jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Update EdDSA operations to match draft 07 from CFRG.

master
Andrew Bennett 9 years ago
parent
80c0bd5d7d
commit
ef6e74bdec
No known key found for this signature in database GPG Key ID: 4FBD353257AD0DCA
12 changed files with 395 additions and 569 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +34
    -62
      src/GENERATED/c/curve25519/eddsa.c
  2. +33
    -61
      src/GENERATED/c/ed448goldilocks/eddsa.c
  3. +22
    -34
      src/GENERATED/include/decaf/ed255.h
  4. +48
    -81
      src/GENERATED/include/decaf/ed255.hxx
  5. +22
    -34
      src/GENERATED/include/decaf/ed448.h
  6. +28
    -63
      src/GENERATED/include/decaf/ed448.hxx
  7. +4
    -4
      src/generator/curve_data.py
  8. +33
    -61
      src/per_curve/eddsa.tmpl.c
  9. +22
    -34
      src/per_curve/eddsa.tmpl.h
  10. +28
    -93
      src/per_curve/eddsa.tmpl.hxx
  11. +4
    -12
      test/test_decaf.cxx
  12. +117
    -30
      test/vectors.inc.cxx

+ 34
- 62
src/GENERATED/c/curve25519/eddsa.c View File

@@ -28,7 +28,7 @@
#define hash_destroy decaf_sha512_destroy
#define hash_hash decaf_sha512_hash

#define SUPPORTS_CONTEXTS DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
#define NO_CONTEXT DECAF_EDDSA_25519_NO_CONTEXT
#define EDDSA_USE_SIGMA_ISOGENY 1
#define COFACTOR 8

@@ -58,38 +58,33 @@ static void hash_init_with_dom(
uint8_t prehashed,
uint8_t for_prehash,
const uint8_t *context,
uint8_t context_len
uint8_t context_len,
uint8_t no_context
) {
hash_init(hash);
#if SUPPORTS_CONTEXTS
const char *dom_s = "";
#if NO_CONTEXT
if (no_context) {
(void)prehashed;
(void)for_prehash;
(void)context;
(void)context_len;
return;
}
#else
(void)no_context;
#endif
const char *dom_s = "SigEd25519 no Ed25519 collisions";
const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
hash_update(hash,dom,2);
hash_update(hash,context,context_len);
#else
(void)prehashed;
(void)for_prehash;
(void)context;
assert(context==NULL);
(void)context_len;
assert(context_len == 0);
#endif
}

void decaf_ed25519_prehash_init (
hash_ctx_t hash
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
hash_init_with_dom(hash,1,1,context,context_len);
#else
hash_init_with_dom(hash,1,1,NULL,0);
#endif
hash_init(hash);
}

void decaf_ed25519_derive_public_key (
@@ -137,16 +132,11 @@ void decaf_ed25519_sign (
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len,
uint8_t no_context
) {
#if !SUPPORTS_CONTEXTS
const uint8_t *const context = NULL;
const uint8_t context_len = 0;
#endif
API_NS(scalar_t) secret_scalar;
hash_ctx_t hash;
{
@@ -165,7 +155,7 @@ void decaf_ed25519_sign (
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
/* Hash to create the nonce */
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
hash_update(hash,expanded.seed,sizeof(expanded.seed));
hash_update(hash,message,message_len);
decaf_bzero(&expanded, sizeof(expanded));
@@ -199,7 +189,7 @@ void decaf_ed25519_sign (
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
hash_update(hash,nonce_point,sizeof(nonce_point));
hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES);
hash_update(hash,message,message_len);
@@ -227,11 +217,9 @@ void decaf_ed25519_sign_prehash (
uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_ed25519_prehash_ctx_t hash
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
const decaf_ed25519_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
#endif
) {
uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
{
@@ -240,13 +228,8 @@ void decaf_ed25519_sign_prehash (
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
#else
decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1);
#endif

decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len,0);
decaf_bzero(hash_output,sizeof(hash_output));
}

@@ -255,16 +238,11 @@ decaf_error_t decaf_ed25519_verify (
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len,
uint8_t no_context
) {
#if !SUPPORTS_CONTEXTS
const uint8_t *const context = NULL;
const uint8_t context_len = 0;
#endif
API_NS(point_t) pk_point, r_point;
decaf_error_t error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(pk_point,pubkey);
if (DECAF_SUCCESS != error) { return error; }
@@ -276,7 +254,7 @@ decaf_error_t decaf_ed25519_verify (
{
/* Compute the challenge */
hash_ctx_t hash;
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
hash_update(hash,signature,DECAF_EDDSA_25519_PUBLIC_BYTES);
hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES);
hash_update(hash,message,message_len);
@@ -313,11 +291,9 @@ decaf_error_t decaf_ed25519_verify (
decaf_error_t decaf_ed25519_verify_prehash (
const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_ed25519_prehash_ctx_t hash
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
const decaf_ed25519_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
#endif
) {
decaf_error_t ret;
@@ -329,11 +305,7 @@ decaf_error_t decaf_ed25519_verify_prehash (
hash_destroy(hash_too);
}
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
#else
ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1);
#endif
ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len,0);
return ret;
}

