danicoin/src/crypto/crypto.cpp

444 lines
18 KiB
C++
Raw Normal View History

2015-07-15 12:23:00 +00:00
// Copyright (c) 2012-2015, The CryptoNote developers, The Bytecoin developers
//
// This file is part of Bytecoin.
//
// Bytecoin is free software: you can redistribute it and/or modify
// it under the terms of the GNU Lesser General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Bytecoin is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public License
// along with Bytecoin. If not, see <http://www.gnu.org/licenses/>.
2013-11-14 22:28:17 +00:00
#include <alloca.h>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <memory>
2014-03-03 22:07:58 +00:00
#include <mutex>
2013-11-14 22:28:17 +00:00
2015-07-30 15:22:07 +00:00
#include "Common/Varint.h"
2013-11-14 22:28:17 +00:00
#include "crypto.h"
2014-03-03 22:07:58 +00:00
#include "hash.h"
2013-11-14 22:28:17 +00:00
2015-07-30 15:22:07 +00:00
namespace Crypto {
2013-11-14 22:28:17 +00:00
using std::abort;
using std::int32_t;
2014-03-03 22:07:58 +00:00
using std::lock_guard;
using std::mutex;
2013-11-14 22:28:17 +00:00
extern "C" {
#include "crypto-ops.h"
2014-03-03 22:07:58 +00:00
#include "random.h"
2013-11-14 22:28:17 +00:00
}
2014-03-03 22:07:58 +00:00
mutex random_lock;
2015-07-30 15:22:07 +00:00
static inline void random_scalar(EllipticCurveScalar &res) {
2013-11-14 22:28:17 +00:00
unsigned char tmp[64];
generate_random_bytes(64, tmp);
sc_reduce(tmp);
memcpy(&res, tmp, 32);
}
2015-07-30 15:22:07 +00:00
static inline void hash_to_scalar(const void *data, size_t length, EllipticCurveScalar &res) {
cn_fast_hash(data, length, reinterpret_cast<Hash &>(res));
sc_reduce32(reinterpret_cast<unsigned char*>(&res));
2013-11-14 22:28:17 +00:00
}
2015-07-30 15:22:07 +00:00
void crypto_ops::generate_keys(PublicKey &pub, SecretKey &sec) {
2014-03-03 22:07:58 +00:00
lock_guard<mutex> lock(random_lock);
2013-11-14 22:28:17 +00:00
ge_p3 point;
2015-07-30 15:22:07 +00:00
random_scalar(reinterpret_cast<EllipticCurveScalar&>(sec));
ge_scalarmult_base(&point, reinterpret_cast<unsigned char*>(&sec));
ge_p3_tobytes(reinterpret_cast<unsigned char*>(&pub), &point);
2013-11-14 22:28:17 +00:00
}
2015-07-30 15:22:07 +00:00
bool crypto_ops::check_key(const PublicKey &key) {
2013-11-14 22:28:17 +00:00
ge_p3 point;
2015-07-30 15:22:07 +00:00
return ge_frombytes_vartime(&point, reinterpret_cast<const unsigned char*>(&key)) == 0;
2013-11-14 22:28:17 +00:00
}
2015-07-30 15:22:07 +00:00
bool crypto_ops::secret_key_to_public_key(const SecretKey &sec, PublicKey &pub) {
2014-03-03 22:07:58 +00:00
ge_p3 point;
2015-07-30 15:22:07 +00:00
if (sc_check(reinterpret_cast<const unsigned char*>(&sec)) != 0) {
2014-03-03 22:07:58 +00:00
return false;
}
2015-07-30 15:22:07 +00:00
ge_scalarmult_base(&point, reinterpret_cast<const unsigned char*>(&sec));
ge_p3_tobytes(reinterpret_cast<unsigned char*>(&pub), &point);
