diff options
author | Peter Dettman <peter.dettman@bouncycastle.org> | 2022-11-17 00:10:42 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2022-11-17 00:10:42 +0700 |
commit | bc9d472a78f0780ddde00f524a07a39c9fccdf5b (patch) | |
tree | 72c5051ebd169e61ab87a5caa96d2f6e07a8de62 /crypto | |
parent | PackageValidationBaselineVersion = 2.0.0 (diff) | |
download | BouncyCastle.NET-ed25519-bc9d472a78f0780ddde00f524a07a39c9fccdf5b.tar.xz |
EdDSA improvements
- better guards on context values - add Verify method to public keys - reduced allocation during verification
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs | 15 | ||||
-rw-r--r-- | crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs | 39 | ||||
-rw-r--r-- | crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs | 13 | ||||
-rw-r--r-- | crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs | 32 | ||||
-rw-r--r-- | crypto/src/crypto/signers/Ed25519Signer.cs | 7 | ||||
-rw-r--r-- | crypto/src/crypto/signers/Ed25519ctxSigner.cs | 11 | ||||
-rw-r--r-- | crypto/src/crypto/signers/Ed25519phSigner.cs | 12 | ||||
-rw-r--r-- | crypto/src/crypto/signers/Ed448Signer.cs | 10 | ||||
-rw-r--r-- | crypto/src/crypto/signers/Ed448phSigner.cs | 12 | ||||
-rw-r--r-- | crypto/src/math/ec/rfc7748/X25519Field.cs | 22 | ||||
-rw-r--r-- | crypto/src/math/ec/rfc7748/X448Field.cs | 20 | ||||
-rw-r--r-- | crypto/src/math/ec/rfc8032/Ed25519.cs | 341 | ||||
-rw-r--r-- | crypto/src/math/ec/rfc8032/Ed448.cs | 551 | ||||
-rw-r--r-- | crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs | 6 | ||||
-rw-r--r-- | crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs | 6 |
15 files changed, 988 insertions, 109 deletions
diff --git a/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs b/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs index a50f71972..eeb782d8e 100644 --- a/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs +++ b/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs @@ -104,27 +104,36 @@ namespace Org.BouncyCastle.Crypto.Parameters case Ed25519.Algorithm.Ed25519: { if (null != ctx) - throw new ArgumentException("ctx"); + throw new ArgumentException(nameof(ctx)); Ed25519.Sign(data, 0, pk, 0, msg, msgOff, msgLen, sig, sigOff); break; } case Ed25519.Algorithm.Ed25519ctx: { + if (null == ctx) + throw new ArgumentNullException(nameof(ctx)); + if (ctx.Length > 255) + throw new ArgumentOutOfRangeException(nameof(ctx)); + Ed25519.Sign(data, 0, pk, 0, ctx, msg, msgOff, msgLen, sig, sigOff); break; } case Ed25519.Algorithm.Ed25519ph: { + if (null == ctx) + throw new ArgumentNullException(nameof(ctx)); + if (ctx.Length > 255) + throw new ArgumentOutOfRangeException(nameof(ctx)); if (Ed25519.PrehashSize != msgLen) - throw new ArgumentException("msgLen"); + throw new ArgumentException(nameof(msgLen)); Ed25519.SignPrehash(data, 0, pk, 0, ctx, msg, msgOff, sig, sigOff); break; } default: { - throw new ArgumentException("algorithm"); + throw new ArgumentOutOfRangeException(nameof(algorithm)); } } } diff --git a/crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs b/crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs index 9b94635d5..5465543a8 100644 --- a/crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs +++ b/crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs @@ -60,6 +60,45 @@ namespace Org.BouncyCastle.Crypto.Parameters return Arrays.Clone(data); } + public bool Verify(Ed25519.Algorithm algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen, + byte[] sig, int sigOff) + { + switch (algorithm) + { + case Ed25519.Algorithm.Ed25519: + { + if (null != ctx) + throw new ArgumentException(nameof(ctx)); + + return Ed25519.Verify(sig, sigOff, data, 0, msg, msgOff, msgLen); + } + case Ed25519.Algorithm.Ed25519ctx: + { + if (null == ctx) + throw new ArgumentNullException(nameof(ctx)); + if (ctx.Length > 255) + throw new ArgumentOutOfRangeException(nameof(ctx)); + + return Ed25519.Verify(sig, sigOff, data, 0, ctx, msg, msgOff, msgLen); + } + case Ed25519.Algorithm.Ed25519ph: + { + if (null == ctx) + throw new ArgumentNullException(nameof(ctx)); + if (ctx.Length > 255) + throw new ArgumentOutOfRangeException(nameof(ctx)); + if (Ed25519.PrehashSize != msgLen) + throw new ArgumentException(nameof(msgLen)); + + return Ed25519.VerifyPrehash(sig, sigOff, data, 0, ctx, msg, msgOff); + } + default: + { + throw new ArgumentOutOfRangeException(nameof(algorithm)); + } + } + } + private static byte[] Validate(byte[] buf) { if (buf.Length != KeySize) diff --git a/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs b/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs index ac12a2f1d..a9283761b 100644 --- a/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs +++ b/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs @@ -103,20 +103,29 @@ namespace Org.BouncyCastle.Crypto.Parameters { case Ed448.Algorithm.Ed448: { + if (null == ctx) + throw new ArgumentNullException(nameof(ctx)); + if (ctx.Length > 255) + throw new ArgumentOutOfRangeException(nameof(ctx)); + Ed448.Sign(data, 0, pk, 0, ctx, msg, msgOff, msgLen, sig, sigOff); break; } case Ed448.Algorithm.Ed448ph: { + if (null == ctx) + throw new ArgumentNullException(nameof(ctx)); + if (ctx.Length > 255) + throw new ArgumentOutOfRangeException(nameof(ctx)); if (Ed448.PrehashSize != msgLen) - throw new ArgumentException("msgLen"); + throw new ArgumentException(nameof(msgLen)); Ed448.SignPrehash(data, 0, pk, 0, ctx, msg, msgOff, sig, sigOff); break; } default: { - throw new ArgumentException("algorithm"); + throw new ArgumentOutOfRangeException(nameof(algorithm)); } } } diff --git a/crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs b/crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs index 26f6b5ba9..2b12f37e5 100644 --- a/crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs +++ b/crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs @@ -60,6 +60,38 @@ namespace Org.BouncyCastle.Crypto.Parameters return Arrays.Clone(data); } + public bool Verify(Ed448.Algorithm algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen, + byte[] sig, int sigOff) + { + switch (algorithm) + { + case Ed448.Algorithm.Ed448: + { + if (null == ctx) + throw new ArgumentNullException(nameof(ctx)); + if (ctx.Length > 255) + throw new ArgumentOutOfRangeException(nameof(ctx)); + + return Ed448.Verify(sig, sigOff, data, 0, ctx, msg, msgOff, msgLen); + } + case Ed448.Algorithm.Ed448ph: + { + if (null == ctx) + throw new ArgumentNullException(nameof(ctx)); + if (ctx.Length > 255) + throw new ArgumentOutOfRangeException(nameof(ctx)); + if (Ed448.PrehashSize != msgLen) + throw new ArgumentException(nameof(msgLen)); + + return Ed448.VerifyPrehash(sig, sigOff, data, 0, ctx, msg, msgOff); + } + default: + { + throw new ArgumentOutOfRangeException(nameof(algorithm)); + } + } + } + private static byte[] Validate(byte[] buf) { if (buf.Length != KeySize) diff --git a/crypto/src/crypto/signers/Ed25519Signer.cs b/crypto/src/crypto/signers/Ed25519Signer.cs index 79a2b1202..450eb2913 100644 --- a/crypto/src/crypto/signers/Ed25519Signer.cs +++ b/crypto/src/crypto/signers/Ed25519Signer.cs @@ -82,7 +82,7 @@ namespace Org.BouncyCastle.Crypto.Signers buffer.Reset(); } - private class Buffer : MemoryStream + private sealed class Buffer : MemoryStream { internal byte[] GenerateSignature(Ed25519PrivateKeyParameters privateKey) { @@ -92,7 +92,7 @@ namespace Org.BouncyCastle.Crypto.Signers int count = Convert.ToInt32(Length); byte[] signature = new byte[Ed25519PrivateKeyParameters.SignatureSize]; - privateKey.Sign(Ed25519.Algorithm.Ed25519, null, buf, 0, count, signature, 0); + privateKey.Sign(Ed25519.Algorithm.Ed25519, ctx: null, buf, 0, count, signature, 0); Reset(); return signature; } @@ -111,8 +111,7 @@ namespace Org.BouncyCastle.Crypto.Signers byte[] buf = GetBuffer(); int count = Convert.ToInt32(Length); - byte[] pk = publicKey.GetEncoded(); - bool result = Ed25519.Verify(signature, 0, pk, 0, buf, 0, count); + bool result = publicKey.Verify(Ed25519.Algorithm.Ed25519, ctx: null, buf, 0, count, signature, 0); Reset(); return result; } diff --git a/crypto/src/crypto/signers/Ed25519ctxSigner.cs b/crypto/src/crypto/signers/Ed25519ctxSigner.cs index 90deb84ef..af813be32 100644 --- a/crypto/src/crypto/signers/Ed25519ctxSigner.cs +++ b/crypto/src/crypto/signers/Ed25519ctxSigner.cs @@ -3,7 +3,6 @@ using System.IO; using Org.BouncyCastle.Crypto.Parameters; using Org.BouncyCastle.Math.EC.Rfc8032; -using Org.BouncyCastle.Utilities; namespace Org.BouncyCastle.Crypto.Signers { @@ -19,7 +18,10 @@ namespace Org.BouncyCastle.Crypto.Signers public Ed25519ctxSigner(byte[] context) { - this.context = Arrays.Clone(context); + if (null == context) + throw new ArgumentNullException(nameof(context)); + + this.context = (byte[])context.Clone(); } public virtual string AlgorithmName @@ -85,7 +87,7 @@ namespace Org.BouncyCastle.Crypto.Signers buffer.Reset(); } - private class Buffer : MemoryStream + private sealed class Buffer : MemoryStream { internal byte[] GenerateSignature(Ed25519PrivateKeyParameters privateKey, byte[] ctx) { @@ -114,8 +116,7 @@ namespace Org.BouncyCastle.Crypto.Signers byte[] buf = GetBuffer(); int count = Convert.ToInt32(Length); - byte[] pk = publicKey.GetEncoded(); - bool result = Ed25519.Verify(signature, 0, pk, 0, ctx, buf, 0, count); + bool result = publicKey.Verify(Ed25519.Algorithm.Ed25519ctx, ctx, buf, 0, count, signature, 0); Reset(); return result; } diff --git a/crypto/src/crypto/signers/Ed25519phSigner.cs b/crypto/src/crypto/signers/Ed25519phSigner.cs index c0fb04ddf..d4ff2aae9 100644 --- a/crypto/src/crypto/signers/Ed25519phSigner.cs +++ b/crypto/src/crypto/signers/Ed25519phSigner.cs @@ -19,7 +19,10 @@ namespace Org.BouncyCastle.Crypto.Signers public Ed25519phSigner(byte[] context) { - this.context = Arrays.Clone(context); + if (null == context) + throw new ArgumentNullException(nameof(context)); + + this.context = (byte[])context.Clone(); } public virtual string AlgorithmName @@ -88,8 +91,11 @@ namespace Org.BouncyCastle.Crypto.Signers return false; } - byte[] pk = publicKey.GetEncoded(); - return Ed25519.VerifyPrehash(signature, 0, pk, 0, context, prehash); + byte[] msg = new byte[Ed25519.PrehashSize]; + if (Ed25519.PrehashSize != prehash.DoFinal(msg, 0)) + throw new InvalidOperationException("Prehash digest failed"); + + return publicKey.Verify(Ed25519.Algorithm.Ed25519ph, context, msg, 0, Ed25519.PrehashSize, signature, 0); } public void Reset() diff --git a/crypto/src/crypto/signers/Ed448Signer.cs b/crypto/src/crypto/signers/Ed448Signer.cs index 647a4b451..79c0fefce 100644 --- a/crypto/src/crypto/signers/Ed448Signer.cs +++ b/crypto/src/crypto/signers/Ed448Signer.cs @@ -19,7 +19,10 @@ namespace Org.BouncyCastle.Crypto.Signers public Ed448Signer(byte[] context) { - this.context = Arrays.Clone(context); + if (null == context) + throw new ArgumentNullException(nameof(context)); + + this.context = (byte[])context.Clone(); } public virtual string AlgorithmName @@ -85,7 +88,7 @@ namespace Org.BouncyCastle.Crypto.Signers buffer.Reset(); } - private class Buffer : MemoryStream + private sealed class Buffer : MemoryStream { internal byte[] GenerateSignature(Ed448PrivateKeyParameters privateKey, byte[] ctx) { @@ -114,8 +117,7 @@ namespace Org.BouncyCastle.Crypto.Signers byte[] buf = GetBuffer(); int count = Convert.ToInt32(Length); - byte[] pk = publicKey.GetEncoded(); - bool result = Ed448.Verify(signature, 0, pk, 0, ctx, buf, 0, count); + bool result = publicKey.Verify(Ed448.Algorithm.Ed448, ctx, buf, 0, count, signature, 0); Reset(); return result; } diff --git a/crypto/src/crypto/signers/Ed448phSigner.cs b/crypto/src/crypto/signers/Ed448phSigner.cs index 197ac1aaa..75f841923 100644 --- a/crypto/src/crypto/signers/Ed448phSigner.cs +++ b/crypto/src/crypto/signers/Ed448phSigner.cs @@ -19,7 +19,10 @@ namespace Org.BouncyCastle.Crypto.Signers public Ed448phSigner(byte[] context) { - this.context = Arrays.Clone(context); + if (null == context) + throw new ArgumentNullException(nameof(context)); + + this.context = (byte[])context.Clone(); } public virtual string AlgorithmName @@ -88,8 +91,11 @@ namespace Org.BouncyCastle.Crypto.Signers return false; } - byte[] pk = publicKey.GetEncoded(); - return Ed448.VerifyPrehash(signature, 0, pk, 0, context, prehash); + byte[] msg = new byte[Ed448.PrehashSize]; + if (Ed448.PrehashSize != prehash.OutputFinal(msg, 0, Ed448.PrehashSize)) + throw new InvalidOperationException("Prehash digest failed"); + + return publicKey.Verify(Ed448.Algorithm.Ed448ph, context, msg, 0, Ed448.PrehashSize, signature, 0); } public void Reset() diff --git a/crypto/src/math/ec/rfc7748/X25519Field.cs b/crypto/src/math/ec/rfc7748/X25519Field.cs index cddf03faa..241710fe9 100644 --- a/crypto/src/math/ec/rfc7748/X25519Field.cs +++ b/crypto/src/math/ec/rfc7748/X25519Field.cs @@ -1,4 +1,7 @@ using System; +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER +using System.Buffers.Binary; +#endif using System.Diagnostics; #if NETSTANDARD1_0_OR_GREATER || NETCOREAPP1_0_OR_GREATER using System.Runtime.CompilerServices; @@ -388,21 +391,21 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748 private static uint