GNUnet 0.22.2
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Modules Pages
Macros | Functions | Variables
crypto_elligator.c File Reference
#include "platform.h"
#include "gnunet_common.h"
#include <gcrypt.h>
#include <sodium.h>
#include "gnunet_util_lib.h"
#include "benchmark.h"
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <gmp.h>
#include <limits.h>
Include dependency graph for crypto_elligator.c:

Go to the source code of this file.

Macros

#define P_BITS   (256)
 
#define P_BYTES   ((P_BITS + CHAR_BIT - 1) / CHAR_BIT)
 
#define P_LIMBS   ((P_BITS + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
 

Functions

static void decode_bytes (mp_limb_t *number, const uint8_t *bytes)
 This function decodes the byte buffer into the MPI limb. More...
 
static void encode_bytes (uint8_t *bytes, mp_limb_t *number)
 This function encodes the MPI limb into a byte buffer. More...
 
void GNUNET_CRYPTO_ecdhe_elligator_initialize (void)
 
void __attribute__ ((constructor))
 Initialize elligator scratch space. More...
 
static void least_square_root (mp_limb_t *root, const mp_limb_t *number, mp_limb_t *scratch_space)
 Calculates the root of a given number. More...
 
bool GNUNET_CRYPTO_ecdhe_elligator_encoding (uint8_t random_tweak, struct GNUNET_CRYPTO_ElligatorRepresentative *r, const struct GNUNET_CRYPTO_EcdhePublicKey *pub)
 Encodes a point on Curve25519 to a an element of the underlying finite field. More...
 
static bool elligator_direct_map (uint8_t *point, bool *high_y, uint8_t *representative)
 Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on that curve. More...
 
void GNUNET_CRYPTO_ecdhe_elligator_decoding (struct GNUNET_CRYPTO_EcdhePublicKey *point, bool *high_y, const struct GNUNET_CRYPTO_ElligatorRepresentative *representative)
 Clears the most significant bit and second most significant bit of the serialized representaive before applying elligator direct map. More...
 
static bool convert_from_ed_to_curve (uint8_t *point, const uint8_t *source)
 Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on that curve. More...
 
static enum GNUNET_GenericReturnValue elligator_generate_public_key (const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *pk, struct GNUNET_CRYPTO_EcdhePublicKey *pub)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand (uint8_t random_tweak, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, struct GNUNET_CRYPTO_EcdhePublicKey *pk, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
 Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public (const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, struct GNUNET_CRYPTO_EcdhePublicKey *pk, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
 Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point. More...
 
void GNUNET_CRYPTO_ecdhe_elligator_key_create (struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk)
 Generates a private key for Curve25519. More...
 

Variables

static const uint8_t lookupTable [8][crypto_scalarmult_SCALARBYTES]
 
static const unsigned char p_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char negative_1_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char negative_2_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char divide_negative_1_2_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char divide_plus_p_3_8_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char divide_minus_p_1_2_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char square_root_negative_1_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char A_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char negative_A_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char u_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char inverted_u_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char d_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static mp_limb_t p [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t negative_1 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t negative_2 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t divide_negative_1_2 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t divide_plus_p_3_8 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t divide_minus_p_1_2 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t square_root_negative_1 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t A [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t negative_A [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t u [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t inverted_u [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t d [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_size_t scratch_space_length
 

Macro Definition Documentation

◆ P_BITS

#define P_BITS   (256)

Definition at line 92 of file crypto_elligator.c.

◆ P_BYTES

#define P_BYTES   ((P_BITS + CHAR_BIT - 1) / CHAR_BIT)

Definition at line 93 of file crypto_elligator.c.

◆ P_LIMBS

#define P_LIMBS   ((P_BITS + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)

Definition at line 94 of file crypto_elligator.c.

Function Documentation

◆ decode_bytes()

static void decode_bytes ( mp_limb_t *  number,
const uint8_t *  bytes 
)
static

This function decodes the byte buffer into the MPI limb.

Parameters
numberdecoded number
bytesinput bytes to decode into number

Definition at line 205 of file crypto_elligator.c.

206{
207 mp_limb_t scratch_space[1];
208
209 for (size_t i = 0; i < P_BYTES; ++i)
210 {
211 mpn_lshift (number, number, P_LIMBS, 8);
212 mpn_sec_add_1 (number, number, 1, bytes[P_BYTES - i - 1], scratch_space);
213 }
214}
P_BYTES
#define P_BYTES
Definition: crypto_elligator.c:93
P_LIMBS
#define P_LIMBS
Definition: crypto_elligator.c:94
number
uint32_t number
Definition: plugin_gnsrecord_abd.c:276

References number, P_BYTES, and P_LIMBS.