2014-03-03 22:07:58 +00:00
return true;
}
2015-07-30 15:22:07 +00:00
bool crypto_ops::generate_key_derivation(const PublicKey &key1, const SecretKey &key2, KeyDerivation &derivation) {
2014-03-03 22:07:58 +00:00
ge_p3 point;
ge_p2 point2;
ge_p1p1 point3;
2015-07-30 15:22:07 +00:00
assert(sc_check(reinterpret_cast<const unsigned char*>(&key2)) == 0);
if (ge_frombytes_vartime(&point, reinterpret_cast<const unsigned char*>(&key1)) != 0) {
2014-03-03 22:07:58 +00:00
return false;
}
2015-07-30 15:22:07 +00:00
ge_scalarmult(&point2, reinterpret_cast<const unsigned char*>(&key2), &point);
2014-03-03 22:07:58 +00:00
ge_mul8(&point3, &point2);
ge_p1p1_to_p2(&point2, &point3);
2015-07-30 15:22:07 +00:00
ge_tobytes(reinterpret_cast<unsigned char*>(&derivation), &point2);
2014-03-03 22:07:58 +00:00
return true;
}
2015-07-30 15:22:07 +00:00
static void derivation_to_scalar(const KeyDerivation &derivation, size_t output_index, EllipticCurveScalar &res) {
2014-03-03 22:07:58 +00:00
struct {
2015-07-30 15:22:07 +00:00
KeyDerivation derivation;
2014-03-03 22:07:58 +00:00
char output_index[(sizeof(size_t) * 8 + 6) / 7];
} buf;
char *end = buf.output_index;
buf.derivation = derivation;
2015-07-30 15:22:07 +00:00
Tools::write_varint(end, output_index);
2014-03-03 22:07:58 +00:00
assert(end <= buf.output_index + sizeof buf.output_index);
hash_to_scalar(&buf, end - reinterpret_cast<char *>(&buf), res);
}
2015-07-30 15:22:07 +00:00
static void derivation_to_scalar(const KeyDerivation &derivation, size_t output_index, const uint8_t* suffix, size_t suffixLength, EllipticCurveScalar &res) {
assert(suffixLength <= 32);
struct {
KeyDerivation derivation;
char output_index[(sizeof(size_t) * 8 + 6) / 7 + 32];
} buf;
char *end = buf.output_index;
buf.derivation = derivation;
Tools::write_varint(end, output_index);
assert(end <= buf.output_index + sizeof buf.output_index);
size_t bufSize = end - reinterpret_cast<char *>(&buf);
memcpy(end, suffix, suffixLength);
hash_to_scalar(&buf, bufSize + suffixLength, res);
}
bool crypto_ops::derive_public_key(const KeyDerivation &derivation, size_t output_index,
const PublicKey &base, PublicKey &derived_key) {
EllipticCurveScalar scalar;
2014-03-03 22:07:58 +00:00
ge_p3 point1;
ge_p3 point2;
ge_cached point3;
ge_p1p1 point4;
ge_p2 point5;
2015-07-30 15:22:07 +00:00
if (ge_frombytes_vartime(&point1, reinterpret_cast<const unsigned char*>(&base)) != 0) {
2014-03-03 22:07:58 +00:00
return false;
}
derivation_to_scalar(derivation, output_index, scalar);
2015-07-30 15:22:07 +00:00
ge_scalarmult_base(&point2, reinterpret_cast<unsigned char*>(&scalar));
ge_p3_to_cached(&point3, &point2);
ge_add(&point4, &point1, &point3);
ge_p1p1_to_p2(&point5, &point4);
ge_tobytes(reinterpret_cast<unsigned char*>(&derived_key), &point5);
return true;
}
bool crypto_ops::derive_public_key(const KeyDerivation &derivation, size_t output_index,