+ 33
- 61
src/GENERATED/c/ed448goldilocks/eddsa.c View File

@@ -28,7 +28,7 @@
#define hash_destroy decaf_shake256_destroy
#define hash_hash decaf_shake256_hash

#define SUPPORTS_CONTEXTS DECAF_EDDSA_448_SUPPORTS_CONTEXTS
#define NO_CONTEXT DECAF_EDDSA_448_NO_CONTEXT
#define EDDSA_USE_SIGMA_ISOGENY 0
#define COFACTOR 4

@@ -58,38 +58,33 @@ static void hash_init_with_dom(
uint8_t prehashed,
uint8_t for_prehash,
const uint8_t *context,
uint8_t context_len
uint8_t context_len,
uint8_t no_context
) {
hash_init(hash);
#if SUPPORTS_CONTEXTS
#if NO_CONTEXT
if (no_context) {
(void)prehashed;
(void)for_prehash;
(void)context;
(void)context_len;
return;
}
#else
(void)no_context;
#endif
const char *dom_s = "SigEd448";
const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
hash_update(hash,dom,2);
hash_update(hash,context,context_len);
#else
(void)prehashed;
(void)for_prehash;
(void)context;
assert(context==NULL);
(void)context_len;
assert(context_len == 0);
#endif
}

void decaf_ed448_prehash_init (
hash_ctx_t hash
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
hash_init_with_dom(hash,1,1,context,context_len);
#else
hash_init_with_dom(hash,1,1,NULL,0);
#endif
hash_init(hash);
}

void decaf_ed448_derive_public_key (
@@ -137,16 +132,11 @@ void decaf_ed448_sign (
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len,
uint8_t no_context
) {
#if !SUPPORTS_CONTEXTS
const uint8_t *const context = NULL;
const uint8_t context_len = 0;
#endif
API_NS(scalar_t) secret_scalar;
hash_ctx_t hash;
{
@@ -165,7 +155,7 @@ void decaf_ed448_sign (
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
/* Hash to create the nonce */
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
hash_update(hash,expanded.seed,sizeof(expanded.seed));
hash_update(hash,message,message_len);
decaf_bzero(&expanded, sizeof(expanded));
@@ -199,7 +189,7 @@ void decaf_ed448_sign (
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
hash_update(hash,nonce_point,sizeof(nonce_point));
hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,message,message_len);
@@ -227,11 +217,9 @@ void decaf_ed448_sign_prehash (
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_ed448_prehash_ctx_t hash
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
const decaf_ed448_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
#endif
) {
uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
{
@@ -240,13 +228,8 @@ void decaf_ed448_sign_prehash (
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
#else
decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1);
#endif

decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len,0);
decaf_bzero(hash_output,sizeof(hash_output));
}

@@ -255,16 +238,11 @@ decaf_error_t decaf_ed448_verify (
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len,
uint8_t no_context
) {
#if !SUPPORTS_CONTEXTS
const uint8_t *const context = NULL;
const uint8_t context_len = 0;
#endif
API_NS(point_t) pk_point, r_point;
decaf_error_t error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(pk_point,pubkey);
if (DECAF_SUCCESS != error) { return error; }
@@ -276,7 +254,7 @@ decaf_error_t decaf_ed448_verify (
{
/* Compute the challenge */
hash_ctx_t hash;
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
hash_update(hash,signature,DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,message,message_len);
@@ -313,11 +291,9 @@ decaf_error_t decaf_ed448_verify (
decaf_error_t decaf_ed448_verify_prehash (
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_ed448_prehash_ctx_t hash
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
const decaf_ed448_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
#endif
) {
decaf_error_t ret;
@@ -329,11 +305,7 @@ decaf_error_t decaf_ed448_verify_prehash (
hash_destroy(hash_too);
}
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
#else
ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1);
#endif
ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len,0);
return ret;
}

+ 22
- 34
src/GENERATED/include/decaf/ed255.h View File

@@ -32,8 +32,8 @@ extern "C" {
/** Number of bytes in an EdDSA private key. */
#define DECAF_EDDSA_25519_SIGNATURE_BYTES (DECAF_EDDSA_25519_PUBLIC_BYTES + DECAF_EDDSA_25519_PRIVATE_BYTES)

/** Does EdDSA support contexts? */
#define DECAF_EDDSA_25519_SUPPORTS_CONTEXTS 0
/** Does EdDSA support non-contextual signatures? */
#define DECAF_EDDSA_25519_NO_CONTEXT 1
/** Prehash context renaming macros. */
#define decaf_ed25519_prehash_ctx_s decaf_sha512_ctx_s
@@ -59,11 +59,12 @@ void decaf_ed25519_derive_public_key (
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] message The message to sign.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] no_context Nonzero if no context should be used (only Ed25519 supported).
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
@@ -76,11 +77,10 @@ void decaf_ed25519_sign (
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len,
uint8_t no_context
) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;

/**
@@ -89,10 +89,9 @@ void decaf_ed25519_sign (
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
@@ -103,26 +102,18 @@ void decaf_ed25519_sign_prehash (
uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_ed25519_prehash_ctx_t hash
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
const decaf_ed25519_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE;
/**
* @brief Prehash initialization, with contexts if supported.
*
* @param [out] hash The hash object to be initialized.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
*/
void decaf_ed25519_prehash_init (
decaf_ed25519_prehash_ctx_t hash
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1))) NOINLINE;