Decode32(byte[] bs, int off) { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off)); +#else uint n = bs[off]; n |= (uint)bs[++off] << 8; n |= (uint)bs[++off] << 16; n |= (uint)bs[++off] << 24; return n; +#endif } #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER private static uint Decode32(ReadOnlySpan<byte> bs) { - uint n = bs[0]; - n |= (uint)bs[1] << 8; - n |= (uint)bs[2] << 16; - n |= (uint)bs[3] << 24; - return n; + return BinaryPrimitives.ReadUInt32LittleEndian(bs); } #endif @@ -485,19 +488,20 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748 private static void Encode32(uint n, byte[] bs, int off) { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n); +#else bs[ off] = (byte)(n ); bs[++off] = (byte)(n >> 8); bs[++off] = (byte)(n >> 16); bs[++off] = (byte)(n >> 24); +#endif } #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER private static void Encode32(uint n, Span<byte> bs) { - bs[0] = (byte)(n ); - bs[1] = (byte)(n >> 8); - bs[2] = (byte)(n >> 16); - bs[3] = (byte)(n >> 24); + BinaryPrimitives.WriteUInt32LittleEndian(bs, n); } #endif diff --git a/crypto/src/math/ec/rfc7748/X448Field.cs b/crypto/src/math/ec/rfc7748/X448Field.cs index 67e71afa8..1df837d3a 100644 --- a/crypto/src/math/ec/rfc7748/X448Field.cs +++ b/crypto/src/math/ec/rfc7748/X448Field.cs @@ -4,6 +4,7 @@ using System.Diagnostics; using System.Runtime.CompilerServices; #endif #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER +using System.Buffers.Binary; using System.Numerics; #endif #if NETCOREAPP3_0_OR_GREATER @@ -318,21 +319,21 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748 private static uint Decode32(byte[] bs, int off) { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off)); +#else uint n = bs[off]; n |= (uint)bs[++off] << 8; n |= (uint)bs[++off] << 16; n |= (uint)bs[++off] << 24; return n; +#endif } #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER private static uint Decode32(ReadOnlySpan<byte> bs) { - uint n = bs[0]; - n |= (uint)bs[1] << 8; - n |= (uint)bs[2] << 16; - n |= (uint)bs[3] << 24; - return n; + return BinaryPrimitives.ReadUInt32LittleEndian(bs); } #endif @@ -442,19 +443,20 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748 private static void Encode32(uint n, byte[] bs, int off) { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n); +#else bs[ off] = (byte)(n ); bs[++off] = (byte)(n >> 8); bs[++off] = (byte)(n >> 16); bs[++off] = (byte)(n >> 24); +#endif } #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER private static void Encode32(uint n, Span<byte> bs) { - bs[0] = (byte)(n ); - bs[1] = (byte)(n >> 8); - bs[2] = (byte)(n >> 16); - bs[3] = (byte)(n >> 24); + BinaryPrimitives.WriteUInt32LittleEndian(bs, n); } #endif diff --git a/crypto/src/math/ec/rfc8032/Ed25519.cs b/crypto/src/math/ec/rfc8032/Ed25519.cs index f3b63f3b3..82e46aa1f 100644 --- a/crypto/src/math/ec/rfc8032/Ed25519.cs +++ b/crypto/src/math/ec/rfc8032/Ed25519.cs @@ -1,4 +1,7 @@ using System; +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER +using System.Buffers.Binary; +#endif using System.Diagnostics; using Org.BouncyCastle.Crypto; @@ -190,12 +193,35 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 return F.IsZero(t); } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static bool CheckPointVar(ReadOnlySpan<byte> p) + { + if ((Decode32(p[28..]) & 0x7FFFFFFFU) < P[7]) + return true; + for (int i = CoordUints - 2; i >= 0; --i) + { + if (Decode32(p[(i * 4)..]) < P[i]) + return true; + } + return false; + } + + private static bool CheckScalarVar(ReadOnlySpan<byte> s, Span<uint> n) + { + DecodeScalar(s, n); + return !Nat.Gte(ScalarUints, n, L); + } +#else private static bool CheckPointVar(byte[] p) { - uint[] t = new uint[CoordUints]; - Decode32(p, 0, t, 0, CoordUints); - t[CoordUints - 1] &= 0x7FFFFFFFU; - return !Nat256.Gte(t, P); + if ((Decode32(p, 28) & 0x7FFFFFFFU) < P[7]) + return true; + for (int i = CoordUints - 2; i >= 0; --i) + { + if (Decode32(p, i * 4) < P[i]) + return true; + } + return false; } private static bool CheckScalarVar(byte[] s, uint[] n) @@ -203,6 +229,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 DecodeScalar(s, 0, n); return !Nat256.Gte(n, L); } +#endif private static byte[] Copy(byte[] buf, int off, int len) { @@ -213,7 +240,10 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 private static IDigest CreateDigest() { - return new Sha512Digest(); + var d = new Sha512Digest(); + if (d.GetDigestSize() != 64) + throw new InvalidOperationException(); + return d; } public static IDigest CreatePrehash() @@ -229,23 +259,33 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 return n; } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static uint Decode24(ReadOnlySpan<byte> bs) + { + uint n = bs[0]; + n |= (uint)bs[1] << 8; + n |= (uint)bs[2] << 16; + return n; + } +#endif + private static uint Decode32(byte[] bs, int off) { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off)); +#else uint n = bs[off]; n |= (uint)bs[++off] << 8; n |= (uint)bs[++off] << 16; n |= (uint)bs[++off] << 24; return n; +#endif } #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER private static uint Decode32(ReadOnlySpan<byte> bs) { - uint n = bs[0]; - n |= (uint)bs[1] << 8; - n |= (uint)bs[2] << 16; - n |= (uint)bs[3] << 24; - return n; + return BinaryPrimitives.ReadUInt32LittleEndian(bs); } #endif @@ -335,20 +375,48 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 bs[++off] = (byte)(n >> 16); } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void Encode24(uint n, Span<byte> bs) + { + bs[0] = (byte)(n); + bs[1] = (byte)(n >> 8); + bs[2] = (byte)(n >> 16); + } +#endif + private static void Encode32(uint n, byte[] bs, int off) { - bs[off] = (byte)(n); - bs[++off] = (byte)(n >> 8); +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n); +#else + bs[ off] = (byte)(n ); + bs[++off] = (byte)(n >> 8); bs[++off] = (byte)(n >> 16); bs[++off] = (byte)(n >> 24); +#endif } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void Encode32(uint n, Span<byte> bs) + { + BinaryPrimitives.WriteUInt32LittleEndian(bs, n); + } +#endif + private static void Encode56(ulong n, byte[] bs, int off) { Encode32((uint)n, bs, off); Encode24((uint)(n >> 32), bs, off + 4); } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void Encode56(ulong n, Span<byte> bs) + { + Encode32((uint)n, bs); + Encode24((uint)(n >> 32), bs[4..]); + } +#endif + private static int EncodePoint(ref PointAccum p, byte[] r, int rOff) { #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER @@ -417,7 +485,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 