const PublicKey &base, const uint8_t* suffix, size_t suffixLength, PublicKey &derived_key) {
EllipticCurveScalar scalar;
ge_p3 point1;
ge_p3 point2;
ge_cached point3;
ge_p1p1 point4;
ge_p2 point5;
if (ge_frombytes_vartime(&point1, reinterpret_cast<const unsigned char*>(&base)) != 0) {
return false;
}
derivation_to_scalar(derivation, output_index, suffix, suffixLength, scalar);
ge_scalarmult_base(&point2, reinterpret_cast<unsigned char*>(&scalar));
2014-03-03 22:07:58 +00:00
ge_p3_to_cached(&point3, &point2);
ge_add(&point4, &point1, &point3);
ge_p1p1_to_p2(&point5, &point4);
2015-07-30 15:22:07 +00:00
ge_tobytes(reinterpret_cast<unsigned char*>(&derived_key), &point5);
2014-03-03 22:07:58 +00:00
return true;
}
2015-07-30 15:22:07 +00:00
bool crypto_ops::underive_public_key_and_get_scalar(const KeyDerivation &derivation, size_t output_index,
const PublicKey &derived_key, PublicKey &base, EllipticCurveScalar &hashed_derivation) {
ge_p3 point1;
ge_p3 point2;
ge_cached point3;
ge_p1p1 point4;
ge_p2 point5;
if (ge_frombytes_vartime(&point1, reinterpret_cast<const unsigned char*>(&derived_key)) != 0) {
return false;
}
derivation_to_scalar(derivation, output_index, hashed_derivation);
ge_scalarmult_base(&point2, reinterpret_cast<unsigned char*>(&hashed_derivation));
ge_p3_to_cached(&point3, &point2);
ge_sub(&point4, &point1, &point3);
ge_p1p1_to_p2(&point5, &point4);
ge_tobytes(reinterpret_cast<unsigned char*>(&base), &point5);
return true;
}
void crypto_ops::derive_secret_key(const KeyDerivation &derivation, size_t output_index,
const SecretKey &base, SecretKey &derived_key) {
EllipticCurveScalar scalar;
assert(sc_check(reinterpret_cast<const unsigned char*>(&base)) == 0);
2014-03-03 22:07:58 +00:00
derivation_to_scalar(derivation, output_index, scalar);
2015-07-30 15:22:07 +00:00
sc_add(reinterpret_cast<unsigned char*>(&derived_key), reinterpret_cast<const unsigned char*>(&base), reinterpret_cast<unsigned char*>(&scalar));
}
void crypto_ops::derive_secret_key(const KeyDerivation &derivation, size_t output_index,
const SecretKey &base, const uint8_t* suffix, size_t suffixLength, SecretKey &derived_key) {
EllipticCurveScalar scalar;
assert(sc_check(reinterpret_cast<const unsigned char*>(&base)) == 0);
derivation_to_scalar(derivation, output_index, suffix, suffixLength, scalar);
sc_add(reinterpret_cast<unsigned char*>(&derived_key), reinterpret_cast<const unsigned char*>(&base), reinterpret_cast<unsigned char*>(&scalar));
2014-03-03 22:07:58 +00:00
}
2015-07-30 15:22:07 +00:00
bool crypto_ops::underive_public_key(const KeyDerivation &derivation, size_t output_index,
const PublicKey &derived_key, PublicKey &base) {
EllipticCurveScalar scalar;
ge_p3 point1;
ge_p3 point2;
ge_cached point3;
ge_p1p1 point4;
ge_p2 point5;
2015-07-30 15:22:07 +00:00
if (ge_frombytes_vartime(&point1, reinterpret_cast<const unsigned char*>(&derived_key)) != 0) {
return false;
