#include "gnunet_common.h"
#include "platform.h"
#include <gcrypt.h>
#include <sodium.h>
#include "gnunet_util_lib.h"
#include "benchmark.h"
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <gmp.h>
#include <limits.h>

Include dependency graph for crypto_elligator.c:

Macros
#define	P_BITS (256)

#define	P_BYTES ((P_BITS + CHAR_BIT - 1) / CHAR_BIT)

#define	P_LIMBS ((P_BITS + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)

Functions
static void	decode_bytes (mp_limb_t number, const uint8_t bytes)

static void	encode_bytes (uint8_t bytes, mp_limb_t number)

void	__attribute__ ((constructor))
	Initialize elligator scratch space. More...

static void	least_square_root (mp_limb_t root, const mp_limb_t number, mp_limb_t *scratch_space)
	Calculates the root of a given number. More...

bool	GNUNET_CRYPTO_ecdhe_elligator_encoding_norand (struct GNUNET_CRYPTO_ElligatorRepresentative r, uint8_t seed, const struct GNUNET_CRYPTO_EcdhePublicKey pub)

bool	GNUNET_CRYPTO_ecdhe_elligator_encoding (struct GNUNET_CRYPTO_ElligatorRepresentative r, const struct GNUNET_CRYPTO_EcdhePublicKey pub)
	Encodes a point on Curve25519 to a an element of the underlying finite field. More...

static bool	elligator_direct_map (uint8_t point, bool high_y, uint8_t *representative)
	Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on that curve. More...

void	GNUNET_CRYPTO_ecdhe_elligator_decoding (struct GNUNET_CRYPTO_EcdhePublicKey point, bool high_y, const struct GNUNET_CRYPTO_ElligatorRepresentative *representative)
	Clears the most significant bit and second most significant bit of the serialized representaive before applying elligator direct map. More...

static bool	convert_from_ed_to_curve (uint8_t point, const uint8_t source)
	Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on that curve. More...

static enum GNUNET_GenericReturnValue	elligator_generate_public_key (const struct GNUNET_CRYPTO_EcdhePrivateKey pk, struct GNUNET_CRYPTO_EcdhePublicKey pub)

enum GNUNET_GenericReturnValue	GNUNET_CRYPTO_ecdhe_elligator_key_get_public (const struct GNUNET_CRYPTO_EcdhePrivateKey sk, struct GNUNET_CRYPTO_EcdhePublicKey pk, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
	Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point. More...

void	GNUNET_CRYPTO_ecdhe_elligator_key_create (struct GNUNET_CRYPTO_EcdhePrivateKey *sk)
	Generates a private key for Curve25519. More...

Variables
static const uint8_t	lookupTable [8][crypto_scalarmult_SCALARBYTES]

static const unsigned char	p_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static const unsigned char	negative_1_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static const unsigned char	negative_2_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static const unsigned char	divide_negative_1_2_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static const unsigned char	divide_plus_p_3_8_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static const unsigned char	divide_minus_p_1_2_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static const unsigned char	square_root_negative_1_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static const unsigned char	A_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static const unsigned char	negative_A_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static const unsigned char	u_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static const unsigned char	inverted_u_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static const unsigned char	d_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static mp_limb_t	p [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

static mp_limb_t	negative_1 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

static mp_limb_t	negative_2 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

static mp_limb_t	divide_negative_1_2 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

static mp_limb_t	divide_plus_p_3_8 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

static mp_limb_t	divide_minus_p_1_2 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

static mp_limb_t	square_root_negative_1 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

static mp_limb_t	A [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

static mp_limb_t	negative_A [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

static mp_limb_t	u [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

static mp_limb_t	inverted_u [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

static mp_limb_t	d [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]

static mp_size_t	scratch_space_length

Macro Definition Documentation

◆ P_BITS

#define P_BITS (256)

Definition at line 92 of file crypto_elligator.c.

◆ P_BYTES

#define P_BYTES ((P_BITS + CHAR_BIT - 1) / CHAR_BIT)

Definition at line 93 of file crypto_elligator.c.

◆ P_LIMBS

#define P_LIMBS ((P_BITS + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)

Definition at line 94 of file crypto_elligator.c.

