From 70113241699cfff338bbd141075923960bfaf228 Mon Sep 17 00:00:00 2001 From: Terence Ge Date: Mon, 17 Aug 2020 15:24:31 +0800 Subject: [PATCH] remove unnecessary memzero --- src/ed25519-donna/ed25519-donna-impl-base.h | 531 ++++++++++---------- src/merlin.c | 60 ++- src/ristretto255.c | 137 ----- src/sr25519.c | 141 ------ src/vrf.c | 92 ---- 5 files changed, 293 insertions(+), 668 deletions(-) diff --git a/src/ed25519-donna/ed25519-donna-impl-base.h b/src/ed25519-donna/ed25519-donna-impl-base.h index dccd9ba..da430a9 100644 --- a/src/ed25519-donna/ed25519-donna-impl-base.h +++ b/src/ed25519-donna/ed25519-donna-impl-base.h @@ -1,246 +1,246 @@ /* - conversions + conversions */ DONNA_INLINE static void ge25519_p1p1_to_partial(ge25519 *r, const ge25519_p1p1 *p) { - curve25519_mul(r->x, p->x, p->t); - curve25519_mul(r->y, p->y, p->z); - curve25519_mul(r->z, p->z, p->t); + curve25519_mul(r->x, p->x, p->t); + curve25519_mul(r->y, p->y, p->z); + curve25519_mul(r->z, p->z, p->t); } DONNA_INLINE static void ge25519_p1p1_to_full(ge25519 *r, const ge25519_p1p1 *p) { - curve25519_mul(r->x, p->x, p->t); - curve25519_mul(r->y, p->y, p->z); - curve25519_mul(r->z, p->z, p->t); - curve25519_mul(r->t, p->x, p->y); + curve25519_mul(r->x, p->x, p->t); + curve25519_mul(r->y, p->y, p->z); + curve25519_mul(r->z, p->z, p->t); + curve25519_mul(r->t, p->x, p->y); } static void ge25519_full_to_pniels(ge25519_pniels *p, const ge25519 *r) { - curve25519_sub(p->ysubx, r->y, r->x); - curve25519_add(p->xaddy, r->y, r->x); - curve25519_copy(p->z, r->z); - curve25519_mul(p->t2d, r->t, ge25519_ec2d); + curve25519_sub(p->ysubx, r->y, r->x); + curve25519_add(p->xaddy, r->y, r->x); + curve25519_copy(p->z, r->z); + curve25519_mul(p->t2d, r->t, ge25519_ec2d); } /* - adding & doubling + adding & doubling */ static void ge25519_add_p1p1(ge25519_p1p1 *r, const ge25519 *p, const ge25519 *q) { - bignum25519 a,b,c,d,t,u; - - curve25519_sub(a, p->y, p->x); - curve25519_add(b, p->y, p->x); - curve25519_sub(t, q->y, q->x); - curve25519_add(u, q->y, q->x); - curve25519_mul(a, a, t); - curve25519_mul(b, b, u); - curve25519_mul(c, p->t, q->t); - curve25519_mul(c, c, ge25519_ec2d); - curve25519_mul(d, p->z, q->z); - curve25519_add(d, d, d); - curve25519_sub(r->x, b, a); - curve25519_add(r->y, b, a); - curve25519_add_after_basic(r->z, d, c); - curve25519_sub_after_basic(r->t, d, c); + bignum25519 a,b,c,d,t,u; + + curve25519_sub(a, p->y, p->x); + curve25519_add(b, p->y, p->x); + curve25519_sub(t, q->y, q->x); + curve25519_add(u, q->y, q->x); + curve25519_mul(a, a, t); + curve25519_mul(b, b, u); + curve25519_mul(c, p->t, q->t); + curve25519_mul(c, c, ge25519_ec2d); + curve25519_mul(d, p->z, q->z); + curve25519_add(d, d, d); + curve25519_sub(r->x, b, a); + curve25519_add(r->y, b, a); + curve25519_add_after_basic(r->z, d, c); + curve25519_sub_after_basic(r->t, d, c); } static void ge25519_double_p1p1(ge25519_p1p1 *r, const ge25519 *p) { - bignum25519 a,b,c; - - curve25519_square(a, p->x); - curve25519_square(b, p->y); - curve25519_square(c, p->z); - curve25519_add_reduce(c, c, c); - curve25519_add(r->x, p->x, p->y); - curve25519_square(r->x, r->x); - curve25519_add(r->y, b, a); - curve25519_sub(r->z, b, a); - curve25519_sub_after_basic(r->x, r->x, r->y); - curve25519_sub_after_basic(r->t, c, r->z); + bignum25519 a,b,c; + + curve25519_square(a, p->x); + curve25519_square(b, p->y); + curve25519_square(c, p->z); + curve25519_add_reduce(c, c, c); + curve25519_add(r->x, p->x, p->y); + curve25519_square(r->x, r->x); + curve25519_add(r->y, b, a); + curve25519_sub(r->z, b, a); + curve25519_sub_after_basic(r->x, r->x, r->y); + curve25519_sub_after_basic(r->t, c, r->z); } static void ge25519_nielsadd2_p1p1(ge25519_p1p1 *r, const ge25519 *p, const ge25519_niels *q, unsigned char signbit) { - const bignum25519 *qb = (const bignum25519 *)q; - bignum25519 *rb = (bignum25519 *)r; - bignum25519 a,b,c; - - curve25519_sub(a, p->y, p->x); - curve25519_add(b, p->y, p->x); - curve25519_mul(a, a, qb[signbit]); /* x for +, y for - */ - curve25519_mul(r->x, b, qb[signbit^1]); /* y for +, x for - */ - curve25519_add(r->y, r->x, a); - curve25519_sub(r->x, r->x, a); - curve25519_mul(c, p->t, q->t2d); - curve25519_add_reduce(r->t, p->z, p->z); - curve25519_copy(r->z, r->t); - curve25519_add(rb[2+signbit], rb[2+signbit], c); /* z for +, t for - */ - curve25519_sub(rb[2+(signbit^1)], rb[2+(signbit^1)], c); /* t for +, z for - */ + const bignum25519 *qb = (const bignum25519 *)q; + bignum25519 *rb = (bignum25519 *)r; + bignum25519 a,b,c; + + curve25519_sub(a, p->y, p->x); + curve25519_add(b, p->y, p->x); + curve25519_mul(a, a, qb[signbit]); /* x for +, y for - */ + curve25519_mul(r->x, b, qb[signbit^1]); /* y for +, x for - */ + curve25519_add(r->y, r->x, a); + curve25519_sub(r->x, r->x, a); + curve25519_mul(c, p->t, q->t2d); + curve25519_add_reduce(r->t, p->z, p->z); + curve25519_copy(r->z, r->t); + curve25519_add(rb[2+signbit], rb[2+signbit], c); /* z for +, t for - */ + curve25519_sub(rb[2+(signbit^1)], rb[2+(signbit^1)], c); /* t for +, z for - */ } static void ge25519_pnielsadd_p1p1(ge25519_p1p1 *r, const ge25519 *p, const ge25519_pniels *q, unsigned char signbit) { - const bignum25519 *qb = (const bignum25519 *)q; - bignum25519 *rb = (bignum25519 *)r; - bignum25519 a,b,c; - - curve25519_sub(a, p->y, p->x); - curve25519_add(b, p->y, p->x); - curve25519_mul(a, a, qb[signbit]); /* ysubx for +, xaddy for - */ - curve25519_mul(r->x, b, qb[signbit^1]); /* xaddy for +, ysubx for - */ - curve25519_add(r->y, r->x, a); - curve25519_sub(r->x, r->x, a); - curve25519_mul(c, p->t, q->t2d); - curve25519_mul(r->t, p->z, q->z); - curve25519_add_reduce(r->t, r->t, r->t); - curve25519_copy(r->z, r->t); - curve25519_add(rb[2+signbit], rb[2+signbit], c); /* z for +, t for - */ - curve25519_sub(rb[2+(signbit^1)], rb[2+(signbit^1)], c); /* t for +, z for - */ + const bignum25519 *qb = (const bignum25519 *)q; + bignum25519 *rb = (bignum25519 *)r; + bignum25519 a,b,c; + + curve25519_sub(a, p->y, p->x); + curve25519_add(b, p->y, p->x); + curve25519_mul(a, a, qb[signbit]); /* ysubx for +, xaddy for - */ + curve25519_mul(r->x, b, qb[signbit^1]); /* xaddy for +, ysubx for - */ + curve25519_add(r->y, r->x, a); + curve25519_sub(r->x, r->x, a); + curve25519_mul(c, p->t, q->t2d); + curve25519_mul(r->t, p->z, q->z); + curve25519_add_reduce(r->t, r->t, r->t); + curve25519_copy(r->z, r->t); + curve25519_add(rb[2+signbit], rb[2+signbit], c); /* z for +, t for - */ + curve25519_sub(rb[2+(signbit^1)], rb[2+(signbit^1)], c); /* t for +, z for - */ } static void ge25519_double_partial(ge25519 *r, const ge25519 *p) { - ge25519_p1p1 t; - ge25519_double_p1p1(&t, p); - ge25519_p1p1_to_partial(r, &t); + ge25519_p1p1 t; + ge25519_double_p1p1(&t, p); + ge25519_p1p1_to_partial(r, &t); } static void ge25519_double(ge25519 *r, const ge25519 *p) { - ge25519_p1p1 t; - ge25519_double_p1p1(&t, p); - ge25519_p1p1_to_full(r, &t); + ge25519_p1p1 t; + ge25519_double_p1p1(&t, p); + ge25519_p1p1_to_full(r, &t); } static void ge25519_add(ge25519 *r, const ge25519 *p, const ge25519 *q) { - ge25519_p1p1 t; - ge25519_add_p1p1(&t, p, q); - ge25519_p1p1_to_full(r, &t); + ge25519_p1p1 t; + ge25519_add_p1p1(&t, p, q); + ge25519_p1p1_to_full(r, &t); } static void ge25519_nielsadd2(ge25519 *r, const ge25519_niels *q) { - bignum25519 a,b,c,e,f,g,h; - - curve25519_sub(a, r->y, r->x); - curve25519_add(b, r->y, r->x); - curve25519_mul(a, a, q->ysubx); - curve25519_mul(e, b, q->xaddy); - curve25519_add(h, e, a); - curve25519_sub(e, e, a); - curve25519_mul(c, r->t, q->t2d); - curve25519_add(f, r->z, r->z); - curve25519_add_after_basic(g, f, c); - curve25519_sub_after_basic(f, f, c); - curve25519_mul(r->x, e, f); - curve25519_mul(r->y, h, g); - curve25519_mul(r->z, g, f); - curve25519_mul(r->t, e, h); + bignum25519 a,b,c,e,f,g,h; + + curve25519_sub(a, r->y, r->x); + curve25519_add(b, r->y, r->x); + curve25519_mul(a, a, q->ysubx); + curve25519_mul(e, b, q->xaddy); + curve25519_add(h, e, a); + curve25519_sub(e, e, a); + curve25519_mul(c, r->t, q->t2d); + curve25519_add(f, r->z, r->z); + curve25519_add_after_basic(g, f, c); + curve25519_sub_after_basic(f, f, c); + curve25519_mul(r->x, e, f); + curve25519_mul(r->y, h, g); + curve25519_mul(r->z, g, f); + curve25519_mul(r->t, e, h); } static void ge25519_pnielsadd(ge25519_pniels *r, const ge25519 *p, const ge25519_pniels *q) { - bignum25519 a,b,c,x,y,z,t; - - curve25519_sub(a, p->y, p->x); - curve25519_add(b, p->y, p->x); - curve25519_mul(a, a, q->ysubx); - curve25519_mul(x, b, q->xaddy); - curve25519_add(y, x, a); - curve25519_sub(x, x, a); - curve25519_mul(c, p->t, q->t2d); - curve25519_mul(t, p->z, q->z); - curve25519_add(t, t, t); - curve25519_add_after_basic(z, t, c); - curve25519_sub_after_basic(t, t, c); - curve25519_mul(r->xaddy, x, t); - curve25519_mul(r->ysubx, y, z); - curve25519_mul(r->z, z, t); - curve25519_mul(r->t2d, x, y); - curve25519_copy(y, r->ysubx); - curve25519_sub(r->ysubx, r->ysubx, r->xaddy); - curve25519_add(r->xaddy, r->xaddy, y); - curve25519_mul(r->t2d, r->t2d, ge25519_ec2d); + bignum25519 a,b,c,x,y,z,t; + + curve25519_sub(a, p->y, p->x); + curve25519_add(b, p->y, p->x); + curve25519_mul(a, a, q->ysubx); + curve25519_mul(x, b, q->xaddy); + curve25519_add(y, x, a); + curve25519_sub(x, x, a); + curve25519_mul(c, p->t, q->t2d); + curve25519_mul(t, p->z, q->z); + curve25519_add(t, t, t); + curve25519_add_after_basic(z, t, c); + curve25519_sub_after_basic(t, t, c); + curve25519_mul(r->xaddy, x, t); + curve25519_mul(r->ysubx, y, z); + curve25519_mul(r->z, z, t); + curve25519_mul(r->t2d, x, y); + curve25519_copy(y, r->ysubx); + curve25519_sub(r->ysubx, r->ysubx, r->xaddy); + curve25519_add(r->xaddy, r->xaddy, y); + curve25519_mul(r->t2d, r->t2d, ge25519_ec2d); } /* - pack & unpack + pack & unpack */ static void ge25519_pack(unsigned char r[32], const ge25519 *p) { - bignum25519 tx, ty, zi; - unsigned char parity[32]; - curve25519_recip(zi, p->z); - curve25519_mul(tx, p->x, zi); - curve25519_mul(ty, p->y, zi); - curve25519_contract(r, ty); - curve25519_contract(parity, tx); - r[31] ^= ((parity[0] & 1) << 7); + bignum25519 tx, ty, zi; + unsigned char parity[32]; + curve25519_recip(zi, p->z); + curve25519_mul(tx, p->x, zi); + curve25519_mul(ty, p->y, zi); + curve25519_contract(r, ty); + curve25519_contract(parity, tx); + r[31] ^= ((parity[0] & 1) << 7); } static int ge25519_unpack_negative_vartime(ge25519 *r, const unsigned char p[32]) { - static const unsigned char zero[32] = {0}; - static const bignum25519 one = {1}; - unsigned char parity = p[31] >> 7; - unsigned char check[32]; - bignum25519 t, root, num, den, d3; - - curve25519_expand(r->y, p); - curve25519_copy(r->z, one); - curve25519_square(num, r->y); /* x = y^2 */ - curve25519_mul(den, num, ge25519_ecd); /* den = dy^2 */ - curve25519_sub_reduce(num, num, r->z); /* x = y^1 - 1 */ - curve25519_add(den, den, r->z); /* den = dy^2 + 1 */ - - /* Computation of sqrt(num/den) */ - /* 1.: computation of num^((p-5)/8)*den^((7p-35)/8) = (num*den^7)^((p-5)/8) */ - curve25519_square(t, den); - curve25519_mul(d3, t, den); - curve25519_square(r->x, d3); - curve25519_mul(r->x, r->x, den); - curve25519_mul(r->x, r->x, num); - curve25519_pow_two252m3(r->x, r->x); - - /* 2. computation of r->x = num * den^3 * (num*den^7)^((p-5)/8) */ - curve25519_mul(r->x, r->x, d3); - curve25519_mul(r->x, r->x, num); - - /* 3. Check if either of the roots works: */ - curve25519_square(t, r->x); - curve25519_mul(t, t, den); - curve25519_sub_reduce(root, t, num); - curve25519_contract(check, root); - if (!ed25519_verify(check, zero, 32)) { - curve25519_add_reduce(t, t, num); - curve25519_contract(check, t); - if (!ed25519_verify(check, zero, 32)) - return 0; - curve25519_mul(r->x, r->x, ge25519_sqrtneg1); - } - - curve25519_contract(check, r->x); - if ((check[0] & 1) == parity) { - curve25519_copy(t, r->x); - curve25519_neg(r->x, t); - } - curve25519_mul(r->t, r->x, r->y); - return 1; + static const unsigned char zero[32] = {0}; + static const bignum25519 one = {1}; + unsigned char parity = p[31] >> 7; + unsigned char check[32]; + bignum25519 t, root, num, den, d3; + + curve25519_expand(r->y, p); + curve25519_copy(r->z, one); + curve25519_square(num, r->y); /* x = y^2 */ + curve25519_mul(den, num, ge25519_ecd); /* den = dy^2 */ + curve25519_sub_reduce(num, num, r->z); /* x = y^1 - 1 */ + curve25519_add(den, den, r->z); /* den = dy^2 + 1 */ + + /* Computation of sqrt(num/den) */ + /* 1.: computation of num^((p-5)/8)*den^((7p-35)/8) = (num*den^7)^((p-5)/8) */ + curve25519_square(t, den); + curve25519_mul(d3, t, den); + curve25519_square(r->x, d3); + curve25519_mul(r->x, r->x, den); + curve25519_mul(r->x, r->x, num); + curve25519_pow_two252m3(r->x, r->x); + + /* 2. computation of r->x = num * den^3 * (num*den^7)^((p-5)/8) */ + curve25519_mul(r->x, r->x, d3); + curve25519_mul(r->x, r->x, num); + + /* 3. Check if either of the roots works: */ + curve25519_square(t, r->x); + curve25519_mul(t, t, den); + curve25519_sub_reduce(root, t, num); + curve25519_contract(check, root); + if (!ed25519_verify(check, zero, 32)) { + curve25519_add_reduce(t, t, num); + curve25519_contract(check, t); + if (!ed25519_verify(check, zero, 32)) + return 0; + curve25519_mul(r->x, r->x, ge25519_sqrtneg1); + } + + curve25519_contract(check, r->x); + if ((check[0] & 1) == parity) { + curve25519_copy(t, r->x); + curve25519_neg(r->x, t); + } + curve25519_mul(r->t, r->x, r->y); + return 1; } /* - scalarmults + scalarmults */ #define S1_SWINDOWSIZE 5 @@ -249,47 +249,47 @@ ge25519_unpack_negative_vartime(ge25519 *r, const unsigned char p[32]) { #define S2_TABLE_SIZE (1<<(S2_SWINDOWSIZE-2)) /* computes [s1]p1 + [s2]basepoint */ -static void +static void ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const bignum256modm s1, const bignum256modm s2) { - signed char slide1[256], slide2[256]; - ge25519_pniels pre1[S1_TABLE_SIZE]; - ge25519 d1; - ge25519_p1p1 t; - int32_t i; - - contract256_slidingwindow_modm(slide1, s1, S1_SWINDOWSIZE); - contract256_slidingwindow_modm(slide2, s2, S2_SWINDOWSIZE); - - ge25519_double(&d1, p1); - ge25519_full_to_pniels(pre1, p1); - for (i = 0; i < S1_TABLE_SIZE - 1; i++) - ge25519_pnielsadd(&pre1[i+1], &d1, &pre1[i]); - - /* set neutral */ - memset(r, 0, sizeof(ge25519)); - r->y[0] = 1; - r->z[0] = 1; - - i = 255; - while ((i >= 0) && !(slide1[i] | slide2[i])) - i--; - - for (; i >= 0; i--) { - ge25519_double_p1p1(&t, r); - - if (slide1[i]) { - ge25519_p1p1_to_full(r, &t); - ge25519_pnielsadd_p1p1(&t, r, &pre1[abs(slide1[i]) / 2], (unsigned char)slide1[i] >> 7); - } - - if (slide2[i]) { - ge25519_p1p1_to_full(r, &t); - ge25519_nielsadd2_p1p1(&t, r, &ge25519_niels_sliding_multiples[abs(slide2[i]) / 2], (unsigned char)slide2[i] >> 7); - } - - ge25519_p1p1_to_partial(r, &t); - } - curve25519_mul(r->t, t.x, t.y); + signed char slide1[256], slide2[256]; + ge25519_pniels pre1[S1_TABLE_SIZE]; + ge25519 d1; + ge25519_p1p1 t; + int32_t i; + + contract256_slidingwindow_modm(slide1, s1, S1_SWINDOWSIZE); + contract256_slidingwindow_modm(slide2, s2, S2_SWINDOWSIZE); + + ge25519_double(&d1, p1); + ge25519_full_to_pniels(pre1, p1); + for (i = 0; i < S1_TABLE_SIZE - 1; i++) + ge25519_pnielsadd(&pre1[i+1], &d1, &pre1[i]); + + /* set neutral */ + memset(r, 0, sizeof(ge25519)); + r->y[0] = 1; + r->z[0] = 1; + + i = 255; + while ((i >= 0) && !(slide1[i] | slide2[i])) + i--; + + for (; i >= 0; i--) { + ge25519_double_p1p1(&t, r); + + if (slide1[i]) { + ge25519_p1p1_to_full(r, &t); + ge25519_pnielsadd_p1p1(&t, r, &pre1[abs(slide1[i]) / 2], (unsigned char)slide1[i] >> 7); + } + + if (slide2[i]) { + ge25519_p1p1_to_full(r, &t); + ge25519_nielsadd2_p1p1(&t, r, &ge25519_niels_sliding_multiples[abs(slide2[i]) / 2], (unsigned char)slide2[i] >> 7); + } + + ge25519_p1p1_to_partial(r, &t); + } + curve25519_mul(r->t, t.x, t.y); } @@ -298,34 +298,34 @@ ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const bignum256 static uint32_t ge25519_windowb_equal(uint32_t b, uint32_t c) { - return ((b ^ c) - 1) >> 31; + return ((b ^ c) - 1) >> 31; } static void ge25519_scalarmult_base_choose_niels(ge25519_niels *t, const uint8_t table[256][96], uint32_t pos, signed char b) { - bignum25519 neg; - uint32_t sign = (uint32_t)((unsigned char)b >> 7); - uint32_t mask = ~(sign - 1); - uint32_t u = (b + mask) ^ mask; - uint32_t i; - - /* ysubx, xaddy, t2d in packed form. initialize to ysubx = 1, xaddy = 1, t2d = 0 */ - uint8_t packed[96] = {0}; - packed[0] = 1; - packed[32] = 1; - - for (i = 0; i < 8; i++) - curve25519_move_conditional_bytes(packed, table[(pos * 8) + i], ge25519_windowb_equal(u, i + 1)); - - /* expand in to t */ - curve25519_expand(t->ysubx, packed + 0); - curve25519_expand(t->xaddy, packed + 32); - curve25519_expand(t->t2d , packed + 64); - - /* adjust for sign */ - curve25519_swap_conditional(t->ysubx, t->xaddy, sign); - curve25519_neg(neg, t->t2d); - curve25519_swap_conditional(t->t2d, neg, sign); + bignum25519 neg; + uint32_t sign = (uint32_t)((unsigned char)b >> 7); + uint32_t mask = ~(sign - 1); + uint32_t u = (b + mask) ^ mask; + uint32_t i; + + /* ysubx, xaddy, t2d in packed form. initialize to ysubx = 1, xaddy = 1, t2d = 0 */ + uint8_t packed[96] = {0}; + packed[0] = 1; + packed[32] = 1; + + for (i = 0; i < 8; i++) + curve25519_move_conditional_bytes(packed, table[(pos * 8) + i], ge25519_windowb_equal(u, i + 1)); + + /* expand in to t */ + curve25519_expand(t->ysubx, packed + 0); + curve25519_expand(t->xaddy, packed + 32); + curve25519_expand(t->t2d , packed + 64); + + /* adjust for sign */ + curve25519_swap_conditional(t->ysubx, t->xaddy, sign); + curve25519_neg(neg, t->t2d); + curve25519_swap_conditional(t->t2d, neg, sign); } #endif /* HAVE_GE25519_SCALARMULT_BASE_CHOOSE_NIELS */ @@ -334,32 +334,31 @@ ge25519_scalarmult_base_choose_niels(ge25519_niels *t, const uint8_t table[256][ /* computes [s]basepoint */ static void ge25519_scalarmult_base_niels(ge25519 *r, const uint8_t basepoint_table[256][96], const bignum256modm s) { - signed char b[64]; - uint32_t i; - ge25519_niels t; - - contract256_window4_modm(b, s); - - ge25519_scalarmult_base_choose_niels(&t, basepoint_table, 0, b[1]); - curve25519_sub_reduce(r->x, t.xaddy, t.ysubx); - curve25519_add_reduce(r->y, t.xaddy, t.ysubx); - memset(r->z, 0, sizeof(bignum25519)); - curve25519_copy(r->t, t.t2d); - r->z[0] = 2; - for (i = 3; i < 64; i += 2) { - ge25519_scalarmult_base_choose_niels(&t, basepoint_table, i / 2, b[i]); - ge25519_nielsadd2(r, &t); - } - ge25519_double_partial(r, r); - ge25519_double_partial(r, r); - ge25519_double_partial(r, r); - ge25519_double(r, r); - ge25519_scalarmult_base_choose_niels(&t, basepoint_table, 0, b[0]); - curve25519_mul(t.t2d, t.t2d, ge25519_ecd); - ge25519_nielsadd2(r, &t); - for(i = 2; i < 64; i += 2) { - ge25519_scalarmult_base_choose_niels(&t, basepoint_table, i / 2, b[i]); - ge25519_nielsadd2(r, &t); - } + signed char b[64]; + uint32_t i; + ge25519_niels t; + + contract256_window4_modm(b, s); + + ge25519_scalarmult_base_choose_niels(&t, basepoint_table, 0, b[1]); + curve25519_sub_reduce(r->x, t.xaddy, t.ysubx); + curve25519_add_reduce(r->y, t.xaddy, t.ysubx); + memset(r->z, 0, sizeof(bignum25519)); + curve25519_copy(r->t, t.t2d); + r->z[0] = 2; + for (i = 3; i < 64; i += 2) { + ge25519_scalarmult_base_choose_niels(&t, basepoint_table, i / 2, b[i]); + ge25519_nielsadd2(r, &t); + } + ge25519_double_partial(r, r); + ge25519_double_partial(r, r); + ge25519_double_partial(r, r); + ge25519_double(r, r); + ge25519_scalarmult_base_choose_niels(&t, basepoint_table, 0, b[0]); + curve25519_mul(t.t2d, t.t2d, ge25519_ecd); + ge25519_nielsadd2(r, &t); + for(i = 2; i < 64; i += 2) { + ge25519_scalarmult_base_choose_niels(&t, basepoint_table, i / 2, b[i]); + ge25519_nielsadd2(r, &t); + } } - diff --git a/src/merlin.c b/src/merlin.c index 3a45a99..b2501cd 100644 --- a/src/merlin.c +++ b/src/merlin.c @@ -4,40 +4,39 @@ #include #include #include "merlin.h" -#include "memzero.h" #include "sr25519-randombytes.h" /******** The Keccak-f[1600] permutation ********/ /*** Constants. ***/ -static const uint8_t rho[24] = {1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, - 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44}; -static const uint8_t pi[24] = {10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, - 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1}; -static const uint64_t RC[24] = {1ULL, - 0x8082ULL, - 0x800000000000808aULL, - 0x8000000080008000ULL, - 0x808bULL, - 0x80000001ULL, - 0x8000000080008081ULL, - 0x8000000000008009ULL, - 0x8aULL, - 0x88ULL, - 0x80008009ULL, - 0x8000000aULL, - 0x8000808bULL, - 0x800000000000008bULL, - 0x8000000000008089ULL, - 0x8000000000008003ULL, - 0x8000000000008002ULL, - 0x8000000000000080ULL, - 0x800aULL, - 0x800000008000000aULL, - 0x8000000080008081ULL, - 0x8000000000008080ULL, - 0x80000001ULL, - 0x8000000080008008ULL}; +static const uint8_t rho[24] = {1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44}; +static const uint8_t pi[24] = {10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1}; +static const uint64_t RC[24] = { + 1ULL, + 0x8082ULL, + 0x800000000000808aULL, + 0x8000000080008000ULL, + 0x808bULL, + 0x80000001ULL, + 0x8000000080008081ULL, + 0x8000000000008009ULL, + 0x8aULL, + 0x88ULL, + 0x80008009ULL, + 0x8000000aULL, + 0x8000808bULL, + 0x800000000000008bULL, + 0x8000000000008089ULL, + 0x8000000000008003ULL, + 0x8000000000008002ULL, + 0x8000000000000080ULL, + 0x800aULL, + 0x800000008000000aULL, + 0x8000000080008081ULL, + 0x8000000000008080ULL, + 0x80000001ULL, + 0x8000000080008008ULL +}; /*** Helper macros to unroll the permutation. ***/ #define rol(x, s) (((x) << s) | ((x) >> (64 - s))) @@ -238,9 +237,6 @@ void merlin_commit_witness_bytes(merlin_transcript* mctx, uint8_t* dest, size_t