High severity7.5NVD Advisory· Published May 14, 2024· Updated Apr 15, 2026
CVE-2024-30172
CVE-2024-30172
Description
An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.bouncycastle:bcprov-jdk18onMaven | >= 1.73, < 1.78 | 1.78 |
org.bouncycastle:bcprov-jdk15to18Maven | >= 1.73, < 1.78 | 1.78 |
org.bouncycastle:bcprov-jdk14Maven | >= 1.73, < 1.78 | 1.78 |
org.bouncycastle:bctls-jdk18onMaven | >= 1.73, < 1.78 | 1.78 |
org.bouncycastle:bctls-jdk14Maven | >= 1.73, < 1.78 | 1.78 |
org.bouncycastle:bctls-jdk15to18Maven | >= 1.73, < 1.78 | 1.78 |
BouncyCastleNuGet | >= 0 | — |
BouncyCastle.CryptographyNuGet | < 2.3.1 | 2.3.1 |
Patches
3ebe1c7557917EdDSA: Explicit guard against infinite looping
5 files changed · +56 −20
core/src/main/java/org/bouncycastle/math/ec/rfc8032/Ed25519.java+12 −2 modified@@ -566,7 +566,12 @@ private static boolean implVerify(byte[] sig, int sigOff, byte[] pk, int pkOff, int[] v0 = new int[4]; int[] v1 = new int[4]; - Scalar25519.reduceBasisVar(nA, v0, v1); + + if (!Scalar25519.reduceBasisVar(nA, v0, v1)) + { + throw new IllegalStateException(); + } + Scalar25519.multiply128Var(nS, v1, nS); PointAccum pZ = new PointAccum(); @@ -628,7 +633,12 @@ private static boolean implVerify(byte[] sig, int sigOff, PublicPoint publicPoin int[] v0 = new int[4]; int[] v1 = new int[4]; - Scalar25519.reduceBasisVar(nA, v0, v1); + + if (!Scalar25519.reduceBasisVar(nA, v0, v1)) + { + throw new IllegalStateException(); + } + Scalar25519.multiply128Var(nS, v1, nS); PointAccum pZ = new PointAccum();
core/src/main/java/org/bouncycastle/math/ec/rfc8032/Ed448.java+12 −2 modified@@ -510,7 +510,12 @@ private static boolean implVerify(byte[] sig, int sigOff, byte[] pk, int pkOff, int[] v0 = new int[8]; int[] v1 = new int[8]; - Scalar448.reduceBasisVar(nA, v0, v1); + + if (!Scalar448.reduceBasisVar(nA, v0, v1)) + { + throw new IllegalStateException(); + } + Scalar448.multiply225Var(nS, v1, nS); PointProjective pZ = new PointProjective(); @@ -569,7 +574,12 @@ private static boolean implVerify(byte[] sig, int sigOff, PublicPoint publicPoin int[] v0 = new int[8]; int[] v1 = new int[8]; - Scalar448.reduceBasisVar(nA, v0, v1); + + if (!Scalar448.reduceBasisVar(nA, v0, v1)) + { + throw new IllegalStateException(); + } + Scalar448.multiply225Var(nS, v1, nS); PointProjective pZ = new PointProjective();
core/src/main/java/org/bouncycastle/math/ec/rfc8032/Scalar25519.java+9 −1 modified@@ -295,7 +295,7 @@ static byte[] reduce512(byte[] n) return r; } - static void reduceBasisVar(int[] k, int[] z0, int[] z1) + static boolean reduceBasisVar(int[] k, int[] z0, int[] z1) { /* * Split scalar k into two half-size scalars z0 and z1, such that z1 * k == z0 mod L. @@ -312,11 +312,18 @@ static void reduceBasisVar(int[] k, int[] z0, int[] z1) int[] v0 = new int[4]; System.arraycopy(k, 0, v0, 0, 4); int[] v1 = new int[4]; v1[0] = 1; + // Conservative upper bound on the number of loop iterations needed + int iterations = TARGET_LENGTH * 4; int last = 15; int len_Nv = ScalarUtil.getBitLengthPositive(last, Nv); while (len_Nv > TARGET_LENGTH) { + if (--iterations < 0) + { + return false; + } + int len_p = ScalarUtil.getBitLength(last, p); int s = len_p - len_Nv; s &= ~(s >> 31); @@ -346,6 +353,7 @@ static void reduceBasisVar(int[] k, int[] z0, int[] z1) // v1 * k == v0 mod L System.arraycopy(v0, 0, z0, 0, 4); System.arraycopy(v1, 0, z1, 0, 4); + return true; } static void toSignedDigits(int bits, int[] z)
core/src/main/java/org/bouncycastle/math/ec/rfc8032/Scalar448.java+9 −1 modified@@ -560,7 +560,7 @@ static byte[] reduce912(byte[] n) return r; } - static void reduceBasisVar(int[] k, int[] z0, int[] z1) + static boolean reduceBasisVar(int[] k, int[] z0, int[] z1) { /* * Split scalar k into two half-size scalars z0 and z1, such that z1 * k == z0 mod L. @@ -577,11 +577,18 @@ static void reduceBasisVar(int[] k, int[] z0, int[] z1) int[] v0 = new int[8]; System.arraycopy(k, 0, v0, 0, 8); int[] v1 = new int[8]; v1[0] = 1; + // Conservative upper bound on the number of loop iterations needed + int iterations = TARGET_LENGTH * 4; int last = 27; int len_Nv = ScalarUtil.getBitLengthPositive(last, Nv); while (len_Nv > TARGET_LENGTH) { + if (--iterations < 0) + { + return false; + } + int len_p = ScalarUtil.getBitLength(last, p); int s = len_p - len_Nv; s &= ~(s >> 31); @@ -614,6 +621,7 @@ static void reduceBasisVar(int[] k, int[] z0, int[] z1) // v1 * k == v0 mod L System.arraycopy(v0, 0, z0, 0, 8); System.arraycopy(v1, 0, z1, 0, 8); + return true; } static void toSignedDigits(int bits, int[] x, int[] z)
core/src/main/java/org/bouncycastle/math/ec/rfc8032/ScalarUtil.java+14 −14 modified@@ -22,11 +22,11 @@ static void addShifted_NP(int last, int s, int[] Nu, int[] Nv, int[] p, int[] t) cc_p += p_i & M; cc_p += Nv[i] & M; - p_i = (int)cc_p; cc_p >>= 32; - p[i] = p_i; + p_i = (int)cc_p; cc_p >>>= 32; + p[i] = p_i; cc_Nu += p_i & M; - Nu[i] = (int)cc_Nu; cc_Nu >>= 32; + Nu[i] = (int)cc_Nu; cc_Nu >>>= 32; } } else if (s < 32) @@ -50,20 +50,20 @@ else if (s < 32) cc_p += p_i & M; cc_p += v_s & M; - p_i = (int)cc_p; cc_p >>= 32; + p_i = (int)cc_p; cc_p >>>= 32; p[i] = p_i; int q_s = (p_i << s) | (prev_q >>> -s); - prev_q =p_i; + prev_q = p_i; cc_Nu += q_s & M; - Nu[i] = (int)cc_Nu; cc_Nu >>= 32; + Nu[i] = (int)cc_Nu; cc_Nu >>>= 32; } } else { - // Keep the original value of p in t. - System.arraycopy(p, 0, t, 0, p.length); + // Copy the low limbs of the original p + System.arraycopy(p, 0, t, 0, last); int sWords = s >>> 5; int sBits = s & 31; if (sBits == 0) @@ -75,10 +75,10 @@ else if (s < 32) cc_p += p[i] & M; cc_p += Nv[i - sWords] & M; - p[i] = (int)cc_p; cc_p >>= 32; + p[i] = (int)cc_p; cc_p >>>= 32; cc_Nu += p[i - sWords] & M; - Nu[i] = (int)cc_Nu; cc_Nu >>= 32; + Nu[i] = (int)cc_Nu; cc_Nu >>>= 32; } } else @@ -102,14 +102,14 @@ else if (s < 32) cc_p += p[i] & M; cc_p += v_s & M; - p[i] = (int)cc_p; cc_p >>= 32; + p[i] = (int)cc_p; cc_p >>>= 32; int next_q = p[i - sWords]; int q_s = (next_q << sBits) | (prev_q >>> -sBits); prev_q = next_q; cc_Nu += q_s & M; - Nu[i] = (int)cc_Nu; cc_Nu >>= 32; + Nu[i] = (int)cc_Nu; cc_Nu >>>= 32; } } } @@ -251,8 +251,8 @@ else if (s < 32) } else { - // Keep the original value of p in t. - System.arraycopy(p, 0, t, 0, p.length); + // Copy the low limbs of the original p + System.arraycopy(p, 0, t, 0, last); int sWords = s >>> 5; int sBits = s & 31; if (sBits == 0)
9c165791b68aFix for EdDSA verification infinite loop
3 files changed · +164 −54
core/src/main/java/org/bouncycastle/math/ec/rfc8032/Scalar25519.java+3 −2 modified@@ -306,6 +306,7 @@ static void reduceBasisVar(int[] k, int[] z0, int[] z1) int[] Nu = new int[16]; System.arraycopy(LSq, 0, Nu, 0, 16); int[] Nv = new int[16]; Nat256.square(k, Nv); ++Nv[0]; int[] p = new int[16]; Nat256.mul(L, k, p); + int[] t = new int[16]; // temp array int[] u0 = new int[4]; System.arraycopy(L, 0, u0, 0, 4); int[] u1 = new int[4]; int[] v0 = new int[4]; System.arraycopy(k, 0, v0, 0, 4); @@ -322,12 +323,12 @@ static void reduceBasisVar(int[] k, int[] z0, int[] z1) if (p[last] < 0) { - ScalarUtil.addShifted_NP(last, s, Nu, Nv, p); + ScalarUtil.addShifted_NP(last, s, Nu, Nv, p, t); ScalarUtil.addShifted_UV(3, s, u0, u1, v0, v1); } else { - ScalarUtil.subShifted_NP(last, s, Nu, Nv, p); + ScalarUtil.subShifted_NP(last, s, Nu, Nv, p, t); ScalarUtil.subShifted_UV(3, s, u0, u1, v0, v1); }
core/src/main/java/org/bouncycastle/math/ec/rfc8032/Scalar448.java+3 −2 modified@@ -571,6 +571,7 @@ static void reduceBasisVar(int[] k, int[] z0, int[] z1) int[] Nu = new int[28]; System.arraycopy(LSq, 0, Nu, 0, 28); int[] Nv = new int[28]; Nat448.square(k, Nv); ++Nv[0]; int[] p = new int[28]; Nat448.mul(L, k, p); + int[] t = new int[28]; // temp array int[] u0 = new int[8]; System.arraycopy(L, 0, u0, 0, 8); int[] u1 = new int[8]; int[] v0 = new int[8]; System.arraycopy(k, 0, v0, 0, 8); @@ -587,12 +588,12 @@ static void reduceBasisVar(int[] k, int[] z0, int[] z1) if (p[last] < 0) { - ScalarUtil.addShifted_NP(last, s, Nu, Nv, p); + ScalarUtil.addShifted_NP(last, s, Nu, Nv, p, t); ScalarUtil.addShifted_UV(7, s, u0, u1, v0, v1); } else { - ScalarUtil.subShifted_NP(last, s, Nu, Nv, p); + ScalarUtil.subShifted_NP(last, s, Nu, Nv, p, t); ScalarUtil.subShifted_UV(7, s, u0, u1, v0, v1); }
core/src/main/java/org/bouncycastle/math/ec/rfc8032/ScalarUtil.java+158 −50 modified@@ -6,57 +6,111 @@ abstract class ScalarUtil { private static final long M = 0xFFFFFFFFL; - static void addShifted_NP(int last, int s, int[] Nu, int[] Nv, int[] _p) + static void addShifted_NP(int last, int s, int[] Nu, int[] Nv, int[] p, int[] t) { - int sWords = s >>> 5, sBits = s & 31; - - long cc__p = 0L; + long cc_p = 0L; long cc_Nu = 0L; - if (sBits == 0) + if (s == 0) { - for (int i = sWords; i <= last; ++i) + for (int i = 0; i <= last; ++i) { + int p_i = p[i]; + cc_Nu += Nu[i] & M; - cc_Nu += _p[i - sWords] & M; + cc_Nu += p_i & M; - cc__p += _p[i] & M; - cc__p += Nv[i - sWords] & M; - _p[i] = (int)cc__p; cc__p >>>= 32; + cc_p += p_i & M; + cc_p += Nv[i] & M; + p_i = (int)cc_p; cc_p >>= 32; + p[i] = p_i; - cc_Nu += _p[i - sWords] & M; - Nu[i] = (int)cc_Nu; cc_Nu >>>= 32; + cc_Nu += p_i & M; + Nu[i] = (int)cc_Nu; cc_Nu >>= 32; } } - else + else if (s < 32) { int prev_p = 0; int prev_q = 0; int prev_v = 0; - for (int i = sWords; i <= last; ++i) + for (int i = 0; i <= last; ++i) { - int next_p = _p[i - sWords]; - int p_s = (next_p << sBits) | (prev_p >>> -sBits); - prev_p = next_p; + int p_i = p[i]; + int p_s = (p_i << s) | (prev_p >>> -s); + prev_p = p_i; cc_Nu += Nu[i] & M; cc_Nu += p_s & M; - int next_v = Nv[i - sWords]; - int v_s = (next_v << sBits) | (prev_v >>> -sBits); + int next_v = Nv[i]; + int v_s = (next_v << s) | (prev_v >>> -s); prev_v = next_v; - cc__p += _p[i] & M; - cc__p += v_s & M; - _p[i] = (int)cc__p; cc__p >>>= 32; + cc_p += p_i & M; + cc_p += v_s & M; + p_i = (int)cc_p; cc_p >>= 32; + p[i] = p_i; - int next_q = _p[i - sWords]; - int q_s = (next_q << sBits) | (prev_q >>> -sBits); - prev_q = next_q; + int q_s = (p_i << s) | (prev_q >>> -s); + prev_q =p_i; cc_Nu += q_s & M; - Nu[i] = (int)cc_Nu; cc_Nu >>>= 32; + Nu[i] = (int)cc_Nu; cc_Nu >>= 32; + } + } + else + { + // Keep the original value of p in t. + System.arraycopy(p, 0, t, 0, p.length); + + int sWords = s >>> 5; int sBits = s & 31; + if (sBits == 0) + { + for (int i = sWords; i <= last; ++i) + { + cc_Nu += Nu[i] & M; + cc_Nu += t[i - sWords] & M; + + cc_p += p[i] & M; + cc_p += Nv[i - sWords] & M; + p[i] = (int)cc_p; cc_p >>= 32; + + cc_Nu += p[i - sWords] & M; + Nu[i] = (int)cc_Nu; cc_Nu >>= 32; + } + } + else + { + int prev_t = 0; + int prev_q = 0; + int prev_v = 0; + + for (int i = sWords; i <= last; ++i) + { + int next_t = t[i - sWords]; + int t_s = (next_t << sBits) | (prev_t >>> -sBits); + prev_t = next_t; + + cc_Nu += Nu[i] & M; + cc_Nu += t_s & M; + + int next_v = Nv[i - sWords]; + int v_s = (next_v << sBits) | (prev_v >>> -sBits); + prev_v = next_v; + + cc_p += p[i] & M; + cc_p += v_s & M; + p[i] = (int)cc_p; cc_p >>= 32; + + int next_q = p[i - sWords]; + int q_s = (next_q << sBits) | (prev_q >>> -sBits); + prev_q = next_q; + + cc_Nu += q_s & M; + Nu[i] = (int)cc_Nu; cc_Nu >>= 32; + } } } } @@ -141,59 +195,113 @@ static boolean lessThan(int last, int[] x, int[] y) return false; } - static void subShifted_NP(int last, int s, int[] Nu, int[] Nv, int[] _p) + static void subShifted_NP(int last, int s, int[] Nu, int[] Nv, int[] p, int[] t) { - int sWords = s >>> 5, sBits = s & 31; - - long cc__p = 0L; + long cc_p = 0L; long cc_Nu = 0L; - if (sBits == 0) + if (s == 0) { - for (int i = sWords; i <= last; ++i) + for (int i = 0; i <= last; ++i) { + int p_i = p[i]; + cc_Nu += Nu[i] & M; - cc_Nu -= _p[i - sWords] & M; + cc_Nu -= p_i & M; - cc__p += _p[i] & M; - cc__p -= Nv[i - sWords] & M; - _p[i] = (int)cc__p; cc__p >>= 32; + cc_p += p_i & M; + cc_p -= Nv[i] & M; + p_i = (int)cc_p; cc_p >>= 32; + p[i] = p_i; - cc_Nu -= _p[i - sWords] & M; + cc_Nu -= p_i & M; Nu[i] = (int)cc_Nu; cc_Nu >>= 32; } } - else + else if (s < 32) { int prev_p = 0; int prev_q = 0; int prev_v = 0; - for (int i = sWords; i <= last; ++i) + for (int i = 0; i <= last; ++i) { - int next_p = _p[i - sWords]; - int p_s = (next_p << sBits) | (prev_p >>> -sBits); - prev_p = next_p; + int p_i = p[i]; + int p_s = (p_i << s) | (prev_p >>> -s); + prev_p = p_i; cc_Nu += Nu[i] & M; cc_Nu -= p_s & M; - int next_v = Nv[i - sWords]; - int v_s = (next_v << sBits) | (prev_v >>> -sBits); + int next_v = Nv[i]; + int v_s = (next_v << s) | (prev_v >>> -s); prev_v = next_v; - cc__p += _p[i] & M; - cc__p -= v_s & M; - _p[i] = (int)cc__p; cc__p >>= 32; + cc_p += p_i & M; + cc_p -= v_s & M; + p_i = (int)cc_p; cc_p >>= 32; + p[i] = p_i; - int next_q = _p[i - sWords]; - int q_s = (next_q << sBits) | (prev_q >>> -sBits); - prev_q = next_q; + int q_s = (p_i << s) | (prev_q >>> -s); + prev_q = p_i; cc_Nu -= q_s & M; Nu[i] = (int)cc_Nu; cc_Nu >>= 32; } } + else + { + // Keep the original value of p in t. + System.arraycopy(p, 0, t, 0, p.length); + + int sWords = s >>> 5; int sBits = s & 31; + if (sBits == 0) + { + for (int i = sWords; i <= last; ++i) + { + cc_Nu += Nu[i] & M; + cc_Nu -= t[i - sWords] & M; + + cc_p += p[i] & M; + cc_p -= Nv[i - sWords] & M; + p[i] = (int)cc_p; cc_p >>= 32; + + cc_Nu -= p[i - sWords] & M; + Nu[i] = (int)cc_Nu; cc_Nu >>= 32; + } + } + else + { + int prev_t = 0; + int prev_q = 0; + int prev_v = 0; + + for (int i = sWords; i <= last; ++i) + { + int next_t = t[i - sWords]; + int t_s = (next_t << sBits) | (prev_t >>> -sBits); + prev_t = next_t; + + cc_Nu += Nu[i] & M; + cc_Nu -= t_s & M; + + int next_v = Nv[i - sWords]; + int v_s = (next_v << sBits) | (prev_v >>> -sBits); + prev_v = next_v; + + cc_p += p[i] & M; + cc_p -= v_s & M; + p[i] = (int)cc_p; cc_p >>= 32; + + int next_q = p[i - sWords]; + int q_s = (next_q << sBits) | (prev_q >>> -sBits); + prev_q = next_q; + + cc_Nu -= q_s & M; + Nu[i] = (int)cc_Nu; cc_Nu >>= 32; + } + } + } } static void subShifted_UV(int last, int s, int[] u0, int[] u1, int[] v0, int[] v1)
1b9fd9b545e6EdDSA improvements from bc-csharp
17 files changed · +2554 −1096
core/src/main/java/org/bouncycastle/crypto/params/Ed25519PrivateKeyParameters.java+1 −3 modified@@ -64,9 +64,7 @@ public Ed25519PublicKeyParameters generatePublicKey() { if (null == cachedPublicKey) { - byte[] publicKey = new byte[Ed25519.PUBLIC_KEY_SIZE]; - Ed25519.generatePublicKey(data, 0, publicKey, 0); - cachedPublicKey = new Ed25519PublicKeyParameters(publicKey, 0); + cachedPublicKey = new Ed25519PublicKeyParameters(Ed25519.generatePublicKey(data, 0)); } return cachedPublicKey;
core/src/main/java/org/bouncycastle/crypto/params/Ed25519PublicKeyParameters.java+35 −8 modified@@ -5,15 +5,14 @@ import java.io.InputStream; import org.bouncycastle.math.ec.rfc8032.Ed25519; -import org.bouncycastle.util.Arrays; import org.bouncycastle.util.io.Streams; public final class Ed25519PublicKeyParameters extends AsymmetricKeyParameter { public static final int KEY_SIZE = Ed25519.PUBLIC_KEY_SIZE; - private final byte[] data = new byte[KEY_SIZE]; + private final Ed25519.PublicPoint publicPoint; public Ed25519PublicKeyParameters(byte[] buf) { @@ -24,27 +23,45 @@ public Ed25519PublicKeyParameters(byte[] buf, int off) { super(false); - System.arraycopy(buf, off, data, 0, KEY_SIZE); + this.publicPoint = parse(buf, off); } public Ed25519PublicKeyParameters(InputStream input) throws IOException { super(false); + byte[] data = new byte[KEY_SIZE]; + if (KEY_SIZE != Streams.readFully(input, data)) { throw new EOFException("EOF encountered in middle of Ed25519 public key"); } + + this.publicPoint = parse(data, 0); + } + + public Ed25519PublicKeyParameters(Ed25519.PublicPoint publicPoint) + { + super(false); + + if (publicPoint == null) + { + throw new NullPointerException("'publicPoint' cannot be null"); + } + + this.publicPoint = publicPoint; } public void encode(byte[] buf, int off) { - System.arraycopy(data, 0, buf, off, KEY_SIZE); + Ed25519.encodePublicPoint(publicPoint, buf, off); } public byte[] getEncoded() { - return Arrays.clone(data); + byte[] data = new byte[KEY_SIZE]; + encode(data, 0); + return data; } public boolean verify(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen, byte[] sig, int sigOff) @@ -58,7 +75,7 @@ public boolean verify(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msg throw new IllegalArgumentException("ctx"); } - return Ed25519.verify(sig, sigOff, data, 0, msg, msgOff, msgLen); + return Ed25519.verify(sig, sigOff, publicPoint, msg, msgOff, msgLen); } case Ed25519.Algorithm.Ed25519ctx: { @@ -71,7 +88,7 @@ public boolean verify(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msg throw new IllegalArgumentException("ctx"); } - return Ed25519.verify(sig, sigOff, data, 0, ctx, msg, msgOff, msgLen); + return Ed25519.verify(sig, sigOff, publicPoint, ctx, msg, msgOff, msgLen); } case Ed25519.Algorithm.Ed25519ph: { @@ -88,7 +105,7 @@ public boolean verify(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msg throw new IllegalArgumentException("msgLen"); } - return Ed25519.verifyPrehash(sig, sigOff, data, 0, ctx, msg, msgOff); + return Ed25519.verifyPrehash(sig, sigOff, publicPoint, ctx, msg, msgOff); } default: { @@ -97,6 +114,16 @@ public boolean verify(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msg } } + private static Ed25519.PublicPoint parse(byte[] buf, int off) + { + Ed25519.PublicPoint publicPoint = Ed25519.validatePublicKeyPartialExport(buf, off); + if (publicPoint == null) + { + throw new IllegalArgumentException("invalid public key"); + } + return publicPoint; + } + private static byte[] validate(byte[] buf) { if (buf.length != KEY_SIZE)
core/src/main/java/org/bouncycastle/crypto/params/Ed448PrivateKeyParameters.java+1 −3 modified@@ -64,9 +64,7 @@ public Ed448PublicKeyParameters generatePublicKey() { if (null == cachedPublicKey) { - byte[] publicKey = new byte[Ed448.PUBLIC_KEY_SIZE]; - Ed448.generatePublicKey(data, 0, publicKey, 0); - cachedPublicKey = new Ed448PublicKeyParameters(publicKey, 0); + cachedPublicKey = new Ed448PublicKeyParameters(Ed448.generatePublicKey(data, 0)); } return cachedPublicKey;
core/src/main/java/org/bouncycastle/crypto/params/Ed448PublicKeyParameters.java+34 −7 modified@@ -5,15 +5,14 @@ import java.io.InputStream; import org.bouncycastle.math.ec.rfc8032.Ed448; -import org.bouncycastle.util.Arrays; import org.bouncycastle.util.io.Streams; public final class Ed448PublicKeyParameters extends AsymmetricKeyParameter { public static final int KEY_SIZE = Ed448.PUBLIC_KEY_SIZE; - private final byte[] data = new byte[KEY_SIZE]; + private final Ed448.PublicPoint publicPoint; public Ed448PublicKeyParameters(byte[] buf) { @@ -24,27 +23,45 @@ public Ed448PublicKeyParameters(byte[] buf, int off) { super(false); - System.arraycopy(buf, off, data, 0, KEY_SIZE); + this.publicPoint = parse(buf, off); } public Ed448PublicKeyParameters(InputStream input) throws IOException { super(false); + byte[] data = new byte[KEY_SIZE]; + if (KEY_SIZE != Streams.readFully(input, data)) { throw new EOFException("EOF encountered in middle of Ed448 public key"); } + + this.publicPoint = parse(data, 0); + } + + public Ed448PublicKeyParameters(Ed448.PublicPoint publicPoint) + { + super(false); + + if (publicPoint == null) + { + throw new NullPointerException("'publicPoint' cannot be null"); + } + + this.publicPoint = publicPoint; } public void encode(byte[] buf, int off) { - System.arraycopy(data, 0, buf, off, KEY_SIZE); + Ed448.encodePublicPoint(publicPoint, buf, off); } public byte[] getEncoded() { - return Arrays.clone(data); + byte[] data = new byte[KEY_SIZE]; + encode(data, 0); + return data; } public boolean verify(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen, byte[] sig, int sigOff) @@ -62,7 +79,7 @@ public boolean verify(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msg throw new IllegalArgumentException("ctx"); } - return Ed448.verify(sig, sigOff, data, 0, ctx, msg, msgOff, msgLen); + return Ed448.verify(sig, sigOff, publicPoint, ctx, msg, msgOff, msgLen); } case Ed448.Algorithm.Ed448ph: { @@ -79,7 +96,7 @@ public boolean verify(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msg throw new IllegalArgumentException("msgLen"); } - return Ed448.verifyPrehash(sig, sigOff, data, 0, ctx, msg, msgOff); + return Ed448.verifyPrehash(sig, sigOff, publicPoint, ctx, msg, msgOff); } default: { @@ -88,6 +105,16 @@ public boolean verify(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msg } } + private static Ed448.PublicPoint parse(byte[] buf, int off) + { + Ed448.PublicPoint publicPoint = Ed448.validatePublicKeyPartialExport(buf, off); + if (publicPoint == null) + { + throw new IllegalArgumentException("invalid public key"); + } + return publicPoint; + } + private static byte[] validate(byte[] buf) { if (buf.length != KEY_SIZE)