/**
@@ -132,11 +123,12 @@ void decaf_ed25519_prehash_init (
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] message The message to verify.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] no_context Nonzero if no context should be used (only Ed25519 supported).
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
@@ -148,11 +140,10 @@ decaf_error_t decaf_ed25519_verify (
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len,
uint8_t no_context
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;

/**
@@ -162,10 +153,9 @@ decaf_error_t decaf_ed25519_verify (
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
@@ -175,11 +165,9 @@ decaf_error_t decaf_ed25519_verify (
decaf_error_t decaf_ed25519_verify_prehash (
const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_ed25519_prehash_ctx_t hash
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
const decaf_ed25519_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;

/**


+ 48
- 81
src/GENERATED/include/decaf/ed255.hxx View File

@@ -49,22 +49,14 @@ template<> struct EdDSA<IsoEd25519> {
/** @cond internal */
template<class CRTP, Prehashed> class Signing;
template<class CRTP, Prehashed> class Verification;

template<Prehashed=PURE> class PublicKeyBase;
template<Prehashed=PURE> class PrivateKeyBase;
typedef class PublicKeyBase<PURE> PublicKey, PublicKeyPure;
typedef class PublicKeyBase<PREHASHED> PublicKeyPh;
typedef class PrivateKeyBase<PURE> PrivateKey, PrivateKeyPure;
typedef class PrivateKeyBase<PREHASHED> PrivateKeyPh;

class PublicKeyBase;
class PrivateKeyBase;
typedef class PrivateKeyBase PrivateKey, PrivateKeyPure, PrivateKeyPh;
typedef class PublicKeyBase PublicKey, PublicKeyPure, PublicKeyPh;
/** @endcond */

/** Prehash context for EdDSA. */
class Prehash : public SHA512 {
public:
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_25519_SUPPORTS_CONTEXTS;
private:
typedef SHA512 Super;
SecureBuffer context_;
@@ -74,17 +66,11 @@ private:
void init() throw(LengthException) {
Super::reset();
if (context_.size() > 255
|| (context_.size() != 0 && !SUPPORTS_CONTEXTS)
) {
if (context_.size() > 255) {
throw LengthException();
}

#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
decaf_ed25519_prehash_init((decaf_sha512_ctx_s *)wrapped,context_.data(),context_.size());
#else
decaf_ed25519_prehash_init(wrapped);
#endif
decaf_ed25519_prehash_init((decaf_sha512_ctx_s *)wrapped);
}
public:
@@ -126,11 +112,9 @@ public:
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed25519_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, ph.context_.data(),
(const decaf_ed25519_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
#endif
);
return out;
}
@@ -151,20 +135,18 @@ public:
/**
* Sign a message.
* @param [in] message The message to be signed.
* @param [in] context A context for the signature; must be at most 255 bytes;
* must be absent if SUPPORTS_CONTEXTS == false.
* @param [in] context A context for the signature; must be at most 255 bytes.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline SecureBuffer sign (
const Block &message,
const Block &context = Block(NULL,0)
const Block &context = Block(NULL,0),
const bool no_context = false
) const /* TODO: this exn spec tickles a Clang bug?
* throw(LengthException, std::bad_alloc)
*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
if (context.size() > 255) {
throw LengthException();
}
@@ -175,28 +157,27 @@ public:
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, context.data(),
context.size()
#endif
0,
context.data(),
context.size(),
no_context
);
return out;
}
};

template<Prehashed ph> class PrivateKeyBase
: public Serializable<PrivateKeyBase<ph> >
, public Signing<PrivateKeyBase<ph>,ph> {
class PrivateKeyBase
: public Serializable<PrivateKeyBase>
, public Signing<PrivateKeyBase,PURE>
, public Signing<PrivateKeyBase,PREHASHED> {
public:
typedef class PublicKeyBase<ph> MyPublicKey;
typedef class PublicKeyBase MyPublicKey;
private:
/** @cond internal */
friend class PublicKeyBase<ph>;
friend class Signing<PrivateKeyBase<ph>, ph>;
friend class PublicKeyBase;
friend class Signing<PrivateKey,PURE>;
friend class Signing<PrivateKey,PREHASHED>;
/** @endcond */

