Refactored BigInteger-dependent code into a subpackage

Sign/verify tests fail, but all other tests pass. The problem is probably in
ScalarOps somewhere.

Author: str4d

src/net/i2p/crypto/eddsa/EdDSAEngine.java

@@ -1,7 +1,6 @@
 package net.i2p.crypto.eddsa;
 
 import java.io.ByteArrayOutputStream;
-import java.math.BigInteger;
 import java.nio.ByteBuffer;
 import java.security.InvalidKeyException;
 import java.security.MessageDigest;
@@ -13,9 +12,8 @@
 import java.util.Arrays;
 
 import net.i2p.crypto.eddsa.math.Curve;
-import net.i2p.crypto.eddsa.math.FieldElement;
 import net.i2p.crypto.eddsa.math.GroupElement;
-import net.i2p.crypto.eddsa.math.LittleEndianEncoding;
+import net.i2p.crypto.eddsa.math.ScalarOps;
 
 /**
  * @author str4d
@@ -25,7 +23,6 @@ public class EdDSAEngine extends Signature {
     private MessageDigest digest;
     private final ByteArrayOutputStream baos;
     private EdDSAKey key;
-    private static final LittleEndianEncoding leEnc = new LittleEndianEncoding();
 
     /**
      * No specific hash requested, allows any EdDSA key.
@@ -112,20 +109,16 @@ protected void engineUpdate(byte[] b, int off, int len)
     @Override
     protected byte[] engineSign() throws SignatureException {
         Curve curve = key.getParams().getCurve();
-        BigInteger l = key.getParams().getL();
-        BigInteger a = ((EdDSAPrivateKey) key).geta();
+        ScalarOps sc = key.getParams().getScalarOps();
+        byte[] a = ((EdDSAPrivateKey) key).geta();
 
         byte[] message = baos.toByteArray();
         // r = H(h_b,...,h_2b-1,M)
         byte[] r = digest.digest(message);
-        // From the Ed25519 paper:
-        // Here we interpret 2b-bit strings in little-endian form as integers in
-        // {0, 1,..., 2^(2b)-1}.
-        BigInteger rBI = leEnc.decode(r);
 
         // r mod l
         // Reduces r from 64 bytes to 32 bytes
-        r = leEnc.encode(rBI.mod(l), curve.getField().getb()/8);
+        r = sc.reduce(r);
 
         // R = rB
         GroupElement R = key.getParams().getB().scalarMultiply(r);
@@ -134,12 +127,14 @@ protected byte[] engineSign() throws SignatureException {
         // S = (r + H(Rbar,Abar,M)*a) mod l
         digest.update(Rbyte);
         digest.update(((EdDSAPrivateKey) key).getAbyte());
-        FieldElement S = curve.fromBigInteger(leEnc.decode(digest.digest(message)).multiply(a).add(rBI).mod(l));
+        byte[] h = digest.digest(message);
+        h = sc.reduce(h);
+        byte[] S = sc.multiplyAndAdd(h, a, r);
 
         // R+S
         int b = curve.getField().getb();
         ByteBuffer out = ByteBuffer.allocate(b/4);
-        out.put(Rbyte).put(S.toByteArray());
+        out.put(Rbyte).put(S);
         return out.array();
     }
 
@@ -158,7 +153,7 @@ protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
         byte[] h = digest.digest(message);
 
         // h mod l
-        h = leEnc.encode(leEnc.decode(h).mod(key.getParams().getL()), b/8);
+        h = key.getParams().getScalarOps().reduce(h);
 
         byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
         // R = SB - H(Rbar,Abar,M)A

src/net/i2p/crypto/eddsa/EdDSAPrivateKey.java

@@ -1,6 +1,5 @@
 package net.i2p.crypto.eddsa;
 
-import java.math.BigInteger;
 import java.security.PrivateKey;
 
 import net.i2p.crypto.eddsa.math.GroupElement;
@@ -16,7 +15,7 @@ public class EdDSAPrivateKey implements EdDSAKey, PrivateKey {
     private static final long serialVersionUID = 23495873459878957L;
     private transient final byte[] seed;
     private transient final byte[] h;
-    private transient final BigInteger a;
+    private transient final byte[] a;
     private transient final GroupElement A;
     private transient final byte[] Abyte;
     private transient final EdDSAParameterSpec edDsaSpec;
@@ -55,7 +54,7 @@ public byte[] getH() {
         return h;
     }
 