GeneratePublicKey(sk.AsSpan(skOff), pk.AsSpan(pkOff)); #else IDigest d = CreateDigest(); - byte[] h = new byte[d.GetDigestSize()]; + byte[] h = new byte[64]; d.BlockUpdate(sk, skOff, SecretKeySize); d.DoFinal(h, 0); @@ -433,10 +501,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 public static void GeneratePublicKey(ReadOnlySpan<byte> sk, Span<byte> pk) { IDigest d = CreateDigest(); - int digestSize = d.GetDigestSize(); - Span<byte> h = digestSize <= 128 - ? stackalloc byte[digestSize] - : new byte[digestSize]; + Span<byte> h = stackalloc byte[64]; d.BlockUpdate(sk[..SecretKeySize]); d.DoFinal(h); @@ -458,7 +523,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 return (x[w] >> b) & 15U; } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static sbyte[] GetWnafVar(ReadOnlySpan<uint> n, int width) +#else private static sbyte[] GetWnafVar(uint[] n, int width) +#endif { Debug.Assert(n[ScalarUints - 1] <= L[ScalarUints - 1]); Debug.Assert(2 <= width && width <= 8); @@ -541,7 +610,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 throw new ArgumentException("ctx"); IDigest d = CreateDigest(); - byte[] h = new byte[d.GetDigestSize()]; + byte[] h = new byte[64]; d.BlockUpdate(sk, skOff, SecretKeySize); d.DoFinal(h, 0); @@ -562,7 +631,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 throw new ArgumentException("ctx"); IDigest d = CreateDigest(); - byte[] h = new byte[d.GetDigestSize()]; + byte[] h = new byte[64]; d.BlockUpdate(sk, skOff, SecretKeySize); d.DoFinal(h, 0); @@ -579,6 +648,45 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 if (!CheckContextVar(ctx, phflag)) throw new ArgumentException("ctx"); +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + Span<byte> RS = stackalloc byte[PointBytes + ScalarBytes]; + RS.CopyFrom(sig.AsSpan(sigOff, PointBytes + ScalarBytes)); + + var R = RS[..PointBytes]; + var S = RS[PointBytes..]; + + if (!CheckPointVar(R)) + return false; + + Span<uint> nS = stackalloc uint[ScalarUints]; + if (!CheckScalarVar(S, nS)) + return false; + + Init(out PointAffine pA); + if (!DecodePointVar(pk, pkOff, true, ref pA)) + return false; + + IDigest d = CreateDigest(); + Span<byte> h = stackalloc byte[64]; + + Dom2(d, phflag, ctx); + d.BlockUpdate(R); + d.BlockUpdate(pk.AsSpan(pkOff, PointBytes)); + d.BlockUpdate(m.AsSpan(mOff, mLen)); + d.DoFinal(h); + + Span<byte> k = stackalloc byte[ScalarBytes]; + ReduceScalar(h, k); + + Span<uint> nA = stackalloc uint[ScalarUints]; + DecodeScalar(k, nA); + + Init(out PointAccum pR); + ScalarMultStrausVar(nS, nA, ref pA, ref pR); + + Span<byte> check = stackalloc byte[PointBytes]; + return 0 != EncodePoint(ref pR, check) && check.SequenceEqual(R); +#else byte[] R = Copy(sig, sigOff, PointBytes); byte[] S = Copy(sig, sigOff + PointBytes, ScalarBytes); @@ -594,7 +702,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 return false; IDigest d = CreateDigest(); - byte[] h = new byte[d.GetDigestSize()]; + byte[] h = new byte[64]; Dom2(d, phflag, ctx); d.BlockUpdate(R, 0, PointBytes); @@ -612,6 +720,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 byte[] check = new byte[PointBytes]; return 0 != EncodePoint(ref pR, check, 0) && Arrays.AreEqual(check, R); +#endif } private static void Init(out PointAccum r) @@ -1203,6 +1312,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 private static byte[] ReduceScalar(byte[] n) { + byte[] r = new byte[ScalarBytes]; + +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + ReduceScalar(n, r); +#else long x00 = Decode32(n, 0) & M32L; // x00:32/-- long x01 = (Decode24(n, 4) << 4) & M32L; // x01:28/-- long x02 = Decode32(n, 7) & M32L; // x02:32/-- @@ -1328,15 +1442,152 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 x07 += (x06 >> 28); x06 &= M28L; x08 += (x07 >> 28); x07 &= M28L; - byte[] r = new byte[ScalarBytes]; Encode56((ulong)(x00 | (x01 << 28)), r, 0); Encode56((ulong)(x02 | (x03 << 28)), r, 7); Encode56((ulong)(x04 | (x05 << 28)), r, 14); Encode56((ulong)(x06 | (x07 << 28)), r, 21); Encode32((uint)x08, r, 28); +#endif + return r; } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void ReduceScalar(ReadOnlySpan<byte> n, Span<byte> r) + { + long x00 = Decode32(n[0..]) & M32L; // x00:32/-- + long x01 = (Decode24(n[4..]) << 4) & M32L; // x01:28/-- + long x02 = Decode32(n[7..]) & M32L; // x02:32/-- + long x03 = (Decode24(n[11..]) << 4) & M32L; // x03:28/-- + long x04 = Decode32(n[14..]) & M32L; // x04:32/-- + long x05 = (Decode24(n[18..]) << 4) & M32L; // x05:28/-- + long x06 = Decode32(n[21..]) & M32L; // x06:32/-- + long x07 = (Decode24(n[25..]) << 4) & M32L; // x07:28/-- + long x08 = Decode32(n[28..]) & M32L; // x08:32/-- + long x09 = (Decode24(n[32..]) << 4) & M32L; // x09:28/-- + long x10 = Decode32(n[35..]) & M32L; // x10:32/-- + long x11 = (Decode24(n[39..]) << 4) & M32L; // x11:28/-- + long x12 = Decode32(n[42..]) & M32L; // x12:32/-- + long x13 = (Decode24(n[46..]) << 4) & M32L; // x13:28/-- + long x14 = Decode32(n[49..]) & M32L; // x14:32/-- + long x15 = (Decode24(n[53..]) << 4) & M32L; // x15:28/-- + long x16 = Decode32(n[56..]) & M32L; // x16:32/-- + long x17 = (Decode24(n[60..]) << 4) & M32L; // x17:28/-- + long x18 = n[63] & M08L; // x18:08/-- + long t; + + //x18 += (x17 >> 28); x17 &= M28L; + x09 -= x18 * L0; // x09:34/28 + x10 -= x18 * L1; // x10:33/30 + x11 -= x18 * L2; // x11:35/28 + x12 -= x18 * L3; // x12:32/31 + x13 -= x18 * L4; // x13:28/21 + + x17 += (x16 >> 28); x16 &= M28L; // x17:28/--, x16:28/-- + x08 -= x17 * L0; // x08:54/32 + x09 -= x17 * L1; // x09:52/51 + x10 -= x17 * L2; // x10:55/34 + x11 -= x17 * L3; // x11:51/36 + x12 -= x17 * L4; // x12:41/-- + + //x16 += (x15 >> 28); x15 &= M28L; + x07 -= x16 * L0; // x07:54/28 + x08 -= x16 * L1; // x08:54/53 + x09 -= x16 * L2; // x09:55/53 + x10 -= x16 * L3; // x10:55/52 + x11 -= x16 * L4; // x11:51/41 + + x15 += (x14 >> 28); x14 &= M28L; // x15:28/--, x14:28/-- + x06 -= x15 * L0; // x06:54/32 + x07 -= x15 * L1; // x07:54/53 + x08 -= x15 * L2; // x08:56/-- + x09 -= x15 * L3; // x09:55/54 + x10 -= x15 * L4; // x10:55/53 + + //x14 += (x13 >> 28); x13 &= M28L; + x05 -= x14 * L0; // x05:54/28 + x06 -= x14 * L1; // x06:54/53 + x07 -= x14 * L2; // x07:56/-- + x08 -= x14 * L3; // x08:56/51 + x09 -= x14 * L4; // x09:56/-- + + x13 += (x12 >> 28); x12 &= M28L; // x13:28/22, x12:28/-- + x04 -= x13 * L0; // x04:54/49 + x05 -= x13 * L1; // x05:54/53 + x06 -= x13 * L2; // x06:56/-- + x07 -= x13 * L3; // x07:56/52 + x08 -= x13 * L4; // x08:56/52 + + x12 += (x11 >> 28); x11 &= M28L; // x12:28/24, x11:28/-- + x03 -= x12 * L0; // x03:54/49 + x04 -= x12 * L1; // x04:54/51 + x05 -= x12 * L2; // x05:56/-- + x06 -= x12 * L3; // x06:56/52 + x07 -= x12 * L4; // x07:56/53 + + x11 += (x10 >> 28); x10 &= M28L; // x11:29/--, x10:28/-- + x02 -= x11 * L0; // x02:55/32 + x03 -= x11 * L1; // x03:55/-- + x04 -= x11 * L2; // x04:56/55 + x05 -= x11 * L3; // x05:56/52 + x06 -= x11 * L4; // x06:56/53 + + x10 += (x09 >> 28); x09 &= M28L; // x10:29/--, x09:28/-- + x01 -= x10 * L0; // x01:55/28 + x02 -= x10 * L1; // x02:55/54 + x03 -= x10 * L2; // x03:56/55 + x04 -= x10 * L3; // x04:57/-- + x05 -= x10 * L4; // x05:56/53 + + x08 += (x07 >> 28); x07 &= M28L; // x08:56/53, x07:28/-- + x09 += (x08 >> 28); x08 &= M28L; // x09:29/25, x08:28/-- + + t = (x08 >> 27) & 1L; + x09 += t; // x09:29/26 + + x00 -= x09 * L0; // x00:55/53 + x01 -= x09 * L1; // x01:55/54 + x02 -= x09 * L2; // x02:57/-- + x03 -= x09 * L3; // x03:57/-- + x04 -= x09 * L4; // x04:57/42 + + x01 += (x00 >> 28); x00 &= M28L; + x02 += (x01 >> 28); x01 &= M28L; + x03 += (x02 >> 28); x02 &= M28L; + x04 += (x03 >> 28); x03 &= M28L; + x05 += (x04 >> 28); x04 &= M28L; + x06 += (x05 >> 28); x05 &= M28L; + x07 += (x06 >> 28); x06 &= M28L; + x08 += (x07 >> 28); x07 &= M28L; + x09 = (x08 >> 28); x08 &= M28L; + + x09 -= t; + + Debug.Assert(x09 == 0L || x09 == -1L); + + x00 += x09 & L0; + x01 += x09 & L1; + x02 += x09 & L2; + x03 += x09 & L3; + x04 += x09 & L4; + + x01 += (x00 >> 28); x00 &= M28L; + x02 += (x01 >> 28); x01 &= M28L; + x03 += (x02 >> 28); x02 &= M28L; + x04 += (x03 >> 28); x03 &= M28L; + x05 += (x04 >> 28); x04 &= M28L; + x06 += (x05 >> 28); x05 &= M28L; + x07 += (x06 >> 28); x06 &= M28L; + x08 += (x07 >> 28); x07 &= M28L; + + Encode56((ulong)(x00 | (x01 << 28)), r); + Encode56((ulong)(x02 | (x03 << 28)), r[7..]); + Encode56((ulong)(x04 | (x05 << 28)), r[14..]); + Encode56((ulong)(x06 | (x07 << 28)), r[21..]); + Encode32((uint)x08, r[28..]); + } +#endif + private static void ScalarMult(byte[] k, ref PointAffine p, ref PointAccum r) { #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER @@ -1634,6 +1885,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 private static void ScalarMultStrausVar(uint[] nb, uint[] np, ref PointAffine p, ref PointAccum r) { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + ScalarMultStrausVar(nb.AsSpan(), np.AsSpan(), ref p, ref r); +#else Precompute(); sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase); @@ -1671,7 +1925,52 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 PointDouble(ref r); } +#endif + } + +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void ScalarMultStrausVar(ReadOnlySpan<uint> nb, ReadOnlySpan<uint> np, ref PointAffine p, + ref PointAccum r) + { + Precompute(); + + sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase); + sbyte[] ws_p = GetWnafVar(np, WnafWidth); + + int count = 1 << (WnafWidth - 2); + PointPrecompZ[] tp = new PointPrecompZ[count]; + Init(out PointTemp t); + PointPrecomputeZ(ref p, tp, count, ref t); + + PointSetNeutral(ref r); + + for (int bit = 252; ;) + { + int wb = ws_b[bit]; + if (wb != 0) + { + int sign = wb >> 31; + int index = (wb ^ sign) >> 1; + + PointAddVar(sign != 0, ref PrecompBaseWnaf[index], ref r, ref t); + } + + int wp = ws_p[bit]; + if (wp != 0) + { + int sign = wp >> 31; + int index = (wp ^ sign) >> 1; + + PointAddVar(sign != 0, ref tp[index], ref r, ref t); + } + + if (--bit < 0) + break; + + PointDouble(ref r); + } } +#endif public static void Sign(byte[] sk, int skOff, byte[] m, int mOff, int mLen, byte[] sig, int sigOff) { diff --git a/crypto/src/math/ec/rfc8032/Ed448.cs b/crypto/src/math/ec/rfc8032/Ed448.cs index b73aaa7f8..aadb974e4 100644 --- a/crypto/src/math/ec/rfc8032/Ed448.cs +++ b/crypto/src/math/ec/rfc8032/Ed448.cs @@ -1,4 +1,7 @@ using System; +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER +using System.Buffers.Binary; +#endif using System.Diagnostics; using Org.BouncyCastle.Crypto; @@ -162,14 +165,46 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 return F.IsZero(t); } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static bool CheckPointVar(ReadOnlySpan<byte> p) + { + if ((p[PointBytes - 1] & 0x7F) != 0x00) + return false; + if (Decode32(p[52..]) < P[13]) + return true; + + int last = p[28] == 0xFF ? 7 : 0; + for (int i = CoordUints - 2; i >= last; --i) + { + if (Decode32(p[(i * 4)..]) < P[i]) + return true; + } + return false; + } + + private static bool CheckScalarVar(ReadOnlySpan<byte> s, Span<uint> n) + { + if (s[ScalarBytes - 1] != 0x00) + return false; + + DecodeScalar(s, n); + return !Nat.Gte(ScalarUints, n, L); + } +#else private static bool CheckPointVar(byte[] p) { if ((p[PointBytes - 1] & 0x7F) != 0x00) return false; + if (Decode32(p, 52) < P[13]) + return true; - uint[] t = new uint[CoordUints]; - Decode32(p, 0, t, 0, CoordUints); - return !Nat.Gte(CoordUints, t, P); + int last = p[28] == 0xFF ? 7 : 0; + for (int i = CoordUints - 2; i >= last; --i) + { + if (Decode32(p, i * 4) < P[i]) + return true; + } + return false; } private static bool CheckScalarVar(byte[] s, uint[] n) @@ -180,6 +215,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 DecodeScalar(s, 0, n); return !Nat.Gte(ScalarUints, n, L); } +#endif private static byte[] Copy(byte[] buf, int off, int len) { @@ -200,11 +236,22 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 private static uint Decode16(byte[] bs, int off) { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + return BinaryPrimitives.ReadUInt16LittleEndian(bs.AsSpan(off)); +#else uint n = bs[off]; n |= (uint)bs[++off] << 8; return n; +#endif } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static uint Decode16(ReadOnlySpan<byte> bs) + { + return BinaryPrimitives.ReadUInt16LittleEndian(bs); + } +#endif + private static uint Decode24(byte[] bs, int off) { uint n = bs[off]; @@ -213,23 +260,33 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 return n; } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static uint Decode24(ReadOnlySpan<byte> bs) + { + uint n = bs[0]; + n |= (uint)bs[1] << 8; + n |= (uint)bs[2] << 16; + return n; + } +#endif + private static uint Decode32(byte[] bs, int off) { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off)); +#else uint n = bs[off]; n |= (uint)bs[++off] << 8; n |= (uint)bs[++off] << 16; n |= (uint)bs[++off] << 24; return n; +#endif } #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER private static uint Decode32(ReadOnlySpan<byte> bs) { - uint n = bs[0]; - n |= (uint)bs[1] << 8; - n |= (uint)bs[2] << 16; - n |= (uint)bs[3] << 24; - return n; + return BinaryPrimitives.ReadUInt32LittleEndian(bs); } #endif @@ -322,13 +379,33 