add js ed25519_pk_to_curve25519

This commit is contained in:
Christophe Diederichs 2020-08-28 04:40:23 +02:00
parent 3753006318
commit 3c2f81c3f3

View File

@ -1,17 +1,23 @@
/* eslint-disable camelcase, one-var */
const { crypto_verify_32 } = require('./crypto_verify')
const { crypto_hash } = require('./crypto_hash')
const {
gf, gf0, gf1, D, D2,
X, Y, I, A, Z, M, S,
sel25519, pack25519,
sel25519, car25519, pack25519,
inv25519, unpack25519
} = require('./ed25519')
const { randombytes } = require('./randombytes')
const crypto_sign_BYTES = 64,
crypto_sign_PUBLICKEYBYTES = 32,
crypto_sign_SECRETKEYBYTES = 64,
crypto_sign_SEEDBYTES = 32
const crypto_sign_ed25519_PUBLICKEYBYTES = 32
const crypto_sign_ed25519_SECRETKEYBYTES = 64
const crypto_sign_ed25519_SEEDBYTES = 32
const crypto_sign_ed25519_BYTES = 64
const crypto_sign_BYTES = crypto_sign_ed25519_BYTES
const crypto_sign_PUBLICKEYBYTES = crypto_sign_ed25519_PUBLICKEYBYTES
const crypto_sign_SECRETKEYBYTES = crypto_sign_ed25519_SECRETKEYBYTES
const crypto_sign_SEEDBYTES = crypto_sign_ed25519_SEEDBYTES
module.exports = {
crypto_sign_keypair,
@ -23,150 +29,158 @@ module.exports = {
crypto_sign_BYTES,
crypto_sign_PUBLICKEYBYTES,
crypto_sign_SECRETKEYBYTES,
crypto_sign_SEEDBYTES
crypto_sign_SEEDBYTES,
crypto_sign_ed25519_PUBLICKEYBYTES,
crypto_sign_ed25519_SECRETKEYBYTES,
crypto_sign_ed25519_SEEDBYTES,
crypto_sign_ed25519_BYTES,
crypto_sign_ed25519_pk_to_curve25519,
unpackneg,
pack
}
function set25519 (r, a) {
var i;
for (i = 0; i < 16; i++) r[i] = a[i]|0;
for (let i = 0; i < 16; i++) r[i] = a[i] | 0
}
function pow2523 (o, i) {
var c = gf();
var a;
for (a = 0; a < 16; a++) c[a] = i[a];
var c = gf()
var a
for (a = 0; a < 16; a++) c[a] = i[a]
for (a = 250; a >= 0; a--) {
S(c, c);
if(a !== 1) M(c, c, i);
S(c, c)
if (a !== 1) M(c, c, i)
}
for (a = 0; a < 16; a++) o[a] = c[a];
for (a = 0; a < 16; a++) o[a] = c[a]
}
function add (p, q) {
var a = gf(), b = gf(), c = gf(),
d = gf(), e = gf(), f = gf(),
g = gf(), h = gf(), t = gf();
g = gf(), h = gf(), t = gf()
Z(a, p[1], p[0]);
Z(t, q[1], q[0]);
M(a, a, t);
A(b, p[0], p[1]);
A(t, q[0], q[1]);
M(b, b, t);
M(c, p[3], q[3]);
M(c, c, D2);
M(d, p[2], q[2]);
A(d, d, d);
Z(e, b, a);
Z(f, d, c);
A(g, d, c);
A(h, b, a);
Z(a, p[1], p[0])
Z(t, q[1], q[0])
M(a, a, t)
A(b, p[0], p[1])
A(t, q[0], q[1])
M(b, b, t)
M(c, p[3], q[3])
M(c, c, D2)
M(d, p[2], q[2])
A(d, d, d)
Z(e, b, a)
Z(f, d, c)
A(g, d, c)
A(h, b, a)
M(p[0], e, f);
M(p[1], h, g);
M(p[2], g, f);
M(p[3], e, h);
M(p[0], e, f)
M(p[1], h, g)
M(p[2], g, f)
M(p[3], e, h)
}
function cswap (p, q, b) {
var i;
var i
for (i = 0; i < 4; i++) {
sel25519(p[i], q[i], b);
sel25519(p[i], q[i], b)
}
}
function pack (r, p) {
var tx = gf(), ty = gf(), zi = gf();
inv25519(zi, p[2]);
M(tx, p[0], zi);
M(ty, p[1], zi);
pack25519(r, ty);
r[31] ^= par25519(tx) << 7;
var tx = gf(), ty = gf(), zi = gf()
inv25519(zi, p[2])
