byteLength === 32)
|
|
|
|
assert(n instanceof Uint8Array && k.byteLength === 32)
|
|
|
|
assert(p instanceof Uint8Array && k.byteLength === 32)
|
|
|
|
|
|
|
|
var t = q.slice()
|
|
|
|
var Q = ec.ge3()
|
|
|
|
var P = ec.ge3()
|
|
|
|
var i
|
|
|
|
|
|
|
|
if (ec.ristretto255_frombytes(P, p) != 0) {
|
|
|
|
return -1
|
|
|
|
}
|
|
|
|
for (i = 0; i < 32; ++i) {
|
|
|
|
t[i] = n[i]
|
|
|
|
}
|
|
|
|
t[31] &= 127
|
|
|
|
ec.ge25519_scalarmult(Q, t, P)
|
|
|
|
ec.ristretto255_p3_tobytes(q, Q)
|
|
|
|
if (sodium_is_zero(q, 32)) {
|
|
|
|
return -1
|
|
|
|
}
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
function crypto_scalarmult_ristretto255_base (q, n) {
|
|
|
|
var t = q.slice
|
|
|
|
var Q = ec.ge3()
|
|
|
|
var i
|
|
|
|
|
|
|
|
for (i = 0; i < 32; ++i) {
|
|
|
|
t[i] = n[i]
|
|
|
|
}
|
|
|
|
|
|
|
|
t[31] &= 127
|
|
|
|
|
|
|
|
ec.ge25519_scalarmult_base(Q, t)
|
|
|
|
ec.ristretto255_p3_tobytes(q, Q)
|
|
|
|
if (sodium_is_zero(q, 32)) {
|
|
|
|
return -1
|
|
|
|
}
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
function crypto_scalarmult_ristretto255_bytes () {
|
|
|
|
return crypto_scalarmult_ristretto255_BYTES
|
|
|
|
}
|
|
|
|
|
|
|
|
function crypto_scalarmult_ristretto255_scalarbytes () {
|
|
|
|
return crypto_scalarmult_ristretto255_SCALARBYTES
|
|
|
|
}
|
|
|
|
|
|
|
|
function has_small_order (s) {
|
|
|
|
assert(s instanceof Uint8Array && s.byteLength === 32)
|
|
|
|
|
|
|
|
const blacklist = [
|
|
|
|
/* 0 (order 4) */
|
|
|
|
[ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ],
|
|
|
|
/* 1 (order 1) */
|
|
|
|
[ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ],
|
|
|
|
/* 325606250916557431795983626356110631294008115727848805560023387167927233504
|
|
|
|
(order 8) */
|
|
|
|
[ 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3,
|
|
|
|
0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32,
|
|
|
|
0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 ],
|
|
|
|
/* 39382357235489614581723060781553021112529911719440698176882885853963445705823
|
|
|
|
(order 8) */
|
|
|
|
[ 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1,
|
|
|
|
0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c,
|
|
|
|
0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 ],
|
|
|
|
/* p-1 (order 2) */
|
|
|
|
[ 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f ],
|
|
|
|
/* p (=0, order 4) */
|
|
|
|
[ 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f ],
|
|
|
|
/* p+1 (=1, order 1) */
|
|
|
|
[ 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
|
|
|