core/src/main/java/org/bouncycastle/math/ec/rfc7748/X25519Field.java+26 −0 modified@@ -152,13 +152,27 @@ public static void decode(int[] x, int xOff, int[] z) z[9] &= M24; } + public static void decode(byte[] x, int[] z) + { + decode128(x, 0, z, 0); + decode128(x, 16, z, 5); + z[9] &= M24; + } + public static void decode(byte[] x, int xOff, int[] z) { decode128(x, xOff, z, 0); decode128(x, xOff + 16, z, 5); z[9] &= M24; } + public static void decode(byte[] x, int xOff, int[] z, int zOff) + { + decode128(x, xOff, z, zOff); + decode128(x, xOff + 16, z, zOff + 5); + z[zOff + 9] &= M24; + } + private static void decode128(int[] is, int off, int[] z, int zOff) { int t0 = is[off + 0], t1 = is[off + 1], t2 = is[off + 2], t3 = is[off + 3]; @@ -199,12 +213,24 @@ public static void encode(int[] x, int[] z, int zOff) encode128(x, 5, z, zOff + 4); } + public static void encode(int[] x, byte[] z) + { + encode128(x, 0, z, 0); + encode128(x, 5, z, 16); + } + public static void encode(int[] x, byte[] z, int zOff) { encode128(x, 0, z, zOff); encode128(x, 5, z, zOff + 16); } + public static void encode(int[] x, int xOff, byte[] z, int zOff) + { + encode128(x, xOff, z, zOff); + encode128(x, xOff + 5, z, zOff + 16); + } + private static void encode128(int[] x, int xOff, int[] is, int off) { int x0 = x[xOff + 0], x1 = x[xOff + 1], x2 = x[xOff + 2], x3 = x[xOff + 3], x4 = x[xOff + 4];
core/src/main/java/org/bouncycastle/math/ec/rfc7748/X448Field.java+49 −1 modified@@ -156,6 +156,18 @@ public static void decode(int[] x, int xOff, int[] z) decode224(x, xOff + 7, z, 8); } + public static void decode(byte[] x, int[] z) + { + decode56(x, 0, z, 0); + decode56(x, 7, z, 2); + decode56(x, 14, z, 4); + decode56(x, 21, z, 6); + decode56(x, 28, z, 8); + decode56(x, 35, z, 10); + decode56(x, 42, z, 12); + decode56(x, 49, z, 14); + } + public static void decode(byte[] x, int xOff, int[] z) { decode56(x, xOff, z, 0); @@ -168,6 +180,18 @@ public static void decode(byte[] x, int xOff, int[] z) decode56(x, xOff + 49, z, 14); } + public static void decode(byte[] x, int xOff, int[] z, int zOff) + { + decode56(x, xOff, z, zOff); + decode56(x, xOff + 7, z, zOff + 2); + decode56(x, xOff + 14, z, zOff + 4); + decode56(x, xOff + 21, z, zOff + 6); + decode56(x, xOff + 28, z, zOff + 8); + decode56(x, xOff + 35, z, zOff + 10); + decode56(x, xOff + 42, z, zOff + 12); + decode56(x, xOff + 49, z, zOff + 14); + } + private static void decode224(int[] x, int xOff, int[] z, int zOff) { int x0 = x[xOff + 0], x1 = x[xOff + 1], x2 = x[xOff + 2], x3 = x[xOff + 3]; @@ -214,7 +238,19 @@ public static void encode(int[] x, int[] z, int zOff) encode224(x, 8, z, zOff + 7); } - public static void encode(int[] x, byte[] z , int zOff) + public static void encode(int[] x, byte[] z) + { + encode56(x, 0, z, 0); + encode56(x, 2, z, 7); + encode56(x, 4, z, 14); + encode56(x, 6, z, 21); + encode56(x, 8, z, 28); + encode56(x, 10, z, 35); + encode56(x, 12, z, 42); + encode56(x, 14, z, 49); + } + + public static void encode(int[] x, byte[] z, int zOff) { encode56(x, 0, z, zOff); encode56(x, 2, z, zOff + 7); @@ -226,6 +262,18 @@ public static void encode(int[] x, byte[] z , int zOff) encode56(x, 14, z, zOff + 49); } + public static void encode(int[] x, int xOff, byte[] z, int zOff) + { + encode56(x, xOff, z, zOff); + encode56(x, xOff + 2, z, zOff + 7); + encode56(x, xOff + 4, z, zOff + 14); + encode56(x, xOff + 6, z, zOff + 21); + encode56(x, xOff + 8, z, zOff + 28); + encode56(x, xOff + 10, z, zOff + 35); + encode56(x, xOff + 12, z, zOff + 42); + encode56(x, xOff + 14, z, zOff + 49); + } + private static void encode224(int[] x, int xOff, int[] is, int off) { int x0 = x[xOff + 0], x1 = x[xOff + 1], x2 = x[xOff + 2], x3 = x[xOff + 3];
core/src/main/java/org/bouncycastle/math/ec/rfc8032/Codec.java+65 −0 added@@ -0,0 +1,65 @@ +package org.bouncycastle.math.ec.rfc8032; + +abstract class Codec +{ + static int decode16(byte[] bs, int off) + { + int n = bs[off] & 0xFF; + n |= (bs[++off] & 0xFF) << 8; + return n; + } + + static int decode24(byte[] bs, int off) + { + int n = bs[ off] & 0xFF; + n |= (bs[++off] & 0xFF) << 8; + n |= (bs[++off] & 0xFF) << 16; + return n; + } + + static int decode32(byte[] bs, int off) + { + int n = bs[off] & 0xFF; + n |= (bs[++off] & 0xFF) << 8; + n |= (bs[++off] & 0xFF) << 16; + n |= bs[++off] << 24; + return n; + } + + static void decode32(byte[] bs, int bsOff, int[] n, int nOff, int nLen) + { + for (int i = 0; i < nLen; ++i) + { + n[nOff + i] = decode32(bs, bsOff + i * 4); + } + } + + static void encode24(int n, byte[] bs, int off) + { + bs[ off] = (byte)(n ); + bs[++off] = (byte)(n >>> 8); + bs[++off] = (byte)(n >>> 16); + } + + static void encode32(int n, byte[] bs, int off) + { + bs[ off] = (byte)(n ); + bs[++off] = (byte)(n >>> 8); + bs[++off] = (byte)(n >>> 16); + bs[++off] = (byte)(n >>> 24); + } + + static void encode32(int[] n, int nOff, int nLen, byte[] bs, int bsOff) + { + for (int i = 0; i < nLen; ++i) + { + encode32(n[nOff + i], bs, bsOff + i * 4); + } + } + + static void encode56(long n, byte[] bs, int off) + { + encode32((int)n, bs, off); + encode24((int)(n >>> 32), bs, off + 4); + } +}
core/src/main/java/org/bouncycastle/math/ec/rfc8032/Ed25519.java+463 −398 modified@@ -7,9 +7,7 @@ import org.bouncycastle.math.ec.rfc7748.X25519; import org.bouncycastle.math.ec.rfc7748.X25519Field; import org.bouncycastle.math.raw.Interleave; -import org.bouncycastle.math.raw.Nat; import org.bouncycastle.math.raw.Nat256; -import org.bouncycastle.util.Arrays; /** * A low-level implementation of the Ed25519, Ed25519ctx, and Ed25519ph instantiations of the Edwards-Curve @@ -33,11 +31,17 @@ public static final class Algorithm public static final int Ed25519ph = 2; } - private static class F extends X25519Field {}; + public static final class PublicPoint + { + final int[] data; - private static final long M08L = 0x000000FFL; - private static final long M28L = 0x0FFFFFFFL; - private static final long M32L = 0xFFFFFFFFL; + PublicPoint(int[] data) + { + this.data = data; + } + } + + private static class F extends X25519Field {}; private static final int COORD_INTS = 8; private static final int POINT_BYTES = COORD_INTS * 4; @@ -56,20 +60,23 @@ private static class F extends X25519Field {}; private static final int[] P = new int[]{ 0xFFFFFFED, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x7FFFFFFF }; - private static final int[] L = new int[]{ 0x5CF5D3ED, 0x5812631A, 0xA2F79CD6, 0x14DEF9DE, 0x00000000, 0x00000000, - 0x00000000, 0x10000000 }; - private static final int L0 = -0x030A2C13; // L0:26/-- - private static final int L1 = 0x012631A6; // L1:24/22 - private static final int L2 = 0x079CD658; // L2:27/-- - private static final int L3 = -0x006215D1; // L3:23/-- - private static final int L4 = 0x000014DF; // L4:12/11 + private static final int[] ORDER8_y1 = new int[]{ 0x706A17C7, 0x4FD84D3D, 0x760B3CBA, 0x0F67100D, 0xFA53202A, + 0xC6CC392C, 0x77FDC74E, 0x7A03AC92 }; + private static final int[] ORDER8_y2 = new int[]{ 0x8F95E826, 0xB027B2C2, 0x89F4C345, 0xF098EFF2, 0x05ACDFD5, + 0x3933C6D3, 0x880238B1, 0x05FC536D }; private static final int[] B_x = new int[]{ 0x0325D51A, 0x018B5823, 0x007B2C95, 0x0304A92D, 0x00D2598E, 0x01D6DC5C, 0x01388C7F, 0x013FEC0A, 0x029E6B72, 0x0042D26D }; private static final int[] B_y = new int[]{ 0x02666658, 0x01999999, 0x00666666, 0x03333333, 0x00CCCCCC, 0x02666666, 0x01999999, 0x00666666, 0x03333333, 0x00CCCCCC, }; + // 2^128 * B + private static final int[] B128_x = new int[]{ 0x00B7E824, 0x0011EB98, 0x003E5FC8, 0x024E1739, 0x0131CD0B, + 0x014E29A0, 0x034E6138, 0x0132C952, 0x03F9E22F, 0x00984F5F }; + private static final int[] B128_y = new int[]{ 0x03F5A66B, 0x02AF4452, 0x0049E5BB, 0x00F28D26, 0x0121A17C, + 0x02C29C3A, 0x0047AD89, 0x0087D95F, 0x0332936E, 0x00BE5933 }; + // Note that d == -121665/121666 private static final int[] C_d = new int[]{ 0x035978A3, 0x02D37284, 0x018AB75E, 0x026A0A0E, 0x0000E014, 0x0379E898, 0x01D01E5D, 0x01E738CC, 0x03715B7F, 0x00A406D9 }; @@ -78,19 +85,21 @@ private static class F extends X25519Field {}; private static final int[] C_d4 = new int[]{ 0x0165E2B2, 0x034DCA13, 0x002ADD7A, 0x01A8283B, 0x00038052, 0x01E7A260, 0x03407977, 0x019CE331, 0x01C56DFF, 0x00901B67 }; - private static final int WNAF_WIDTH = 5; - private static final int WNAF_WIDTH_BASE = 7; +// private static final int WNAF_WIDTH = 5; + private static final int WNAF_WIDTH_128 = 4; + private static final int WNAF_WIDTH_BASE = 6; // scalarMultBase is hard-coded for these values of blocks, teeth, spacing so they can't be freely changed private static final int PRECOMP_BLOCKS = 8; private static final int PRECOMP_TEETH = 4; private static final int PRECOMP_SPACING = 8; -// private static final int PRECOMP_RANGE = PRECOMP_BLOCKS * PRECOMP_TEETH * PRECOMP_SPACING; // range == 256 + private static final int PRECOMP_RANGE = PRECOMP_BLOCKS * PRECOMP_TEETH * PRECOMP_SPACING; // range == 256 private static final int PRECOMP_POINTS = 1 << (PRECOMP_TEETH - 1); private static final int PRECOMP_MASK = PRECOMP_POINTS - 1; private static final Object PRECOMP_LOCK = new Object(); private static PointPrecomp[] PRECOMP_BASE_WNAF = null; + private static PointPrecomp[] PRECOMP_BASE128_WNAF = null; private static int[] PRECOMP_BASE_COMB = null; private static class PointAccum @@ -140,18 +149,15 @@ private static class PointTemp private static byte[] calculateS(byte[] r, byte[] k, byte[] s) { - int[] t = new int[SCALAR_INTS * 2]; decodeScalar(r, 0, t); - int[] u = new int[SCALAR_INTS]; decodeScalar(k, 0, u); - int[] v = new int[SCALAR_INTS]; decodeScalar(s, 0, v); + int[] t = new int[SCALAR_INTS * 2]; Scalar25519.decode(r, t); + int[] u = new int[SCALAR_INTS]; Scalar25519.decode(k, u); + int[] v = new int[SCALAR_INTS]; Scalar25519.decode(s, v); Nat256.mulAddTo(u, v, t); byte[] result = new byte[SCALAR_BYTES * 2]; - for (int i = 0; i < t.length; ++i) - { - encode32(t[i], result, i * 4); - } - return reduceScalar(result); + Codec.encode32(t, 0, t.length, result, 0); + return Scalar25519.reduce(result); } private static boolean checkContextVar(byte[] ctx , byte phflag) @@ -160,14 +166,14 @@ private static boolean checkContextVar(byte[] ctx , byte phflag) || ctx != null && ctx.length < 256; } - private static int checkPoint(int[] x, int[] y) + private static int checkPoint(PointAffine p) { int[] t = F.create(); int[] u = F.create(); int[] v = F.create(); - F.sqr(x, u); - F.sqr(y, v); + F.sqr(p.x, u); + F.sqr(p.y, v); F.mul(u, v, t); F.sub(v, u, v); F.mul(t, C_d, t); @@ -178,16 +184,16 @@ private static int checkPoint(int[] x, int[] y) return F.isZero(t); } - private static int checkPoint(int[] x, int[] y, int[] z) + private static int checkPoint(PointAccum p) { int[] t = F.create(); int[] u = F.create(); int[] v = F.create(); int[] w = F.create(); - F.sqr(x, u); - F.sqr(y, v); - F.sqr(z, w); + F.sqr(p.x, u); + F.sqr(p.y, v); + F.sqr(p.z, w); F.mul(u, v, t); F.sub(v, u, v); F.mul(v, w, v); @@ -200,25 +206,62 @@ private static int checkPoint(int[] x, int[] y, int[] z) return F.isZero(t); } + private static boolean checkPointFullVar(byte[] p) + { + int y7 = Codec.decode32(p, 28) & 0x7FFFFFFF; + + int t0 = y7; + int t1 = y7 ^ P[7]; + int t2 = y7 ^ ORDER8_y1[7]; + int t3 = y7 ^ ORDER8_y2[7]; + + for (int i = COORD_INTS - 2; i > 0; --i) + { + int yi = Codec.decode32(p, i * 4); + + t0 |= yi; + t1 |= yi ^ P[i]; + t2 |= yi ^ ORDER8_y1[i]; + t3 |= yi ^ ORDER8_y2[i]; + } + + int y0 = Codec.decode32(p, 0); + + // Reject 0 and 1 + if (t0 == 0 && (y0 + Integer.MIN_VALUE) <= (1 + Integer.MIN_VALUE)) + return false; + + // Reject P - 1 and non-canonical encodings (i.e. >= P) + if (t1 == 0 && (y0 + Integer.MIN_VALUE) >= (P[0] - 1 + Integer.MIN_VALUE)) + return false; + + t2 |= y0 ^ ORDER8_y1[0]; + t3 |= y0 ^ ORDER8_y2[0]; + + // Reject order 8 points + return (t2 != 0) & (t3 != 0); + } + + private static boolean checkPointOrderVar(PointAffine p) + { + PointAccum r = new PointAccum(); + scalarMultOrderVar(p, r); + return normalizeToNeutralElementVar(r); + } + private static boolean checkPointVar(byte[] p) { - if ((decode32(p, 28) & 0x7FFFFFFF) < P[7]) + if ((Codec.decode32(p, 28) & 0x7FFFFFFF) < P[7]) { return true; } int[] t = new int[COORD_INTS]; - decode32(p, 0, t, 0, COORD_INTS); + Codec.decode32(p, 0, t, 0, COORD_INTS); t[COORD_INTS - 1] &= 0x7FFFFFFF; return !Nat256.gte(t, P); } - private static boolean checkScalarVar(byte[] s, int[] n) - { - decodeScalar(s, 0, n); - return !Nat256.gte(n, L); - } - private static byte[] copy(byte[] buf, int off, int len) { byte[] result = new byte[len]; @@ -241,43 +284,11 @@ public static Digest createPrehash() return createDigest(); } - private static int decode24(byte[] bs, int off) + private static boolean decodePointVar(byte[] p, boolean negate, PointAffine r) { - int n = bs[ off] & 0xFF; - n |= (bs[++off] & 0xFF) << 8; - n |= (bs[++off] & 0xFF) << 16; - return n; - } + int x_0 = (p[POINT_BYTES - 1] & 0x80) >>> 7; - private static int decode32(byte[] bs, int off) - { - int n = bs[off] & 0xFF; - n |= (bs[++off] & 0xFF) << 8; - n |= (bs[++off] & 0xFF) << 16; - n |= bs[++off] << 24; - return n; - } - - private static void decode32(byte[] bs, int bsOff, int[] n, int nOff, int nLen) - { - for (int i = 0; i < nLen; ++i) - { - n[nOff + i] = decode32(bs, bsOff + i * 4); - } - } - - private static boolean decodePointVar(byte[] p, int pOff, boolean negate, PointAffine r) - { - byte[] py = copy(p, pOff, POINT_BYTES); - if (!checkPointVar(py)) - { - return false; - } - - int x_0 = (py[POINT_BYTES - 1] & 0x80) >>> 7; - py[POINT_BYTES - 1] &= 0x7F; - - F.decode(py, 0, r.y); + F.decode(p, r.y); int[] u = F.create(); int[] v = F.create(); @@ -301,71 +312,59 @@ private static boolean decodePointVar(byte[] p, int pOff, boolean negate, PointA if (negate ^ (x_0 != (r.x[0] & 1))) { F.negate(r.x, r.x); + F.normalize(r.x); } return true; } - private static void decodeScalar(byte[] k, int kOff, int[] n) - { - decode32(k, kOff, n, 0, SCALAR_INTS); - } - private static void dom2(Digest d, byte phflag, byte[] ctx) { - if (ctx != null) - { - int n = DOM2_PREFIX.length; - byte[] t = new byte[n + 2 + ctx.length]; - System.arraycopy(DOM2_PREFIX, 0, t, 0, n); - t[n] = phflag; - t[n + 1] = (byte)ctx.length; - System.arraycopy(ctx, 0, t, n + 2, ctx.length); - - d.update(t, 0, t.length); - } - } +// assert ctx != null; - private static void encode24(int n, byte[] bs, int off) - { - bs[ off] = (byte)(n ); - bs[++off] = (byte)(n >>> 8); - bs[++off] = (byte)(n >>> 16); + int n = DOM2_PREFIX.length; + byte[] t = new byte[n + 2 + ctx.length]; + System.arraycopy(DOM2_PREFIX, 0, t, 0, n); + t[n] = phflag; + t[n + 1] = (byte)ctx.length; + System.arraycopy(ctx, 0, t, n + 2, ctx.length); + + d.update(t, 0, t.length); } - private static void encode32(int n, byte[] bs, int off) + private static void encodePoint(PointAffine p, byte[] r, int rOff) { - bs[ off] = (byte)(n ); - bs[++off] = (byte)(n >>> 8); - bs[++off] = (byte)(n >>> 16); - bs[++off] = (byte)(n >>> 24); + F.encode(p.y, r, rOff); + r[rOff + POINT_BYTES - 1] |= (p.x[0] & 1) << 7; } - private static void encode56(long n, byte[] bs, int off) + public static void encodePublicPoint(PublicPoint publicPoint, byte[] pk, int pkOff) { - encode32((int)n, bs, off); - encode24((int)(n >>> 32), bs, off + 4); + F.encode(publicPoint.data, F.SIZE, pk, pkOff); + pk[pkOff + POINT_BYTES - 1] |= (publicPoint.data[0] & 1) << 7; } - private static int encodePoint(PointAccum p, byte[] r, int rOff) + private static int encodeResult(PointAccum p, byte[] r, int rOff) { - int[] x = F.create(); - int[] y = F.create(); + PointAffine q = new PointAffine(); + normalizeToAffine(p, q); - F.inv(p.z, y); - F.mul(p.x, y, x); - F.mul(p.y, y, y); - F.normalize(x); - F.normalize(y); + int result = checkPoint(q); - int result = checkPoint(x, y); - - F.encode(y, r, rOff); - r[rOff + POINT_BYTES - 1] |= ((x[0] & 1) << 7); + encodePoint(q, r, rOff); return result; } + private static PublicPoint exportPoint(PointAffine p) + { + int[] data = new int[F.SIZE * 2]; + F.copy(p.x, 0, data, 0); + F.copy(p.y, 0, data, F.SIZE); + + return new PublicPoint(data); + } + public static void generatePrivateKey(SecureRandom random, byte[] k) { if (k.length != SECRET_KEY_SIZE) @@ -390,81 +389,74 @@ public static void generatePublicKey(byte[] sk, int skOff, byte[] pk, int pkOff) scalarMultBaseEncoded(s, pk, pkOff); } - private static int getWindow4(int[] x, int n) + public static PublicPoint generatePublicKey(byte[] sk, int skOff) { - int w = n >>> 3, b = (n & 7) << 2; - return (x[w] >>> b) & 15; - } + Digest d = createDigest(); + byte[] h = new byte[64]; - private static byte[] getWnafVar(int[] n, int width) - { -// assert 0 <= n[SCALAR_INTS - 1] && n[SCALAR_INTS - 1] <= L[SCALAR_INTS - 1]; -// assert 2 <= width && width <= 8; + d.update(sk, skOff, SECRET_KEY_SIZE); + d.doFinal(h, 0); - int[] t = new int[SCALAR_INTS * 2]; - { - int tPos = t.length, c = 0; - int i = SCALAR_INTS; - while (--i >= 0) - { - int next = n[i]; - t[--tPos] = (next >>> 16) | (c << 16); - t[--tPos] = c = next; - } - } + byte[] s = new byte[SCALAR_BYTES]; + pruneScalar(h, 0, s); - byte[] ws = new byte[253]; + PointAccum p = new PointAccum(); + scalarMultBase(s, p); - final int lead = 32 - width; + PointAffine q = new PointAffine(); + normalizeToAffine(p, q); - int j = 0, carry = 0; - for (int i = 0; i < t.length; ++i, j -= 16) + if (0 == checkPoint(q)) { - int word = t[i]; - while (j < 16) - { - int word16 = word >>> j; - int bit = word16 & 1; - - if (bit == carry) - { - ++j; - continue; - } + throw new IllegalStateException(); + } - int digit = (word16 | 1) << lead; - carry = digit >>> 31; + return exportPoint(q); + } - ws[(i << 4) + j] = (byte)(digit >> lead); + private static int getWindow4(int[] x, int n) + { + int w = n >>> 3, b = (n & 7) << 2; + return (x[w] >>> b) & 15; + } - j += width; - } + private static void groupCombBits(int[] n) + { + /* + * Because we are using 4 teeth and 8 spacing, each limb of n corresponds to one of the 8 blocks. + * Therefore we can efficiently group the bits for each comb position using a (double) shuffle. + */ + for (int i = 0; i < n.length; ++i) + { + n[i] = Interleave.shuffle2(n[i]); } - -// assert carry == 0; - - return ws; } private static void implSign(Digest d, byte[] h, byte[] s, byte[] pk, int pkOff, byte[] ctx, byte phflag, byte[] m, int mOff, int mLen, byte[] sig, int sigOff) { - dom2(d, phflag, ctx); + if (ctx != null) + { + dom2(d, phflag, ctx); + } d.update(h, SCALAR_BYTES, SCALAR_BYTES); d.update(m, mOff, mLen); d.doFinal(h, 0); - byte[] r = reduceScalar(h); + byte[] r = Scalar25519.reduce(h); byte[] R = new byte[POINT_BYTES]; scalarMultBaseEncoded(r, R, 0); - dom2(d, phflag, ctx); + if (ctx != null) + { + dom2(d, phflag, ctx); + } d.update(R, 0, POINT_BYTES); d.update(pk, pkOff, POINT_BYTES); d.update(m, mOff, mLen); d.doFinal(h, 0); - byte[] k = reduceScalar(h); + byte[] k = Scalar25519.reduce(h); byte[] S = calculateS(r, k, s); System.arraycopy(R, 0, sig, sigOff, POINT_BYTES); @@ -524,43 +516,121 @@ private static boolean implVerify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] R = copy(sig, sigOff, POINT_BYTES); byte[] S = copy(sig, sigOff + POINT_BYTES, SCALAR_BYTES); + byte[] A = copy(pk, pkOff, PUBLIC_KEY_SIZE); if (!checkPointVar(R)) { return false; } int[] nS = new int[SCALAR_INTS]; - if (!checkScalarVar(S, nS)) + if (!Scalar25519.checkVar(S, nS)) + { + return false; + } + + if (!checkPointFullVar(A)) + return false; + + PointAffine pR = new PointAffine(); + if (!decodePointVar(R, true, pR)) { return false; } PointAffine pA = new PointAffine(); - if (!decodePointVar(pk, pkOff, true, pA)) + if (!decodePointVar(A, true, pA)) { return false; } Digest d = createDigest(); byte[] h = new byte[64]; - dom2(d, phflag, ctx); + if (ctx != null) + { + dom2(d, phflag, ctx); + } d.update(R, 0, POINT_BYTES); - d.update(pk, pkOff, POINT_BYTES); + d.update(A, 