}
derivation_to_scalar(derivation, output_index, scalar);
2015-07-30 15:22:07 +00:00
ge_scalarmult_base(&point2, reinterpret_cast<unsigned char*>(&scalar));
ge_p3_to_cached(&point3, &point2);
ge_sub(&point4, &point1, &point3);
ge_p1p1_to_p2(&point5, &point4);
2015-07-30 15:22:07 +00:00
ge_tobytes(reinterpret_cast<unsigned char*>(&base), &point5);
return true;
}
2015-07-30 15:22:07 +00:00
bool crypto_ops::underive_public_key(const KeyDerivation &derivation, size_t output_index,
const PublicKey &derived_key, const uint8_t* suffix, size_t suffixLength, PublicKey &base) {
EllipticCurveScalar scalar;
ge_p3 point1;
ge_p3 point2;
ge_cached point3;
ge_p1p1 point4;
ge_p2 point5;
if (ge_frombytes_vartime(&point1, reinterpret_cast<const unsigned char*>(&derived_key)) != 0) {
return false;
}
derivation_to_scalar(derivation, output_index, suffix, suffixLength, scalar);
ge_scalarmult_base(&point2, reinterpret_cast<unsigned char*>(&scalar));
ge_p3_to_cached(&point3, &point2);
ge_sub(&point4, &point1, &point3);
ge_p1p1_to_p2(&point5, &point4);
ge_tobytes(reinterpret_cast<unsigned char*>(&base), &point5);
return true;
}
2013-11-14 22:28:17 +00:00
struct s_comm {
2015-07-30 15:22:07 +00:00
Hash h;
EllipticCurvePoint key;
EllipticCurvePoint comm;
2013-11-14 22:28:17 +00:00
};
2015-07-30 15:22:07 +00:00
void crypto_ops::generate_signature(const Hash &prefix_hash, const PublicKey &pub, const SecretKey &sec, Signature &sig) {
2014-03-03 22:07:58 +00:00
lock_guard<mutex> lock(random_lock);
2013-11-14 22:28:17 +00:00
ge_p3 tmp3;
2015-07-30 15:22:07 +00:00
EllipticCurveScalar k;
2013-11-14 22:28:17 +00:00
s_comm buf;
#if !defined(NDEBUG)
{
ge_p3 t;
2015-07-30 15:22:07 +00:00
PublicKey t2;
assert(sc_check(reinterpret_cast<const unsigned char*>(&sec)) == 0);
ge_scalarmult_base(&t, reinterpret_cast<const unsigned char*>(&sec));
ge_p3_tobytes(reinterpret_cast<unsigned char*>(&t2), &t);
2013-11-14 22:28:17 +00:00
assert(pub == t2);
}
#endif
2014-03-03 22:07:58 +00:00
buf.h = prefix_hash;
2015-07-30 15:22:07 +00:00
buf.key = reinterpret_cast<const EllipticCurvePoint&>(pub);
2013-11-14 22:28:17 +00:00
random_scalar(k);
2015-07-30 15:22:07 +00:00
ge_scalarmult_base(&tmp3, reinterpret_cast<unsigned char*>(&k));
ge_p3_tobytes(reinterpret_cast<unsigned char*>(&buf.comm), &tmp3);
hash_to_scalar(&buf, sizeof(s_comm), reinterpret_cast<EllipticCurveScalar&>(sig));
sc_mulsub(reinterpret_cast<unsigned char*>(&sig) + 32, reinterpret_cast<unsigned char*>(&sig), reinterpret_cast<const unsigned char*>(&sec), reinterpret_cast<unsigned char*>(&k));
2013-11-14 22:28:17 +00:00
}
2015-07-30 15:22:07 +00:00
bool crypto_ops::check_signature(const Hash &prefix_hash, const PublicKey &pub, const Signature &sig) {
2013-11-14 22:28:17 +00:00
ge_p2 tmp2;
ge_p3 tmp3;
2015-07-30 15:22:07 +00:00
EllipticCurveScalar c;
2013-11-14 22:28:17 +00:00
s_comm buf;
assert(check_key(pub));
