core_ed25519.c (23522B)
1 #define TEST_NAME "core_ed25519" 2 #include "cmptest.h" 3 4 static const unsigned char non_canonical_p[32] = { 5 0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 6 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f 7 }; 8 static const unsigned char non_canonical_invalid_p[32] = { 9 0xf5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 10 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f 11 }; 12 static const unsigned char max_canonical_p[32] = { 13 0xe4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 14 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f 15 }; 16 static const unsigned char L_p1[32] = { 17 0xee, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 18 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 19 }; 20 static const unsigned char L[32] = { 21 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 22 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 23 }; 24 static const unsigned char L_1[32] = { 25 0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 26 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 27 }; 28 static const unsigned char sc_8[32] = { 29 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 30 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 31 }; 32 static const unsigned char sc_highbit[32] = { 33 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 34 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 35 }; 36 37 static void 38 add_P(unsigned char * const S) 39 { 40 static const unsigned char P[32] = { 41 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 42 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 43 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 44 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f 45 }; 46 47 sodium_add(S, P, sizeof P); 48 } 49 50 static void 51 add_l64(unsigned char * const S) 52 { 53 static const unsigned char l[crypto_core_ed25519_NONREDUCEDSCALARBYTES] = 54 { 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 55 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 56 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 57 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 58 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 59 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; 60 61 sodium_add(S, l, sizeof l); 62 } 63 64 int 65 main(void) 66 { 67 unsigned char *h, *r; 68 unsigned char *p, *p2, *p3; 69 unsigned char *sc, *sc2, *sc3; 70 unsigned char *sc64; 71 unsigned char *seed; 72 char *hex; 73 unsigned int i, j; 74 75 h = (unsigned char *) sodium_malloc(crypto_core_ed25519_HASHBYTES); 76 r = (unsigned char *) sodium_malloc(crypto_core_ed25519_UNIFORMBYTES); 77 p = (unsigned char *) sodium_malloc(crypto_core_ed25519_BYTES); 78 for (i = 0; i < 500; i++) { 79 randombytes_buf(r, crypto_core_ed25519_UNIFORMBYTES); 80 if (crypto_core_ed25519_from_uniform(p, r) != 0) { 81 printf("crypto_core_ed25519_from_uniform() failed\n"); 82 } 83 if (crypto_core_ed25519_is_valid_point(p) == 0) { 84 printf("crypto_core_ed25519_from_uniform() returned an invalid point\n"); 85 } 86 crypto_core_ed25519_random(p); 87 if (crypto_core_ed25519_is_valid_point(p) == 0) { 88 printf("crypto_core_ed25519_random() returned an invalid point\n"); 89 } 90 } 91 92 p2 = (unsigned char *) sodium_malloc(crypto_core_ed25519_BYTES); 93 p3 = (unsigned char *) sodium_malloc(crypto_core_ed25519_BYTES); 94 95 crypto_core_ed25519_random(p2); 96 97 j = 1 + (unsigned int) randombytes_uniform(100); 98 memcpy(p3, p, crypto_core_ed25519_BYTES); 99 for (i = 0; i < j; i++) { 100 crypto_core_ed25519_add(p, p, p2); 101 if (crypto_core_ed25519_is_valid_point(p) != 