diff --git a/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs b/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs
index a50f71972..eeb782d8e 100644
--- a/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs
+++ b/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs
@@ -104,27 +104,36 @@ namespace Org.BouncyCastle.Crypto.Parameters
case Ed25519.Algorithm.Ed25519:
{
if (null != ctx)
- throw new ArgumentException("ctx");
+ throw new ArgumentException(nameof(ctx));
Ed25519.Sign(data, 0, pk, 0, msg, msgOff, msgLen, sig, sigOff);
break;
}
case Ed25519.Algorithm.Ed25519ctx:
{
+ if (null == ctx)
+ throw new ArgumentNullException(nameof(ctx));
+ if (ctx.Length > 255)
+ throw new ArgumentOutOfRangeException(nameof(ctx));
+
Ed25519.Sign(data, 0, pk, 0, ctx, msg, msgOff, msgLen, sig, sigOff);
break;
}
case Ed25519.Algorithm.Ed25519ph:
{
+ if (null == ctx)
+ throw new ArgumentNullException(nameof(ctx));
+ if (ctx.Length > 255)
+ throw new ArgumentOutOfRangeException(nameof(ctx));
if (Ed25519.PrehashSize != msgLen)
- throw new ArgumentException("msgLen");
+ throw new ArgumentException(nameof(msgLen));
Ed25519.SignPrehash(data, 0, pk, 0, ctx, msg, msgOff, sig, sigOff);
break;
}
default:
{
- throw new ArgumentException("algorithm");
+ throw new ArgumentOutOfRangeException(nameof(algorithm));
}
}
}
diff --git a/crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs b/crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs
index 9b94635d5..5465543a8 100644
--- a/crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs
+++ b/crypto/src/crypto/parameters/Ed25519PublicKeyParameters.cs
@@ -60,6 +60,45 @@ namespace Org.BouncyCastle.Crypto.Parameters
return Arrays.Clone(data);
}
+ public bool Verify(Ed25519.Algorithm algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen,
+ byte[] sig, int sigOff)
+ {
+ switch (algorithm)
+ {
+ case Ed25519.Algorithm.Ed25519:
+ {
+ if (null != ctx)
+ throw new ArgumentException(nameof(ctx));
+
+ return Ed25519.Verify(sig, sigOff, data, 0, msg, msgOff, msgLen);
+ }
+ case Ed25519.Algorithm.Ed25519ctx:
+ {
+ if (null == ctx)
+ throw new ArgumentNullException(nameof(ctx));
+ if (ctx.Length > 255)
+ throw new ArgumentOutOfRangeException(nameof(ctx));
+
+ return Ed25519.Verify(sig, sigOff, data, 0, ctx, msg, msgOff, msgLen);
+ }
+ case Ed25519.Algorithm.Ed25519ph:
+ {
+ if (null == ctx)
+ throw new ArgumentNullException(nameof(ctx));
+ if (ctx.Length > 255)
+ throw new ArgumentOutOfRangeException(nameof(ctx));
+ if (Ed25519.PrehashSize != msgLen)
+ throw new ArgumentException(nameof(msgLen));
+
+ return Ed25519.VerifyPrehash(sig, sigOff, data, 0, ctx, msg, msgOff);
+ }
+ default:
+ {
+ throw new ArgumentOutOfRangeException(nameof(algorithm));
+ }
+ }
+ }
+
private static byte[] Validate(byte[] buf)
{
if (buf.Length != KeySize)
diff --git a/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs b/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs
index ac12a2f1d..a9283761b 100644
--- a/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs
+++ b/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs
@@ -103,20 +103,29 @@ namespace Org.BouncyCastle.Crypto.Parameters
{
case Ed448.Algorithm.Ed448:
{
+ if (null == ctx)
+ throw new ArgumentNullException(nameof(ctx));
+ if (ctx.Length > 255)
+ throw new ArgumentOutOfRangeException(nameof(ctx));
+
Ed448.Sign(data, 0, pk, 0, ctx, msg, msgOff, msgLen, sig, sigOff);
break;
}
case Ed448.Algorithm.Ed448ph:
{
+ if (null == ctx)
+ throw new ArgumentNullException(nameof(ctx));
+ if (ctx.Length > 255)
+ throw new ArgumentOutOfRangeException(nameof(ctx));
if (Ed448.PrehashSize != msgLen)
- throw new ArgumentException("msgLen");
+ throw new ArgumentException(nameof(msgLen));
Ed448.SignPrehash(data, 0, pk, 0, ctx, msg, msgOff, sig, sigOff);
break;
}
default:
{
- throw new ArgumentException("algorithm");
+ throw new ArgumentOutOfRangeException(nameof(algorithm));
}
}
}
diff --git a/crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs b/crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs
index 26f6b5ba9..2b12f37e5 100644
--- a/crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs
+++ b/crypto/src/crypto/parameters/Ed448PublicKeyParameters.cs
@@ -60,6 +60,38 @@ namespace Org.BouncyCastle.Crypto.Parameters
return Arrays.Clone(data);
}
+ public bool Verify(Ed448.Algorithm algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen,
+ byte[] sig, int sigOff)
+ {
+ switch (algorithm)
+ {
+ case Ed448.Algorithm.Ed448:
+ {
+ if (null == ctx)
+ throw new ArgumentNullException(nameof(ctx));
+ if (ctx.Length > 255)
+ throw new ArgumentOutOfRangeException(nameof(ctx));
+
+ return Ed448.Verify(sig, sigOff, data, 0, ctx, msg, msgOff, msgLen);
+ }
+ case Ed448.Algorithm.Ed448ph:
+ {
+ if (null == ctx)
+ throw new ArgumentNullException(nameof(ctx));
+ if (ctx.Length > 255)
+ throw new ArgumentOutOfRangeException(nameof(ctx));
+ if (Ed448.PrehashSize != msgLen)
+ throw new ArgumentException(nameof(msgLen));
+
+ return Ed448.VerifyPrehash(sig, sigOff, data, 0, ctx, msg, msgOff);
+ }
+ default:
+ {
+ throw new ArgumentOutOfRangeException(nameof(algorithm));
+ }
+ }
+ }
+
private static byte[] Validate(byte[] buf)
{
if (buf.Length != KeySize)
diff --git a/crypto/src/crypto/signers/Ed25519Signer.cs b/crypto/src/crypto/signers/Ed25519Signer.cs
index 79a2b1202..450eb2913 100644
--- a/crypto/src/crypto/signers/Ed25519Signer.cs
+++ b/crypto/src/crypto/signers/Ed25519Signer.cs
@@ -82,7 +82,7 @@ namespace Org.BouncyCastle.Crypto.Signers
buffer.Reset();
}
- private class Buffer : MemoryStream
+ private sealed class Buffer : MemoryStream
{
internal byte[] GenerateSignature(Ed25519PrivateKeyParameters privateKey)
{
@@ -92,7 +92,7 @@ namespace Org.BouncyCastle.Crypto.Signers
int count = Convert.ToInt32(Length);
byte[] signature = new byte[Ed25519PrivateKeyParameters.SignatureSize];
- privateKey.Sign(Ed25519.Algorithm.Ed25519, null, buf, 0, count, signature, 0);
+ privateKey.Sign(Ed25519.Algorithm.Ed25519, ctx: null, buf, 0, count, signature, 0);
Reset();
return signature;
}
@@ -111,8 +111,7 @@ namespace Org.BouncyCastle.Crypto.Signers
byte[] buf = GetBuffer();
int count = Convert.ToInt32(Length);
- byte[] pk = publicKey.GetEncoded();
- bool result = Ed25519.Verify(signature, 0, pk, 0, buf, 0, count);
+ bool result = publicKey.Verify(Ed25519.Algorithm.Ed25519, ctx: null, buf, 0, count, signature, 0);
Reset();
return result;
}
diff --git a/crypto/src/crypto/signers/Ed25519ctxSigner.cs b/crypto/src/crypto/signers/Ed25519ctxSigner.cs
index 90deb84ef..af813be32 100644