2014-03-03 22:07:58 +00:00
buf.h = prefix_hash;
2015-07-30 15:22:07 +00:00
buf.key = reinterpret_cast<const EllipticCurvePoint&>(pub);
if (ge_frombytes_vartime(&tmp3, reinterpret_cast<const unsigned char*>(&pub)) != 0) {
2013-11-14 22:28:17 +00:00
abort();
}
2015-07-30 15:22:07 +00:00
if (sc_check(reinterpret_cast<const unsigned char*>(&sig)) != 0 || sc_check(reinterpret_cast<const unsigned char*>(&sig) + 32) != 0) {
2013-11-14 22:28:17 +00:00
return false;
}
2015-07-30 15:22:07 +00:00
ge_double_scalarmult_base_vartime(&tmp2, reinterpret_cast<const unsigned char*>(&sig), &tmp3, reinterpret_cast<const unsigned char*>(&sig) + 32);
ge_tobytes(reinterpret_cast<unsigned char*>(&buf.comm), &tmp2);
2013-11-14 22:28:17 +00:00
hash_to_scalar(&buf, sizeof(s_comm), c);
2015-07-30 15:22:07 +00:00
sc_sub(reinterpret_cast<unsigned char*>(&c), reinterpret_cast<unsigned char*>(&c), reinterpret_cast<const unsigned char*>(&sig));
return sc_isnonzero(reinterpret_cast<unsigned char*>(&c)) == 0;
2013-11-14 22:28:17 +00:00
}
2015-07-30 15:22:07 +00:00
static void hash_to_ec(const PublicKey &key, ge_p3 &res) {
Hash h;
2013-11-14 22:28:17 +00:00
ge_p2 point;
ge_p1p1 point2;
2015-07-30 15:22:07 +00:00
cn_fast_hash(std::addressof(key), sizeof(PublicKey), h);
2013-11-14 22:28:17 +00:00
ge_fromfe_frombytes_vartime(&point, reinterpret_cast<const unsigned char *>(&h));
ge_mul8(&point2, &point);
ge_p1p1_to_p3(&res, &point2);
}
2015-07-30 15:22:07 +00:00
void crypto_ops::hash_data_to_ec(const uint8_t* data, std::size_t len, PublicKey& key) {
Hash h;
ge_p2 point;
ge_p1p1 point2;
cn_fast_hash(data, len, h);
ge_fromfe_frombytes_vartime(&point, reinterpret_cast<const unsigned char *>(&h));
ge_mul8(&point2, &point);
ge_p1p1_to_p2(&point, &point2);
ge_tobytes(reinterpret_cast<unsigned char*>(&key), &point);
}
void crypto_ops::generate_key_image(const PublicKey &pub, const SecretKey &sec, KeyImage &image) {
2013-11-14 22:28:17 +00:00
ge_p3 point;
ge_p2 point2;
2015-07-30 15:22:07 +00:00
assert(sc_check(reinterpret_cast<const unsigned char*>(&sec)) == 0);
hash_to_ec(pub, point);
ge_scalarmult(&point2, reinterpret_cast<const unsigned char*>(&sec), &point);
ge_tobytes(reinterpret_cast<unsigned char*>(&image), &point2);
}
void crypto_ops::generate_incomplete_key_image(const PublicKey &pub, EllipticCurvePoint &incomplete_key_image) {
ge_p3 point;
2013-11-14 22:28:17 +00:00
hash_to_ec(pub, point);
2015-07-30 15:22:07 +00:00
ge_p3_tobytes(reinterpret_cast<unsigned char*>(&incomplete_key_image), &point);
2013-11-14 22:28:17 +00:00
}
2015-05-27 12:08:46 +00:00
#ifdef _MSC_VER
#pragma warning(disable: 4200)
#endif
2013-11-14 22:28:17 +00:00
struct rs_comm {
2015-07-30 15:22:07 +00:00
Hash h;
2013-11-14 22:28:17 +00:00
struct {
2015-07-30 15:22:07 +00:00
EllipticCurvePoint a, b;
2013-11-14 22:28:17 +00:00
} ab[];
};
static inline size_t rs_comm_size(size_t pubs_count) {
