2014-08-31 19:39:43 -04:00
# Copyright 2014, The Tor Project, Inc
# See LICENSE for licensing information
Reference implementations for the ed25519 tweaks that Tor uses.
Includes self-tester and test vector generator.
2014-08-31 19:45:56 -04:00
import slow_ed25519
2014-08-31 19:39:43 -04:00
from slow_ed25519 import *
import os
import random
import slownacl_curve25519
import unittest
import binascii
#define a synonym that doesn't look like 1
ell = l
# This replaces expmod above and makes it go a lot faster.
2014-08-31 19:45:56 -04:00
slow_ed25519.expmod = pow
2014-08-31 19:39:43 -04:00
def curve25519ToEd25519(c, sign):
u = decodeint(c)
y = ((u - 1) * inv(u + 1)) % q
x = xrecover(y)
if x & 1 != sign: x = q-x
return encodepoint([x,y])
def blindESK(esk, param):
h = H("Derive temporary signing key" + param)
mult = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
s = decodeint(esk[:32])
s_prime = (s * mult) % ell
k = esk[32:]
assert(len(k) == 32)
k_prime = H("Derive temporary signing key hash input" + k)[:32]
return encodeint(s_prime) + k_prime
def blindPK(pk, param):
h = H("Derive temporary signing key" + param)
mult = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
P = decodepoint(pk)
return encodepoint(scalarmult(P, mult))
def expandSK(sk):
h = H(sk)
a = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
k = ''.join([h[i] for i in range(b/8,b/4)])
assert len(k) == 32
return encodeint(a)+k
def publickeyFromESK(h):
a = decodeint(h[:32])
A = scalarmult(B,a)
return encodepoint(A)
def signatureWithESK(m,h,pk):
a = decodeint(h[:32])
r = Hint(''.join([h[i] for i in range(b/8,b/4)]) + m)
R = scalarmult(B,r)
S = (r + Hint(encodepoint(R) + pk + m) * a) % l
return encodepoint(R) + encodeint(S)
def newSK():
return os.urandom(32)
# ------------------------------------------------------------
MSG = "This is extremely silly. But it is also incredibly serious business!"
class SelfTest(unittest.TestCase):
def _testSignatures(self, esk, pk):
sig = signatureWithESK(MSG, esk, pk)
checkvalid(sig, MSG, pk)
bad = False
checkvalid(sig, MSG*2, pk)
bad = True
except Exception:
def testExpand(self):
sk = newSK()
pk = publickey(sk)
esk = expandSK(sk)
sig1 = signature(MSG, sk, pk)
sig2 = signatureWithESK(MSG, esk, pk)
self.assertEquals(sig1, sig2)
def testSignatures(self):
sk = newSK()
esk = expandSK(sk)
pk = publickeyFromESK(esk)
pk2 = publickey(sk)
self.assertEquals(pk, pk2)
self._testSignatures(esk, pk)
def testDerivation(self):
priv = slownacl_curve25519.Private()
pub = priv.get_public()
ed_pub0 = publickeyFromESK(priv.private)
sign = (ord(ed_pub0[31]) & 255) >> 7
ed_pub1 = curve25519ToEd25519(pub.public, sign)
self.assertEquals(ed_pub0, ed_pub1)
def testBlinding(self):
sk = newSK()
esk = expandSK(sk)
pk = publickeyFromESK(esk)
param = os.urandom(32)
besk = blindESK(esk, param)
bpk = blindPK(pk, param)
bpk2 = publickeyFromESK(besk)
self.assertEquals(bpk, bpk2)
self._testSignatures(besk, bpk)
# ------------------------------------------------------------
# From pprint.pprint([ binascii.b2a_hex(os.urandom(32)) for _ in xrange(8) ])
# From pprint.pprint([ binascii.b2a_hex(os.urandom(16)) for _ in xrange(8) ])
PREFIX = "ED25519_"
def writeArray(name, array):
print "static const char *{prefix}{name}[] = {{".format(
for a in array:
h = binascii.b2a_hex(a)
if len(h) > 70:
h1 = h[:70]
h2 = h[70:]
print ' "{0}"\n "{1}",'.format(h1,h2)
print ' "{0}",'.format(h)
print "};\n"
def makeTestVectors():
secretKeys = [ binascii.a2b_hex(r) for r in RAND_INPUTS ]
writeArray("SECRET_KEYS", secretKeys)
expandedSecretKeys = [ expandSK(sk) for sk in secretKeys ]
writeArray("EXPANDED_SECRET_KEYS", expandedSecretKeys)
publicKeys = [ publickey(sk) for sk in secretKeys ]
writeArray("PUBLIC_KEYS", publicKeys)
for sk in expandedSecretKeys))
blindingParams = [ binascii.a2b_hex(r) for r in BLINDING_PARAMS ]
writeArray("BLINDING_PARAMS", blindingParams)
(blindESK(expandSK(sk), bp)
for sk,bp in zip(secretKeys,blindingParams)))
(blindPK(pk, bp) for pk,bp in zip(publicKeys,blindingParams)))
(signature(pk, sk, pk) for pk,sk in zip(publicKeys,secretKeys)))
if __name__ == '__main__':
import sys
if len(sys.argv) == 1 or sys.argv[1] not in ("SelfTest", "MakeVectors"):
print "You should specify one of 'SelfTest' or 'MakeVectors'"
if sys.argv[1] == 'SelfTest':