M(tx, p[0], zi)
M(ty, p[1], zi)
pack25519(r, ty)
r[31] ^= par25519(tx) << 7
}
function scalarmult (p, q, s) {
var b, i;
set25519(p[0], gf0);
set25519(p[1], gf1);
set25519(p[2], gf1);
set25519(p[3], gf0);
// don't mutate q
var h = [gf(q[0]), gf(q[1]), gf(q[2]), gf(q[3])]
var b, i
set25519(p[0], gf0)
set25519(p[1], gf1)
set25519(p[2], gf1)
set25519(p[3], gf0)
for (i = 255; i >= 0; --i) {
b = (s[(i/8)|0] >> (i&7)) & 1;
cswap(p, q, b);
add(q, p);
add(p, p);
cswap(p, q, b);
b = (s[(i / 8) | 0] >> (i & 7)) & 1
cswap(p, h, b)
add(h, p)
add(p, p)
cswap(p, h, b)
}
}
function scalarbase (p, s) {
var q = [gf(), gf(), gf(), gf()];
set25519(q[0], X);
set25519(q[1], Y);
set25519(q[2], gf1);
M(q[3], X, Y);
scalarmult(p, q, s);
var q = [gf(), gf(), gf(), gf()]
set25519(q[0], X)
set25519(q[1], Y)
set25519(q[2], gf1)
M(q[3], X, Y)
scalarmult(p, q, s)
}
function crypto_sign_keypair (pk, sk, seeded) {
check(pk, crypto_sign_PUBLICKEYBYTES)
check(sk, crypto_sign_SECRETKEYBYTES)
var d = new Uint8Array(64);
var p = [gf(), gf(), gf(), gf()];
var i;
var d = new Uint8Array(64)
var p = [gf(), gf(), gf(), gf()]
var i
if (!seeded) randombytes(sk, 32);
crypto_hash(d, sk, 32);
d[0] &= 248;
d[31] &= 127;
d[31] |= 64;
if (!seeded) randombytes(sk, 32)
crypto_hash(d, sk, 32)
d[0] &= 248
d[31] &= 127
d[31] |= 64
scalarbase(p, d);
pack(pk, p);
scalarbase(p, d)
pack(pk, p)
for (i = 0; i < 32; i++) sk[i+32] = pk[i];
return 0;
for (i = 0; i < 32; i++) sk[i + 32] = pk[i]
return 0
}
function crypto_sign_seed_keypair (pk, sk, seed) {
check(seed, crypto_sign_SEEDBYTES)
seed.copy(sk)
sk.set(seed)
return crypto_sign_keypair(pk, sk, true)
}
var L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10]);
var L = new Float64Array([0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10])
function modL (r, x) {
var carry, i, j, k;
var carry, i, j, k
for (i = 63; i >= 32; --i) {
carry = 0;
carry = 0
for (j = i - 32, k = i - 12; j < k; ++j) {
x[j] += carry - 16 * x[i] * L[j - (i - 32)];
carry = (x[j] + 128) >> 8;
x[j] -= carry * 256;
x[j] += carry - 16 * x[i] * L[j - (i - 32)]
carry = (x[j] + 128) >> 8
x[j] -= carry * 256
}
x[j] += carry;
x[i] = 0;
x[j] += carry
x[i] = 0
}
carry = 0;
carry = 0
for (j = 0; j < 32; j++) {
x[j] += carry - (x[31] >> 4) * L[j];
carry = x[j] >> 8;
x[j] &= 255;
x[j] += carry - (x[31] >> 4) * L[j]
carry = x[j] >> 8
x[j] &= 255
}
for (j = 0; j < 32; j++) x[j] -= carry * L[j];
for (j = 0; j < 32; j++) x[j] -= carry * L[j]
for (i = 0; i < 32; i++) {
x[i+1] += x[i] >> 8;
r[i] = x[i] & 255;
x[i + 1] += x[i] >> 8
r[i] = x[i] & 255
}
}
function reduce (r) {
var x = new Float64Array(64), i;
for (i = 0; i < 64; i++) x[i] = r[i];
for (i = 0; i < 64; i++) r[i] = 0;
modL(r, x);
var x = new Float64Array(64)
for (let i = 0; i < 64; i++) x[i] = r[i]
for (let i = 0; i < 64; i++) r[i] = 0
modL(r, x)
}
// Note: difference from C - smlen returned, not passed as argument.