0, POINT_BYTES); d.update(m, mOff, mLen); d.doFinal(h, 0); - byte[] k = reduceScalar(h); + byte[] k = Scalar25519.reduce(h); int[] nA = new int[SCALAR_INTS]; - decodeScalar(k, 0, nA); + Scalar25519.decode(k, nA); - PointAccum pR = new PointAccum(); - scalarMultStrausVar(nS, nA, pA, pR); + int[] v0 = new int[4]; + int[] v1 = new int[4]; + Scalar25519.reduceBasisVar(nA, v0, v1); + Scalar25519.multiply128Var(nS, v1, nS); - byte[] check = new byte[POINT_BYTES]; - return 0 != encodePoint(pR, check, 0) && Arrays.areEqual(check, R); + PointAccum pZ = new PointAccum(); + scalarMultStraus128Var(nS, v0, pA, v1, pR, pZ); + return normalizeToNeutralElementVar(pZ); + } + + private static boolean implVerify(byte[] sig, int sigOff, PublicPoint publicPoint, byte[] ctx, byte phflag, + byte[] m, int mOff, int mLen) + { + if (!checkContextVar(ctx, phflag)) + { + throw new IllegalArgumentException("ctx"); + } + + byte[] R = copy(sig, sigOff, POINT_BYTES); + byte[] S = copy(sig, sigOff + POINT_BYTES, SCALAR_BYTES); + + if (!checkPointVar(R)) + { + return false; + } + + int[] nS = new int[SCALAR_INTS]; + if (!Scalar25519.checkVar(S, nS)) + { + return false; + } + + PointAffine pR = new PointAffine(); + if (!decodePointVar(R, true, pR)) + { + return false; + } + + PointAffine pA = new PointAffine(); + F.negate(publicPoint.data, pA.x); + F.copy(publicPoint.data, F.SIZE, pA.y, 0); + + byte[] A = new byte[PUBLIC_KEY_SIZE]; + encodePublicPoint(publicPoint, A, 0); + + Digest d = createDigest(); + byte[] h = new byte[64]; + + if (ctx != null) + { + dom2(d, phflag, ctx); + } + d.update(R, 0, POINT_BYTES); + d.update(A, 0, POINT_BYTES); + d.update(m, mOff, mLen); + d.doFinal(h, 0); + + byte[] k = Scalar25519.reduce(h); + + int[] nA = new int[SCALAR_INTS]; + Scalar25519.decode(k, nA); + + int[] v0 = new int[4]; + int[] v1 = new int[4]; + Scalar25519.reduceBasisVar(nA, v0, v1); + Scalar25519.multiply128Var(nS, v1, nS); + + PointAccum pZ = new PointAccum(); + scalarMultStraus128Var(nS, v0, pA, v1, pR, pZ); + return normalizeToNeutralElementVar(pZ); } private static void invertDoubleZs(PointExtended[] points) @@ -597,16 +667,34 @@ private static void invertDoubleZs(PointExtended[] points) F.copy(u, 0, points[0].z, 0); } - private static boolean isNeutralElementVar(int[] x, int[] y) - { - return F.isZeroVar(x) && F.isOneVar(y); - } +// private static boolean isNeutralElementVar(int[] x, int[] y) +// { +// return F.isZeroVar(x) && F.isOneVar(y); +// } private static boolean isNeutralElementVar(int[] x, int[] y, int[] z) { return F.isZeroVar(x) && F.areEqualVar(y, z); } + private static void normalizeToAffine(PointAccum p, PointAffine r) + { + F.inv(p.z, r.y); + F.mul(r.y, p.x, r.x); + F.mul(r.y, p.y, r.y); + F.normalize(r.x); + F.normalize(r.y); + } + + private static boolean normalizeToNeutralElementVar(PointAccum p) + { + F.normalize(p.x); + F.normalize(p.y); + F.normalize(p.z); + + return isNeutralElementVar(p.x, p.y, p.z); + } + private static void pointAdd(PointExtended p, PointExtended q, PointExtended r, PointTemp t) { // p may ref the same point as r (or q), but q may not ref the same point as r. @@ -841,18 +929,19 @@ private static void pointLookupZ(int[] x, int n, int[] table, PointPrecompZ r) F.cnegate(sign, r.xyd); } - private static void pointPrecompute(PointAffine p, PointExtended[] points, int count, PointTemp t) + private static void pointPrecompute(PointAffine p, PointExtended[] points, int pointsOff, int pointsLen, + PointTemp t) { -// assert count > 0; +// assert pointsLen > 0; - pointCopy(p, points[0] = new PointExtended()); + pointCopy(p, points[pointsOff] = new PointExtended()); PointExtended d = new PointExtended(); - pointAdd(points[0], points[0], d, t); + pointAdd(points[pointsOff], points[pointsOff], d, t); - for (int i = 1; i < count; ++i) + for (int i = 1; i < pointsLen; ++i) { - pointAdd(points[i - 1], d, points[i] = new PointExtended(), t); + pointAdd(points[pointsOff + i - 1], d, points[pointsOff + i] = new PointExtended(), t); } } @@ -929,23 +1018,29 @@ public static void precompute() { synchronized (PRECOMP_LOCK) { - if (PRECOMP_BASE_WNAF != null && PRECOMP_BASE_COMB != null) + if (PRECOMP_BASE_COMB != null) { return; } int wnafPoints = 1 << (WNAF_WIDTH_BASE - 2); int combPoints = PRECOMP_BLOCKS * PRECOMP_POINTS; - int totalPoints = wnafPoints + combPoints; + int totalPoints = wnafPoints * 2 + combPoints; PointExtended[] points = new PointExtended[totalPoints]; PointTemp t = new PointTemp(); - PointAffine b = new PointAffine(); - F.copy(B_x, 0, b.x, 0); - F.copy(B_y, 0, b.y, 0); + PointAffine B = new PointAffine(); + F.copy(B_x, 0, B.x, 0); + F.copy(B_y, 0, B.y, 0); + + pointPrecompute(B, points, 0, wnafPoints, t); - pointPrecompute(b, points, wnafPoints, t); + PointAffine B128 = new PointAffine(); + F.copy(B128_x, 0, B128.x, 0); + F.copy(B128_y, 0, B128.y, 0); + + pointPrecompute(B128, points, wnafPoints, wnafPoints, t); PointAccum p = new PointAccum(); F.copy(B_x, 0, p.x, 0); @@ -954,12 +1049,13 @@ public static void precompute() F.copy(p.x, 0, p.u, 0); F.copy(p.y, 0, p.v, 0); - int pointsIndex = wnafPoints; + int pointsIndex = wnafPoints * 2; PointExtended[] toothPowers = new PointExtended[PRECOMP_TEETH]; for (int tooth = 0; tooth < PRECOMP_TEETH; ++tooth) { toothPowers[tooth] = new PointExtended(); } + PointExtended u = new PointExtended(); for (int block = 0; block < PRECOMP_BLOCKS; ++block) { @@ -1029,10 +1125,32 @@ public static void precompute() F.normalize(r.xyd); } + PRECOMP_BASE128_WNAF = new PointPrecomp[wnafPoints]; + for (int i = 0; i < wnafPoints; ++i) + { + PointExtended q = points[wnafPoints + i]; + PointPrecomp r = PRECOMP_BASE128_WNAF[i] = new PointPrecomp(); + + // Calculate x/2 and y/2 (because the z value holds half the inverse; see above). + F.mul(q.x, q.z, q.x); + F.mul(q.y, q.z, q.y); + + // y/2 +/- x/2 + F.apm(q.y, q.x, r.ypx_h, r.ymx_h); + + // x/2 * y/2 * (4.d) == x.y.d + F.mul(q.x, q.y, r.xyd); + F.mul(r.xyd, C_d4, r.xyd); + + F.normalize(r.ymx_h); + F.normalize(r.ypx_h); + F.normalize(r.xyd); + } + PRECOMP_BASE_COMB = F.createTable(combPoints * 3); PointPrecomp s = new PointPrecomp(); int off = 0; - for (int i = wnafPoints; i < totalPoints; ++i) + for (int i = wnafPoints * 2; i < totalPoints; ++i) { PointExtended q = points[i]; @@ -1055,7 +1173,7 @@ public static void precompute() F.copy(s.ypx_h, 0, PRECOMP_BASE_COMB, off); off += F.SIZE; F.copy(s.xyd , 0, PRECOMP_BASE_COMB, off); off += F.SIZE; } -// assert off == precompBaseComb.length; +// assert off == PRECOMP_BASE_COMB.length; } } @@ -1068,154 +1186,11 @@ private static void pruneScalar(byte[] n, int nOff, byte[] r) r[SCALAR_BYTES - 1] |= 0x40; } - private static byte[] reduceScalar(byte[] n) - { - long x00 = decode32(n, 0) & M32L; // x00:32/-- - long x01 = (decode24(n, 4) << 4) & M32L; // x01:28/-- - long x02 = decode32(n, 7) & M32L; // x02:32/-- - long x03 = (decode24(n, 11) << 4) & M32L; // x03:28/-- - long x04 = decode32(n, 14) & M32L; // x04:32/-- - long x05 = (decode24(n, 18) << 4) & M32L; // x05:28/-- - long x06 = decode32(n, 21) & M32L; // x06:32/-- - long x07 = (decode24(n, 25) << 4) & M32L; // x07:28/-- - long x08 = decode32(n, 28) & M32L; // x08:32/-- - long x09 = (decode24(n, 32) << 4) & M32L; // x09:28/-- - long x10 = decode32(n, 35) & M32L; // x10:32/-- - long x11 = (decode24(n, 39) << 4) & M32L; // x11:28/-- - long x12 = decode32(n, 42) & M32L; // x12:32/-- - long x13 = (decode24(n, 46) << 4) & M32L; // x13:28/-- - long x14 = decode32(n, 49) & M32L; // x14:32/-- - long x15 = (decode24(n, 53) << 4) & M32L; // x15:28/-- - long x16 = decode32(n, 56) & M32L; // x16:32/-- - long x17 = (decode24(n, 60) << 4) & M32L; // x17:28/-- - long x18 = n[63] & M08L; // x18:08/-- - long t; - -// x18 += (x17 >> 28); x17 &= M28L; - x09 -= x18 * L0; // x09:34/28 - x10 -= x18 * L1; // x10:33/30 - x11 -= x18 * L2; // x11:35/28 - x12 -= x18 * L3; // x12:32/31 - x13 -= x18 * L4; // x13:28/21 - - x17 += (x16 >> 28); x16 &= M28L; // x17:28/--, x16:28/-- - x08 -= x17 * L0; // x08:54/32 - x09 -= x17 * L1; // x09:52/51 - x10 -= x17 * L2; // x10:55/34 - x11 -= x17 * L3; // x11:51/36 - x12 -= x17 * L4; // x12:41/-- - -// x16 += (x15 >> 28); x15 &= M28L; - x07 -= x16 * L0; // x07:54/28 - x08 -= x16 * L1; // x08:54/53 - x09 -= x16 * L2; // x09:55/53 - x10 -= x16 * L3; // x10:55/52 - x11 -= x16 * L4; // x11:51/41 - - x15 += (x14 >> 28); x14 &= M28L; // x15:28/--, x14:28/-- - x06 -= x15 * L0; // x06:54/32 - x07 -= x15 * L1; // x07:54/53 - x08 -= x15 * L2; // x08:56/-- - x09 -= x15 * L3; // x09:55/54 - x10 -= x15 * L4; // x10:55/53 - -// x14 += (x13 >> 28); x13 &= M28L; - x05 -= x14 * L0; // x05:54/28 - x06 -= x14 * L1; // x06:54/53 - x07 -= x14 * L2; // x07:56/-- - x08 -= x14 * L3; // x08:56/51 - x09 -= x14 * L4; // x09:56/-- - - x13 += (x12 >> 28); x12 &= M28L; // x13:28/22, x12:28/-- - x04 -= x13 * L0; // x04:54/49 - x05 -= x13 * L1; // x05:54/53 - x06 -= x13 * L2; // x06:56/-- - x07 -= x13 * L3; // x07:56/52 - x08 -= x13 * L4; // x08:56/52 - - x12 += (x11 >> 28); x11 &= M28L; // x12:28/24, x11:28/-- - x03 -= x12 * L0; // x03:54/49 - x04 -= x12 * L1; // x04:54/51 - x05 -= x12 * L2; // x05:56/-- - x06 -= x12 * L3; // x06:56/52 - x07 -= x12 * L4; // x07:56/53 - - x11 += (x10 >> 28); x10 &= M28L; // x11:29/--, x10:28/-- - x02 -= x11 * L0; // x02:55/32 - x03 -= x11 * L1; // x03:55/-- - x04 -= x11 * L2; // x04:56/55 - x05 -= x11 * L3; // x05:56/52 - x06 -= x11 * L4; // x06:56/53 - - x10 += (x09 >> 28); x09 &= M28L; // x10:29/--, x09:28/-- - x01 -= x10 * L0; // x01:55/28 - x02 -= x10 * L1; // x02:55/54 - x03 -= x10 * L2; // x03:56/55 - x04 -= x10 * L3; // x04:57/-- - x05 -= x10 * L4; // x05:56/53 - - x08 += (x07 >> 28); x07 &= M28L; // x08:56/53, x07:28/-- - x09 += (x08 >> 28); x08 &= M28L; // x09:29/25, x08:28/-- - - t = x08 >>> 27; - x09 += t; // x09:29/26 - - x00 -= x09 * L0; // x00:55/53 - x01 -= x09 * L1; // x01:55/54 - x02 -= x09 * L2; // x02:57/-- - x03 -= x09 * L3; // x03:57/-- - x04 -= x09 * L4; // x04:57/42 - - x01 += (x00 >> 28); x00 &= M28L; - x02 += (x01 >> 28); x01 &= M28L; - x03 += (x02 >> 28); x02 &= M28L; - x04 += (x03 >> 28); x03 &= M28L; - x05 += (x04 >> 28); x04 &= M28L; - x06 += (x05 >> 28); x05 &= M28L; - x07 += (x06 >> 28); x06 &= M28L; - x08 += (x07 >> 28); x07 &= M28L; - x09 = (x08 >> 28); x08 &= M28L; - - x09 -= t; - -// assert x09 == 0L || x09 == -1L; - - x00 += x09 & L0; - x01 += x09 & L1; - x02 += x09 & L2; - x03 += x09 & L3; - x04 += x09 & L4; - - x01 += (x00 >> 28); x00 &= M28L; - x02 += (x01 >> 28); x01 &= M28L; - x03 += (x02 >> 28); x02 &= M28L; - x04 += (x03 >> 28); x03 &= M28L; - x05 += (x04 >> 28); x04 &= M28L; - x06 += (x05 >> 28); x05 &= M28L; - x07 += (x06 >> 28); x06 &= M28L; - x08 += (x07 >> 28); x07 &= M28L; - - byte[] r = new byte[SCALAR_BYTES]; - encode56(x00 | (x01 << 28), r, 0); - encode56(x02 | (x03 << 28), r, 7); - encode56(x04 | (x05 << 28), r, 14); - encode56(x06 | (x07 << 28), r, 21); - encode32((int)x08, r, 28); - return r; - } - private static void scalarMult(byte[] k, PointAffine p, PointAccum r) { int[] n = new int[SCALAR_INTS]; - decodeScalar(k, 0, n); - - // Recode the scalar into signed-digit form - { - //int c1 = - Nat.cadd(SCALAR_INTS, ~n[0] & 1, n, L, n); //assert c1 == 0; - //int c2 = - Nat.shiftDownBit(SCALAR_INTS, n, 1); //assert c2 == (1 << 31); - } + Scalar25519.decode(k, n); + Scalar25519.toSignedDigits(256, n, n); PointPrecompZ q = new PointPrecompZ(); PointTemp t = new PointTemp(); @@ -1252,24 +1227,9 @@ private static void scalarMultBase(byte[] k, PointAccum r) precompute(); int[] n = new int[SCALAR_INTS]; - decodeScalar(k, 0, n); - - // Recode the scalar into signed-digit form, then group comb bits in each block - { - //int c1 = - Nat.cadd(SCALAR_INTS, ~n[0] & 1, n, L, n); //assert c1 == 0; - //int c2 = - Nat.shiftDownBit(SCALAR_INTS, n, 1); //assert c2 == (1 << 31); - - /* - * Because we are using 4 teeth and 8 spacing, each limb of n corresponds to one of the 8 blocks. - * Therefore we can efficiently group the bits for each comb position using a (double) shuffle. - */ - for (int i = 0; i < SCALAR_INTS; ++i) - { - n[i] = Interleave.shuffle2(n[i]); - } - } + Scalar25519.decode(k, n); + Scalar25519.toSignedDigits(PRECOMP_RANGE, n, n); + groupCombBits(n); PointPrecomp p = new PointPrecomp(); PointTemp t = new PointTemp(); @@ -1280,16 +1240,16 @@ private static void scalarMultBase(byte[] k, PointAccum r) int cOff = (PRECOMP_SPACING - 1) * PRECOMP_TEETH; for (;;) { - for (int b = 0; b < PRECOMP_BLOCKS; ++b) + for (int block = 0; block < PRECOMP_BLOCKS; ++block) { - int w = n[b] >>> cOff; + int w = n[block] >>> cOff; int sign = (w >>> (PRECOMP_TEETH - 1)) & 1; int abs = (w ^ -sign) & PRECOMP_MASK; // assert sign == 0 || sign == 1; // assert 0 <= abs && abs < PRECOMP_POINTS; - pointLookup(b, abs, p); + pointLookup(block, abs, p); F.cnegate(resultSign ^ sign, r.x); F.cnegate(resultSign ^ sign, r.u); @@ -1314,7 +1274,7 @@ private static void scalarMultBaseEncoded(byte[] k, byte[] r, int rOff) { PointAccum p = new PointAccum(); scalarMultBase(k, p); - if (0 == encodePoint(p, r, rOff)) + if (0 == encodeResult(p, r, rOff)) { throw new IllegalStateException(); } @@ -1335,19 +1295,23 @@ public static void scalarMultBaseYZ(X25519.Friend friend, byte[] k, int kOff, in PointAccum p = new PointAccum(); scalarMultBase(n, p); - if (0 == checkPoint(p.x, p.y, p.z)) + if (0 == checkPoint(p)) { throw new IllegalStateException(); } + F.copy(p.y, 0, y, 0); F.copy(p.z, 0, z, 0); } private static void scalarMultOrderVar(PointAffine p, PointAccum r) { - byte[] ws_p = getWnafVar(L, WNAF_WIDTH); + byte[] ws_p = new byte[253]; - int count = 1 << (WNAF_WIDTH - 2); + // NOTE: WNAF_WIDTH_128 because of the special structure of the order + Scalar25519.getOrderWnafVar(WNAF_WIDTH_128, ws_p); + + int count = 1 << (WNAF_WIDTH_128 - 2); PointPrecompZ[] tp = new PointPrecompZ[count]; PointTemp t = new PointTemp(); pointPrecomputeZ(p, tp, count, t); @@ -1359,10 +1323,8 @@ private static void scalarMultOrderVar(PointAffine p, PointAccum r) int wp = ws_p[bit]; if (wp != 0) { - int sign = wp >> 31; - int index = (wp ^ sign) >>> 1; - - pointAddVar((sign != 0), tp[index], r, t); + int index = (wp >> 1) ^ (wp >> 31); + pointAddVar(wp < 0, tp[index], r, t); } if (--bit < 0) @@ -1374,47 +1336,69 @@ private static void scalarMultOrderVar(PointAffine p, PointAccum r) } } - private static void scalarMultStrausVar(int[] nb, int[] np, PointAffine p, PointAccum r) + private static void scalarMultStraus128Var(int[] nb, int[] np, PointAffine p, int[] nq, PointAffine q, PointAccum r) { +// assert nb.length == SCALAR_INTS; +// assert nb[SCALAR_INTS - 1] >>> 29 == 0; +// assert np.length == 4; +// assert nq.length == 4; + precompute(); - byte[] ws_b = getWnafVar(nb, WNAF_WIDTH_BASE); - byte[] ws_p = getWnafVar(np, WNAF_WIDTH); + byte[] ws_b = new byte[256]; + byte[] ws_p = new byte[128]; + byte[] ws_q = new byte[128]; + + Wnaf.getSignedVar(nb, WNAF_WIDTH_BASE, ws_b); + Wnaf.getSignedVar(np, WNAF_WIDTH_128, ws_p); + Wnaf.getSignedVar(nq, WNAF_WIDTH_128, ws_q); - int count = 1 << (WNAF_WIDTH - 2); + int count = 1 << (WNAF_WIDTH_128 - 2); PointPrecompZ[] tp = new PointPrecompZ[count]; + PointPrecompZ[] tq = new PointPrecompZ[count]; PointTemp t = new PointTemp(); pointPrecomputeZ(p, tp, count, t); + pointPrecomputeZ(q, tq, count, t); pointSetNeutral(r); - for (int bit = 252;;) + int bit = 128; + while (--bit >= 0) { int wb = ws_b[bit]; if (wb != 0) { - int sign = wb >> 31; - int index = (wb ^ sign) >>> 1; + int index = (wb >> 1) ^ (wb >> 31); + pointAddVar(wb < 0, PRECOMP_BASE_WNAF[index], r, t); + } - pointAddVar(sign != 0, PRECOMP_BASE_WNAF[index], r, t); + int wb128 = ws_b[128 + bit]; + if (wb128 != 0) + { + int index = (wb128 >> 1) ^ (wb128 >> 31); + pointAddVar(wb128 < 0, PRECOMP_BASE128_WNAF[index], r, t); } int wp = ws_p[bit]; if (wp != 0) { - int sign = wp >> 31; - int index = (wp ^ sign) >>> 1; - - pointAddVar(sign != 0, tp[index], r, t); + int index = (wp >> 1) ^ (wp >> 31); + pointAddVar(wp < 0, tp[index], r, t); } - if (--bit < 0) + int wq = ws_q[bit]; + if (wq != 0) { - break; + int index = (wq >> 1) ^ (wq >> 31); + pointAddVar(wq < 0, tq[index], r, t); } pointDouble(r); } + + // NOTE: Together with the final pointDouble of the loop, this clears the cofactor of 8 + pointDouble(r); + pointDouble(r); } public static void sign(byte[] sk, int skOff, byte[] m, int mOff, int mLen, byte[] sig, int sigOff) @@ -1425,7 +1409,8 @@ public static void sign(byte[] sk, int skOff, byte[] m, int mOff, int mLen, byte implSign(sk, skOff, ctx, phflag, m, mOff, mLen, sig, sigOff); } - public static void sign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] m, int mOff, int mLen, byte[] sig, int sigOff) + public static void sign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] m, int mOff, int mLen, byte[] sig, + int sigOff) { byte[] ctx = null; byte phflag = 0x00; @@ -1440,7 +1425,8 @@ public static void sign(byte[] sk, int skOff, byte[] ctx, byte[] m, int mOff, in implSign(sk, skOff, ctx, phflag, m, mOff, mLen, sig, sigOff); } - public static void sign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff, int mLen, byte[] sig, int sigOff) + public static void sign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff, int mLen, + byte[] sig, int sigOff) { byte phflag = 0x00; @@ -1454,7 +1440,8 @@ public static void signPrehash(byte[] sk, int skOff, byte[] ctx, byte[] ph, int implSign(sk, skOff, ctx, phflag, ph, phOff, PREHASH_SIZE, sig, sigOff); } - public static void signPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] ph, int phOff, byte[] sig, int sigOff) + public static void signPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] ph, int phOff, + byte[] sig, int sigOff) { byte phflag = 0x01; @@ -1474,7 +1461,8 @@ public static void signPrehash(byte[] sk, int skOff, byte[] ctx, Digest ph, byte implSign(sk, skOff, ctx, phflag, m, 0, m.length, sig, sigOff); } - public static void signPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, Digest ph, byte[] sig, int sigOff) + public static void signPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, Digest ph, byte[] sig, + int sigOff) { byte[] m = new byte[PREHASH_SIZE]; if (PREHASH_SIZE != ph.doFinal(m, 0)) @@ -1489,34 +1477,74 @@ public static void signPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[ public static boolean validatePublicKeyFull(byte[] pk, int pkOff) { - PointAffine p = new PointAffine(); - if (!decodePointVar(pk, pkOff, false, p)) + byte[] A = copy(pk, pkOff, PUBLIC_KEY_SIZE); + + if (!checkPointFullVar(A)) { return false; } - F.normalize(p.x); - F.normalize(p.y); - - if (isNeutralElementVar(p.x, p.y)) + PointAffine pA = new PointAffine(); + if (!decodePointVar(A, false, pA)) { return false; } - PointAccum r = new PointAccum(); - scalarMultOrderVar(p, r); + return checkPointOrderVar(pA); + } - F.normalize(r.x); - F.normalize(r.y); - F.normalize(r.z); + public static PublicPoint validatePublicKeyFullExport(byte[] pk, int pkOff) + { + byte[] A = copy(pk, pkOff, PUBLIC_KEY_SIZE); - return isNeutralElementVar(r.x, r.y, r.z); + if (!checkPointFullVar(A)) + { + return null; + } + + PointAffine pA = new PointAffine(); + if (!decodePointVar(A, false, pA)) + { + return null; + } + + if (!checkPointOrderVar(pA)) + { + return null; + } + + return exportPoint(pA); } public static boolean validatePublicKeyPartial(byte[] pk, int pkOff) { - PointAffine p = new PointAffine(); - return decodePointVar(pk, pkOff, false, p); + byte[] A = copy(pk, pkOff, PUBLIC_KEY_SIZE); + + if (!checkPointFullVar(A)) + { + return false; + } + + PointAffine pA = new PointAffine(); + return decodePointVar(A, false, pA); + } + + public static PublicPoint validatePublicKeyPartialExport(byte[] pk, int pkOff) + { + byte[] A = copy(pk, pkOff, PUBLIC_KEY_SIZE); + + if (!checkPointFullVar(A)) + { + return null; + } + + PointAffine pA = new PointAffine(); + if (!decodePointVar(A, false, pA)) + { + return null; + } + + return exportPoint(pA); } public static boolean verify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] m, int mOff, int mLen) @@ -1527,20 +1555,44 @@ public static boolean verify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[ return implVerify(sig, sigOff, pk, pkOff, ctx, phflag, m, mOff, mLen); } + public static boolean verify(byte[] sig, int sigOff, PublicPoint publicPoint, byte[] m, int mOff, int mLen) + { + byte[] ctx = null; + byte phflag = 0x00; + + return implVerify(sig, sigOff, publicPoint, ctx, phflag, m, mOff, mLen); + } + public static boolean verify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff, int mLen) { byte phflag = 0x00; return implVerify(sig, sigOff, pk, pkOff, ctx, phflag, m, mOff, mLen); } + public static boolean verify(byte[] sig, int sigOff, PublicPoint publicPoint, byte[] ctx, byte[] m, int mOff, + int mLen) + { + byte phflag = 0x00; + + return implVerify(sig, sigOff, publicPoint, ctx, phflag, m, mOff, mLen); + } + public static boolean verifyPrehash(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] ctx, byte[] ph, int phOff) { byte phflag = 0x01; return implVerify(sig, sigOff, pk, pkOff, ctx, phflag, ph, phOff, PREHASH_SIZE); } + public static boolean verifyPrehash(byte[] sig, int sigOff, PublicPoint publicPoint, byte[] ctx, byte[] ph, + int phOff) + { + byte phflag = 0x01; + + return implVerify(sig, sigOff, publicPoint, ctx, phflag, ph, phOff, PREHASH_SIZE); + } + public static boolean verifyPrehash(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] ctx, Digest ph) { byte[] m = new byte[PREHASH_SIZE]; @@ -1553,4 +1605,17 @@ public static boolean verifyPrehash(byte[] sig, int sigOff, byte[] pk, int pkOff return implVerify(sig, sigOff, pk, pkOff, ctx, phflag, m, 0, m.length); } + + public static boolean verifyPrehash(byte[] sig, int sigOff, PublicPoint publicPoint, byte[] ctx, Digest ph) + { + byte[] m = new byte[PREHASH_SIZE]; + if (PREHASH_SIZE != ph.doFinal(m, 0)) + { + throw new IllegalArgumentException("ph"); + } + + byte phflag = 0x01; + + return implVerify(sig, sigOff, publicPoint, ctx, phflag, m, 0, m.length); + } }