--- a/crypto/src/crypto/signers/Ed25519ctxSigner.cs
+++ b/crypto/src/crypto/signers/Ed25519ctxSigner.cs
@@ -3,7 +3,6 @@ using System.IO;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Math.EC.Rfc8032;
-using Org.BouncyCastle.Utilities;
namespace Org.BouncyCastle.Crypto.Signers
{
@@ -19,7 +18,10 @@ namespace Org.BouncyCastle.Crypto.Signers
public Ed25519ctxSigner(byte[] context)
{
- this.context = Arrays.Clone(context);
+ if (null == context)
+ throw new ArgumentNullException(nameof(context));
+
+ this.context = (byte[])context.Clone();
}
public virtual string AlgorithmName
@@ -85,7 +87,7 @@ namespace Org.BouncyCastle.Crypto.Signers
buffer.Reset();
}
- private class Buffer : MemoryStream
+ private sealed class Buffer : MemoryStream
{
internal byte[] GenerateSignature(Ed25519PrivateKeyParameters privateKey, byte[] ctx)
{
@@ -114,8 +116,7 @@ namespace Org.BouncyCastle.Crypto.Signers
byte[] buf = GetBuffer();
int count = Convert.ToInt32(Length);
- byte[] pk = publicKey.GetEncoded();
- bool result = Ed25519.Verify(signature, 0, pk, 0, ctx, buf, 0, count);
+ bool result = publicKey.Verify(Ed25519.Algorithm.Ed25519ctx, ctx, buf, 0, count, signature, 0);
Reset();
return result;
}
diff --git a/crypto/src/crypto/signers/Ed25519phSigner.cs b/crypto/src/crypto/signers/Ed25519phSigner.cs
index c0fb04ddf..d4ff2aae9 100644
--- a/crypto/src/crypto/signers/Ed25519phSigner.cs
+++ b/crypto/src/crypto/signers/Ed25519phSigner.cs
@@ -19,7 +19,10 @@ namespace Org.BouncyCastle.Crypto.Signers
public Ed25519phSigner(byte[] context)
{
- this.context = Arrays.Clone(context);
+ if (null == context)
+ throw new ArgumentNullException(nameof(context));
+
+ this.context = (byte[])context.Clone();
}
public virtual string AlgorithmName
@@ -88,8 +91,11 @@ namespace Org.BouncyCastle.Crypto.Signers
return false;
}
- byte[] pk = publicKey.GetEncoded();
- return Ed25519.VerifyPrehash(signature, 0, pk, 0, context, prehash);
+ byte[] msg = new byte[Ed25519.PrehashSize];
+ if (Ed25519.PrehashSize != prehash.DoFinal(msg, 0))
+ throw new InvalidOperationException("Prehash digest failed");
+
+ return publicKey.Verify(Ed25519.Algorithm.Ed25519ph, context, msg, 0, Ed25519.PrehashSize, signature, 0);
}
public void Reset()
diff --git a/crypto/src/crypto/signers/Ed448Signer.cs b/crypto/src/crypto/signers/Ed448Signer.cs
index 647a4b451..79c0fefce 100644
--- a/crypto/src/crypto/signers/Ed448Signer.cs
+++ b/crypto/src/crypto/signers/Ed448Signer.cs
@@ -19,7 +19,10 @@ namespace Org.BouncyCastle.Crypto.Signers
public Ed448Signer(byte[] context)
{
- this.context = Arrays.Clone(context);
+ if (null == context)
+ throw new ArgumentNullException(nameof(context));
+
+ this.context = (byte[])context.Clone();
}
public virtual string AlgorithmName
@@ -85,7 +88,7 @@ namespace Org.BouncyCastle.Crypto.Signers
buffer.Reset();
}
- private class Buffer : MemoryStream
+ private sealed class Buffer : MemoryStream
{
internal byte[] GenerateSignature(Ed448PrivateKeyParameters privateKey, byte[] ctx)
{
@@ -114,8 +117,7 @@ namespace Org.BouncyCastle.Crypto.Signers
byte[] buf = GetBuffer();
int count = Convert.ToInt32(Length);
- byte[] pk = publicKey.GetEncoded();
- bool result = Ed448.Verify(signature, 0, pk, 0, ctx, buf, 0, count);
+ bool result = publicKey.Verify(Ed448.Algorithm.Ed448, ctx, buf, 0, count, signature, 0);
Reset();
return result;
}
diff --git a/crypto/src/crypto/signers/Ed448phSigner.cs b/crypto/src/crypto/signers/Ed448phSigner.cs
index 197ac1aaa..75f841923 100644
--- a/crypto/src/crypto/signers/Ed448phSigner.cs
+++ b/crypto/src/crypto/signers/Ed448phSigner.cs
@@ -19,7 +19,10 @@ namespace Org.BouncyCastle.Crypto.Signers
public Ed448phSigner(byte[] context)
{
- this.context = Arrays.Clone(context);
+ if (null == context)
+ throw new ArgumentNullException(nameof(context));
+
+ this.context = (byte[])context.Clone();
}
public virtual string AlgorithmName
@@ -88,8 +91,11 @@ namespace Org.BouncyCastle.Crypto.Signers
return false;
}
- byte[] pk = publicKey.GetEncoded();
- return Ed448.VerifyPrehash(signature, 0, pk, 0, context, prehash);
+ byte[] msg = new byte[Ed448.PrehashSize];
+ if (Ed448.PrehashSize != prehash.OutputFinal(msg, 0, Ed448.PrehashSize))
+ throw new InvalidOperationException("Prehash digest failed");
+
+ return publicKey.Verify(Ed448.Algorithm.Ed448ph, context, msg, 0, Ed448.PrehashSize, signature, 0);
}
public void Reset()
diff --git a/crypto/src/math/ec/rfc7748/X25519Field.cs b/crypto/src/math/ec/rfc7748/X25519Field.cs
index cddf03faa..241710fe9 100644
--- a/crypto/src/math/ec/rfc7748/X25519Field.cs
+++ b/crypto/src/math/ec/rfc7748/X25519Field.cs
@@ -1,4 +1,7 @@
using System;
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+using System.Buffers.Binary;
+#endif
using System.Diagnostics;
#if NETSTANDARD1_0_OR_GREATER || NETCOREAPP1_0_OR_GREATER
using System.Runtime.CompilerServices;
@@ -388,21 +391,21 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
private static uint Decode32(byte[] bs, int off)
{
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off));
+#else
uint n = bs[off];
n |= (uint)bs[++off] << 8;
n |= (uint)bs[++off] << 16;
n |= (uint)bs[++off] << 24;
return n;
+#endif
}
#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
private static uint Decode32(ReadOnlySpan<byte> bs)
{
- uint n = bs[0];
- n |= (uint)bs[1] << 8;
- n |= (uint)bs[2] << 16;
- n |= (uint)bs[3] << 24;
- return n;
+ return BinaryPrimitives.ReadUInt32LittleEndian(bs);
}
#endif
@@ -485,19 +488,20 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
private static void Encode32(uint n, byte[] bs, int off)
{
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n);
+#else
bs[ off] = (byte)(n );
bs[++off] = (byte)(n >> 8);
bs[++off] = (byte)(n >> 16);
bs[++off] = (byte)(n >> 24);
+#endif
}
#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
private static void Encode32(uint n, Span<byte> bs)
{
- bs[0] = (byte)(n );
- bs[1] = (byte)(n >> 8);
- bs[2] = (byte)(n >> 16);
- bs[3] = (byte)(n >> 24);
+ BinaryPrimitives.WriteUInt32LittleEndian(bs, n);
}
#endif
diff --git a/crypto/src/math/ec/rfc7748/X448Field.cs b/crypto/src/math/ec/rfc7748/X448Field.cs
index 67e71afa8..1df837d3a 100644
--- a/crypto/src/math/ec/rfc7748/X448Field.cs
+++ b/crypto/src/math/ec/rfc7748/X448Field.cs
@@ -4,6 +4,7 @@ using System.Diagnostics;
using System.Runtime.CompilerServices;
#endif
#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+using System.Buffers.Binary;
using System.Numerics;
#endif
#if NETCOREAPP3_0_OR_GREATER
@@ -318,21 +319,21 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
