From 491a0261ce9a52eabaf92f68d7ae5a70a9e46b37 Mon Sep 17 00:00:00 2001
From: Loup Vaillant <loup@loup-vaillant.fr>
Date: Tue, 24 Mar 2020 19:05:28 +0100
Subject: [PATCH] s/dangerous/dirty

Those functions are not that dangerous, and such a scary word
would send the wrong message.  The manual though will make clear
this is not for everyone
---
 src/monocypher.c    | 22 +++++++++++-----------
 src/monocypher.h    |  6 +++---
 tests/speed/speed.c |  8 ++++----
 tests/test.c        |  8 ++++----
 4 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/src/monocypher.c b/src/monocypher.c
index 3460b99..0d656b5 100644
--- a/src/monocypher.c
+++ b/src/monocypher.c
@@ -2235,9 +2235,9 @@ int crypto_check(const u8  signature[64],
     return crypto_check_final(actx);
 }
 
-/////////////////////////////////////////////////
-/// Dangerous ephemeral public key generation ///
-/////////////////////////////////////////////////
+/////////////////////////////////////////////
+/// Dirty ephemeral public key generation ///
+/////////////////////////////////////////////
 
 // Those functions generates a public key, *without* clearing the
 // cofactor.  Sending that key over the network leaks 3 bits of the
@@ -2295,7 +2295,7 @@ static void add_xl(u8 s[32], u8 x)
     }
 }
 
-// "Small" dangerous ephemeral key.
+// "Small" dirty ephemeral key.
 // Use if you need to shrink the size of the binary, and can tolerate a
 // slowdow by a factor of two (compared to the fast version)
 //
@@ -2306,14 +2306,14 @@ static void add_xl(u8 s[32], u8 x)
 //
 // Cofactor and main factor are combined into a single scalar, which is
 // then multiplied by a point of order 8*L (unlike the base point, which
-// has prime order).  That "dangerous" base point is the addition of the
+// has prime order).  That "dirty" base point is the addition of the
 // regular base point (9), and a point of order 8.
-void crypto_x25519_dangerous_small(u8 public_key[32], const u8 secret_key[32])
+void crypto_x25519_dirty_small(u8 public_key[32], const u8 secret_key[32])
 {
     // Base point of order 8*L
     // Raw scalar multiplication with it does not clear the cofactor,
     // and the resulting public key will reveal 3 bits of the scalar.
-    static const u8 dangerous_base_point[32] = {
+    static const u8 dirty_base_point[32] = {
         0x34, 0xfc, 0x6c, 0xb7, 0xc8, 0xde, 0x58, 0x97,
         0x77, 0x70, 0xd9, 0x52, 0x16, 0xcc, 0xdc, 0x6c,
         0x85, 0x90, 0xbe, 0xcd, 0x91, 0x9c, 0x07, 0x59,
@@ -2334,18 +2334,18 @@ void crypto_x25519_dangerous_small(u8 public_key[32], const u8 secret_key[32])
     //   combined = scalar + cofactor       (modulo 8*L)
     //   combined = scalar + (lsb * 5 * L)  (modulo 8*L)
     add_xl(scalar, secret_key[0] * 5);
-    scalarmult(public_key, scalar, dangerous_base_point, 256);
+    scalarmult(public_key, scalar, dirty_base_point, 256);
     WIPE_BUFFER(scalar);
 }
 
-// "Fast" dangerous ephemeral key
+// "Fast" dirty ephemeral key
 // We use this one by default.
 //
 // This version works by performing a regular scalar multiplication,
 // then add a low order point.  The scalar multiplication is done in
 // Edwards space for more speed (*2 compared to the "small" version).
 // The cost is a bigger binary programs that don't also sign messages.
-void crypto_x25519_dangerous_fast(u8 public_key[32], const u8 secret_key[32])
+void crypto_x25519_dirty_fast(u8 public_key[32], const u8 secret_key[32])
 {
     static const fe lop_x = {
         21352778, 5345713, 4660180, -8347857, 24143090,
@@ -2593,7 +2593,7 @@ void crypto_hidden_key_pair(u8 hidden[32], u8 secret_key[32], u8 seed[32])
     COPY(buf + 32, seed, 32);
     do {
         crypto_chacha20(buf, 0, 64, buf+32, zero);
-        crypto_x25519_dangerous_fast(pk, buf); // or the "small" version
+        crypto_x25519_dirty_fast(pk, buf); // or the "small" version
     } while(crypto_curve_to_hidden(buf+32, pk, buf[32]));
     // Note that the return value of crypto_private_to_hidden() is
     // independent from its tweak parameter.
diff --git a/src/monocypher.h b/src/monocypher.h
index ed1123c..2269bd6 100644
--- a/src/monocypher.h
+++ b/src/monocypher.h
@@ -335,10 +335,10 @@ void crypto_x25519(uint8_t       raw_shared_secret[32],
                    const uint8_t your_secret_key  [32],
                    const uint8_t their_public_key [32]);
 
