GNUnet debian-0.24.3-29-g453fda2cf
 
Loading...
Searching...
No Matches
crypto_elligator.c File Reference
#include "platform.h"
#include "gnunet_common.h"
#include <gcrypt.h>
#include <sodium.h>
#include "gnunet_util_lib.h"
#include "benchmark.h"
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <gmp.h>
#include <limits.h>
Include dependency graph for crypto_elligator.c:

Go to the source code of this file.

Macros

#define P_BITS   (256)
 
#define P_BYTES   ((P_BITS + CHAR_BIT - 1) / CHAR_BIT)
 
#define P_LIMBS   ((P_BITS + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
 

Functions

static void decode_bytes (mp_limb_t *number, const uint8_t *bytes)
 This function decodes the byte buffer into the MPI limb.
 
static void encode_bytes (uint8_t *bytes, mp_limb_t *number)
 This function encodes the MPI limb into a byte buffer.
 
void GNUNET_CRYPTO_ecdhe_elligator_initialize (void)
 
void __attribute__ ((constructor))
 Initialize elligator scratch space.
 
static void least_square_root (mp_limb_t *root, const mp_limb_t *number, mp_limb_t *scratch_space)
 Calculates the root of a given number.
 
bool GNUNET_CRYPTO_ecdhe_elligator_encoding (uint8_t random_tweak, struct GNUNET_CRYPTO_ElligatorRepresentative *r, const struct GNUNET_CRYPTO_EcdhePublicKey *pub)
 Encodes a point on Curve25519 to a an element of the underlying finite field.
 
static bool elligator_direct_map (uint8_t *point, bool *high_y, uint8_t *representative)
 Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on that curve.
 
void GNUNET_CRYPTO_ecdhe_elligator_decoding (struct GNUNET_CRYPTO_EcdhePublicKey *point, bool *high_y, const struct GNUNET_CRYPTO_ElligatorRepresentative *representative)
 Clears the most significant bit and second most significant bit of the serialized representaive before applying elligator direct map.
 
static bool convert_from_ed_to_curve (uint8_t *point, const uint8_t *source)
 Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on that curve.
 
static enum GNUNET_GenericReturnValue elligator_generate_public_key (const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *pk, struct GNUNET_CRYPTO_EcdhePublicKey *pub)
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand (uint8_t random_tweak, const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, struct GNUNET_CRYPTO_EcdhePublicKey *pk, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
 Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point.
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_ecdhe_elligator_key_get_public (const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk, struct GNUNET_CRYPTO_EcdhePublicKey *pk, struct GNUNET_CRYPTO_ElligatorRepresentative *repr)
 Generates a valid public key for elligator's inverse map by adding a lower order point to a prime order point.
 
void GNUNET_CRYPTO_ecdhe_elligator_key_create (struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey *sk)
 Generates a private key for Curve25519.
 

Variables

static const uint8_t lookupTable [8][crypto_scalarmult_SCALARBYTES]
 
static const unsigned char p_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char negative_1_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char negative_2_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char divide_negative_1_2_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char divide_plus_p_3_8_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char divide_minus_p_1_2_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char square_root_negative_1_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char A_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char negative_A_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char u_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char inverted_u_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static const unsigned char d_bytes [(((256)+CHAR_BIT - 1)/CHAR_BIT)]
 
static mp_limb_t p [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t negative_1 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t negative_2 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t divide_negative_1_2 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t divide_plus_p_3_8 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t divide_minus_p_1_2 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t square_root_negative_1 [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t A [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t negative_A [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t u [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t inverted_u [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_limb_t d [(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
 
static mp_size_t scratch_space_length
 

Macro Definition Documentation

◆ P_BITS

#define P_BITS   (256)

Definition at line 92 of file crypto_elligator.c.

◆ P_BYTES

#define P_BYTES   ((P_BITS + CHAR_BIT - 1) / CHAR_BIT)

Definition at line 93 of file crypto_elligator.c.

◆ P_LIMBS

#define P_LIMBS   ((P_BITS + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)

Definition at line 94 of file crypto_elligator.c.

Function Documentation

◆ decode_bytes()

static void decode_bytes ( mp_limb_t *  number,
const uint8_t *  bytes 
)
static

This function decodes the byte buffer into the MPI limb.

