From be2ca209fb9594c13db33d316036c264db43d3fa Mon Sep 17 00:00:00 2001 From: Loup Vaillant Date: Sun, 22 Mar 2020 19:54:00 +0100 Subject: [PATCH] Renamed Elligator2 functions --- src/monocypher.c | 20 ++++++++++---------- src/monocypher.h | 11 ++++++----- tests/test.c | 34 +++++++++++++++++----------------- 3 files changed, 33 insertions(+), 32 deletions(-) diff --git a/src/monocypher.c b/src/monocypher.c index 580a32e..128d5bb 100644 --- a/src/monocypher.c +++ b/src/monocypher.c @@ -2247,7 +2247,7 @@ static const fe A = {486662}; // u2 = w * -1 * -non_square * r^2 // u2 = w * non_square * r^2 // u2 = u -void crypto_elligator2_direct(uint8_t curve[32], const uint8_t hash[32]) +void crypto_hidden_to_curve(uint8_t curve[32], const uint8_t hidden[32]) { static const fe ufactor = { // -sqrt(-1) * 2 -1917299, 15887451, -18755900, -7000830, -24778944, @@ -2259,7 +2259,7 @@ void crypto_elligator2_direct(uint8_t curve[32], const uint8_t hash[32]) // Representatives are encoded in 254 bits. // The two most significant ones are random padding that must be ignored. u8 clamped[32]; - COPY(clamped, hash, 32); + COPY(clamped, hidden, 32); clamped[31] &= 0x3f; fe r, u, t1, t2, t3; @@ -2302,7 +2302,7 @@ void crypto_elligator2_direct(uint8_t curve[32], const uint8_t hash[32]) // // Note that to ensure the representative is fully random, we do *not* // clear the cofactor. It is otherwise compatible with X25519 (once -// converted with crypto_elligator2_direct()). +// converted with crypto_hidden_to_curve()). // // This compatibility was achieved by clamping the scalar, like we do // with regular X25519 key exchanges. The cost is a very small bias in @@ -2331,7 +2331,7 @@ void crypto_elligator2_direct(uint8_t curve[32], const uint8_t hash[32]) // discrete logarithm, which is conjecturally intractable). // // In practice, this means the bias is impossible to detect. -int crypto_elligator2_inverse(u8 hash[32], const u8 secret_key[32], u8 tweak) +int crypto_private_to_hidden(u8 hidden[32], const u8 secret_key[32], u8 tweak) { static const fe lop_x = { 21352778, 5345713, 4660180, -8347857, 24143090, @@ -2433,10 +2433,10 @@ int crypto_elligator2_inverse(u8 hash[32], const u8 secret_key[32], u8 tweak) fe_add (t1, t3, t3); fe_neg (t2, t3); fe_ccopy(t3, t2, fe_isodd(t1)); - fe_tobytes(hash, t3); + fe_tobytes(hidden, t3); // Pad with two random bits - hash[31] |= tweak & 0xc0; + hidden[31] |= tweak & 0xc0; WIPE_BUFFER(t1); WIPE_BUFFER(scalar); WIPE_BUFFER(t2); WIPE_CTX(&pk); @@ -2444,22 +2444,22 @@ int crypto_elligator2_inverse(u8 hash[32], const u8 secret_key[32], u8 tweak) return 0; } -void crypto_elligator2_key_pair(u8 hash[32], u8 secret_key[32], u8 seed[32]) +void crypto_hidden_key_pair(u8 hidden[32], u8 secret_key[32], u8 seed[32]) { u8 buf[64]; COPY(buf + 32, seed, 32); do { crypto_chacha20(buf, 0, 64, buf+32, zero); - } while(crypto_elligator2_inverse(buf+32, buf, buf[32])); + } while(crypto_private_to_hidden(buf+32, buf, buf[32])); // Note that buf[32] is not actually reused. Either we loop one // more time and buf[32] is used for the new seed, or we succeeded, // and buf[32] is used as a tweak parameter. // - // This is because the return value of crypto_elligator2_inverse() + // This is because the return value of crypto_private_to_hidden() // is independent from its tweak parameter. crypto_wipe(seed, 32); - COPY(hash , buf + 32, 32); + COPY(hidden , buf + 32, 32); COPY(secret_key, buf , 32); WIPE_BUFFER(buf); } diff --git a/src/monocypher.h b/src/monocypher.h index c90cd10..b03c2b6 100644 --- a/src/monocypher.h +++ b/src/monocypher.h @@ -254,11 +254,12 @@ void crypto_check_init_custom_hash(crypto_check_ctx_abstract *ctx, // Elligator 2 // ----------- -void crypto_elligator2_direct(uint8_t curve[32], const uint8_t hash[32]); -int crypto_elligator2_inverse(uint8_t hash[32], const uint8_t secret_key[32], - uint8_t tweak); -void crypto_elligator2_key_pair(uint8_t hash[32], uint8_t secret_key[32], - uint8_t seed[32]); +void crypto_hidden_to_curve(uint8_t curve[32], const