private static uint Decode32(byte[] bs, int off)
{
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off));
+#else
uint n = bs[off];
n |= (uint)bs[++off] << 8;
n |= (uint)bs[++off] << 16;
n |= (uint)bs[++off] << 24;
return n;
+#endif
}
#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
private static uint Decode32(ReadOnlySpan<byte> bs)
{
- uint n = bs[0];
- n |= (uint)bs[1] << 8;
- n |= (uint)bs[2] << 16;
- n |= (uint)bs[3] << 24;
- return n;
+ return BinaryPrimitives.ReadUInt32LittleEndian(bs);
}
#endif
@@ -442,19 +443,20 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
private static void Encode32(uint n, byte[] bs, int off)
{
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n);
+#else
bs[ off] = (byte)(n );
bs[++off] = (byte)(n >> 8);
bs[++off] = (byte)(n >> 16);
bs[++off] = (byte)(n >> 24);
+#endif
}
#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
private static void Encode32(uint n, Span<byte> bs)
{
- bs[0] = (byte)(n );
- bs[1] = (byte)(n >> 8);
- bs[2] = (byte)(n >> 16);
- bs[3] = (byte)(n >> 24);
+ BinaryPrimitives.WriteUInt32LittleEndian(bs, n);
}
#endif
diff --git a/crypto/src/math/ec/rfc8032/Ed25519.cs b/crypto/src/math/ec/rfc8032/Ed25519.cs
index f3b63f3b3..82e46aa1f 100644
--- a/crypto/src/math/ec/rfc8032/Ed25519.cs
+++ b/crypto/src/math/ec/rfc8032/Ed25519.cs
@@ -1,4 +1,7 @@
using System;
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+using System.Buffers.Binary;
+#endif
using System.Diagnostics;
using Org.BouncyCastle.Crypto;
@@ -190,12 +193,35 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
return F.IsZero(t);
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static bool CheckPointVar(ReadOnlySpan<byte> p)
+ {
+ if ((Decode32(p[28..]) & 0x7FFFFFFFU) < P[7])
+ return true;
+ for (int i = CoordUints - 2; i >= 0; --i)
+ {
+ if (Decode32(p[(i * 4)..]) < P[i])
+ return true;
+ }
+ return false;
+ }
+
+ private static bool CheckScalarVar(ReadOnlySpan<byte> s, Span<uint> n)
+ {
+ DecodeScalar(s, n);
+ return !Nat.Gte(ScalarUints, n, L);
+ }
+#else
private static bool CheckPointVar(byte[] p)
{
- uint[] t = new uint[CoordUints];
- Decode32(p, 0, t, 0, CoordUints);
- t[CoordUints - 1] &= 0x7FFFFFFFU;
- return !Nat256.Gte(t, P);
+ if ((Decode32(p, 28) & 0x7FFFFFFFU) < P[7])
+ return true;
+ for (int i = CoordUints - 2; i >= 0; --i)
+ {
+ if (Decode32(p, i * 4) < P[i])
+ return true;
+ }
+ return false;
}
private static bool CheckScalarVar(byte[] s, uint[] n)
@@ -203,6 +229,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
DecodeScalar(s, 0, n);
return !Nat256.Gte(n, L);
}
+#endif
private static byte[] Copy(byte[] buf, int off, int len)
{
@@ -213,7 +240,10 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
private static IDigest CreateDigest()
{
- return new Sha512Digest();
+ var d = new Sha512Digest();
+ if (d.GetDigestSize() != 64)
+ throw new InvalidOperationException();
+ return d;
}
public static IDigest CreatePrehash()
@@ -229,23 +259,33 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
return n;
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static uint Decode24(ReadOnlySpan<byte> bs)
+ {
+ uint n = bs[0];
+ n |= (uint)bs[1] << 8;
+ n |= (uint)bs[2] << 16;
+ return n;
+ }
+#endif
+
private static uint Decode32(byte[] bs, int off)
{
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off));
+#else
uint n = bs[off];
n |= (uint)bs[++off] << 8;
n |= (uint)bs[++off] << 16;
n |= (uint)bs[++off] << 24;
return n;
+#endif
}
#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
private static uint Decode32(ReadOnlySpan<byte> bs)
{
- uint n = bs[0];
- n |= (uint)bs[1] << 8;
- n |= (uint)bs[2] << 16;
- n |= (uint)bs[3] << 24;
- return n;
+ return BinaryPrimitives.ReadUInt32LittleEndian(bs);
}
#endif
@@ -335,20 +375,48 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
bs[++off] = (byte)(n >> 16);
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static void Encode24(uint n, Span<byte> bs)
+ {
+ bs[0] = (byte)(n);
+ bs[1] = (byte)(n >> 8);
+ bs[2] = (byte)(n >> 16);
+ }
+#endif
+
private static void Encode32(uint n, byte[] bs, int off)
{
- bs[off] = (byte)(n);
- bs[++off] = (byte)(n >> 8);
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n);
+#else
+ bs[ off] = (byte)(n );
+ bs[++off] = (byte)(n >> 8);
bs[++off] = (byte)(n >> 16);
bs[++off] = (byte)(n >> 24);
+#endif
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static void Encode32(uint n, Span<byte> bs)
+ {
+ BinaryPrimitives.WriteUInt32LittleEndian(bs, n);
+ }
+#endif
+
private static void Encode56(ulong n, byte[] bs, int off)
{
Encode32((uint)n, bs, off);
Encode24((uint)(n >> 32), bs, off + 4);
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static void Encode56(ulong n, Span<byte> bs)
+ {
+ Encode32((uint)n, bs);
+ Encode24((uint)(n >> 32), bs[4..]);
+ }
+#endif
+
private static int EncodePoint(ref PointAccum p, byte[] r, int rOff)
{
#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
@@ -417,7 +485,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
GeneratePublicKey(sk.AsSpan(skOff), pk.AsSpan(pkOff));
#else
IDigest d = CreateDigest();
- byte[] h = new byte[d.GetDigestSize()];
+ byte[] h = new byte[64];
d.BlockUpdate(sk, skOff, SecretKeySize);
d.DoFinal(h, 0);
@@ -433,10 +501,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
public static void GeneratePublicKey(ReadOnlySpan<byte> sk, Span<byte> pk)
{
IDigest d = CreateDigest();
- int digestSize = d.GetDigestSize();
- Span<byte> h = digestSize <= 128
- ? stackalloc byte[digestSize]
- : new byte[digestSize];
+ Span<byte> h = stackalloc byte[64];
d.BlockUpdate(sk[..SecretKeySize]);
d.DoFinal(h);
@@ -458,7 +523,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
return (x[w] >> b) & 15U;
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static sbyte[] GetWnafVar(ReadOnlySpan<uint> n, int width)
+#else
private static sbyte[] GetWnafVar(uint[] n, int width)
+#endif
{
Debug.Assert(n[ScalarUints - 1] <= L[ScalarUints - 1]);
Debug.Assert(2 <= width && width <= 8);
@@ -541,7 +610,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
throw new ArgumentException("ctx");
IDigest d = CreateDigest();
- byte[] h = new byte[d.GetDigestSize()];
+ byte[] h = new byte[64];
d.BlockUpdate(sk, skOff, SecretKeySize);
d.DoFinal(h, 0);
@@ -562,7 +631,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
throw new ArgumentException("ctx");
IDigest d = CreateDigest();
- byte[] h = new byte[d.GetDigestSize()];
+ byte[] h = new byte[64];
d.BlockUpdate(sk, skOff, SecretKeySize);
d.DoFinal(h, 0);