/** The pre-expansion form of the signing key. */
FixedArrayBuffer<DECAF_EDDSA_25519_PRIVATE_BYTES> priv_;
@@ -214,9 +195,6 @@ public:
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_25519_PRIVATE_BYTES;
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_25519_SUPPORTS_CONTEXTS;
/** Create but don't initialize */
inline explicit PrivateKeyBase(const NOINIT&) NOEXCEPT : priv_((NOINIT())), pub_((NOINIT())) { }
@@ -269,11 +247,10 @@ public:
inline decaf_error_t WARN_UNUSED verify_noexcept (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = Block(NULL,0)
const Block &context = Block(NULL,0),
const bool no_context = false
) const /*NOEXCEPT*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
if (context.size() > 255) {
return DECAF_FAILURE;
}
@@ -282,34 +259,31 @@ public:
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, context.data(),
context.size()
#endif
0,
context.data(),
context.size(),
no_context
);
}
/** Verify a signature, throwing an exception if verification fails
* @param [in] sig The signature.
* @param [in] message The signed message.
* @param [in] context A context for the signature; must be at most 255 bytes;
* must be absent if SUPPORTS_CONTEXTS == false.
* @param [in] context A context for the signature; must be at most 255 bytes.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline void verify (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = Block(NULL,0)
const Block &context = Block(NULL,0),
const bool no_context = false
) const /*throw(LengthException,CryptoException)*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
if (context.size() > 255) {
throw LengthException();
}
if (DECAF_SUCCESS != verify_noexcept( sig, message, context )) {
if (DECAF_SUCCESS != verify_noexcept( sig, message, context, no_context )) {
throw CryptoException();
}
}
@@ -326,11 +300,9 @@ public:
return decaf_ed25519_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed25519_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, ph.context_.data(),
(const decaf_ed25519_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
#endif
);
}
@@ -342,11 +314,9 @@ public:
if (DECAF_SUCCESS != decaf_ed25519_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed25519_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, ph.context_.data(),
(const decaf_ed25519_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
#endif
)) {
throw CryptoException();
}
@@ -365,20 +335,20 @@ public:
};


template<Prehashed ph> class PublicKeyBase
: public Serializable<PublicKeyBase<ph> >
, public Verification<PublicKeyBase<ph>,ph> {
class PublicKeyBase
: public Serializable<PublicKeyBase>
, public Verification<PublicKeyBase,PURE>
, public Verification<PublicKeyBase,PREHASHED> {
public:
typedef class PrivateKeyBase<ph> MyPrivateKey;
typedef class PrivateKeyBase MyPrivateKey;
private:
/** @cond internal */
friend class PrivateKeyBase<ph>;
friend class Verification<PublicKeyBase<ph>, ph>;
friend class PrivateKeyBase;
friend class Verification<PublicKey,PURE>;
friend class Verification<PublicKey,PREHASHED>;
/** @endcond */


private:
/** The pre-expansion form of the signature */
FixedArrayBuffer<DECAF_EDDSA_25519_PUBLIC_BYTES> pub_;
@@ -395,9 +365,6 @@ public:
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_25519_PRIVATE_BYTES;
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_25519_SUPPORTS_CONTEXTS;
/** Create but don't initialize */
inline explicit PublicKeyBase(const NOINIT&) NOEXCEPT : pub_((NOINIT())) { }


+ 22
- 34
src/GENERATED/include/decaf/ed448.h View File

@@ -32,8 +32,8 @@ extern "C" {
/** Number of bytes in an EdDSA private key. */
#define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + DECAF_EDDSA_448_PRIVATE_BYTES)

/** Does EdDSA support contexts? */
#define DECAF_EDDSA_448_SUPPORTS_CONTEXTS 1
/** Does EdDSA support non-contextual signatures? */
#define DECAF_EDDSA_448_NO_CONTEXT 0
/** Prehash context renaming macros. */
#define decaf_ed448_prehash_ctx_s decaf_shake256_ctx_s
@@ -59,11 +59,12 @@ void decaf_ed448_derive_public_key (
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] message The message to sign.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] no_context Nonzero if no context should be used (only Ed25519 supported).
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
@@ -76,11 +77,10 @@ void decaf_ed448_sign (
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len,
uint8_t no_context
) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;

/**
@@ -89,10 +89,9 @@ void decaf_ed448_sign (
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
@@ -103,26 +102,18 @@ void decaf_ed448_sign_prehash (
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_ed448_prehash_ctx_t hash
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
const decaf_ed448_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE;
/**
* @brief Prehash initialization, with contexts if supported.
*
* @param [out] hash The hash object to be initialized.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
*/
void decaf_ed448_prehash_init (
decaf_ed448_prehash_ctx_t hash
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1))) NOINLINE;

/**
@@ -132,11 +123,12 @@ void decaf_ed448_prehash_init (
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] message The message to verify.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] no_context Nonzero if no context should be used (only Ed25519 supported).
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
@@ -148,11 +140,10 @@ decaf_error_t decaf_ed448_verify (
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len,
uint8_t no_context
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;

/**
@@ -162,10 +153,9 @@ decaf_error_t decaf_ed448_verify (
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
@@ -175,11 +165,9 @@ decaf_error_t decaf_ed448_verify (
decaf_error_t decaf_ed448_verify_prehash (
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_ed448_prehash_ctx_t hash
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
const decaf_ed448_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;

/**


+ 28
- 63
src/GENERATED/include/decaf/ed448.hxx View File

@@ -49,20 +49,14 @@ template<> struct EdDSA<Ed448Goldilocks> {
/** @cond internal */
template<class CRTP, Prehashed> class Signing;
template<class CRTP, Prehashed> class Verification;

class PublicKeyBase;
class PrivateKeyBase;
typedef class PrivateKeyBase PrivateKey, PrivateKeyPure, PrivateKeyPh;
typedef class PublicKeyBase PublicKey, PublicKeyPure, PublicKeyPh;
/** @endcond */

