CodesInChaos / Hkdf.cs
Created January 30, 2014 14:57
HKDF in C#
class Hkdf
Func<byte[],byte[],byte[]> keyedHash;
public Hkdf()
var hmac = new HMACSHA256();
keyedHash = (key, message)=>
CodesInChaos / gist:8374632
Created January 11, 2014 18:20
Ed25519 amd64 bug

While visiting 30c3, I attended the You-broke-the-Internet workshop on NaCl.

One thing mentioned in the talk was that auditing crypto code is a lot of work, and that this is one of the reasons why Ed25519 isn't included in NaCl yet (they promised a version including it for 2014). The speakers mentioned a bug in the amd64 assembly implementation of Ed25519 as an example of a bug that can only be found by auditing, not by randomized tests. This bug is caused by a carry being added in the wrong place, but since that carry is usually zero, the bug is hard to find (occurs with probability 2^{-60} or so).

The TweetNaCl paper briefly mentions this bug as well:

Partial audits have revealed a bug in this software (r1 += 0 + carry should be r2 += 0 + carry in amd64-64-24k) that would not be caught by random tests; this illustrates the importance of audits.

CodesInChaos / Code
Last active December 20, 2015 17:59
function LoginHash(string password, byte[] salt, int memSize, int queryCount, int maxParallelism)
return KDF(password, salt, memSize, queryCount, maxParallelism, "LoginVerification", 16)
function KDF(string password, byte[] salt, int memSize, int queryCount, int maxParallelism, string info, int outputSize)
masterKey = ComputeMasterKey(password, salt, memSize, queryCount, maxParallelism)
return HKDF-Expand(masterKey, info, outputSize) // For short outputs this is simply HMAC-SHA-256(masterKey, info || 0x01).Truncate(outputSize)
function ComputeMasterKey(string password, byte[] salt, int memSize, int queryCount, int maxParallelism)
requires memSize mod 16 = 0
requires memSize > 0
CodesInChaos / ArrayHelpers.cs
Created July 25, 2012 12:43
Base58 encoding in C# (Used for BitCoin addresses)
using System;
using System.Diagnostics.Contracts;
using System.Linq;
namespace Merkator.Tools
public class ArrayHelpers
public static T[] ConcatArrays<T>(params T[][] arrays)
CodesInChaos / Curve25519Donna.cs
Created July 13, 2012 20:19
C# implementation of Curve25519
using System;
using limb = System.Int64;
/* C# port by CodesInChaos
* ported from
* The original c code is BSD licensed (original license reproduced below)
* I put my contributions from porting in the public domain
*/
/* Copyright 2008, Google Inc.