@@ -579,6 +648,45 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
if (!CheckContextVar(ctx, phflag))
throw new ArgumentException("ctx");
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ Span<byte> RS = stackalloc byte[PointBytes + ScalarBytes];
+ RS.CopyFrom(sig.AsSpan(sigOff, PointBytes + ScalarBytes));
+
+ var R = RS[..PointBytes];
+ var S = RS[PointBytes..];
+
+ if (!CheckPointVar(R))
+ return false;
+
+ Span<uint> nS = stackalloc uint[ScalarUints];
+ if (!CheckScalarVar(S, nS))
+ return false;
+
+ Init(out PointAffine pA);
+ if (!DecodePointVar(pk, pkOff, true, ref pA))
+ return false;
+
+ IDigest d = CreateDigest();
+ Span<byte> h = stackalloc byte[64];
+
+ Dom2(d, phflag, ctx);
+ d.BlockUpdate(R);
+ d.BlockUpdate(pk.AsSpan(pkOff, PointBytes));
+ d.BlockUpdate(m.AsSpan(mOff, mLen));
+ d.DoFinal(h);
+
+ Span<byte> k = stackalloc byte[ScalarBytes];
+ ReduceScalar(h, k);
+
+ Span<uint> nA = stackalloc uint[ScalarUints];
+ DecodeScalar(k, nA);
+
+ Init(out PointAccum pR);
+ ScalarMultStrausVar(nS, nA, ref pA, ref pR);
+
+ Span<byte> check = stackalloc byte[PointBytes];
+ return 0 != EncodePoint(ref pR, check) && check.SequenceEqual(R);
+#else
byte[] R = Copy(sig, sigOff, PointBytes);
byte[] S = Copy(sig, sigOff + PointBytes, ScalarBytes);
@@ -594,7 +702,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
return false;
IDigest d = CreateDigest();
- byte[] h = new byte[d.GetDigestSize()];
+ byte[] h = new byte[64];
Dom2(d, phflag, ctx);
d.BlockUpdate(R, 0, PointBytes);
@@ -612,6 +720,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
byte[] check = new byte[PointBytes];
return 0 != EncodePoint(ref pR, check, 0) && Arrays.AreEqual(check, R);
+#endif
}
private static void Init(out PointAccum r)
@@ -1203,6 +1312,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
private static byte[] ReduceScalar(byte[] n)
{
+ byte[] r = new byte[ScalarBytes];
+
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ ReduceScalar(n, r);
+#else
long x00 = Decode32(n, 0) & M32L; // x00:32/--
long x01 = (Decode24(n, 4) << 4) & M32L; // x01:28/--
long x02 = Decode32(n, 7) & M32L; // x02:32/--
@@ -1328,15 +1442,152 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
x07 += (x06 >> 28); x06 &= M28L;
x08 += (x07 >> 28); x07 &= M28L;
- byte[] r = new byte[ScalarBytes];
Encode56((ulong)(x00 | (x01 << 28)), r, 0);
Encode56((ulong)(x02 | (x03 << 28)), r, 7);
Encode56((ulong)(x04 | (x05 << 28)), r, 14);
Encode56((ulong)(x06 | (x07 << 28)), r, 21);
Encode32((uint)x08, r, 28);
+#endif
+
return r;
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static void ReduceScalar(ReadOnlySpan<byte> n, Span<byte> r)
+ {
+ long x00 = Decode32(n[0..]) & M32L; // x00:32/--
+ long x01 = (Decode24(n[4..]) << 4) & M32L; // x01:28/--
+ long x02 = Decode32(n[7..]) & M32L; // x02:32/--
+ long x03 = (Decode24(n[11..]) << 4) & M32L; // x03:28/--
+ long x04 = Decode32(n[14..]) & M32L; // x04:32/--
+ long x05 = (Decode24(n[18..]) << 4) & M32L; // x05:28/--
+ long x06 = Decode32(n[21..]) & M32L; // x06:32/--
+ long x07 = (Decode24(n[25..]) << 4) & M32L; // x07:28/--
+ long x08 = Decode32(n[28..]) & M32L; // x08:32/--
+ long x09 = (Decode24(n[32..]) << 4) & M32L; // x09:28/--
+ long x10 = Decode32(n[35..]) & M32L; // x10:32/--
+ long x11 = (Decode24(n[39..]) << 4) & M32L; // x11:28/--
+ long x12 = Decode32(n[42..]) & M32L; // x12:32/--
+ long x13 = (Decode24(n[46..]) << 4) & M32L; // x13:28/--
+ long x14 = Decode32(n[49..]) & M32L; // x14:32/--
+ long x15 = (Decode24(n[53..]) << 4) & M32L; // x15:28/--
+ long x16 = Decode32(n[56..]) & M32L; // x16:32/--
+ long x17 = (Decode24(n[60..]) << 4) & M32L; // x17:28/--
+ long x18 = n[63] & M08L; // x18:08/--
+ long t;
+
+ //x18 += (x17 >> 28); x17 &= M28L;
+ x09 -= x18 * L0; // x09:34/28
+ x10 -= x18 * L1; // x10:33/30
+ x11 -= x18 * L2; // x11:35/28
+ x12 -= x18 * L3; // x12:32/31
+ x13 -= x18 * L4; // x13:28/21
+
+ x17 += (x16 >> 28); x16 &= M28L; // x17:28/--, x16:28/--
+ x08 -= x17 * L0; // x08:54/32
+ x09 -= x17 * L1; // x09:52/51
+ x10 -= x17 * L2; // x10:55/34
+ x11 -= x17 * L3; // x11:51/36
+ x12 -= x17 * L4; // x12:41/--
+
+ //x16 += (x15 >> 28); x15 &= M28L;
+ x07 -= x16 * L0; // x07:54/28
+ x08 -= x16 * L1; // x08:54/53
+ x09 -= x16 * L2; // x09:55/53
+ x10 -= x16 * L3; // x10:55/52
+ x11 -= x16 * L4; // x11:51/41
+
+ x15 += (x14 >> 28); x14 &= M28L; // x15:28/--, x14:28/--
+ x06 -= x15 * L0; // x06:54/32
+ x07 -= x15 * L1; // x07:54/53
+ x08 -= x15 * L2; // x08:56/--
+ x09 -= x15 * L3; // x09:55/54
+ x10 -= x15 * L4; // x10:55/53
+
+ //x14 += (x13 >> 28); x13 &= M28L;
+ x05 -= x14 * L0; // x05:54/28
+ x06 -= x14 * L1; // x06:54/53
+ x07 -= x14 * L2; // x07:56/--
+ x08 -= x14 * L3; // x08:56/51
+ x09 -= x14 * L4; // x09:56/--
+
+ x13 += (x12 >> 28); x12 &= M28L; // x13:28/22, x12:28/--
+ x04 -= x13 * L0; // x04:54/49
+ x05 -= x13 * L1; // x05:54/53
+ x06 -= x13 * L2; // x06:56/--
+ x07 -= x13 * L3; // x07:56/52
+ x08 -= x13 * L4; // x08:56/52
+
+ x12 += (x11 >> 28); x11 &= M28L; // x12:28/24, x11:28/--
+ x03 -= x12 * L0; // x03:54/49
+ x04 -= x12 * L1; // x04:54/51
+ x05 -= x12 * L2; // x05:56/--
+ x06 -= x12 * L3; // x06:56/52
+ x07 -= x12 * L4; // x07:56/53
+
+ x11 += (x10 >> 28); x10 &= M28L; // x11:29/--, x10:28/--
+ x02 -= x11 * L0; // x02:55/32
+ x03 -= x11 * L1; // x03:55/--
+ x04 -= x11 * L2; // x04:56/55
+ x05 -= x11 * L3; // x05:56/52
+ x06 -= x11 * L4; // x06:56/53
+
+ x10 += (x09 >> 28); x09 &= M28L; // x10:29/--, x09:28/--
+ x01 -= x10 * L0; // x01:55/28
+ x02 -= x10 * L1; // x02:55/54
+ x03 -= x10 * L2; // x03:56/55
+ x04 -= x10 * L3; // x04:57/--
+ x05 -= x10 * L4; // x05:56/53
+
+ x08 += (x07 >> 28); x07 &= M28L; // x08:56/53, x07:28/--
+ x09 += (x08 >> 28); x08 &= M28L; // x09:29/25, x08:28/--
+
+ t = (x08 >> 27) & 1L;
+ x09 += t; // x09:29/26
+
+ x00 -= x09 * L0; // x00:55/53
+ x01 -= x09 * L1; // x01:55/54
+ x02 -= x09 * L2; // x02:57/--
+ x03 -= x09 * L3; // x03:57/--
+ x04 -= x09 * L4; // x04:57/42
+
+ x01 += (x00 >> 28); x00 &= M28L;
+ x02 += (x01 >> 28); x01 &= M28L;
+ x03 += (x02 >> 28); x02 &= M28L;
+ x04 += (x03 >> 28); x03 &= M28L;
+ x05 += (x04 >> 28); x04 &= M28L;
+ x06 += (x05 >> 28); x05 &= M28L;
+ x07 += (x06 >> 28); x06 &= M28L;
+ x08 += (x07 >> 28); x07 &= M28L;
+ x09 = (x08 >> 28); x08 &= M28L;
+
+ x09 -= t;
+
+ Debug.Assert(x09 == 0L || x09 == -1L);
+
+ x00 += x09 & L0;
+ x01 += x09 & L1;
+ x02 += x09 & L2;
+ x03 += x09 & L3;
+ x04 += x09 & L4;
+
+ x01 += (x00 >> 28); x00 &= M28L;
+ x02 += (x01 >> 28); x01 &= M28L;
+ x03 += (x02 >> 28); x02 &= M28L;