-// "Dangerous" versions of x25519_public_key()
+// "Dirty" versions of x25519_public_key()
 // Only use to generate ephemeral keys you want to hide.
-void crypto_x25519_dangerous_small(uint8_t pk[32], const uint8_t sk[32]);
-void crypto_x25519_dangerous_fast (uint8_t pk[32], const uint8_t sk[32]);
+void crypto_x25519_dirty_small(uint8_t pk[32], const uint8_t sk[32]);
+void crypto_x25519_dirty_fast (uint8_t pk[32], const uint8_t sk[32]);
 
 // scalar division
 // ---------------
diff --git a/tests/speed/speed.c b/tests/speed/speed.c
index 258c37c..2254884 100644
--- a/tests/speed/speed.c
+++ b/tests/speed/speed.c
@@ -188,7 +188,7 @@ static u64 x25519_sp_fast(void)
 {
     RANDOM_INPUT(sk, 32);
     TIMING_START {
-        crypto_x25519_dangerous_fast(sk, sk);
+        crypto_x25519_dirty_fast(sk, sk);
     }
     TIMING_END;
 }
@@ -197,7 +197,7 @@ static u64 x25519_sp_small(void)
 {
     RANDOM_INPUT(sk, 32);
     TIMING_START {
-        crypto_x25519_dangerous_small(sk, sk);
+        crypto_x25519_dirty_small(sk, sk);
     }
     TIMING_END;
 }
@@ -214,8 +214,8 @@ int main()
     print("EdDSA(sign)         ",edDSA_sign()        ,"signatures per second");
     print("EdDSA(check)        ",edDSA_check()       ,"checks     per second");
     print("x25519 inverse      ",x25519_inverse()    ,"scalar inv per second");
-    print("x25519 special fast ",x25519_sp_fast()    ,"scalar inv per second");
-    print("x25519 special small",x25519_sp_small()    ,"scalar inv per second");
+    print("x25519 dirty fast   ",x25519_sp_fast()    ,"scalar inv per second");
+    print("x25519 dirty small  ",x25519_sp_small()    ,"scalar inv per second");
     printf("\n");
     return 0;
 }
diff --git a/tests/test.c b/tests/test.c
index f9181f6..a24ed31 100644
--- a/tests/test.c
+++ b/tests/test.c
@@ -927,9 +927,9 @@ static int p_elligator_x25519()
         // Maximise tweak diversity.
         // We want to set the bits 1 (sign) and 6-7 (padding)
         u8 tweak = (i & 1) + (i << 6);
-        // Both dangerous functions behave the same
-        u8 pks[32];  crypto_x25519_dangerous_small(pks, sk1);
-        u8 pkf[32];  crypto_x25519_dangerous_fast (pkf, sk1);
+        // Both dirty functions behave the same
+        u8 pks[32];  crypto_x25519_dirty_small(pks, sk1);
+        u8 pkf[32];  crypto_x25519_dirty_fast (pkf, sk1);
         status |= memcmp(pks, pkf, 32);
         u8 r[32];
         if (crypto_curve_to_hidden(r, pkf, tweak)) {
@@ -940,7 +940,7 @@ static int p_elligator_x25519()
         u8 pkr[32];  crypto_hidden_to_curve(pkr, r);
         status |= memcmp(pkr, pkf, 32);
 
-        // Dangerous and safe keys are compatible
+        // Dirty and safe keys are compatible
         u8 e1 [32];  crypto_x25519(e1, sk2, pk1);
         u8 e2 [32];  crypto_x25519(e2, sk2, pkr);
         status |= memcmp(e1, e2, 32);
-- 
2.47.3