Merge pull request #3 from str4d/ref10

Cleanups and speedups

Author: str4d

README.md

@@ -5,10 +5,31 @@ This is an implementation of Ed25519 in Java. Structurally, it is based on the r
 
 There are no guarantees that this is secure for use. Tests against [the data from the Python implementation](http://ed25519.cr.yp.to/python/sign.input) are passing, but this has not yet been audited by a professional cryptographer. In particular, this implementation is unlikely to have the constant-time properties of ref10 (for now).
 
+The code requires Java 6 (for e.g. the `Arrays.copyOfRange()` calls in `EdDSAEngine.engineVerify()`).
+
 The JUnit4 tests require the Hamcrest library `hamcrest-all.jar`.
 
 This code is released to the public domain and can be used for any purpose.
 
+Code comparison
+---------------
+
+For ease of following, here are the main methods in ref10 and their equivalents in this codebase:
+
+| EdDSA Operation | ref10 function | Java function |
+| --------------- | -------------- | ------------- |
+| Generate keypair | `crypto_sign_keypair` | `EdDSAPrivateKeySpec` constructor |
+| Sign message | `crypto_sign` | `EdDSAEngine.engineSign` |
+| Verify signature | `crypto_sign_open` | `EdDSAEngine.engineVerify` |
+
+| EdDSA point arithmetic | ref10 function | Java function |
+| ---------------------- | -------------- | ------------- |
+| `R = b * B` | `ge_scalarmult_base` | `GroupElement.scalarMultiply` |
+| `R = a*A + b*B` | `ge_double_scalarmult_vartime` | `GroupElement.doubleScalarMultiplyVariableTime` |
+| `R = 2 * P` | `ge_p2_dbl` | `GroupElement.dbl` |
+| `R = P + Q` | `ge_madd`, `ge_add` | `GroupElement.madd`, `GroupElement.add` |
+| `R = P - Q` | `ge_msub`, `ge_sub` | `GroupElement.msub`, `GroupElement.sub` |
+
 Credits
 -------
 

src/net/i2p/crypto/eddsa/EdDSAEngine.java

@@ -137,7 +137,8 @@ protected byte[] engineSign() throws SignatureException {
         FieldElement S = curve.fromBigInteger(leEnc.decode(digest.digest(message)).multiply(a).add(rBI).mod(l));
 
         // R+S
-        ByteBuffer out = ByteBuffer.allocate(64);
+        int b = curve.getField().getb();
+        ByteBuffer out = ByteBuffer.allocate(b/4);
         out.put(Rbyte).put(S.toByteArray());
         return out.array();
     }
@@ -147,13 +148,10 @@ protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
         Curve curve = key.getParams().getCurve();
         int b = curve.getField().getb();
         if (sigBytes.length != b/4)
-            throw new IllegalArgumentException("signature length is wrong");
-
-        byte[] Rbyte = Arrays.copyOfRange(sigBytes, 0, b/8);
-        byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
+            throw new SignatureException("signature length is wrong");
 
-        // If we get to here, Rbyte is valid
-        digest.update(Rbyte);
+        // R is first b/8 bytes of sigBytes, S is second b/8 bytes
+        digest.update(sigBytes, 0, b/8);
         digest.update(((EdDSAPublicKey) key).getAbyte());
         // h = H(Rbar,Abar,M)
         byte[] message = baos.toByteArray();
@@ -163,14 +161,15 @@ protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
         LittleEndianEncoding leEnc = new LittleEndianEncoding();
         h = leEnc.encode(leEnc.decode(h).mod(key.getParams().getL()), b/8);
 
+        byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
         // R = SB - H(Rbar,Abar,M)A
         GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
-                ((EdDSAPublicKey) key).getA().negate(), h, Sbyte);
+                ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);
 
         byte[] Rcalc = R.toByteArray();
         int result = 1;
         for (int i = 0; i < Rcalc.length; i++) {
-            result &= Utils.equal(Rcalc[i], Rbyte[i]);
+            result &= Utils.equal(Rcalc[i], sigBytes[i]);
         }
         return result == 1;
     }

src/net/i2p/crypto/eddsa/EdDSAPrivateKey.java

@@ -13,6 +13,7 @@
  *
  */
 public class EdDSAPrivateKey implements EdDSAKey, PrivateKey {
+    private static final long serialVersionUID = 23495873459878957L;
     private transient final byte[] seed;
     private transient final byte[] h;
     private transient final BigInteger a;
@@ -29,23 +30,19 @@ public EdDSAPrivateKey(EdDSAPrivateKeySpec spec) {
         this.edDsaSpec = spec.getParams();
     }
 
-    @Override
     public String getAlgorithm() {
         return "EdDSA";
     }
 
-    @Override
     public String getFormat() {
         return "PKCS#8";
     }
 
-    @Override
     public byte[] getEncoded() {
         // TODO Auto-generated method stub
         return null;
     }
 