+ x04 += (x03 >> 28); x03 &= M28L;
+ x05 += (x04 >> 28); x04 &= M28L;
+ x06 += (x05 >> 28); x05 &= M28L;
+ x07 += (x06 >> 28); x06 &= M28L;
+ x08 += (x07 >> 28); x07 &= M28L;
+
+ Encode56((ulong)(x00 | (x01 << 28)), r);
+ Encode56((ulong)(x02 | (x03 << 28)), r[7..]);
+ Encode56((ulong)(x04 | (x05 << 28)), r[14..]);
+ Encode56((ulong)(x06 | (x07 << 28)), r[21..]);
+ Encode32((uint)x08, r[28..]);
+ }
+#endif
+
private static void ScalarMult(byte[] k, ref PointAffine p, ref PointAccum r)
{
#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
@@ -1634,6 +1885,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
private static void ScalarMultStrausVar(uint[] nb, uint[] np, ref PointAffine p, ref PointAccum r)
{
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ ScalarMultStrausVar(nb.AsSpan(), np.AsSpan(), ref p, ref r);
+#else
Precompute();
sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase);
@@ -1671,7 +1925,52 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
PointDouble(ref r);
}
+#endif
+ }
+
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static void ScalarMultStrausVar(ReadOnlySpan<uint> nb, ReadOnlySpan<uint> np, ref PointAffine p,
+ ref PointAccum r)
+ {
+ Precompute();
+
+ sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase);
+ sbyte[] ws_p = GetWnafVar(np, WnafWidth);
+
+ int count = 1 << (WnafWidth - 2);
+ PointPrecompZ[] tp = new PointPrecompZ[count];
+ Init(out PointTemp t);
+ PointPrecomputeZ(ref p, tp, count, ref t);
+
+ PointSetNeutral(ref r);
+
+ for (int bit = 252; ;)
+ {
+ int wb = ws_b[bit];
+ if (wb != 0)
+ {
+ int sign = wb >> 31;
+ int index = (wb ^ sign) >> 1;
+
+ PointAddVar(sign != 0, ref PrecompBaseWnaf[index], ref r, ref t);
+ }
+
+ int wp = ws_p[bit];
+ if (wp != 0)
+ {
+ int sign = wp >> 31;
+ int index = (wp ^ sign) >> 1;
+
+ PointAddVar(sign != 0, ref tp[index], ref r, ref t);
+ }
+
+ if (--bit < 0)
+ break;
+
+ PointDouble(ref r);
+ }
}
+#endif
public static void Sign(byte[] sk, int skOff, byte[] m, int mOff, int mLen, byte[] sig, int sigOff)
{
diff --git a/crypto/src/math/ec/rfc8032/Ed448.cs b/crypto/src/math/ec/rfc8032/Ed448.cs
index b73aaa7f8..aadb974e4 100644
--- a/crypto/src/math/ec/rfc8032/Ed448.cs
+++ b/crypto/src/math/ec/rfc8032/Ed448.cs
@@ -1,4 +1,7 @@
using System;
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+using System.Buffers.Binary;
+#endif
using System.Diagnostics;
using Org.BouncyCastle.Crypto;
@@ -162,14 +165,46 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
return F.IsZero(t);
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static bool CheckPointVar(ReadOnlySpan<byte> p)
+ {
+ if ((p[PointBytes - 1] & 0x7F) != 0x00)
+ return false;
+ if (Decode32(p[52..]) < P[13])
+ return true;
+
+ int last = p[28] == 0xFF ? 7 : 0;
+ for (int i = CoordUints - 2; i >= last; --i)
+ {
+ if (Decode32(p[(i * 4)..]) < P[i])
+ return true;
+ }
+ return false;
+ }
+
+ private static bool CheckScalarVar(ReadOnlySpan<byte> s, Span<uint> n)
+ {
+ if (s[ScalarBytes - 1] != 0x00)
+ return false;
+
+ DecodeScalar(s, n);
+ return !Nat.Gte(ScalarUints, n, L);
+ }
+#else
private static bool CheckPointVar(byte[] p)
{
if ((p[PointBytes - 1] & 0x7F) != 0x00)
return false;
+ if (Decode32(p, 52) < P[13])
+ return true;
- uint[] t = new uint[CoordUints];
- Decode32(p, 0, t, 0, CoordUints);
- return !Nat.Gte(CoordUints, t, P);
+ int last = p[28] == 0xFF ? 7 : 0;
+ for (int i = CoordUints - 2; i >= last; --i)
+ {
+ if (Decode32(p, i * 4) < P[i])
+ return true;
+ }
+ return false;
}
private static bool CheckScalarVar(byte[] s, uint[] n)
@@ -180,6 +215,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
DecodeScalar(s, 0, n);
return !Nat.Gte(ScalarUints, n, L);
}
+#endif
private static byte[] Copy(byte[] buf, int off, int len)
{
@@ -200,11 +236,22 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
private static uint Decode16(byte[] bs, int off)
{
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ return BinaryPrimitives.ReadUInt16LittleEndian(bs.AsSpan(off));
+#else
uint n = bs[off];
n |= (uint)bs[++off] << 8;
return n;
+#endif
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static uint Decode16(ReadOnlySpan<byte> bs)
+ {
+ return BinaryPrimitives.ReadUInt16LittleEndian(bs);
+ }
+#endif
+
private static uint Decode24(byte[] bs, int off)
{
uint n = bs[off];
@@ -213,23 +260,33 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
return n;
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static uint Decode24(ReadOnlySpan<byte> bs)
+ {
+ uint n = bs[0];
+ n |= (uint)bs[1] << 8;
+ n |= (uint)bs[2] << 16;
+ return n;
+ }
+#endif
+
private static uint Decode32(byte[] bs, int off)
{
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ return BinaryPrimitives.ReadUInt32LittleEndian(bs.AsSpan(off));
+#else
uint n = bs[off];
n |= (uint)bs[++off] << 8;
n |= (uint)bs[++off] << 16;
n |= (uint)bs[++off] << 24;
return n;
+#endif
}
#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
private static uint Decode32(ReadOnlySpan<byte> bs)
{
- uint n = bs[0];
- n |= (uint)bs[1] << 8;
- n |= (uint)bs[2] << 16;
- n |= (uint)bs[3] << 24;
- return n;
+ return BinaryPrimitives.ReadUInt32LittleEndian(bs);
}
#endif
@@ -322,13 +379,33 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
bs[++off] = (byte)(n >> 16);
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static void Encode24(uint n, Span<byte> bs)
+ {
+ bs[0] = (byte)(n);
+ bs[1] = (byte)(n >> 8);
+ bs[2] = (byte)(n >> 16);
+ }
+#endif
+
private static void Encode32(uint n, byte[] bs, int off)
{
- bs[off] = (byte)(n);
- bs[++off] = (byte)(n >> 8);
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ BinaryPrimitives.WriteUInt32LittleEndian(bs.AsSpan(off), n);
+#else
+ bs[ off] = (byte)(n );
+ bs[++off] = (byte)(n >> 8);
bs[++off] = (byte)(n >> 16);
bs[++off] = (byte)(n >> 24);
+#endif
+ }
+
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static void Encode32(uint n, Span<byte> bs)
+ {
+ BinaryPrimitives.WriteUInt32LittleEndian(bs, n);
}
+#endif
private static void Encode56(ulong n, byte[] bs, int off)
{
@@ -336,6 +413,14 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
Encode24((uint)(n >> 32), bs, off + 4);
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static void Encode56(ulong n, Span<byte> bs)
+ {
+ Encode32((uint)n, bs);
+ Encode24((uint)(n >> 32), bs[4..]);
+ }
+#endif
+
private static int EncodePoint(ref PointProjective p, byte[] r, int rOff)
{
uint[] x = F.Create();
@@ -438,7 +523,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
return (x[w] >> b) & 15U;