Parameters
numberdecoded number
bytesinput bytes to decode into number

Definition at line 205 of file crypto_elligator.c.

206{
207 mp_limb_t scratch_space[1];
208
209 for (size_t i = 0; i < P_BYTES; ++i)
210 {
211 mpn_lshift (number, number, P_LIMBS, 8);
212 mpn_sec_add_1 (number, number, 1, bytes[P_BYTES - i - 1], scratch_space);
213 }
214}
#define P_BYTES
#define P_LIMBS
uint32_t number

References number, P_BYTES, and P_LIMBS.

Referenced by __attribute__(), convert_from_ed_to_curve(), elligator_direct_map(), and GNUNET_CRYPTO_ecdhe_elligator_encoding().

Here is the caller graph for this function:

◆ encode_bytes()

static void encode_bytes ( uint8_t *  bytes,
mp_limb_t *  number 
)
static

This function encodes the MPI limb into a byte buffer.

Parameters
bytesoutput bytes
numbernumber to encode

Definition at line 225 of file crypto_elligator.c.

226{
227 for (size_t i = 0; i < P_BYTES; ++i)
228 {
229 bytes[P_BYTES - i - 1] = mpn_lshift (number, number, P_LIMBS, 8);
230 }
231}

References number, P_BYTES, and P_LIMBS.

Referenced by convert_from_ed_to_curve(), elligator_direct_map(), and GNUNET_CRYPTO_ecdhe_elligator_encoding().

Here is the caller graph for this function:

◆ GNUNET_CRYPTO_ecdhe_elligator_initialize()

void GNUNET_CRYPTO_ecdhe_elligator_initialize ( void  )

◆ __attribute__()

void __attribute__ ( (constructor)  )

Initialize elligator scratch space.

Definition at line 239 of file crypto_elligator.c.

241{
242 static bool initialized = false;
243
244 mp_size_t scratch_space_lengths[] = {
245 // For least_square_root
246
247 mpn_sec_powm_itch (P_LIMBS, P_BITS - 1, P_LIMBS),
248 mpn_sec_sqr_itch (P_LIMBS),
249 mpn_sec_div_r_itch (P_LIMBS + P_LIMBS, P_LIMBS),
250 mpn_sec_sub_1_itch (P_LIMBS),
251 mpn_sec_mul_itch (P_LIMBS, P_LIMBS),
252
253 // For Elligator_2_Curve25519_encode
254
255 mpn_sec_powm_itch (P_LIMBS, P_BITS - 1, P_LIMBS),
256 mpn_sec_mul_itch (P_LIMBS, P_LIMBS),
257 mpn_sec_div_r_itch (P_LIMBS + P_LIMBS, P_LIMBS),
258 mpn_sec_sqr_itch (P_LIMBS),
259 mpn_sec_sub_1_itch (P_LIMBS),
260
261 // For Elligator_2_Curve25519_decode
262
263 mpn_sec_sqr_itch (P_LIMBS),
264 mpn_sec_div_r_itch (P_LIMBS + P_LIMBS, P_LIMBS),
265 mpn_sec_div_r_itch (P_LIMBS, P_LIMBS),
266 mpn_sec_mul_itch (P_LIMBS, P_LIMBS),
267 mpn_sec_add_1_itch (P_LIMBS),
268 mpn_sec_powm_itch (P_LIMBS, P_BITS - 1, P_LIMBS),
269
270 // For Elligator_2_Curve25519_convert_from_Ed25519
271 mpn_sec_sqr_itch (P_LIMBS),
272 mpn_sec_div_r_itch (P_LIMBS + P_LIMBS, P_LIMBS),
273 mpn_sec_mul_itch (P_LIMBS, P_LIMBS),
274 mpn_sec_add_1_itch (P_LIMBS),
275 mpn_sec_powm_itch (P_LIMBS, P_BITS - 1, P_LIMBS),
276 mpn_sec_sub_1_itch (P_LIMBS)
277 };
278
279 if (initialized)
280 {
281 return;
282 }
283
296
297
298 for (size_t i = 0; i < sizeof scratch_space_lengths
299 / sizeof *scratch_space_lengths; ++i)
300 {
301 if (scratch_space_lengths[i] > scratch_space_length)
302 {
303 scratch_space_length = scratch_space_lengths[i];
304 }
305 }
306
307 initialized = true;
308}
static void decode_bytes(mp_limb_t *number, const uint8_t *bytes)
This function decodes the byte buffer into the MPI limb.
static mp_limb_t divide_minus_p_1_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static mp_limb_t negative_A[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static mp_limb_t negative_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
#define P_BITS
static mp_limb_t square_root_negative_1[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static mp_limb_t p[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static const unsigned char divide_minus_p_1_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static const unsigned char negative_A_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static mp_limb_t d[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static const unsigned char u_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static const unsigned char p_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static const unsigned char negative_1_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static const unsigned char negative_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static mp_size_t scratch_space_length
static const unsigned char A_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static const unsigned char square_root_negative_1_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static const unsigned char d_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static mp_limb_t negative_1[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static const unsigned char divide_plus_p_3_8_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static const unsigned char divide_negative_1_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static mp_limb_t A[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static mp_limb_t inverted_u[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static mp_limb_t divide_plus_p_3_8[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static mp_limb_t u[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static const unsigned char inverted_u_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static mp_limb_t divide_negative_1_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static int initialized
Have we been initialized?
Definition plugin.c:57

