X25519_verfication8 - Wokwi ESP32, STM32, Arduino Simulator

#include <Arduino.h>
#include <avr/io.h>
#include <stdlib.h>

// Define constants and function prototypes
#define fe25519_add avrnacl_fe25519_add
#define fe25519_sub avrnacl_fe25519_sub
#define fe25519_red avrnacl_fe25519_red

typedef struct {
  unsigned char v[32];
} fe25519;

extern "C" {
  void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y);
  void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y);
  void fe25519_red(fe25519 *r, unsigned char *C);
  char bigint_subp(unsigned char *r, const unsigned char *a);
  char bigint_square256(unsigned char *r, const unsigned char *a);
  char bigint_mul256(unsigned char *r, const unsigned char *a, const unsigned char *b);
  void bigint_mul121666(unsigned char *r, const unsigned char *x);
}

void fe25519_freeze(fe25519 *r);
void fe25519_unpack(fe25519 *r, const unsigned char x[32]);
void fe25519_pack(unsigned char r[32], const fe25519 *x);
void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b);
void fe25519_setone(fe25519 *r);
void fe25519_setzero(fe25519 *r);
void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y);
void fe25519_square(fe25519 *r, const fe25519 *x);
void fe25519_invert(fe25519 *r, const fe25519 *x);
void work_cswap(fe25519 *work, char b);
void mladder(fe25519 *xr, fe25519 *zr, const unsigned char s[32]);
void fe25519_mul121666(fe25519 *r, const fe25519 *x);

int crypto_scalarmult_curve25519(unsigned char *r, const unsigned char *s, const unsigned char *p);

static const fe25519 _121666 = { { 0x42, 0xDB, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } };

void setup() {
  Serial.begin(500000);
  // n represent the scalar multiplcation value.
  //unsigned char n[32] = {0x56,0x2c,0x1e,0xb5,0xfd,0xb2,0x81,0x29, 0xbd,0x37,0x49,0x58,0x35,0xd4,0xb1,0x30, 0x7d,0xdb,0x57,0x38,0x80,0x12,0x17,0x42, 0xf7,0x13,0xf1,0x05,0x67,0x69,0xd5,0xbf};
  unsigned char n[32] = { 0x05 };
  // p represent the x-coordinate of the base point (or the generator).
  unsigned char p[32] = { 0x09 };
  // q represent the result that we want to get.
  unsigned char q[32];

  crypto_scalarmult_curve25519(q, n, p);

  Serial.print("Result: ");
  for (int i = 0; i < 32; i++) {
    Serial.print(q[i], HEX);
    Serial.print(" ");
  }
  Serial.println();
}

void loop() {
  // Empty loop
}

//---------------------------------------Define your functions here---------------------------------------
int crypto_scalarmult_curve25519(unsigned char *r, const unsigned char *s, const unsigned char *p) {
  unsigned char e[32];
  unsigned char i;
  for (i = 0; i < 32; i++) {
    e[i] = s[i];
  }
  Serial.println();
  //e[0] &= 248;
  //e[31] &= 127;
  //e[31] |= 64;

  fe25519 t;
  fe25519 z;
  fe25519_unpack(&t, p);
  mladder(&t, &z, e);
  fe25519_invert(&z, &z);
  fe25519_mul(&t, &t, &z);
  fe25519_pack(r, &t);
  return 0;
}

void fe25519_unpack(fe25519 *r, const unsigned char x[32]) {
  unsigned char i;
  for (i = 0; i < 32; i++) {
    r->v[i] = x[i];
  }
  r->v[31] &= 127;
}

// Implement mladder function here
void mladder(fe25519 *xr, fe25519 *zr, const unsigned char s[32]) {
  Serial.println();
  fe25519 work[5];
  unsigned char bit, prevbit = 0;
  unsigned char swap;
  signed char j = 6;
  signed char i;

  work[0] = *xr;
  fe25519_setone(work + 1);
  fe25519_setzero(work + 2);
  work[3] = *xr;
  fe25519_setone(work + 4);
  Serial.println(" -----------> Start of the for loop:  ");
  for (i = 31; i >= 0; i--) {
    while (j >= 0) {
      bit = 1 & (s[i] >> j);
      swap = bit ^ prevbit;
      prevbit = bit;
      work_cswap(work, swap);
      ladderstep(work);
      j -= 1;
    }
    j = 7;
  }
  *xr = work[3];
  *zr = work[4];
}

void fe25519_setone(fe25519 *r) {
  unsigned char i;
  r->v[0] = 1;
  for (i = 1; i < 64; i++) {
    r->v[i] = 0;
  }
}

void fe25519_setzero(fe25519 *r) {
  unsigned char i;
  for (i = 0; i < 64; i++) {
    r->v[i] = 0;
  }
}