1) { 102 printf("crypto_core_add() returned an invalid point\n"); 103 } 104 } 105 if (memcmp(p, p3, crypto_core_ed25519_BYTES) == 0) { 106 printf("crypto_core_add() failed\n"); 107 } 108 for (i = 0; i < j; i++) { 109 crypto_core_ed25519_sub(p, p, p2); 110 } 111 if (memcmp(p, p3, crypto_core_ed25519_BYTES) != 0) { 112 printf("crypto_core_add() or crypto_core_sub() failed\n"); 113 } 114 sc = (unsigned char *) sodium_malloc(crypto_scalarmult_ed25519_SCALARBYTES); 115 memset(sc, 0, crypto_scalarmult_ed25519_SCALARBYTES); 116 sc[0] = 8; 117 memcpy(p2, p, crypto_core_ed25519_BYTES); 118 memcpy(p3, p, crypto_core_ed25519_BYTES); 119 120 for (i = 0; i < 254; i++) { 121 crypto_core_ed25519_add(p2, p2, p2); 122 } 123 for (i = 0; i < 8; i++) { 124 crypto_core_ed25519_add(p2, p2, p); 125 } 126 if (crypto_scalarmult_ed25519(p3, sc, p) != 0) { 127 printf("crypto_scalarmult_ed25519() failed\n"); 128 } 129 if (memcmp(p2, p3, crypto_core_ed25519_BYTES) != 0) { 130 printf("crypto_scalarmult_ed25519() is inconsistent with crypto_core_ed25519_add()\n"); 131 } 132 133 assert(crypto_core_ed25519_is_valid_point(p) == 1); 134 135 memset(p, 0, crypto_core_ed25519_BYTES); 136 assert(crypto_core_ed25519_is_valid_point(p) == 0); 137 138 p[0] = 1; 139 assert(crypto_core_ed25519_is_valid_point(p) == 0); 140 141 p[0] = 2; 142 assert(crypto_core_ed25519_is_valid_point(p) == 0); 143 144 p[0] = 9; 145 assert(crypto_core_ed25519_is_valid_point(p) == 1); 146 147 assert(crypto_core_ed25519_is_valid_point(max_canonical_p) == 1); 148 assert(crypto_core_ed25519_is_valid_point(non_canonical_invalid_p) == 0); 149 assert(crypto_core_ed25519_is_valid_point(non_canonical_p) == 0); 150 151 memcpy(p2, p, crypto_core_ed25519_BYTES); 152 add_P(p2); 153 crypto_core_ed25519_add(p3, p2, p2); 154 crypto_core_ed25519_sub(p3, p3, p2); 155 assert(memcmp(p2, p, crypto_core_ed25519_BYTES) != 0); 156 assert(memcmp(p3, p, crypto_core_ed25519_BYTES) == 0); 157 158 p[0] = 2; 159 assert(crypto_core_ed25519_add(p3, p2, p) == -1); 160 assert(crypto_core_ed25519_add(p3, p2, non_canonical_p) == 0); 161 assert(crypto_core_ed25519_add(p3, p2, non_canonical_invalid_p) == -1); 162 assert(crypto_core_ed25519_add(p3, p, p3) == -1); 163 assert(crypto_core_ed25519_add(p3, non_canonical_p, p3) == 0); 164 assert(crypto_core_ed25519_add(p3, non_canonical_invalid_p, p3) == -1); 165 166 assert(crypto_core_ed25519_sub(p3, p2, p) == -1); 167 assert(crypto_core_ed25519_sub(p3, p2, non_canonical_p) == 0); 168 assert(crypto_core_ed25519_sub(p3, p2, non_canonical_invalid_p) == -1); 169 assert(crypto_core_ed25519_sub(p3, p, p3) == -1); 170 assert(crypto_core_ed25519_sub(p3, non_canonical_p, p3) == 0); 171 assert(crypto_core_ed25519_sub(p3, non_canonical_invalid_p, p3) == -1); 172 173 for (i = 0; i < 1000; i++) { 174 crypto_core_ed25519_random(p); 175 do { 176 crypto_core_ed25519_scalar_random(sc); 177 } while (sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES)); 178 if (crypto_scalarmult_ed25519_noclamp(p2, sc, p) != 0) { 179 printf("crypto_scalarmult_ed25519_noclamp() failed\n"); 180 } 181 assert(crypto_core_ed25519_is_valid_point(p2)); 182 if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) { 183 printf("crypto_core_ed25519_scalar_invert() failed\n"); 184 } 185 if (crypto_scalarmult_ed25519_noclamp(p3, sc, p2) != 0) { 186 printf("crypto_scalarmult_ed25519_noclamp() failed\n"); 187 } 188 assert(memcmp(p3, p, crypto_core_ed25519_BYTES) == 0); 189 } 190 191 sc64 = (unsigned char *) sodium_malloc(64); 192 crypto_core_ed25519_scalar_random(sc); 193 memcpy(sc64, sc, crypto_core_ed25519_BYTES); 194 memset(sc64 + crypto_core_ed25519_BYTES, 