Function Documentation

◆ decode_bytes()

static void decode_bytes	(	mp_limb_t *	number,
		const uint8_t *	bytes
	)

static

Definition at line 199 of file crypto_elligator.c.

{
  mp_limb_t scratch_space[1];
 
  for (size_t i = 0; i < P_BYTES; ++i)
  {
    mpn_lshift (number, number, P_LIMBS, 8);
    mpn_sec_add_1 (number, number, 1, bytes[P_BYTES - i - 1], scratch_space);
  }
}

References number, P_BYTES, and P_LIMBS.

Referenced by __attribute__(), convert_from_ed_to_curve(), elligator_direct_map(), and GNUNET_CRYPTO_ecdhe_elligator_encoding_norand().

Here is the caller graph for this function:

◆ encode_bytes()

static void encode_bytes	(	uint8_t *	bytes,
		mp_limb_t *	number
	)

static

Definition at line 213 of file crypto_elligator.c.

{
  for (size_t i = 0; i < P_BYTES; ++i)
  {
    bytes[P_BYTES - i - 1] = mpn_lshift (number, number, P_LIMBS, 8);
  }
}

References number, P_BYTES, and P_LIMBS.

Referenced by convert_from_ed_to_curve(), elligator_direct_map(), and GNUNET_CRYPTO_ecdhe_elligator_encoding_norand().

Here is the caller graph for this function:

◆ attribute()

void __attribute__ ( (constructor) )

Initialize elligator scratch space.

Definition at line 225 of file crypto_elligator.c.

{
  static bool initialized = false;
 
  if (initialized)
  {
    return;
  }
 
  decode_bytes (p, p_bytes);
  decode_bytes (negative_1, negative_1_bytes);
  decode_bytes (negative_2, negative_2_bytes);
  decode_bytes (divide_negative_1_2, divide_negative_1_2_bytes);
  decode_bytes (divide_plus_p_3_8, divide_plus_p_3_8_bytes);
  decode_bytes (divide_minus_p_1_2, divide_minus_p_1_2_bytes);
  decode_bytes (square_root_negative_1, square_root_negative_1_bytes);
  decode_bytes (A, A_bytes);
  decode_bytes (negative_A, negative_A_bytes);
  decode_bytes (u, u_bytes);
  decode_bytes (inverted_u, inverted_u_bytes);
  decode_bytes (d, d_bytes);
 
  mp_size_t scratch_space_lengths[] = {
    // For least_square_root
 
    mpn_sec_powm_itch (P_LIMBS, P_BITS - 1, P_LIMBS),
    mpn_sec_sqr_itch (P_LIMBS),
    mpn_sec_div_r_itch (P_LIMBS + P_LIMBS, P_LIMBS),
    mpn_sec_sub_1_itch (P_LIMBS),
    mpn_sec_mul_itch (P_LIMBS, P_LIMBS),
 
    // For Elligator_2_Curve25519_encode
 
    mpn_sec_powm_itch (P_LIMBS, P_BITS - 1, P_LIMBS),
    mpn_sec_mul_itch (P_LIMBS, P_LIMBS),
    mpn_sec_div_r_itch (P_LIMBS + P_LIMBS, P_LIMBS),
    mpn_sec_sqr_itch (P_LIMBS),
    mpn_sec_sub_1_itch (P_LIMBS),
 
    // For Elligator_2_Curve25519_decode
 
    mpn_sec_sqr_itch (P_LIMBS),
    mpn_sec_div_r_itch (P_LIMBS + P_LIMBS, P_LIMBS),
    mpn_sec_div_r_itch (P_LIMBS, P_LIMBS),
    mpn_sec_mul_itch (P_LIMBS, P_LIMBS),
    mpn_sec_add_1_itch (P_LIMBS),
    mpn_sec_powm_itch (P_LIMBS, P_BITS - 1, P_LIMBS),
 