core/src/main/java/org/bouncycastle/math/ec/rfc8032/Ed448.java+508 −611 modified@@ -7,7 +7,6 @@ import org.bouncycastle.math.ec.rfc7748.X448; import org.bouncycastle.math.ec.rfc7748.X448Field; import org.bouncycastle.math.raw.Nat; -import org.bouncycastle.util.Arrays; /** * A low-level implementation of the Ed448 and Ed448ph instantiations of the Edwards-Curve Digital Signature @@ -28,11 +27,17 @@ public static final class Algorithm public static final int Ed448ph = 1; } - private static class F extends X448Field {}; + public static final class PublicPoint + { + final int[] data; - private static final long M26L = 0x03FFFFFFL; - private static final long M28L = 0x0FFFFFFFL; - private static final long M32L = 0xFFFFFFFFL; + PublicPoint(int[] data) + { + this.data = data; + } + } + + private static class F extends X448Field {}; private static final int COORD_INTS = 14; private static final int POINT_BYTES = COORD_INTS * 4 + 1; @@ -47,36 +52,28 @@ private static class F extends X448Field {}; // "SigEd448" private static final byte[] DOM4_PREFIX = new byte[]{ 0x53, 0x69, 0x67, 0x45, 0x64, 0x34, 0x34, 0x38 }; - private static final int[] P = new int[] { 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, - 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF }; - private static final int[] L = new int[] { 0xAB5844F3, 0x2378C292, 0x8DC58F55, 0x216CC272, 0xAED63690, 0xC44EDB49, 0x7CCA23E9, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x3FFFFFFF }; - - private static final int L_0 = 0x04A7BB0D; // L_0:26/24 - private static final int L_1 = 0x0873D6D5; // L_1:27/23 - private static final int L_2 = 0x0A70AADC; // L_2:27/26 - private static final int L_3 = 0x03D8D723; // L_3:26/-- - private static final int L_4 = 0x096FDE93; // L_4:27/25 - private static final int L_5 = 0x0B65129C; // L_5:27/26 - private static final int L_6 = 0x063BB124; // L_6:27/-- - private static final int L_7 = 0x08335DC1; // L_7:27/22 - - private static final int L4_0 = 0x029EEC34; // L4_0:25/24 - private static final int L4_1 = 0x01CF5B55; // L4_1:25/-- - private static final int L4_2 = 0x09C2AB72; // L4_2:27/25 - private static final int L4_3 = 0x0F635C8E; // L4_3:28/-- - private static final int L4_4 = 0x05BF7A4C; // L4_4:26/25 - private static final int L4_5 = 0x0D944A72; // L4_5:28/-- - private static final int L4_6 = 0x08EEC492; // L4_6:27/24 - private static final int L4_7 = 0x20CD7705; // L4_7:29/24 - - private static final int[] B_x = new int[] { 0x070CC05E, 0x026A82BC, 0x00938E26, 0x080E18B0, 0x0511433B, 0x0F72AB66, 0x0412AE1A, - 0x0A3D3A46, 0x0A6DE324, 0x00F1767E, 0x04657047, 0x036DA9E1, 0x05A622BF, 0x0ED221D1, 0x066BED0D, 0x04F1970C }; - private static final int[] B_y = new int[] { 0x0230FA14, 0x008795BF, 0x07C8AD98, 0x0132C4ED, 0x09C4FDBD, 0x01CE67C3, 0x073AD3FF, - 0x005A0C2D, 0x07789C1E, 0x0A398408, 0x0A73736C, 0x0C7624BE, 0x003756C9, 0x02488762, 0x016EB6BC, 0x0693F467 }; + private static final int[] P = new int[] { 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, + 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF }; + + private static final int[] B_x = new int[]{ 0x070CC05E, 0x026A82BC, 0x00938E26, 0x080E18B0, 0x0511433B, 0x0F72AB66, + 0x0412AE1A, 0x0A3D3A46, 0x0A6DE324, 0x00F1767E, 0x04657047, 0x036DA9E1, 0x05A622BF, 0x0ED221D1, 0x066BED0D, + 0x04F1970C }; + private static final int[] B_y = new int[]{ 0x0230FA14, 0x008795BF, 0x07C8AD98, 0x0132C4ED, 0x09C4FDBD, 0x01CE67C3, + 0x073AD3FF, 0x005A0C2D, 0x07789C1E, 0x0A398408, 0x0A73736C, 0x0C7624BE, 0x003756C9, 0x02488762, 0x016EB6BC, + 0x0693F467 }; + + // 2^225 * B + private static final int[] B225_x = new int[]{ 0x06909EE2, 0x01D7605C, 0x0995EC8A, 0x0FC4D970, 0x0CF2B361, + 0x02D82E9D, 0x01225F55, 0x007F0EF6, 0x0AEE9C55, 0x0A240C13, 0x05627B54, 0x0D449D1E, 0x03A44575, 0x007164A7, + 0x0BD4BD71, 0x061A15FD }; + private static final int[] B225_y = new int[]{ 0x0D3A9FE4, 0x030696B9, 0x07E7E326, 0x068308C7, 0x0CE0B8C8, + 0x03AC222B, 0x0304DB8E, 0x083EE319, 0x05E5DB0B, 0x0ECA503B, 0x0B1C6539, 0x078A8DCE, 0x02D256BC, 0x04A8B05E, + 0x0BD9FD57, 0x0A1C3CB8 }; + private static final int C_d = -39081; - private static final int WNAF_WIDTH = 5; +// private static final int WNAF_WIDTH = 6; + private static final int WNAF_WIDTH_225 = 5; private static final int WNAF_WIDTH_BASE = 7; // scalarMultBase supports varying blocks, teeth, spacing so long as their product is in range [449, 479] @@ -89,6 +86,7 @@ private static class F extends X448Field {}; private static final Object PRECOMP_LOCK = new Object(); private static PointAffine[] PRECOMP_BASE_WNAF = null; + private static PointAffine[] PRECOMP_BASE225_WNAF = null; private static int[] PRECOMP_BASE_COMB = null; private static class PointAffine @@ -104,35 +102,45 @@ private static class PointProjective int[] z = F.create(); } + // Temp space to avoid allocations in point formulae. + private static class PointTemp + { + int[] r0 = F.create(); + int[] r1 = F.create();; + int[] r2 = F.create(); + int[] r3 = F.create();; + int[] r4 = F.create(); + int[] r5 = F.create();; + int[] r6 = F.create(); + int[] r7 = F.create();; + } + private static byte[] calculateS(byte[] r, byte[] k, byte[] s) { - int[] t = new int[SCALAR_INTS * 2]; decodeScalar(r, 0, t); - int[] u = new int[SCALAR_INTS]; decodeScalar(k, 0, u); - int[] v = new int[SCALAR_INTS]; decodeScalar(s, 0, v); + int[] t = new int[SCALAR_INTS * 2]; Scalar448.decode(r, t); + int[] u = new int[SCALAR_INTS]; Scalar448.decode(k, u); + int[] v = new int[SCALAR_INTS]; Scalar448.decode(s, v); Nat.mulAddTo(SCALAR_INTS, u, v, t); byte[] result = new byte[SCALAR_BYTES * 2]; - for (int i = 0; i < t.length; ++i) - { - encode32(t[i], result, i * 4); - } - return reduceScalar(result); + Codec.encode32(t, 0, t.length, result, 0); + return Scalar448.reduce(result); } private static boolean checkContextVar(byte[] ctx) { return ctx != null && ctx.length < 256; } - private static int checkPoint(int[] x, int[] y) + private static int checkPoint(PointAffine p) { int[] t = F.create(); int[] u = F.create(); int[] v = F.create(); - F.sqr(x, u); - F.sqr(y, v); + F.sqr(p.x, u); + F.sqr(p.y, v); F.mul(u, v, t); F.add(u, v, u); F.mul(t, -C_d, t); @@ -143,16 +151,16 @@ private static int checkPoint(int[] x, int[] y) return F.isZero(t); } - private static int checkPoint(int[] x, int[] y, int[] z) + private static int checkPoint(PointProjective p) { int[] t = F.create(); int[] u = F.create(); int[] v = F.create(); int[] w = F.create(); - F.sqr(x, u); - F.sqr(y, v); - F.sqr(z, w); + F.sqr(p.x, u); + F.sqr(p.y, v); + F.sqr(p.z, w); F.mul(u, v, t); F.add(u, v, u); F.mul(u, w, u); @@ -165,31 +173,62 @@ private static int checkPoint(int[] x, int[] y, int[] z) return F.isZero(t); } - private static boolean checkPointVar(byte[] p) + private static boolean checkPointFullVar(byte[] p) { if ((p[POINT_BYTES - 1] & 0x7F) != 0x00) - { return false; - } - if (decode32(p, 52) != P[13]) + + int y13 = Codec.decode32(p, 52); + + int t0 = y13; + int t1 = y13 ^ P[13]; + + for (int i = COORD_INTS - 2; i > 0; --i) { - return true; + int yi = Codec.decode32(p, i * 4); + + // Reject non-canonical encodings (i.e. >= P) + if (t1 == 0 && (yi + Integer.MIN_VALUE) > (P[i] + Integer.MIN_VALUE)) + return false; + + t0 |= yi; + t1 |= yi ^ P[i]; } - int[] t = new int[COORD_INTS]; - decode32(p, 0, t, 0, COORD_INTS); - return !Nat.gte(COORD_INTS, t, P); + int y0 = Codec.decode32(p, 0); + + // Reject 0 and 1 + if (t0 == 0 && (y0 + Integer.MIN_VALUE) <= (1 + Integer.MIN_VALUE)) + return false; + + // Reject P - 1 and non-canonical encodings (i.e. >= P) + if (t1 == 0 && (y0 + Integer.MIN_VALUE) >= (P[0] - 1 + Integer.MIN_VALUE)) + return false; + + return true; + } + + private static boolean checkPointOrderVar(PointAffine p) + { + PointProjective r = new PointProjective(); + scalarMultOrderVar(p, r); + return normalizeToNeutralElementVar(r); } - private static boolean checkScalarVar(byte[] s, int[] n) + private static boolean checkPointVar(byte[] p) { - if (s[SCALAR_BYTES - 1] != 0x00) + if ((p[POINT_BYTES - 1] & 0x7F) != 0x00) { return false; } + if (Codec.decode32(p, 52) != P[13]) + { + return true; + } - decodeScalar(s, 0, n); - return !Nat.gte(SCALAR_INTS, n, L); + int[] t = new int[COORD_INTS]; + Codec.decode32(p, 0, t, 0, COORD_INTS); + return !Nat.gte(COORD_INTS, t, P); } private static byte[] copy(byte[] buf, int off, int len) @@ -209,50 +248,11 @@ private static Xof createXof() return new SHAKEDigest(256); } - private static int decode16(byte[] bs, int off) - { - int n = bs[off] & 0xFF; - n |= (bs[++off] & 0xFF) << 8; - return n; - } - - private static int decode24(byte[] bs, int off) - { - int n = bs[ off] & 0xFF; - n |= (bs[++off] & 0xFF) << 8; - n |= (bs[++off] & 0xFF) << 16; - return n; - } - - private static int decode32(byte[] bs, int off) - { - int n = bs[off] & 0xFF; - n |= (bs[++off] & 0xFF) << 8; - n |= (bs[++off] & 0xFF) << 16; - n |= bs[++off] << 24; - return n; - } - - private static void decode32(byte[] bs, int bsOff, int[] n, int nOff, int nLen) + private static boolean decodePointVar(byte[] p, boolean negate, PointAffine r) { - for (int i = 0; i < nLen; ++i) - { - n[nOff + i] = decode32(bs, bsOff + i * 4); - } - } + int x_0 = (p[POINT_BYTES - 1] & 0x80) >>> 7; - private static boolean decodePointVar(byte[] p, int pOff, boolean negate, PointProjective r) - { - byte[] py = copy(p, pOff, POINT_BYTES); - if (!checkPointVar(py)) - { - return false; - } - - int x_0 = (py[POINT_BYTES - 1] & 0x80) >>> 7; - py[POINT_BYTES - 1] &= 0x7F; - - F.decode(py, 0, r.y); + F.decode(p, r.y); int[] u = F.create(); int[] v = F.create(); @@ -277,21 +277,16 @@ private static boolean decodePointVar(byte[] p, int pOff, boolean negate, PointP if (negate ^ (x_0 != (r.x[0] & 1))) { F.negate(r.x, r.x); + F.normalize(r.x); } - F.one(r.z); return true; } - private static void decodeScalar(byte[] k, int kOff, int[] n) - { -// assert k[kOff + SCALAR_BYTES - 1] == 0x00; - - decode32(k, kOff, n, 0, SCALAR_INTS); - } - private static void dom4(Xof d, byte phflag, byte[] ctx) { +// assert ctx != null; + int n = DOM4_PREFIX.length; byte[] t = new byte[n + 2 + ctx.length]; System.arraycopy(DOM4_PREFIX, 0, t, 0, n); @@ -302,44 +297,37 @@ private static void dom4(Xof d, byte phflag, byte[] ctx) d.update(t, 0, t.length); } - private static void encode24(int n, byte[] bs, int off) + private static void encodePoint(PointAffine p, byte[] r, int rOff) { - bs[ off] = (byte)(n ); - bs[++off] = (byte)(n >>> 8); - bs[++off] = (byte)(n >>> 16); + F.encode(p.y, r, rOff); + r[rOff + POINT_BYTES - 1] = (byte)((p.x[0] & 1) << 7); } - private static void encode32(int n, byte[] bs, int off) + public static void encodePublicPoint(PublicPoint publicPoint, byte[] pk, int pkOff) { - bs[ off] = (byte)(n ); - bs[++off] = (byte)(n >>> 8); - bs[++off] = (byte)(n >>> 16); - bs[++off] = (byte)(n >>> 24); + F.encode(publicPoint.data, F.SIZE, pk, pkOff); + pk[pkOff + POINT_BYTES - 1] = (byte)((publicPoint.data[0] & 1) << 7); } - private static void encode56(long n, byte[] bs, int off) + private static int encodeResult(PointProjective p, byte[] r, int rOff) { - encode32((int)n, bs, off); - encode24((int)(n >>> 32), bs, off + 4); - } + PointAffine q = new PointAffine(); + normalizeToAffine(p, q); - private static int encodePoint(PointProjective p, byte[] r, int rOff) - { - int[] x = F.create(); - int[] y = F.create(); + int result = checkPoint(q); - F.inv(p.z, y); - F.mul(p.x, y, x); - F.mul(p.y, y, y); - F.normalize(x); - F.normalize(y); + encodePoint(q, r, rOff); - int result = checkPoint(x, y); + return result; + } - F.encode(y, r, rOff); - r[rOff + POINT_BYTES - 1] = (byte)((x[0] & 1) << 7); + private static PublicPoint exportPoint(PointAffine p) + { + int[] data = new int[F.SIZE * 2]; + F.copy(p.x, 0, data, 0); + F.copy(p.y, 0, data, F.SIZE); - return result; + return new PublicPoint(data); } public static void generatePrivateKey(SecureRandom random, byte[] k) @@ -366,60 +354,35 @@ public static void generatePublicKey(byte[] sk, int skOff, byte[] pk, int pkOff) scalarMultBaseEncoded(s, pk, pkOff); } - private static int getWindow4(int[] x, int n) + public static PublicPoint generatePublicKey(byte[] sk, int skOff) { - int w = n >>> 3, b = (n & 7) << 2; - return (x[w] >>> b) & 15; - } + Xof d = createXof(); + byte[] h = new byte[SCALAR_BYTES * 2]; - private static byte[] getWnafVar(int[] n, int width) - { -// assert 0 <= n[SCALAR_INTS - 1] && n[SCALAR_INTS - 1] <= L[SCALAR_INTS - 1]; -// assert 2 <= width && width <= 8; + d.update(sk, skOff, SECRET_KEY_SIZE); + d.doFinal(h, 0, h.length); - int[] t = new int[SCALAR_INTS * 2]; - { - int tPos = t.length, c = 0; - int i = SCALAR_INTS; - while (--i >= 0) - { - int next = n[i]; - t[--tPos] = (next >>> 16) | (c << 16); - t[--tPos] = c = next; - } - } + byte[] s = new byte[SCALAR_BYTES]; + pruneScalar(h, 0, s); - byte[] ws = new byte[447]; + PointProjective p = new PointProjective(); + scalarMultBase(s, p); - final int lead = 32 - width; + PointAffine q = new PointAffine(); + normalizeToAffine(p, q); - int j = 0, carry = 0; - for (int i = 0; i < t.length; ++i, j -= 16) + if (0 == checkPoint(q)) { - int word = t[i]; - while (j < 16) - { - int word16 = word >>> j; - int bit = word16 & 1; - - if (bit == carry) - { - ++j; - continue; - } - - int digit = (word16 | 1) << lead; - carry = digit >>> 31; - - ws[(i << 4) + j] = (byte)(digit >> lead); - - j += width; - } + throw new IllegalStateException(); } -// assert carry == 0; + return exportPoint(q); + } - return ws; + private static int getWindow4(int[] x, int n) + { + int w = n >>> 3, b = (n & 7) << 2; + return (x[w] >>> b) & 15; } private static void implSign(Xof d, byte[] h, byte[] s, byte[] pk, int pkOff, byte[] ctx, byte phflag, @@ -430,7 +393,7 @@ private static void implSign(Xof d, byte[] h, byte[] s, byte[] pk, int pkOff, by d.update(m, mOff, mLen); d.doFinal(h, 0, h.length); - byte[] r = reduceScalar(h); + byte[] r = Scalar448.reduce(h); byte[] R = new byte[POINT_BYTES]; scalarMultBaseEncoded(r, R, 0); @@ -440,7 +403,7 @@ private static void implSign(Xof d, byte[] h, byte[] s, byte[] pk, int pkOff, by d.update(m, mOff, mLen); d.doFinal(h, 0, h.length); - byte[] k = reduceScalar(h); + byte[] k = Scalar448.reduce(h); byte[] S = calculateS(r, k, s); System.arraycopy(R, 0, sig, sigOff, POINT_BYTES); @@ -500,20 +463,30 @@ private static boolean implVerify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] R = copy(sig, sigOff, POINT_BYTES); byte[] S = copy(sig, sigOff + POINT_BYTES, SCALAR_BYTES); + byte[] A = copy(pk, pkOff, PUBLIC_KEY_SIZE); if (!checkPointVar(R)) { return false; } int[] nS = new int[SCALAR_INTS]; - if (!checkScalarVar(S, nS)) + if (!Scalar448.checkVar(S, nS)) { return false; } - PointProjective pA = new PointProjective(); - if (!decodePointVar(pk, pkOff, true, pA)) + if (!checkPointFullVar(A)) + return false; + + PointAffine pR = new PointAffine(); + if (!decodePointVar(R, true, pR)) + { + return false; + } + + PointAffine pA = new PointAffine(); + if (!decodePointVar(A, true, pA)) { return false; } @@ -523,20 +496,82 @@ private static boolean implVerify(byte[] sig, int sigOff, byte[] pk, int pkOff, dom4(d, phflag, ctx); d.update(R, 0, POINT_BYTES); - d.update(pk, pkOff, POINT_BYTES); + d.update(A, 0, POINT_BYTES); d.update(m, mOff, mLen); d.doFinal(h, 0, h.length); - byte[] k = reduceScalar(h); + byte[] k = Scalar448.reduce(h); int[] nA = new int[SCALAR_INTS]; - decodeScalar(k, 0, nA); + Scalar448.decode(k, nA); - PointProjective pR = new PointProjective(); - scalarMultStrausVar(nS, nA, pA, pR); + int[] v0 = new int[8]; + int[] v1 = new int[8]; + Scalar448.reduceBasisVar(nA, v0, v1); + Scalar448.multiply225Var(nS, v1, nS); - byte[] check = new byte[POINT_BYTES]; - return 0 != encodePoint(pR, check, 0) && Arrays.areEqual(check, R); + PointProjective pZ = new PointProjective(); + scalarMultStraus225Var(nS, v0, pA, v1, pR, pZ); + return normalizeToNeutralElementVar(pZ); + } + + private static boolean implVerify(byte[] sig, int sigOff, PublicPoint publicPoint, byte[] ctx, byte phflag, + byte[] m, int mOff, int mLen) + { + if (!checkContextVar(ctx)) + { + throw new IllegalArgumentException("ctx"); + } + + byte[] R = copy(sig, sigOff, POINT_BYTES); + byte[] S = copy(sig, sigOff + POINT_BYTES, SCALAR_BYTES); + + if (!checkPointVar(R)) + { + return false; + } + + int[] nS = new int[SCALAR_INTS]; + if (!Scalar448.checkVar(S, nS)) + { + return false; + } + + PointAffine pR = new PointAffine(); + if (!decodePointVar(R, true, pR)) + { + return false; + } + + PointAffine pA = new PointAffine(); + F.negate(publicPoint.data, pA.x); + F.copy(publicPoint.data, F.SIZE, pA.y, 0); + + byte[] A = new byte[PUBLIC_KEY_SIZE]; + encodePublicPoint(publicPoint, A, 0); + + Xof d = createXof(); + byte[] h = new byte[SCALAR_BYTES * 2]; + + dom4(d, phflag, ctx); + d.update(R, 0, POINT_BYTES); + d.update(A, 0, POINT_BYTES); + d.update(m, mOff, mLen); + d.doFinal(h, 0, h.length); + + byte[] k = Scalar448.reduce(h); + + int[] nA = new int[SCALAR_INTS]; + Scalar448.decode(k, nA); + + int[] v0 = new int[8]; + int[] v1 = new int[8]; + Scalar448.reduceBasisVar(nA, v0, v1); + Scalar448.multiply225Var(nS, v1, nS); + + PointProjective pZ = new PointProjective(); + scalarMultStraus225Var(nS, v0, pA, v1, pR, pZ); + return normalizeToNeutralElementVar(pZ); } private static void invertZs(PointProjective[] points) @@ -572,20 +607,43 @@ private static void invertZs(PointProjective[] points) F.copy(u, 0, points[0].z, 0); } +// private static boolean isNeutralElementVar(int[] x, int[] y) +// { +// return F.isZeroVar(x) && F.isOneVar(y); +// } + private static boolean isNeutralElementVar(int[] x, int[] y, int[] z) { return F.isZeroVar(x) && F.areEqualVar(y, z); } - private static void pointAdd(PointAffine p, PointProjective r) + private static void normalizeToAffine(PointProjective p, PointAffine r) { - int[] b = F.create(); - int[] c = F.create(); - int[] d = F.create(); - int[] e = F.create(); - int[] f = F.create(); - int[] g = F.create(); - int[] h = F.create(); + F.inv(p.z, r.y); + F.mul(r.y, p.x, r.x); + F.mul(r.y, p.y, r.y); + F.normalize(r.x); + F.normalize(r.y); + } + + private static boolean normalizeToNeutralElementVar(PointProjective p) + { + F.normalize(p.x); + F.normalize(p.y); + F.normalize(p.z); + + return isNeutralElementVar(p.x, p.y, p.z); + } + + private static void pointAdd(PointAffine p, PointProjective r, PointTemp t) + { + int[] b = t.r1; + int[] c = t.r2; + int[] d = t.r3; + int[] e = t.r4; + int[] f = t.r5; + int[] g = t.r6; + int[] h = t.r7; F.sqr(r.z, b); F.mul(p.x, r.x, c); @@ -610,16 +668,16 @@ private static void pointAdd(PointAffine p, PointProjective