1 #include "crypto_sign.h"
3 #include "crypto_verify_32.h"
4 #include "crypto_hash_sha512.h"
5 #include "randombytes.h"
/*
 * crypto_sign_open_batch - verify `num` signed messages, batching where it can.
 *
 * Visible parameters: m[] / mlen[] receive the recovered messages and their
 * lengths, sm[] / smlen[] are the signed messages and their lengths, pk[] are
 * the public keys, num is the number of entries.
 *
 * Visible behaviour: a batch of at most MAXBATCH entries is checked with one
 * combined multi-scalar multiplication that uses random multipliers r[i].
 * When an input fails a precondition the code jumps to `fallback`; entries
 * are also verified one by one with crypto_sign_open(), OR-ing the results
 * into `ret`.
 *
 * NOTE(review): this listing is incomplete. The end of the parameter list,
 * most braces, the declaration of `ret`, any assignment to `batchsize` before
 * its first use, the `fallback` label and the function's return are not
 * shown. The comments below describe only the statements that are visible.
 */
12 int crypto_sign_open_batch(
13 unsigned char* const m
[],unsigned long long mlen
[],
14 unsigned char* const sm
[],const unsigned long long smlen
[],
15 unsigned char* const pk
[],
16 unsigned long long num
20 unsigned long long i
, j
;
/* Scratch arrays are fixed-size: MAXBATCH multipliers, 2*MAXBATCH+1 scalars
 * and points. Every index used below must stay within these bounds. */
21 shortsc25519 r
[MAXBATCH
];
22 sc25519 scalars
[2*MAXBATCH
+1];
23 ge25519 points
[2*MAXBATCH
+1];
24 unsigned char hram
[crypto_hash_sha512_BYTES
];
25 unsigned long long batchsize
;
/* Pre-mark every output length: -1 stored in an unsigned long long is the
 * maximum value. Presumably a "not verified" sentinel until an entry is
 * accepted - confirm against the API documentation. */
27 for (i
= 0;i
< num
;++i
) mlen
[i
] = -1;
/* Clamp the batch to MAXBATCH. The largest index used below is 2*batchsize
 * (scalars/points), so this clamp is what keeps the stack arrays in bounds. */
31 if (batchsize
> MAXBATCH
) batchsize
= MAXBATCH
;
/* Length precondition: anything shorter than 64 bytes leaves the batch path.
 * The code below reads sm[i]+32 and computes smlen[i]-64 on an unsigned type,
 * which would wrap for smlen[i] < 64. */
33 for (i
= 0;i
< batchsize
;++i
)
34 if (smlen
[i
] < 64) goto fallback
;
/* Fresh random multipliers r[0..batchsize-1] for the combined check.
 * NOTE(review): a random-linear-combination batch check is only sound if r is
 * unpredictable to whoever supplies the signatures, so randombytes() must be
 * a CSPRNG. The call is used as a plain statement, so no failure is handled
 * here. */
36 randombytes((unsigned char*)r
,sizeof(shortsc25519
) * batchsize
);
38 /* Computing scalars[0] = ((r1s1 + r2s2 + ...)) */
/* Each s_i is loaded from sm[i]+32 and multiplied by r[i].
 * NOTE(review): whether sc25519_from32bytes() rejects or reduces an
 * out-of-range scalar is not visible here - confirm, since it affects which
 * encodings the batch path accepts. */
39 for(i
=0;i
<batchsize
;i
++)
41 sc25519_from32bytes(&scalars
[i
], sm
[i
]+32);
42 sc25519_mul_shortsc(&scalars
[i
], &scalars
[i
], &r
[i
]);
/* Fold the products into scalars[0]; slots 1.. are overwritten below. */
44 for(i
=1;i
<batchsize
;i
++)
45 sc25519_add(&scalars
[0], &scalars
[0], &scalars
[i
]);
47 /* Computing scalars[1] ... scalars[batchsize] as r[i]*H(R[i],A[i],m[i]) */
/* get_hram() is given m[i] at this point, before the batch path has copied
 * the message out of sm[i]; its definition is not in this listing.
 * TODO confirm what it reads from and writes to m[i]. */
48 for(i
=0;i
<batchsize
;i
++)
50 get_hram(hram
, sm
[i
], pk
[i
], m
[i
], smlen
[i
]);
51 sc25519_from64bytes(&scalars
[i
+1],hram
);
52 sc25519_mul_shortsc(&scalars
[i
+1],&scalars
[i
+1],&r
[i
]);
54 /* Setting scalars[batchsize+1] ... scalars[2*batchsize] to r[i] */
55 for(i
=0;i
<batchsize
;i
++)
56 sc25519_from_shortsc(&scalars
[batchsize
+i
+1],&r
[i
]);
58 /* Computing points */
/* points[0] is the base point, points[1..batchsize] come from pk[i], and
 * points[batchsize+1..2*batchsize] come from the start of sm[i]. A nonzero
 * return from the unpack routine abandons the batch path.
 * NOTE(review): the _vartime suffix suggests these routines are not constant
 * time. The inputs visible here are public keys, signatures and
 * verifier-chosen multipliers; no secret key is handled in this function. */
59 points
[0] = ge25519_base
;
61 for(i
=0;i
<batchsize
;i
++)
62 if (ge25519_unpackneg_vartime(&points
[i
+1], pk
[i
])) goto fallback
;
63 for(i
=0;i
<batchsize
;i
++)
64 if (ge25519_unpackneg_vartime(&points
[batchsize
+i
+1], sm
[i
])) goto fallback
;
/* One multi-scalar multiplication over all 2*batchsize+1 (point, scalar)
 * pairs; the result is read back from points[0] by the check below. */
66 ge25519_multi_scalarmult_vartime(points
, points
, scalars
, 2*batchsize
+1);
/* Neutral result: the whole batch is accepted at once. Each message is copied
 * byte by byte from sm[i]+64 into m[i] and mlen[i] is set to smlen[i]-64.
 * m[i] carries no capacity argument, so the caller must supply at least
 * smlen[i]-64 writable bytes for this path.
 * NOTE(review): acceptance here rests on the combined equation alone. Callers
 * that need batch and per-signature verification to agree on every edge-case
 * encoding should confirm that separately. */
68 if (ge25519_isneutral_vartime(points
)) {
69 for(i
=0;i
<batchsize
;i
++)
71 for(j
=0;j
<smlen
[i
]-64;j
++)
72 m
[i
][j
] = sm
[i
][j
+ 64];
73 mlen
[i
] = smlen
[i
]-64;
/* Per-entry verification of the current batch. Results are OR-ed, so `ret`
 * only says whether any entry failed, not which one (presumably nonzero means
 * failure - confirm against crypto_sign_open). */
78 for (i
= 0;i
< batchsize
;++i
)
79 ret
|= crypto_sign_open(m
[i
], &mlen
[i
], sm
[i
], smlen
[i
], pk
[i
]);
/* Per-entry verification of entries 0..num-1. The listing does not show how
 * num and the array pointers were adjusted before this loop. */
90 for (i
= 0;i
< num
;++i
)
91 ret
|= crypto_sign_open(m
[i
], &mlen
[i
], sm
[i
], smlen
[i
], pk
[i
]);