/** Prehash context for EdDSA. */
class Prehash : public SHAKE<256> {
public:
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_448_SUPPORTS_CONTEXTS;
private:
typedef SHAKE<256> Super;
SecureBuffer context_;
@@ -72,17 +66,11 @@ private:
void init() throw(LengthException) {
Super::reset();
if (context_.size() > 255
|| (context_.size() != 0 && !SUPPORTS_CONTEXTS)
) {
if (context_.size() > 255) {
throw LengthException();
}

#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
decaf_ed448_prehash_init((decaf_shake256_ctx_s *)wrapped,context_.data(),context_.size());
#else
decaf_ed448_prehash_init(wrapped);
#endif
decaf_ed448_prehash_init((decaf_shake256_ctx_s *)wrapped);
}
public:
@@ -124,11 +112,9 @@ public:
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed448_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, ph.context_.data(),
(const decaf_ed448_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
#endif
);
return out;
}
@@ -149,20 +135,18 @@ public:
/**
* Sign a message.
* @param [in] message The message to be signed.
* @param [in] context A context for the signature; must be at most 255 bytes;
* must be absent if SUPPORTS_CONTEXTS == false.
* @param [in] context A context for the signature; must be at most 255 bytes.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline SecureBuffer sign (
const Block &message,
const Block &context = Block(NULL,0)
const Block &context = Block(NULL,0),
const bool no_context = false
) const /* TODO: this exn spec tickles a Clang bug?
* throw(LengthException, std::bad_alloc)
*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
if (context.size() > 255) {
throw LengthException();
}
@@ -173,17 +157,15 @@ public:
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, context.data(),
context.size()
#endif
0,
context.data(),
context.size(),
no_context
);
return out;
}
};


class PrivateKeyBase
: public Serializable<PrivateKeyBase>
, public Signing<PrivateKeyBase,PURE>
@@ -196,7 +178,6 @@ private:
friend class Signing<PrivateKey,PURE>;
friend class Signing<PrivateKey,PREHASHED>;
/** @endcond */

/** The pre-expansion form of the signing key. */
FixedArrayBuffer<DECAF_EDDSA_448_PRIVATE_BYTES> priv_;
@@ -214,9 +195,6 @@ public:
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_448_PRIVATE_BYTES;
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_448_SUPPORTS_CONTEXTS;
/** Create but don't initialize */
inline explicit PrivateKeyBase(const NOINIT&) NOEXCEPT : priv_((NOINIT())), pub_((NOINIT())) { }
@@ -269,11 +247,10 @@ public:
inline decaf_error_t WARN_UNUSED verify_noexcept (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = Block(NULL,0)
const Block &context = Block(NULL,0),
const bool no_context = false
) const /*NOEXCEPT*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
if (context.size() > 255) {
return DECAF_FAILURE;
}
@@ -282,34 +259,31 @@ public:
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, context.data(),
context.size()
#endif
0,
context.data(),
context.size(),
no_context
);
}
/** Verify a signature, throwing an exception if verification fails
* @param [in] sig The signature.
* @param [in] message The signed message.
* @param [in] context A context for the signature; must be at most 255 bytes;
* must be absent if SUPPORTS_CONTEXTS == false.
* @param [in] context A context for the signature; must be at most 255 bytes.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline void verify (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = Block(NULL,0)
const Block &context = Block(NULL,0),
const bool no_context = false
) const /*throw(LengthException,CryptoException)*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
if (context.size() > 255) {
throw LengthException();
}
if (DECAF_SUCCESS != verify_noexcept( sig, message, context )) {
if (DECAF_SUCCESS != verify_noexcept( sig, message, context, no_context )) {
throw CryptoException();
}
}
@@ -326,11 +300,9 @@ public:
return decaf_ed448_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed448_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, ph.context_.data(),
(const decaf_ed448_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
#endif
);
}
@@ -342,11 +314,9 @@ public:
if (DECAF_SUCCESS != decaf_ed448_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed448_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, ph.context_.data(),
(const decaf_ed448_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
#endif
)) {
throw CryptoException();
}
@@ -365,7 +335,6 @@ public:
};



class PublicKeyBase
: public Serializable<PublicKeyBase>
, public Verification<PublicKeyBase,PURE>
@@ -380,7 +349,6 @@ private:
friend class Verification<PublicKey,PREHASHED>;
/** @endcond */


private:
/** The pre-expansion form of the signature */
FixedArrayBuffer<DECAF_EDDSA_448_PUBLIC_BYTES> pub_;
@@ -397,9 +365,6 @@ public:
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_448_PRIVATE_BYTES;
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_448_SUPPORTS_CONTEXTS;
/** Create but don't initialize */
inline explicit PublicKeyBase(const NOINIT&) NOEXCEPT : pub_((NOINIT())) { }


+ 4
- 4
src/generator/curve_data.py View File

@@ -36,8 +36,8 @@ curve_data = {
"window_bits":4,
"eddsa_hash": "sha512",
"eddsa_supports_contexts": 0,
"eddsa_dom": "",
"eddsa_no_context": 1,
"eddsa_dom": "SigEd25519 no Ed25519 collisions",
"eddsa_sigma_iso": 1
},
"ed448goldilocks" : {
@@ -112,8 +112,8 @@ for curve,data in curve_data.iteritems():
if "eddsa_hash" not in data:
data["eddsa_hash"] = "shake256"
if "eddsa_supports_contexts" not in data:
data["eddsa_supports_contexts"] = 1
if "eddsa_no_context" not in data:
data["eddsa_no_context"] = 0
if "cxx_ns" not in data:
data["cxx_ns"] = data["name"].replace("-","")