uint8_t hidden[32]); +void crypto_hidden_key_pair(uint8_t hidden[32], uint8_t secret_key[32], + uint8_t seed[32]); +// Low level primitive +int crypto_private_to_hidden(uint8_t hidden[32], const uint8_t secret_key[32], + uint8_t tweak); //////////////////////////// /// Low level primitives /// diff --git a/tests/test.c b/tests/test.c index de2ffd2..28d1dc7 100644 --- a/tests/test.c +++ b/tests/test.c @@ -289,7 +289,7 @@ static int test_x25519() static void elligator_dir(const vector in[], vector *out) { - crypto_elligator2_direct(out->buf, in->buf); + crypto_hidden_to_curve(out->buf, in->buf); } static void elligator_inv(const vector in[], vector *out) @@ -297,7 +297,7 @@ static void elligator_inv(const vector in[], vector *out) const vector *sk = in; u8 tweak = in[1].buf[0]; u8 failure = in[2].buf[0]; - int check = crypto_elligator2_inverse(out->buf, sk->buf, tweak); + int check = crypto_private_to_hidden(out->buf, sk->buf, tweak); if ((u8)check != failure) { fprintf(stderr, "Elligator inverse map: failure mismatch\n"); } @@ -864,11 +864,11 @@ static int p_elligator_direct_msb() u8 r2[32]; memcpy(r2, r, 32); r2[31] = (r[31] & 0x3f) | 0x40; u8 r3[32]; memcpy(r3, r, 32); r3[31] = (r[31] & 0x3f) | 0x80; u8 r4[32]; memcpy(r4, r, 32); r4[31] = (r[31] & 0x3f) | 0xc0; - u8 u [32]; crypto_elligator2_direct(u , r ); - u8 u1[32]; crypto_elligator2_direct(u1, r1); - u8 u2[32]; crypto_elligator2_direct(u2, r2); - u8 u3[32]; crypto_elligator2_direct(u3, r3); - u8 u4[32]; crypto_elligator2_direct(u4, r4); + u8 u [32]; crypto_hidden_to_curve(u , r ); + u8 u1[32]; crypto_hidden_to_curve(u1, r1); + u8 u2[32]; crypto_hidden_to_curve(u2, r2); + u8 u3[32]; crypto_hidden_to_curve(u3, r3); + u8 u4[32]; crypto_hidden_to_curve(u4, r4); status |= memcmp(u, u1, 32); status |= memcmp(u, u2, 32); status |= memcmp(u, u3, 32); @@ -886,8 +886,8 @@ static int p_elligator_direct_overlap() u8 separate[32]; RANDOM_INPUT(r, 32); memcpy(overlapping + 31, r, 32); - crypto_elligator2_direct(overlapping + i, overlapping + 31); - crypto_elligator2_direct(separate, r); + crypto_hidden_to_curve(overlapping + i, overlapping + 31); + crypto_hidden_to_curve(separate, r); status |= memcmp(separate, overlapping + i, 32); } printf("%s: elligator direct (overlapping i/o)\n", @@ -904,8 +904,8 @@ static int p_elligator_inverse_overlap() RANDOM_INPUT(sk, 33); u8 tweak = sk[32]; memcpy(overlapping + 31, sk, 32); - int a = crypto_elligator2_inverse(overlapping+i, overlapping+31, tweak); - int b = crypto_elligator2_inverse(separate, sk, tweak); + int a = crypto_private_to_hidden(overlapping+i, overlapping+31, tweak); + int b = crypto_private_to_hidden(separate, sk, tweak); status |= a - b; if (a == 0) { // The buffers are the same only if written to to begin with @@ -925,10 +925,10 @@ static int p_elligator_x25519() RANDOM_INPUT(sk1, 32); RANDOM_INPUT(sk2, 32); u8 r[32]; - if (crypto_elligator2_inverse(r, sk1, i)) { + if (crypto_private_to_hidden(r, sk1, i)) { continue; } - u8 pkr[32]; crypto_elligator2_direct(pkr, r); + u8 pkr[32]; crypto_hidden_to_curve(pkr, r); u8 pk1[32]; crypto_x25519_public_key(pk1, sk1); u8 e1 [32]; crypto_x25519(e1, sk2, pk1); u8 e2 [32]; crypto_x25519(e2, sk2, pkr); @@ -946,8 +946,8 @@ static int p_elligator_key_pair() RANDOM_INPUT(seed, 32); RANDOM_INPUT(sk2 , 32); u8 r [32]; - u8 sk1[32]; crypto_elligator2_key_pair(r, sk1, seed); - u8 pkr[32]; crypto_elligator2_direct(pkr, r); + u8 sk1[32]; crypto_hidden_key_pair(r, sk1, seed); + u8 pkr[32]; crypto_hidden_to_curve(pkr, r); u8 pk1[32]; crypto_x25519_public_key(pk1, sk1); u8 e1 [32]; crypto_x25519(e1, sk2, pk1); u8 e2 [32]; crypto_x25519(e2, sk2, pkr); @@ -967,8 +967,8 @@ static int p_elligator_key_pair_overlap() RANDOM_INPUT(s1, 32); u8 *s2 = over + 63; memcpy(s2, s1, 32); - crypto_elligator2_key_pair(sep , sep + 32, s1); - crypto_elligator2_key_pair(over + i, over + i + 32, s2); + crypto_hidden_key_pair(sep , sep + 32, s1); + crypto_hidden_key_pair(over + i, over + i + 32, s2); status |= memcmp(sep, over + i, 64); } -- 2.47.3