Referenced by __attribute__(), convert_from_ed_to_curve(), elligator_direct_map(), and GNUNET_CRYPTO_ecdhe_elligator_encoding().

Here is the caller graph for this function:

◆ encode_bytes()

static void encode_bytes ( uint8_t *  bytes,
mp_limb_t *  number 
)
static

This function encodes the MPI limb into a byte buffer.

Parameters
bytesoutput bytes
numbernumber to encode

Definition at line 225 of file crypto_elligator.c.

226{
227 for (size_t i = 0; i < P_BYTES; ++i)
228 {
229 bytes[P_BYTES - i - 1] = mpn_lshift (number, number, P_LIMBS, 8);
230 }
231}

References number, P_BYTES, and P_LIMBS.

Referenced by convert_from_ed_to_curve(), elligator_direct_map(), and GNUNET_CRYPTO_ecdhe_elligator_encoding().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdhe_elligator_initialize()

void GNUNET_CRYPTO_ecdhe_elligator_initialize ( void  )

◆ __attribute__()

void __attribute__ ( (constructor)  )

Initialize elligator scratch space.

Definition at line 239 of file crypto_elligator.c.

241{
242 static bool initialized = false;
243
244 mp_size_t scratch_space_lengths[] = {
245 // For least_square_root
246
247 mpn_sec_powm_itch (P_LIMBS, P_BITS - 1, P_LIMBS),
248 mpn_sec_sqr_itch (P_LIMBS),
249 mpn_sec_div_r_itch (P_LIMBS + P_LIMBS, P_LIMBS),
250 mpn_sec_sub_1_itch (P_LIMBS),
251 mpn_sec_mul_itch (P_LIMBS, P_LIMBS),
252
253 // For Elligator_2_Curve25519_encode
254
255 mpn_sec_powm_itch (P_LIMBS, P_BITS - 1, P_LIMBS),
256 mpn_sec_mul_itch (P_LIMBS, P_LIMBS),
257 mpn_sec_div_r_itch (P_LIMBS + P_LIMBS, P_LIMBS),
258 mpn_sec_sqr_itch (P_LIMBS),
259 mpn_sec_sub_1_itch (P_LIMBS),
260
261 // For Elligator_2_Curve25519_decode
262
263 mpn_sec_sqr_itch (P_LIMBS),
264 mpn_sec_div_r_itch (P_LIMBS + P_LIMBS, P_LIMBS),
265 mpn_sec_div_r_itch (P_LIMBS, P_LIMBS),
266 mpn_sec_mul_itch (P_LIMBS, P_LIMBS),
267 mpn_sec_add_1_itch (P_LIMBS),
268 mpn_sec_powm_itch (P_LIMBS, P_BITS - 1, P_LIMBS),
269
270 // For Elligator_2_Curve25519_convert_from_Ed25519
271 mpn_sec_sqr_itch (P_LIMBS),
272 mpn_sec_div_r_itch (P_LIMBS + P_LIMBS, P_LIMBS),
273 mpn_sec_mul_itch (P_LIMBS, P_LIMBS),
274 mpn_sec_add_1_itch (P_LIMBS),
275 mpn_sec_powm_itch (P_LIMBS, P_BITS - 1, P_LIMBS),
276 mpn_sec_sub_1_itch (P_LIMBS)
277 };
278
279 if (initialized)
280 {
281 return;
282 }
283
284 decode_bytes (p, p_bytes);
285 decode_bytes (negative_1, negative_1_bytes);
286 decode_bytes (negative_2, negative_2_bytes);
287 decode_bytes (divide_negative_1_2, divide_negative_1_2_bytes);
288 decode_bytes (divide_plus_p_3_8, divide_plus_p_3_8_bytes);
289 decode_bytes (divide_minus_p_1_2, divide_minus_p_1_2_bytes);
290 decode_bytes (square_root_negative_1, square_root_negative_1_bytes);
291 decode_bytes (A, A_bytes);
292 decode_bytes (negative_A, negative_A_bytes);
293 decode_bytes (u, u_bytes);
294 decode_bytes (inverted_u, inverted_u_bytes);
295 decode_bytes (d, d_bytes);
296
297
298 for (size_t i = 0; i < sizeof scratch_space_lengths
299 / sizeof *scratch_space_lengths; ++i)
300 {
301 if (scratch_space_lengths[i] > scratch_space_length)
302 {
303 scratch_space_length = scratch_space_lengths[i];
304 }
305 }
306
307 initialized = true;
308}
decode_bytes
static void decode_bytes(mp_limb_t *number, const uint8_t *bytes)