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 bs[++off] = (byte)(n >> 16); } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void Encode24(uint n, Span<byte> bs) + { + bs[0] = (byte)(n); + bs[1] = (byte)(n >> 8); + bs[2] = (byte)(n >> 16); + } +#endif + private static void Encode32(uint n, byte[] bs, int off) { - bs[off] = (byte)(n); - bs[++off] = (byte)(n >> 8); +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n); +#else + bs[ off] = (byte)(n ); + bs[++off] = (byte)(n >> 8); bs[++off] = (byte)(n >> 16); bs[++off] = (byte)(n >> 24); +#endif + } + +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void Encode32(uint n, Span<byte> bs) + { + BinaryPrimitives.WriteUInt32LittleEndian(bs, n); } +#endif private static void Encode56(ulong n, byte[] bs, int off) { @@ -336,6 +413,14 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 Encode24((uint)(n >> 32), bs, off + 4); } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void Encode56(ulong n, Span<byte> bs) + { + Encode32((uint)n, bs); + Encode24((uint)(n >> 32), bs[4..]); + } +#endif + private static int EncodePoint(ref PointProjective p, byte[] r, int rOff) { uint[] x = F.Create(); @@ -438,7 +523,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 return (x[w] >> b) & 15U; } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static sbyte[] GetWnafVar(ReadOnlySpan<uint> n, int width) +#else private static sbyte[] GetWnafVar(uint[] n, int width) +#endif { Debug.Assert(n[ScalarUints - 1] <= L[ScalarUints - 1]); Debug.Assert(2 <= width && width <= 8); @@ -559,6 +648,45 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 if (!CheckContextVar(ctx)) throw new ArgumentException("ctx"); +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + Span<byte> RS = stackalloc byte[PointBytes + ScalarBytes]; + RS.CopyFrom(sig.AsSpan(sigOff, PointBytes + ScalarBytes)); + + var R = RS[..PointBytes]; + var S = RS[PointBytes..]; + + if (!CheckPointVar(R)) + return false; + + Span<uint> nS = stackalloc uint[ScalarUints]; + if (!CheckScalarVar(S, nS)) + return false; + + Init(out PointProjective pA); + if (!DecodePointVar(pk, pkOff, true, ref pA)) + return false; + + IXof d = CreateXof(); + Span<byte> h = stackalloc byte[ScalarBytes * 2]; + + Dom4(d, phflag, ctx); + d.BlockUpdate(R); + d.BlockUpdate(pk.AsSpan(pkOff, PointBytes)); + d.BlockUpdate(m.AsSpan(mOff, mLen)); + d.OutputFinal(h); + + Span<byte> k = stackalloc byte[ScalarBytes]; + ReduceScalar(h, k); + + Span<uint> nA = stackalloc uint[ScalarUints]; + DecodeScalar(k, nA); + + Init(out PointProjective pR); + ScalarMultStrausVar(nS, nA, ref pA, ref pR); + + Span<byte> check = stackalloc byte[PointBytes]; + return 0 != EncodePoint(ref pR, check) && check.SequenceEqual(R); +#else byte[] R = Copy(sig, sigOff, PointBytes); byte[] S = Copy(sig, sigOff + PointBytes, ScalarBytes); @@ -592,6 +720,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 byte[] check = new byte[PointBytes]; return 0 != EncodePoint(ref pR, check, 0) && Arrays.AreEqual(check, R); +#endif } private static void Init(out PointAffine r) @@ -1086,41 +1215,46 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 private static byte[] ReduceScalar(byte[] n) { - ulong x00 = Decode32(n, 0); // x00:32/-- - ulong x01 = (Decode24(n, 4) << 4); // x01:28/-- - ulong x02 = Decode32(n, 7); // x02:32/-- - ulong x03 = (Decode24(n, 11) << 4); // x03:28/-- - ulong x04 = Decode32(n, 14); // x04:32/-- - ulong x05 = (Decode24(n, 18) << 4); // x05:28/-- - ulong x06 = Decode32(n, 21); // x06:32/-- - ulong x07 = (Decode24(n, 25) << 4); // x07:28/-- - ulong x08 = Decode32(n, 28); // x08:32/-- - ulong x09 = (Decode24(n, 32) << 4); // x09:28/-- - ulong x10 = Decode32(n, 35); // x10:32/-- - ulong x11 = (Decode24(n, 39) << 4); // x11:28/-- - ulong x12 = Decode32(n, 42); // x12:32/-- - ulong x13 = (Decode24(n, 46) << 4); // x13:28/-- - ulong x14 = Decode32(n, 49); // x14:32/-- - ulong x15 = (Decode24(n, 53) << 4); // x15:28/-- - ulong x16 = Decode32(n, 56); // x16:32/-- - ulong x17 = (Decode24(n, 60) << 4); // x17:28/-- - ulong x18 = Decode32(n, 63); // x18:32/-- - ulong x19 = (Decode24(n, 67) << 4); // x19:28/-- - ulong x20 = Decode32(n, 70); // x20:32/-- - ulong x21 = (Decode24(n, 74) << 4); // x21:28/-- - ulong x22 = Decode32(n, 77); // x22:32/-- - ulong x23 = (Decode24(n, 81) << 4); // x23:28/-- - ulong x24 = Decode32(n, 84); // x24:32/-- - ulong x25 = (Decode24(n, 88) << 4); // x25:28/-- - ulong x26 = Decode32(n, 91); // x26:32/-- - ulong x27 = (Decode24(n, 95) << 4); // x27:28/-- - ulong x28 = Decode32(n, 98); // x28:32/-- - ulong x29 = (Decode24(n, 102) << 4); // x29:28/-- - ulong x30 = Decode32(n, 105); // x30:32/-- - ulong x31 = (Decode24(n, 109) << 4); // x31:28/-- - ulong x32 = Decode16(n, 112); // x32:16/-- - - // x32 += (x31 >> 28); x31 &= M28UL; + byte[] r = new byte[ScalarBytes]; + +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + ReduceScalar(n, r); +#else + ulong x00 = Decode32(n, 0); // x00:32/-- + ulong x01 = (Decode24(n, 4) << 4); // x01:28/-- + ulong x02 = Decode32(n, 7); // x02:32/-- + ulong x03 = (Decode24(n, 11) << 4); // x03:28/-- + ulong x04 = Decode32(n, 14); // x04:32/-- + ulong x05 = (Decode24(n, 18) << 4); // x05:28/-- + ulong x06 = Decode32(n, 21); // x06:32/-- + ulong x07 = (Decode24(n, 25) << 4); // x07:28/-- + ulong x08 = Decode32(n, 28); // x08:32/-- + ulong x09 = (Decode24(n, 32) << 4); // x09:28/-- + ulong x10 = Decode32(n, 35); // x10:32/-- + ulong x11 = (Decode24(n, 39) << 4); // x11:28/-- + ulong x12 = Decode32(n, 42); // x12:32/-- + ulong x13 = (Decode24(n, 46) << 4); // x13:28/-- + ulong x14 = Decode32(n, 49); // x14:32/-- + ulong x15 = (Decode24(n, 53) << 4); // x15:28/-- + ulong x16 = Decode32(n, 56); // x16:32/-- + ulong x17 = (Decode24(n, 60) << 4); // x17:28/-- + ulong x18 = Decode32(n, 63); // x18:32/-- + ulong x19 = (Decode24(n, 67) << 4); // x19:28/-- + ulong x20 = Decode32(n, 70); // x20:32/-- + ulong x21 = (Decode24(n, 74) << 4); // x21:28/-- + ulong x22 = Decode32(n, 77); // x22:32/-- + ulong x23 = (Decode24(n, 81) << 4); // x23:28/-- + ulong x24 = Decode32(n, 84); // x24:32/-- + ulong x25 = (Decode24(n, 88) << 4); // x25:28/-- + ulong x26 = Decode32(n, 91); // x26:32/-- + ulong x27 = (Decode24(n, 95) << 4); // x27:28/-- + ulong x28 = Decode32(n, 98); // x28:32/-- + ulong x29 = (Decode24(n, 102) << 4); // x29:28/-- + ulong x30 = Decode32(n, 105); // x30:32/-- + ulong x31 = (Decode24(n, 109) << 4); // x31:28/-- + ulong x32 = Decode16(n, 112); // x32:16/-- + + //x32 += (x31 >> 28); x31 &= M28UL; x16 += x32 * L4_0; // x16:42/-- x17 += x32 * L4_1; // x17:41/28 x18 += x32 * L4_2; // x18:43/42 @@ -1348,7 +1482,6 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 Debug.Assert(x15 >> 26 == 0UL); - byte[] r = new byte[ScalarBytes]; Encode56(x00 | (x01 << 28), r, 0); Encode56(x02 | (x03 << 28), r, 7); Encode56(x04 | (x05 << 28), r, 14); @@ -1358,9 +1491,288 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 Encode56(x12 | (x13 << 28), r, 42); Encode56(x14 | (x15 << 28), r, 49); //r[ScalarBytes - 1] = 0; +#endif + return r; } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void ReduceScalar(ReadOnlySpan<byte> n, Span<byte> r) + { + ulong x00 = Decode32(n[ 0..]); // x00:32/-- + ulong x01 = (Decode24(n[ 4..]) << 4); // x01:28/-- + ulong x02 = Decode32(n[ 7..]); // x02:32/-- + ulong x03 = (Decode24(n[11..]) << 4); // x03:28/-- + ulong x04 = Decode32(n[14..]); // x04:32/-- + ulong x05 = (Decode24(n[18..]) << 4); // x05:28/-- + ulong x06 = Decode32(n[21..]); // x06:32/-- + ulong x07 = (Decode24(n[25..]) << 4); // x07:28/-- + ulong x08 = Decode32(n[28..]); // x08:32/-- + ulong x09 = (Decode24(n[32..]) << 4); // x09:28/-- + ulong x10 = Decode32(n[35..]); // x10:32/-- + ulong x11 = (Decode24(n[39..]) << 4); // x11:28/-- + ulong x12 = Decode32(n[42..]); // x12:32/-- + ulong x13 = (Decode24(n[46..]) << 4); // x13:28/-- + ulong x14 = Decode32(n[49..]); // x14:32/-- + ulong x15 = (Decode24(n[53..]) << 4); // x15:28/-- + ulong x16 = Decode32(n[56..]); // x16:32/-- + ulong x17 = (Decode24(n[60..]) << 4); // x17:28/-- + ulong x18 = Decode32(n[63..]); // x18:32/-- + ulong x19 = (Decode24(n[67..]) << 4); // x19:28/-- + ulong x20 = Decode32(n[70..]); // x20:32/-- + ulong x21 = (Decode24(n[74..]) << 4); // x21:28/-- + ulong x22 = Decode32(n[77..]); // x22:32/-- + ulong x23 = (Decode24(n[81..]) << 4); // x23:28/-- + ulong x24 = Decode32(n[84..]); // x24:32/-- + ulong x25 = (Decode24(n[88..]) << 4); // x25:28/-- + ulong x26 = Decode32(n[91..]); // x26:32/-- + ulong x27 = (Decode24(n[95..]) << 4); // x27:28/-- + ulong x28 = Decode32(n[98..]); // x28:32/-- + ulong x29 = (Decode24(n[102..]) << 4); // x29:28/-- + ulong x30 = Decode32(n[105..]); // x30:32/-- + ulong x31 = (Decode24(n[109..]) << 4); // x31:28/-- + ulong x32 = Decode16(n[112..]); // x32:16/-- + + //x32 += (x31 >> 28); x31 &= M28UL; + x16 += x32 * L4_0; // x16:42/-- + x17 += x32 * L4_1; // x17:41/28 + x18 += x32 * L4_2; // x18:43/42 + x19 += x32 * L4_3; // x19:44/28 + x20 += x32 * L4_4; // x20:43/-- + x21 += x32 * L4_5; // x21:44/28 + x22 += x32 * L4_6; // x22:43/41 + x23 += x32 * L4_7; // x23:45/41 + + x31 += (x30 >> 28); x30 &= M28UL; // x31:28/--, x30:28/-- + x15 += x31 * L4_0; // x15:54/-- + x16 += x31 * L4_1; // x16:53/42 + x17 += x31 * L4_2; // x17:55/54 + x18 += x31 * L4_3; // x18:56/44 + x19 += x31 * L4_4; // x19:55/-- + x20 += x31 * L4_5; // x20:56/43 + x21 += x31 * L4_6; // x21:55/53 + x22 += x31 * L4_7; // x22:57/53 + + //x30 += (x29 >> 28); x29 &= M28UL; + x14 += x30 * L4_0; // x14:54/-- + x15 += x30 * L4_1; // x15:54/53 + x16 += x30 * L4_2; // x16:56/-- + x17 += x30 * L4_3; // x17:57/-- + x18 += x30 * L4_4; // x18:56/55 + x19 += x30 * L4_5; // x19:56/55 + x20 += x30 * L4_6; // x20:57/-- + x21 += x30 * L4_7; // x21:57/56 + + x29 += (x28 >> 28); x28 &= M28UL; // x29:28/--, x28:28/-- + x13 += x29 * L4_0; // x13:54/-- + x14 += x29 * L4_1; // x14:54/53 + x15 += x29 * L4_2; // x15:56/-- + x16 += x29 * L4_3; // x16:57/-- + x17 += x29 * L4_4; // x17:57/55 + x18 += x29 * L4_5; // x18:57/55 + x19 += x29 * L4_6; // x19:57/52 + x20 += x29 * L4_7; // x20:58/52 + + //x28 += (x27 >> 28); x27 &= M28UL; + x12 += x28 * L4_0; // x12:54/-- + x13 += x28 * L4_1; // x13:54/53 + x14 += x28 * L4_2; // x14:56/-- + x15 += x28 * L4_3; // x15:57/-- + x16 += x28 * L4_4; // x16:57/55 + x17 += x28 * L4_5; // x17:58/-- + x18 += x28 * L4_6; // x18:58/-- + x19 += x28 * L4_7; // x19:58/53 + + x27 += (x26 >> 28); x26 &= M28UL; // x27:28/--, x26:28/-- + x11 += x27 * L4_0; // x11:54/-- + x12 += x27 * L4_1; // x12:54/53 + x13 += x27 * L4_2; // x13:56/-- + x14 += x27 * L4_3; // x14:57/-- + x15 += x27 * L4_4; // x15:57/55 + x16 += x27 * L4_5; // x16:58/-- + x17 += x27 * L4_6; // x17:58/56 + x18 += x27 * L4_7; // x18:59/-- + + //x26 += (x25 >> 28); x25 &= M28UL; + x10 += x26 * L4_0; // x10:54/-- + x11 += x26 * L4_1; // x11:54/53 + x12 += x26 * L4_2; // x12:56/-- + x13 += x26 * L4_3; // x13:57/-- + x14 += x26 * L4_4; // x14:57/55 + x15 += x26 * L4_5; // x15:58/-- + x16 += x26 * L4_6; // x16:58/56 + x17 += x26 * L4_7; // x17:59/-- + + x25 += (x24 >> 28); x24 &= M28UL; // x25:28/--, x24:28/-- + x09 += x25 * L4_0; // x09:54/-- + x10 += x25 * L4_1; // x10:54/53 + x11 += x25 * L4_2; // x11:56/-- + x12 += x25 * L4_3; // x12:57/-- + x13 += x25 * L4_4; // x13:57/55 + x14 += x25 * L4_5; // x14:58/-- + x15 += x25 * L4_6; // x15:58/56 + x16 += x25 * L4_7; // x16:59/-- + + x21 += (x20 >> 28); x20 &= M28UL; // x21:58/--, x20:28/-- + x22 += (x21 >> 28); x21 &= M28UL; // x22:57/54, x21:28/-- + x23 += (x22 >> 28); x22 &= M28UL; // x23:45/42, x22:28/-- + x24 += (x23 >> 28); x23 &= M28UL; // x24:28/18, x23:28/-- + + x08 += x24 * L4_0; // x08:54/-- + x09 += x24 * L4_1; // x09:55/-- + x10 += x24 * L4_2; // x10:56/46 + x11 += x24 * L4_3; // x11:57/46 + x12 += x24 * L4_4; // x12:57/55 + x13 += x24 * L4_5; // x13:58/-- + x14 += x24 * L4_6; // x14:58/56 + x15 += x24 * L4_7; // x15:59/-- + + x07 += x23 * L4_0; // x07:54/-- + x08 += x23 * L4_1; // x08:54/53 + x09 += x23 * L4_2; // x09:56/53 + x10 += x23 * L4_3; // x10:57/46 + x11 += x23 * L4_4; // x11:57/55 + x12 += x23 * L4_5; // x12:58/-- + x13 += x23 * L4_6; // x13:58/56 + x14 += x23 * L4_7; // x14:59/-- + + x06 += x22 * L4_0; // x06:54/-- + x07 += x22 * L4_1; // x07:54/53 + x08 += x22 * L4_2; // x08:56/-- + x09 += x22 * L4_3; // x09:57/53 + x10 += x22 * L4_4; // x10:57/55 + x11 += x22 * L4_5; // x11:58/-- + x12 += x22 * L4_6; // x12:58/56 + x13 += x22 * L4_7; // x13:59/-- + + x18 += (x17 >> 28); x17 &= M28UL; // x18:59/31, x17:28/-- + x19 += (x18 >> 28); x18 &= M28UL; // x19:58/54, x18:28/-- + x20 += (x19 >> 28); x19 &= M28UL; // x20:30/29, x19:28/-- + x21 += (x20 >> 28); x20 &= M28UL; // x21:28/03, x20:28/-- + + x05 += x21 * L4_0; // x05:54/-- + x06 += x21 * L4_1; // x06:55/-- + x07 += x21 * L4_2; // x07:56/31 + x08 += x21 * L4_3; // x08:57/31 + x09 += x21 * L4_4; // x09:57/56 + x10 += x21 * L4_5; // x10:58/-- + x11 += x21 * L4_6; // x11:58/56 + x12 += x21 * L4_7; // x12:59/-- + + x04 += x20 * L4_0; // x04:54/-- + x05 += x20 * L4_1; // x05:54/53 + x06 += x20 * L4_2; // x06:56/53 + x07 += x20 * L4_3; // x07:57/31 + x08 += x20 * L4_4; // x08:57/55 + x09 += x20 * L4_5; // x09:58/-- + x10 += x20 * L4_6; // x10:58/56 + x11 += x20 * L4_7; // x11:59/-- + + x03 += x19 * L4_0; // x03:54/-- + x04 += x19 * L4_1; // x04:54/53 + x05 += x19 * L4_2; // x05:56/-- + x06 += x19 * L4_3; // x06:57/53 + x07 += x19 * L4_4; // x07:57/55 + x08 += x19 * L4_5; // x08:58/-- + x09 += x19 * L4_6; // x09:58/56 + x10 += x19 * L4_7; // x10:59/-- + + x15 += (x14 >> 28); x14 &= M28UL; // x15:59/31, x14:28/-- + x16 += (x15 >> 28); x15 &= M28UL; // x16:59/32, x15:28/-- + x17 += (x16 >> 28); x16 &= M28UL; // x17:31/29, x16:28/-- + x18 += (x17 >> 28); x17 &= M28UL; // x18:28/04, x17:28/-- + + x02 += x18 * L4_0; // x02:54/-- + x03 += x18 * L4_1; // x03:55/-- + x04 += x18 * L4_2; // x04:56/32 + x05 += x18 * L4_3; // x05:57/32 + x06 += x18 * L4_4; // x06:57/56 + x07 += x18 * L4_5; // x07:58/-- + x08 += x18 * L4_6; // x08:58/56 + x09 += x18 * L4_7; // x09:59/-- + + x01 += x17 * L4_0; // x01:54/-- + x02 += x17 * L4_1; // x02:54/53 + x03 += x17 * L4_2; // x03:56/53 + x04 += x17 * L4_3; // x04:57/32 + x05 += x17 * L4_4; // x05:57/55 + x06 += x17 * L4_5; // x06:58/-- + x07 += x17 * L4_6; // x07:58/56 + x08 += x17 * L4_7; // x08:59/-- + + x16 *= 4; + x16 += (x15 >> 26); x15 &= M26UL; + x16 += 1; // x16:30/01 + + x00 += x16 * L_0; + x01 += x16 * L_1; + x02 += x16 * L_2; + x03 += x16 * L_3; + x04 += x16 * L_4; + x05 += x16 * L_5; + x06 += x16 * L_6; + x07 += x16 * L_7; + + x01 += (x00 >> 28); x00 &= M28UL; + x02 += (x01 >> 28); x01 &= M28UL; + x03 += (x02 >> 28); x02 &= M28UL; + x04 += (x03 >> 28); x03 &= M28UL; + x05 += (x04 >> 28); x04 &= M28UL; + x06 += (x05 >> 28); x05 &= M28UL; + x07 += (x06 >> 28); x06 &= M28UL; + x08 += (x07 >> 28); x07 &= M28UL; + x09 += (x08 >> 28); x08 &= M28UL; + x10 += (x09 >> 28); x09 &= M28UL; + x11 += (x10 >> 28); x10 &= M28UL; + x12 += (x11 >> 28); x11 &= M28UL; + x13 += (x12 >> 28); x12 &= M28UL; + x14 += (x13 >> 28); x13 &= M28UL; + x15 += (x14 >> 28); x14 &= M28UL; + x16 = (x15 >> 26); x15 &= M26UL; + + x16 -= 1; + + Debug.Assert(x16 == 0UL || x16 == ulong.MaxValue); + + x00 -= x16 & L_0; + x01 -= x16 & L_1; + x02 -= x16 & L_2; + x03 -= x16 & L_3; + x04 -= x16 & L_4; + x05 -= x16 & L_5; + x06 -= x16 & L_6; + x07 -= x16 & L_7; + + x01 += (ulong)((long)x00 >> 28); x00 &= M28UL; + x02 += (ulong)((long)x01 >> 28); x01 &= M28UL; + x03 += (ulong)((long)x02 >> 28); x02 &= M28UL; + x04 += (ulong)((long)x03 >> 28); x03 &= M28UL; + x05 += (ulong)((long)x04 >> 28); x04 &= M28UL; + x06 += (ulong)((long)x05 >> 28); x05 &= M28UL; + x07 += (ulong)((long)x06 >> 28); x06 &= M28UL; + x08 += (ulong)((long)x07 >> 28); x07 &= M28UL; + x09 += (ulong)((long)x08 >> 28); x08 &= M28UL; + x10 += (ulong)((long)x09 >> 28); x09 &= M28UL; + x11 += (ulong)((long)x10 >> 28); x10 &= M28UL; + x12 += (ulong)((long)x11 >> 28); x11 &= M28UL; + x13 += (ulong)((long)x12 >> 28); x12 &= M28UL; + x14 += (ulong)((long)x13 >> 28); x13 &= M28UL; + x15 += (ulong)((long)x14 >> 28); x14 &= M28UL; + + Debug.Assert(x15 >> 26 == 0UL); + + Encode56(x00 | (x01 << 28), r); + Encode56(x02 | (x03 << 28), r[7..]); + Encode56(x04 | (x05 << 28), r[14..]); + Encode56(x06 | (x07 << 28), r[21..]); + Encode56(x08 | (x09 << 28), r[28..]); + Encode56(x10 | (x11 << 28), r[35..]); + Encode56(x12 | (x13 << 28), r[42..]); + Encode56(x14 | (x15 << 28), r[49..]); + //r[ScalarBytes - 1] = 0; + } +#endif + private static void ScalarMult(byte[] k, ref PointProjective p, ref PointProjective r) { #if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER @@ -1657,6 +2069,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 private static void ScalarMultStrausVar(uint[] nb, uint[] np, ref PointProjective p, ref PointProjective r) { +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + ScalarMultStrausVar(nb.AsSpan(), np.AsSpan(), ref p, ref r); +#else Precompute(); sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase); @@ -1693,8 +2108,52 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 PointDouble(ref r); } +#endif } +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static void ScalarMultStrausVar(ReadOnlySpan<uint> nb, ReadOnlySpan<uint> np, ref PointProjective p, + ref PointProjective r) + { + Precompute(); + + sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase); + sbyte[] ws_p = GetWnafVar(np, WnafWidth); + + int count = 1 << (WnafWidth - 2); + PointProjective[] tp = new PointProjective[count]; + PointPrecomputeVar(ref p, tp, count); + + PointSetNeutral(ref r); + + for (int bit = 446;;) + { + int wb = ws_b[bit]; + if (wb != 0) + { + int sign = wb >> 31; + int index = (wb ^ sign) >> 1; + + PointAddVar(sign != 0, ref PrecompBaseWnaf[index], ref r); + } + + int wp = ws_p[bit]; + if (wp != 0) + { + int sign = wp >> 31; + int index = (wp ^ sign) >> 1; + + PointAddVar(sign != 0, ref tp[index], ref r); + } + + if (--bit < 0) + break; + + PointDouble(ref r); + } + } +#endif + public static void Sign(byte[] sk, int skOff, byte[] ctx, byte[] m, int mOff, int mLen, byte[] sig, int sigOff) { byte phflag = 0x00; diff --git a/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs b/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs index 29ff67191..db468a046 100644 --- a/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs +++ b/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs @@ -384,6 +384,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("0100000000000000000000000000000000000000000000000000000000000080"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); @@ -427,6 +430,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("0100000000000000000000000000000000000000000000000000000000000080"), 0)); + Assert.IsTrue (Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); diff --git a/crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs b/crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs index 2cfc57016..b4797af26 100644 --- a/crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs +++ b/crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs @@ -481,6 +481,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080"), 0)); + Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); + Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); + Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001"), 0)); @@ -526,6 +529,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080"), 0)); + Assert.IsTrue (Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); + Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); + Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0)); Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0)); Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001"), 0)); |