@ -176,85 +190,110 @@ function crypto_sign(sm, m, sk) {
check(sk, crypto_sign_SECRETKEYBYTES)
var n = m.length
var d = new Uint8Array(64), h = new Uint8Array(64), r = new Uint8Array(64);
var i, j, x = new Float64Array(64);
var p = [gf(), gf(), gf(), gf()];
var d = new Uint8Array(64), h = new Uint8Array(64), r = new Uint8Array(64)
var i, j, x = new Float64Array(64)
var p = [gf(), gf(), gf(), gf()]
crypto_hash(d, sk, 32);
d[0] &= 248;
d[31] &= 127;
d[31] |= 64;
crypto_hash(d, sk, 32)
d[0] &= 248
d[31] &= 127
d[31] |= 64
var smlen = n + 64;
for (i = 0; i < n; i++) sm[64 + i] = m[i];
for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i];
var smlen = n + 64
for (i = 0; i < n; i++) sm[64 + i] = m[i]
for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i]
crypto_hash(r, sm.subarray(32), n+32);
reduce(r);
scalarbase(p, r);
pack(sm, p);
crypto_hash(r, sm.subarray(32), n + 32)
reduce(r)
scalarbase(p, r)
pack(sm, p)
for (i = 32; i < 64; i++) sm[i] = sk[i];
crypto_hash(h, sm, n + 64);
reduce(h);
for (i = 32; i < 64; i++) sm[i] = sk[i]
crypto_hash(h, sm, n + 64)
reduce(h)
for (i = 0; i < 64; i++) x[i] = 0;
for (i = 0; i < 32; i++) x[i] = r[i];
for (i = 0; i < 64; i++) x[i] = 0
for (i = 0; i < 32; i++) x[i] = r[i]
for (i = 0; i < 32; i++) {
for (j = 0; j < 32; j++) {
x[i+j] += h[i] * d[j];
x[i + j] += h[i] * d[j]
}
}
modL(sm.subarray(32), x);
// console.log(Buffer.from(sm).toString('hex'))
modL(sm.subarray(32), x)
return smlen
}
function crypto_sign_detached (sig, m, sk) {
var sm = new Uint8Array(m.length + crypto_sign_BYTES)
crypto_sign(sm, m, sk)
for (var i = 0; i < crypto_sign_BYTES; i++) sig[i] = sm[i]
for (let i = 0; i < crypto_sign_BYTES; i++) sig[i] = sm[i]
}
function is_zero25519 (f) {
var s = new Uint8Array(32)
pack25519(s, f)
return sodium_is_zero(s, 32)
function sodium_is_zero (n) {
let i
let d = 0
for (let i = 0; i < n.length; i++) {
d |= n[i]
}
return 1 & ((d - 1) >> 8)
}
}
function unpackneg (r, p) {
var t = gf(), chk = gf(), num = gf(),
den = gf(), den2 = gf(), den4 = gf(),
den6 = gf();
den6 = gf(), x_sqrtm1 = gf(), m_root_check = gf()
set25519(r[2], gf1);
unpack25519(r[1], p);
S(num, r[1]);
M(den, num, D);
Z(num, num, r[2]);
A(den, r[2], den);
set25519(r[2], gf1)
unpack25519(r[1], p)
S(num, r[1])
M(den, num, D)
Z(num, num, r[2])
A(den, r[2], den)
S(den2, den);
S(den4, den2);
M(den6, den4, den2);
M(t, den6, num);
M(t, t, den);
S(den2, den)
S(den4, den2)
M(den6, den4, den2)
M(t, den6, num)
M(t, t, den)
pow2523(t, t);
M(t, t, num);
M(t, t, den);
M(t, t, den);
M(r[0], t, den);
pow2523(t, t)
M(t, t, num)
M(t, t, den)
M(t, t, den)
M(r[0], t, den)
S(chk, r[0]);
M(chk, chk, den);
if (neq25519(chk, num)) M(r[0], r[0], I);