r) F.mul(f, g, r.z); } - private static void pointAdd(PointProjective p, PointProjective r) + private static void pointAdd(PointProjective p, PointProjective r, PointTemp t) { - int[] a = F.create(); - int[] b = F.create(); - int[] c = F.create(); - int[] d = F.create(); - int[] e = F.create(); - int[] f = F.create(); - int[] g = F.create(); - int[] h = F.create(); + int[] a = t.r0; + int[] b = t.r1; + int[] c = t.r2; + int[] d = t.r3; + int[] e = t.r4; + int[] f = t.r5; + int[] g = t.r6; + int[] h = t.r7; F.mul(p.z, r.z, a); F.sqr(a, b); @@ -645,15 +703,15 @@ private static void pointAdd(PointProjective p, PointProjective r) F.mul(f, g, r.z); } - private static void pointAddVar(boolean negate, PointAffine p, PointProjective r) + private static void pointAddVar(boolean negate, PointAffine p, PointProjective r, PointTemp t) { - int[] b = F.create(); - int[] c = F.create(); - int[] d = F.create(); - int[] e = F.create(); - int[] f = F.create(); - int[] g = F.create(); - int[] h = F.create(); + int[] b = t.r1; + int[] c = t.r2; + int[] d = t.r3; + int[] e = t.r4; + int[] f = t.r5; + int[] g = t.r6; + int[] h = t.r7; int[] nb, ne, nf, ng; if (negate) @@ -689,16 +747,16 @@ private static void pointAddVar(boolean negate, PointAffine p, PointProjective r F.mul(f, g, r.z); } - private static void pointAddVar(boolean negate, PointProjective p, PointProjective r) + private static void pointAddVar(boolean negate, PointProjective p, PointProjective r, PointTemp t) { - int[] a = F.create(); - int[] b = F.create(); - int[] c = F.create(); - int[] d = F.create(); - int[] e = F.create(); - int[] f = F.create(); - int[] g = F.create(); - int[] h = F.create(); + int[] a = t.r0; + int[] b = t.r1; + int[] c = t.r2; + int[] d = t.r3; + int[] e = t.r4; + int[] f = t.r5; + int[] g = t.r6; + int[] h = t.r7; int[] nb, ne, nf, ng; if (negate) @@ -735,21 +793,28 @@ private static void pointAddVar(boolean negate, PointProjective p, PointProjecti F.mul(f, g, r.z); } + private static void pointCopy(PointAffine p, PointProjective r) + { + F.copy(p.x, 0, r.x, 0); + F.copy(p.y, 0, r.y, 0); + F.one(r.z); + } + private static void pointCopy(PointProjective p, PointProjective r) { F.copy(p.x, 0, r.x, 0); F.copy(p.y, 0, r.y, 0); F.copy(p.z, 0, r.z, 0); } - private static void pointDouble(PointProjective r) + private static void pointDouble(PointProjective r, PointTemp t) { - int[] b = F.create(); - int[] c = F.create(); - int[] d = F.create(); - int[] e = F.create(); - int[] h = F.create(); - int[] j = F.create(); + int[] b = t.r1; + int[] c = t.r2; + int[] d = t.r3; + int[] e = t.r4; + int[] h = t.r7; + int[] j = t.r0; F.add(r.x, r.y, b); F.sqr(b, b); @@ -815,7 +880,7 @@ private static void pointLookup15(int[] table, PointProjective r) F.copy(table, off, r.z, 0); } - private static int[] pointPrecompute(PointProjective p, int count) + private static int[] pointPrecompute(PointProjective p, int count, PointTemp t) { // assert count > 0; @@ -824,7 +889,7 @@ private static int[] pointPrecompute(PointProjective p, int count) PointProjective d = new PointProjective(); pointCopy(q, d); - pointDouble(d); + pointDouble(d, t); int[] table = F.createTable(count * 3); int off = 0; @@ -841,27 +906,28 @@ private static int[] pointPrecompute(PointProjective p, int count) break; } - pointAdd(d, q); + pointAdd(d, q, t); } return table; } - private static void pointPrecomputeVar(PointProjective p, PointProjective[] points, int count) + private static void pointPrecompute(PointAffine p, PointProjective[] points, int pointsOff, int pointsLen, + PointTemp t) { -// assert count > 0; +// assert pointsLen > 0; PointProjective d = new PointProjective(); pointCopy(p, d); - pointDouble(d); + pointDouble(d, t); - points[0] = new PointProjective(); - pointCopy(p, points[0]); - for (int i = 1; i < count; ++i) + points[pointsOff] = new PointProjective(); + pointCopy(p, points[pointsOff]); + for (int i = 1; i < pointsLen; ++i) { - points[i] = new PointProjective(); - pointCopy(points[i - 1], points[i]); - pointAdd(d, points[i]); + points[pointsOff + i] = new PointProjective(); + pointCopy(points[pointsOff + i - 1], points[pointsOff + i]); + pointAdd(d, points[pointsOff + i], t); } } @@ -876,7 +942,7 @@ public static void precompute() { synchronized (PRECOMP_LOCK) { - if (PRECOMP_BASE_WNAF != null && PRECOMP_BASE_COMB != null) + if (PRECOMP_BASE_COMB != null) { return; } @@ -886,23 +952,33 @@ public static void precompute() int wnafPoints = 1 << (WNAF_WIDTH_BASE - 2); int combPoints = PRECOMP_BLOCKS * PRECOMP_POINTS; - int totalPoints = wnafPoints + combPoints; + int totalPoints = wnafPoints * 2 + combPoints; PointProjective[] points = new PointProjective[totalPoints]; + PointTemp t = new PointTemp(); - PointProjective p = new PointProjective(); - F.copy(B_x, 0, p.x, 0); - F.copy(B_y, 0, p.y, 0); - F.one(p.z); + PointAffine B = new PointAffine(); + F.copy(B_x, 0, B.x, 0); + F.copy(B_y, 0, B.y, 0); - pointPrecomputeVar(p, points, wnafPoints); + pointPrecompute(B, points, 0, wnafPoints, t); + + PointAffine B225 = new PointAffine(); + F.copy(B225_x, 0, B225.x, 0); + F.copy(B225_y, 0, B225.y, 0); + + pointPrecompute(B225, points, wnafPoints, wnafPoints, t); + + PointProjective p = new PointProjective(); + pointCopy(B, p); - int pointsIndex = wnafPoints; + int pointsIndex = wnafPoints * 2; PointProjective[] toothPowers = new PointProjective[PRECOMP_TEETH]; for (int tooth = 0; tooth < PRECOMP_TEETH; ++tooth) { toothPowers[tooth] = new PointProjective(); } + for (int block = 0; block < PRECOMP_BLOCKS; ++block) { PointProjective sum = points[pointsIndex++] = new PointProjective(); @@ -915,17 +991,17 @@ public static void precompute() } else { - pointAdd(p, sum); + pointAdd(p, sum, t); } - pointDouble(p); + pointDouble(p, t); pointCopy(p, toothPowers[tooth]); if (block + tooth != PRECOMP_BLOCKS + PRECOMP_TEETH - 2) { for (int spacing = 1; spacing < PRECOMP_SPACING; ++spacing) { - pointDouble(p); + pointDouble(p, t); } } } @@ -939,7 +1015,7 @@ public static void precompute() { points[pointsIndex] = new PointProjective(); pointCopy(points[pointsIndex - size], points[pointsIndex]); - pointAdd(toothPowers[tooth], points[pointsIndex]); + pointAdd(toothPowers[tooth], points[pointsIndex], t); } } } @@ -957,9 +1033,19 @@ public static void precompute() F.mul(q.y, q.z, r.y); F.normalize(r.y); } + PRECOMP_BASE225_WNAF = new PointAffine[wnafPoints]; + for (int i = 0; i < wnafPoints; ++i) + { + PointProjective q = points[wnafPoints + i]; + PointAffine r = PRECOMP_BASE225_WNAF[i] = new PointAffine(); + + F.mul(q.x, q.z, r.x); F.normalize(r.x); + F.mul(q.y, q.z, r.y); F.normalize(r.y); + } + PRECOMP_BASE_COMB = F.createTable(combPoints * 2); int off = 0; - for (int i = wnafPoints; i < totalPoints; ++i) + for (int i = wnafPoints * 2; i < totalPoints; ++i) { PointProjective q = points[i]; @@ -982,309 +1068,28 @@ private static void pruneScalar(byte[] n, int nOff, byte[] r) r[SCALAR_BYTES - 1] = 0x00; } - private static byte[] reduceScalar(byte[] n) - { - long x00 = decode32(n, 0) & M32L; // x00:32/-- - long x01 = (decode24(n, 4) << 4) & M32L; // x01:28/-- - long x02 = decode32(n, 7) & M32L; // x02:32/-- - long x03 = (decode24(n, 11) << 4) & M32L; // x03:28/-- - long x04 = decode32(n, 14) & M32L; // x04:32/-- - long x05 = (decode24(n, 18) << 4) & M32L; // x05:28/-- - long x06 = decode32(n, 21) & M32L; // x06:32/-- - long x07 = (decode24(n, 25) << 4) & M32L; // x07:28/-- - long x08 = decode32(n, 28) & M32L; // x08:32/-- - long x09 = (decode24(n, 32) << 4) & M32L; // x09:28/-- - long x10 = decode32(n, 35) & M32L; // x10:32/-- - long x11 = (decode24(n, 39) << 4) & M32L; // x11:28/-- - long x12 = decode32(n, 42) & M32L; // x12:32/-- - long x13 = (decode24(n, 46) << 4) & M32L; // x13:28/-- - long x14 = decode32(n, 49) & M32L; // x14:32/-- - long x15 = (decode24(n, 53) << 4) & M32L; // x15:28/-- - long x16 = decode32(n, 56) & M32L; // x16:32/-- - long x17 = (decode24(n, 60) << 4) & M32L; // x17:28/-- - long x18 = decode32(n, 63) & M32L; // x18:32/-- - long x19 = (decode24(n, 67) << 4) & M32L; // x19:28/-- - long x20 = decode32(n, 70) & M32L; // x20:32/-- - long x21 = (decode24(n, 74) << 4) & M32L; // x21:28/-- - long x22 = decode32(n, 77) & M32L; // x22:32/-- - long x23 = (decode24(n, 81) << 4) & M32L; // x23:28/-- - long x24 = decode32(n, 84) & M32L; // x24:32/-- - long x25 = (decode24(n, 88) << 4) & M32L; // x25:28/-- - long x26 = decode32(n, 91) & M32L; // x26:32/-- - long x27 = (decode24(n, 95) << 4) & M32L; // x27:28/-- - long x28 = decode32(n, 98) & M32L; // x28:32/-- - long x29 = (decode24(n, 102) << 4) & M32L; // x29:28/-- - long x30 = decode32(n, 105) & M32L; // x30:32/-- - long x31 = (decode24(n, 109) << 4) & M32L; // x31:28/-- - long x32 = decode16(n, 112) & M32L; // x32:16/-- - -// x32 += (x31 >>> 28); x31 &= M28L; - x16 += x32 * L4_0; // x16:42/-- - x17 += x32 * L4_1; // x17:41/28 - x18 += x32 * L4_2; // x18:43/42 - x19 += x32 * L4_3; // x19:44/28 - x20 += x32 * L4_4; // x20:43/-- - x21 += x32 * L4_5; // x21:44/28 - x22 += x32 * L4_6; // x22:43/41 - x23 += x32 * L4_7; // x23:45/41 - - x31 += (x30 >>> 28); x30 &= M28L; // x31:28/--, x30:28/-- - x15 += x31 * L4_0; // x15:54/-- - x16 += x31 * L4_1; // x16:53/42 - x17 += x31 * L4_2; // x17:55/54 - x18 += x31 * L4_3; // x18:56/44 - x19 += x31 * L4_4; // x19:55/-- - x20 += x31 * L4_5; // x20:56/43 - x21 += x31 * L4_6; // x21:55/53 - x22 += x31 * L4_7; // x22:57/53 - -// x30 += (x29 >>> 28); x29 &= M28L; - x14 += x30 * L4_0; // x14:54/-- - x15 += x30 * L4_1; // x15:54/53 - x16 += x30 * L4_2; // x16:56/-- - x17 += x30 * L4_3; // x17:57/-- - x18 += x30 * L4_4; // x18:56/55 - x19 += x30 * L4_5; // x19:56/55 - x20 += x30 * L4_6; // x20:57/-- - x21 += x30 * L4_7; // x21:57/56 - - x29 += (x28 >>> 28); x28 &= M28L; // x29:28/--, x28:28/-- - x13 += x29 * L4_0; // x13:54/-- - x14 += x29 * L4_1; // x14:54/53 - x15 += x29 * L4_2; // x15:56/-- - x16 += x29 * L4_3; // x16:57/-- - x17 += x29 * L4_4; // x17:57/55 - x18 += x29 * L4_5; // x18:57/55 - x19 += x29 * L4_6; // x19:57/52 - x20 += x29 * L4_7; // x20:58/52 - -// x28 += (x27 >>> 28); x27 &= M28L; - x12 += x28 * L4_0; // x12:54/-- - x13 += x28 * L4_1; // x13:54/53 - x14 += x28 * L4_2; // x14:56/-- - x15 += x28 * L4_3; // x15:57/-- - x16 += x28 * L4_4; // x16:57/55 - x17 += x28 * L4_5; // x17:58/-- - x18 += x28 * L4_6; // x18:58/-- - x19 += x28 * L4_7; // x19:58/53 - - x27 += (x26 >>> 28); x26 &= M28L; // x27:28/--, x26:28/-- - x11 += x27 * L4_0; // x11:54/-- - x12 += x27 * L4_1; // x12:54/53 - x13 += x27 * L4_2; // x13:56/-- - x14 += x27 * L4_3; // x14:57/-- - x15 += x27 * L4_4; // x15:57/55 - x16 += x27 * L4_5; // x16:58/-- - x17 += x27 * L4_6; // x17:58/56 - x18 += x27 * L4_7; // x18:59/-- - -// x26 += (x25 >>> 28); x25 &= M28L; - x10 += x26 * L4_0; // x10:54/-- - x11 += x26 * L4_1; // x11:54/53 - x12 += x26 * L4_2; // x12:56/-- - x13 += x26 * L4_3; // x13:57/-- - x14 += x26 * L4_4; // x14:57/55 - x15 += x26 * L4_5; // x15:58/-- - x16 += x26 * L4_6; // x16:58/56 - x17 += x26 * L4_7; // x17:59/-- - - x25 += (x24 >>> 28); x24 &= M28L; // x25:28/--, x24:28/-- - x09 += x25 * L4_0; // x09:54/-- - x10 += x25 * L4_1; // x10:54/53 - x11 += x25 * L4_2; // x11:56/-- - x12 += x25 * L4_3; // x12:57/-- - x13 += x25 * L4_4; // x13:57/55 - x14 += x25 * L4_5; // x14:58/-- - x15 += x25 * L4_6; // x15:58/56 - x16 += x25 * L4_7; // x16:59/-- - - x21 += (x20 >>> 28); x20 &= M28L; // x21:58/--, x20:28/-- - x22 += (x21 >>> 28); x21 &= M28L; // x22:57/54, x21:28/-- - x23 += (x22 >>> 28); x22 &= M28L; // x23:45/42, x22:28/-- - x24 += (x23 >>> 28); x23 &= M28L; // x24:28/18, x23:28/-- - - x08 += x24 * L4_0; // x08:54/-- - x09 += x24 * L4_1; // x09:55/-- - x10 += x24 * L4_2; // x10:56/46 - x11 += x24 * L4_3; // x11:57/46 - x12 += x24 * L4_4; // x12:57/55 - x13 += x24 * L4_5; // x13:58/-- - x14 += x24 * L4_6; // x14:58/56 - x15 += x24 * L4_7; // x15:59/-- - - x07 += x23 * L4_0; // x07:54/-- - x08 += x23 * L4_1; // x08:54/53 - x09 += x23 * L4_2; // x09:56/53 - x10 += x23 * L4_3; // x10:57/46 - x11 += x23 * L4_4; // x11:57/55 - x12 += x23 * L4_5; // x12:58/-- - x13 += x23 * L4_6; // x13:58/56 - x14 += x23 * L4_7; // x14:59/-- - - x06 += x22 * L4_0; // x06:54/-- - x07 += x22 * L4_1; // x07:54/53 - x08 += x22 * L4_2; // x08:56/-- - x09 += x22 * L4_3; // x09:57/53 - x10 += x22 * L4_4; // x10:57/55 - x11 += x22 * L4_5; // x11:58/-- - x12 += x22 * L4_6; // x12:58/56 - x13 += x22 * L4_7; // x13:59/-- - - x18 += (x17 >>> 28); x17 &= M28L; // x18:59/31, x17:28/-- - x19 += (x18 >>> 28); x18 &= M28L; // x19:58/54, x18:28/-- - x20 += (x19 >>> 28); x19 &= M28L; // x20:30/29, x19:28/-- - x21 += (x20 >>> 28); x20 &= M28L; // x21:28/03, x20:28/-- - - x05 += x21 * L4_0; // x05:54/-- - x06 += x21 * L4_1; // x06:55/-- - x07 += x21 * L4_2; // x07:56/31 - x08 += x21 * L4_3; // x08:57/31 - x09 += x21 * L4_4; // x09:57/56 - x10 += x21 * L4_5; // x10:58/-- - x11 += x21 * L4_6; // x11:58/56 - x12 += x21 * L4_7; // x12:59/-- - - x04 += x20 * L4_0; // x04:54/-- - x05 += x20 * L4_1; // x05:54/53 - x06 += x20 * L4_2; // x06:56/53 - x07 += x20 * L4_3; // x07:57/31 - x08 += x20 * L4_4; // x08:57/55 - x09 += x20 * L4_5; // x09:58/-- - x10 += x20 * L4_6; // x10:58/56 - x11 += x20 * L4_7; // x11:59/-- - - x03 += x19 * L4_0; // x03:54/-- - x04 += x19 * L4_1; // x04:54/53 - x05 += x19 * L4_2; // x05:56/-- - x06 += x19 * L4_3; // x06:57/53 - x07 += x19 * L4_4; // x07:57/55 - x08 += x19 * L4_5; // x08:58/-- - x09 += x19 * L4_6; // x09:58/56 - x10 += x19 * L4_7; // x10:59/-- - - x15 += (x14 >>> 28); x14 &= M28L; // x15:59/31, x14:28/-- - x16 += (x15 >>> 28); x15 &= M28L; // x16:59/32, x15:28/-- - x17 += (x16 >>> 28); x16 &= M28L; // x17:31/29, x16:28/-- - x18 += (x17 >>> 28); x17 &= M28L; // x18:28/04, x17:28/-- - - x02 += x18 * L4_0; // x02:54/-- - x03 += x18 * L4_1; // x03:55/-- - x04 += x18 * L4_2; // x04:56/32 - x05 += x18 * L4_3; // x05:57/32 - x06 += x18 * L4_4; // x06:57/56 - x07 += x18 * L4_5; // x07:58/-- - x08 += x18 * L4_6; // x08:58/56 - x09 += x18 * L4_7; // x09:59/-- - - x01 += x17 * L4_0; // x01:54/-- - x02 += x17 * L4_1; // x02:54/53 - x03 += x17 * L4_2; // x03:56/53 - x04 += x17 * L4_3; // x04:57/32 - x05 += x17 * L4_4; // x05:57/55 - x06 += x17 * L4_5; // x06:58/-- - x07 += x17 * L4_6; // x07:58/56 - x08 += x17 * L4_7; // x08:59/-- - - x16 *= 4; - x16 += (x15 >>> 26); x15 &= M26L; - x16 += 1; // x16:30/01 - - x00 += x16 * L_0; - x01 += x16 * L_1; - x02 += x16 * L_2; - x03 += x16 * L_3; - x04 += x16 * L_4; - x05 += x16 * L_5; - x06 += x16 * L_6; - x07 += x16 * L_7; - - x01 += (x00 >>> 28); x00 &= M28L; - x02 += (x01 >>> 28); x01 &= M28L; - x03 += (x02 >>> 28); x02 &= M28L; - x04 += (x03 >>> 28); x03 &= M28L; - x05 += (x04 >>> 28); x04 &= M28L; - x06 += (x05 >>> 28); x05 &= M28L; - x07 += (x06 >>> 28); x06 &= M28L; - x08 += (x07 >>> 28); x07 &= M28L; - x09 += (x08 >>> 28); x08 &= M28L; - x10 += (x09 >>> 28); x09 &= M28L; - x11 += (x10 >>> 28); x10 &= M28L; - x12 += (x11 >>> 28); x11 &= M28L; - x13 += (x12 >>> 28); x12 &= M28L; - x14 += (x13 >>> 28); x13 &= M28L; - x15 += (x14 >>> 28); x14 &= M28L; - x16 = (x15 >>> 26); x15 &= M26L; - - x16 -= 1; - -// assert x16 == 0L || x16 == -1L; - - x00 -= x16 & L_0; - x01 -= x16 & L_1; - x02 -= x16 & L_2; - x03 -= x16 & L_3; - x04 -= x16 & L_4; - x05 -= x16 & L_5; - x06 -= x16 & L_6; - x07 -= x16 & L_7; - - x01 += (x00 >> 28); x00 &= M28L; - x02 += (x01 >> 28); x01 &= M28L; - x03 += (x02 >> 28); x02 &= M28L; - x04 += (x03 >> 28); x03 &= M28L; - x05 += (x04 >> 28); x04 &= M28L; - x06 += (x05 >> 28); x05 &= M28L; - x07 += (x06 >> 28); x06 &= M28L; - x08 += (x07 >> 28); x07 &= M28L; - x09 += (x08 >> 28); x08 &= M28L; - x10 += (x09 >> 28); x09 &= M28L; - x11 += (x10 >> 28); x10 &= M28L; - x12 += (x11 >> 28); x11 &= M28L; - x13 += (x12 >> 28); x12 &= M28L; - x14 += (x13 >> 28); x13 &= M28L; - x15 += (x14 >> 28); x14 &= M28L; - -// assert x15 >>> 26 == 0L; - - byte[] r = new byte[SCALAR_BYTES]; - encode56(x00 | (x01 << 28), r, 0); - encode56(x02 | (x03 << 28), r, 7); - encode56(x04 | (x05 << 28), r, 14); - encode56(x06 | (x07 << 28), r, 21); - encode56(x08 | (x09 << 28), r, 28); - encode56(x10 | (x11 << 28), r, 35); - encode56(x12 | (x13 << 28), r, 42); - encode56(x14 | (x15 << 28), r, 49); -// r[SCALAR_BYTES - 1] = 0; - return r; - } - private static void scalarMult(byte[] k, PointProjective p, PointProjective r) { - int[] n = new int[SCALAR_INTS]; - decodeScalar(k, 0, n); - - // Recode the scalar into signed-digit form - { - int c1 = Nat.cadd(SCALAR_INTS, ~n[0] & 1, n, L, n); - //int c2 = - Nat.shiftDownBit(SCALAR_INTS, n, c1); //assert c2 == (1 << 31); + int[] n = new int[SCALAR_INTS + 1]; + Scalar448.decode(k, n); + Scalar448.toSignedDigits(449, n, n); - // NOTE: Bit 448 is implicitly set after the signed-digit recoding - } + // NOTE: Bit 448 is handled explicitly by an initial addition +// assert n[SCALAR_INTS] == 1; - int[] table = pointPrecompute(p, 8); PointProjective q = new PointProjective(); + PointTemp t = new PointTemp(); + int[] table = pointPrecompute(p, 8, t); // Replace first 4 doublings (2^4 * P) with 1 addition (P + 15 * P) pointLookup15(table, r); - pointAdd(p, r); + pointAdd(p, r, t); int w = 111; for (;;) { pointLookup(n, w, table, q); - pointAdd(q, r); + pointAdd(q, r, t); if (--w < 0) { @@ -1293,7 +1098,7 @@ private static void scalarMult(byte[] k, PointProjective p, PointProjective r) for (int i = 0; i < 4; ++i) { - pointDouble(r); + pointDouble(r, t); } } } @@ -1310,18 +1115,11 @@ private static void scalarMultBase(byte[] k, PointProjective r) precompute(); int[] n = new int[SCALAR_INTS + 1]; - decodeScalar(k, 0, n); - - // Recode the scalar into signed-digit form - { - n[SCALAR_INTS] = (1 << (PRECOMP_RANGE - 448)) - + Nat.cadd(SCALAR_INTS, ~n[0] & 1, n, L, n); - //int c = - Nat.shiftDownBit(n.length, n, 0); - //assert c == (1 << 31); - } + Scalar448.decode(k, n); + Scalar448.toSignedDigits(PRECOMP_RANGE, n, n); PointAffine p = new PointAffine(); + PointTemp t = new PointTemp(); pointSetNeutral(r); @@ -1330,14 +1128,14 @@ private static void scalarMultBase(byte[] k, PointProjective r) { int tPos = cOff; - for (int b = 0; b < PRECOMP_BLOCKS; ++b) + for (int block = 0; block < PRECOMP_BLOCKS; ++block) { int w = 0; - for (int t = 0; t < PRECOMP_TEETH; ++t) + for (int tooth = 0; tooth < PRECOMP_TEETH; ++tooth) { int tBit = n[tPos >>> 5] >>> (tPos & 0x1F); - w &= ~(1 << t); - w ^= (tBit << t); + w &= ~(1 << tooth); + w ^= (tBit << tooth); tPos += PRECOMP_SPACING; } @@ -1347,27 +1145,27 @@ private static void scalarMultBase(byte[] k, PointProjective r) // assert sign == 0 || sign == 1; // assert 0 <= abs && abs < PRECOMP_POINTS; - pointLookup(b, abs, p); + pointLookup(block, abs, p); F.cnegate(sign, p.x); - pointAdd(p, r); + pointAdd(p, r, t); } if (--cOff < 0) { break; } - pointDouble(r); + pointDouble(r, t); } } private static void scalarMultBaseEncoded(byte[] k, byte[] r, int rOff) { PointProjective p = new PointProjective(); scalarMultBase(k, p); - if (0 == encodePoint(p, r, rOff)) + if (0 == encodeResult(p, r, rOff)) { throw new IllegalStateException(); } @@ -1388,21 +1186,26 @@ public static void scalarMultBaseXY(X448.Friend friend, byte[] k, int kOff, int[ PointProjective p = new PointProjective(); scalarMultBase(n, p); - if (0 == checkPoint(p.x, p.y, p.z)) + if (0 == checkPoint(p)) { throw new IllegalStateException(); } + F.copy(p.x, 0, x, 0); F.copy(p.y, 0, y, 0); } - private static void scalarMultOrderVar(PointProjective p, PointProjective r) + private static void scalarMultOrderVar(PointAffine p, PointProjective r) { - byte[] ws_p = getWnafVar(L, WNAF_WIDTH); + byte[] ws_p = new byte[447]; - int count = 1 << (WNAF_WIDTH - 2); + // NOTE: WNAF_WIDTH_225 because of the special structure of the order + Scalar448.getOrderWnafVar(WNAF_WIDTH_225, ws_p); + + int count = 1 << (WNAF_WIDTH_225 - 2); PointProjective[] tp = new PointProjective[count]; - pointPrecomputeVar(p, tp, count); + PointTemp t = new PointTemp(); + pointPrecompute(p, tp, 0, count, t); pointSetNeutral(r); @@ -1411,61 +1214,84 @@ private static void scalarMultOrderVar(PointProjective p, PointProjective r) int wp = ws_p[bit]; if (wp != 0) { - int sign = wp >> 31; - int index = (wp ^ sign) >>> 1; - - pointAddVar(sign != 0, tp[index], r); + int index = (wp >> 1) ^ (wp >> 31); + pointAddVar(wp < 0, tp[index], r, t); } if (--bit < 0) { break; } - pointDouble(r); + pointDouble(r, t); } } - private