This function decodes the byte buffer into the MPI limb.
Definition: crypto_elligator.c:205
divide_minus_p_1_2
static mp_limb_t divide_minus_p_1_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:187
negative_A
static mp_limb_t negative_A[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:190
negative_2
static mp_limb_t negative_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:184
P_BITS
#define P_BITS
Definition: crypto_elligator.c:92
square_root_negative_1
static mp_limb_t square_root_negative_1[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:188
p
static mp_limb_t p[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:182
divide_minus_p_1_2_bytes
static const unsigned char divide_minus_p_1_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
Definition: crypto_elligator.c:133
negative_A_bytes
static const unsigned char negative_A_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
Definition: crypto_elligator.c:154
d
static mp_limb_t d[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:193
u_bytes
static const unsigned char u_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
Definition: crypto_elligator.c:161
p_bytes
static const unsigned char p_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
Definition: crypto_elligator.c:98
negative_1_bytes
static const unsigned char negative_1_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
Definition: crypto_elligator.c:105
negative_2_bytes
static const unsigned char negative_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
Definition: crypto_elligator.c:112
scratch_space_length
static mp_size_t scratch_space_length
Definition: crypto_elligator.c:195
A_bytes
static const unsigned char A_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
Definition: crypto_elligator.c:147
square_root_negative_1_bytes
static const unsigned char square_root_negative_1_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
Definition: crypto_elligator.c:140
d_bytes
static const unsigned char d_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
Definition: crypto_elligator.c:175
negative_1
static mp_limb_t negative_1[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:183
divide_plus_p_3_8_bytes
static const unsigned char divide_plus_p_3_8_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
Definition: crypto_elligator.c:126
divide_negative_1_2_bytes
static const unsigned char divide_negative_1_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
Definition: crypto_elligator.c:119
A
static mp_limb_t A[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:189
inverted_u
static mp_limb_t inverted_u[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:192
divide_plus_p_3_8
static mp_limb_t divide_plus_p_3_8[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:186
u
static mp_limb_t u[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:191
inverted_u_bytes
static const unsigned char inverted_u_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
Definition: crypto_elligator.c:168
divide_negative_1_2
static mp_limb_t divide_negative_1_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
Definition: crypto_elligator.c:185
initialized
static int initialized
Have we been initialized?
Definition: plugin.c:57

