| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 |
- #include "ed25519.h"
- #include "ge.h"
- #include "sc.h"
- #include "sha512.h"
- /* see http://crypto.stackexchange.com/a/6215/4697 */
- void ed25519_add_scalar(unsigned char *public_key, unsigned char *private_key, const unsigned char *scalar) {
- const unsigned char SC_1[32] = {1}; /* scalar with value 1 */
-
- unsigned char n[32];
- ge_p3 nB;
- ge_p1p1 A_p1p1;
- ge_p3 A;
- ge_p3 public_key_unpacked;
- ge_cached T;
- sha512_context hash;
- unsigned char hashbuf[64];
- int i;
- /* copy the scalar and clear highest bit */
- for (i = 0; i < 31; ++i) {
- n[i] = scalar[i];
- }
- n[31] = scalar[31] & 127;
- /* private key: a = n + t */
- if (private_key) {
- sc_muladd(private_key, SC_1, n, private_key);
- // https://github.com/orlp/ed25519/issues/3
- sha512_init(&hash);
- sha512_update(&hash, private_key + 32, 32);
- sha512_update(&hash, scalar, 32);
- sha512_final(&hash, hashbuf);
- for (i = 0; i < 32; ++i) {
- private_key[32 + i] = hashbuf[i];
- }
- }
- /* public key: A = nB + T */
- if (public_key) {
- /* if we know the private key we don't need a point addition, which is faster */
- /* using a "timing attack" you could find out wether or not we know the private
- key, but this information seems rather useless - if this is important pass
- public_key and private_key seperately in 2 function calls */
- if (private_key) {
- ge_scalarmult_base(&A, private_key);
- } else {
- /* unpack public key into T */
- ge_frombytes_negate_vartime(&public_key_unpacked, public_key);
- fe_neg(public_key_unpacked.X, public_key_unpacked.X); /* undo negate */
- fe_neg(public_key_unpacked.T, public_key_unpacked.T); /* undo negate */
- ge_p3_to_cached(&T, &public_key_unpacked);
- /* calculate n*B */
- ge_scalarmult_base(&nB, n);
- /* A = n*B + T */
- ge_add(&A_p1p1, &nB, &T);
- ge_p1p1_to_p3(&A, &A_p1p1);
- }
-
- /* pack public key */
- ge_p3_tobytes(public_key, &A);
- }
- }
|