0, 195 64 - crypto_core_ed25519_BYTES); 196 i = (unsigned int) randombytes_uniform(100); 197 do { 198 add_l64(sc64); 199 } while (i-- > 0); 200 crypto_core_ed25519_scalar_reduce(sc64, sc64); 201 if (memcmp(sc64, sc, crypto_core_ed25519_BYTES) != 0) { 202 printf("crypto_core_ed25519_scalar_reduce() failed\n"); 203 } 204 205 randombytes_buf(r, crypto_core_ed25519_UNIFORMBYTES); 206 crypto_core_ed25519_from_uniform(p, r); 207 memcpy(p2, p, crypto_core_ed25519_BYTES); 208 crypto_core_ed25519_scalar_random(sc); 209 if (crypto_scalarmult_ed25519_noclamp(p, sc, p) != 0) { 210 printf("crypto_scalarmult_ed25519_noclamp() failed (1)\n"); 211 } 212 crypto_core_ed25519_scalar_complement(sc, sc); 213 if (crypto_scalarmult_ed25519_noclamp(p2, sc, p2) != 0) { 214 printf("crypto_scalarmult_ed25519_noclamp() failed (2)\n"); 215 } 216 crypto_core_ed25519_add(p3, p, p2); 217 crypto_core_ed25519_from_uniform(p, r); 218 crypto_core_ed25519_sub(p, p, p3); 219 assert(p[0] == 0x01); 220 for (i = 1; i < crypto_core_ed25519_BYTES; i++) { 221 assert(p[i] == 0); 222 } 223 224 crypto_core_ed25519_random(p); 225 memcpy(p2, p, crypto_core_ed25519_BYTES); 226 crypto_core_ed25519_scalar_random(sc); 227 if (crypto_scalarmult_ed25519_noclamp(p, sc, p) != 0) { 228 printf("crypto_scalarmult_ed25519_noclamp() failed (3)\n"); 229 } 230 crypto_core_ed25519_scalar_negate(sc, sc); 231 if (crypto_scalarmult_ed25519_noclamp(p2, sc, p2) != 0) { 232 printf("crypto_scalarmult_ed25519_noclamp() failed (4)\n"); 233 } 234 crypto_core_ed25519_add(p, p, p2); 235 assert(p[0] == 0x01); 236 for (i = 1; i < crypto_core_ed25519_BYTES; i++) { 237 assert(p[i] == 0); 238 } 239 240 hex = (char *) sodium_malloc(crypto_core_ed25519_SCALARBYTES * 2 + 1); 241 242 for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) { 243 sc[i] = 255 - i; 244 } 245 if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) { 246 printf("crypto_core_ed25519_scalar_invert() failed\n"); 247 } 248 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 249 sc, crypto_core_ed25519_SCALARBYTES); 250 printf("inv1: %s\n", hex); 251 if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) { 252 printf("crypto_core_ed25519_scalar_invert() failed\n"); 253 } 254 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 255 sc, crypto_core_ed25519_SCALARBYTES); 256 printf("inv2: %s\n", hex); 257 for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) { 258 sc[i] = 32 - i; 259 } 260 if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) { 261 printf("crypto_core_ed25519_scalar_invert() failed\n"); 262 } 263 264 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 265 sc, crypto_core_ed25519_SCALARBYTES); 266 printf("inv3: %s\n", hex); 267 if (crypto_core_ed25519_scalar_invert(sc, sc) != 0) { 268 printf("crypto_core_ed25519_scalar_invert() failed\n"); 269 } 270 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 271 sc, crypto_core_ed25519_SCALARBYTES); 272 printf("inv4: %s\n", hex); 273 274 for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) { 275 sc[i] = 255 - i; 276 } 277 crypto_core_ed25519_scalar_negate(sc, sc); 278 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 279 sc, crypto_core_ed25519_SCALARBYTES); 280 printf("neg1: %s\n", hex); 281 crypto_core_ed25519_scalar_negate(sc, sc); 282 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 283 sc, crypto_core_ed25519_SCALARBYTES); 284 printf("neg2: %s\n", hex); 285 for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) { 286 sc[i] = 32 - i; 287 } 288 crypto_core_ed25519_scalar_negate(sc, sc); 289 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 290 sc, crypto_core_ed25519_SCALARBYTES); 291 