References A, A_bytes, d, d_bytes, decode_bytes(), divide_minus_p_1_2, divide_minus_p_1_2_bytes, divide_negative_1_2, divide_negative_1_2_bytes, divide_plus_p_3_8, divide_plus_p_3_8_bytes, initialized, inverted_u, inverted_u_bytes, negative_1, negative_1_bytes, negative_2, negative_2_bytes, negative_A, negative_A_bytes, p, P_BITS, p_bytes, P_LIMBS, scratch_space_length, square_root_negative_1, square_root_negative_1_bytes, u, and u_bytes.

Here is the call graph for this function:

◆ least_square_root()

static void least_square_root ( mp_limb_t *  root,
const mp_limb_t *  number,
mp_limb_t *  scratch_space 
)
static

Calculates the root of a given number.

Returns trash if the number is a quadratic non-residue.

Parameters
rootstorage for calculated root
numbervalue for which the root is calculated
scratch_spacebuffer for calculation

Definition at line 320 of file crypto_elligator.c.

323{
324 mp_limb_t a[P_LIMBS + P_LIMBS];
325 mp_limb_t b[P_LIMBS];
326 mp_limb_t condition;
327
328 // root := number ^ ((p + 3) / 8)
329
330 mpn_add_n (b, number, p, P_LIMBS); // The next function requires a nonzero input
331 mpn_sec_powm (root, b, P_LIMBS, divide_plus_p_3_8, P_BITS - 1, p, P_LIMBS,
332 scratch_space);
333
334 // If root ^ 2 != number, root := root * square_root(-1)
335
336 mpn_sec_sqr (a, root, P_LIMBS, scratch_space);
337 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
338 mpn_sub_n (b, a, number, P_LIMBS);
339
340 condition = mpn_sec_sub_1 (b, b, P_LIMBS, 1, scratch_space) ^ 1;
341
342 mpn_sec_mul (a, root, P_LIMBS, square_root_negative_1, P_LIMBS,
343 scratch_space);
344 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
345
346 mpn_cnd_swap (condition, root, a, P_LIMBS);
347
348 // If root > (p - 1) / 2, root := -root
349
350 condition = mpn_sub_n (a, divide_minus_p_1_2, root, P_LIMBS);
351
352 mpn_sub_n (a, p, root, P_LIMBS); // If root = 0, a := p
353
354 mpn_cnd_swap (condition, root, a, P_LIMBS);
355}

References divide_minus_p_1_2, divide_plus_p_3_8, number, p, P_BITS, P_LIMBS, and square_root_negative_1.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_encoding().

Here is the caller graph for this function:

◆ elligator_direct_map()

static bool elligator_direct_map ( uint8_t *  point,
bool *  high_y,
uint8_t *  representative 
)
static

Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on that curve.

This function works deterministically. This step is also known as elligators "decoding" step. Taken from https://github.com/Kleshni/Elligator-2/blob/master/main.c.

Parameters
pointstorage for calculated point on Curve25519
high_yThe 'high_y' argument of the corresponding GNUNET_CRYPTO_ecdhe_elligator_encoding call
representativeGiven representative
Returns
'false' if extra step during direct map calculation is needed, otherwise 'true'

Definition at line 447 of file crypto_elligator.c.

450{
451 mp_limb_t scratch_space[scratch_space_length];
452
453 mp_limb_t a[P_LIMBS + P_LIMBS];
454 mp_limb_t b[P_LIMBS + P_LIMBS];
455 mp_limb_t c[P_LIMBS];
456 mp_limb_t e[P_LIMBS + P_LIMBS];
457 bool result;
458
459 // a := representative
460
461 decode_bytes (a, representative);
462
463 // Determine whether a < (p - 1) / 2
464
465 result = mpn_sub_n (b, divide_minus_p_1_2, a, P_LIMBS) ^ 1;
466
467 // b := -A / (1 + u * a ^ 2)
468
469 mpn_sec_sqr (b, a, P_LIMBS, scratch_space);
470 mpn_sec_div_r (b, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
471 mpn_sec_mul (a, u, P_LIMBS, b, P_LIMBS, scratch_space);
472 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
473 mpn_sec_add_1 (b, a, P_LIMBS, 1, scratch_space);
474 mpn_sec_powm (a, b, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
475 scratch_space);
476 mpn_sec_mul (b, a, P_LIMBS, negative_A, P_LIMBS, scratch_space);
477 mpn_sec_div_r (b, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
478
479 // a := b ^ 3 + A * b ^ 2 + b (with 1-bit overflow)
480
481 mpn_sec_sqr (a, b, P_LIMBS, scratch_space);
482 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
483 mpn_add_n (c, b, A, P_LIMBS);
484 mpn_sec_mul (e, c, P_LIMBS, a, P_LIMBS, scratch_space);
485 mpn_sec_div_r (e, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
486 mpn_add_n (a, e, b, P_LIMBS);
487
488 // If a is a quadratic residue modulo p, point := b and high_y := 1
489 // Otherwise point := -b - A and high_y := 0
490
491 mpn_sub_n (c, p, b, P_LIMBS);
492 mpn_add_n (c, c, negative_A, P_LIMBS);
493 mpn_sec_div_r (c, P_LIMBS, p, P_LIMBS, scratch_space);
494
495 mpn_sec_powm (e, a, P_LIMBS, divide_minus_p_1_2, P_BITS - 1, p, P_LIMBS,
496 scratch_space);
497 *high_y = mpn_sub_n (e, e, divide_minus_p_1_2, P_LIMBS);
498
499 mpn_cnd_swap (*high_y, b, c, P_LIMBS);
500
501 encode_bytes (point, c);
502
503 return result;
504}
encode_bytes
static void encode_bytes(uint8_t *bytes, mp_limb_t *number)
This function encodes the MPI limb into a byte buffer.
Definition: crypto_elligator.c:225
result
static int result
Global testing status.
Definition: gnunet-regex-profiler.c:240

References A, decode_bytes(), divide_minus_p_1_2, encode_bytes(), negative_2, negative_A, p, P_BITS, P_LIMBS, result, scratch_space_length, and u.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_decoding().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ convert_from_ed_to_curve()

static bool convert_from_ed_to_curve ( uint8_t *  point,
const uint8_t *  source 
)
static

Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on that curve.