static void scalarMultStrausVar(int[] nb, int[] np, PointProjective p, PointProjective r) + private static void scalarMultStraus225Var(int[] nb, int[] np, PointAffine p, int[] nq, PointAffine q, + PointProjective r) { +// assert nb.length == SCALAR_INTS; +// assert nb[SCALAR_INTS - 1] >>> 30 == 0; +// assert np.length == 8; +// assert np[7] >> 31 == np[7]; +// assert nq.length == 8; +// assert nq[7] >> 31 == nq[7]; + precompute(); - byte[] ws_b = getWnafVar(nb, WNAF_WIDTH_BASE); - byte[] ws_p = getWnafVar(np, WNAF_WIDTH); + byte[] ws_b = new byte[450]; + byte[] ws_p = new byte[225]; + byte[] ws_q = new byte[225]; + + Wnaf.getSignedVar(nb, WNAF_WIDTH_BASE, ws_b); + Wnaf.getSignedVar(np, WNAF_WIDTH_225, ws_p); + Wnaf.getSignedVar(nq, WNAF_WIDTH_225, ws_q); - int count = 1 << (WNAF_WIDTH - 2); + int count = 1 << (WNAF_WIDTH_225 - 2); PointProjective[] tp = new PointProjective[count]; - pointPrecomputeVar(p, tp, count); + PointProjective[] tq = new PointProjective[count]; + PointTemp t = new PointTemp(); + pointPrecompute(p, tp, 0, count, t); + pointPrecompute(q, tq, 0, count, t); pointSetNeutral(r); - for (int bit = 446;;) + int bit = 225; + while (--bit >= 0) { int wb = ws_b[bit]; if (wb != 0) { - int sign = wb >> 31; - int index = (wb ^ sign) >>> 1; + int index = (wb >> 1) ^ (wb >> 31); + pointAddVar(wb < 0, PRECOMP_BASE_WNAF[index], r, t); + } - pointAddVar(sign != 0, PRECOMP_BASE_WNAF[index], r); + int wb225 = ws_b[225 + bit]; + if (wb225 != 0) + { + int index = (wb225 >> 1) ^ (wb225 >> 31); + pointAddVar(wb225 < 0, PRECOMP_BASE225_WNAF[index], r, t); } int wp = ws_p[bit]; if (wp != 0) { - int sign = wp >> 31; - int index = (wp ^ sign) >>> 1; - - pointAddVar(sign != 0, tp[index], r); + int index = (wp >> 1) ^ (wp >> 31); + pointAddVar(wp < 0, tp[index], r, t); } - if (--bit < 0) + int wq = ws_q[bit]; + if (wq != 0) { - break; + int index = (wq >> 1) ^ (wq >> 31); + pointAddVar(wq < 0, tq[index], r, t); } - pointDouble(r); + pointDouble(r, t); } + + // NOTE: Together with the final pointDouble of the loop, this clears the cofactor of 4 + pointDouble(r, t); } public static void sign(byte[] sk, int skOff, byte[] ctx, byte[] m, int mOff, int mLen, byte[] sig, int sigOff) @@ -1475,7 +1301,8 @@ public static void sign(byte[] sk, int skOff, byte[] ctx, byte[] m, int mOff, in implSign(sk, skOff, ctx, phflag, m, mOff, mLen, sig, sigOff); } - public static void sign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff, int mLen, byte[] sig, int sigOff) + public static void sign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff, int mLen, + byte[] sig, int sigOff) { byte phflag = 0x00; @@ -1489,7 +1316,8 @@ public static void signPrehash(byte[] sk, int skOff, byte[] ctx, byte[] ph, int implSign(sk, skOff, ctx, phflag, ph, phOff, PREHASH_SIZE, sig, sigOff); } - public static void signPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] ph, int phOff, byte[] sig, int sigOff) + public static void signPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] ph, int phOff, + byte[] sig, int sigOff) { byte phflag = 0x01; @@ -1509,7 +1337,8 @@ public static void signPrehash(byte[] sk, int skOff, byte[] ctx, Xof ph, byte[] implSign(sk, skOff, ctx, phflag, m, 0, m.length, sig, sigOff); } - public static void signPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, Xof ph, byte[] sig, int sigOff) + public static void signPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, Xof ph, byte[] sig, + int sigOff) { byte[] m = new byte[PREHASH_SIZE]; if (PREHASH_SIZE != ph.doFinal(m, 0, PREHASH_SIZE)) @@ -1524,35 +1353,74 @@ public static void signPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[ public static boolean validatePublicKeyFull(byte[] pk, int pkOff) { - PointProjective p = new PointProjective(); - if (!decodePointVar(pk, pkOff, false, p)) + byte[] A = copy(pk, pkOff, PUBLIC_KEY_SIZE); + + if (!checkPointFullVar(A)) { return false; } - F.normalize(p.x); - F.normalize(p.y); - F.normalize(p.z); - - if (isNeutralElementVar(p.x, p.y, p.z)) + PointAffine pA = new PointAffine(); + if (!decodePointVar(A, false, pA)) { return false; } - PointProjective r = new PointProjective(); - scalarMultOrderVar(p, r); + return checkPointOrderVar(pA); + } - F.normalize(r.x); - F.normalize(r.y); - F.normalize(r.z); + public static PublicPoint validatePublicKeyFullExport(byte[] pk, int pkOff) + { + byte[] A = copy(pk, pkOff, PUBLIC_KEY_SIZE); - return isNeutralElementVar(r.x, r.y, r.z); + if (!checkPointFullVar(A)) + { + return null; + } + + PointAffine pA = new PointAffine(); + if (!decodePointVar(A, false, pA)) + { + return null; + } + + if (!checkPointOrderVar(pA)) + { + return null; + } + + return exportPoint(pA); } public static boolean validatePublicKeyPartial(byte[] pk, int pkOff) { - PointProjective p = new PointProjective(); - return decodePointVar(pk, pkOff, false, p); + byte[] A = copy(pk, pkOff, PUBLIC_KEY_SIZE); + + if (!checkPointFullVar(A)) + { + return false; + } + + PointAffine pA = new PointAffine(); + return decodePointVar(A, false, pA); + } + + public static PublicPoint validatePublicKeyPartialExport(byte[] pk, int pkOff) + { + byte[] A = copy(pk, pkOff, PUBLIC_KEY_SIZE); + + if (!checkPointFullVar(A)) + { + return null; + } + + PointAffine pA = new PointAffine(); + if (!decodePointVar(A, false, pA)) + { + return null; + } + + return exportPoint(pA); } public static boolean verify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff, int mLen) @@ -1562,13 +1430,29 @@ public static boolean verify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[ return implVerify(sig, sigOff, pk, pkOff, ctx, phflag, m, mOff, mLen); } + public static boolean verify(byte[] sig, int sigOff, PublicPoint publicPoint, byte[] ctx, byte[] m, int mOff, + int mLen) + { + byte phflag = 0x00; + + return implVerify(sig, sigOff, publicPoint, ctx, phflag, m, mOff, mLen); + } + public static boolean verifyPrehash(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] ctx, byte[] ph, int phOff) { byte phflag = 0x01; return implVerify(sig, sigOff, pk, pkOff, ctx, phflag, ph, phOff, PREHASH_SIZE); } + public static boolean verifyPrehash(byte[] sig, int sigOff, PublicPoint publicPoint, byte[] ctx, byte[] ph, + int phOff) + { + byte phflag = 0x01; + + return implVerify(sig, sigOff, publicPoint, ctx, phflag, ph, phOff, PREHASH_SIZE); + } + public static boolean verifyPrehash(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] ctx, Xof ph) { byte[] m = new byte[PREHASH_SIZE]; @@ -1581,4 +1465,17 @@ public static boolean verifyPrehash(byte[] sig, int sigOff, byte[] pk, int pkOff return implVerify(sig, sigOff, pk, pkOff, ctx, phflag, m, 0, m.length); } + + public static boolean verifyPrehash(byte[] sig, int sigOff, PublicPoint publicPoint, byte[] ctx, Xof ph) + { + byte[] m = new byte[PREHASH_SIZE]; + if (PREHASH_SIZE != ph.doFinal(m, 0, PREHASH_SIZE)) + { + throw new IllegalArgumentException("ph"); + } + + byte phflag = 0x01; + + return implVerify(sig, sigOff, publicPoint, ctx, phflag, m, 0, m.length); + } }
core/src/main/java/org/bouncycastle/math/ec/rfc8032/Scalar25519.java+260 −0 added@@ -0,0 +1,260 @@ +package org.bouncycastle.math.ec.rfc8032; + +import org.bouncycastle.math.raw.Nat; +import org.bouncycastle.math.raw.Nat256; + +abstract class Scalar25519 +{ + static final int SIZE = 8; + + private static final long M08L = 0x000000FFL; + private static final long M28L = 0x0FFFFFFFL; + private static final long M32L = 0xFFFFFFFFL; + + private static final int TARGET_LENGTH = 254; + + private static final int[] L = new int[]{ 0x5CF5D3ED, 0x5812631A, 0xA2F79CD6, 0x14DEF9DE, 0x00000000, 0x00000000, + 0x00000000, 0x10000000 }; + private static final int[] LSq = new int[]{ 0xAB128969, 0xE2EDF685, 0x2298A31D, 0x68039276, 0xD217F5BE, 0x3DCEEC73, + 0x1B7C309A, 0xA1B39941, 0x4B9EBA7D, 0xCB024C63, 0xD45EF39A, 0x029BDF3B, 0x00000000, 0x00000000, 0x00000000, + 0x01000000 }; + + private static final int L0 = -0x030A2C13; // L0:26/-- + private static final int L1 = 0x012631A6; // L1:24/22 + private static final int L2 = 0x079CD658; // L2:27/-- + private static final int L3 = -0x006215D1; // L3:23/-- + private static final int L4 = 0x000014DF; // L4:12/11 + + static boolean checkVar(byte[] s, int[] n) + { + decode(s, n); + return !Nat256.gte(n, L); + } + + static void decode(byte[] k, int[] n) + { + Codec.decode32(k, 0, n, 0, SIZE); + } + + static void getOrderWnafVar(int width, byte[] ws) + { + Wnaf.getSignedVar(L, width, ws); + } + + static void multiply128Var(int[] x, int[] y128, int[] z) + { + int[] tt = new int[12]; + Nat256.mul128(x, y128, tt); + + if ((int)y128[3] < 0) + { + Nat256.addTo(L, 0, tt, 4, 0); + Nat256.subFrom(x, 0, tt, 4, 0); + } + + byte[] bytes = new byte[64]; + Codec.encode32(tt, 0, 12, bytes, 0); + + byte[] r = reduce(bytes); + decode(r, z); + } + + static byte[] reduce(byte[] n) + { + long x00 = Codec.decode32(n, 0) & M32L; // x00:32/-- + long x01 = (Codec.decode24(n, 4) << 4) & M32L; // x01:28/-- + long x02 = Codec.decode32(n, 7) & M32L; // x02:32/-- + long x03 = (Codec.decode24(n, 11) << 4) & M32L; // x03:28/-- + long x04 = Codec.decode32(n, 14) & M32L; // x04:32/-- + long x05 = (Codec.decode24(n, 18) << 4) & M32L; // x05:28/-- + long x06 = Codec.decode32(n, 21) & M32L; // x06:32/-- + long x07 = (Codec.decode24(n, 25) << 4) & M32L; // x07:28/-- + long x08 = Codec.decode32(n, 28) & M32L; // x08:32/-- + long x09 = (Codec.decode24(n, 32) << 4) & M32L; // x09:28/-- + long x10 = Codec.decode32(n, 35) & M32L; // x10:32/-- + long x11 = (Codec.decode24(n, 39) << 4) & M32L; // x11:28/-- + long x12 = Codec.decode32(n, 42) & M32L; // x12:32/-- + long x13 = (Codec.decode24(n, 46) << 4) & M32L; // x13:28/-- + long x14 = Codec.decode32(n, 49) & M32L; // x14:32/-- + long x15 = (Codec.decode24(n, 53) << 4) & M32L; // x15:28/-- + long x16 = Codec.decode32(n, 56) & M32L; // x16:32/-- + long x17 = (Codec.decode24(n, 60) << 4) & M32L; // x17:28/-- + long x18 = n[63] & M08L; // x18:08/-- + long t; + +// x18 += (x17 >> 28); x17 &= M28L; + x09 -= x18 * L0; // x09:34/28 + x10 -= x18 * L1; // x10:33/30 + x11 -= x18 * L2; // x11:35/28 + x12 -= x18 * L3; // x12:32/31 + x13 -= x18 * L4; // x13:28/21 + + x17 += (x16 >> 28); x16 &= M28L; // x17:28/--, x16:28/-- + x08 -= x17 * L0; // x08:54/32 + x09 -= x17 * L1; // x09:52/51 + x10 -= x17 * L2; // x10:55/34 + x11 -= x17 * L3; // x11:51/36 + x12 -= x17 * L4; // x12:41/-- + +// x16 += (x15 >> 28); x15 &= M28L; + x07 -= x16 * L0; // x07:54/28 + x08 -= x16 * L1; // x08:54/53 + x09 -= x16 * L2; // x09:55/53 + x10 -= x16 * L3; // x10:55/52 + x11 -= x16 * L4; // x11:51/41 + + x15 += (x14 >> 28); x14 &= M28L; // x15:28/--, x14:28/-- + x06 -= x15 * L0; // x06:54/32 + x07 -= x15 * L1; // x07:54/53 + x08 -= x15 * L2; // x08:56/-- + x09 -= x15 * L3; // x09:55/54 + x10 -= x15 * L4; // x10:55/53 + +// x14 += (x13 >> 28); x13 &= M28L; + x05 -= x14 * L0; // x05:54/28 + x06 -= x14 * L1; // x06:54/53 + x07 -= x14 * L2; // x07:56/-- + x08 -= x14 * L3; // x08:56/51 + x09 -= x14 * L4; // x09:56/-- + + x13 += (x12 >> 28); x12 &= M28L; // x13:28/22, x12:28/-- + x04 -= x13 * L0; // x04:54/49 + x05 -= x13 * L1; // x05:54/53 + x06 -= x13 * L2; // x06:56/-- + x07 -= x13 * L3; // x07:56/52 + x08 -= x13 * L4; // x08:56/52 + + x12 += (x11 >> 28); x11 &= M28L; // x12:28/24, x11:28/-- + x03 -= x12 * L0; // x03:54/49 + x04 -= x12 * L1; // x04:54/51 + x05 -= x12 * L2; // x05:56/-- + x06 -= x12 * L3; // x06:56/52 + x07 -= x12 * L4; // x07:56/53 + + x11 += (x10 >> 28); x10 &= M28L; // x11:29/--, x10:28/-- + x02 -= x11 * L0; // x02:55/32 + x03 -= x11 * L1; // x03:55/-- + x04 -= x11 * L2; // x04:56/55 + x05 -= x11 * L3; // x05:56/52 + x06 -= x11 * L4; // x06:56/53 + + x10 += (x09 >> 28); x09 &= M28L; // x10:29/--, x09:28/-- + x01 -= x10 * L0; // x01:55/28 + x02 -= x10 * L1; // x02:55/54 + x03 -= x10 * L2; // x03:56/55 + x04 -= x10 * L3; // x04:57/-- + x05 -= x10 * L4; // x05:56/53 + + x08 += (x07 >> 28); x07 &= M28L; // x08:56/53, x07:28/-- + x09 += (x08 >> 28); x08 &= M28L; // x09:29/25, x08:28/-- + + t = x08 >>> 27; + x09 += t; // x09:29/26 + + x00 -= x09 * L0; // x00:55/53 + x01 -= x09 * L1; // x01:55/54 + x02 -= x09 * L2; // x02:57/-- + x03 -= x09 * L3; // x03:57/-- + x04 -= x09 * L4; // x04:57/42 + + x01 += (x00 >> 28); x00 &= M28L; + x02 += (x01 >> 28); x01 &= M28L; + x03 += (x02 >> 28); x02 &= M28L; + x04 += (x03 >> 28); x03 &= M28L; + x05 += (x04 >> 28); x04 &= M28L; + x06 += (x05 >> 28); x05 &= M28L; + x07 += (x06 >> 28); x06 &= M28L; + x08 += (x07 >> 28); x07 &= M28L; + x09 = (x08 >> 28); x08 &= M28L; + + x09 -= t; + +// assert x09 == 0L || x09 == -1L; + + x00 += x09 & L0; + x01 += x09 & L1; + x02 += x09 & L2; + x03 += x09 & L3; + x04 += x09 & L4; + + x01 += (x00 >> 28); x00 &= M28L; + x02 += (x01 >> 28); x01 &= M28L; + x03 += (x02 >> 28); x02 &= M28L; + x04 += (x03 >> 28); x03 &= M28L; + x05 += (x04 >> 28); x04 &= M28L; + x06 += (x05 >> 28); x05 &= M28L; + x07 += (x06 >> 28); x06 &= M28L; + x08 += (x07 >> 28); x07 &= M28L; + + byte[] r = new byte[64]; + Codec.encode56(x00 | (x01 << 28), r, 0); + Codec.encode56(x02 | (x03 << 28), r, 7); + Codec.encode56(x04 | (x05 << 28), r, 14); + Codec.encode56(x06 | (x07 << 28), r, 21); + Codec.encode32((int)x08, r, 28); + return r; + } + + static void reduceBasisVar(int[] k, int[] z0, int[] z1) + { + /* + * Split scalar k into two half-size scalars z0 and z1, such that z1 * k == z0 mod L. + * + * See https://ia.cr/2020/454 (Pornin). + */ + + int[] Nu = new int[16]; System.arraycopy(LSq, 0, Nu, 0, 16); + int[] Nv = new int[16]; Nat256.square(k, Nv); ++Nv[0]; + int[] p = new int[16]; Nat256.mul(L, k, p); + int[] u0 = new int[4]; System.arraycopy(L, 0, u0, 0, 4); + int[] u1 = new int[4]; + int[] v0 = new int[4]; System.arraycopy(k, 0, v0, 0, 4); + int[] v1 = new int[4]; v1[0] = 1; + + int last = 15; + int len_Nv = ScalarUtil.getBitLengthPositive(last, Nv); + + while (len_Nv > TARGET_LENGTH) + { + int len_p = ScalarUtil.getBitLength(last, p); + int s = len_p - len_Nv; + s &= ~(s >> 31); + + if (p[last] < 0) + { + ScalarUtil.addShifted_NP(last, s, Nu, Nv, p); + ScalarUtil.addShifted_UV(3, s, u0, u1, v0, v1); + } + else + { + ScalarUtil.subShifted_NP(last, s, Nu, Nv, p); + ScalarUtil.subShifted_UV(3, s, u0, u1, v0, v1); + } + + if (ScalarUtil.lessThan(last, Nu, Nv)) + { + int[] t0 = u0; u0 = v0; v0 = t0; + int[] t1 = u1; u1 = v1; v1 = t1; + int[] tN = Nu; Nu = Nv; Nv = tN; + + last = len_Nv >>> 5; + len_Nv = ScalarUtil.getBitLengthPositive(last, Nv); + } + } + + // v1 * k == v0 mod L + System.arraycopy(v0, 0, z0, 0, 4); + System.arraycopy(v1, 0, z1, 0, 4); + } + + static void toSignedDigits(int bits, int[] x, int[] z) + { +// assert bits == 256; +// assert z.length >= SIZE; + +// int c1 = + Nat.cadd(SIZE, ~x[0] & 1, x, L, z); //assert c1 == 0; +// int c2 = + Nat.shiftDownBit(SIZE, z, 1); //assert c2 == (1 << 31); + } +}
core/src/main/java/org/bouncycastle/math/ec/rfc8032/Scalar448.java+429 −0 added@@ -0,0 +1,429 @@ +package org.bouncycastle.math.ec.rfc8032; + +import org.bouncycastle.math.raw.Nat; +import org.bouncycastle.math.raw.Nat448; + +abstract class Scalar448 +{ + static final int SIZE = 14; + + private static final int SCALAR_BYTES = SIZE * 4 + 1; + + private static final long M26L = 0x03FFFFFFL; + private static final long M28L = 0x0FFFFFFFL; + private static final long M32L = 0xFFFFFFFFL; + + private static final int TARGET_LENGTH = 447; + + private static final int[] L = new int[]{ 0xAB5844F3, 0x2378C292, 0x8DC58F55, 0x216CC272, 0xAED63690, 0xC44EDB49, + 0x7CCA23E9, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x3FFFFFFF }; + private static final int[] LSq = new int[]{ 0x1BA1FEA9, 0xC1ADFBB8, 0x49E0A8B2, 0xB91BF537, 0xE764D815, 0x4525492B, + 0xA2B8716D, 0x4AE17CF6, 0xBA3C47C4, 0xF1A9CC14, 0x7E4D070A, 0x92052BCB, 0x9F823B72, 0xC3402A93, 0x55AC2279, + 0x91BC6149, 0x46E2C7AA, 0x10B66139, 0xD76B1B48, 0xE2276DA4, 0xBE6511F4, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, + 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0FFFFFFF }; + + private static final int L_0 = 0x04A7BB0D; // L_0:26/24 + private static final int L_1 = 0x0873D6D5; // L_1:27/23 + private static final int L_2 = 0x0A70AADC; // L_2:27/26 + private static final int L_3 = 0x03D8D723; // L_3:26/-- + private static final int L_4 = 0x096FDE93; // L_4:27/25 + private static final int L_5 = 0x0B65129C; // L_5:27/26 + private static final int L_6 = 0x063BB124; // L_6:27/-- + private static final int L_7 = 0x08335DC1; // L_7:27/22 + + private static final int L4_0 = 0x029EEC34; // L4_0:25/24 + private static final int L4_1 = 0x01CF5B55; // L4_1:25/-- + private static final int L4_2 = 0x09C2AB72; // L4_2:27/25 + private static final int L4_3 = 0x0F635C8E; // L4_3:28/-- + private static final int L4_4 = 0x05BF7A4C; // L4_4:26/25 + private static final int L4_5 = 0x0D944A72; // L4_5:28/-- + private static final int L4_6 = 0x08EEC492; // L4_6:27/24 + private static final int L4_7 = 0x20CD7705; // L4_7:29/24 + + static boolean checkVar(byte[] s, int[] n) + { + if (s[SCALAR_BYTES - 1] != 0x00) + { + return false; + } + + decode(s, n); + return !Nat.gte(SIZE, n, L); + } + + static void decode(byte[] k, int[] n) + { +// assert k[SCALAR_BYTES - 1] == 0x00; + + Codec.decode32(k, 0, n, 0, SIZE); + } + + static void getOrderWnafVar(int width, byte[] ws) + { + Wnaf.getSignedVar(L, width, ws); + } + + static void multiply225Var(int[] x, int[] y225, int[] z) + { +// assert y225[7] >> 31 == y225[7]; + + int[] tt = new int[22]; + Nat.mul(y225, 0, 8, x, 0, SIZE, tt, 0); + + if (y225[7] < 0) + { + Nat.addTo(SIZE, L, 0, tt, 8); + Nat.subFrom(SIZE, x, 0, tt, 8); + } + + byte[] bytes = new byte[114]; + Codec.encode32(tt, 0, 22, bytes, 0); + + byte[] r = reduce(bytes); + decode(r, z); + } + + static byte[] reduce(byte[] n) + { + long x00 = Codec.decode32(n, 0) & M32L; // x00:32/-- + long x01 = (Codec.decode24(n, 4) << 4) & M32L; // x01:28/-- + long x02 = Codec.decode32(n, 7) & M32L; // x02:32/-- + long x03 = (Codec.decode24(n, 11) << 4) & M32L; // x03:28/-- + long x04 = Codec.decode32(n, 14) & M32L; // x04:32/-- + long x05 = (Codec.decode24(n, 18) << 4) & M32L; // x05:28/-- + long x06 = Codec.decode32(n, 21) & M32L; // x06:32/-- + long x07 = (Codec.decode24(n, 25) << 4) & M32L; // x07:28/-- + long x08 = Codec.decode32(n, 28) & M32L; // x08:32/-- + long x09 = (Codec.decode24(n, 32) << 4) & M32L; // x09:28/-- + long x10 = Codec.decode32(n, 35) & M32L; // x10:32/-- + long x11 = (Codec.decode24(n, 39) << 4) & M32L; // x11:28/-- + long x12 = Codec.decode32(n, 42) & M32L; // x12:32/-- + long x13 = (Codec.decode24(n, 46) << 4) & M32L; // x13:28/-- + long x14 = Codec.decode32(n, 49) & M32L; // x14:32/-- + long x15 = (Codec.decode24(n, 53) << 4) & M32L; // x15:28/-- + long x16 = Codec.decode32(n, 56) & M32L; // x16:32/-- + long x17 = (Codec.decode24(n, 60) << 4) & M32L; // x17:28/-- + long x18 = Codec.decode32(n, 63) & M32L; // x18:32/-- + long x19 = (Codec.decode24(n, 67) << 4) & M32L; // x19:28/-- + long x20 = Codec.decode32(n, 70) & M32L; // x20:32/-- + long x21 = (Codec.decode24(n, 74) << 4) & M32L; // x21:28/-- + long x22 = Codec.decode32(n, 77) & M32L; // x22:32/-- + long x23 = (Codec.decode24(n, 81) << 4) & M32L; // x23:28/-- + long x24 = Codec.decode32(n, 84) & M32L; // x24:32/-- + long x25 = (Codec.decode24(n, 88) << 4) & M32L; // x25:28/-- + long x26 = Codec.decode32(n, 91) & M32L; // x26:32/-- + long x27 = (Codec.decode24(n, 95) << 4) & M32L; // x27:28/-- + long x28 = Codec.decode32(n, 98) & M32L; // x28:32/-- + long x29 = (Codec.decode24(n, 102) << 4) & M32L; // x29:28/-- + long x30 = Codec.decode32(n, 105) & M32L; // x30:32/-- + long x31 = (Codec.decode24(n, 109) << 4) & M32L; // x31:28/-- + long x32 = Codec.decode16(n, 112) & M32L; // x32:16/-- + +// x32 += (x31 >>> 28); x31 &= M28L; + x16 += x32 * L4_0; // x16:42/-- + x17 += x32 * L4_1; // x17:41/28 + x18 += x32 * L4_2; // x18:43/42 + x19 += x32 * L4_3; // x19:44/28 + x20 += x32 * L4_4; // x20:43/-- + x21 += x32 * L4_5; // x21:44/28 + x22 += x32 * L4_6; // x22:43/41 + x23 += x32 * L4_7; // x23:45/41 + + x31 += (x30 >>> 28); x30 &= M28L; // x31:28/--, x30:28/-- + x15 += x31 * L4_0; // x15:54/-- + x16 += x31 * L4_1; // x16:53/42 + x17 += x31 * L4_2; // x17:55/54 + x18 += x31 * L4_3; // x18:56/44 + x19 += x31 * L4_4; // x19:55/-- + x20 += x31 * L4_5; // x20:56/43 + x21 += x31 * L4_6; // x21:55/53 + x22 += x31 * L4_7; // x22:57/53 + +// x30 += (x29 >>> 28); x29 &= M28L; + x14 += x30 * L4_0; // x14:54/-- + x15 += x30 * L4_1; // x15:54/53 + x16 += x30 * L4_2; // x16:56/-- + x17 += x30 * L4_3; // x17:57/-- + x18 += x30 * L4_4; // x18:56/55 + x19 += x30 * L4_5; // x19:56/55 + x20 += x30 * L4_6; // x20:57/-- + x21 += x30 * L4_7; // x21:57/56 + + x29 += (x28 >>> 28); x28 &= M28L; // x29:28/--, x28:28/-- + x13 += x29 * L4_0; // x13:54/-- + x14 += x29 * L4_1; // x14:54/53 + x15 += x29 * L4_2; // x15:56/-- + x16 += x29 * L4_3; // x16:57/-- + x17 += x29 * L4_4; // x17:57/55 + x18 += x29 * L4_5; // x18:57/55 + x19 += x29 * L4_6; // x19:57/52 + x20 += x29 * L4_7; // x20:58/52 + +// x28 += (x27 >>> 28); x27 &= M28L; + x12 += x28 * L4_0; // x12:54/-- + x13 += x28 * L4_1; // x13:54/53 + x14 += x28 * L4_2; // x14:56/-- + x15 += x28 * L4_3; // x15:57/-- + x16 += x28 * L4_4; // x16:57/55 + x17 += x28 * L4_5; // x17:58/-- + x18 += x28 * L4_6; // x18:58/-- + x19 += x28 * L4_7; // x19:58/53 + + x27 += (x26 >>> 28); x26 &= M28L; // x27:28/--, x26:28/-- + x11 += x27 * L4_0; // x11:54/-- + x12 += x27 * L4_1; // x12:54/53 + x13 += x27 * L4_2; // x13:56/-- + x14 += x27 * L4_3; // x14:57/-- + x15 += x27 * L4_4; // x15:57/55 + x16 += x27 * L4_5; // x16:58/-- + x17 += x27 * L4_6; // x17:58/56 + x18 += x27 * L4_7; // x18:59/-- + +// x26 += (x25 >>> 28); x25 &= M28L; + x10 += x26 * L4_0; // x10:54/-- + x11 += x26 * L4_1; // x11:54/53 + x12 += x26 * L4_2; // x12:56/-- + x13 += x26 * L4_3; // x13:57/-- + x14 += x26 * L4_4; // x14:57/55 + x15 += x26 * L4_5; // x15:58/-- + x16 += x26 * L4_6; // x16:58/56 + x17 += x26 * L4_7; // x17:59/-- + + x25 += (x24 >>> 28); x24 &= M28L; // x25:28/--, x24:28/-- + x09 += x25 * L4_0; // x09:54/-- + x10 += x25 * L4_1; // x10:54/53 + x11 += x25 * L4_2; // x11:56/-- + x12 += x25 * L4_3; // x12:57/-- + x13 += x25 * L4_4; // x13:57/55 + x14 += x25 * L4_5; // x14:58/-- + x15 += x25 * L4_6; // x15:58/56 + x16 += x25 * L4_7; // x16:59/-- + + x21 += (x20 >>> 28); x20 &= M28L; // x21:58/--, x20:28/-- + x22 += (x21 >>> 28); x21 &= M28L; // x22:57/54, x21:28/-- + x23 += (x22 >>> 28); x22 &= M28L; // x23:45/42, x22:28/-- + x24 += (x23 >>> 28); x23 &= M28L; // x24:28/18, x23:28/-- + + x08 += x24 * L4_0; // x08:54/-- + x09 += x24 * L4_1; // x09:55/-- + x10 += x24 * L4_2; // x10:56/46 + x11 += x24 * L4_3; // x11:57/46 + x12 += x24 * L4_4; // x12:57/55 + x13 += x24 * L4_5; // x13:58/-- + x14 += x24 * L4_6; // x14:58/56 + x15 += x24 * L4_7; // x15:59/-- + + x07 += x23 * L4_0; // x07:54/-- + x08 += x23 * L4_1; // x08:54/53 + x09 += x23 * L4_2; // x09:56/53 + x10 += x23 * L4_3; // x10:57/46 + x11 += x23 * L4_4; // x11:57/55 + x12 += x23 * L4_5; // x12:58/-- + x13 += x23 * L4_6; // x13:58/56 + x14 += x23 * L4_7; // x14:59/-- + + x06 += x22 * L4_0; // x06:54/-- + x07 += x22 * L4_1; // x07:54/53 + x08 += x22 * L4_2; // x08:56/-- + x09 += x22 * L4_3; // x09:57/53 + x10 += x22 * L4_4; // x10:57/55 + x11 += x22 * L4_5; // x11:58/-- + x12 += x22 * L4_6; // x12:58/56 + x13 += x22 * L4_7; // x13:59/-- + + x18 += (x17 >>> 28); x17 &= M28L; // x18:59/31, x17:28/-- + x19 += (x18 >>> 28); x18 &= M28L; // x19:58/54, x18:28/-- + x20 += (x19 >>> 28); x19 &= M28L; // x20:30/29, x19:28/-- + x21 += (x20 >>> 28); x20 &= M28L; // x21:28/03, x20:28/-- + + x05 += x21 * L4_0; // x05:54/-- + x06 += x21 * L4_1; // x06:55/-- + x07 += x21 * L4_2; // x07:56/31 + x08 += x21 * L4_3; // x08:57/31 + x09 += x21 * L4_4; // x09:57/56 + x10 += x21 * L4_5; // x10:58/-- + x11 += x21 * L4_6; // x11:58/56 + x12 += x21 * L4_7; // x12:59/-- + + x04 += x20 * L4_0; // x04:54/-- + x05 += x20 * L4_1; // x05:54/53 + x06 += x20 * L4_2; // x06:56/53 + x07 += x20 * L4_3; // x07:57/31 + x08 += x20 * L4_4; // x08:57/55 + x09 += x20 * L4_5; // x09:58/-- + x10 += x20 * L4_6; // x10:58/56 + x11 += x20 * L4_7; // x11:59/-- + + x03 += x19 * L4_0; // x03:54/-- + x04 += x19 * L4_1; // x04:54/53 + x05 += x19 * L4_2; // x05:56/-- + x06 += x19 * L4_3; // x06:57/53 + x07 += x19 * L4_4; // x07:57/55 + x08 += x19 * L4_5; // x08:58/-- + x09 += x19 * L4_6; // x09:58/56 + x10 += x19 * L4_7; // x10:59/-- + + x15 += (x14 >>> 28); x14 &= M28L; // x15:59/31, x14:28/-- + x16 += (x15 >>> 28); x15 &= M28L; // x16:59/32, x15:28/-- + x17 += (x16 >>> 28); x16 &= M28L; // x17:31/29, x16:28/-- + x18 += (x17 >>> 28); x17 &= M28L; // x18:28/04, x17:28/-- + + x02 += x18 * L4_0; // x02:54/-- + x03 += x18 * L4_1; // x03:55/-- + x04 += x18 * L4_2; // x04:56/32 + x05 += x18 * L4_3; // x05:57/32 + x06 += x18 * L4_4; // x06:57/56 + x07 += x18 * L4_5; // x07:58/-- + x08 += x18 * L4_6; // x08:58/56 + x09 += x18 * L4_7; // x09:59/-- + + x01 += x17 * L4_0; // x01:54/-- + x02 += x17 * L4_1; // x02:54/53 + x03 += x17 * L4_2; // x03:56/53 + x04 += x17 * L4_3; // x04:57/32 + x05 += x17 * L4_4; // x05:57/55 + x06 += x17 * L4_5; // x06:58/-- + x07 += x17 * L4_6; // x07:58/56 + x08 += x17 * L4_7; // x08:59/-- + + x16 *= 4; + x16 += (x15 >>> 26); x15 &= M26L; + x16 += 1; // x16:30/01 + + x00 += x16 * L_0; + x01 += x16 * L_1; + x02 += x16 * L_2; + x03 += x16 * L_3; + x04 += x16 * L_4; + x05 += x16 * L_5; + x06 += x16 * L_6; + x07 += x16 * L_7; + + x01 += (x00 >>> 28); x00 &= M28L; + x02 += (x01 >>> 28); x01 &= M28L; + x03 += (x02 >>> 28); x02 &= M28L; + x04 += (x03 >>> 28); x03 &= M28L; + x05 += (x04 >>> 28); x04 &= M28L; + x06 += (x05 >>> 28); x05 &= M28L; + x07 += (x06 >>> 28); x06 &= M28L; + x08 += (x07 >>> 28); x07 &= M28L; + x09 += (x08 >>> 28); x08 &= M28L; + x10 += (x09 >>> 28); x09 &= M28L; + x11 += (x10 >>> 28); x10 &= M28L; + x12 += (x11 >>> 28); x11 &= M28L; + x13 += (x12 >>> 28); x12 &= M28L; + x14 += (x13 >>> 28); x13 &= M28L; + x15 += (x14 >>> 28); x14 &= M28L; + x16 = (x15 >>> 26); x15 &= M26L; + + x16 -= 1; + +// assert x16 == 0L || x16 == -1L; + + x00 -= x16 & L_0; + x01 -= x16 & L_1; + x02 -= x16 & L_2; + x03 -= x16 & L_3; + x04 -= x16 & L_4; + x05 -= x16 & L_5; + x06 -= x16 & L_6; + x07 -= x16 & L_7; + + x01 += (x00 >> 28); x00 &= M28L; + x02 += (x01 >> 28); x01 &= M28L; + x03 += (x02 >> 28); x02 &= M28L; + x04 += (x03 >> 28); x03 &= M28L; + x05 += (x04 >> 28); x04 &= M28L; + x06 += (x05 >> 28); x05 &= M28L; + x07 += (x06 >> 28); x06 &= M28L; + x08 += (x07 >> 28); x07 &= M28L; + x09 += (x08 >> 28); x08 &= M28L; + x10 += (x09 >> 28); x09 &= M28L; + x11 += (x10 >> 28); x10 &= M28L; + x12 += (x11 >> 28); x11 &= M28L; + x13 += (x12 >> 28); x12 &= M28L; + x14 += (x13 >> 28); x13 &= M28L; + x15 += (x14 >> 28); x14 &= M28L; + +// assert x15 >>> 26 == 0L; + + byte[] r = new byte[SCALAR_BYTES]; + Codec.encode56(x00 | (x01 << 28), r, 0); + Codec.encode56(x02 | (x03 << 28), r, 7); + Codec.encode56(x04 | (x05 << 28), r, 14); + Codec.encode56(x06 | (x07 << 28), r, 21); + Codec.encode56(x08 | (x09 << 28), r, 28); + Codec.encode56(x10 | (x11 << 28), r, 35); + Codec.encode56(x12 | (x13 << 28), r, 42); + Codec.encode56(x14 | (x15 << 28), r, 49); +// r[SCALAR_BYTES - 1] = 0; + return r; + } + + static void reduceBasisVar(int[] k, int[] z0, int[] z1) + { + /* + * Split scalar k into two half-size scalars z0 and z1, such that z1 * k == z0 mod L. + * + * See https://ia.cr/2020/454 (Pornin). + */ + + int[] Nu = new int[28]; System.arraycopy(LSq, 0, Nu, 0, 28); + int[] Nv = new int[28]; Nat448.square(k, Nv); ++Nv[0]; + int[] p = new int[28]; Nat448.mul(L, k, p); + int[] u0 = new int[8]; System.arraycopy(L, 0, u0, 0, 8); + int[] u1 = new int[8]; + int[] v0 = new int[8]; System.arraycopy(k, 0, v0, 0, 8); + int[] v1 = new int[8]; v1[0] = 1; + + int last = 27; + int len_Nv = ScalarUtil.getBitLengthPositive(last, Nv); + + while (len_Nv > TARGET_LENGTH) + { + int len_p = ScalarUtil.getBitLength(last, p); + int s = len_p - len_Nv; + s &= ~(s >> 31); + + if (p[last] < 0) + { + ScalarUtil.addShifted_NP(last, s, Nu, Nv, p); + ScalarUtil.addShifted_UV(7, s, u0, u1, v0, v1); + } + else + { + ScalarUtil.subShifted_NP(last, s, Nu, Nv, p); + ScalarUtil.subShifted_UV(7, s, u0, u1, v0, v1); + } + + if (ScalarUtil.lessThan(last, Nu, Nv)) + { + int[] t0 = u0; u0 = v0; v0 = t0; + int[] t1 = u1; u1 = v1; v1 = t1; + int[] tN = Nu; Nu = Nv; Nv = tN; + + last = len_Nv >>> 5; + len_Nv = ScalarUtil.getBitLengthPositive(last, Nv); + } + } + +// assert v0[7] >> 31 == v0[7]; +// assert v1[7] >> 31 == v1[7]; + + // v1 * k == v0 mod L + System.arraycopy(v0, 0, z0, 0, 8); + System.arraycopy(v1, 0, z1, 0, 8); + } + + static void toSignedDigits(int bits, int[] x, int[] z) + { +// assert 448 < bits && bits < 480; +// assert z.length > SIZE; + + z[SIZE] = (1 << (bits - 448)) + + Nat.cadd(SIZE, ~x[0] & 1, x, L, z); +// int c = + Nat.shiftDownBit(SIZE + 1, z, 0); +// assert c == (1 << 31); + } +}
core/src/main/java/org/bouncycastle/math/ec/rfc8032/ScalarUtil.java+241 −0 added@@ -0,0 +1,241 @@ +package org.bouncycastle.math.ec.rfc8032; + +import org.bouncycastle.util.Integers; + +abstract class ScalarUtil +{ + private static final long M = 0xFFFFFFFFL; + + static void addShifted_NP(int last, int s, int[] Nu, int[] Nv, int[] _p) + { + int sWords = s >>> 5, sBits = s & 31; + + long cc__p = 0L; + long cc_Nu = 0L; + + if (sBits == 0) + { + for (int i = sWords; i <= last; ++i) + { + cc_Nu += Nu[i] & M; + cc_Nu += _p[i - sWords] & M; + + cc__p += _p[i] & M; + cc__p += Nv[i - sWords] & M; + _p[i] = (int)cc__p; cc__p >>>= 32; + + cc_Nu += _p[i - sWords] & M; + Nu[i] = (int)cc_Nu; cc_Nu >>>= 32; + } + } + else + { + int prev_p = 0; + int prev_q = 0; + int prev_v = 0; + + for (int i = sWords; i <= last; ++i) + { + int next_p = _p[i - sWords]; + int p_s = (next_p << sBits) | (prev_p >>> -sBits); + prev_p = next_p; + + cc_Nu += Nu[i] & M; + cc_Nu += p_s & M; + + int next_v = Nv[i - sWords]; + int v_s = (next_v << sBits) | (prev_v >>> -sBits); + prev_v = next_v; + + cc__p += _p[i] & M; + cc__p += v_s & M; + _p[i] = (int)cc__p; cc__p >>>= 32; + + int next_q = _p[i - sWords]; + int q_s = (next_q << sBits) | (prev_q >>> -sBits); + prev_q = next_q; + + cc_Nu += q_s & M; + Nu[i] = (int)cc_Nu; cc_Nu >>>= 32; + } + } + } + + static void addShifted_UV(int last, int s, int[] u0, int[] u1, int[] v0, int[] v1) + { + int sWords = s >>> 5, sBits = s & 31; + + long cc_u0 = 0L; + long cc_u1 = 0L; + + if (sBits == 0) + { + for (int i = sWords; i <= last; ++i) + { + cc_u0 += u0[i] & M; + cc_u1 += u1[i] & M; + cc_u0 += v0[i - sWords] & M; + cc_u1 += v1[i - sWords] & M; + u0[i] = (int)cc_u0; cc_u0 >>>= 32; + u1[i] = (int)cc_u1; cc_u1 >>>= 32; + } + } + else + { + int prev_v0 = 0; + int prev_v1 = 0; + + for (int i = sWords; i <= last; ++i) + { + int next_v0 = v0[i - sWords]; + int next_v1 = v1[i - sWords]; + int v0_s = (next_v0 << sBits) | (prev_v0 >>> -sBits); + int v1_s = (next_v1 << sBits) | (prev_v1 >>> -sBits); + prev_v0 = next_v0; + prev_v1 = next_v1; + + cc_u0 += u0[i] & M; + cc_u1 += u1[i] & M; + cc_u0 += v0_s & M; + cc_u1 += v1_s & M; + u0[i] = (int)cc_u0; cc_u0 >>>= 32; + u1[i] = (int)cc_u1; cc_u1 >>>= 32; + } + } + } + + static int getBitLength(int last, int[] x) + { + int i = last; + int sign = x[i] >> 31; + while (i > 0 && x[i] == sign) + { + --i; + } + return i * 32 + 32 - Integers.numberOfLeadingZeros(x[i] ^ sign); + } + + static int getBitLengthPositive(int last, int[] x) + { + int i = last; + while (i > 0 && x[i] == 0) + { + --i; + } + return i * 32 + 32 - Integers.numberOfLeadingZeros(x[i]); + } + + static boolean lessThan(int last, int[] x, int[] y) + { + int i = last; + do + { + int x_i = x[i] + Integer.MIN_VALUE; + int y_i = y[i] + Integer.MIN_VALUE; + if (x_i < y_i) + return true; + if (x_i > y_i) + return false; + } + while (--i >= 0); + return false; + } + + static void subShifted_NP(int last, int s, int[] Nu, int[] Nv, int[] _p) + { + int sWords = s >>> 5, sBits = s & 31; + + long cc__p = 0L; + long cc_Nu = 0L; + + if (sBits == 0) + { + for (int i = sWords; i <= last; ++i) + { + cc_Nu += Nu[i] & M; + cc_Nu -= _p[i - sWords] & M; + + cc__p += _p[i] & M; + cc__p -= Nv[i - sWords] & M; + _p[i] = (int)cc__p; cc__p >>= 32; + + cc_Nu -= _p[i - sWords] & M; + Nu[i] = (int)cc_Nu; cc_Nu >>= 32; + } + } + else + { + int prev_p = 0; + int prev_q = 0; + int prev_v = 0; + + for (int i = sWords; i <= last; ++i) + { + int next_p = _p[i - sWords]; + int p_s = (next_p << sBits) | (prev_p >>> -sBits); + prev_p = next_p; + + cc_Nu += Nu[i] & M; + cc_Nu -= p_s & M; + + int next_v = Nv[i - sWords]; + int v_s = (next_v << sBits) | (prev_v >>> -sBits); + prev_v = next_v; + + cc__p += _p[i] & M; + cc__p -= v_s & M; + _p[i] = (int)cc__p; cc__p >>= 32; + + int next_q = _p[i - sWords]; + int q_s = (next_q << sBits) | (prev_q >>> -sBits); + prev_q = next_q; + + cc_Nu -= q_s & M; + Nu[i] = (int)cc_Nu; cc_Nu >>= 32; + } + } + } + + static void subShifted_UV(int last, int s, int[] u0, int[] u1, int[] v0, int[] v1) + { + int sWords = s >>> 5, sBits = s & 31; + + long cc_u0 = 0L; + long cc_u1 = 0L; + + if (sBits == 0) + { + for (int i = sWords; i <= last; ++i) + { + cc_u0 += u0[i] & M; + cc_u1 += u1[i] & M; + cc_u0 -= v0[i - sWords] & M; + cc_u1 -= v1[i - sWords] & M; + u0[i] = (int)cc_u0; cc_u0 >>= 32; + u1[i] = (int)cc_u1; cc_u1 >>= 32; + } + } + else + { + int prev_v0 = 0; + int prev_v1 = 0; + + for (int i = sWords; i <= last; ++i) + { + int next_v0 = v0[i - sWords]; + int next_v1 = v1[i - sWords]; + int v0_s = (next_v0 << sBits) | (prev_v0 >>> -sBits); + int v1_s = (next_v1 << sBits) | (prev_v1 >>> -sBits); + prev_v0 = next_v0; + prev_v1 = next_v1; + + cc_u0 += u0[i] & M; + cc_u1 += u1[i] & M; + cc_u0 -= v0_s & M; + cc_u1 -= v1_s & M; + u0[i] = (int)cc_u0; cc_u0 >>= 32; + u1[i] = (int)cc_u1; cc_u1 >>= 32; + } + } + } +}
core/src/main/java/org/bouncycastle/math/ec/rfc8032/Wnaf.java+49 −0 added@@ -0,0 +1,49 @@ +package org.bouncycastle.math.ec.rfc8032; + +abstract class Wnaf +{ + static void getSignedVar(int[] n, int width, byte[] ws) + { +// assert 2 <= width && width <= 8; + + int[] t = new int[n.length * 2]; + { + int c = n[n.length - 1] >> 31, i = n.length, tPos = t.length; + while (--i >= 0) + { + int next = n[i]; + t[--tPos] = (next >>> 16) | (c << 16); + t[--tPos] = c = next; + } + } + + final int lead = 32 - width; + + int j = 0, carry = 0; + for (int i = 0; i < t.length; ++i, j -= 16) + { + int word = t[i]; + while (j < 16) + { + int word16 = word >>> j; + + // TODO Consider trailing-zeros approach from bc-csharp + int bit = word16 & 1; + if (bit == carry) + { + ++j; + continue; + } + + int digit = (word16 | 1) << lead; + carry = digit >>> 31; + + ws[(i << 4) + j] = (byte)(digit >> lead); + + j += width; + } + } + +// assert carry == n[n.length - 1] >>> 31; + } +}
core/src/main/java/org/bouncycastle/math/raw/Nat224.java+27 −0 modified@@ -143,6 +143,33 @@ public static int addTo(int[] x, int[] z) return (int)c; } + public static int addTo(int[] x, int[] z, int cIn) + { + long c = cIn & M; + c += (x[0] & M) + (z[0] & M); + z[0] = (int)c; + c >>>= 32; + c += (x[1] & M) + (z[1] & M); + z[1] = (int)c; + c >>>= 32; + c += (x[2] & M) + (z[2] & M); + z[2] = (int)c; + c >>>= 32; + c += (x[3] & M) + (z[3] & M); + z[3] = (int)c; + c >>>= 32; + c += (x[4] & M) + (z[4] & M); + z[4] = (int)c; + c >>>= 32; + c += (x[5] & M) + (z[5] & M); + z[5] = (int)c; + c >>>= 32; + c += (x[6] & M) + (z[6] & M); + z[6] = (int)c; + c >>>= 32; + return (int)c; + } + public static int addTo(int[] x, int xOff, int[] z, int zOff, int cIn) { long c = cIn & M;
core/src/main/java/org/bouncycastle/math/raw/Nat256.java+161 −0 modified@@ -158,6 +158,36 @@ public static int addTo(int[] x, int[] z) return (int)c; } + public static int addTo(int[] x, int[] z, int cIn) + { + long c = cIn & M; + c += (x[0] & M) + (z[0] & M); + z[0] = (int)c; + c >>>= 32; + c += (x[1] & M) + (z[1] & M); + z[1] = (int)c; + c >>>= 32; + c += (x[2] & M) + (z[2] & M); + z[2] = (int)c; + c >>>= 32; + c += (x[3] & M) + (z[3] & M); + z[3] = (int)c; + c >>>= 32; + c += (x[4] & M) + (z[4] & M); + z[4] = (int)c; + c >>>= 32; + c += (x[5] & M) + (z[5] & M); + z[5] = (int)c; + c >>>= 32; + c += (x[6] & M) + (z[6] & M); + z[6] = (int)c; + c >>>= 32; + c += (x[7] & M) + (z[7] & M); + z[7] = (int)c; + c >>>= 32; + return (int)c; + } + public static int addTo(int[] x, int xOff, int[] z, int zOff, int cIn) { long c = cIn & M; @@ -602,6 +632,77 @@ public static void mul(int[] x, int xOff, int[] y, int yOff, int[] zz, int zzOff } } + public static void mul128(int[] x, int[] y128, int[] zz) + { + long x_0 = x[0] & M; + long x_1 = x[1] & M; + long x_2 = x[2] & M; + long x_3 = x[3] & M; + long x_4 = x[4] & M; + long x_5 = x[5] & M; + long x_6 = x[6] & M; + long x_7 = x[7] & M; + + { + long c = 0, y_0 = y128[0] & M; + c += y_0 * x_0; + zz[0] = (int)c; + c >>>= 32; + c += y_0 * x_1; + zz[1] = (int)c; + c >>>= 32; + c += y_0 * x_2; + zz[2] = (int)c; + c >>>= 32; + c += y_0 * x_3; + zz[3] = (int)c; + c >>>= 32; + c += y_0 * x_4; + zz[4] = (int)c; + c >>>= 32; + c += y_0 * x_5; + zz[5] = (int)c; + c >>>= 32; + c += y_0 * x_6; + zz[6] = (int)c; + c >>>= 32; + c += y_0 * x_7; + zz[7] = (int)c; + c >>>= 32; + zz[8] = (int)c; + } + + for (int i = 1; i < 4; ++i) + { + long c = 0, y_i = y128[i] & M; + c += y_i * x_0 + (zz[i + 0] & M); + zz[i + 0] = (int)c; + c >>>= 32; + c += y_i * x_1 + (zz[i + 1] & M); + zz[i + 1] = (int)c; + c >>>= 32; + c += y_i * x_2 + (zz[i + 2] & M); + zz[i + 2] = (int)c; + c >>>= 32; + c += y_i * x_3 + (zz[i + 3] & M); + zz[i + 3] = (int)c; + c >>>= 32; + c += y_i * x_4 + (zz[i + 4] & M); + zz[i + 4] = (int)c; + c >>>= 32; + c += y_i * x_5 + (zz[i + 5] & M); + zz[i + 5] = (int)c; + c >>>= 32; + c += y_i * x_6 + (zz[i + 6] & M); + zz[i + 6] = (int)c; + c >>>= 32; + c += y_i * x_7 + (zz[i + 7] & M); + zz[i + 7] = (int)c; + c >>>= 32; + zz[i + 8] = (int)c; + } + } + public static int mulAddTo(int[] x, int[] y, int[] zz) { long y_0 = y[0] & M; @@ -1347,6 +1448,36 @@ public static int subFrom(int[] x, int[] z) return (int)c; } + public static int subFrom(int[] x, int[] z, int cIn) + { + long c = cIn & M; + c += (z[0] & M) - (x[0] & M); + z[0] = (int)c; + c >>= 32; + c += (z[1] & M) - (x[1] & M); + z[1] = (int)c; + c >>= 32; + c += (z[2] & M) - (x[2] & M); + z[2] = (int)c; + c >>= 32; + c += (z[3] & M) - (x[3] & M); + z[3] = (int)c; + c >>= 32; + c += (z[4] & M) - (x[4] & M); + z[4] = (int)c; + c >>= 32; + c += (z[5] & M) - (x[5] & M); + z[5] = (int)c; + c >>= 32; + c += (z[6] & M) - (x[6] & M); + z[6] = (int)c; + c >>= 32; + c += (z[7] & M) - (x[7] & M); + z[7] = (int)c; + c >>= 32; + return (int)c; + } + public static int subFrom(int[] x, int xOff, int[] z, int zOff) { long c = 0; @@ -1377,6 +1508,36 @@ public static int subFrom(int[] x, int xOff, int[] z, int zOff) return (int)c; } + public static int subFrom(int[] x, int xOff, int[] z, int zOff, int cIn) + { + long c = cIn & M; + c += (z[zOff + 0] & M) - (x[xOff + 0] & M); + z[zOff + 0] = (int)c; + c >>= 32; + c += (z[zOff + 1] & M) - (x[xOff + 1] & M); + z[zOff + 1] = (int)c; + c >>= 32; + c += (z[zOff + 2] & M) - (x[xOff + 2] & M); + z[zOff + 2] = (int)c; + c >>= 32; + c += (z[zOff + 3] & M) - (x[xOff + 3] & M); + z[zOff + 3] = (int)c; + c >>= 32; + c += (z[zOff + 4] & M) - (x[xOff + 4] & M); + z[zOff + 4] = (int)c; + c >>= 32; + c += (z[zOff + 5] & M) - (x[xOff + 5] & M); + z[zOff + 5] = (int)c; + c >>= 32; + c += (z[zOff + 6] & M) - (x[xOff + 6] & M); + z[zOff + 6] = (int)c; + c >>= 32; + c += (z[zOff + 7] & M) - (x[xOff + 7] & M); + z[zOff + 7] = (int)c; + c >>= 32; + return (int)c; + } + public static BigInteger toBigInteger(int[] x) { byte[] bs = new byte[32];