-    public BigInteger geta() {
+    public byte[] geta() {
         return a;
     }
 

src/net/i2p/crypto/eddsa/Utils.java

@@ -36,4 +36,19 @@ public static int negative(int b) {
     public static int bit(byte[] h, int i) {
         return (h[i/8] >> (i%8)) & 1;
     }
+
+    /**
+     * Converts a hex string to bytes.
+     * @param s the hex string to be converted.
+     * @return the byte[]
+     */
+    public static byte[] hexToBytes(String s) {
+        int len = s.length();
+        byte[] data = new byte[len / 2];
+        for (int i = 0; i < len; i += 2) {
+            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
+                    + Character.digit(s.charAt(i+1), 16));
+        }
+        return data;
+    }
 }

src/net/i2p/crypto/eddsa/math/Constants.java

@@ -1,12 +1,12 @@
 package net.i2p.crypto.eddsa.math;
 
-import java.math.BigInteger;
+import net.i2p.crypto.eddsa.Utils;
 
 public class Constants {
-    public static final BigInteger ZERO = BigInteger.ZERO;
-    public static final BigInteger ONE = BigInteger.ONE;
-    public static final BigInteger TWO = BigInteger.valueOf(2);
-    public static final BigInteger FOUR = BigInteger.valueOf(4);
-    public static final BigInteger FIVE = BigInteger.valueOf(5);
-    public static final BigInteger EIGHT = BigInteger.valueOf(8);
+    public static final byte[] ZERO = Utils.hexToBytes("0000000000000000000000000000000000000000000000000000000000000000");
+    public static final byte[] ONE = Utils.hexToBytes("0100000000000000000000000000000000000000000000000000000000000000");
+    public static final byte[] TWO = Utils.hexToBytes("0200000000000000000000000000000000000000000000000000000000000000");
+    public static final byte[] FOUR = Utils.hexToBytes("0400000000000000000000000000000000000000000000000000000000000000");
+    public static final byte[] FIVE = Utils.hexToBytes("0500000000000000000000000000000000000000000000000000000000000000");
+    public static final byte[] EIGHT = Utils.hexToBytes("0800000000000000000000000000000000000000000000000000000000000000");
 }

src/net/i2p/crypto/eddsa/math/Curve.java

@@ -1,7 +1,6 @@
 package net.i2p.crypto.eddsa.math;
 
 import java.io.Serializable;
-import java.math.BigInteger;
 
 /**
  * A twisted Edwards curve.
@@ -14,23 +13,20 @@ public class Curve implements Serializable {
     private final Field f;
     private final FieldElement d;
     private final FieldElement d2;
-    private final FieldElement I;
-    private final FieldElement one;
 
     private final GroupElement zeroP2;
     private final GroupElement zeroP3;
     private final GroupElement zeroPrecomp;
 
-    public Curve(Field f, BigInteger d) {
+    public Curve(Field f, byte[] d) {
         this.f = f;
-        this.d = fromBigInteger(d);
+        this.d = f.fromByteArray(d);
         this.d2 = this.d.add(this.d);
-        this.I = fromBigInteger(Constants.TWO).modPow(f.getQ().subtract(Constants.ONE).divide(Constants.FOUR), f.getQ());
 
-        FieldElement zero = fromBigInteger(Constants.ZERO);
-        one = fromBigInteger(Constants.ONE);
+        FieldElement zero = f.zero;
+        FieldElement one = f.one;
         zeroP2 = GroupElement.p2(this, zero, one, one);
-        zeroP3 = createPoint(Constants.ZERO, Constants.ONE);
+        zeroP3 = GroupElement.p3(this, zero, one, one, zero);
         zeroPrecomp = GroupElement.precomp(this, one, one, zero);
     }
 
@@ -46,14 +42,6 @@ public FieldElement get2D() {
         return d2;
     }
 
-    public FieldElement getI() {
-        return I;
-    }
-
-    public FieldElement getOne() {
-        return one;
-    }
-
     public GroupElement getZero(GroupElement.Representation repr) {
         switch (repr) {
         case P2:
@@ -67,22 +55,8 @@ public GroupElement getZero(GroupElement.Representation repr) {
         }
     }
 
-    public FieldElement fromBigInteger(BigInteger x) {
-        return new FieldElement(f, x);
-    }
-
-    public FieldElement fromByteArray(byte[] x) {
-        return new FieldElement(f, x);
-    }
-
-    public GroupElement createPoint(BigInteger x, BigInteger y) {
-        return createPoint(x, y, false);
-    }
-
-    public GroupElement createPoint(BigInteger x, BigInteger y, boolean precompute) {
-        FieldElement X = fromBigInteger(x);
-        FieldElement Y = fromBigInteger(y);
-        GroupElement ge = GroupElement.p3(this, X, Y, one, X.multiply(Y));
+    public GroupElement createPoint(byte[] P, boolean precompute) {
+        GroupElement ge = new GroupElement(this, P);
         if (precompute)
             ge.precompute(true);
         return ge;

src/net/i2p/crypto/eddsa/math/Encoding.java

@@ -1,16 +1,31 @@
 package net.i2p.crypto.eddsa.math;
 