This function works deterministically. This step is also known as elligators "decoding" step. Taken from https://github.com/Kleshni/Elligator-2/blob/master/main.c.

Parameters
pointstorage for calculated point on Curve25519
sourceEd25519 curve point
Returns
'false' if source is not a valid Ed25519 point. In this case the 'point' array will be undefined but dependent on source.

Definition at line 542 of file crypto_elligator.c.

544{
545 mp_limb_t scratch_space[scratch_space_length];
546
547 mp_limb_t y[P_LIMBS];
548 mp_limb_t a[P_LIMBS + P_LIMBS];
549 mp_limb_t b[P_LIMBS + P_LIMBS];
550 mp_limb_t c[P_LIMBS + P_LIMBS];
551
552 uint8_t y_bytes[P_BYTES];
553 bool result;
554
555 memcpy (y_bytes, source, 31);
556
557 y_bytes[31] = source[31] & 0x7f;
558
559 decode_bytes (y, y_bytes);
560
561 // Check if y < p
562
563 result = mpn_sub_n (a, y, p, P_LIMBS);
564
565 // a := (y ^ 2 - 1) / (1 + d * y ^ 2)
566
567 mpn_sec_sqr (a, y, P_LIMBS, scratch_space);
568 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
569 mpn_sec_mul (b, a, P_LIMBS, d, P_LIMBS, scratch_space);
570 mpn_sec_add_1 (b, b, P_LIMBS, 1, scratch_space);
571 mpn_sec_div_r (b, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
572 mpn_sec_powm (c, b, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
573 scratch_space);
574 mpn_add_n (b, a, negative_1, P_LIMBS);
575 mpn_sec_mul (a, b, P_LIMBS, c, P_LIMBS, scratch_space);
576 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
577
578 // Check, whether a is a square modulo p (including a = 0)
579
580 mpn_add_n (a, a, p, P_LIMBS);
581 mpn_sec_powm (b, a, P_LIMBS, divide_negative_1_2, P_BITS - 1, p, P_LIMBS,
582 scratch_space);
583
584 result &= mpn_sub_n (c, b, divide_minus_p_1_2, P_LIMBS);
585
586 // If a = p, the parity bit must be 0
587
588 mpn_sub_n (a, a, p, P_LIMBS);
589
590 result ^= mpn_sec_sub_1 (a, a, P_LIMBS, 1, scratch_space) & source[31] >> 7;
591
592 // If y != 1, c := (1 + y) / (1 - y), otherwise c := 0
593
594 mpn_sub_n (a, p, y, P_LIMBS);
595 mpn_sec_add_1 (a, a, P_LIMBS, 1, scratch_space);
596 mpn_sec_powm (b, a, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
597 scratch_space);
598 mpn_sec_add_1 (a, y, P_LIMBS, 1, scratch_space);
599 mpn_sec_mul (c, a, P_LIMBS, b, P_LIMBS, scratch_space);
600 mpn_sec_div_r (c, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
601
602 encode_bytes (point, c);
603
604 return result;
605}
source
static GstElement * source
Appsrc instance into which we write data for the pipeline.
Definition: gnunet-helper-audio-playback-gst.c:67

References d, decode_bytes(), divide_minus_p_1_2, divide_negative_1_2, encode_bytes(), negative_1, negative_2, p, P_BITS, P_BYTES, P_LIMBS, result, scratch_space_length, and source.

Referenced by elligator_generate_public_key().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ elligator_generate_public_key()

static enum GNUNET_GenericReturnValue elligator_generate_public_key ( const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey pk,
struct GNUNET_CRYPTO_EcdhePublicKey pub 
)
static

Definition at line 609 of file crypto_elligator.c.