printf("neg3: %s\n", hex); 292 crypto_core_ed25519_scalar_negate(sc, sc); 293 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 294 sc, crypto_core_ed25519_SCALARBYTES); 295 printf("neg4: %s\n", hex); 296 297 for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) { 298 sc[i] = 255 - i; 299 } 300 crypto_core_ed25519_scalar_complement(sc, sc); 301 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 302 sc, crypto_core_ed25519_SCALARBYTES); 303 printf("comp1: %s\n", hex); 304 crypto_core_ed25519_scalar_complement(sc, sc); 305 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 306 sc, crypto_core_ed25519_SCALARBYTES); 307 printf("comp2: %s\n", hex); 308 for (i = 0; i < crypto_core_ed25519_SCALARBYTES; i++) { 309 sc[i] = 32 - i; 310 } 311 crypto_core_ed25519_scalar_complement(sc, sc); 312 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 313 sc, crypto_core_ed25519_SCALARBYTES); 314 printf("comp3: %s\n", hex); 315 crypto_core_ed25519_scalar_complement(sc, sc); 316 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 317 sc, crypto_core_ed25519_SCALARBYTES); 318 printf("comp4: %s\n", hex); 319 320 sc2 = (unsigned char *) sodium_malloc(crypto_core_ed25519_SCALARBYTES); 321 sc3 = (unsigned char *) sodium_malloc(crypto_core_ed25519_SCALARBYTES); 322 for (i = 0; i < 1000; i++) { 323 randombytes_buf(sc, crypto_core_ed25519_SCALARBYTES); 324 randombytes_buf(sc2, crypto_core_ed25519_SCALARBYTES); 325 sc[crypto_core_ed25519_SCALARBYTES - 1] &= 0x7f; 326 sc2[crypto_core_ed25519_SCALARBYTES - 1] &= 0x7f; 327 crypto_core_ed25519_scalar_add(sc3, sc, sc2); 328 assert(!sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES)); 329 crypto_core_ed25519_scalar_sub(sc3, sc3, sc2); 330 assert(!sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES)); 331 crypto_core_ed25519_scalar_sub(sc3, sc3, sc); 332 assert(sodium_is_zero(sc3, crypto_core_ed25519_SCALARBYTES)); 333 } 334 335 memset(sc, 0x69, crypto_core_ed25519_SCALARBYTES); 336 memset(sc2, 0x42, crypto_core_ed25519_SCALARBYTES); 337 crypto_core_ed25519_scalar_add(sc, sc, sc2); 338 crypto_core_ed25519_scalar_add(sc, sc2, sc); 339 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 340 sc, crypto_core_ed25519_SCALARBYTES); 341 printf("add1: %s\n", hex); 342 343 crypto_core_ed25519_scalar_sub(sc, sc2, sc); 344 crypto_core_ed25519_scalar_sub(sc, sc, sc2); 345 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 346 sc, crypto_core_ed25519_SCALARBYTES); 347 printf("sub1: %s\n", hex); 348 349 memset(sc, 0xcd, crypto_core_ed25519_SCALARBYTES); 350 memset(sc2, 0x42, crypto_core_ed25519_SCALARBYTES); 351 crypto_core_ed25519_scalar_add(sc, sc, sc2); 352 crypto_core_ed25519_scalar_add(sc, sc2, sc); 353 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 354 sc, crypto_core_ed25519_SCALARBYTES); 355 printf("add2: %s\n", hex); 356 357 crypto_core_ed25519_scalar_sub(sc, sc2, sc); 358 crypto_core_ed25519_scalar_sub(sc, sc, sc2); 359 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 360 sc, crypto_core_ed25519_SCALARBYTES); 361 printf("sub2: %s\n", hex); 362 363 memset(sc, 0x69, crypto_core_ed25519_SCALARBYTES); 364 memset(sc2, 0x42, crypto_core_ed25519_SCALARBYTES); 365 for (i = 0; i < 100; i++) { 366 crypto_core_ed25519_scalar_mul(sc, sc, sc2); 367 crypto_core_ed25519_scalar_mul(sc2, sc, sc2); 368 } 369 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 370 sc2, crypto_core_ed25519_SCALARBYTES); 371 printf("mul: %s\n", hex); 372 for (i = 0; i < 1000; i++) { 373 crypto_core_ed25519_scalar_random(sc); 374 memset(sc2, 0, crypto_core_ed25519_SCALARBYTES); 375 crypto_core_ed25519_scalar_mul(sc3, sc, sc2); 376 