    // For Elligator_2_Curve25519_convert_from_Ed25519
    mpn_sec_sqr_itch (P_LIMBS),
    mpn_sec_div_r_itch (P_LIMBS + P_LIMBS, P_LIMBS),
    mpn_sec_mul_itch (P_LIMBS, P_LIMBS),
    mpn_sec_add_1_itch (P_LIMBS),
    mpn_sec_powm_itch (P_LIMBS, P_BITS - 1, P_LIMBS),
    mpn_sec_sub_1_itch (P_LIMBS)
  };
 
  for (size_t i = 0; i < sizeof scratch_space_lengths
       / sizeof *scratch_space_lengths; ++i)
  {
    if (scratch_space_lengths[i] > scratch_space_length)
    {
      scratch_space_length = scratch_space_lengths[i];
    }
  }
 
  initialized = true;
}

References A, A_bytes, d, d_bytes, decode_bytes(), divide_minus_p_1_2, divide_minus_p_1_2_bytes, divide_negative_1_2, divide_negative_1_2_bytes, divide_plus_p_3_8, divide_plus_p_3_8_bytes, initialized, inverted_u, inverted_u_bytes, negative_1, negative_1_bytes, negative_2, negative_2_bytes, negative_A, negative_A_bytes, p, P_BITS, p_bytes, P_LIMBS, scratch_space_length, square_root_negative_1, square_root_negative_1_bytes, u, and u_bytes.

Here is the call graph for this function:

◆ least_square_root()

static void least_square_root	(	mp_limb_t *	root,
		const mp_limb_t *	number,
		mp_limb_t *	scratch_space
	)

static

Calculates the root of a given number.

Returns trash if the number is a quadratic non-residue.

Parameters

root	storage for calculated root
number	value for which the root is calculated
scratch_space	buffer for calculation

Definition at line 305 of file crypto_elligator.c.

{
  mp_limb_t a[P_LIMBS + P_LIMBS];
  mp_limb_t b[P_LIMBS];
 
  // root := number ^ ((p + 3) / 8)
 
  mpn_add_n (b, number, p, P_LIMBS); // The next function requires a nonzero input
  mpn_sec_powm (root, b, P_LIMBS, divide_plus_p_3_8, P_BITS - 1, p, P_LIMBS,
                scratch_space);
 
  // If root ^ 2 != number, root := root * square_root(-1)
 
  mpn_sec_sqr (a, root, P_LIMBS, scratch_space);
  mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
  mpn_sub_n (b, a, number, P_LIMBS);
 
  mp_limb_t condition = mpn_sec_sub_1 (b, b, P_LIMBS, 1, scratch_space) ^ 1;
 
  mpn_sec_mul (a, root, P_LIMBS, square_root_negative_1, P_LIMBS,
               scratch_space);
  mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
 
  mpn_cnd_swap (condition, root, a, P_LIMBS);
 
  // If root > (p - 1) / 2, root := -root
 
  condition = mpn_sub_n (a, divide_minus_p_1_2, root, P_LIMBS);
 
  mpn_sub_n (a, p, root, P_LIMBS); // If root = 0, a := p
 
  mpn_cnd_swap (condition, root, a, P_LIMBS);
}

References divide_minus_p_1_2, divide_plus_p_3_8, number, p, P_BITS, P_LIMBS, and square_root_negative_1.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_encoding_norand().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdhe_elligator_encoding_norand()

bool GNUNET_CRYPTO_ecdhe_elligator_encoding_norand	(	struct GNUNET_CRYPTO_ElligatorRepresentative *	r,
		uint8_t	seed,
		const struct GNUNET_CRYPTO_EcdhePublicKey *	pub
	)

Definition at line 342 of file crypto_elligator.c.

{
  bool high_y;
  bool msb_set;
  bool smsb_set;
 
  high_y = seed & 1;
 
  uint8_t *representative = r->r;
  uint8_t *point = (uint8_t *) pub->q_y;
 
  mp_limb_t scratch_space[scratch_space_length];
 
  mp_limb_t a[P_LIMBS + P_LIMBS];
  mp_limb_t b[P_LIMBS + P_LIMBS];
  mp_limb_t c[P_LIMBS + P_LIMBS];
 
  // a := point
 
  decode_bytes (a, point);
 
  // b := -a / (a + A), or b := p if a = 0
 
  mpn_add_n (b, a, A, P_LIMBS);
  mpn_sec_powm (c, b, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
                scratch_space);
  mpn_sec_mul (b, c, P_LIMBS, a, P_LIMBS, scratch_space);
  mpn_sec_div_r (b, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
  mpn_sub_n (b, p, b, P_LIMBS);
 
