diff --git a/crypto_sign.js b/crypto_sign.js index c35a332..e81ce93 100644 --- a/crypto_sign.js +++ b/crypto_sign.js @@ -1,17 +1,23 @@ +/* eslint-disable camelcase, one-var */ const { crypto_verify_32 } = require('./crypto_verify') const { crypto_hash } = require('./crypto_hash') const { gf, gf0, gf1, D, D2, X, Y, I, A, Z, M, S, - sel25519, pack25519, + sel25519, car25519, pack25519, inv25519, unpack25519 } = require('./ed25519') const { randombytes } = require('./randombytes') -const crypto_sign_BYTES = 64, - crypto_sign_PUBLICKEYBYTES = 32, - crypto_sign_SECRETKEYBYTES = 64, - crypto_sign_SEEDBYTES = 32 +const crypto_sign_ed25519_PUBLICKEYBYTES = 32 +const crypto_sign_ed25519_SECRETKEYBYTES = 64 +const crypto_sign_ed25519_SEEDBYTES = 32 +const crypto_sign_ed25519_BYTES = 64 + +const crypto_sign_BYTES = crypto_sign_ed25519_BYTES +const crypto_sign_PUBLICKEYBYTES = crypto_sign_ed25519_PUBLICKEYBYTES +const crypto_sign_SECRETKEYBYTES = crypto_sign_ed25519_SECRETKEYBYTES +const crypto_sign_SEEDBYTES = crypto_sign_ed25519_SEEDBYTES module.exports = { crypto_sign_keypair, @@ -23,276 +29,310 @@ module.exports = { crypto_sign_BYTES, crypto_sign_PUBLICKEYBYTES, crypto_sign_SECRETKEYBYTES, - crypto_sign_SEEDBYTES + crypto_sign_SEEDBYTES, + crypto_sign_ed25519_PUBLICKEYBYTES, + crypto_sign_ed25519_SECRETKEYBYTES, + crypto_sign_ed25519_SEEDBYTES, + crypto_sign_ed25519_BYTES, + crypto_sign_ed25519_pk_to_curve25519, + unpackneg, + pack } -function set25519(r, a) { - var i; - for (i = 0; i < 16; i++) r[i] = a[i]|0; +function set25519 (r, a) { + for (let i = 0; i < 16; i++) r[i] = a[i] | 0 } -function pow2523(o, i) { - var c = gf(); - var a; - for (a = 0; a < 16; a++) c[a] = i[a]; +function pow2523 (o, i) { + var c = gf() + var a + for (a = 0; a < 16; a++) c[a] = i[a] for (a = 250; a >= 0; a--) { - S(c, c); - if(a !== 1) M(c, c, i); + S(c, c) + if (a !== 1) M(c, c, i) } - for (a = 0; a < 16; a++) o[a] = c[a]; + for (a = 0; a < 16; a++) o[a] = c[a] } -function add(p, q) { +function add (p, q) { var a = gf(), b = gf(), c = gf(), - d = gf(), e = gf(), f = gf(), - g = gf(), h = gf(), t = gf(); + d = gf(), e = gf(), f = gf(), + g = gf(), h = gf(), t = gf() - Z(a, p[1], p[0]); - Z(t, q[1], q[0]); - M(a, a, t); - A(b, p[0], p[1]); - A(t, q[0], q[1]); - M(b, b, t); - M(c, p[3], q[3]); - M(c, c, D2); - M(d, p[2], q[2]); - A(d, d, d); - Z(e, b, a); - Z(f, d, c); - A(g, d, c); - A(h, b, a); + Z(a, p[1], p[0]) + Z(t, q[1], q[0]) + M(a, a, t) + A(b, p[0], p[1]) + A(t, q[0], q[1]) + M(b, b, t) + M(c, p[3], q[3]) + M(c, c, D2) + M(d, p[2], q[2]) + A(d, d, d) + Z(e, b, a) + Z(f, d, c) + A(g, d, c) + A(h, b, a) - M(p[0], e, f); - M(p[1], h, g); - M(p[2], g, f); - M(p[3], e, h); + M(p[0], e, f) + M(p[1], h, g) + M(p[2], g, f) + M(p[3], e, h) } -function cswap(p, q, b) { - var i; +function cswap (p, q, b) { + var i for (i = 0; i < 4; i++) { - sel25519(p[i], q[i], b); + sel25519(p[i], q[i], b) } } -function pack(r, p) { - var tx = gf(), ty = gf(), zi = gf(); - inv25519(zi, p[2]); - M(tx, p[0], zi); - M(ty, p[1], zi); - pack25519(r, ty); - r[31] ^= par25519(tx) << 