sr25519_randombytes(entropy, 32); merlin_rng_finalize(&mrng, entropy); merlin_rng_random_bytes(&mrng, dest, dest_len); - - memzero(&mrng, sizeof(mrng)); - memzero(entropy, sizeof(entropy)); } void merlin_rng_init(merlin_rng* mrng, const merlin_transcript* mctx) { diff --git a/src/ristretto255.c b/src/ristretto255.c index 3030303..806b956 100644 --- a/src/ristretto255.c +++ b/src/ristretto255.c @@ -130,9 +130,6 @@ uint8_t bignum25519_ct_eq(const bignum25519 a, const bignum25519 b) { uint8_t result = uint8_32_ct_eq(c, d); - memzero(c, sizeof(c)); - memzero(d, sizeof(d)); - return result; } @@ -189,18 +186,6 @@ uint8_t curve25519_sqrt_ratio_i(bignum25519 out, const bignum25519 u, const bign curve25519_copy(out, r); - memzero(tmp, sizeof(tmp)); - memzero(v3, sizeof(v3)); - memzero(v7, sizeof(v7)); - memzero(r, sizeof(r)); - memzero(r_prime, sizeof(r_prime)); - memzero(r_negative, sizeof(r_negative)); - memzero(check, sizeof(check)); - memzero(i, sizeof(i)); - memzero(u_neg, sizeof(u_neg)); - memzero(u_neg_i, sizeof(u_neg_i)); - memzero(r_bytes, sizeof(r_bytes)); - return was_nonzero_square; } @@ -245,25 +230,6 @@ int ristretto_decode(ge25519 *element, const unsigned char bytes[32]) { // Bail out if the field element encoding was non-canonical or negative if (s_encoding_is_canonical == 0 || s_is_negative == 1) { - memzero(s, sizeof(s)); - memzero(ss, sizeof(ss)); - memzero(u1, sizeof(u1)); - memzero(u1_sqr, sizeof(u1_sqr)); - memzero(u2, sizeof(u2)); - memzero(u2_sqr, sizeof(u2_sqr)); - memzero(v, sizeof(v)); - memzero(i, sizeof(i)); - memzero(minus_d, sizeof(minus_d)); - memzero(dx, sizeof(dx)); - memzero(dy, sizeof(dy)); - memzero(tmp, sizeof(tmp)); - memzero(s_bytes_check, sizeof(s_bytes_check)); - memzero(x_bytes, sizeof(x_bytes)); - memzero(t_bytes, sizeof(t_bytes)); - memzero(x, sizeof(x)); - memzero(y, sizeof(y)); - memzero(t, sizeof(t)); - return 0; } @@ -304,25 +270,6 @@ int ristretto_decode(ge25519 *element, const unsigned char bytes[32]) { y_is_zero = bignum25519_ct_eq(zero, y); if (ok == 0 || t_is_negative == 1 || y_is_zero == 1) { - memzero(s, sizeof(s)); - memzero(ss, sizeof(ss)); - memzero(u1, sizeof(u1)); - memzero(u1_sqr, sizeof(u1_sqr)); - memzero(u2, sizeof(u2)); - memzero(u2_sqr, sizeof(u2_sqr)); - memzero(v, sizeof(v)); - memzero(i, sizeof(i)); - memzero(minus_d, sizeof(minus_d)); - memzero(dx, sizeof(dx)); - memzero(dy, sizeof(dy)); - memzero(tmp, sizeof(tmp)); - memzero(s_bytes_check, sizeof(s_bytes_check)); - memzero(x_bytes, sizeof(x_bytes)); - memzero(t_bytes, sizeof(t_bytes)); - memzero(x, sizeof(x)); - memzero(y, sizeof(y)); - memzero(t, sizeof(t)); - return 0; } @@ -331,25 +278,6 @@ int ristretto_decode(ge25519 *element, const unsigned char bytes[32]) { curve25519_copy(element->z, one); curve25519_copy(element->t, t); - memzero(s, sizeof(s)); - memzero(ss, sizeof(ss)); - memzero(u1, sizeof(u1)); - memzero(u1_sqr, sizeof(u1_sqr)); - memzero(u2, sizeof(u2)); - memzero(u2_sqr, sizeof(u2_sqr)); - memzero(v, sizeof(v)); - memzero(i, sizeof(i)); - memzero(minus_d, sizeof(minus_d)); - memzero(dx, sizeof(dx)); - memzero(dy, sizeof(dy)); - memzero(tmp, sizeof(tmp)); - memzero(s_bytes_check, sizeof(s_bytes_check)); - memzero(x_bytes, sizeof(x_bytes)); - memzero(t_bytes, sizeof(t_bytes)); - memzero(x, sizeof(x)); - memzero(y, sizeof(y)); - memzero(t, sizeof(t)); - return 1; } @@ -416,26 +344,6 @@ void ristretto_encode(unsigned char bytes[32], const ge25519 element) { // Output the compressed form of s curve25519_contract(bytes, s); - - memzero(u1, sizeof(u1)); - memzero(u2, sizeof(u2)); - memzero(u22, sizeof(u22)); - memzero(i1, sizeof(i1)); - memzero(i2, sizeof(i2)); - memzero(z_inv, sizeof(z_inv)); - memzero(den_inv, sizeof(den_inv)); - memzero(ix, sizeof(ix)); - memzero(iy, sizeof(iy)); - memzero(invsqrt, sizeof(invsqrt)); - memzero(tmp1, sizeof(tmp1)); - memzero(tmp2, sizeof(tmp2)); - memzero(x, sizeof(x)); - memzero(y, sizeof(y)); - memzero(y_neg, sizeof(y_neg)); - memzero(s, sizeof(s)); - memzero(s_neg, sizeof(s_neg)); - memzero(enchanted_denominator, sizeof(enchanted_denominator)); - memzero(contracted, sizeof(contracted)); } /** @@ -455,11 +363,6 @@ int ristretto_ct_eq(const ge25519 *a, const ge25519 *b) { check_one = bignum25519_ct_eq(x1y2, y1x2); check_two = bignum25519_ct_eq(x1x2, y1y2); - memzero(x1y2, sizeof(x1y2)); - memzero(y1x2, sizeof(y1x2)); - memzero(x1x2, sizeof(x1x2)); - memzero(y1y2, sizeof(y1y2)); - return check_one | check_two; } @@ -504,33 +407,6 @@ void elligator_ristretto_flavor(ge25519 *P, const bignum25519 r0) { curve25519_copy(P->y, py); curve25519_copy(P->z, pz); curve25519_copy(P->t, pt); - - memzero(r, sizeof(r)); - memzero(r02, sizeof(r02)); - memzero(rOne, sizeof(rOne)); - memzero(Ns, sizeof(Ns)); - memzero(d_mul_r, sizeof(d_mul_r)); - memzero(c_min_d_mul_r, sizeof(c_min_d_mul_r)); - memzero(r_add_d, sizeof(r_add_d)); - memzero(D, sizeof(D)); - memzero(s, sizeof(s)); - memzero(s_prime, sizeof(s_prime)); - memzero(s_prime_neg, sizeof(s_prime_neg)); - memzero(c, sizeof(c)); - memzero(r_min_one, sizeof(r_min_one)); - memzero(c_mul_r_min_one, sizeof(c_mul_r_min_one)); - memzero(c_mul_r_min_one_mul_d, sizeof(c_mul_r_min_one_mul_d)); - memzero(Nt, sizeof(Nt)); - memzero(s2, sizeof(s2)); - memzero(s_add_s, sizeof(s_add_s)); - memzero(x, sizeof(x)); - memzero(y, sizeof(y)); - memzero(z, sizeof(z)); - memzero(t, sizeof(t)); - memzero(px, sizeof(px)); - memzero(py, sizeof(py)); - memzero(pz, sizeof(pz)); - memzero(pt, sizeof(pt)); } void