// private key. Use only to generate ephemeral keys that will be hidden
// with crypto_curve_to_hidden().
//
-// The public key is otherwise compatible with crypto_x25519() and
-// crypto_key_exchange() (those properly clear the cofactor).
+// The public key is otherwise compatible with crypto_x25519(), which
+// properly clears the cofactor.
//
// Note that the distribution of the resulting public keys is almost
// uniform. Flipping the sign of the v coordinate (not provided by this
WIPE_BUFFER(pk);
}
-////////////////////
-/// Key exchange ///
-////////////////////
-void crypto_key_exchange(u8 shared_key[32],
- const u8 your_secret_key [32],
- const u8 their_public_key[32])
-{
- crypto_x25519(shared_key, your_secret_key, their_public_key);
- crypto_hchacha20(shared_key, shared_key, zero);
-}
-
///////////////////////
/// Scalar division ///
///////////////////////
const uint8_t *key, uint32_t key_size,
const uint8_t *ad, uint32_t ad_size);
+// Key exchange (X-25519)
+// ----------------------
+
+// Shared secrets are not quite random.
+// Hash them to derive an actual shared key.
+void crypto_x25519_public_key(uint8_t public_key[32],
+ const uint8_t secret_key[32]);
+void crypto_x25519(uint8_t raw_shared_secret[32],
+ const uint8_t your_secret_key [32],
+ const uint8_t their_public_key [32]);
-// Key exchange (x25519 + HChacha20)
-// ---------------------------------
-#define crypto_key_exchange_public_key crypto_x25519_public_key
-void crypto_key_exchange(uint8_t shared_key [32],
- const uint8_t your_secret_key [32],
- const uint8_t their_public_key[32]);
// Signatures (EdDSA with curve25519 + BLAKE2b)
void crypto_poly1305_final (crypto_poly1305_ctx *ctx, uint8_t mac[16]);
-// X-25519
-// -------
-
-// Shared secrets are not quite random.
-// Hash them to derive an actual shared key.
-void crypto_x25519_public_key(uint8_t public_key[32],
- const uint8_t secret_key[32]);
-void crypto_x25519(uint8_t raw_shared_secret[32],
- const uint8_t your_secret_key [32],
- const uint8_t their_public_key [32]);
+// X-25519 extras
+// --------------
// "Dirty" versions of x25519_public_key()
// Only use to generate ephemeral keys you want to hide.
const uint8_t private_key[32],
const uint8_t curve_point[32]);
-// EdDSA
-// -----
+// EdDSA building blocks
+// ---------------------
void crypto_eddsa_trim_scalar(uint8_t out[32], const uint8_t in[32]);
void crypto_eddsa_reduce(uint8_t reduced[32], const uint8_t expanded[64]);
void crypto_eddsa_mul_add(uint8_t r[32],
.PHONY: all clean
-VEC = chacha20 hchacha20 xchacha20 ietf_chacha20 aead_ietf \
- poly1305 blake2b sha512 hmac_sha512 argon2i \
- edDSA edDSA_pk ed_25519 ed_25519_pk ed_25519_check \
- x25519 x25519_pk key_exchange elligator_inv elligator_dir
+VEC = chacha20 hchacha20 xchacha20 ietf_chacha20 aead_ietf \
+ poly1305 blake2b sha512 hmac_sha512 argon2i \
+ edDSA edDSA_pk ed_25519 ed_25519_pk ed_25519_check \
+ x25519 x25519_pk elligator_inv elligator_dir
VEC2 = $(patsubst %, %.all.vec, $(VEC))
HEADERS = $(patsubst %, %.h.vec , $(VEC))
VECTORS = ../vectors.h
ed_25519.all.vec : ed_25519.vec
ed_25519_pk.all.vec : ed_25519_pk.vec
ed_25519_check.all.vec: vectors/ed_25519_check
-key_exchange.all.vec : vectors/key_exchange
elligator_dir.all.vec : elligator_dir.vec vectors/elligator_dir
elligator_inv.all.vec : elligator_inv.vec vectors/elligator_inv
$(VEC2):
+++ /dev/null
-a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4:
-e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c:
-c7328db7e9756741bf3eb4f082c5bc57c58c77a5be31df0a02340cf235f81828:
-
-4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d:
-e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a493:
-85041b68835411fbec93a848d3f97816c28b4a778f8e4793bb6b68b8573cbe2d:
-
-77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a:
-de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f:
-8e47ca376bdc7e59d2ced8107ceb2c27f4a80e8575f996baffb1a869ffcd5179:
-
-5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb:
-8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a:
-8e47ca376bdc7e59d2ced8107ceb2c27f4a80e8575f996baffb1a869ffcd5179:
-
-0900000000000000000000000000000000000000000000000000000000000000:
-0900000000000000000000000000000000000000000000000000000000000000:
-a60c2a7a4be7a39b1208f7cb7305c0caa711174f425d932b86b201896251f452:
crypto_x25519_public_key(out.buf, in.buf);
}
-static void key_exchange(vector_reader *reader)
-{
- vector secret_key = next_input(reader);
- vector public_key = next_input(reader);
- vector out = next_output(reader);
- crypto_key_exchange(out.buf, secret_key.buf, public_key.buf);
-}
-
static void edDSA(vector_reader *reader)
{
vector secret_k = next_input(reader);
return status;
}
-// Tests that the shared key and secret key buffers of
-// crypto_key_exchange can overlap.