7; +function pack (r, p) { + var tx = gf(), ty = gf(), zi = gf() + inv25519(zi, p[2]) + M(tx, p[0], zi) + M(ty, p[1], zi) + pack25519(r, ty) + r[31] ^= par25519(tx) << 7 } -function scalarmult(p, q, s) { - var b, i; - set25519(p[0], gf0); - set25519(p[1], gf1); - set25519(p[2], gf1); - set25519(p[3], gf0); +function scalarmult (p, q, s) { + // don't mutate q + var h = [gf(q[0]), gf(q[1]), gf(q[2]), gf(q[3])] + var b, i + set25519(p[0], gf0) + set25519(p[1], gf1) + set25519(p[2], gf1) + set25519(p[3], gf0) for (i = 255; i >= 0; --i) { - b = (s[(i/8)|0] >> (i&7)) & 1; - cswap(p, q, b); - add(q, p); - add(p, p); - cswap(p, q, b); + b = (s[(i / 8) | 0] >> (i & 7)) & 1 + cswap(p, h, b) + add(h, p) + add(p, p) + cswap(p, h, b) } } -function scalarbase(p, s) { - var q = [gf(), gf(), gf(), gf()]; - set25519(q[0], X); - set25519(q[1], Y); - set25519(q[2], gf1); - M(q[3], X, Y); - scalarmult(p, q, s); +function scalarbase (p, s) { + var q = [gf(), gf(), gf(), gf()] + set25519(q[0], X) + set25519(q[1], Y) + set25519(q[2], gf1) + M(q[3], X, Y) + scalarmult(p, q, s) } -function crypto_sign_keypair(pk, sk, seeded) { +function crypto_sign_keypair (pk, sk, seeded) { check(pk, crypto_sign_PUBLICKEYBYTES) check(sk, crypto_sign_SECRETKEYBYTES) - var d = new Uint8Array(64); - var p = [gf(), gf(), gf(), gf()]; - var i; + var d = new Uint8Array(64) + var p = [gf(), gf(), gf(), gf()] + var i - if (!seeded) randombytes(sk, 32); - crypto_hash(d, sk, 32); - d[0] &= 248; - d[31] &= 127; - d[31] |= 64; + if (!seeded) randombytes(sk, 32) + crypto_hash(d, sk, 32) + d[0] &= 248 + d[31] &= 127 + d[31] |= 64 - scalarbase(p, d); - pack(pk, p); + scalarbase(p, d) + pack(pk, p) - for (i = 0; i < 32; i++) sk[i+32] = pk[i]; - return 0; + for (i = 0; i < 32; i++) sk[i + 32] = pk[i] + return 0 } function crypto_sign_seed_keypair (pk, sk, seed) { check(seed, crypto_sign_SEEDBYTES) - seed.copy(sk) + sk.set(seed) return crypto_sign_keypair(pk, sk, true) } -var L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10]); +var L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10]) -function modL(r, x) { - var carry, i, j, k; +function modL (r, x) { + var carry, i, j, k for (i = 63; i >= 32; --i) { - carry = 0; + carry = 0 for (j = i - 32, k = i - 12; j < k; ++j) { - x[j] += carry - 16 * x[i] * L[j - (i - 32)]; - carry = (x[j] + 128) >> 8; - x[j] -= carry * 256; + x[j] += carry - 16 * x[i] * L[j - (i - 32)] + carry = (x[j] + 128) >> 8 + x[j] -= carry * 256 } - x[j] += carry; - x[i] = 0; + x[j] += carry + x[i] = 0 } - carry = 0; + carry = 0 for (j = 0; j < 32; j++) { - x[j] += carry - (x[31] >> 4) * L[j]; - carry = x[j] >> 8; - x[j] &= 255; + x[j] += carry - (x[31] >> 4) * L[j] + carry = x[j] >> 8 + x[j] &= 255 } - for (j = 0; j < 32; j++) x[j] -= carry * L[j]; + for (j = 0; j < 32; j++) x[j] -= carry * L[j] for (i = 0; i < 32; i++) { - x[i+1] += x[i] >> 8; - r[i] = x[i] & 255; + x[i + 1] += x[i] >> 8 + r[i] = x[i] & 255 } } -function reduce(r) { - var x = new Float64Array(64), i; - for (i = 0; i < 