ristretto_from_uniform_bytes(ge25519 *element, const unsigned char bytes[64]) { @@ -549,13 +425,6 @@ void ristretto_from_uniform_bytes(ge25519 *element, const unsigned char bytes[64 elligator_ristretto_flavor(&R_2, r_2); ge25519_add(element, &R_1, &R_2); - - memzero(r_1_bytes, sizeof(r_1_bytes)); - memzero(r_2_bytes, sizeof(r_2_bytes)); - memzero(r_1, sizeof(r_1)); - memzero(r_1, sizeof(r_1)); - memzero(&R_1, sizeof(R_1)); - memzero(&R_2, sizeof(R_2)); } /* @@ -641,10 +510,4 @@ void ge25519_scalarmult(ge25519 *r, const ge25519 *p1, const bignum256modm s1) { ge25519_p1p1_to_partial(r, &t); } curve25519_mul(r->t, t.x, t.y); - - memzero(slide1, sizeof(slide1)); - memzero(&pre1, sizeof(pre1)); - memzero(&pre, sizeof(pre)); - memzero(&d1, sizeof(d1)); - memzero(&t, sizeof(t)); } diff --git a/src/sr25519.c b/src/sr25519.c index 0a789ff..c5a7f2c 100644 --- a/src/sr25519.c +++ b/src/sr25519.c @@ -4,7 +4,6 @@ #include "sr25519-hash.h" #include "ristretto255.h" #include "merlin.h" -#include "memzero.h" #include "vrf.h" void divide_scalar_bytes_by_cofactor(uint8_t *scalar, size_t scalar_len) { @@ -39,7 +38,6 @@ void expand_ed25519(sr25519_secret_key_key key, sr25519_secret_key_nonce nonce, divide_scalar_bytes_by_cofactor(key, 32); key[31] &= 0b1111111; memcpy(nonce, hash + 32, 32); - memzero(hash, sizeof(hash)); } void expand_uniform(sr25519_secret_key_key key, sr25519_secret_key_nonce nonce, sr25519_mini_secret_key mini_secret_key) { @@ -54,8 +52,6 @@ void expand_uniform(sr25519_secret_key_key key, sr25519_secret_key_nonce nonce, expand256_modm(scalar, scalar_bytes, 64); contract256_modm(key, scalar); merlin_transcript_challenge_bytes(&t, (uint8_t *)"no", 2, nonce, 32); - - memzero(&t, sizeof(t)); } void hard_derive_mini_secret_key(sr25519_mini_secret_key key_out, sr25519_chain_code chain_code_out, const sr25519_mini_secret_key key_in, const sr25519_chain_code chain_code_in) { @@ -67,8 +63,6 @@ void hard_derive_mini_secret_key(sr25519_mini_secret_key key_out, sr25519_chain_ merlin_transcript_commit_bytes(&t, (uint8_t *)"secret-key", 10, key_in, 32); merlin_transcript_challenge_bytes(&t, (uint8_t *)"HDKD-hard", 9, key_out, 32); merlin_transcript_challenge_bytes(&t, (uint8_t *)"HDKD-chaincode", 14, chain_code_out, 32); - - memzero(&t, sizeof(t)); } void derive_scalar_and_chaincode(merlin_transcript *t, bignum256modm *scalar, sr25519_chain_code chain_code_out, const sr25519_public_key public, const sr25519_chain_code chain_code_in) { @@ -80,8 +74,6 @@ void derive_scalar_and_chaincode(merlin_transcript *t, bignum256modm *scalar, sr expand256_modm(scalar, buf, 64); merlin_transcript_challenge_bytes(t, (uint8_t *)"HDKD-chaincode", 14, chain_code_out, 32); - - memzero(buf, sizeof(buf)); } void derived_secret_key_simple(sr25519_secret_key_key key_out, sr25519_secret_key_nonce nonce_out, sr25519_chain_code chain_code_out, const sr25519_public_key public, const sr25519_secret_key_key key_in, const sr25519_secret_key_nonce nonce_in, const sr25519_chain_code chain_code_in) { @@ -113,14 +105,6 @@ void derived_secret_key_simple(sr25519_secret_key_key key_out, sr25519_secret_ke sr25519_randombytes(entropy, 32); merlin_rng_finalize(&mrng, entropy); merlin_rng_random_bytes(&mrng, nonce_out, 32); - - memzero(scalar, sizeof(scalar)); - memzero(original_scalar, sizeof(original_scalar)); - memzero(final_scalar, sizeof(final_scalar)); - memzero(&mrng, sizeof(mrng)); - memzero(entropy, sizeof(entropy)); - memzero(witness_data, sizeof(witness_data)); - memzero(&t, sizeof(t)); } void private_key_to_publuc_key(sr25519_public_key public_key, sr25519_secret_key private_key) { @@ -130,9 +114,6 @@ void private_key_to_publuc_key(sr25519_public_key public_key, sr25519_secret_key ge25519_scalarmult_base_niels(&P, ge25519_niels_base_multiples, s); ristretto_encode(public_key, P); - - memzero(&P, sizeof(P)); - memzero(s, sizeof(s)); } void sr25519_keypair_from_seed(sr25519_keypair keypair, const sr25519_mini_secret_key mini_secret_key) { @@ -146,10 +127,6 @@ void sr25519_keypair_from_seed(sr25519_keypair keypair, const sr25519_mini_secre memcpy(keypair, secret_key_key, 32); memcpy(keypair + 32, secret_key_nonce, 32); memcpy(keypair + 64, public_key, 32); - - memzero(secret_key_key, sizeof(secret_key_key)); - memzero(secret_key_nonce, sizeof(secret_key_nonce)); - memzero(public_key, sizeof(public_key)); } void sr25519_uniform_keypair_from_seed(sr25519_keypair keypair, const sr25519_mini_secret_key mini_secret_key) { @@ -162,10 +139,6 @@ void sr25519_uniform_keypair_from_seed(sr25519_keypair keypair, const sr25519_mi memcpy(keypair, secret_key_key, 32); memcpy(keypair + 32, secret_key_nonce, 32); memcpy(keypair + 64, public_key, 32); - - memzero(secret_key_key, sizeof(secret_key_key)); - memzero(secret_key_nonce, sizeof(secret_key_nonce)); - memzero(public_key, sizeof(public_key)); } void sr25519_keypair_ed25519_to_uniform(sr25519_keypair uniform_keypair, const sr25519_keypair ed25519_keypair) { @@ -175,8 +148,6 @@ void sr25519_keypair_ed25519_to_uniform(sr25519_keypair uniform_keypair, const s memcpy(uniform_keypair, secret_key_key, 32); memcpy(uniform_keypair + 32, ed25519_keypair + 32, 64); - - memzero(secret_key_key, sizeof(secret_key_key)); } void sr25519_derive_keypair_hard(sr25519_keypair keypair_out, const sr25519_keypair keypair_in, const sr25519_chain_code chain_code_in) { @@ -190,10 +161,6 @@ void