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static sbyte[] GetWnafVar(ReadOnlySpan<uint> n, int width)
+#else
private static sbyte[] GetWnafVar(uint[] n, int width)
+#endif
{
Debug.Assert(n[ScalarUints - 1] <= L[ScalarUints - 1]);
Debug.Assert(2 <= width && width <= 8);
@@ -559,6 +648,45 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
if (!CheckContextVar(ctx))
throw new ArgumentException("ctx");
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ Span<byte> RS = stackalloc byte[PointBytes + ScalarBytes];
+ RS.CopyFrom(sig.AsSpan(sigOff, PointBytes + ScalarBytes));
+
+ var R = RS[..PointBytes];
+ var S = RS[PointBytes..];
+
+ if (!CheckPointVar(R))
+ return false;
+
+ Span<uint> nS = stackalloc uint[ScalarUints];
+ if (!CheckScalarVar(S, nS))
+ return false;
+
+ Init(out PointProjective pA);
+ if (!DecodePointVar(pk, pkOff, true, ref pA))
+ return false;
+
+ IXof d = CreateXof();
+ Span<byte> h = stackalloc byte[ScalarBytes * 2];
+
+ Dom4(d, phflag, ctx);
+ d.BlockUpdate(R);
+ d.BlockUpdate(pk.AsSpan(pkOff, PointBytes));
+ d.BlockUpdate(m.AsSpan(mOff, mLen));
+ d.OutputFinal(h);
+
+ Span<byte> k = stackalloc byte[ScalarBytes];
+ ReduceScalar(h, k);
+
+ Span<uint> nA = stackalloc uint[ScalarUints];
+ DecodeScalar(k, nA);
+
+ Init(out PointProjective pR);
+ ScalarMultStrausVar(nS, nA, ref pA, ref pR);
+
+ Span<byte> check = stackalloc byte[PointBytes];
+ return 0 != EncodePoint(ref pR, check) && check.SequenceEqual(R);
+#else
byte[] R = Copy(sig, sigOff, PointBytes);
byte[] S = Copy(sig, sigOff + PointBytes, ScalarBytes);
@@ -592,6 +720,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
byte[] check = new byte[PointBytes];
return 0 != EncodePoint(ref pR, check, 0) && Arrays.AreEqual(check, R);
+#endif
}
private static void Init(out PointAffine r)
@@ -1086,41 +1215,46 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
private static byte[] ReduceScalar(byte[] n)
{
- ulong x00 = Decode32(n, 0); // x00:32/--
- ulong x01 = (Decode24(n, 4) << 4); // x01:28/--
- ulong x02 = Decode32(n, 7); // x02:32/--
- ulong x03 = (Decode24(n, 11) << 4); // x03:28/--
- ulong x04 = Decode32(n, 14); // x04:32/--
- ulong x05 = (Decode24(n, 18) << 4); // x05:28/--
- ulong x06 = Decode32(n, 21); // x06:32/--
- ulong x07 = (Decode24(n, 25) << 4); // x07:28/--
- ulong x08 = Decode32(n, 28); // x08:32/--
- ulong x09 = (Decode24(n, 32) << 4); // x09:28/--
- ulong x10 = Decode32(n, 35); // x10:32/--
- ulong x11 = (Decode24(n, 39) << 4); // x11:28/--
- ulong x12 = Decode32(n, 42); // x12:32/--
- ulong x13 = (Decode24(n, 46) << 4); // x13:28/--
- ulong x14 = Decode32(n, 49); // x14:32/--
- ulong x15 = (Decode24(n, 53) << 4); // x15:28/--
- ulong x16 = Decode32(n, 56); // x16:32/--
- ulong x17 = (Decode24(n, 60) << 4); // x17:28/--
- ulong x18 = Decode32(n, 63); // x18:32/--
- ulong x19 = (Decode24(n, 67) << 4); // x19:28/--
- ulong x20 = Decode32(n, 70); // x20:32/--
- ulong x21 = (Decode24(n, 74) << 4); // x21:28/--
- ulong x22 = Decode32(n, 77); // x22:32/--
- ulong x23 = (Decode24(n, 81) << 4); // x23:28/--
- ulong x24 = Decode32(n, 84); // x24:32/--
- ulong x25 = (Decode24(n, 88) << 4); // x25:28/--
- ulong x26 = Decode32(n, 91); // x26:32/--
- ulong x27 = (Decode24(n, 95) << 4); // x27:28/--
- ulong x28 = Decode32(n, 98); // x28:32/--
- ulong x29 = (Decode24(n, 102) << 4); // x29:28/--
- ulong x30 = Decode32(n, 105); // x30:32/--
- ulong x31 = (Decode24(n, 109) << 4); // x31:28/--
- ulong x32 = Decode16(n, 112); // x32:16/--
-
- // x32 += (x31 >> 28); x31 &= M28UL;
+ byte[] r = new byte[ScalarBytes];
+
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ ReduceScalar(n, r);
+#else
+ ulong x00 = Decode32(n, 0); // x00:32/--
+ ulong x01 = (Decode24(n, 4) << 4); // x01:28/--
+ ulong x02 = Decode32(n, 7); // x02:32/--
+ ulong x03 = (Decode24(n, 11) << 4); // x03:28/--
+ ulong x04 = Decode32(n, 14); // x04:32/--
+ ulong x05 = (Decode24(n, 18) << 4); // x05:28/--
+ ulong x06 = Decode32(n, 21); // x06:32/--
+ ulong x07 = (Decode24(n, 25) << 4); // x07:28/--
+ ulong x08 = Decode32(n, 28); // x08:32/--
+ ulong x09 = (Decode24(n, 32) << 4); // x09:28/--
+ ulong x10 = Decode32(n, 35); // x10:32/--
+ ulong x11 = (Decode24(n, 39) << 4); // x11:28/--
+ ulong x12 = Decode32(n, 42); // x12:32/--
+ ulong x13 = (Decode24(n, 46) << 4); // x13:28/--
+ ulong x14 = Decode32(n, 49); // x14:32/--
+ ulong x15 = (Decode24(n, 53) << 4); // x15:28/--
+ ulong x16 = Decode32(n, 56); // x16:32/--
+ ulong x17 = (Decode24(n, 60) << 4); // x17:28/--
+ ulong x18 = Decode32(n, 63); // x18:32/--
+ ulong x19 = (Decode24(n, 67) << 4); // x19:28/--
+ ulong x20 = Decode32(n, 70); // x20:32/--
+ ulong x21 = (Decode24(n, 74) << 4); // x21:28/--
+ ulong x22 = Decode32(n, 77); // x22:32/--
+ ulong x23 = (Decode24(n, 81) << 4); // x23:28/--
+ ulong x24 = Decode32(n, 84); // x24:32/--
+ ulong x25 = (Decode24(n, 88) << 4); // x25:28/--
+ ulong x26 = Decode32(n, 91); // x26:32/--
+ ulong x27 = (Decode24(n, 95) << 4); // x27:28/--
+ ulong x28 = Decode32(n, 98); // x28:32/--
+ ulong x29 = (Decode24(n, 102) << 4); // x29:28/--
+ ulong x30 = Decode32(n, 105); // x30:32/--
+ ulong x31 = (Decode24(n, 109) << 4); // x31:28/--
+ ulong x32 = Decode16(n, 112); // x32:16/--
+
+ //x32 += (x31 >> 28); x31 &= M28UL;
x16 += x32 * L4_0; // x16:42/--
x17 += x32 * L4_1; // x17:41/28
x18 += x32 * L4_2; // x18:43/42
@@ -1348,7 +1482,6 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
Debug.Assert(x15 >> 26 == 0UL);
- byte[] r = new byte[ScalarBytes];
Encode56(x00 | (x01 << 28), r, 0);
Encode56(x02 | (x03 << 28), r, 7);
Encode56(x04 | (x05 << 28), r, 14);
@@ -1358,9 +1491,288 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
Encode56(x12 | (x13 << 28), r, 42);
Encode56(x14 | (x15 << 28), r, 49);
//r[ScalarBytes - 1] = 0;
+#endif
+
return r;
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static void ReduceScalar(ReadOnlySpan<byte> n, Span<byte> r)
+ {
+ ulong x00 = Decode32(n[ 0..]); // x00:32/--
+ ulong x01 = (Decode24(n[ 4..]) << 4); // x01:28/--
+ ulong x02 = Decode32(n[ 7..]); // x02:32/--
+ ulong x03 = (Decode24(n[11..]) << 4); // x03:28/--
+ ulong x04 = Decode32(n[14..]); // x04:32/--
+ ulong x05 = (Decode24(n[18..]) << 4); // x05:28/--
+ ulong x06 = Decode32(n[21..]); // x06:32/--
+ ulong x07 = (Decode24(n[25..]) << 4); // x07:28/--
+ ulong x08 = Decode32(n[28..]); // x08:32/--
+ ulong x09 = (Decode24(n[32..]) << 4); // x09:28/--
+ ulong x10 = Decode32(n[35..]); // x10:32/--
+ ulong x11 = (Decode24(n[39..]) << 4); // x11:28/--
+ ulong x12 = Decode32(n[42..]); // x12:32/--