64; i++) x[i] = r[i]; - for (i = 0; i < 64; i++) r[i] = 0; - modL(r, x); +function reduce (r) { + var x = new Float64Array(64) + for (let i = 0; i < 64; i++) x[i] = r[i] + for (let i = 0; i < 64; i++) r[i] = 0 + modL(r, x) } // Note: difference from C - smlen returned, not passed as argument. -function crypto_sign(sm, m, sk) { +function crypto_sign (sm, m, sk) { check(sm, crypto_sign_BYTES + m.length) check(m, 0) check(sk, crypto_sign_SECRETKEYBYTES) var n = m.length - var d = new Uint8Array(64), h = new Uint8Array(64), r = new Uint8Array(64); - var i, j, x = new Float64Array(64); - var p = [gf(), gf(), gf(), gf()]; + var d = new Uint8Array(64), h = new Uint8Array(64), r = new Uint8Array(64) + var i, j, x = new Float64Array(64) + var p = [gf(), gf(), gf(), gf()] - crypto_hash(d, sk, 32); - d[0] &= 248; - d[31] &= 127; - d[31] |= 64; + crypto_hash(d, sk, 32) + d[0] &= 248 + d[31] &= 127 + d[31] |= 64 - var smlen = n + 64; - for (i = 0; i < n; i++) sm[64 + i] = m[i]; - for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i]; + var smlen = n + 64 + for (i = 0; i < n; i++) sm[64 + i] = m[i] + for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i] - crypto_hash(r, sm.subarray(32), n+32); - reduce(r); - scalarbase(p, r); - pack(sm, p); + crypto_hash(r, sm.subarray(32), n + 32) + reduce(r) + scalarbase(p, r) + pack(sm, p) - for (i = 32; i < 64; i++) sm[i] = sk[i]; - crypto_hash(h, sm, n + 64); - reduce(h); + for (i = 32; i < 64; i++) sm[i] = sk[i] + crypto_hash(h, sm, n + 64) + reduce(h) - for (i = 0; i < 64; i++) x[i] = 0; - for (i = 0; i < 32; i++) x[i] = r[i]; + for (i = 0; i < 64; i++) x[i] = 0 + for (i = 0; i < 32; i++) x[i] = r[i] for (i = 0; i < 32; i++) { for (j = 0; j < 32; j++) { - x[i+j] += h[i] * d[j]; + x[i + j] += h[i] * d[j] } } - modL(sm.subarray(32), x); - // console.log(Buffer.from(sm).toString('hex')) + modL(sm.subarray(32), x) return smlen } -function crypto_sign_detached(sig, m, sk) { +function crypto_sign_detached (sig, m, sk) { var sm = new Uint8Array(m.length + crypto_sign_BYTES) crypto_sign(sm, m, sk) - for (var i = 0; i < crypto_sign_BYTES; i++) sig[i] = sm[i] + for (let i = 0; i < crypto_sign_BYTES; i++) sig[i] = sm[i] } -function unpackneg(r, p) { +function is_zero25519 (f) { + var s = new Uint8Array(32) + pack25519(s, f) + + return sodium_is_zero(s, 32) + + function sodium_is_zero (n) { + let i + let d = 0 + + for (let i = 0; i < n.length; i++) { + d |= n[i] + } + + return 1 & ((d - 1) >> 8) + } +} + +function unpackneg (r, p) { var t = gf(), chk = gf(), num = gf(), - den = gf(), den2 = gf(), den4 = gf(), - den6 = gf(); + den = gf(), den2 = gf(), den4 = gf(), + den6 = gf(), x_sqrtm1 = gf(), m_root_check = gf() - set25519(r[2], gf1); - unpack25519(r[1], p); - S(num, r[1]); - M(den, num, D); - Z(num, num, r[2]); - A(den, r[2], den); + set25519(r[2], gf1) + unpack25519(r[1], p) + S(num, r[1]) + M(den, num, D) + Z(num, num, r[2]) + A(den, r[2], den) - S(den2, den); - S(den4, den2); - M(den6, den4, den2); - M(t, den6, num); - M(t, t, den); + S(den2, den) + S(den4, den2) + M(den6, den4, den2) + M(t, den6, num) + M(t, t, den) - pow2523(t, t); - M(t, t, num); - M(t, t, den); - M(t, t, den); - M(r[0], t, den); + pow2523(t, t) + M(t, t, num) + M(t, t, den) + M(t, t, den) + M(r[0], t, den) - S(chk, r[0]); - M(chk, chk, den); - if (neq25519(chk, num)) M(r[0], r[0], I); + S(chk, r[0]) + M(chk, chk, den) + if (neq25519(chk, num)) M(r[0], r[0], I) - S(chk, r[0]); - M(chk, chk, den); - if (neq25519(chk, num)) return -1; + S(chk, r[0]) + M(chk, chk, den) + if (neq25519(chk, num)) return -1 - if (par25519(r[0]) === (p[31]>>7)) Z(r[0], gf0, r[0]); + M(x_sqrtm1, r[0], I) /* x*sqrt(-1) */ + // sel25519(r[0], x_sqrtm1, 1 - has_m_root) - M(r[3], r[0], r[1]); - return 0; + if (par25519(r[0]) === (p[31] >> 7)) { + Z(r[0], gf(), r[0]) + } + + M(r[3], r[0], r[1]) + + + return 0 } -function crypto_sign_open(msg, sm, pk) { +/* eslint-disable no-unused-vars */ +function crypto_sign_open (msg, sm, pk) { check(msg, sm.length - crypto_sign_BYTES) check(sm, crypto_sign_BYTES) check(pk, crypto_sign_PUBLICKEYBYTES) var n = sm.length var m = new Uint8Array(sm.length) - var i, mlen; - var t = new Uint8Array(32), h = new Uint8Array(64); + var i, mlen + var t = new Uint8Array(32), h = new Uint8Array(64) var p = [gf(), gf(), gf(), gf()], - q = [gf(), gf(), gf(), gf()]; + q = [gf(), gf(), gf(), gf()] - mlen = -1; - if (n < 64) return false; + mlen = -1 + if (n < 64) return false - if (unpackneg(q, pk)) return false; - pack(t, q); + if (unpackneg(q, pk)) return false - for (i = 0; i < n; i++) m[i] = sm[i]; - for (i = 0; i < 32; i++) m[i+32] = pk[i]; - crypto_hash(h, m, n); - reduce(h); - scalarmult(p, q, h); + for (i = 0; i < n; i++) m[i] = sm[i] + for (i = 0; i < 32; i++) m[i + 32] = pk[i] + crypto_hash(h, m, n) + reduce(h) + scalarmult(p, q, h) - scalarbase(q, sm.subarray(32)); - add(p, q); - pack(t, p); + scalarbase(q, sm.subarray(32)) + add(p, q) + pack(t, p) - n -= 64; + n -= 64 if (crypto_verify_32(sm, 0, t, 0)) { - for (i = 0; i < n; i++) m[i] = 0; - return false; + for (i = 0; i < n; i++) m[i] = 0 + return false + // throw new Error('crypto_sign_open failed') } - for (i = 0; i < n; i++) msg[i] = sm[i + 64]; - mlen = n; - return true; + for (i = 0; i < n; i++) msg[i] = sm[i + 64] + mlen = n + return true } +/* eslint-enable no-unused-vars */ function crypto_sign_verify_detached (sig, m, pk) { check(sig, crypto_sign_BYTES) @@ -303,19 +343,146 @@ function crypto_sign_verify_detached (sig, m, pk) { return crypto_sign_open(m, sm, pk) } -function par25519(a) { - var d = new Uint8Array(32); - pack25519(d, a); - return d[0] & 1; +function par25519 (a) { + var d = new Uint8Array(32) + pack25519(d, a) + return d[0] & 1 } -function neq25519(a, b) { - var c = new Uint8Array(32), d = new Uint8Array(32); - pack25519(c, a); - pack25519(d, b); - return crypto_verify_32(c, 0, d, 0); +function neq25519 (a, b) { + var c = new Uint8Array(32), d = new Uint8Array(32) + pack25519(c, a) + pack25519(d, b) + return crypto_verify_32(c, 0, d, 0) } +function ed25519_mul_l (p, q) { + scalarmult(p, q, L) +} + +function