Add ed25519 conversion operations (#46)

* add ed25519 methods and constants

crypto_sign.js

@@ -8,11 +8,19 @@ const {
   inv25519, unpack25519
 } = require('./internal/ed25519')
 const { randombytes } = require('./randombytes')
+const { crypto_scalarmult_BYTES } = require('./crypto_scalarmult.js')
+const { crypto_hash_sha512_BYTES } = require('./crypto_hash.js')
+const assert = require('nanoassert')
 
-const crypto_sign_BYTES = 64
+const crypto_sign_ed25519_PUBLICKEYBYTES = 32
-const crypto_sign_PUBLICKEYBYTES = 32
+const crypto_sign_ed25519_SECRETKEYBYTES = 64
-const crypto_sign_SECRETKEYBYTES = 64
+const crypto_sign_ed25519_SEEDBYTES = 32
-const crypto_sign_SEEDBYTES = 32
+const crypto_sign_ed25519_BYTES = 64
+
+const crypto_sign_BYTES = crypto_sign_ed25519_BYTES
+const crypto_sign_PUBLICKEYBYTES = crypto_sign_ed25519_PUBLICKEYBYTES
+const crypto_sign_SECRETKEYBYTES = crypto_sign_ed25519_SECRETKEYBYTES
+const crypto_sign_SEEDBYTES = crypto_sign_ed25519_SEEDBYTES
 
 module.exports = {
   crypto_sign_keypair,
@@ -24,7 +32,15 @@ module.exports = {
   crypto_sign_BYTES,
   crypto_sign_PUBLICKEYBYTES,
   crypto_sign_SECRETKEYBYTES,
-  crypto_sign_SEEDBYTES
+  crypto_sign_SEEDBYTES,
+  crypto_sign_ed25519_PUBLICKEYBYTES,
+  crypto_sign_ed25519_SECRETKEYBYTES,
+  crypto_sign_ed25519_SEEDBYTES,
+  crypto_sign_ed25519_BYTES,
+  crypto_sign_ed25519_pk_to_curve25519,
+  crypto_sign_ed25519_sk_to_curve25519,
+  unpackneg,
+  pack
 }
 
 function set25519 (r, a) {
@@ -85,6 +101,8 @@ function pack (r, p) {
 }
 
 function scalarmult (p, q, s) {
+  // don't mutate q
+  var h = [gf(q[0]), gf(q[1]), gf(q[2]), gf(q[3])]
   var b, i
   set25519(p[0], gf0)
   set25519(p[1], gf1)
@@ -92,10 +110,10 @@ function scalarmult (p, q, s) {
   set25519(p[3], gf0)
   for (i = 255; i >= 0; --i) {
     b = (s[(i / 8) | 0] >> (i & 7)) & 1
-    cswap(p, q, b)
+    cswap(p, h, b)
-    add(q, p)
+    add(h, p)
     add(p, p)
-    cswap(p, q, b)
+    cswap(p, h, b)
   }
 }
 
@@ -126,7 +144,6 @@ function crypto_sign_keypair (pk, sk, seeded) {
   pack(pk, p)
 
   for (i = 0; i < 32; i++) sk[i + 32] = pk[i]
-  return 0
 }
 
 function crypto_sign_seed_keypair (pk, sk, seed) {
@@ -216,6 +233,24 @@ function crypto_sign_detached (sig, m, sk) {
   for (let i = 0; i < crypto_sign_BYTES; i++) sig[i] = sm[i]
 }
 
+function is_zero25519 (f) {
+  var s = new Uint8Array(32)
+  pack25519(s, f)
+
+  return sodium_is_zero(s, 32)
+
+  function sodium_is_zero (n) {
+    let i
+    let d = 0
+
+    for (let i = 0; i < n.length; i++) {
+      d |= n[i]
+    }
+
+    return 1 & ((d - 1) >> 8)
+  }
+}
+
 function unpackneg (r, p) {
   var t = gf(), chk = gf(), num = gf(),
     den = gf(), den2 = gf(), den4 = gf(),
@@ -248,7 +283,9 @@ function unpackneg (r, p) {
   M(chk, chk, den)
   if (!neq25519(chk, num)) return false
 
-  if (par25519(r[0]) === (p[31] >> 7)) Z(r[0], gf0, r[0])
+  if (par25519(r[0]) === (p[31] >> 7)) {
+    Z(r[0], gf(), r[0])
+  }
 
   M(r[3], r[0], r[1])
   return true
@@ -317,6 +354,134 @@ function neq25519 (a, b) {
   return crypto_verify_32(c, 0, d, 0)
 }
 