References A, A_bytes, d, d_bytes, decode_bytes(), divide_minus_p_1_2, divide_minus_p_1_2_bytes, divide_negative_1_2, divide_negative_1_2_bytes, divide_plus_p_3_8, divide_plus_p_3_8_bytes, initialized, inverted_u, inverted_u_bytes, negative_1, negative_1_bytes, negative_2, negative_2_bytes, negative_A, negative_A_bytes, p, P_BITS, p_bytes, P_LIMBS, scratch_space_length, square_root_negative_1, square_root_negative_1_bytes, u, and u_bytes.

Here is the call graph for this function:

◆ least_square_root()

static void least_square_root ( mp_limb_t *  root,
const mp_limb_t *  number,
mp_limb_t *  scratch_space 
)
static

Calculates the root of a given number.

Returns trash if the number is a quadratic non-residue.

Parameters
rootstorage for calculated root
numbervalue for which the root is calculated
scratch_spacebuffer for calculation

Definition at line 320 of file crypto_elligator.c.

323{
324 mp_limb_t a[P_LIMBS + P_LIMBS];
325 mp_limb_t b[P_LIMBS];
326 mp_limb_t condition;
327
328 // root := number ^ ((p + 3) / 8)
329
330 mpn_add_n (b, number, p, P_LIMBS); // The next function requires a nonzero input
331 mpn_sec_powm (root, b, P_LIMBS, divide_plus_p_3_8, P_BITS - 1, p, P_LIMBS,
332 scratch_space);
333
334 // If root ^ 2 != number, root := root * square_root(-1)
335
336 mpn_sec_sqr (a, root, P_LIMBS, scratch_space);
337 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
338 mpn_sub_n (b, a, number, P_LIMBS);
339
340 condition = mpn_sec_sub_1 (b, b, P_LIMBS, 1, scratch_space) ^ 1;
341
342 mpn_sec_mul (a, root, P_LIMBS, square_root_negative_1, P_LIMBS,
343 scratch_space);
344 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
345
346 mpn_cnd_swap (condition, root, a, P_LIMBS);
347
348 // If root > (p - 1) / 2, root := -root
349
350 condition = mpn_sub_n (a, divide_minus_p_1_2, root, P_LIMBS);
351
352 mpn_sub_n (a, p, root, P_LIMBS); // If root = 0, a := p
353
354 mpn_cnd_swap (condition, root, a, P_LIMBS);
355}

References divide_minus_p_1_2, divide_plus_p_3_8, number, p, P_BITS, P_LIMBS, and square_root_negative_1.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_encoding().

Here is the caller graph for this function:

◆ elligator_direct_map()

static bool elligator_direct_map ( uint8_t *  point,
bool *  high_y,
uint8_t *  representative 
)
static

Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on that curve.

This function works deterministically. This step is also known as elligators "decoding" step. Taken from https://github.com/Kleshni/Elligator-2/blob/master/main.c.