+ 33
- 61
src/per_curve/eddsa.tmpl.c View File

@@ -19,7 +19,7 @@
#define hash_destroy decaf_$(eddsa_hash)_destroy
#define hash_hash decaf_$(eddsa_hash)_hash

#define SUPPORTS_CONTEXTS DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
#define NO_CONTEXT DECAF_EDDSA_$(gf_shortname)_NO_CONTEXT
#define EDDSA_USE_SIGMA_ISOGENY $(eddsa_sigma_iso)
#define COFACTOR $(cofactor)

@@ -49,38 +49,33 @@ static void hash_init_with_dom(
uint8_t prehashed,
uint8_t for_prehash,
const uint8_t *context,
uint8_t context_len
uint8_t context_len,
uint8_t no_context
) {
hash_init(hash);
#if SUPPORTS_CONTEXTS
#if NO_CONTEXT
if (no_context) {
(void)prehashed;
(void)for_prehash;
(void)context;
(void)context_len;
return;
}
#else
(void)no_context;
#endif
const char *dom_s = "$(eddsa_dom)";
const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
hash_update(hash,dom,2);
hash_update(hash,context,context_len);
#else
(void)prehashed;
(void)for_prehash;
(void)context;
assert(context==NULL);
(void)context_len;
assert(context_len == 0);
#endif
}

void decaf_ed$(gf_shortname)_prehash_init (
hash_ctx_t hash
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
hash_init_with_dom(hash,1,1,context,context_len);
#else
hash_init_with_dom(hash,1,1,NULL,0);
#endif
hash_init(hash);
}

void decaf_ed$(gf_shortname)_derive_public_key (
@@ -128,16 +123,11 @@ void decaf_ed$(gf_shortname)_sign (
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len,
uint8_t no_context
) {
#if !SUPPORTS_CONTEXTS
const uint8_t *const context = NULL;
const uint8_t context_len = 0;
#endif
API_NS(scalar_t) secret_scalar;
hash_ctx_t hash;
{
@@ -156,7 +146,7 @@ void decaf_ed$(gf_shortname)_sign (
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
/* Hash to create the nonce */
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
hash_update(hash,expanded.seed,sizeof(expanded.seed));
hash_update(hash,message,message_len);
decaf_bzero(&expanded, sizeof(expanded));
@@ -190,7 +180,7 @@ void decaf_ed$(gf_shortname)_sign (
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
hash_update(hash,nonce_point,sizeof(nonce_point));
hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
hash_update(hash,message,message_len);
@@ -218,11 +208,9 @@ void decaf_ed$(gf_shortname)_sign_prehash (
uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const decaf_ed$(gf_shortname)_prehash_ctx_t hash
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
const decaf_ed$(gf_shortname)_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
#endif
) {
uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
{
@@ -231,13 +219,8 @@ void decaf_ed$(gf_shortname)_sign_prehash (
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
decaf_ed$(gf_shortname)_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
#else
decaf_ed$(gf_shortname)_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1);
#endif

decaf_ed$(gf_shortname)_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len,0);
decaf_bzero(hash_output,sizeof(hash_output));
}

@@ -246,16 +229,11 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len,
uint8_t no_context
) {
#if !SUPPORTS_CONTEXTS
const uint8_t *const context = NULL;
const uint8_t context_len = 0;
#endif
API_NS(point_t) pk_point, r_point;
decaf_error_t error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(pk_point,pubkey);
if (DECAF_SUCCESS != error) { return error; }
@@ -267,7 +245,7 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
{
/* Compute the challenge */
hash_ctx_t hash;
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
hash_update(hash,signature,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
hash_update(hash,message,message_len);
@@ -304,11 +282,9 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
decaf_error_t decaf_ed$(gf_shortname)_verify_prehash (
const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const decaf_ed$(gf_shortname)_prehash_ctx_t hash
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
const decaf_ed$(gf_shortname)_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
#endif
) {
decaf_error_t ret;
@@ -320,11 +296,7 @@ decaf_error_t decaf_ed$(gf_shortname)_verify_prehash (
hash_destroy(hash_too);
}
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
ret = decaf_ed$(gf_shortname)_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
#else
ret = decaf_ed$(gf_shortname)_verify(signature,pubkey,hash_output,sizeof(hash_output),1);
#endif
ret = decaf_ed$(gf_shortname)_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len,0);
return ret;
}

+ 22
- 34
src/per_curve/eddsa.tmpl.h View File

@@ -17,8 +17,8 @@ extern "C" {
/** Number of bytes in an EdDSA private key. */
#define DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES (DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES + DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES)

/** Does EdDSA support contexts? */
#define DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS $(eddsa_supports_contexts)
/** Does EdDSA support non-contextual signatures? */
#define DECAF_EDDSA_$(gf_shortname)_NO_CONTEXT $(eddsa_no_context)
/** Prehash context renaming macros. */
#define decaf_ed$(gf_shortname)_prehash_ctx_s decaf_$(eddsa_hash)_ctx_s
@@ -44,11 +44,12 @@ void decaf_ed$(gf_shortname)_derive_public_key (
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] message The message to sign.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] no_context Nonzero if no context should be used (only Ed25519 supported).
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
@@ -61,11 +62,10 @@ void decaf_ed$(gf_shortname)_sign (
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len,
uint8_t no_context
) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;