+ ulong x13 = (Decode24(n[46..]) << 4); // x13:28/--
+ ulong x14 = Decode32(n[49..]); // x14:32/--
+ ulong x15 = (Decode24(n[53..]) << 4); // x15:28/--
+ ulong x16 = Decode32(n[56..]); // x16:32/--
+ ulong x17 = (Decode24(n[60..]) << 4); // x17:28/--
+ ulong x18 = Decode32(n[63..]); // x18:32/--
+ ulong x19 = (Decode24(n[67..]) << 4); // x19:28/--
+ ulong x20 = Decode32(n[70..]); // x20:32/--
+ ulong x21 = (Decode24(n[74..]) << 4); // x21:28/--
+ ulong x22 = Decode32(n[77..]); // x22:32/--
+ ulong x23 = (Decode24(n[81..]) << 4); // x23:28/--
+ ulong x24 = Decode32(n[84..]); // x24:32/--
+ ulong x25 = (Decode24(n[88..]) << 4); // x25:28/--
+ ulong x26 = Decode32(n[91..]); // x26:32/--
+ ulong x27 = (Decode24(n[95..]) << 4); // x27:28/--
+ ulong x28 = Decode32(n[98..]); // x28:32/--
+ ulong x29 = (Decode24(n[102..]) << 4); // x29:28/--
+ ulong x30 = Decode32(n[105..]); // x30:32/--
+ ulong x31 = (Decode24(n[109..]) << 4); // x31:28/--
+ ulong x32 = Decode16(n[112..]); // x32:16/--
+
+ //x32 += (x31 >> 28); x31 &= M28UL;
+ x16 += x32 * L4_0; // x16:42/--
+ x17 += x32 * L4_1; // x17:41/28
+ x18 += x32 * L4_2; // x18:43/42
+ x19 += x32 * L4_3; // x19:44/28
+ x20 += x32 * L4_4; // x20:43/--
+ x21 += x32 * L4_5; // x21:44/28
+ x22 += x32 * L4_6; // x22:43/41
+ x23 += x32 * L4_7; // x23:45/41
+
+ x31 += (x30 >> 28); x30 &= M28UL; // x31:28/--, x30:28/--
+ x15 += x31 * L4_0; // x15:54/--
+ x16 += x31 * L4_1; // x16:53/42
+ x17 += x31 * L4_2; // x17:55/54
+ x18 += x31 * L4_3; // x18:56/44
+ x19 += x31 * L4_4; // x19:55/--
+ x20 += x31 * L4_5; // x20:56/43
+ x21 += x31 * L4_6; // x21:55/53
+ x22 += x31 * L4_7; // x22:57/53
+
+ //x30 += (x29 >> 28); x29 &= M28UL;
+ x14 += x30 * L4_0; // x14:54/--
+ x15 += x30 * L4_1; // x15:54/53
+ x16 += x30 * L4_2; // x16:56/--
+ x17 += x30 * L4_3; // x17:57/--
+ x18 += x30 * L4_4; // x18:56/55
+ x19 += x30 * L4_5; // x19:56/55
+ x20 += x30 * L4_6; // x20:57/--
+ x21 += x30 * L4_7; // x21:57/56
+
+ x29 += (x28 >> 28); x28 &= M28UL; // x29:28/--, x28:28/--
+ x13 += x29 * L4_0; // x13:54/--
+ x14 += x29 * L4_1; // x14:54/53
+ x15 += x29 * L4_2; // x15:56/--
+ x16 += x29 * L4_3; // x16:57/--
+ x17 += x29 * L4_4; // x17:57/55
+ x18 += x29 * L4_5; // x18:57/55
+ x19 += x29 * L4_6; // x19:57/52
+ x20 += x29 * L4_7; // x20:58/52
+
+ //x28 += (x27 >> 28); x27 &= M28UL;
+ x12 += x28 * L4_0; // x12:54/--
+ x13 += x28 * L4_1; // x13:54/53
+ x14 += x28 * L4_2; // x14:56/--
+ x15 += x28 * L4_3; // x15:57/--
+ x16 += x28 * L4_4; // x16:57/55
+ x17 += x28 * L4_5; // x17:58/--
+ x18 += x28 * L4_6; // x18:58/--
+ x19 += x28 * L4_7; // x19:58/53
+
+ x27 += (x26 >> 28); x26 &= M28UL; // x27:28/--, x26:28/--
+ x11 += x27 * L4_0; // x11:54/--
+ x12 += x27 * L4_1; // x12:54/53
+ x13 += x27 * L4_2; // x13:56/--
+ x14 += x27 * L4_3; // x14:57/--
+ x15 += x27 * L4_4; // x15:57/55
+ x16 += x27 * L4_5; // x16:58/--
+ x17 += x27 * L4_6; // x17:58/56
+ x18 += x27 * L4_7; // x18:59/--
+
+ //x26 += (x25 >> 28); x25 &= M28UL;
+ x10 += x26 * L4_0; // x10:54/--
+ x11 += x26 * L4_1; // x11:54/53
+ x12 += x26 * L4_2; // x12:56/--
+ x13 += x26 * L4_3; // x13:57/--
+ x14 += x26 * L4_4; // x14:57/55
+ x15 += x26 * L4_5; // x15:58/--
+ x16 += x26 * L4_6; // x16:58/56
+ x17 += x26 * L4_7; // x17:59/--
+
+ x25 += (x24 >> 28); x24 &= M28UL; // x25:28/--, x24:28/--
+ x09 += x25 * L4_0; // x09:54/--
+ x10 += x25 * L4_1; // x10:54/53
+ x11 += x25 * L4_2; // x11:56/--
+ x12 += x25 * L4_3; // x12:57/--
+ x13 += x25 * L4_4; // x13:57/55
+ x14 += x25 * L4_5; // x14:58/--
+ x15 += x25 * L4_6; // x15:58/56
+ x16 += x25 * L4_7; // x16:59/--
+
+ x21 += (x20 >> 28); x20 &= M28UL; // x21:58/--, x20:28/--
+ x22 += (x21 >> 28); x21 &= M28UL; // x22:57/54, x21:28/--
+ x23 += (x22 >> 28); x22 &= M28UL; // x23:45/42, x22:28/--
+ x24 += (x23 >> 28); x23 &= M28UL; // x24:28/18, x23:28/--
+
+ x08 += x24 * L4_0; // x08:54/--
+ x09 += x24 * L4_1; // x09:55/--
+ x10 += x24 * L4_2; // x10:56/46
+ x11 += x24 * L4_3; // x11:57/46
+ x12 += x24 * L4_4; // x12:57/55
+ x13 += x24 * L4_5; // x13:58/--
+ x14 += x24 * L4_6; // x14:58/56
+ x15 += x24 * L4_7; // x15:59/--
+
+ x07 += x23 * L4_0; // x07:54/--
+ x08 += x23 * L4_1; // x08:54/53
+ x09 += x23 * L4_2; // x09:56/53
+ x10 += x23 * L4_3; // x10:57/46
+ x11 += x23 * L4_4; // x11:57/55
+ x12 += x23 * L4_5; // x12:58/--
+ x13 += x23 * L4_6; // x13:58/56
+ x14 += x23 * L4_7; // x14:59/--
+
+ x06 += x22 * L4_0; // x06:54/--
+ x07 += x22 * L4_1; // x07:54/53
+ x08 += x22 * L4_2; // x08:56/--
+ x09 += x22 * L4_3; // x09:57/53
+ x10 += x22 * L4_4; // x10:57/55
+ x11 += x22 * L4_5; // x11:58/--
+ x12 += x22 * L4_6; // x12:58/56
+ x13 += x22 * L4_7; // x13:59/--
+
+ x18 += (x17 >> 28); x17 &= M28UL; // x18:59/31, x17:28/--
+ x19 += (x18 >> 28); x18 &= M28UL; // x19:58/54, x18:28/--
+ x20 += (x19 >> 28); x19 &= M28UL; // x20:30/29, x19:28/--
+ x21 += (x20 >> 28); x20 &= M28UL; // x21:28/03, x20:28/--
+
+ x05 += x21 * L4_0; // x05:54/--
+ x06 += x21 * L4_1; // x06:55/--
+ x07 += x21 * L4_2; // x07:56/31
+ x08 += x21 * L4_3; // x08:57/31
+ x09 += x21 * L4_4; // x09:57/56
+ x10 += x21 * L4_5; // x10:58/--
+ x11 += x21 * L4_6; // x11:58/56
+ x12 += x21 * L4_7; // x12:59/--
+
+ x04 += x20 * L4_0; // x04:54/--
+ x05 += x20 * L4_1; // x05:54/53
+ x06 += x20 * L4_2; // x06:56/53
+ x07 += x20 * L4_3; // x07:57/31
+ x08 += x20 * L4_4; // x08:57/55
+ x09 += x20 * L4_5; // x09:58/--
+ x10 += x20 * L4_6; // x10:58/56
+ x11 += x20 * L4_7; // x11:59/--
+
+ x03 += x19 * L4_0; // x03:54/--
+ x04 += x19 * L4_1; // x04:54/53
+ x05 += x19 * L4_2; // x05:56/--
+ x06 += x19 * L4_3; // x06:57/53
+ x07 += x19 * L4_4; // x07:57/55
+ x08 += x19 * L4_5; // x08:58/--
+ x09 += x19 * L4_6; // x09:58/56
+ x10 += x19 * L4_7; // x10:59/--
+
+ x15 += (x14 >> 28); x14 &= M28UL; // x15:59/31, x14:28/--
+ x16 += (x15 >> 28); x15 &= M28UL; // x16:59/32, x15:28/--
+ x17 += (x16 >> 28); x16 &= M28UL; // x17:31/29, x16:28/--
+ x18 += (x17 >> 28); x17 &= M28UL; // x18:28/04, x17:28/--
+
+ x02 += x18 * L4_0; // x02:54/--
+ x03 += x18 * L4_1; // x03:55/--
+ x04 += x18 * L4_2; // x04:56/32
+ x05 += x18 * L4_3; // x05:57/32
+ x06 += x18 * L4_4; // x06:57/56
+ x07 += x18 * L4_5; // x07:58/--
+ x08 += x18 * L4_6; // x08:58/56
+ x09 += x18 * L4_7; // x09:59/--
+
+ x01 += x17 * L4_0; // x01:54/--
+ x02 += x17 * L4_1; // x02:54/53
+ x03 += x17 * L4_2; // x03:56/53
+ x04 += x17 * L4_3; // x04:57/32
+ x05 += x17 * L4_4; // x05:57/55
+ x06 += x17 * L4_5; // x06:58/--
+ x07 += x17 * L4_6; // x07:58/56
+ x08 += x17 * L4_7; // x08:59/--
+