-    @Override
     public EdDSAParameterSpec getParams() {
         return edDsaSpec;
     }

src/net/i2p/crypto/eddsa/EdDSAPublicKey.java

@@ -12,33 +12,32 @@
  *
  */
 public class EdDSAPublicKey implements EdDSAKey, PublicKey {
-    private transient final GroupElement A;
-    private transient final byte[] Abyte;
-    private transient final EdDSAParameterSpec edDsaSpec;
+    private static final long serialVersionUID = 9837459837498475L;
+    private final GroupElement A;
+    private final GroupElement Aneg;
+    private final byte[] Abyte;
+    private final EdDSAParameterSpec edDsaSpec;
 
     public EdDSAPublicKey(EdDSAPublicKeySpec spec) {
         this.A = spec.getA();
+        this.Aneg = spec.getNegativeA();
         this.Abyte = this.A.toByteArray();
         this.edDsaSpec = spec.getParams();
     }
 
-    @Override
     public String getAlgorithm() {
         return "EdDSA";
     }
 
-    @Override
     public String getFormat() {
         return "X.509";
     }
 
-    @Override
     public byte[] getEncoded() {
         // TODO Auto-generated method stub
         return null;
     }
 
-    @Override
     public EdDSAParameterSpec getParams() {
         return edDsaSpec;
     }
@@ -47,6 +46,10 @@ public GroupElement getA() {
         return A;
     }
 
+    public GroupElement getNegativeA() {
+        return Aneg;
+    }
+
     public byte[] getAbyte() {
         return Abyte;
     }

src/net/i2p/crypto/eddsa/KeyFactory.java

@@ -16,7 +16,7 @@
  *
  */
 public class KeyFactory extends KeyFactorySpi {
-    @Override
+
     protected PrivateKey engineGeneratePrivate(KeySpec keySpec)
             throws InvalidKeySpecException {
         if (keySpec instanceof EdDSAPrivateKeySpec) {
@@ -25,7 +25,6 @@ protected PrivateKey engineGeneratePrivate(KeySpec keySpec)
         throw new InvalidKeySpecException("key spec not recognised");
     }
 
-    @Override
     protected PublicKey engineGeneratePublic(KeySpec keySpec)
             throws InvalidKeySpecException {
         if (keySpec instanceof EdDSAPublicKeySpec) {
@@ -35,7 +34,6 @@ protected PublicKey engineGeneratePublic(KeySpec keySpec)
     }
 
     @SuppressWarnings("unchecked")
-    @Override
     protected <T extends KeySpec> T engineGetKeySpec(Key key, Class<T> keySpec)
             throws InvalidKeySpecException {
         if (keySpec.isAssignableFrom(EdDSAPublicKeySpec.class) && key instanceof EdDSAPublicKey) {
@@ -52,7 +50,6 @@ protected <T extends KeySpec> T engineGetKeySpec(Key key, Class<T> keySpec)
         throw new InvalidKeySpecException("not implemented yet " + key + " " + keySpec);
     }
 
-    @Override
     protected Key engineTranslateKey(Key key) throws InvalidKeyException {
         throw new InvalidKeyException("No other EdDSA key providers known");
     }

src/net/i2p/crypto/eddsa/KeyPairGenerator.java

@@ -15,8 +15,11 @@
 import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
 import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
 
+/**
+ *  Default strength is 256
+ */
 public class KeyPairGenerator extends KeyPairGeneratorSpi {
-    private int strength = 256;
+    private static final int DEFAULT_STRENGTH = 256;
     private EdDSAParameterSpec edParams;
     private SecureRandom random;
     private boolean initialized;
@@ -26,10 +29,9 @@ public class KeyPairGenerator extends KeyPairGeneratorSpi {
     static {
         edParameters = new Hashtable<Integer, AlgorithmParameterSpec>();
 
-        edParameters.put(Integer.valueOf(256), new EdDSAGenParameterSpec("ed25519-sha-512"));
+        edParameters.put(Integer.valueOf(DEFAULT_STRENGTH), new EdDSAGenParameterSpec(EdDSANamedCurveTable.CURVE_ED25519_SHA512));
     }
 
-    @Override
     public void initialize(int strength, SecureRandom random) {
         AlgorithmParameterSpec edParams = edParameters.get(Integer.valueOf(strength));
         if (edParams == null)
@@ -54,10 +56,9 @@ public void initialize(AlgorithmParameterSpec params, SecureRandom random) throw
         initialized = true;
     }
 