assert(sodium_is_zero(sc3, crypto_core_ed25519_SCALARBYTES)); 377 378 sc2[0]++; 379 crypto_core_ed25519_scalar_mul(sc3, sc, sc2); 380 assert(memcmp(sc3, sc, crypto_core_ed25519_SCALARBYTES) == 0); 381 382 sc2[0]++; 383 crypto_core_ed25519_scalar_mul(sc3, sc, sc2); 384 crypto_core_ed25519_scalar_sub(sc3, sc3, sc); 385 crypto_core_ed25519_scalar_sub(sc3, sc3, sc); 386 assert(sodium_is_zero(sc3, crypto_core_ed25519_SCALARBYTES)); 387 388 do { 389 crypto_core_ed25519_scalar_random(sc2); 390 } while (sodium_is_zero(sc2, crypto_core_ed25519_SCALARBYTES)); 391 crypto_core_ed25519_scalar_mul(sc3, sc, sc2); 392 crypto_core_ed25519_scalar_invert(sc2, sc2); 393 crypto_core_ed25519_scalar_mul(sc3, sc3, sc2); 394 assert(memcmp(sc3, sc, crypto_core_ed25519_SCALARBYTES) == 0); 395 396 sc[31] |= 0x11; 397 memset(sc2, 0, crypto_core_ed25519_SCALARBYTES); 398 sc2[0] = 1; 399 crypto_core_ed25519_scalar_mul(sc3, sc, sc2); 400 assert(memcmp(sc3, sc, crypto_core_ed25519_SCALARBYTES) != 0); 401 } 402 403 seed = (unsigned char *) sodium_malloc(randombytes_SEEDBYTES); 404 for (i = 0; i < 15; i++) { 405 randombytes_buf_deterministic(r, crypto_core_ed25519_UNIFORMBYTES, seed); 406 if (crypto_core_ed25519_from_uniform(p, r) != 0) { 407 printf("crypto_core_ed25519_from_uniform() failed\n"); 408 } 409 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 410 p, crypto_core_ed25519_BYTES); 411 printf("from_uniform_deterministic (%u): %s\n", i, hex); 412 sodium_increment(seed, randombytes_SEEDBYTES); 413 } 414 crypto_core_ed25519_scalar_mul(sc, L_1, sc_8); 415 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 416 sc, crypto_core_ed25519_SCALARBYTES); 417 printf("(L-1)*8: %s\n", hex); 418 crypto_core_ed25519_scalar_mul(sc, sc_8, L_1); 419 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 420 sc, crypto_core_ed25519_SCALARBYTES); 421 printf("8(L-1): %s\n", hex); 422 crypto_core_ed25519_scalar_mul(sc, L_1, L_1); 423 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 424 sc, crypto_core_ed25519_SCALARBYTES); 425 printf("(L-1)^2: %s\n", hex); 426 crypto_core_ed25519_scalar_mul(sc, L, sc_8); 427 428 crypto_core_ed25519_scalar_mul(sc, L_p1, sc_8); 429 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 430 sc, crypto_core_ed25519_SCALARBYTES); 431 printf("(L+1)*8: %s\n", hex); 432 crypto_core_ed25519_scalar_mul(sc, sc_8, L_p1); 433 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 434 sc, crypto_core_ed25519_SCALARBYTES); 435 printf("8(L+1): %s\n", hex); 436 crypto_core_ed25519_scalar_mul(sc, L_p1, L_p1); 437 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 438 sc, crypto_core_ed25519_SCALARBYTES); 439 printf("(L+1)^2: %s\n", hex); 440 441 crypto_core_ed25519_scalar_mul(sc, L_1, sc_highbit); 442 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 443 sc, crypto_core_ed25519_SCALARBYTES); 444 printf("(L-1)h: %s\n", hex); 445 crypto_core_ed25519_scalar_mul(sc, sc_highbit, L_1); 446 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 447 sc, crypto_core_ed25519_SCALARBYTES); 448 printf("h(L-1): %s\n", hex); 449 crypto_core_ed25519_scalar_mul(sc, L_p1, sc_highbit); 450 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 451 sc, crypto_core_ed25519_SCALARBYTES); 452 printf("(L+1)h: %s\n", hex); 453 crypto_core_ed25519_scalar_mul(sc, sc_highbit, L_p1); 454 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 455 sc, crypto_core_ed25519_SCALARBYTES); 456 printf("h(L+1): %s\n", hex); 457 crypto_core_ed25519_scalar_mul(sc, sc_highbit, sc_highbit); 458 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 459 sc, crypto_core_ed25519_SCALARBYTES); 460 printf("h^2: %s\n", hex); 461 462 crypto_core_ed25519_scalar_mul(sc, L, sc_8); 