ed25519_is_on_main_subgroup (p) { + var pl = [gf(), gf(), gf(), gf()] + + ed25519_mul_l(pl, p) + + var zero = 0 + for (let i = 0; i < 16; i++) { + zero |= (pl[0][i] & 0xffff) + } + + return zero === 0 +} + +function crypto_sign_ed25519_pk_to_curve25519 (x25519_pk, ed25519_pk) { + check(x25519_pk, crypto_sign_PUBLICKEYBYTES) + check(ed25519_pk, crypto_sign_ed25519_PUBLICKEYBYTES) + + var a = [gf(), gf(), gf(), gf()] + var x = gf([1]) + var one_minus_y = gf([1]) + + if (isSmallOrder(ed25519_pk) !== 0 || + unpackneg(a, ed25519_pk) !== 0 || + !ed25519_is_on_main_subgroup(a)) return -1 + + for (let i = 0; i < a.length; i++) { + pack25519(x25519_pk, a[i]); + } + + Z(one_minus_y, one_minus_y, a[1]) + A(x, x, a[1]) + inv25519(one_minus_y, one_minus_y) + M(x, x, one_minus_y) + pack25519(x25519_pk, x) + + return 0 +} + +function isSmallOrder (s) { + Uint8Array.from([]) + + var bad_points = [ + // 0 (order 4) + Uint8Array.from([0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]), + + // 1 (order 1) + Uint8Array.from([0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]), + + // 2707385501144840649318225287225658788936804267575313519463743609750303402022(order 8) + Uint8Array.from([0x26, 0xe8, 0x95, 0x8f, 0xc2, 0xb2, 0x27, 0xb0, 0x45, 0xc3, + 0xf4, 0x89, 0xf2, 0xef, 0x98, 0xf0, 0xd5, 0xdf, 0xac, 0x05, 0xd3, + 0xc6, 0x33, 0x39, 0xb1, 0x38, 0x02, 0x88, 0x6d, 0x53, 0xfc, 0x05]), + + // 55188659117513257062467267217118295137698188065244968500265048394206261417927 (order 8) + Uint8Array.from([0xc7, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, + 0x0b, 0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c, + 0x39, 0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0x7a]), + + // p-1 (order 2) + Uint8Array.from([0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f]), + + // p (=0 order 4) + Uint8Array.from([0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f]), + + // p + 1 (=1 order 1) + Uint8Array.from([0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f]) + ] + + var c = new Uint8Array(7) + var j + + check (bad_points, 7) + for (let i = 0; i < bad_points.length; i++) { + for (j = 0; j < 31; j++) { + c[i] |= s[j] ^ bad_points[i][j] + } + } + + for (let i = 0; i < bad_points.length; i++) { + c[i] |= (s[j] & 0x7f) ^ bad_points[i][j] + } + + var k = 0 + for (let i = 0; i < bad_points.length; i++) { + k |= (c[i] - 1) + } + + return ((k >> 8) & 1) +} + +function crypto_sign_ed25519_sk_to_pk (pk, sk) { + check(pk, crypto_sign_ed25519_PUBLICKEYBYTES) + pk.set(sk.subarray(crypto_sign_ed25519_SEEDBYTES)) + return pk +} + +function crypto_sign_ed25519_sk_to_curve25519 (curveSk, edSk) { + check(curveSk, crypto_sign_SECRETKEYBYTES) + check(edSk, crypto_sign_ed25519_SECRETKEYBYTES) + + var h = Buffer.alloc(crypto_hash_sha512_BYTES); + crypto_hash(h, edSk, 32) + + h[0] &= 248; + h[31] &= 127; + h[31] |= 64; + + curveSk.set(edSk) + h.fill(0) + return curveSk +} + + function check (buf, len) { if (!buf || (len && buf.length < len)) throw new Error('Argument must be a buffer' + (len ? ' of length ' + len : '')) }