  // If high_y = true, b := 1 / b or b := 0 if it was = p
 
  mpn_sec_powm (c, b, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
                scratch_space);
  mpn_cnd_swap (high_y, b, c, P_LIMBS);
 
  // c := b / u
 
  mpn_sec_mul (c, b, P_LIMBS, inverted_u, P_LIMBS, scratch_space);
  mpn_sec_div_r (c, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
 
  // If c is a square modulo p, b := least_square_root(c)
 
  least_square_root (b, c, scratch_space);
 
  // Determine, whether b ^ 2 = c
 
  mpn_sec_sqr (a, b, P_LIMBS, scratch_space);
  mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
  mpn_sub_n (a, a, c, P_LIMBS);
 
  bool result = mpn_sec_sub_1 (a, a, P_LIMBS, 1, scratch_space);
 
  encode_bytes (representative, b);
 
  // Setting most significant bit and second most significant bit randomly
  msb_set = (seed >> 1) & 1;
  smsb_set = (seed >> 2) & 1;
  if (msb_set)
  {
    r->r[31] |= 128;
  }
  if (smsb_set)
  {
    r->r[31] |= 64;
  }
  return result;
}

References A, decode_bytes(), encode_bytes(), inverted_u, least_square_root(), negative_2, p, P_BITS, P_LIMBS, pub, GNUNET_CRYPTO_EddsaPublicKey::q_y, GNUNET_CRYPTO_ElligatorRepresentative::r, result, and scratch_space_length.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_encoding().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ elligator_direct_map()

static bool elligator_direct_map	(	uint8_t *	point,
		bool *	high_y,
		uint8_t *	representative
	)

static

Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on that curve.

This function works deterministically. This step is also known as elligators "decoding" step. Taken from https://github.com/Kleshni/Elligator-2/blob/master/main.c.

Parameters

point	storage for calculated point on Curve25519
high_y	The 'high_y' argument of the corresponding GNUNET_CRYPTO_ecdhe_elligator_encoding call
representative	Given representative

Returns: 'false' if extra step during direct map calculation is needed, otherwise 'true'

Definition at line 441 of file crypto_elligator.c.

{
  mp_limb_t scratch_space[scratch_space_length];
 
  mp_limb_t a[P_LIMBS + P_LIMBS];
  mp_limb_t b[P_LIMBS + P_LIMBS];
  mp_limb_t c[P_LIMBS];
  mp_limb_t e[P_LIMBS + P_LIMBS];
 
  // a := representative
 
  decode_bytes (a, representative);
 
  // Determine whether a < (p - 1) / 2
 
  bool result = mpn_sub_n (b, divide_minus_p_1_2, a, P_LIMBS) ^ 1;
 
  // b := -A / (1 + u * a ^ 2)
 
  mpn_sec_sqr (b, a, P_LIMBS, scratch_space);
  mpn_sec_div_r (b, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
  mpn_sec_mul (a, u, P_LIMBS, b, P_LIMBS, scratch_space);
  mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
  mpn_sec_add_1 (b, a, P_LIMBS, 1, scratch_space);
  mpn_sec_powm (a, b, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
                scratch_space);
  mpn_sec_mul (b, a, P_LIMBS, negative_A, P_LIMBS, scratch_space);
  mpn_sec_div_r (b, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
 
  // a := b ^ 3 + A * b ^ 2 + b (with 1-bit overflow)
 
  mpn_sec_sqr (a, b, P_LIMBS, scratch_space);
  mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
  mpn_add_n (c, b, A, P_LIMBS);
  mpn_sec_mul (e, c, P_LIMBS, a, P_LIMBS, scratch_space);
  mpn_sec_div_r (e, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
  mpn_add_n (a, e, b, P_LIMBS);
 