463 assert(sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES)); 464 crypto_core_ed25519_scalar_mul(sc, sc_8, L); 465 assert(sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES)); 466 crypto_core_ed25519_scalar_mul(sc, L, L); 467 assert(sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES)); 468 crypto_core_ed25519_scalar_mul(sc, L, L_1); 469 assert(sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES)); 470 crypto_core_ed25519_scalar_mul(sc, L_1, L); 471 assert(sodium_is_zero(sc, crypto_core_ed25519_SCALARBYTES)); 472 473 crypto_core_ed25519_scalar_add(sc, L_1, sc_8); 474 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 475 sc, crypto_core_ed25519_SCALARBYTES); 476 printf("(L-1)+8: %s\n", hex); 477 crypto_core_ed25519_scalar_add(sc, sc_8, L_1); 478 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 479 sc, crypto_core_ed25519_SCALARBYTES); 480 printf("8+(L-1): %s\n", hex); 481 crypto_core_ed25519_scalar_add(sc, L_1, L_1); 482 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 483 sc, crypto_core_ed25519_SCALARBYTES); 484 printf("(L-1)*2: %s\n", hex); 485 crypto_core_ed25519_scalar_add(sc, L, sc_8); 486 487 crypto_core_ed25519_scalar_add(sc, L_p1, sc_8); 488 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 489 sc, crypto_core_ed25519_SCALARBYTES); 490 printf("(L+1)+8: %s\n", hex); 491 crypto_core_ed25519_scalar_add(sc, sc_8, L_p1); 492 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 493 sc, crypto_core_ed25519_SCALARBYTES); 494 printf("8+(L+1): %s\n", hex); 495 crypto_core_ed25519_scalar_add(sc, L_p1, L_p1); 496 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 497 sc, crypto_core_ed25519_SCALARBYTES); 498 printf("(L+1)*2: %s\n", hex); 499 500 crypto_core_ed25519_scalar_add(sc, L_1, sc_highbit); 501 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 502 sc, crypto_core_ed25519_SCALARBYTES); 503 printf("(L-1)+h: %s\n", hex); 504 crypto_core_ed25519_scalar_add(sc, sc_highbit, L_1); 505 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 506 sc, crypto_core_ed25519_SCALARBYTES); 507 printf("h+(L-1): %s\n", hex); 508 crypto_core_ed25519_scalar_add(sc, L_p1, sc_highbit); 509 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 510 sc, crypto_core_ed25519_SCALARBYTES); 511 printf("(L+1)+h: %s\n", hex); 512 crypto_core_ed25519_scalar_add(sc, sc_highbit, L_p1); 513 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 514 sc, crypto_core_ed25519_SCALARBYTES); 515 printf("h+(L+1): %s\n", hex); 516 crypto_core_ed25519_scalar_add(sc, sc_highbit, sc_highbit); 517 sodium_bin2hex(hex, crypto_core_ed25519_SCALARBYTES * 2 + 1, 518 sc, crypto_core_ed25519_SCALARBYTES); 519 printf("h*2: %s\n", hex); 520 521 sodium_free(seed); 522 sodium_free(hex); 523 sodium_free(sc64); 524 sodium_free(sc3); 525 sodium_free(sc2); 526 sodium_free(sc); 527 sodium_free(p3); 528 sodium_free(p2); 529 sodium_free(p); 530 sodium_free(r); 531 sodium_free(h); 532 533 assert(crypto_core_ed25519_BYTES == crypto_core_ed25519_bytes()); 534 assert(crypto_core_ed25519_SCALARBYTES == crypto_core_ed25519_scalarbytes()); 535 assert(crypto_core_ed25519_NONREDUCEDSCALARBYTES == crypto_core_ed25519_nonreducedscalarbytes()); 536 assert(crypto_core_ed25519_NONREDUCEDSCALARBYTES >= crypto_core_ed25519_SCALARBYTES); 537 assert(crypto_core_ed25519_UNIFORMBYTES == crypto_core_ed25519_uniformbytes()); 538 assert(crypto_core_ed25519_UNIFORMBYTES >= crypto_core_ed25519_BYTES); 539 assert(crypto_core_ed25519_HASHBYTES == crypto_core_ed25519_hashbytes()); 540 assert(crypto_core_ed25519_HASHBYTES >= 2 * crypto_core_ed25519_BYTES); 541 542 printf("OK\n"); 543 544 return 0; 545 }