/**
@@ -74,10 +74,9 @@ void decaf_ed$(gf_shortname)_sign (
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
@@ -88,26 +87,18 @@ void decaf_ed$(gf_shortname)_sign_prehash (
uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const decaf_ed$(gf_shortname)_prehash_ctx_t hash
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
const decaf_ed$(gf_shortname)_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE;
/**
* @brief Prehash initialization, with contexts if supported.
*
* @param [out] hash The hash object to be initialized.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
*/
void decaf_ed$(gf_shortname)_prehash_init (
decaf_ed$(gf_shortname)_prehash_ctx_t hash
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1))) NOINLINE;

/**
@@ -117,11 +108,12 @@ void decaf_ed$(gf_shortname)_prehash_init (
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] message The message to verify.
* @param [in] message_len The length of the message.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
* @param [in] no_context Nonzero if no context should be used (only Ed25519 supported).
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
@@ -133,11 +125,10 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len,
uint8_t no_context
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;

/**
@@ -147,10 +138,9 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
@@ -160,11 +150,9 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
decaf_error_t decaf_ed$(gf_shortname)_verify_prehash (
const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const decaf_ed$(gf_shortname)_prehash_ctx_t hash
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
const decaf_ed$(gf_shortname)_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;

/**


+ 28
- 93
src/per_curve/eddsa.tmpl.hxx View File

@@ -33,27 +33,14 @@ template<> struct EdDSA<$(cxx_ns)> {
/** @cond internal */
template<class CRTP, Prehashed> class Signing;
template<class CRTP, Prehashed> class Verification;
$("""
class PublicKeyBase;
class PrivateKeyBase;
typedef class PrivateKeyBase PrivateKey, PrivateKeyPure, PrivateKeyPh;
typedef class PublicKeyBase PublicKey, PublicKeyPure, PublicKeyPh;
""" if eddsa_supports_contexts else """
template<Prehashed=PURE> class PublicKeyBase;
template<Prehashed=PURE> class PrivateKeyBase;
typedef class PublicKeyBase<PURE> PublicKey, PublicKeyPure;
typedef class PublicKeyBase<PREHASHED> PublicKeyPh;
typedef class PrivateKeyBase<PURE> PrivateKey, PrivateKeyPure;
typedef class PrivateKeyBase<PREHASHED> PrivateKeyPh;
""")
/** @endcond */

/** Prehash context for EdDSA. */
class Prehash : public $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) {
public:
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS;
private:
typedef $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) Super;
SecureBuffer context_;
@@ -63,17 +50,11 @@ private:
void init() throw(LengthException) {
Super::reset();
if (context_.size() > 255
|| (context_.size() != 0 && !SUPPORTS_CONTEXTS)
) {
if (context_.size() > 255) {
throw LengthException();
}

#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
decaf_ed$(gf_shortname)_prehash_init((decaf_$(eddsa_hash)_ctx_s *)wrapped,context_.data(),context_.size());
#else
decaf_ed$(gf_shortname)_prehash_init(wrapped);
#endif
decaf_ed$(gf_shortname)_prehash_init((decaf_$(eddsa_hash)_ctx_s *)wrapped);
}
public:
@@ -115,11 +96,9 @@ public:
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, ph.context_.data(),
(const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
#endif
);
return out;
}
@@ -140,20 +119,18 @@ public:
/**
* Sign a message.
* @param [in] message The message to be signed.
* @param [in] context A context for the signature; must be at most 255 bytes;
* must be absent if SUPPORTS_CONTEXTS == false.
* @param [in] context A context for the signature; must be at most 255 bytes.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline SecureBuffer sign (
const Block &message,
const Block &context = Block(NULL,0)
const Block &context = Block(NULL,0),
const bool no_context = false
) const /* TODO: this exn spec tickles a Clang bug?
* throw(LengthException, std::bad_alloc)
*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
if (context.size() > 255) {
throw LengthException();
}
@@ -164,17 +141,15 @@ public:
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, context.data(),
context.size()
#endif
0,
context.data(),
context.size(),
no_context
);
return out;
}
};