  // If a is a quadratic residue modulo p, point := b and high_y := 1
  // Otherwise point := -b - A and high_y := 0
 
  mpn_sub_n (c, p, b, P_LIMBS);
  mpn_add_n (c, c, negative_A, P_LIMBS);
  mpn_sec_div_r (c, P_LIMBS, p, P_LIMBS, scratch_space);
 
  mpn_sec_powm (e, a, P_LIMBS, divide_minus_p_1_2, P_BITS - 1, p, P_LIMBS,
                scratch_space);
  *high_y = mpn_sub_n (e, e, divide_minus_p_1_2, P_LIMBS);
 
  mpn_cnd_swap (*high_y, b, c, P_LIMBS);
 
  encode_bytes (point, c);
 
  return result;
}

References A, decode_bytes(), divide_minus_p_1_2, encode_bytes(), negative_2, negative_A, p, P_BITS, P_LIMBS, result, scratch_space_length, and u.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_decoding().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ convert_from_ed_to_curve()

static bool convert_from_ed_to_curve	(	uint8_t *	point,
		const uint8_t *	source
	)

static

Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on that curve.

This function works deterministically. This step is also known as elligators "decoding" step. Taken from https://github.com/Kleshni/Elligator-2/blob/master/main.c.

Parameters

point	storage for calculated point on Curve25519
source	Ed25519 curve point

Returns: 'false' if source is not a valid Ed25519 point. In this case the 'point' array will be undefined but dependent on source.

Definition at line 535 of file crypto_elligator.c.

{
  mp_limb_t scratch_space[scratch_space_length];
 
  mp_limb_t y[P_LIMBS];
  mp_limb_t a[P_LIMBS + P_LIMBS];
  mp_limb_t b[P_LIMBS + P_LIMBS];
  mp_limb_t c[P_LIMBS + P_LIMBS];
 
  uint8_t y_bytes[P_BYTES];
 
  memcpy (y_bytes, source, 31);
 
  y_bytes[31] = source[31] & 0x7f;
 
  decode_bytes (y, y_bytes);
 
  // Check if y < p
 
  bool result = mpn_sub_n (a, y, p, P_LIMBS);
 
  // a := (y ^ 2 - 1) / (1 + d * y ^ 2)
 
  mpn_sec_sqr (a, y, P_LIMBS, scratch_space);
  mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
  mpn_sec_mul (b, a, P_LIMBS, d, P_LIMBS, scratch_space);
  mpn_sec_add_1 (b, b, P_LIMBS, 1, scratch_space);
  mpn_sec_div_r (b, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
  mpn_sec_powm (c, b, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
                scratch_space);
  mpn_add_n (b, a, negative_1, P_LIMBS);
  mpn_sec_mul (a, b, P_LIMBS, c, P_LIMBS, scratch_space);
  mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
 
  // Check, whether a is a square modulo p (including a = 0)
 
  mpn_add_n (a, a, p, P_LIMBS);
  mpn_sec_powm (b, a, P_LIMBS, divide_negative_1_2, P_BITS - 1, p, P_LIMBS,
                scratch_space);
 
  result &= mpn_sub_n (c, b, divide_minus_p_1_2, P_LIMBS);
 
  // If a = p, the parity bit must be 0
 
  mpn_sub_n (a, a, p, P_LIMBS);
 
  result ^= mpn_sec_sub_1 (a, a, P_LIMBS, 1, scratch_space) & source[31] >> 7;
 
  // If y != 1, c := (1 + y) / (1 - y), otherwise c := 0
 
  mpn_sub_n (a, p, y, P_LIMBS);
  mpn_sec_add_1 (a, a, P_LIMBS, 1, scratch_space);
  mpn_sec_powm (b, a, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
                scratch_space);
  mpn_sec_add_1 (a, y, P_LIMBS, 1, scratch_space);
  mpn_sec_mul (c, a, P_LIMBS, b, P_LIMBS, scratch_space);
  mpn_sec_div_r (c, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
 
  encode_bytes (point, c);
 
  return result;
}

References d, decode_bytes(), divide_minus_p_1_2, divide_negative_1_2, encode_bytes(), negative_1, negative_2, p, P_BITS, P_BYTES, P_LIMBS, result, scratch_space_length, and source.

Referenced by elligator_generate_public_key().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ elligator_generate_public_key()

static enum GNUNET_GenericReturnValue elligator_generate_public_key	(	const struct GNUNET_CRYPTO_EcdhePrivateKey *	pk,
		struct GNUNET_CRYPTO_EcdhePublicKey *	pub
	)

static

Definition at line 601 of file crypto_elligator.c.