-static int p_key_exchange_overlap()
-{
- int status = 0;
- FOR (i, 0, 62) {
- u8 overlapping[94];
- u8 separate[32];
- RANDOM_INPUT(sk, 32);
- RANDOM_INPUT(pk, 32);
- memcpy(overlapping + 31, sk, 32);
- crypto_key_exchange(overlapping + i, overlapping + 31, pk);
- crypto_key_exchange(separate, sk, pk);
- status |= memcmp(separate, overlapping + i, 32);
- }
- printf("%s: key_exchange (overlapping i/o)\n", status != 0 ? "FAILED":"OK");
- return status;
-}
-
static int p_eddsa_roundtrip()
{
#define MESSAGE_SIZE 30
status |= TEST(argon2i);
status |= TEST(x25519);
status |= TEST(x25519_pk);
- status |= TEST(key_exchange);
status |= TEST(edDSA);
status |= TEST(edDSA_pk);
status |= TEST(ed_25519);
status |= p_argon2i_easy();
status |= p_argon2i_overlap();
status |= p_x25519_overlap();
- status |= p_key_exchange_overlap();
status |= p_eddsa_roundtrip();
status |= p_eddsa_random();
status |= p_eddsa_overlap();
"ff",
};
static size_t nb_ed_25519_check_vectors=12;
-static const char *key_exchange_vectors[]={
- "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a",
- "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f",
- "8e47ca376bdc7e59d2ced8107ceb2c27f4a80e8575f996baffb1a869ffcd5179",
+static const char *x25519_vectors[]={
+ "e4e4c4054fe35a75d9c0f679ad8770d8227e68e4c1e68ce67ee88e6be251a207",
+ "6531e5010ab797ec0dc3c7038a94cbfcbb8ff1d1aad061b802b3c3232a42b352",
+ "600e94ef1d60878dd40c330704b7648bdd32901bbfdbdef0e59e600229384642",
};
-static size_t nb_key_exchange_vectors=3;
+static size_t nb_x25519_vectors=3;
static const char *elligator_inv_vectors[]={
"2920d46f2f37b04d00ff73df4115fda3876810c2144e94a7e6d0c09290ff7359",
"d5",
free(work_area);
}
-static void key_exchange(vector_reader *reader)
+static void x25519(vector_reader *reader)
{
- vector secret_key = next_input(reader);
- vector public_key = next_input(reader);
- vector out = next_output(reader);
- crypto_key_exchange(out.buf, secret_key.buf, public_key.buf);
+ vector scalar = next_input(reader);
+ vector point = next_input(reader);
+ vector out = next_output(reader);
+ crypto_x25519(out.buf, scalar.buf, point.buf);
}
static void edDSA(vector_reader *reader)
//@ ensures \result == 0;
TEST(argon2i)
//@ ensures \result == 0;
-TEST(key_exchange)
+TEST(x25519)
//@ ensures \result == 0;
TEST(edDSA)
//@ ensures \result == 0;
status |= v_sha512 ();
status |= v_hmac_sha512 ();
status |= v_argon2i ();
- status |= v_key_exchange ();
+ status |= v_x25519 ();
status |= v_edDSA ();
status |= v_ed_25519 ();
status |= v_ed_25519_check();
projects / Monocypher.git / commitdiff