Merge pull request #3 from lukechampine/filippo

Use filippo.io/edwards25519
tac0turtle · Dec 4, 2020 · 7d6b649 · 7d6b649
2 parents 1694d75 + cf5b610
commit 7d6b649
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 3,283 deletions.
diff --git a/ed25519.go b/ed25519.go
@@ -10,7 +10,7 @@ import (
 	"crypto/ed25519"
 	"crypto/sha512"
 
-	"github.com/hdevalence/ed25519consensus/internal/edwards25519"
+	"filippo.io/edwards25519"
 )
 
 // Verify reports whether sig is a valid signature of message by
@@ -25,15 +25,12 @@ func Verify(publicKey ed25519.PublicKey, message, sig []byte) bool {
 		return false
 	}
 
-	var A edwards25519.ExtendedGroupElement
-	var publicKeyBytes [32]byte
-	copy(publicKeyBytes[:], publicKey)
-	// ZIP215: this works because FromBytes does not check that encodings are canonical.
-	if !A.FromBytes(&publicKeyBytes) {
+	// ZIP215: this works because SetBytes does not check that encodings are canonical.
+	A, err := new(edwards25519.Point).SetBytes(publicKey)
+	if err != nil {
 		return false
 	}
-	edwards25519.FeNeg(&A.X, &A.X)
-	edwards25519.FeNeg(&A.T, &A.T)
+	A.Negate(A)
 
 	h := sha512.New()
 	h.Write(sig[:32])
@@ -42,32 +39,28 @@ func Verify(publicKey ed25519.PublicKey, message, sig []byte) bool {
 	var digest [64]byte
 	h.Sum(digest[:0])
 
-	var hReduced [32]byte
-	edwards25519.ScReduce(&hReduced, &digest)
+	hReduced := new(edwards25519.Scalar).SetUniformBytes(digest[:])
 
-	var r [32]byte
-	copy(r[:], sig[:32])
-	var checkR edwards25519.ExtendedGroupElement
-	// ZIP215: this works because FromBytes does not check that encodings are canonical.
-	if !checkR.FromBytes(&r) {
+	// ZIP215: this works because SetBytes does not check that encodings are canonical.
+	checkR, err := new(edwards25519.Point).SetBytes(sig[:32])
+	if err != nil {
 		return false
 	}
 
-	var s [32]byte
-	copy(s[:], sig[32:])
-
 	// https://tools.ietf.org/html/rfc8032#section-5.1.7 requires that s be in
 	// the range [0, order) in order to prevent signature malleability.
 	// ZIP215: This is also required by ZIP215.
-	if !edwards25519.ScMinimal(&s) {
+	s, err := new(edwards25519.Scalar).SetCanonicalBytes(sig[32:])
+	if err != nil {
 		return false
 	}
 
-	var Rproj edwards25519.ProjectiveGroupElement
-	var R edwards25519.ExtendedGroupElement
-	edwards25519.GeDoubleScalarMultVartime(&Rproj, &hReduced, &A, &s)
-	Rproj.ToExtended(&R)
+	R := new(edwards25519.Point).VarTimeDoubleScalarBaseMult(hReduced, A, s)
 
-	// ZIP215: We want to check [8](R - R') == 0
-	return edwards25519.CofactorEqual(&R, &checkR)
+	// ZIP215: We want to check [8](R - checkR) == 0
+	p := new(edwards25519.Point).Subtract(R, checkR)     // p = R - checkR
+	p.Add(p, p)                                          // p = [2]p
+	p.Add(p, p)                                          // p = [4]p
+	p.Add(p, p)                                          // p = [8]p
+	return p.Equal(edwards25519.NewIdentityPoint()) == 1 // p == 0
 }
diff --git a/go.mod b/go.mod
@@ -1,3 +1,5 @@
 module github.com/hdevalence/ed25519consensus
 
 go 1.14
+
+require filippo.io/edwards25519 v1.0.0-alpha.2
diff --git a/go.sum b/go.sum
@@ -0,0 +1,2 @@
+filippo.io/edwards25519 v1.0.0-alpha.2 h1:EWbZLqGEPSIj2W69gx04KtNVkyPIfe3uj0DhDQJonbQ=
+filippo.io/edwards25519 v1.0.0-alpha.2/go.mod h1:X+pm78QAUPtFLi1z9PYIlS/bdDnvbCOGKtZ+ACWEf7o=
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		filippo.io/edwards25519 v1.0.0-alpha.2 h1:EWbZLqGEPSIj2W69gx04KtNVkyPIfe3uj0DhDQJonbQ=
		filippo.io/edwards25519 v1.0.0-alpha.2/go.mod h1:X+pm78QAUPtFLi1z9PYIlS/bdDnvbCOGKtZ+ACWEf7o=