612{
613 // eHigh
614 // crypto_scalarmult_ed25519_base clamps the scalar pk->d and return only 0 if pk->d is zero
615 unsigned char eHigh[crypto_scalarmult_SCALARBYTES] = {0};
616 int sLow = (pk->d)[0] % 8;
617 unsigned char eLow[crypto_scalarmult_SCALARBYTES] = {0};
618 unsigned char edPub[crypto_scalarmult_SCALARBYTES] = {0};
619 GNUNET_assert (0 == crypto_scalarmult_ed25519_base (eHigh, pk->d));
620
621 // eLow: choose a random point of low order
622 memcpy (eLow, lookupTable[sLow], crypto_scalarmult_SCALARBYTES);
623
624 // eHigh + eLow
625 if (crypto_core_ed25519_add (edPub, eLow, eHigh) == -1)
626 {
627 return GNUNET_SYSERR;
628 }
629
630 if (convert_from_ed_to_curve (pub->q_y, edPub) == false)
631 {
632 return GNUNET_SYSERR;
633 }
634 return GNUNET_OK;
635}
lookupTable
static const uint8_t lookupTable[8][crypto_scalarmult_SCALARBYTES]
Definition: crypto_elligator.c:42
convert_from_ed_to_curve
static bool convert_from_ed_to_curve(uint8_t *point, const uint8_t *source)
Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on tha...
Definition: crypto_elligator.c:542
pk
struct GNUNET_CRYPTO_PrivateKey pk
Private key from command line option, or NULL.
Definition: gnunet-identity.c:126
pub
static struct GNUNET_CRYPTO_EddsaPublicKey pub
Definition: gnunet-scrypt.c:47
GNUNET_OK
@ GNUNET_OK
Definition: gnunet_common.h:111
GNUNET_SYSERR
@ GNUNET_SYSERR
Definition: gnunet_common.h:109
GNUNET_assert
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
Definition: gnunet_common.h:957
GNUNET_CRYPTO_EddsaPublicKey::q_y
unsigned char q_y[256/8]
Point Q consists of a y-value mod p (256 bits); the x-value is always positive.
Definition: gnunet_crypto_lib.h:207

References convert_from_ed_to_curve(), GNUNET_assert, GNUNET_OK, GNUNET_SYSERR, lookupTable, pk, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand().

Here is the call graph for this function:
Here is the caller graph for this function:

Variable Documentation

◆ lookupTable

const uint8_t lookupTable[8][crypto_scalarmult_SCALARBYTES]
static

Definition at line 42 of file crypto_elligator.c.

Referenced by elligator_generate_public_key().

◆ p_bytes

const unsigned char p_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
}

Definition at line 98 of file crypto_elligator.c.

Referenced by __attribute__().

◆ negative_1_bytes

const unsigned char negative_1_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
}

Definition at line 105 of file crypto_elligator.c.

Referenced by __attribute__().

◆ negative_2_bytes

const unsigned char negative_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
}

Definition at line 112 of file crypto_elligator.c.

Referenced by __attribute__().

◆ divide_negative_1_2_bytes

const unsigned char divide_negative_1_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f
}

Definition at line 119 of file crypto_elligator.c.

Referenced by __attribute__().

◆ divide_plus_p_3_8_bytes

const unsigned char divide_plus_p_3_8_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f
}

Definition at line 126 of file crypto_elligator.c.

Referenced by __attribute__().

◆ divide_minus_p_1_2_bytes

const unsigned char divide_minus_p_1_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f
}

Definition at line 133 of file crypto_elligator.c.

Referenced by __attribute__().

◆ square_root_negative_1_bytes

const unsigned char square_root_negative_1_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xb0, 0xa0, 0x0e, 0x4a, 0x27, 0x1b, 0xee, 0xc4,
0x78, 0xe4, 0x2f, 0xad, 0x06, 0x18, 0x43, 0x2f,
0xa7, 0xd7, 0xfb, 0x3d, 0x99, 0x00, 0x4d, 0x2b,
0x0b, 0xdf, 0xc1, 0x4f, 0x80, 0x24, 0x83, 0x2b
}

Definition at line 140 of file crypto_elligator.c.

Referenced by __attribute__().

◆ A_bytes

const unsigned char A_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0x06, 0x6d, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
}

Definition at line 147 of file crypto_elligator.c.

Referenced by __attribute__().

◆ negative_A_bytes

const unsigned char negative_A_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xe7, 0x92, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
}

Definition at line 154 of file crypto_elligator.c.

Referenced by __attribute__().

◆ u_bytes

const unsigned char u_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
}

Definition at line 161 of file crypto_elligator.c.

Referenced by __attribute__().

◆ inverted_u_bytes

const unsigned char inverted_u_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xf7, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f
}

Definition at line 168 of file crypto_elligator.c.