{
  // eHigh
  // crypto_scalarmult_ed25519_base clamps the scalar pk->d and return only 0 if pk->d is zero
  unsigned char eHigh[crypto_scalarmult_SCALARBYTES] = {0};
  GNUNET_assert (0 == crypto_scalarmult_ed25519_base (eHigh, pk->d));
 
  // eLow: choose a random point of low order
  int sLow = (pk->d)[0] % 8;
  unsigned char eLow[crypto_scalarmult_SCALARBYTES] = {0};
  memcpy (eLow, lookupTable[sLow], crypto_scalarmult_SCALARBYTES);
 
  // eHigh + eLow
  unsigned char edPub[crypto_scalarmult_SCALARBYTES] = {0};
  if (crypto_core_ed25519_add (edPub, eLow, eHigh) == -1)
  {
    return GNUNET_SYSERR;
  }
 
  if (convert_from_ed_to_curve (pub->q_y, edPub) == false)
  {
    return GNUNET_SYSERR;
  }
  return GNUNET_OK;
}

References convert_from_ed_to_curve(), GNUNET_assert, GNUNET_OK, GNUNET_SYSERR, lookupTable, pk, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_key_get_public().

Here is the call graph for this function:

Here is the caller graph for this function:

Variable Documentation

◆ lookupTable

const uint8_t lookupTable[8][crypto_scalarmult_SCALARBYTES]

static

Definition at line 42 of file crypto_elligator.c.

Referenced by elligator_generate_public_key().

◆ p_bytes

const unsigned char p_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static

Initial value:

= {
  0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
}

Definition at line 98 of file crypto_elligator.c.

Referenced by __attribute__().

◆ negative_1_bytes

const unsigned char negative_1_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static

Initial value:

= {
  0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
}

Definition at line 105 of file crypto_elligator.c.

Referenced by __attribute__().

◆ negative_2_bytes

const unsigned char negative_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static

Initial value:

= {
  0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
}

Definition at line 112 of file crypto_elligator.c.

Referenced by __attribute__().

◆ divide_negative_1_2_bytes

const unsigned char divide_negative_1_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static

Initial value:

= {
  0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f
}

Definition at line 119 of file crypto_elligator.c.

Referenced by __attribute__().

◆ divide_plus_p_3_8_bytes

const unsigned char divide_plus_p_3_8_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static

Initial value:

= {
  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f
}

Definition at line 126 of file crypto_elligator.c.

Referenced by __attribute__().

◆ divide_minus_p_1_2_bytes

const unsigned char divide_minus_p_1_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static

Initial value:

= {
  0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f
}

Definition at line 133 of file crypto_elligator.c.

Referenced by __attribute__().

◆ square_root_negative_1_bytes

const unsigned char square_root_negative_1_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static

Initial value:

= {
  0xb0, 0xa0, 0x0e, 0x4a, 0x27, 0x1b, 0xee, 0xc4,
  0x78, 0xe4, 0x2f, 0xad, 0x06, 0x18, 0x43, 0x2f,
  0xa7, 0xd7, 0xfb, 0x3d, 0x99, 0x00, 0x4d, 0x2b,
  0x0b, 0xdf, 0xc1, 0x4f, 0x80, 0x24, 0x83, 0x2b
}

Definition at line 140 of file crypto_elligator.c.

Referenced by __attribute__().

◆ A_bytes

const unsigned char A_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static

Initial value:

= {
  0x06, 0x6d, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
}

Definition at line 147 of file crypto_elligator.c.

Referenced by __attribute__().

◆ negative_A_bytes

const unsigned char negative_A_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static

Initial value:

= {
  0xe7, 0x92, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
}

Definition at line 154 of file crypto_elligator.c.

Referenced by __attribute__().

◆ u_bytes

const unsigned char u_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static

Initial value:

= {
  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
}

Definition at line 161 of file crypto_elligator.c.

Referenced by __attribute__().

◆ inverted_u_bytes

const unsigned char inverted_u_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static

Initial value:

= {
  0xf7, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f
}

Definition at line 168 of file crypto_elligator.c.

Referenced by __attribute__().

◆ d_bytes

const unsigned char d_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]

static

Initial value:

= {
  0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
  0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
  0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
  0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
}

Definition at line 175 of file crypto_elligator.c.

Referenced by __attribute__().