Parameters
pointstorage for calculated point on Curve25519
high_yThe 'high_y' argument of the corresponding GNUNET_CRYPTO_ecdhe_elligator_encoding call
representativeGiven representative
Returns
'false' if extra step during direct map calculation is needed, otherwise 'true'

Definition at line 447 of file crypto_elligator.c.

450{
451 mp_limb_t scratch_space[scratch_space_length];
452
453 mp_limb_t a[P_LIMBS + P_LIMBS];
454 mp_limb_t b[P_LIMBS + P_LIMBS];
455 mp_limb_t c[P_LIMBS];
456 mp_limb_t e[P_LIMBS + P_LIMBS];
457 bool result;
458
459 // a := representative
460
461 decode_bytes (a, representative);
462
463 // Determine whether a < (p - 1) / 2
464
465 result = mpn_sub_n (b, divide_minus_p_1_2, a, P_LIMBS) ^ 1;
466
467 // b := -A / (1 + u * a ^ 2)
468
469 mpn_sec_sqr (b, a, P_LIMBS, scratch_space);
470 mpn_sec_div_r (b, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
471 mpn_sec_mul (a, u, P_LIMBS, b, P_LIMBS, scratch_space);
472 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
473 mpn_sec_add_1 (b, a, P_LIMBS, 1, scratch_space);
474 mpn_sec_powm (a, b, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
475 scratch_space);
476 mpn_sec_mul (b, a, P_LIMBS, negative_A, P_LIMBS, scratch_space);
477 mpn_sec_div_r (b, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
478
479 // a := b ^ 3 + A * b ^ 2 + b (with 1-bit overflow)
480
481 mpn_sec_sqr (a, b, P_LIMBS, scratch_space);
482 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
483 mpn_add_n (c, b, A, P_LIMBS);
484 mpn_sec_mul (e, c, P_LIMBS, a, P_LIMBS, scratch_space);
485 mpn_sec_div_r (e, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
486 mpn_add_n (a, e, b, P_LIMBS);
487
488 // If a is a quadratic residue modulo p, point := b and high_y := 1
489 // Otherwise point := -b - A and high_y := 0
490
491 mpn_sub_n (c, p, b, P_LIMBS);
492 mpn_add_n (c, c, negative_A, P_LIMBS);
493 mpn_sec_div_r (c, P_LIMBS, p, P_LIMBS, scratch_space);
494
495 mpn_sec_powm (e, a, P_LIMBS, divide_minus_p_1_2, P_BITS - 1, p, P_LIMBS,
496 scratch_space);
497 *high_y = mpn_sub_n (e, e, divide_minus_p_1_2, P_LIMBS);
498
499 mpn_cnd_swap (*high_y, b, c, P_LIMBS);
500
501 encode_bytes (point, c);
502
503 return result;
504}
static void encode_bytes(uint8_t *bytes, mp_limb_t *number)
This function encodes the MPI limb into a byte buffer.
static int result
Global testing status.

References A, decode_bytes(), divide_minus_p_1_2, encode_bytes(), negative_2, negative_A, p, P_BITS, P_LIMBS, result, scratch_space_length, and u.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_decoding().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ convert_from_ed_to_curve()

static bool convert_from_ed_to_curve ( uint8_t *  point,
const uint8_t *  source 
)
static

Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on that curve.

This function works deterministically. This step is also known as elligators "decoding" step. Taken from https://github.com/Kleshni/Elligator-2/blob/master/main.c.

Parameters
pointstorage for calculated point on Curve25519
sourceEd25519 curve point
Returns
'false' if source is not a valid Ed25519 point. In this case the 'point' array will be undefined but dependent on source.

Definition at line 542 of file crypto_elligator.c.