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f ]
|
|
|
|
]
|
|
|
|
|
|
|
|
const c = Buffer.alloc(7)
|
|
|
|
|
|
|
|
var k
|
|
|
|
var i, j
|
|
|
|
|
|
|
|
assert(blacklist.length === 7)
|
|
|
|
for (j = 0; j < 31; j++) {
|
|
|
|
for (i = 0; i < 7; i++) {
|
|
|
|
c[i] |= s[j] ^ blacklist[i][j]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for (i = 0; i < 7; i++) {
|
|
|
|
c[i] |= (s[j] & 0x7f) ^ blacklist[i][j]
|
|
|
|
}
|
|
|
|
k = 0
|
|
|
|
for (i = 0; i < 7; i++) {
|
|
|
|
k |= (c[i] - 1)
|
|
|
|
}
|
|
|
|
return ((k >> 8) & 1)
|
|
|
|
}
|
|
|
|
|
|
|
|
function crypto_scalarmult_curve25519 (q, n, p) {
|
|
|
|
var t = q.slice()
|
|
|
|
var i
|
|
|
|
var x1 = ec.fe25519()
|
|
|
|
var x2 = ec.fe25519()
|
|
|
|
var z2 = ec.fe25519()
|
|
|
|
var x3 = ec.fe25519()
|
|
|
|
var z3 = ec.fe25519()
|
|
|
|
var tmp0 = ec.fe25519()
|
|
|
|
var tmp1 = ec.fe25519()
|
|
|
|
var pos
|
|
|
|
var swap
|
|
|
|
var b
|
|
|
|
|
|
|
|
if (has_small_order(p)) {
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
for (i = 0; i < 32; i++) {
|
|
|
|
t[i] = n[i]
|
|
|
|
}
|
|
|
|
t[0] &= 248
|
|
|
|
t[31] &= 127
|
|
|
|
t[31] |= 64
|
|
|
|
ec.fe25519_frombytes(x1, p)
|
|
|
|
ec.fe25519_1(x2)
|
|
|
|
ec.fe25519_0(z2)
|
|
|
|
ec.fe25519_copy(x3, x1)
|
|
|
|
ec.fe25519_1(z3)
|
|
|
|
|
|
|
|
for (pos = 254; pos >= 0; --pos) {
|
2020-10-17 20:42:56 +00:00
|
|
|
b = t[Math.floor(pos / 8)] >> (pos & 7)
|
2020-06-26 08:16:14 +00:00
|
|
|
b &= 1
|
|
|
|
swap ^= b
|
2020-10-17 20:42:56 +00:00
|
|
|
|
2020-06-26 08:16:14 +00:00
|
|
|
ec.fe25519_cswap(x2, x3, swap)
|
|
|
|
ec.fe25519_cswap(z2, z3, swap)
|
|
|
|
swap = b
|
|
|
|
ec.fe25519_sub(tmp0, x3, z3)
|
2020-10-17 20:42:56 +00:00
|
|
|
|
2020-06-26 08:16:14 +00:00
|
|
|
ec.fe25519_sub(tmp1, x2, z2)
|
|
|
|
ec.fe25519_add(x2, x2, z2)
|
|
|
|
ec.fe25519_add(z2, x3, z3)
|
|
|
|
ec.fe25519_mul(z3, tmp0, x2)
|
|
|
|
ec.fe25519_mul(z2, z2, tmp1)
|
|
|
|
ec.fe25519_sq(tmp0, tmp1)
|
|
|
|
ec.fe25519_sq(tmp1, x2)
|
|
|
|
ec.fe25519_add(x3, z3, z2)
|
|
|
|
ec.fe25519_sub(z2, z3, z2)
|
|
|
|
ec.fe25519_mul(x2, tmp1, tmp0)
|
|
|
|
ec.fe25519_sub(tmp1, tmp1, tmp0)
|
|
|
|
ec.fe25519_sq(z2, z2)
|
|
|
|
// TODO
|
|
|
|
// ec.fe25519_mul32(z3, tmp1, 121666)
|
|
|
|
ec.fe25519_mul(z3, tmp1, _121666)
|
|
|
|
ec.fe25519_sq(x3, x3)
|
|
|
|
ec.fe25519_add(tmp0, tmp0, z3)
|
|
|
|
ec.fe25519_mul(z3, x1, z2)
|
|
|
|
ec.fe25519_mul(z2, tmp1, tmp0)
|
|
|
|
}
|
2020-10-17 20:42:56 +00:00
|
|
|
|
2020-06-26 08:16:14 +00:00
|
|
|
ec.fe25519_cswap(x2, x3, swap)
|
|
|
|
ec.fe25519_cswap(z2, z3, swap)