// Implement work_cswap and ladderstep functions here
void work_cswap(fe25519 *work, unsigned char b) {
  fe25519 t = {{0x00}};
  fe25519_cmov(&t, work + 1, b);
  fe25519_cmov(work + 1, work + 3, b);
  fe25519_cmov(work + 3, &t, b);
  fe25519_cmov(&t, work + 2, b);
  fe25519_cmov(work + 2, work + 4, b);
  fe25519_cmov(work + 4, &t, b);
}

void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b) {
  unsigned char i;
  unsigned long mask = b;
  mask = -mask;
  for (i = 0; i < 32; i++) {
    r->v[i] ^= mask & (x->v[i] ^ r->v[i]);
  }
}

void fe25519_pack(unsigned char r[32], const fe25519 *x) {
  unsigned char i;
  fe25519 y = *x;
  fe25519_freeze(&y);
  for (i = 0; i < 32; i++) {
    r[i] = y.v[i];
  }
}

/* reduction modulo 2^255-19 */
void fe25519_freeze(fe25519 *r) {
  unsigned char c;
  fe25519 rt;
  c = bigint_subp(rt.v, r->v);
  fe25519_cmov(r, &rt, 1 - c);
  c = bigint_subp(rt.v, r->v);
  fe25519_cmov(r, &rt, 1 - c);
}

void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y) {
  unsigned char t[64] = { 0x00 };
  cli();  // Disable interrupts
  bigint_mul256(t, x->v, y->v);
  sei();  // Enable interrupts
  fe25519_red(r, t);
  fe25519_freeze(r);  // Apply freeze if needed
  fe25519_freeze(r);  // Apply freeze if needed
}

void fe25519_square(fe25519 *r, const fe25519 *x) {
  unsigned char t[64];
  cli();  // Disable interrupts
  bigint_square256(t, x->v);
  sei();  // Enable interrupts
  fe25519_red(r, t);
  fe25519_freeze(r);  // Apply freeze if needed
}

void ladderstep(fe25519 *work) {
  fe25519 t[2];
  fe25519 *t1 = &t[0];
  fe25519 *t2 = &t[1];

  // Initialize t1 and t2 to zero
  fe25519_setzero(t1);
  fe25519_setzero(t2);

  fe25519 *x0 = work;
  fe25519 *xp = work + 1;
  fe25519 *zp = work + 2;
  fe25519 *xq = work + 3;
  fe25519 *zq = work + 4;

  fe25519_add(t1, xq, zq);
  fe25519_freeze(t1);  // Apply freeze if needed

  fe25519_sub(xq, xq, zq);
  fe25519_freeze(xq);  // Apply freeze if needed

  fe25519_add(zq, xp, zp);
  fe25519_freeze(zq);  // Apply freeze if needed

  fe25519_sub(xp, xp, zp);

  fe25519_mul(t1, t1, xp);

  fe25519_mul(xq, xq, zq);
  fe25519_freeze(xq);

  fe25519_square(zq, zq);

  fe25519_square(xp, xp);

  fe25519_sub(t2, zq, xp);
  fe25519_red(t2, t2->v);
  fe25519_freeze(t2);  // Apply freeze if needed

  fe25519_mul121666(zp, t2);

  fe25519_add(zp, zp, xp);
  fe25519_freeze(zp);  // Apply freeze if needed

  fe25519_mul(zp, zp, t2);

  fe25519_mul(xp, zq, xp);

  fe25519_sub(zq, xq, t1);
  fe25519_freeze(zq);  // Apply freeze if needed

  fe25519_square(zq, zq);
  fe25519_freeze(zq);  // Apply freeze if needed

  fe25519_mul(zq, zq, x0);

  fe25519_add(xq, t1, xq);

  fe25519_square(xq, xq);
  fe25519_freeze(xq);  // Apply freeze if needed
}

void print_fe25519(const char *name, const fe25519 *f) {
  Serial.print(name);
  Serial.print("= ");
  for (int i = 0; i < 32; i++) {
    Serial.print(f->v[i], HEX);
    Serial.print(" ");
  }
  Serial.println();
}

void print_fe25519_64(const char *name, const fe25519 *f) {
  Serial.print(name);
  Serial.print(": ");
  for (int i = 0; i < 64; i++) {
    Serial.print(f->v[i], HEX);
    Serial.print(" ");
  }
  Serial.println();
}

void print_fe25519_64(const char *name, const unsigned char *f) {
  Serial.print(name);
  Serial.print(": ");
  for (int i = 0; i < 64; i++) {
    Serial.print(*(f + i), HEX);
    Serial.print(" ");
  }
  Serial.println();
}

void fe25519_mul121666(fe25519 *r, const fe25519 *x) {
  unsigned char t[64];
  cli();  // Disable interrupts
  bigint_mul256(t, x->v, _121666.v);
  sei();  // Enable interrupts
  //bigint_mul121666(t,x->v);
  //bigint_mul121666(t,_121666.v);
  fe25519_red(r, t);
}

void fe25519_invert(fe25519 *r, const fe25519 *x) {
  fe25519 z2;
  fe25519 z11;
  fe25519 z2_10_0;
  fe25519 z2_50_0;
  fe25519 z2_100_0;
  fe25519 t0;
  fe25519 t1;
  unsigned char i;