544{
545 mp_limb_t scratch_space[scratch_space_length];
546
547 mp_limb_t y[P_LIMBS];
548 mp_limb_t a[P_LIMBS + P_LIMBS];
549 mp_limb_t b[P_LIMBS + P_LIMBS];
550 mp_limb_t c[P_LIMBS + P_LIMBS];
551
552 uint8_t y_bytes[P_BYTES];
553 bool result;
554
555 memcpy (y_bytes, source, 31);
556
557 y_bytes[31] = source[31] & 0x7f;
558
559 decode_bytes (y, y_bytes);
560
561 // Check if y < p
562
563 result = mpn_sub_n (a, y, p, P_LIMBS);
564
565 // a := (y ^ 2 - 1) / (1 + d * y ^ 2)
566
567 mpn_sec_sqr (a, y, P_LIMBS, scratch_space);
568 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
569 mpn_sec_mul (b, a, P_LIMBS, d, P_LIMBS, scratch_space);
570 mpn_sec_add_1 (b, b, P_LIMBS, 1, scratch_space);
571 mpn_sec_div_r (b, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
572 mpn_sec_powm (c, b, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
573 scratch_space);
574 mpn_add_n (b, a, negative_1, P_LIMBS);
575 mpn_sec_mul (a, b, P_LIMBS, c, P_LIMBS, scratch_space);
576 mpn_sec_div_r (a, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
577
578 // Check, whether a is a square modulo p (including a = 0)
579
580 mpn_add_n (a, a, p, P_LIMBS);
581 mpn_sec_powm (b, a, P_LIMBS, divide_negative_1_2, P_BITS - 1, p, P_LIMBS,
582 scratch_space);
583
584 result &= mpn_sub_n (c, b, divide_minus_p_1_2, P_LIMBS);
585
586 // If a = p, the parity bit must be 0
587
588 mpn_sub_n (a, a, p, P_LIMBS);
589
590 result ^= mpn_sec_sub_1 (a, a, P_LIMBS, 1, scratch_space) & source[31] >> 7;
591
592 // If y != 1, c := (1 + y) / (1 - y), otherwise c := 0
593
594 mpn_sub_n (a, p, y, P_LIMBS);
595 mpn_sec_add_1 (a, a, P_LIMBS, 1, scratch_space);
596 mpn_sec_powm (b, a, P_LIMBS, negative_2, P_BITS - 1, p, P_LIMBS,
597 scratch_space);
598 mpn_sec_add_1 (a, y, P_LIMBS, 1, scratch_space);
599 mpn_sec_mul (c, a, P_LIMBS, b, P_LIMBS, scratch_space);
600 mpn_sec_div_r (c, P_LIMBS + P_LIMBS, p, P_LIMBS, scratch_space);
601
602 encode_bytes (point, c);
603
604 return result;
605}
static GstElement * source
Appsrc instance into which we write data for the pipeline.

References d, decode_bytes(), divide_minus_p_1_2, divide_negative_1_2, encode_bytes(), negative_1, negative_2, p, P_BITS, P_BYTES, P_LIMBS, result, scratch_space_length, and source.

Referenced by elligator_generate_public_key().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ elligator_generate_public_key()

static enum GNUNET_GenericReturnValue elligator_generate_public_key ( const struct GNUNET_CRYPTO_ElligatorEcdhePrivateKey pk,
struct GNUNET_CRYPTO_EcdhePublicKey pub 
)
static

Definition at line 609 of file crypto_elligator.c.

612{
613 // eHigh
614 // crypto_scalarmult_ed25519_base clamps the scalar pk->d and return only 0 if pk->d is zero
615 unsigned char eHigh[crypto_scalarmult_SCALARBYTES] = {0};
616 int sLow = (pk->d)[0] % 8;
617 unsigned char eLow[crypto_scalarmult_SCALARBYTES] = {0};
618 unsigned char edPub[crypto_scalarmult_SCALARBYTES] = {0};
619 GNUNET_assert (0 == crypto_scalarmult_ed25519_base (eHigh, pk->d));
620
621 // eLow: choose a random point of low order
622 memcpy (eLow, lookupTable[sLow], crypto_scalarmult_SCALARBYTES);
623
624 // eHigh + eLow
625 if (crypto_core_ed25519_add (edPub, eLow, eHigh) == -1)
626 {
627 return GNUNET_SYSERR;
628 }
629
630 if (convert_from_ed_to_curve (pub->q_y, edPub) == false)
631 {
632 return GNUNET_SYSERR;
633 }
634 return GNUNET_OK;
635}
static const uint8_t lookupTable[8][crypto_scalarmult_SCALARBYTES]
static bool convert_from_ed_to_curve(uint8_t *point, const uint8_t *source)
Takes a number of the underlying finite field of Curve25519 and projects it into a valid point on tha...
struct GNUNET_CRYPTO_PrivateKey pk
Private key from command line option, or NULL.
static struct GNUNET_CRYPTO_EddsaPublicKey pub
@ GNUNET_OK
@ GNUNET_SYSERR
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
unsigned char q_y[256/8]
Point Q consists of a y-value mod p (256 bits); the x-value is always positive.