Referenced by __attribute__().

◆ d_bytes

const unsigned char d_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
}

Definition at line 175 of file crypto_elligator.c.

Referenced by __attribute__().

◆ p

mp_limb_t p[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 182 of file crypto_elligator.c.

Referenced by __attribute__(), convert_from_ed_to_curve(), elligator_direct_map(), GNUNET_CRYPTO_ecdhe_elligator_encoding(), and least_square_root().

◆ negative_1

mp_limb_t negative_1[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 183 of file crypto_elligator.c.

Referenced by __attribute__(), and convert_from_ed_to_curve().

◆ negative_2

mp_limb_t negative_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 184 of file crypto_elligator.c.

Referenced by __attribute__(), convert_from_ed_to_curve(), elligator_direct_map(), and GNUNET_CRYPTO_ecdhe_elligator_encoding().

◆ divide_negative_1_2

mp_limb_t divide_negative_1_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 185 of file crypto_elligator.c.

Referenced by __attribute__(), and convert_from_ed_to_curve().

◆ divide_plus_p_3_8

mp_limb_t divide_plus_p_3_8[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 186 of file crypto_elligator.c.

Referenced by __attribute__(), and least_square_root().

◆ divide_minus_p_1_2

mp_limb_t divide_minus_p_1_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 187 of file crypto_elligator.c.

Referenced by __attribute__(), convert_from_ed_to_curve(), elligator_direct_map(), and least_square_root().

◆ square_root_negative_1

mp_limb_t square_root_negative_1[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 188 of file crypto_elligator.c.

Referenced by __attribute__(), and least_square_root().

◆ A

mp_limb_t A[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 189 of file crypto_elligator.c.

Referenced by __attribute__(), elligator_direct_map(), and GNUNET_CRYPTO_ecdhe_elligator_encoding().

◆ negative_A

mp_limb_t negative_A[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 190 of file crypto_elligator.c.

Referenced by __attribute__(), and elligator_direct_map().

◆ u

mp_limb_t u[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 191 of file crypto_elligator.c.

Referenced by __attribute__(), _nss_gns_gethostbyname2_r(), bind_abstime(), bind_nbotime(), bind_u16(), bind_u32(), bind_u64(), compute_scalar_product(), elligator_direct_map(), encrypt_fair(), extract_abs_time(), extract_abs_time_nbo(), extract_uint16(), extract_uint32(), extract_uint64(), GDS_u_connect(), GDS_u_drop(), GDS_u_hold(), GDS_u_send(), GDS_u_try_connect(), getopt_set_keywords(), gns_resolve_name(), GNUNET_uri_parse(), load_underlay(), qconv_abs_time(), qconv_rel_time(), shutdown_task(), u_address_add(), and update_network_size_estimate().

◆ inverted_u

mp_limb_t inverted_u[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 192 of file crypto_elligator.c.

Referenced by __attribute__(), and GNUNET_CRYPTO_ecdhe_elligator_encoding().

◆ d

mp_limb_t d[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 193 of file crypto_elligator.c.

Referenced by __attribute__(), compute_lagrange_coefficient(), convert_from_ed_to_curve(), decode_private_ecdsa_key(), decrypt_new_element(), diff_create(), feed_buffer_to_gst(), GCCH_handle_channel_plaintext_data(), get_app(), get_audiobin(), get_coder(), get_delay_randomization(), gg_load_configuration(), gg_setup_gst_bus(), GNUNET_CRYPTO_ecdsa_private_key_derive(), GNUNET_CRYPTO_eddsa_private_key_derive(), GNUNET_FS_indexing_init(), GNUNET_hton_double(), GNUNET_memcmp_ct_(), GNUNET_ntoh_double(), gnunet_read(), GNUNET_TIME_randomize(), insert_decrypt_element(), insert_round1_element(), insert_round2_element(), keygen_reveal_get_enc_preshare(), keygen_reveal_get_exp_coeff(), keygen_reveal_get_exp_preshare(), keygen_round1_new_element(), keygen_round2_new_element(), num_to_regex(), on_appsink_new_sample(), and state_changed_cb().

◆ scratch_space_length

mp_size_t scratch_space_length
static

Definition at line 195 of file crypto_elligator.c.

Referenced by __attribute__(), convert_from_ed_to_curve(), elligator_direct_map(), and GNUNET_CRYPTO_ecdhe_elligator_encoding().