return sizeof(rs_comm) + pubs_count * sizeof(rs_comm().ab[0]);
}
2015-07-30 15:22:07 +00:00
void crypto_ops::generate_ring_signature(const Hash &prefix_hash, const KeyImage &image,
const PublicKey *const *pubs, size_t pubs_count,
const SecretKey &sec, size_t sec_index,
Signature *sig) {
2014-03-03 22:07:58 +00:00
lock_guard<mutex> lock(random_lock);
2013-11-14 22:28:17 +00:00
size_t i;
ge_p3 image_unp;
ge_dsmp image_pre;
2015-07-30 15:22:07 +00:00
EllipticCurveScalar sum, k, h;
2013-11-14 22:28:17 +00:00
rs_comm *const buf = reinterpret_cast<rs_comm *>(alloca(rs_comm_size(pubs_count)));
assert(sec_index < pubs_count);
#if !defined(NDEBUG)
{
ge_p3 t;
2015-07-30 15:22:07 +00:00
PublicKey t2;
KeyImage t3;
assert(sc_check(reinterpret_cast<const unsigned char*>(&sec)) == 0);
ge_scalarmult_base(&t, reinterpret_cast<const unsigned char*>(&sec));
ge_p3_tobytes(reinterpret_cast<unsigned char*>(&t2), &t);
2013-11-14 22:28:17 +00:00
assert(*pubs[sec_index] == t2);
generate_key_image(*pubs[sec_index], sec, t3);
assert(image == t3);
for (i = 0; i < pubs_count; i++) {
assert(check_key(*pubs[i]));
}
}
#endif
2015-07-30 15:22:07 +00:00
if (ge_frombytes_vartime(&image_unp, reinterpret_cast<const unsigned char*>(&image)) != 0) {
2013-11-14 22:28:17 +00:00
abort();
}
ge_dsm_precomp(image_pre, &image_unp);
2015-07-30 15:22:07 +00:00
sc_0(reinterpret_cast<unsigned char*>(&sum));
2014-03-03 22:07:58 +00:00
buf->h = prefix_hash;
2013-11-14 22:28:17 +00:00
for (i = 0; i < pubs_count; i++) {
ge_p2 tmp2;
ge_p3 tmp3;
if (i == sec_index) {
random_scalar(k);
2015-07-30 15:22:07 +00:00
ge_scalarmult_base(&tmp3, reinterpret_cast<unsigned char*>(&k));
ge_p3_tobytes(reinterpret_cast<unsigned char*>(&buf->ab[i].a), &tmp3);
2013-11-14 22:28:17 +00:00
hash_to_ec(*pubs[i], tmp3);
2015-07-30 15:22:07 +00:00
ge_scalarmult(&tmp2, reinterpret_cast<unsigned char*>(&k), &tmp3);
ge_tobytes(reinterpret_cast<unsigned char*>(&buf->ab[i].b), &tmp2);
2013-11-14 22:28:17 +00:00
} else {
2015-07-30 15:22:07 +00:00
random_scalar(reinterpret_cast<EllipticCurveScalar&>(sig[i]));
random_scalar(*reinterpret_cast<EllipticCurveScalar*>(reinterpret_cast<unsigned char*>(&sig[i]) + 32));
if (ge_frombytes_vartime(&tmp3, reinterpret_cast<const unsigned char*>(&*pubs[i])) != 0) {
2013-11-14 22:28:17 +00:00
abort();
}
2015-07-30 15:22:07 +00:00
ge_double_scalarmult_base_vartime(&tmp2, reinterpret_cast<unsigned char*>(&sig[i]), &tmp3, reinterpret_cast<unsigned char*>(&sig[i]) + 32);
ge_tobytes(reinterpret_cast<unsigned char*>(&buf->ab[i].a), &tmp2);
2013-11-14 22:28:17 +00:00
hash_to_ec(*pubs[i], tmp3);
2015-07-30 15:22:07 +00:00
ge_double_scalarmult_precomp_vartime(&tmp2, reinterpret_cast<unsigned char*>(&sig[i]) + 32, &tmp3, reinterpret_cast<unsigned char*>(&sig[i]), image_pre);
ge_tobytes(reinterpret_cast<unsigned char*>(&buf->ab[i].b), &tmp2);
sc_add(reinterpret_cast<unsigned char*>(&sum), reinterpret_cast<unsigned char*>(&sum), reinterpret_cast<unsigned char*>(&sig[i]));