References convert_from_ed_to_curve(), GNUNET_assert, GNUNET_OK, GNUNET_SYSERR, lookupTable, pk, pub, and GNUNET_CRYPTO_EddsaPublicKey::q_y.

Referenced by GNUNET_CRYPTO_ecdhe_elligator_key_get_public_norand().

Here is the call graph for this function:
Here is the caller graph for this function:

Variable Documentation

◆ lookupTable

const uint8_t lookupTable[8][crypto_scalarmult_SCALARBYTES]
static

Definition at line 42 of file crypto_elligator.c.

42 {
43 {
44 0x26, 0xE8, 0x95, 0x8F, 0xC2, 0xB2, 0x27, 0xB0,
45 0x45, 0xC3, 0xF4, 0x89, 0xF2, 0xEF, 0x98, 0xF0,
46 0xD5, 0xDF, 0xAC, 0x05, 0xD3, 0xC6, 0x33, 0x39,
47 0xB1, 0x38, 0x02, 0x88, 0x6D, 0x53, 0xFC, 0x05
48 },
49 {
50 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
51 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
52 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
53 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
54 },
55 {
56 0xC7, 0x17, 0x6A, 0x70, 0x3D, 0x4D, 0xD8, 0x4F,
57 0xBA, 0x3C, 0x0B, 0x76, 0x0D, 0x10, 0x67, 0x0F,
58 0x2A, 0x20, 0x53, 0xFA, 0x2C, 0x39, 0xCC, 0xC6,
59 0x4E, 0xC7, 0xFD, 0x77, 0x92, 0xAC, 0x03, 0x7A
60 },
61 {
62 0xEC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
63 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
64 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
65 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F
66 }, {
67 0xC7, 0x17, 0x6A, 0x70, 0x3D, 0x4D, 0xD8, 0x4F,
68 0xBA, 0x3C, 0x0B, 0x76, 0x0D, 0x10, 0x67, 0x0F,
69 0x2A, 0x20, 0x53, 0xFA, 0x2C, 0x39, 0xCC, 0xC6,
70 0x4E, 0xC7, 0xFD, 0x77, 0x92, 0xAC, 0x03, 0xFA
71 }, {
72 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
73 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
74 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
75 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80
76 }, {
77 0x26, 0xE8, 0x95, 0x8F, 0xC2, 0xB2, 0x27, 0xB0,
78 0x45, 0xC3, 0xF4, 0x89, 0xF2, 0xEF, 0x98, 0xF0,
79 0xD5, 0xDF, 0xAC, 0x05, 0xD3, 0xC6, 0x33, 0x39,
80 0xB1, 0x38, 0x02, 0x88, 0x6D, 0x53, 0xFC, 0x85
81 },{
82 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
83 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
84 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
85 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
86 }
87};

Referenced by elligator_generate_public_key().

◆ p_bytes

const unsigned char p_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
}

Definition at line 98 of file crypto_elligator.c.

98 {
99 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
100 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
101 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
102 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
103};

Referenced by __attribute__().

◆ negative_1_bytes

const unsigned char negative_1_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
}

Definition at line 105 of file crypto_elligator.c.

105 {
106 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
107 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
108 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
109 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
110};

Referenced by __attribute__().

◆ negative_2_bytes

const unsigned char negative_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
}

Definition at line 112 of file crypto_elligator.c.

112 {
113 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
114 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
115 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
116 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
117};

Referenced by __attribute__().

◆ divide_negative_1_2_bytes

const unsigned char divide_negative_1_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f
}

Definition at line 119 of file crypto_elligator.c.

119 {
120 0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
121 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
122 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
123 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f
124};

Referenced by __attribute__().

◆ divide_plus_p_3_8_bytes

const unsigned char divide_plus_p_3_8_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f
}

Definition at line 126 of file crypto_elligator.c.

