From f85d3cb5c2e76bfbf73c831675056d66a2661716 Mon Sep 17 00:00:00 2001
From: jeffro256
Date: Thu, 9 Jan 2025 00:27:27 -0600
Subject: [PATCH] remove unused X25519 conversion functions
---
 src/crypto/crypto-ops.c | 111 +-----------------------------------
 src/crypto/crypto-ops.h | 6 --
 tests/unit_tests/crypto.cpp | 20 -------
 3 files changed, 2 insertions(+), 135 deletions(-)
diff --git a/src/crypto/crypto-ops.c b/src/crypto/crypto-ops.c
index ee053b628..df28a1903 100644
--- a/src/crypto/crypto-ops.c
+++ b/src/crypto/crypto-ops.c
@@ -3844,11 +3844,6 @@ static void edwardsYZ_to_x25519(unsigned char *xbytes, const fe Y, const fe Z) {
 fe_tobytes(xbytes, tmp0); // tobytes((Z + Y) / (Z - Y))
 }
-void ge_p2_to_x25519(unsigned char *xbytes, const ge_p2 *h)
-{
- edwardsYZ_to_x25519(xbytes, h->Y, h->Z);
-}
-
 void ge_p3_to_x25519(unsigned char *xbytes, const ge_p3 *h)
 {
 edwardsYZ_to_x25519(xbytes, h->Y, h->Z);
@@ -3910,6 +3905,8 @@ int edwards_bytes_to_x25519_vartime(unsigned char *xbytes, const unsigned char *
 Y[8] = h8;
 Y[9] = h9;
+ /* End fe_frombytes.c */
+
 fe Z;
 fe_1(Z);
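Review bot: The added `/* End fe_frombytes.c */` marker in edwards_bytes_to_x25519_vartime closes an inlined copy of the field-element decoding, but nothing in this hunk shows where the copy begins or that it has to track the original. The function's opening lines are outside the hunk, so a matching opening marker may already exist; if it does not, add `/* From fe_frombytes.c */` above the first limb load, as the removed ge_fromx25519_vartime had. With that function deleted this is the only inlined copy visible in the patch, so the marker could say so: `/* End fe_frombytes.c (inlined copy, keep in sync) */`. The `_vartime` suffix suggests the routine is not constant-time, and the header comment kept in crypto-ops.h does not mention that or the `int` return value; a one-line note there stating that the input is expected to be public data and what a non-zero return means would help callers.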
@@ -3918,110 +3915,6 @@ int edwards_bytes_to_x25519_vartime(unsigned char *xbytes, const unsigned char *
 return 0;
 }
-int ge_fromx25519_vartime(ge_p3 *h, const unsigned char *s) {
- fe u;
- fe v;
- fe vxx;
- fe check;
-
- /* From fe_frombytes.c */
-
- int64_t h0 = load_4(s);
- int64_t h1 = load_3(s + 4) << 6;
- int64_t h2 = load_3(s + 7) << 5;
- int64_t h3 = load_3(s + 10) << 3;
- int64_t h4 = load_3(s + 13) << 2;
- int64_t h5 = load_4(s + 16);
- int64_t h6 = load_3(s + 20) << 7;
- int64_t h7 = load_3(s + 23) << 5;
- int64_t h8 = load_3(s + 26) << 4;
- int64_t h9 = (load_3(s + 29) & 8388607) << 2;
- int64_t carry0;
- int64_t carry1;
- int64_t carry2;
- int64_t carry3;
- int64_t carry4;
- int64_t carry5;
- int64_t carry6;
- int64_t carry7;
- int64_t carry8;
- int64_t carry9;
-
- /* Validate the number to be canonical */
- if (h9 == 33554428 && h8 == 268435440 && h7 == 536870880 && h6 == 2147483520 &&
- h5 == 4294967295 && h4 == 67108860 && h3 == 134217720 && h2 == 536870880 &&
- h1 == 1073741760 && h0 >= 4294967277) {
- return -1;
- }
-
- carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
- carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
- carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
- carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
- carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
-
- carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
- carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
- carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
- carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
- carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
-
- /* End fe_frombytes.c */
-
- /* Start ge_fromx25519_vartime specific code */
-
- check[0] = h0;
- check[1] = h1;
- check[2] = h2;
- check[3] = h3;
- check[4] = h4;
- check[5] = h5;
- check[6] = h6;
- check[7] = h7;
- check[8] = h8;
- check[9] = h9; /* load s into `check`, where s is the X coordinate of the X25519 point */
-
- fe_1(v); /* v = 1 */
- fe_copy(u, v); /* u = 1 */
- u[0] = -1; /* u = -1 */
- fe_add(u, u, check); /* u = s - 1 */
- fe_add(v, v, check); /* v = s + 1 */
- fe_invert(v, v); /* v = 1 / (s + 1) */
- fe_mul(h->Y, u, v); /* Y = (s - 1) / (s + 1) */
-
- /* End ge_fromx25519_vartime specific code */
-
- fe_1(h->Z);
- fe_sq(u, h->Y);
- fe_mul(v, u, fe_d);
- fe_sub(u, u, h->Z); /* u = y^2-1 */
- fe_add(v, v, h->Z); /* v = dy^2+1 */
-
- fe_divpowm1(h->X, u, v); /* x = uv^3(uv^7)^((q-5)/8) */
-
- fe_sq(vxx, h->X);
- fe_mul(vxx, vxx, v);
- fe_sub(check, vxx, u); /* vx^2-u */
- if (fe_isnonzero(check)) {
- fe_add(check, vxx, u); /* vx^2+u */
- if (fe_isnonzero(check)) {
- return -1;
- }
- fe_mul(h->X, h->X, fe_sqrtm1);
- }
-
- if (fe_isnegative(h->X)) {
- /* If x = 0, the sign must be positive */
- if (!fe_isnonzero(h->X)) {
- return -1;
- }
- fe_neg(h->X, h->X);
- }
-
- fe_mul(h->T, h->X, h->Y);
- return 0;
-}
-
 int ge_p3_is_point_at_infinity_vartime(const ge_p3 *p) {
 // https://eprint.iacr.org/2008/522
 // X == T == 0 and Y/Z == 1
diff --git a/src/crypto/crypto-ops.h b/src/crypto/crypto-ops.h
index a9a52338d..569a446c7 100644
--- a/src/crypto/crypto-ops.h
+++ b/src/crypto/crypto-ops.h
@@ -159,15 +159,9 @@ int sc_isnonzero(const unsigned char *); /* Doesn't normalize */
 /**
 * brief: Convert Ed25519 y-coord to X25519 x-coord, AKA "ConvertPointE()" in the Carrot spec
 */
-void ge_p2_to_x25519(unsigned char *xbytes, const ge_p2 *h);
 void ge_p3_to_x25519(unsigned char *xbytes, const ge_p3 *h);
 int edwards_bytes_to_x25519_vartime(unsigned char *xbytes, const unsigned char *s);
-/**
- * brief: Convert X25519 x-coord to Ed25519 point with positive sign
- */
-int ge_fromx25519_vartime(ge_p3 *h, const unsigned char *s);
-
 // internal
 uint64_t load_3(const unsigned char *in);
 uint64_t load_4(const unsigned char *in);
diff --git a/tests/unit_tests/crypto.cpp b/tests/unit_tests/crypto.cpp
index 1b1a6397f..27c992a23 100644
--- a/tests/unit_tests/crypto.cpp
+++ b/tests/unit_tests/crypto.cpp
@@ -616,23 +616,3 @@ TEST(Crypto, ConvertPointE_EraseSign)
 EXPECT_EQ(P_mont, negP_mont);
 }
-
-TEST(Crypto, ge_fromx25519_vartime_Base)
-{
- const crypto::x25519_pubkey B = {{9}};
-
- crypto::public_key G_actual;
- ge_p3 G_actual_p3;
- ge_fromx25519_vartime(&G_actual_p3, B.data);
- ge_p3_tobytes(to_bytes(G_actual), &G_actual_p3);
-
- EXPECT_EQ(crypto::get_G(), G_actual);
-}
-
-TEST(Crypto, ge_fromx25519_vartime_RandomPointNominalSuccess)
-{
- const crypto::x25519_pubkey P = crypto::x25519_pubkey_gen();
-
- ge_p3 h;
- EXPECT_EQ(0, ge_fromx25519_vartime(&h, P.data));
-}