sr25519_derive_keypair_hard(sr25519_keypair keypair_out, const sr25519_keyp hard_derive_mini_secret_key(key_out, chain_code_out, key_in, chain_code_in); sr25519_keypair_from_seed(keypair_out, key_out); - - memzero(key_in, sizeof(key_in)); - memzero(key_out, sizeof(key_out)); - memzero(chain_code_out, sizeof(chain_code_out)); } void sr25519_derive_keypair_soft(sr25519_keypair keypair_out, const sr25519_keypair keypair_in, const sr25519_chain_code chain_code_in) { @@ -218,14 +185,6 @@ void sr25519_derive_keypair_soft(sr25519_keypair keypair_out, const sr25519_keyp memcpy(keypair_out, key_out, 32); memcpy(keypair_out + 32, nonce_out, 32); memcpy(keypair_out + 64, public_out, 32); - - memzero(key_in, sizeof(key_in)); - memzero(nonce_in, sizeof(nonce_in)); - memzero(public, sizeof(public)); - memzero(key_out, sizeof(key_out)); - memzero(public_out, sizeof(public_out)); - memzero(nonce_out, sizeof(nonce_out)); - memzero(chain_code_out, sizeof(chain_code_out)); } void sr25519_derive_public_soft(sr25519_public_key public_out, const sr25519_public_key public_in, const sr25519_chain_code chain_code_in) { @@ -243,13 +202,6 @@ void sr25519_derive_public_soft(sr25519_public_key public_out, const sr25519_pub ristretto_decode(&P2, public_in); ge25519_add(&P, &P1, &P2); ristretto_encode(public_out, P); - - memzero(scalar, sizeof(scalar)); - memzero(chain_code_out, sizeof(chain_code_out)); - memzero(&t, sizeof(t)); - memzero(&P, sizeof(P)); - memzero(&P1, sizeof(P1)); - memzero(&P2, sizeof(P2)); } void sr25519_sign(sr25519_signature signature_out, const sr25519_public_key public, const sr25519_secret_key secret, const uint8_t *message, unsigned long message_length) { @@ -304,22 +256,6 @@ void sr25519_sign(sr25519_signature signature_out, const sr25519_public_key publ memcpy(signature_out, R_compressed, 32); memcpy(signature_out + 32, s_bytes, 32); signature_out[63] |= 128; - - memzero(&t, sizeof(t)); - memzero(secret_key, sizeof(secret_key)); - memzero(secret_nonce, sizeof(secret_nonce)); - memzero(r, sizeof(r)); - memzero(scalar_bytes, sizeof(scalar_bytes)); - memzero(&mrng, sizeof(mrng)); - memzero(entropy, sizeof(entropy)); - memzero(&R, sizeof(R)); - memzero(R_compressed, sizeof(R_compressed)); - memzero(k, sizeof(k)); - memzero(buf, sizeof(buf)); - memzero(secret_key_scalar, sizeof(secret_key_scalar)); - memzero(k_secret_key_scalar, sizeof(k_secret_key_scalar)); - memzero(s, sizeof(s)); - memzero(s_bytes, sizeof(s_bytes)); } bool sr25519_verify(const sr25519_signature signature, const uint8_t *message, unsigned long message_length, const sr25519_public_key public) { @@ -327,8 +263,6 @@ bool sr25519_verify(const sr25519_signature signature, const uint8_t *message, u memcpy(signature_s, signature + 32, 32); if ((signature_s[31] & 128) == 0) { - memzero(signature_s, sizeof(signature_s)); - return false; } @@ -338,8 +272,6 @@ bool sr25519_verify(const sr25519_signature signature, const uint8_t *message, u } if ((signature_s[31] >> 7) != 0) { - memzero(signature_s, sizeof(signature_s)); - return false; } @@ -366,13 +298,6 @@ bool sr25519_verify(const sr25519_signature signature, const uint8_t *message, u int is_canonical = is_reduced256_modm(s); if (!is_canonical) { - memzero(&t, sizeof(t)); - memzero(signature_R, sizeof(signature_R)); - memzero(signature_s, sizeof(signature_s)); - memzero(k, sizeof(k)); - memzero(s, sizeof(s)); - memzero(buf, sizeof(buf)); - return false; } @@ -386,16 +311,6 @@ bool sr25519_verify(const sr25519_signature signature, const uint8_t *message, u ristretto_encode(R_compressed, R); uint8_t valid = uint8_32_ct_eq(R_compressed, signature_R); - memzero(&t, sizeof(t)); - memzero(signature_R, sizeof(signature_R)); - memzero(signature_s, sizeof(signature_s)); - memzero(k, sizeof(k)); - memzero(s, sizeof(s)); - memzero(buf, sizeof(buf)); - memzero(&A, sizeof(A)); - memzero(&R, sizeof(R)); - memzero(R_compressed, sizeof(R_compressed)); - return valid; } @@ -419,12 +334,6 @@ VrfResult sr25519_vrf_sign_if_less(sr25519_vrf_out_and_proof out_and_proof, cons VrfResult vrf_result = {0}; vrf_result.result = sign_result; vrf_result.is_less = false; - - memzero(&t, sizeof(merlin_transcript)); - memzero(io, 64); - memzero(proof, 64); - memzero(proof_batchable, 96); - return vrf_result; } @@ -446,28 +355,12 @@ VrfResult sr25519_vrf_sign_if_less(sr25519_vrf_out_and_proof out_and_proof, cons vrf_result.result = Ok; vrf_result.is_less = true; - memzero(&t, sizeof(merlin_transcript)); - memzero(io, 64); - memzero(proof, 64); - memzero(proof_batchable, 96); - memzero(raw_output, 16); - memzero(raw_output_le, 16); - memzero(threshold_le, 16); - return vrf_result; } else { VrfResult vrf_result = {0}; vrf_result.result = Ok; vrf_result.is_less = false; - memzero(&t, sizeof(merlin_transcript)); - memzero(io, 64); - memzero(proof, 64); - memzero(proof_batchable, 96); - memzero(raw_output, 16); - memzero(raw_output_le, 16); - memzero(threshold_le, 16); - return vrf_result; } } @@ -487,10 +380,6 @@ VrfResult sr25519_vrf_verify(const sr25519_public_key public, const uint8_t *mes vrf_result.result = verify_result; vrf_result.is_less = false; - memzero(&t1, sizeof(merlin_transcript)); - memzero(inout, 64); - memzero(proof_batchable, 96); - return vrf_result; } @@ -519,16 +408,6 @@ VrfResult sr25519_vrf_verify(const sr25519_public_key public, const uint8_t *mes vrf_result.result = shorten_result; vrf_result.is_less = false; - memzero(&t1, sizeof(merlin_transcript)); - memzero(&t2, sizeof(merlin_transcript)); - memzero(inout, 64); - memzero(proof_batchable, 96); - memzero(raw_output, 16); - memzero(raw_output_le, 16); - memzero(threshold_le, 16); - memzero(verify_output, 32); - memzero(decomp_proof, 64); - return vrf_result; } @@ -537,32 +416,12 @@ VrfResult sr25519_vrf_verify(const sr25519_public_key public, const uint8_t *mes vrf_result.result = Ok; vrf_result.is_less = check; - memzero(&t1, sizeof(merlin_transcript)); - memzero(&t2, sizeof(merlin_transcript)); - memzero(inout, 64); - memzero(proof_batchable, 96); - memzero(raw_output, 16); - memzero(raw_output_le, 16); - memzero(threshold_le, 16); - memzero(verify_output, 32); - memzero(decomp_proof, 64); - return vrf_result; } else { VrfResult vrf_result = {0}; vrf_result.result = EquationFalse; vrf_result.is_less = false; - memzero(&t1, sizeof(merlin_transcript)); - memzero(&t2, sizeof(merlin_transcript)); - memzero(inout, 64); - memzero(proof_batchable, 96); - memzero(raw_output, 16); - memzero(raw_output_le, 16); - memzero(threshold_le, 16); - memzero(verify_output, 32); - memzero(decomp_proof, 64); - return vrf_result; } } diff --git a/src/vrf.c b/src/vrf.c index 8c9bcd1..320e7f7 100644 --- a/src/vrf.c +++ b/src/vrf.c @@ -2,7 +2,6 @@ #include "vrf.h" #include "ristretto255.h" #include "sr25519-randombytes.h" -#include "memzero.h" #define KUSAMA_VRF 1 @@ -29,15 +28,6 @@ Sr25519SignatureResult vrf_sign(sr25519_vrf_io inout, sr25519_vrf_proof proof, s int is_canonical = is_reduced256_modm(secret_key_scalar); if (!is_canonical) { - memzero(secret_key, 32); - memzero(secret_nonce, 32); - memzero(public, 32); - memzero(b, 64); - memzero(&input, sizeof(ge25519)); - memzero(&output, sizeof(ge25519)); - memzero(&secret_key_scalar, sizeof(bignum256modm)); - memzero(&input_compressed, 32); - Sr25519SignatureResult result = ScalarFormatError; return result; } @@ -113,31 +103,6 @@ Sr25519SignatureResult vrf_sign(sr25519_vrf_io inout, sr25519_vrf_proof proof, s memcpy(proof_batchable + 32, Hr_compressed, 32); memcpy(proof_batchable + 64, s, 32); - memzero(secret_key, 32); - memzero(secret_nonce, 32); - memzero(public, 32); - memzero(b, 64); - memzero(&input, sizeof(ge25519)); - memzero(&output, sizeof(ge25519)); - memzero(&secret_key_scalar, sizeof(bignum256modm)); - memzero(&input_compressed, 32); - memzero(&output_compressed, 32); - memzero(&e, sizeof(merlin_transcript)); - memzero(&r_scalar, sizeof(bignum256modm)); - memzero(scalar_bytes, 64); - memzero(&mrng, sizeof(merlin_rng)); - memzero(entropy, 32); - memzero(&R, sizeof(ge25519)); - memzero(R_compressed, 32); - memzero(&Hr, sizeof(ge25519)); - memzero(Hr_compressed, 32); - memzero(&c_scalar, sizeof(bignum256modm)); - memzero(buf, 64); - memzero(&c_secret_key_scalar, sizeof(bignum256modm)); - memzero(&s_scalar, sizeof(bignum256modm)); - memzero(c, 32); - memzero(s, 32); - Sr25519SignatureResult result = Ok; return result; } @@ -187,18 +152,6 @@ Sr25519SignatureResult shorten_vrf(sr25519_vrf_proof proof, const sr25519_vrf_pr memcpy(proof, c, 32); memcpy(proof + 32, s, 32); - memzero(b, 64); - memzero(&input, sizeof(ge25519)); - memzero(input_compressed, 32); - memzero(output_compressed, 32); - memzero(&e, sizeof(merlin_transcript)); - memzero(R, 32); - memzero(Hr, 32); - memzero(s, 32); - memzero(&c_scalar, sizeof(bignum256modm)); - memzero(buf, 64); - memzero(c, 32); - Sr25519SignatureResult result = Ok; return result; } @@ -270,50 +223,9 @@ Sr25519SignatureResult vrf_verify(sr25519_vrf_io inout, sr25519_vrf_proof_batcha memcpy(proof_batchable + 32, Hr_compressed, 32); memcpy(proof_batchable + 64, s, 32); - memzero(c, 32); - memzero(s, 32); - memzero(b, 64); - memzero(&input, sizeof(ge25519)); - memzero(input_compressed, 32); - memzero(output_compressed, 32); - memzero(&e, sizeof(merlin_transcript)); - memzero(&R, sizeof(ge25519)); - memzero(&P, sizeof(ge25519)); - memzero(&c_scalar, sizeof(bignum256modm)); - memzero(&s_scalar, sizeof(bignum256modm)); - memzero(R_compressed, 32); - memzero(&Hr, sizeof(ge25519)); - memzero(&CP, sizeof(ge25519)); - memzero(&SP, sizeof(ge25519)); - memzero(&output, sizeof(ge25519)); - memzero(Hr_compressed, 32); - memzero(&verify_c_scalar, sizeof(bignum256modm)); - memzero(buf, 64); - memzero(verify_c, 32); - Sr25519SignatureResult result = Ok; return result; } else { - memzero(c, 32); - memzero(s, 32); - memzero(b, 64); - memzero(&input, sizeof(ge25519)); - memzero(input_compressed, 32); - memzero(output_compressed, 32); - memzero(&e, sizeof(merlin_transcript)); - memzero(&R, sizeof(ge25519)); - memzero(&P, sizeof(ge25519)); - memzero(&c_scalar, sizeof(bignum256modm)); - memzero(&s_scalar, sizeof(bignum256modm)); - memzero(R_compressed, 32); - memzero(&Hr, sizeof(ge25519)); - memzero(&CP, sizeof(ge25519)); - memzero(&SP, sizeof(ge25519)); - memzero(&output, sizeof(ge25519)); - memzero(Hr_compressed, 32); - memzero(&verify_c_scalar, sizeof(bignum256modm)); - memzero(buf, 64); - memzero(verify_c, 32); Sr25519SignatureResult result = EquationFalse; return result; @@ -331,8 +243,4 @@ void io_make_bytes(sr25519_vrf_raw_output raw_output, const sr25519_vrf_io inout merlin_transcript_commit_bytes(&t, (uint8_t *)"vrf-in", 6, input, 32); merlin_transcript_commit_bytes(&t, (uint8_t *)"vrf-out", 7, output, 32); merlin_transcript_challenge_bytes(&t, (uint8_t *)"", 0, raw_output, 16); - - memzero(&t, sizeof(merlin_transcript)); - memzero(input, 32); - memzero(output, 32); }