S(chk, r[0])
M(chk, chk, den)
if (neq25519(chk, num)) M(r[0], r[0], I)
S(chk, r[0]);
M(chk, chk, den);
if (neq25519(chk, num)) return -1;
S(chk, r[0])
M(chk, chk, den)
if (neq25519(chk, num)) return -1
if (par25519(r[0]) === (p[31]>>7)) Z(r[0], gf0, r[0]);
M(x_sqrtm1, r[0], I) /* x*sqrt(-1) */
// sel25519(r[0], x_sqrtm1, 1 - has_m_root)
M(r[3], r[0], r[1]);
return 0;
if (par25519(r[0]) === (p[31] >> 7)) {
Z(r[0], gf(), r[0])
}
M(r[3], r[0], r[1])
return 0
}
/* eslint-disable no-unused-vars */
function crypto_sign_open (msg, sm, pk) {
check(msg, sm.length - crypto_sign_BYTES)
check(sm, crypto_sign_BYTES)
@ -262,37 +301,38 @@ function crypto_sign_open(msg, sm, pk) {
var n = sm.length
var m = new Uint8Array(sm.length)
var i, mlen;
var t = new Uint8Array(32), h = new Uint8Array(64);
var i, mlen
var t = new Uint8Array(32), h = new Uint8Array(64)
var p = [gf(), gf(), gf(), gf()],
q = [gf(), gf(), gf(), gf()];
q = [gf(), gf(), gf(), gf()]
mlen = -1;
if (n < 64) return false;
mlen = -1
if (n < 64) return false
if (unpackneg(q, pk)) return false;
pack(t, q);
if (unpackneg(q, pk)) return false
for (i = 0; i < n; i++) m[i] = sm[i];
for (i = 0; i < 32; i++) m[i+32] = pk[i];
crypto_hash(h, m, n);
reduce(h);
scalarmult(p, q, h);
for (i = 0; i < n; i++) m[i] = sm[i]
for (i = 0; i < 32; i++) m[i + 32] = pk[i]
crypto_hash(h, m, n)
reduce(h)
scalarmult(p, q, h)
scalarbase(q, sm.subarray(32));
add(p, q);
pack(t, p);
scalarbase(q, sm.subarray(32))
add(p, q)
pack(t, p)
n -= 64;
n -= 64
if (crypto_verify_32(sm, 0, t, 0)) {
for (i = 0; i < n; i++) m[i] = 0;
return false;
for (i = 0; i < n; i++) m[i] = 0
return false
// throw new Error('crypto_sign_open failed')
}
for (i = 0; i < n; i++) msg[i] = sm[i + 64];
mlen = n;
return true;
for (i = 0; i < n; i++) msg[i] = sm[i + 64]
mlen = n
return true
}
/* eslint-enable no-unused-vars */
function crypto_sign_verify_detached (sig, m, pk) {
check(sig, crypto_sign_BYTES)
@ -304,18 +344,145 @@ function crypto_sign_verify_detached (sig, m, pk) {
}
function par25519 (a) {
var d = new Uint8Array(32);
pack25519(d, a);
return d[0] & 1;
var d = new Uint8Array(32)
pack25519(d, a)
return d[0] & 1
}
function neq25519 (a, b) {
var c = new Uint8Array(32), d = new Uint8Array(32);
pack25519(c, a);
pack25519(d, b);
return crypto_verify_32(c, 0, d, 0);
var c = new Uint8Array(32), d = new Uint8Array(32)
pack25519(c, a)
pack25519(d, b)
return crypto_verify_32(c, 0, d, 0)
}
function ed25519_mul_l (p, q) {
scalarmult(p, q, L)
}
function ed25519_is_on_main_subgroup (p) {
var pl = [gf(), gf(), gf(), gf()]
ed25519_mul_l(pl, p)
var zero = 0
for (let i = 0; i < 16; i++) {
zero |= (pl[0][i] & 0xffff)
}
return zero === 0
}