+ x16 *= 4;
+ x16 += (x15 >> 26); x15 &= M26UL;
+ x16 += 1; // x16:30/01
+
+ x00 += x16 * L_0;
+ x01 += x16 * L_1;
+ x02 += x16 * L_2;
+ x03 += x16 * L_3;
+ x04 += x16 * L_4;
+ x05 += x16 * L_5;
+ x06 += x16 * L_6;
+ x07 += x16 * L_7;
+
+ x01 += (x00 >> 28); x00 &= M28UL;
+ x02 += (x01 >> 28); x01 &= M28UL;
+ x03 += (x02 >> 28); x02 &= M28UL;
+ x04 += (x03 >> 28); x03 &= M28UL;
+ x05 += (x04 >> 28); x04 &= M28UL;
+ x06 += (x05 >> 28); x05 &= M28UL;
+ x07 += (x06 >> 28); x06 &= M28UL;
+ x08 += (x07 >> 28); x07 &= M28UL;
+ x09 += (x08 >> 28); x08 &= M28UL;
+ x10 += (x09 >> 28); x09 &= M28UL;
+ x11 += (x10 >> 28); x10 &= M28UL;
+ x12 += (x11 >> 28); x11 &= M28UL;
+ x13 += (x12 >> 28); x12 &= M28UL;
+ x14 += (x13 >> 28); x13 &= M28UL;
+ x15 += (x14 >> 28); x14 &= M28UL;
+ x16 = (x15 >> 26); x15 &= M26UL;
+
+ x16 -= 1;
+
+ Debug.Assert(x16 == 0UL || x16 == ulong.MaxValue);
+
+ x00 -= x16 & L_0;
+ x01 -= x16 & L_1;
+ x02 -= x16 & L_2;
+ x03 -= x16 & L_3;
+ x04 -= x16 & L_4;
+ x05 -= x16 & L_5;
+ x06 -= x16 & L_6;
+ x07 -= x16 & L_7;
+
+ x01 += (ulong)((long)x00 >> 28); x00 &= M28UL;
+ x02 += (ulong)((long)x01 >> 28); x01 &= M28UL;
+ x03 += (ulong)((long)x02 >> 28); x02 &= M28UL;
+ x04 += (ulong)((long)x03 >> 28); x03 &= M28UL;
+ x05 += (ulong)((long)x04 >> 28); x04 &= M28UL;
+ x06 += (ulong)((long)x05 >> 28); x05 &= M28UL;
+ x07 += (ulong)((long)x06 >> 28); x06 &= M28UL;
+ x08 += (ulong)((long)x07 >> 28); x07 &= M28UL;
+ x09 += (ulong)((long)x08 >> 28); x08 &= M28UL;
+ x10 += (ulong)((long)x09 >> 28); x09 &= M28UL;
+ x11 += (ulong)((long)x10 >> 28); x10 &= M28UL;
+ x12 += (ulong)((long)x11 >> 28); x11 &= M28UL;
+ x13 += (ulong)((long)x12 >> 28); x12 &= M28UL;
+ x14 += (ulong)((long)x13 >> 28); x13 &= M28UL;
+ x15 += (ulong)((long)x14 >> 28); x14 &= M28UL;
+
+ Debug.Assert(x15 >> 26 == 0UL);
+
+ Encode56(x00 | (x01 << 28), r);
+ Encode56(x02 | (x03 << 28), r[7..]);
+ Encode56(x04 | (x05 << 28), r[14..]);
+ Encode56(x06 | (x07 << 28), r[21..]);
+ Encode56(x08 | (x09 << 28), r[28..]);
+ Encode56(x10 | (x11 << 28), r[35..]);
+ Encode56(x12 | (x13 << 28), r[42..]);
+ Encode56(x14 | (x15 << 28), r[49..]);
+ //r[ScalarBytes - 1] = 0;
+ }
+#endif
+
private static void ScalarMult(byte[] k, ref PointProjective p, ref PointProjective r)
{
#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
@@ -1657,6 +2069,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
private static void ScalarMultStrausVar(uint[] nb, uint[] np, ref PointProjective p, ref PointProjective r)
{
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ ScalarMultStrausVar(nb.AsSpan(), np.AsSpan(), ref p, ref r);
+#else
Precompute();
sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase);
@@ -1693,8 +2108,52 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
PointDouble(ref r);
}
+#endif
}
+#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER
+ private static void ScalarMultStrausVar(ReadOnlySpan<uint> nb, ReadOnlySpan<uint> np, ref PointProjective p,
+ ref PointProjective r)
+ {
+ Precompute();
+
+ sbyte[] ws_b = GetWnafVar(nb, WnafWidthBase);
+ sbyte[] ws_p = GetWnafVar(np, WnafWidth);
+
+ int count = 1 << (WnafWidth - 2);
+ PointProjective[] tp = new PointProjective[count];
+ PointPrecomputeVar(ref p, tp, count);
+
+ PointSetNeutral(ref r);
+
+ for (int bit = 446;;)
+ {
+ int wb = ws_b[bit];
+ if (wb != 0)
+ {
+ int sign = wb >> 31;
+ int index = (wb ^ sign) >> 1;
+
+ PointAddVar(sign != 0, ref PrecompBaseWnaf[index], ref r);
+ }
+
+ int wp = ws_p[bit];
+ if (wp != 0)
+ {
+ int sign = wp >> 31;
+ int index = (wp ^ sign) >> 1;
+
+ PointAddVar(sign != 0, ref tp[index], ref r);
+ }
+
+ if (--bit < 0)
+ break;
+
+ PointDouble(ref r);
+ }
+ }
+#endif
+
public static void Sign(byte[] sk, int skOff, byte[] ctx, byte[] m, int mOff, int mLen, byte[] sig, int sigOff)
{
byte phflag = 0x00;
diff --git a/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs b/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs
index 29ff67191..db468a046 100644
--- a/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs
+++ b/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs
@@ -384,6 +384,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests
Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("0100000000000000000000000000000000000000000000000000000000000080"), 0));
+ Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0));
+ Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0));
+ Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0));
Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0));
Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0));
@@ -427,6 +430,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests
Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("0100000000000000000000000000000000000000000000000000000000000080"), 0));
+ Assert.IsTrue (Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0));
+ Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0));
+ Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0));
Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0));
Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0));
diff --git a/crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs b/crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs
index 2cfc57016..b4797af26 100644
--- a/crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs
+++ b/crypto/test/src/math/ec/rfc8032/test/Ed448Test.cs
@@ -481,6 +481,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests
Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080"), 0));
+ Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0));
+ Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0));
+ Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0));
Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0));
Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0));
Assert.IsFalse(Ed448.ValidatePublicKeyFull(Hex.DecodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001"), 0));
@@ -526,6 +529,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests
Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080"), 0));
+ Assert.IsTrue (Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0));
+ Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0));
+ Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0));
Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00"), 0));
Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80"), 0));
Assert.IsFalse(Ed448.ValidatePublicKeyPartial(Hex.DecodeStrict("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001"), 0));
|