-import java.math.BigInteger;
-
 /**
  * Common interface for all (b-1)-bit encodings of elements
  * of EdDSA finite fields.
  * @author str4d
  *
  */
-public interface Encoding {
-    public byte[] encode(BigInteger x, int len);
-    public BigInteger decode(byte[] in);
+public abstract class Encoding {
+    protected Field f;
+
+    public void setField(Field f) {
+        this.f = f;
+    }
+
+    /**
+     * Encode a FieldElement in its (b-1)-bit encoding.
+     * @return the (b-1)-bit encoding of this FieldElement.
+     */
+    public abstract byte[] encode(FieldElement x);
+
+    /**
+     * Decode a FieldElement from its (b-1)-bit encoding.
+     * The highest bit is masked out.
+     * @param val the (b-1)-bit encoding of a FieldElement.
+     * @return the FieldElement represented by 'val'.
+     */
+    public abstract FieldElement decode(byte[] in);
 
     /**
      * From the Ed25519 paper:
@@ -20,5 +35,5 @@ public interface Encoding {
      * elements of F_q are {1, 3, 5,..., q-2}.
      * @return
      */
-    public boolean isNegative(BigInteger x);
+    public abstract boolean isNegative(FieldElement x);
 }

src/net/i2p/crypto/eddsa/math/Field.java

@@ -1,7 +1,6 @@
 package net.i2p.crypto.eddsa.math;
 
 import java.io.Serializable;
-import java.math.BigInteger;
 
 /**
  * An EdDSA finite field. Includes several pre-computed values.
@@ -10,55 +9,76 @@
  */
 public class Field implements Serializable {
     private static final long serialVersionUID = 8746587465875676L;
+
+    public final FieldElement zero;
+    public final FieldElement one;
+    public final FieldElement two;
+    public final FieldElement four;
+    public final FieldElement five;
+    public final FieldElement eight;
+
     private final int b;
-    private final BigInteger q;
+    private final FieldElement q;
     /**
      * q-2
      */
-    private final BigInteger qm2;
+    private final FieldElement qm2;
     /**
      * (q-5) / 8
      */
-    private final BigInteger qm5d8;
-    /**
-     * Mask where only the first b-1 bits are set.
-     */
-    private final BigInteger mask;
+    private final FieldElement qm5d8;
     private final Encoding enc;
+    private final FieldElement I;
 
-    public Field(int b, BigInteger q, Encoding enc) {
+    public Field(int b, byte[] q, Encoding enc) {
         this.b = b;
-        this.q = q;
-        this.qm2 = q.subtract(Constants.TWO);
-        this.qm5d8 = q.subtract(Constants.FIVE).divide(Constants.EIGHT);
-        this.mask = Constants.ONE.shiftLeft(b-1).subtract(Constants.ONE);
         this.enc = enc;
+        this.enc.setField(this);
+
+        this.q = fromByteArray(q);
+
+        // Set up constants
+        zero = fromByteArray(Constants.ZERO);
+        one = fromByteArray(Constants.ONE);
+        two = fromByteArray(Constants.TWO);
+        four = fromByteArray(Constants.FOUR);
+        five = fromByteArray(Constants.FIVE);
+        eight = fromByteArray(Constants.EIGHT);
+
+        // Precompute values
+        qm2 = this.q.subtract(two);
+        qm5d8 = this.q.subtract(five).divide(eight);
+        I = two.pow(this.q.subtract(one).divide(four));
+    }
+
+    public FieldElement fromByteArray(byte[] x) {
+        return enc.decode(x);
     }
 
     public int getb() {
         return b;
     }
 
-    public BigInteger getQ() {
+    public FieldElement getQ() {
         return q;
     }
 
-    public BigInteger getQm2() {
+    public FieldElement getQm2() {
         return qm2;
     }
 
-    public BigInteger getQm5d8() {
+    public FieldElement getQm5d8() {
         return qm5d8;
     }
 
-    public BigInteger getMask() {
-        return mask;
-    }
-
     public Encoding getEncoding(){
         return enc;
     }
 
+    public FieldElement getI() {
+        return I;
+    }
+
     @Override
     public int hashCode() {
         return q.hashCode();