2013-02-04 13:48:25 -05:00
|
|
|
#include "ed25519.h"
|
2013-04-11 14:17:21 -04:00
|
|
|
#include "sha512.h"
|
2013-02-04 11:56:19 -05:00
|
|
|
#include "ge.h"
|
|
|
|
#include "sc.h"
|
|
|
|
|
|
|
|
|
|
|
|
/* see http://crypto.stackexchange.com/a/6215/4697 */
|
|
|
|
void ed25519_add_scalar(unsigned char *public_key, unsigned char *private_key, const unsigned char *scalar) {
|
|
|
|
const unsigned char SC_1[32] = {1}; /* scalar with value 1 */
|
|
|
|
|
2013-04-11 14:17:21 -04:00
|
|
|
unsigned char n[32];
|
|
|
|
unsigned char salt[64];
|
2013-02-04 11:56:19 -05:00
|
|
|
ge_p3 nB;
|
|
|
|
ge_p1p1 A_p1p1;
|
2013-04-11 12:53:20 -04:00
|
|
|
ge_p3 A;
|
2013-02-04 11:56:19 -05:00
|
|
|
ge_p3 public_key_unpacked;
|
|
|
|
ge_cached T;
|
|
|
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
/* copy the scalar and clear highest bit */
|
|
|
|
for (i = 0; i < 31; ++i) {
|
|
|
|
n[i] = scalar[i];
|
|
|
|
}
|
|
|
|
n[31] = scalar[31] & 127;
|
|
|
|
|
|
|
|
/* private key: a = n + t */
|
2013-04-11 14:17:21 -04:00
|
|
|
/* we also create a new salt, just to be sure */
|
2013-02-04 11:56:19 -05:00
|
|
|
if (private_key) {
|
|
|
|
sc_muladd(private_key, SC_1, n, private_key);
|
2013-04-11 14:17:21 -04:00
|
|
|
|
2013-04-11 14:18:49 -04:00
|
|
|
/* generate new salt as the last 32 bytes of SHA512(new_private_key, old_salt) */
|
|
|
|
sha512(private_key, 64, salt);
|
|
|
|
for (i = 0; i < 32; ++i) {
|
|
|
|
private_key[i + 32] = salt[i + 32];
|
|
|
|
}
|
2013-02-04 11:56:19 -05:00
|
|
|
}
|
|
|
|
|
2013-04-11 12:53:20 -04:00
|
|
|
/* public key: A = nB + T */
|
2013-02-04 11:56:19 -05:00
|
|
|
if (public_key) {
|
2013-04-11 12:53:20 -04:00
|
|
|
/* if we know the private key we don't need a point addition, which is faster */
|
|
|
|
/* using a "timing attack" you could find out wether or not we know the private
|
|
|
|
key, but this information seems rather useless - if this is important pass
|
|
|
|
public_key and private_key seperately in 2 function calls */
|
|
|
|
if (private_key) {
|
|
|
|
ge_scalarmult_base(&A, private_key);
|
|
|
|
} else {
|
|
|
|
/* unpack public key into T */
|
|
|
|
ge_frombytes_negate_vartime(&public_key_unpacked, public_key);
|
|
|
|
fe_neg(public_key_unpacked.X, public_key_unpacked.X); // undo negate
|
|
|
|
fe_neg(public_key_unpacked.T, public_key_unpacked.T); // undo negate
|
|
|
|
ge_p3_to_cached(&T, &public_key_unpacked);
|
|
|
|
|
|
|
|
/* calculate n*B */
|
|
|
|
ge_scalarmult_base(&nB, n);
|
|
|
|
|
|
|
|
/* A = n*B + T */
|
|
|
|
ge_add(&A_p1p1, &nB, &T);
|
|
|
|
ge_p1p1_to_p3(&A, &A_p1p1);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* pack public key */
|
|
|
|
ge_p3_tobytes(public_key, &A);
|
2013-02-04 11:56:19 -05:00
|
|
|
}
|
|
|
|
}
|