-    @Override
     public KeyPair generateKeyPair() {
         if (!initialized)
-            initialize(strength, new SecureRandom());
+            initialize(DEFAULT_STRENGTH, new SecureRandom());
 
         byte[] seed = new byte[edParams.getCurve().getField().getb()/8];
         random.nextBytes(seed);

src/net/i2p/crypto/eddsa/Utils.java

@@ -10,7 +10,12 @@ public class Utils {
      * @return 1 if b and c are equal, 0 otherwise.
      */
     public static int equal(int b, int c) {
-        return b == c ? 1 : 0;
+        int result = 0;
+        int xor = b ^ c;
+        for (int i = 0; i < 8; i++) {
+            result |= xor >> i;
+        }
+        return (result ^ 0x01) & 0x01;
     }
 
     /**
@@ -22,112 +27,13 @@ public static int negative(int b) {
         return (b >> 8) & 1;
     }
 
-    /**
-     * Convert a to radix 16.
-     * @param a = a[0]+256*a[1]+...+256^31 a[31]
-     * @return
-     */
-    public static byte[] toRadix16(byte[] a) {
-        byte[] e = new byte[64];
-        int i;
-        // Radix 16 notation
-        for (i = 0; i < 32; i++) {
-            e[2*i+0] = (byte) ((a[i] >> 0) & 15);
-            e[2*i+1] = (byte) ((a[i] >> 4) & 15);
-        }
-        /* each e[i] is between 0 and 15 */
-        /* e[63] is between 0 and 7 */
-        int carry = 0;
-        for (i = 0; i < 63; i++) {
-            e[i] += carry;
-            carry = e[i] + 8;
-            carry >>= 4;
-        e[i] -= carry << 4;
-        }
-        e[63] += carry;
-        /* each e[i] is between -8 and 8 */
-        return e;
-    }
-
-    /**
-     * I don't really know what this method does.
-     * @param a
-     * @return
-     */
-    public static byte[] slide(byte[] a) {
-        byte[] r = new byte[256];
-        int i;
-        int b;
-        int k;
-
-        for (i = 0;i < 256;++i) {
-            r[i] = (byte) (1 & (a[i >> 3] >> (i & 7)));
-        }
-
-        for (i = 0;i < 256;++i) {
-            if (r[i] != 0) {
-                for (b = 1; b <= 6 && i + b < 256; ++b) {
-                    if (r[i + b] != 0) {
-                        if (r[i] + (r[i + b] << b) <= 15) {
-                            r[i] += r[i + b] << b; r[i + b] = 0;
-                        } else if (r[i] - (r[i + b] << b) >= -15) {
-                            r[i] -= r[i + b] << b;
-                            for (k = i + b; k < 256; ++k) {
-                                if (r[k] == 0) {
-                                    r[k] = 1;
-                                    break;
-                                }
-                                r[k] = 0;
-                            }
-                        } else
-                            break;
-                    }
-                }
-            }
-        }
-
-        return r;
-    }
-
     /**
      * Get the i'th bit of a byte array.
      * @param h the byte array.
      * @param i the bit index.
-     * @return the value of the i'th bit in h.
+     * @return 0 or 1, the value of the i'th bit in h
      */
     public static int bit(byte[] h, int i) {
-        return h[i/8] >> (i%8) & 1;
-    }
-
-    /**
-     * Converts bytes to a hex string.
-     * @param raw the byte[] to be converted.
-     * @return the hex representation as a string.
-     */
-    public static String getHex(byte[] raw) {
-        if ( raw == null ) {
-            return null;
-        }
-        final StringBuilder hex = new StringBuilder(2 * raw.length);
-        for (final byte b : raw) {
-            hex.append(Character.forDigit((b & 0xF0) >> 4, 16))
-            .append(Character.forDigit((b & 0x0F), 16));
-        }
-        return hex.toString();
-    }
-
-    /**
-     * Converts a hex string to bytes.
-     * @param s the hex string to be converted.
-     * @return the byte[]
-     */
-    public static byte[] hexToBytes(String s) {
-        int len = s.length();
-        byte[] data = new byte[len / 2];
-        for (int i = 0; i < len; i += 2) {
-            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4)
-                    + Character.digit(s.charAt(i+1), 16));
-        }
-        return data;
+        return (h[i/8] >> (i%8)) & 1;
     }
 }

src/net/i2p/crypto/eddsa/math/Constants.java

@@ -3,10 +3,9 @@
 import java.math.BigInteger;
 
 public class Constants {
-    public static final BigInteger ZERO = BigInteger.valueOf(0);
-    public static final BigInteger ONE = BigInteger.valueOf(1);
+    public static final BigInteger ZERO = BigInteger.ZERO;
+    public static final BigInteger ONE = BigInteger.ONE;
     public static final BigInteger TWO = BigInteger.valueOf(2);
-    public static final BigInteger THREE = BigInteger.valueOf(3);
     public static final BigInteger FOUR = BigInteger.valueOf(4);
     public static final BigInteger FIVE = BigInteger.valueOf(5);
     public static final BigInteger EIGHT = BigInteger.valueOf(8);