2013-11-14 22:28:17 +00:00
}
}
hash_to_scalar(buf, rs_comm_size(pubs_count), h);
2015-07-30 15:22:07 +00:00
sc_sub(reinterpret_cast<unsigned char*>(&sig[sec_index]), reinterpret_cast<unsigned char*>(&h), reinterpret_cast<unsigned char*>(&sum));
sc_mulsub(reinterpret_cast<unsigned char*>(&sig[sec_index]) + 32, reinterpret_cast<unsigned char*>(&sig[sec_index]), reinterpret_cast<const unsigned char*>(&sec), reinterpret_cast<unsigned char*>(&k));
2013-11-14 22:28:17 +00:00
}
2015-07-30 15:22:07 +00:00
bool crypto_ops::check_ring_signature(const Hash &prefix_hash, const KeyImage &image,
const PublicKey *const *pubs, size_t pubs_count,
const Signature *sig) {
2013-11-14 22:28:17 +00:00
size_t i;
ge_p3 image_unp;
ge_dsmp image_pre;
2015-07-30 15:22:07 +00:00
EllipticCurveScalar sum, h;
2013-11-14 22:28:17 +00:00
rs_comm *const buf = reinterpret_cast<rs_comm *>(alloca(rs_comm_size(pubs_count)));
#if !defined(NDEBUG)
for (i = 0; i < pubs_count; i++) {
assert(check_key(*pubs[i]));
}
#endif
2015-07-30 15:22:07 +00:00
if (ge_frombytes_vartime(&image_unp, reinterpret_cast<const unsigned char*>(&image)) != 0) {
2013-11-14 22:28:17 +00:00
return false;
}
ge_dsm_precomp(image_pre, &image_unp);
2015-07-30 15:22:07 +00:00
sc_0(reinterpret_cast<unsigned char*>(&sum));
2014-03-03 22:07:58 +00:00
buf->h = prefix_hash;
2013-11-14 22:28:17 +00:00
for (i = 0; i < pubs_count; i++) {
ge_p2 tmp2;
ge_p3 tmp3;
2015-07-30 15:22:07 +00:00
if (sc_check(reinterpret_cast<const unsigned char*>(&sig[i])) != 0 || sc_check(reinterpret_cast<const unsigned char*>(&sig[i]) + 32) != 0) {
2013-11-14 22:28:17 +00:00
return false;
}
2015-07-30 15:22:07 +00:00
if (ge_frombytes_vartime(&tmp3, reinterpret_cast<const unsigned char*>(&*pubs[i])) != 0) {
2013-11-14 22:28:17 +00:00
abort();
}
2015-07-30 15:22:07 +00:00
ge_double_scalarmult_base_vartime(&tmp2, reinterpret_cast<const unsigned char*>(&sig[i]), &tmp3, reinterpret_cast<const unsigned char*>(&sig[i]) + 32);
ge_tobytes(reinterpret_cast<unsigned char*>(&buf->ab[i].a), &tmp2);
2013-11-14 22:28:17 +00:00
hash_to_ec(*pubs[i], tmp3);
2015-07-30 15:22:07 +00:00
ge_double_scalarmult_precomp_vartime(&tmp2, reinterpret_cast<const unsigned char*>(&sig[i]) + 32, &tmp3, reinterpret_cast<const unsigned char*>(&sig[i]), image_pre);
ge_tobytes(reinterpret_cast<unsigned char*>(&buf->ab[i].b), &tmp2);
sc_add(reinterpret_cast<unsigned char*>(&sum), reinterpret_cast<unsigned char*>(&sum), reinterpret_cast<const unsigned char*>(&sig[i]));
2013-11-14 22:28:17 +00:00
}
hash_to_scalar(buf, rs_comm_size(pubs_count), h);
2015-07-30 15:22:07 +00:00
sc_sub(reinterpret_cast<unsigned char*>(&h), reinterpret_cast<unsigned char*>(&h), reinterpret_cast<unsigned char*>(&sum));
return sc_isnonzero(reinterpret_cast<unsigned char*>(&h)) == 0;
2013-11-14 22:28:17 +00:00
}
2014-03-03 22:07:58 +00:00
}