|
|
|
|
|
|
|
|
ec.fe25519_invert(z2, z2)
|
|
|
|
ec.fe25519_mul(x2, x2, z2)
|
|
|
|
ec.fe25519_tobytes(q, x2)
|
|
|
|
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
2020-10-15 23:10:52 +00:00
|
|
|
function crypto_scalarmult_curve25519_1 (q, n, p) {
|
|
|
|
var t = q.slice()
|
|
|
|
var i
|
|
|
|
var x1 = ec.fe25519()
|
|
|
|
var x2 = ec.fe25519()
|
|
|
|
var z2 = ec.fe25519()
|
|
|
|
var x3 = ec.fe25519()
|
|
|
|
var z3 = ec.fe25519()
|
|
|
|
var pos
|
|
|
|
var swap
|
|
|
|
var b
|
2020-10-17 20:42:56 +00:00
|
|
|
var _q = Buffer.alloc(32)
|
2020-10-15 23:10:52 +00:00
|
|
|
|
|
|
|
if (has_small_order(p)) {
|
|
|
|
return -1;
|
|
|
|
}
|
2020-10-17 20:42:56 +00:00
|
|
|
t.set(n)
|
2020-10-15 23:10:52 +00:00
|
|
|
t[0] &= 248
|
|
|
|
t[31] &= 127
|
|
|
|
t[31] |= 64
|
|
|
|
|
2020-10-17 20:42:56 +00:00
|
|
|
ec.fe25519_frombytes(x1, p)
|
|
|
|
swap = ec.scalarmult_curve25519_inner_loop(x1, x2, t)
|
2020-10-15 23:10:52 +00:00
|
|
|
|
|
|
|
ec.fe25519_tobytes(q, x2)
|
|
|
|
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
2020-06-26 08:16:14 +00:00
|
|
|
function edwards_to_montgomery(montgomeryX, edwardsY, edwardsZ) {
|
|
|
|
var tempX = ec.fe25519()
|
|
|
|
var tempZ = ec.fe25519()
|
|
|
|
|
|
|
|
ec.fe25519_add(tempX, edwardsZ, edwardsY)
|
|
|
|
ec.fe25519_sub(tempZ, edwardsZ, edwardsY)
|
|
|
|
ec.fe25519_invert(tempZ, tempZ)
|
|
|
|
ec.fe25519_mul(montgomeryX, tempX, tempZ)
|
|
|
|
}
|
|
|
|
|
|
|
|
function crypto_scalarmult_curve25519_base (q, n) {
|
|
|
|
var t = q.slice()
|
2020-10-30 09:45:51 +00:00
|
|
|
var Q = ec.ge3()
|
|
|
|
const pk = ec.fe25519()
|
|
|
|
|
2020-06-26 08:16:14 +00:00
|
|
|
var i
|
|
|
|
|
|
|
|
for (i = 0; i < 32; i++) {
|
|
|
|
t[i] = n[i]
|
|
|
|
}
|
|
|
|
|
|
|
|
t[0] &= 248
|
|
|
|
t[31] |= 64
|
2020-10-30 09:45:51 +00:00
|
|
|
t[31] &= 127
|
|
|
|
|
|
|
|
ec.ge25519_scalarmult_base(Q, t)
|
|
|
|
edwards_to_montgomery(pk, Q[1], Q[2]);
|
2020-06-26 08:16:14 +00:00
|
|
|
ec.fe25519_tobytes(q, pk)
|
|
|
|
|
|
|
|
return 0
|
|
|
|
}
|
2020-10-17 20:42:56 +00:00
|
|
|
|
|
|
|
function print32 (num) {
|
|
|
|
if (num < 0) return print32(0x100000000 + num)
|
|
|
|
console.log(num.toString(16).padStart(16, '0'))
|
|
|
|
}
|
|
|
|
|
|
|
|
function printfe (fe) {
|
|
|
|
for (let i of fe) print32(i)
|
|
|
|
}
|
2020-10-30 09:45:51 +00:00
|
|
|
|
|
|
|
function sodium_is_zero (n) {
|
|
|
|
let i
|
|
|
|
let d = 0
|
|
|
|
|
|
|
|
for (let i = 0; i < n.length; i++) {
|
|
|
|
d |= n[i]
|
|
|
|
}
|
|
|
|
|
|
|
|
return 1 & ((d - 1) >> 8)
|
|
|
|
}
|