  /* 2 */ fe25519_square(&z2, x);
  /* 4 */ fe25519_square(&t1, &z2);
  /* 8 */ fe25519_square(&t0, &t1);
  /* 9 */ fe25519_mul(&z2_10_0, &t0, x);
  /* 11 */ fe25519_mul(&z11, &z2_10_0, &z2);
  /* 22 */ fe25519_square(&t0, &z11);
  /* 2^5 - 2^0 = 31 */ fe25519_mul(&z2_10_0, &t0, &z2_10_0);

  /* 2^6 - 2^1 */ fe25519_square(&t0, &z2_10_0);
  /* 2^7 - 2^2 */ fe25519_square(&t1, &t0);
  /* 2^8 - 2^3 */ fe25519_square(&t0, &t1);
  /* 2^9 - 2^4 */ fe25519_square(&t1, &t0);
  /* 2^10 - 2^5 */ fe25519_square(&t0, &t1);
  /* 2^10 - 2^0 */ fe25519_mul(&z2_10_0, &t0, &z2_10_0);

  /* 2^11 - 2^1 */ fe25519_square(&t0, &z2_10_0);
  /* 2^12 - 2^2 */ fe25519_square(&t1, &t0);
  /* 2^20 - 2^10 */ for (i = 2; i < 10; i += 2) {
    fe25519_square(&t0, &t1);
    fe25519_square(&t1, &t0);
  }
  /* 2^20 - 2^0 */ fe25519_mul(&z2_50_0, &t1, &z2_10_0);

  /* 2^21 - 2^1 */ fe25519_square(&t0, &z2_50_0);
  /* 2^22 - 2^2 */ fe25519_square(&t1, &t0);
  /* 2^40 - 2^20 */ for (i = 2; i < 20; i += 2) {
    fe25519_square(&t0, &t1);
    fe25519_square(&t1, &t0);
  }
  /* 2^40 - 2^0 */ fe25519_mul(&t0, &t1, &z2_50_0);

  /* 2^41 - 2^1 */ fe25519_square(&t1, &t0);
  /* 2^42 - 2^2 */ fe25519_square(&t0, &t1);
  /* 2^50 - 2^10 */ for (i = 2; i < 10; i += 2) {
    fe25519_square(&t1, &t0);
    fe25519_square(&t0, &t1);
  }
  /* 2^50 - 2^0 */ fe25519_mul(&z2_50_0, &t0, &z2_10_0);

  /* 2^51 - 2^1 */ fe25519_square(&t0, &z2_50_0);
  /* 2^52 - 2^2 */ fe25519_square(&t1, &t0);
  /* 2^100 - 2^50 */ for (i = 2; i < 50; i += 2) {
    fe25519_square(&t0, &t1);
    fe25519_square(&t1, &t0);
  }
  /* 2^100 - 2^0 */ fe25519_mul(&z2_100_0, &t1, &z2_50_0);

  /* 2^101 - 2^1 */ fe25519_square(&t1, &z2_100_0);
  /* 2^102 - 2^2 */ fe25519_square(&t0, &t1);
  /* 2^200 - 2^100 */ for (i = 2; i < 100; i += 2) {
    fe25519_square(&t1, &t0);
    fe25519_square(&t0, &t1);
  }
  /* 2^200 - 2^0 */ fe25519_mul(&t1, &t0, &z2_100_0);

  /* 2^201 - 2^1 */ fe25519_square(&t0, &t1);
  /* 2^202 - 2^2 */ fe25519_square(&t1, &t0);
  /* 2^250 - 2^50 */ for (i = 2; i < 50; i += 2) {
    fe25519_square(&t0, &t1);
    fe25519_square(&t1, &t0);
  }
  /* 2^250 - 2^0 */ fe25519_mul(&t0, &t1, &z2_50_0);

  /* 2^251 - 2^1 */ fe25519_square(&t1, &t0);
  /* 2^252 - 2^2 */ fe25519_square(&t0, &t1);
  /* 2^253 - 2^3 */ fe25519_square(&t1, &t0);
  /* 2^254 - 2^4 */ fe25519_square(&t0, &t1);
  /* 2^255 - 2^5 */ fe25519_square(&t1, &t0);
  /* 2^255 - 21 */ fe25519_mul(r, &t1, &z11);
}