function crypto_sign_ed25519_pk_to_curve25519 (x25519_pk, ed25519_pk) {
check(x25519_pk, crypto_sign_PUBLICKEYBYTES)
check(ed25519_pk, crypto_sign_ed25519_PUBLICKEYBYTES)
var a = [gf(), gf(), gf(), gf()]
var x = gf([1])
var one_minus_y = gf([1])
if (isSmallOrder(ed25519_pk) !== 0 ||
unpackneg(a, ed25519_pk) !== 0 ||
!ed25519_is_on_main_subgroup(a)) return -1
for (let i = 0; i < a.length; i++) {
pack25519(x25519_pk, a[i]);
}
Z(one_minus_y, one_minus_y, a[1])
A(x, x, a[1])
inv25519(one_minus_y, one_minus_y)
M(x, x, one_minus_y)
pack25519(x25519_pk, x)
return 0
}
function isSmallOrder (s) {
Uint8Array.from([])
var bad_points = [
// 0 (order 4)
Uint8Array.from([0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]),
// 1 (order 1)
Uint8Array.from([0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]),
// 2707385501144840649318225287225658788936804267575313519463743609750303402022(order 8)
Uint8Array.from([0x26, 0xe8, 0x95, 0x8f, 0xc2, 0xb2, 0x27, 0xb0, 0x45, 0xc3,
0xf4, 0x89, 0xf2, 0xef, 0x98, 0xf0, 0xd5, 0xdf, 0xac, 0x05, 0xd3,
0xc6, 0x33, 0x39, 0xb1, 0x38, 0x02, 0x88, 0x6d, 0x53, 0xfc, 0x05]),
// 55188659117513257062467267217118295137698188065244968500265048394206261417927 (order 8)
Uint8Array.from([0xc7, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c,
0x0b, 0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c,
0x39, 0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0x7a]),
// p-1 (order 2)
Uint8Array.from([0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f]),
// p (=0 order 4)
Uint8Array.from([0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f]),
// p + 1 (=1 order 1)
Uint8Array.from([0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f])
]
var c = new Uint8Array(7)
var j
check (bad_points, 7)
for (let i = 0; i < bad_points.length; i++) {
for (j = 0; j < 31; j++) {
c[i] |= s[j] ^ bad_points[i][j]
}
}
for (let i = 0; i < bad_points.length; i++) {
c[i] |= (s[j] & 0x7f) ^ bad_points[i][j]
}
var k = 0
for (let i = 0; i < bad_points.length; i++) {
k |= (c[i] - 1)
}
return ((k >> 8) & 1)
}
function crypto_sign_ed25519_sk_to_pk (pk, sk) {
check(pk, crypto_sign_ed25519_PUBLICKEYBYTES)
pk.set(sk.subarray(crypto_sign_ed25519_SEEDBYTES))
return pk
}
function crypto_sign_ed25519_sk_to_curve25519 (curveSk, edSk) {
check(curveSk, crypto_sign_SECRETKEYBYTES)
check(edSk, crypto_sign_ed25519_SECRETKEYBYTES)
var h = Buffer.alloc(crypto_hash_sha512_BYTES);
crypto_hash(h, edSk, 32)
h[0] &= 248;
h[31] &= 127;
h[31] |= 64;
curveSk.set(edSk)
h.fill(0)
return curveSk
}
function check (buf, len) {
if (!buf || (len && buf.length < len)) throw new Error('Argument must be a buffer' + (len ? ' of length ' + len : ''))
}