126 {
127 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
128 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
129 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f
131};

Referenced by __attribute__().

◆ divide_minus_p_1_2_bytes

const unsigned char divide_minus_p_1_2_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f
}

Definition at line 133 of file crypto_elligator.c.

133 {
134 0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
135 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
136 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
137 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f
138};

Referenced by __attribute__().

◆ square_root_negative_1_bytes

const unsigned char square_root_negative_1_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xb0, 0xa0, 0x0e, 0x4a, 0x27, 0x1b, 0xee, 0xc4,
0x78, 0xe4, 0x2f, 0xad, 0x06, 0x18, 0x43, 0x2f,
0xa7, 0xd7, 0xfb, 0x3d, 0x99, 0x00, 0x4d, 0x2b,
0x0b, 0xdf, 0xc1, 0x4f, 0x80, 0x24, 0x83, 0x2b
}

Definition at line 140 of file crypto_elligator.c.

140 {
141 0xb0, 0xa0, 0x0e, 0x4a, 0x27, 0x1b, 0xee, 0xc4,
142 0x78, 0xe4, 0x2f, 0xad, 0x06, 0x18, 0x43, 0x2f,
143 0xa7, 0xd7, 0xfb, 0x3d, 0x99, 0x00, 0x4d, 0x2b,
144 0x0b, 0xdf, 0xc1, 0x4f, 0x80, 0x24, 0x83, 0x2b
145};

Referenced by __attribute__().

◆ A_bytes

const unsigned char A_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0x06, 0x6d, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
}

Definition at line 147 of file crypto_elligator.c.

147 {
148 0x06, 0x6d, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00,
149 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
150 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
151 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
152};

Referenced by __attribute__().

◆ negative_A_bytes

const unsigned char negative_A_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xe7, 0x92, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
}

Definition at line 154 of file crypto_elligator.c.

154 {
155 0xe7, 0x92, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
156 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
157 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
158 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
159};

Referenced by __attribute__().

◆ u_bytes

const unsigned char u_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
}

Definition at line 161 of file crypto_elligator.c.

161 {
162 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
164 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
165 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
166};

Referenced by __attribute__().

◆ inverted_u_bytes

const unsigned char inverted_u_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xf7, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f
}

Definition at line 168 of file crypto_elligator.c.

168 {
169 0xf7, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
170 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
171 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
172 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f
173};

Referenced by __attribute__().

◆ d_bytes

const unsigned char d_bytes[(((256)+CHAR_BIT - 1)/CHAR_BIT)]
static
Initial value:
= {
0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
}

Definition at line 175 of file crypto_elligator.c.

175 {
176 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
177 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
178 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
179 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
180};

Referenced by __attribute__().

◆ p

mp_limb_t p[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

◆ negative_1

mp_limb_t negative_1[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 183 of file crypto_elligator.c.

Referenced by __attribute__(), and convert_from_ed_to_curve().

◆ negative_2

mp_limb_t negative_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

◆ divide_negative_1_2

mp_limb_t divide_negative_1_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 185 of file crypto_elligator.c.

Referenced by __attribute__(), and convert_from_ed_to_curve().

◆ divide_plus_p_3_8

mp_limb_t divide_plus_p_3_8[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 186 of file crypto_elligator.c.

Referenced by __attribute__(), and least_square_root().

◆ divide_minus_p_1_2

mp_limb_t divide_minus_p_1_2[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

◆ square_root_negative_1

mp_limb_t square_root_negative_1[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 188 of file crypto_elligator.c.

Referenced by __attribute__(), and least_square_root().

◆ A

mp_limb_t A[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

◆ negative_A

mp_limb_t negative_A[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 190 of file crypto_elligator.c.

Referenced by __attribute__(), and elligator_direct_map().

◆ u

◆ inverted_u

mp_limb_t inverted_u[(((256)+GMP_NUMB_BITS - 1)/GMP_NUMB_BITS)]
static

Definition at line 192 of file crypto_elligator.c.

Referenced by __attribute__(), and GNUNET_CRYPTO_ecdhe_elligator_encoding().

◆ d

◆ scratch_space_length

mp_size_t scratch_space_length
static