core/src/test/java/org/bouncycastle/math/ec/rfc8032/test/Ed25519Test.java+121 −38 modified@@ -2,20 +2,19 @@ import java.security.SecureRandom; -import junit.framework.TestCase; import org.bouncycastle.crypto.Digest; import org.bouncycastle.math.ec.rfc8032.Ed25519; import org.bouncycastle.util.Arrays; import org.bouncycastle.util.Strings; import org.bouncycastle.util.encoders.Hex; +import junit.framework.TestCase; + public class Ed25519Test extends TestCase { private static final SecureRandom RANDOM = new SecureRandom(); - private static final byte[] NEUTRAL = Hex.decodeStrict("0100000000000000000000000000000000000000000000000000000000000000"); - // @BeforeClass // public static void init() public void setUp() @@ -28,6 +27,7 @@ public void testEd25519Consistency() { byte[] sk = new byte[Ed25519.SECRET_KEY_SIZE]; byte[] pk = new byte[Ed25519.PUBLIC_KEY_SIZE]; + byte[] pk2 = new byte[Ed25519.PUBLIC_KEY_SIZE]; byte[] m = new byte[255]; byte[] sig1 = new byte[Ed25519.SIGNATURE_SIZE]; byte[] sig2 = new byte[Ed25519.SIGNATURE_SIZE]; @@ -37,7 +37,14 @@ public void testEd25519Consistency() for (int i = 0; i < 10; ++i) { RANDOM.nextBytes(sk); - Ed25519.generatePublicKey(sk, 0, pk, 0); + Ed25519.PublicPoint publicPoint = Ed25519.generatePublicKey(sk, 0); + Ed25519.encodePublicPoint(publicPoint, pk, 0); + + { + Ed25519.generatePublicKey(sk, 0, pk2, 0); + + assertTrue("Ed25519 consistent generation #" + i, Arrays.areEqual(pk, pk2)); + } int mLen = RANDOM.nextInt() & 255; @@ -46,14 +53,29 @@ public void testEd25519Consistency() assertTrue("Ed25519 consistent signatures #" + i, Arrays.areEqual(sig1, sig2)); - boolean shouldVerify = Ed25519.verify(sig1, 0, pk, 0, m, 0, mLen); + { + boolean shouldVerify = Ed25519.verify(sig1, 0, pk, 0, m, 0, mLen); - assertTrue("Ed25519 consistent sign/verify #" + i, shouldVerify); + assertTrue("Ed25519 consistent sign/verify #" + i, shouldVerify); + } + { + boolean shouldVerify = Ed25519.verify(sig1, 0, publicPoint, m, 0, mLen); + + assertTrue("Ed25519 consistent sign/verify #" + i, shouldVerify); + } sig1[Ed25519.PUBLIC_KEY_SIZE - 1] ^= 0x80; - boolean shouldNotVerify = Ed25519.verify(sig1, 0, pk, 0, m, 0, mLen); - assertFalse("Ed25519 consistent verification failure #" + i, shouldNotVerify); + { + boolean shouldNotVerify = Ed25519.verify(sig1, 0, pk, 0, m, 0, mLen); + + assertFalse("Ed25519 consistent verification failure #" + i, shouldNotVerify); + } + { + boolean shouldNotVerify = Ed25519.verify(sig1, 0, publicPoint, m, 0, mLen); + + assertFalse("Ed25519 consistent verification failure #" + i, shouldNotVerify); + } } } @@ -62,6 +84,7 @@ public void testEd25519ctxConsistency() { byte[] sk = new byte[Ed25519.SECRET_KEY_SIZE]; byte[] pk = new byte[Ed25519.PUBLIC_KEY_SIZE]; + byte[] pk2 = new byte[Ed25519.PUBLIC_KEY_SIZE]; byte[] ctx = new byte[RANDOM.nextInt() & 7]; byte[] m = new byte[255]; byte[] sig1 = new byte[Ed25519.SIGNATURE_SIZE]; @@ -73,7 +96,14 @@ public void testEd25519ctxConsistency() for (int i = 0; i < 10; ++i) { RANDOM.nextBytes(sk); - Ed25519.generatePublicKey(sk, 0, pk, 0); + Ed25519.PublicPoint publicPoint = Ed25519.generatePublicKey(sk, 0); + Ed25519.encodePublicPoint(publicPoint, pk, 0); + + { + Ed25519.generatePublicKey(sk, 0, pk2, 0); + + assertTrue("Ed25519 consistent generation #" + i, Arrays.areEqual(pk, pk2)); + } int mLen = RANDOM.nextInt() & 255; @@ -82,14 +112,29 @@ public void testEd25519ctxConsistency() assertTrue("Ed25519ctx consistent signatures #" + i, Arrays.areEqual(sig1, sig2)); - boolean shouldVerify = Ed25519.verify(sig1, 0, pk, 0, ctx, m, 0, mLen); + { + boolean shouldVerify = Ed25519.verify(sig1, 0, pk, 0, ctx, m, 0, mLen); + + assertTrue("Ed25519ctx consistent sign/verify #" + i, shouldVerify); + } + { + boolean shouldVerify = Ed25519.verify(sig1, 0, publicPoint, ctx, m, 0, mLen); - assertTrue("Ed25519ctx consistent sign/verify #" + i, shouldVerify); + assertTrue("Ed25519ctx consistent sign/verify #" + i, shouldVerify); + } sig1[Ed25519.PUBLIC_KEY_SIZE - 1] ^= 0x80; - boolean shouldNotVerify = Ed25519.verify(sig1, 0, pk, 0, ctx, m, 0, mLen); - assertFalse("Ed25519ctx consistent verification failure #" + i, shouldNotVerify); + { + boolean shouldNotVerify = Ed25519.verify(sig1, 0, pk, 0, ctx, m, 0, mLen); + + assertFalse("Ed25519ctx consistent verification failure #" + i, shouldNotVerify); + } + { + boolean shouldNotVerify = Ed25519.verify(sig1, 0, publicPoint, ctx, m, 0, mLen); + + assertFalse("Ed25519ctx consistent verification failure #" + i, shouldNotVerify); + } } } @@ -98,6 +143,7 @@ public void testEd25519phConsistency() { byte[] sk = new byte[Ed25519.SECRET_KEY_SIZE]; byte[] pk = new byte[Ed25519.PUBLIC_KEY_SIZE]; + byte[] pk2 = new byte[Ed25519.PUBLIC_KEY_SIZE]; byte[] ctx = new byte[RANDOM.nextInt() & 7]; byte[] m = new byte[255]; byte[] ph = new byte[Ed25519.PREHASH_SIZE]; @@ -110,7 +156,14 @@ public void testEd25519phConsistency() for (int i = 0; i < 10; ++i) { RANDOM.nextBytes(sk); - Ed25519.generatePublicKey(sk, 0, pk, 0); + Ed25519.PublicPoint publicPoint = Ed25519.generatePublicKey(sk, 0); + Ed25519.encodePublicPoint(publicPoint, pk, 0); + + { + Ed25519.generatePublicKey(sk, 0, pk2, 0); + + assertTrue("Ed25519 consistent generation #" + i, Arrays.areEqual(pk, pk2)); + } int mLen = RANDOM.nextInt() & 255; @@ -123,14 +176,29 @@ public void testEd25519phConsistency() assertTrue("Ed25519ph consistent signatures #" + i, Arrays.areEqual(sig1, sig2)); - boolean shouldVerify = Ed25519.verifyPrehash(sig1, 0, pk, 0, ctx, ph, 0); + { + boolean shouldVerify = Ed25519.verifyPrehash(sig1, 0, pk, 0, ctx, ph, 0); + + assertTrue("Ed25519ph consistent sign/verify #" + i, shouldVerify); + } + { + boolean shouldVerify = Ed25519.verifyPrehash(sig1, 0, publicPoint, ctx, ph, 0); - assertTrue("Ed25519ph consistent sign/verify #" + i, shouldVerify); + assertTrue("Ed25519ph consistent sign/verify #" + i, shouldVerify); + } sig1[Ed25519.PUBLIC_KEY_SIZE - 1] ^= 0x80; - boolean shouldNotVerify = Ed25519.verifyPrehash(sig1, 0, pk, 0, ctx, ph, 0); - assertFalse("Ed25519ph consistent verification failure #" + i, shouldNotVerify); + { + boolean shouldNotVerify = Ed25519.verifyPrehash(sig1, 0, pk, 0, ctx, ph, 0); + + assertFalse("Ed25519ph consistent verification failure #" + i, shouldNotVerify); + } + { + boolean shouldNotVerify = Ed25519.verifyPrehash(sig1, 0, publicPoint, ctx, ph, 0); + + assertFalse("Ed25519ph consistent verification failure #" + i, shouldNotVerify); + } } } @@ -370,8 +438,6 @@ public void testEd25519phVector1() public void testPublicKeyValidationFull() { - assertFalse(Ed25519.validatePublicKeyFull(NEUTRAL, 0)); - byte[] sk = new byte[Ed25519.SECRET_KEY_SIZE]; byte[] pk = new byte[Ed25519.PUBLIC_KEY_SIZE]; @@ -382,11 +448,24 @@ public void testPublicKeyValidationFull() assertTrue(Ed25519.validatePublicKeyFull(pk, 0)); } + // Small order points (canonical encodings) + assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("0000000000000000000000000000000000000000000000000000000000000000"), 0)); + assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("0000000000000000000000000000000000000000000000000000000000000080"), 0)); + assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("0100000000000000000000000000000000000000000000000000000000000000"), 0)); + assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("C7176A703D4DD84FBA3C0B760D10670F2A2053FA2C39CCC64EC7FD7792AC037A"), 0)); + assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("C7176A703D4DD84FBA3C0B760D10670F2A2053FA2C39CCC64EC7FD7792AC03FA"), 0)); + assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("26E8958FC2B227B045C3F489F2EF98F0D5DFAC05D3C63339B13802886D53FC05"), 0)); + assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("26E8958FC2B227B045C3F489F2EF98F0D5DFAC05D3C63339B13802886D53FC85"), 0)); + + // Small order points (non-canonical encodings) assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("0100000000000000000000000000000000000000000000000000000000000080"), 0)); + assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); - assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + // Non-canonical encodings assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); - assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); + assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); assertFalse(Ed25519.validatePublicKeyFull(Hex.decodeStrict("D73D6044821BD0DF4068AE1792F0851170F53062150AA70A87E2A58A05A26115"), 0)); @@ -414,8 +493,6 @@ public void testPublicKeyValidationFull() public void testPublicKeyValidationPartial() { - assertTrue(Ed25519.validatePublicKeyPartial(NEUTRAL, 0)); - byte[] sk = new byte[Ed25519.SECRET_KEY_SIZE]; byte[] pk = new byte[Ed25519.PUBLIC_KEY_SIZE]; @@ -426,11 +503,23 @@ public void testPublicKeyValidationPartial() assertTrue(Ed25519.validatePublicKeyPartial(pk, 0)); } + // Small order points (canonical encodings) + assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("0000000000000000000000000000000000000000000000000000000000000000"), 0)); + assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("0000000000000000000000000000000000000000000000000000000000000080"), 0)); + assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("0100000000000000000000000000000000000000000000000000000000000000"), 0)); + assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("C7176A703D4DD84FBA3C0B760D10670F2A2053FA2C39CCC64EC7FD7792AC037A"), 0)); + assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("C7176A703D4DD84FBA3C0B760D10670F2A2053FA2C39CCC64EC7FD7792AC03FA"), 0)); + assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("26E8958FC2B227B045C3F489F2EF98F0D5DFAC05D3C63339B13802886D53FC05"), 0)); + assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("26E8958FC2B227B045C3F489F2EF98F0D5DFAC05D3C63339B13802886D53FC85"), 0)); + + // Small order points (non-canonical encodings) assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("0100000000000000000000000000000000000000000000000000000000000080"), 0)); + assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); - assertTrue (Ed25519.validatePublicKeyPartial(Hex.decodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + // Non-canonical encodings assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); - assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); + assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); assertFalse(Ed25519.validatePublicKeyPartial(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); @@ -463,22 +552,19 @@ public void testPublicKeyValidationPartial() public void testTamingNonRepudiation() { - // TODO Algorithm 2 rejects this because A is one of 8 small order points - byte[] msg1 = Strings.toUTF8ByteArray("Send 100 USD to Alice"); byte[] msg2 = Strings.toUTF8ByteArray("Send 100000 USD to Alice"); byte[] pub = Hex.decodeStrict("ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f"); byte[] sig = Hex.decodeStrict("a9d55260f765261eb9b84e106f665e00b867287a761990d7135963ee0a7d59dc" + "a5bb704786be79fc476f91d3f3f89b03984d8068dcf1bb7dfc6637b45450ac04"); - assertTrue(Ed25519.verify(sig, 0, pub, 0, msg1, 0, msg1.length)); - assertTrue(Ed25519.verify(sig, 0, pub, 0, msg2, 0, msg2.length)); + assertFalse(Ed25519.verify(sig, 0, pub, 0, msg1, 0, msg1.length)); + assertFalse(Ed25519.verify(sig, 0, pub, 0, msg2, 0, msg2.length)); } public void testTamingVector_00() { - // TODO Algorithm 2 rejects this because A is one of 8 small order points - implTamingVector(0, true, + implTamingVector(0, false, "8c93255d71dcab10e8f379c26200f3c7bd5f09d9bc3068d3ef4edeb4853022b6", "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa", "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a" + @@ -487,8 +573,7 @@ public void testTamingVector_00() public void testTamingVector_01() { - // TODO Algorithm 2 rejects this because A is one of 8 small order points - implTamingVector(1, true, + implTamingVector(1, false, "9bd9f44f4dcc75bd531b56b2cd280b0bb38fc1cd6d1230e14861d861de092e79", "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa", "f7badec5b8abeaf699583992219b7b223f1df3fbbea919844e3f7c554a43dd43" + @@ -517,8 +602,7 @@ public void testTamingVector_03() public void testTamingVector_04() { - // TODO Algorithm 2 accepts this (cofactored verification) - implTamingVector(4, false, + implTamingVector(4, true, "e47d62c63f830dc7a6851a0b1f33ae4bb2f507fb6cffec4011eaccd55b53f56c", "cdb267ce40c5cd45306fa5d2f29731459387dbf9eb933b7bd5aed9a765b88d4d", "160a1cb0dc9c0258cd0a7d23e94d8fa878bcb1925f2c64246b2dee1796bed512" + @@ -527,8 +611,7 @@ public void testTamingVector_04() public void testTamingVector_05() { - // TODO Algorithm 2 accepts this (cofactored verification) - implTamingVector(5, false, + implTamingVector(5, true, "e47d62c63f830dc7a6851a0b1f33ae4bb2f507fb6cffec4011eaccd55b53f56c", "cdb267ce40c5cd45306fa5d2f29731459387dbf9eb933b7bd5aed9a765b88d4d", "21122a84e0b5fca4052f5b1235c80a537878b38f3142356b2c2384ebad4668b7" +
core/src/test/java/org/bouncycastle/math/ec/rfc8032/test/Ed448Test.java+84 −27 modified@@ -2,19 +2,18 @@ import java.security.SecureRandom; -import junit.framework.TestCase; import org.bouncycastle.crypto.Xof; import org.bouncycastle.math.ec.rfc8032.Ed448; import org.bouncycastle.util.Arrays; import org.bouncycastle.util.encoders.Hex; +import junit.framework.TestCase; + public class Ed448Test extends TestCase { private static final SecureRandom RANDOM = new SecureRandom(); - private static final byte[] NEUTRAL = Hex.decodeStrict("010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"); - // @BeforeClass // public static void init() public void setUp() @@ -27,6 +26,7 @@ public void testEd448Consistency() { byte[] sk = new byte[Ed448.SECRET_KEY_SIZE]; byte[] pk = new byte[Ed448.PUBLIC_KEY_SIZE]; + byte[] pk2 = new byte[Ed448.PUBLIC_KEY_SIZE]; byte[] ctx = new byte[RANDOM.nextInt() & 7]; byte[] m = new byte[255]; byte[] sig1 = new byte[Ed448.SIGNATURE_SIZE]; @@ -38,7 +38,14 @@ public void testEd448Consistency() for (int i = 0; i < 10; ++i) { RANDOM.nextBytes(sk); - Ed448.generatePublicKey(sk, 0, pk, 0); + Ed448.PublicPoint publicPoint = Ed448.generatePublicKey(sk, 0); + Ed448.encodePublicPoint(publicPoint, pk, 0); + + { + Ed448.generatePublicKey(sk, 0, pk2, 0); + + assertTrue("Ed448 consistent generation #" + i, Arrays.areEqual(pk, pk2)); + } int mLen = RANDOM.nextInt() & 255; @@ -47,14 +54,29 @@ public void testEd448Consistency() assertTrue("Ed448 consistent signatures #" + i, Arrays.areEqual(sig1, sig2)); - boolean shouldVerify = Ed448.verify(sig1, 0, pk, 0, ctx, m, 0, mLen); + { + boolean shouldVerify = Ed448.verify(sig1, 0, pk, 0, ctx, m, 0, mLen); + + assertTrue("Ed448 consistent sign/verify #" + i, shouldVerify); + } + { + boolean shouldVerify = Ed448.verify(sig1, 0, publicPoint, ctx, m, 0, mLen); - assertTrue("Ed448 consistent sign/verify #" + i, shouldVerify); + assertTrue("Ed448 consistent sign/verify #" + i, shouldVerify); + } sig1[Ed448.PUBLIC_KEY_SIZE - 1] ^= 0x80; - boolean shouldNotVerify = Ed448.verify(sig1, 0, pk, 0, ctx, m, 0, mLen); - assertFalse("Ed448 consistent verification failure #" + i, shouldNotVerify); + { + boolean shouldNotVerify = Ed448.verify(sig1, 0, pk, 0, ctx, m, 0, mLen); + + assertFalse("Ed448 consistent verification failure #" + i, shouldNotVerify); + } + { + boolean shouldNotVerify = Ed448.verify(sig1, 0, publicPoint, ctx, m, 0, mLen); + + assertFalse("Ed448 consistent verification failure #" + i, shouldNotVerify); + } } } @@ -63,6 +85,7 @@ public void testEd448phConsistency() { byte[] sk = new byte[Ed448.SECRET_KEY_SIZE]; byte[] pk = new byte[Ed448.PUBLIC_KEY_SIZE]; + byte[] pk2 = new byte[Ed448.PUBLIC_KEY_SIZE]; byte[] ctx = new byte[RANDOM.nextInt() & 7]; byte[] m = new byte[255]; byte[] ph = new byte[Ed448.PREHASH_SIZE]; @@ -75,7 +98,14 @@ public void testEd448phConsistency() for (int i = 0; i < 10; ++i) { RANDOM.nextBytes(sk); - Ed448.generatePublicKey(sk, 0, pk, 0); + Ed448.PublicPoint publicPoint = Ed448.generatePublicKey(sk, 0); + Ed448.encodePublicPoint(publicPoint, pk, 0); + + { + Ed448.generatePublicKey(sk, 0, pk2, 0); + + assertTrue("Ed448 consistent generation #" + i, Arrays.areEqual(pk, pk2)); + } int mLen = RANDOM.nextInt() & 255; @@ -88,14 +118,29 @@ public void testEd448phConsistency() assertTrue("Ed448ph consistent signatures #" + i, Arrays.areEqual(sig1, sig2)); - boolean shouldVerify = Ed448.verifyPrehash(sig1, 0, pk, 0, ctx, ph, 0); + { + boolean shouldVerify = Ed448.verifyPrehash(sig1, 0, pk, 0, ctx, ph, 0); - assertTrue("Ed448ph consistent sign/verify #" + i, shouldVerify); + assertTrue("Ed448ph consistent sign/verify #" + i, shouldVerify); + } + { + boolean shouldVerify = Ed448.verifyPrehash(sig1, 0, publicPoint, ctx, ph, 0); + + assertTrue("Ed448ph consistent sign/verify #" + i, shouldVerify); + } sig1[Ed448.PUBLIC_KEY_SIZE - 1] ^= 0x80; - boolean shouldNotVerify = Ed448.verifyPrehash(sig1, 0, pk, 0, ctx, ph, 0); - assertFalse("Ed448ph consistent verification failure #" + i, shouldNotVerify); + { + boolean shouldNotVerify = Ed448.verifyPrehash(sig1, 0, pk, 0, ctx, ph, 0); + + assertFalse("Ed448ph consistent verification failure #" + i, shouldNotVerify); + } + { + boolean shouldNotVerify = Ed448.verifyPrehash(sig1, 0, publicPoint, ctx, ph, 0); + + assertFalse("Ed448ph consistent verification failure #" + i, shouldNotVerify); + } } } @@ -466,8 +511,6 @@ public void testEd448phVector2() public void testPublicKeyValidationFull() { - assertFalse(Ed448.validatePublicKeyFull(NEUTRAL, 0)); - byte[] sk = new byte[Ed448.SECRET_KEY_SIZE]; byte[] pk = new byte[Ed448.PUBLIC_KEY_SIZE]; @@ -478,13 +521,21 @@ public void testPublicKeyValidationFull() assertTrue(Ed448.validatePublicKeyFull(pk, 0)); } + // Small order points (canonical encodings) + assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), 0)); + assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080"), 0)); + assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), 0)); + assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); + + // Small order points (non-canonical encodings) assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080"), 0)); + assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); - assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); - assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); - assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); - assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); - assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); + // Non-canonical encodings + assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); + assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); + assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("00000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); + assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("00000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001"), 0)); assertFalse(Ed448.validatePublicKeyFull(Hex.decodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081"), 0)); @@ -513,8 +564,6 @@ public void testPublicKeyValidationFull() public void testPublicKeyValidationPartial() { - assertTrue(Ed448.validatePublicKeyPartial(NEUTRAL, 0)); - byte[] sk = new byte[Ed448.SECRET_KEY_SIZE]; byte[] pk = new byte[Ed448.PUBLIC_KEY_SIZE]; @@ -525,13 +574,21 @@ public void testPublicKeyValidationPartial() assertTrue(Ed448.validatePublicKeyPartial(pk, 0)); } + // Small order points (canonical encodings) + assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), 0)); + assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080"), 0)); + assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), 0)); + assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); + + // Small order points (non-canonical encodings) assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080"), 0)); + assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); - assertTrue (Ed448.validatePublicKeyPartial(Hex.decodeStrict("FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); - assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); - assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); - assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); - assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); + // Non-canonical encodings + assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); + assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); + assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("00000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); + assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("00000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001"), 0)); assertFalse(Ed448.validatePublicKeyPartial(Hex.decodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081"), 0));
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/advisories/GHSA-m44j-cfrm-g8qcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-30172ghsaADVISORY
- github.com/bcgit/bc-java/commit/1b9fd9b545e691bfb3941a9f6a797660c8860f02ghsaWEB
- github.com/bcgit/bc-java/commit/9c165791b68a204678b48ec11e4e579754c2ea49ghsaWEB
- github.com/bcgit/bc-java/commit/ebe1c75579170072dc59b8dee2b55ce31663178fghsaWEB
- security.netapp.com/advisory/ntap-20240614-0007ghsaWEB
- www.bouncycastle.org/latest_releases.htmlnvdWEB
- security.netapp.com/advisory/ntap-20240614-0007/nvd
News mentions
0No linked articles in our index yet.