-function check (buf, len) {
+function ed25519_mul_l (p, q) {
-  if (!buf || (len && buf.length < len)) throw new Error('Argument must be a buffer' + (len ? ' of length ' + len : ''))
+  scalarmult(p, q, L)
+}
+
+function ed25519_is_on_main_subgroup (p) {
+  var pl = [gf(), gf(), gf(), gf()]
+
+  ed25519_mul_l(pl, p)
+
+  var zero = 0
+  for (let i = 0; i < 16; i++) {
+    zero |= (pl[0][i] & 0xffff)
+  }
+
+  return zero === 0
+}
+
+function crypto_sign_ed25519_pk_to_curve25519 (x25519_pk, ed25519_pk) {
+  check(x25519_pk, crypto_sign_PUBLICKEYBYTES)
+  check(ed25519_pk, crypto_sign_ed25519_PUBLICKEYBYTES)
+
+  var a = [gf(), gf(), gf(), gf()]
+  var x = gf([1])
+  var one_minus_y = gf([1])
+
+  assert(
+    isSmallOrder(ed25519_pk) &&
+    unpackneg(a, ed25519_pk) &&
+    ed25519_is_on_main_subgroup(a), 'Cannot convert key: bad point')
+
+  for (let i = 0; i < a.length; i++) {
+    pack25519(x25519_pk, a[i]);
+  }
+
+  Z(one_minus_y, one_minus_y, a[1])
+  A(x, x, a[1])
+  inv25519(one_minus_y, one_minus_y)
+  M(x, x, one_minus_y)
+  pack25519(x25519_pk, x)
+
+  return 0
+}
+
+function isSmallOrder (s) {
+  Uint8Array.from([])
+
+  var bad_points = [
+    // 0 (order 4)
+    Uint8Array.from([0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]),
+
+    // 1 (order 1)
+    Uint8Array.from([0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]),
+
+    // 2707385501144840649318225287225658788936804267575313519463743609750303402022(order 8)
+    Uint8Array.from([0x26, 0xe8, 0x95, 0x8f, 0xc2, 0xb2, 0x27, 0xb0, 0x45, 0xc3,
+      0xf4, 0x89, 0xf2, 0xef, 0x98, 0xf0, 0xd5, 0xdf, 0xac, 0x05, 0xd3,
+      0xc6, 0x33, 0x39, 0xb1, 0x38, 0x02, 0x88, 0x6d, 0x53, 0xfc, 0x05]),
+
+    // 55188659117513257062467267217118295137698188065244968500265048394206261417927 (order 8)
+    Uint8Array.from([0xc7, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c,
+      0x0b, 0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c,
+      0x39, 0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0x7a]),
+
+    // p-1 (order 2)
+    Uint8Array.from([0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f]),
+
+    //  p (=0 order 4)
+    Uint8Array.from([0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f]),
+
+    // p + 1 (=1 order 1)
+    Uint8Array.from([0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f])
+  ]
+
+  var c = new Uint8Array(7)
+  var j
+
+  check (bad_points, 7)
+  for (let i = 0; i < bad_points.length; i++) {
+    for (j = 0; j < 31; j++) {
+      c[i] |= s[j] ^ bad_points[i][j]
+    }
+  }
+
+  for (let i = 0; i < bad_points.length; i++) {
+    c[i] |= (s[j] & 0x7f) ^ bad_points[i][j]
+  }
+
+  var k = 0
+  for (let i = 0; i < bad_points.length; i++) {
+    k |= (c[i] - 1)
+  }
+
+  return ((k >> 8) & 1) === 0
+}
+
+function crypto_sign_ed25519_sk_to_pk (pk, sk) {
+  check(pk, crypto_sign_ed25519_PUBLICKEYBYTES)
+  pk.set(sk.subarray(crypto_sign_ed25519_SEEDBYTES))
+  return pk
+}
+
+function crypto_sign_ed25519_sk_to_curve25519 (curveSk, edSk) {
+  assert(curveSk && curveSk.byteLength === crypto_scalarmult_BYTES, "curveSk must be 'crypto_sign_SECRETKEYBYTES' long")
+  assert(edSk && edSk.byteLength === crypto_sign_ed25519_SECRETKEYBYTES, "edSk must be 'crypto_sign_ed25519_SECRETKEYBYTES' long")
+
+  var h = Buffer.alloc(crypto_hash_sha512_BYTES);
+  crypto_hash(h, edSk, 32)
+
+  h[0] &= 248;
+  h[31] &= 127;
+  h[31] |= 64;
+
+  curveSk.set(h.subarray(0, crypto_scalarmult_BYTES))
+  h.fill(0)
+  return curveSk
+}
+
+
+function check (buf, len, arg = 'Argument') {
+  if (!buf || (len && buf.length < len)) throw new Error(arg + ' must be a buffer' + (len ? ' of length ' + len : ''))
 }

package.json

@@ -14,7 +14,7 @@
   },
   "devDependencies": {
     "browserify": "^16.5.1",
-    "sodium-test": "^0.9.0",
+    "sodium-test": "^0.10.0",
     "standard": "^14.3.4",
     "tape-run": "^7.0.0"
   },