$("""
class PrivateKeyBase
: public Serializable<PrivateKeyBase>
, public Signing<PrivateKeyBase,PURE>
@@ -187,18 +162,6 @@ private:
friend class Signing<PrivateKey,PURE>;
friend class Signing<PrivateKey,PREHASHED>;
/** @endcond */
""" if eddsa_supports_contexts else """
template<Prehashed ph> class PrivateKeyBase
: public Serializable<PrivateKeyBase<ph> >
, public Signing<PrivateKeyBase<ph>,ph> {
public:
typedef class PublicKeyBase<ph> MyPublicKey;
private:
/** @cond internal */
friend class PublicKeyBase<ph>;
friend class Signing<PrivateKeyBase<ph>, ph>;
/** @endcond */
""")
/** The pre-expansion form of the signing key. */
FixedArrayBuffer<DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES> priv_;
@@ -216,9 +179,6 @@ public:
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES;
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS;
/** Create but don't initialize */
inline explicit PrivateKeyBase(const NOINIT&) NOEXCEPT : priv_((NOINIT())), pub_((NOINIT())) { }
@@ -271,11 +231,10 @@ public:
inline decaf_error_t WARN_UNUSED verify_noexcept (
const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = Block(NULL,0)
const Block &context = Block(NULL,0),
const bool no_context = false
) const /*NOEXCEPT*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
if (context.size() > 255) {
return DECAF_FAILURE;
}
@@ -284,34 +243,31 @@ public:
((const CRTP*)this)->pub_.data(),
message.data(),
message.size(),
0
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, context.data(),
context.size()
#endif
0,
context.data(),
context.size(),
no_context
);
}
/** Verify a signature, throwing an exception if verification fails
* @param [in] sig The signature.
* @param [in] message The signed message.
* @param [in] context A context for the signature; must be at most 255 bytes;
* must be absent if SUPPORTS_CONTEXTS == false.
* @param [in] context A context for the signature; must be at most 255 bytes.
*
* @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
*/
inline void verify (
const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
const Block &message,
const Block &context = Block(NULL,0)
const Block &context = Block(NULL,0),
const bool no_context = false
) const /*throw(LengthException,CryptoException)*/ {
if (context.size() > 255
|| (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
) {
if (context.size() > 255) {
throw LengthException();
}
if (DECAF_SUCCESS != verify_noexcept( sig, message, context )) {
if (DECAF_SUCCESS != verify_noexcept( sig, message, context, no_context )) {
throw CryptoException();
}
}
@@ -328,11 +284,9 @@ public:
return decaf_ed$(gf_shortname)_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, ph.context_.data(),
(const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
#endif
);
}
@@ -344,11 +298,9 @@ public:
if (DECAF_SUCCESS != decaf_ed$(gf_shortname)_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
(const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, ph.context_.data(),
(const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped,
ph.context_.data(),
ph.context_.size()
#endif
)) {
throw CryptoException();
}
@@ -367,7 +319,6 @@ public:
};


$("""
class PublicKeyBase
: public Serializable<PublicKeyBase>
, public Verification<PublicKeyBase,PURE>
@@ -381,19 +332,6 @@ private:
friend class Verification<PublicKey,PURE>;
friend class Verification<PublicKey,PREHASHED>;
/** @endcond */
""" if eddsa_supports_contexts else """
template<Prehashed ph> class PublicKeyBase
: public Serializable<PublicKeyBase<ph> >
, public Verification<PublicKeyBase<ph>,ph> {
public:
typedef class PrivateKeyBase<ph> MyPrivateKey;
private:
/** @cond internal */
friend class PrivateKeyBase<ph>;
friend class Verification<PublicKeyBase<ph>, ph>;
/** @endcond */
""")

private:
/** The pre-expansion form of the signature */
@@ -411,9 +349,6 @@ public:
/** Serialization size. */
static const size_t SER_BYTES = DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES;
/** Do we support contexts for signatures? If not, they must always be NULL */
static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS;
/** Create but don't initialize */
inline explicit PublicKeyBase(const NOINIT&) NOEXCEPT : pub_((NOINIT())) { }


+ 4
- 12
test/test_decaf.cxx View File

@@ -469,7 +469,7 @@ static void test_cfrg_crypto() {
}
}

static const bool eddsa_prehashed[];
static const bool eddsa_prehashed[], eddsa_no_context[];
static const Block eddsa_sk[], eddsa_pk[], eddsa_message[], eddsa_context[], eddsa_sig[];

static void test_cfrg_vectors() {
@@ -497,17 +497,9 @@ static void test_cfrg_vectors() {
if (eddsa_prehashed[t]) {
typename EdDSA<Group>::PrivateKeyPh priv2(eddsa_sk[t]);
if (priv2.SUPPORTS_CONTEXTS) {
sig = priv2.sign_with_prehash(eddsa_message[t],eddsa_context[t]);
} else {
sig = priv2.sign_with_prehash(eddsa_message[t]);
}
sig = priv2.sign_with_prehash(eddsa_message[t],eddsa_context[t]);
} else {
if (priv.SUPPORTS_CONTEXTS) {
sig = priv.sign(eddsa_message[t],eddsa_context[t]);
} else {
sig = priv.sign(eddsa_message[t]);
}
sig = priv.sign(eddsa_message[t],eddsa_context[t],eddsa_no_context[t]);
}

if (!memeq(SecureBuffer(eddsa_sig[t]),sig)) {
@@ -557,7 +549,7 @@ static void test_eddsa() {
SecureBuffer message(i);
rng.read(message);
SecureBuffer context(priv.SUPPORTS_CONTEXTS ? i%256 : 0);
SecureBuffer context(i%256);
rng.read(message);
SecureBuffer sig = priv.sign(message,context);


+ 117
- 30
test/vectors.inc.cxx View File

@@ -189,6 +189,7 @@ template<> const bool Tests<Ed448Goldilocks>::eddsa_prehashed[] = {
false,
false,
false,
true,
true
};

@@ -276,21 +277,37 @@ const uint8_t ed448_eddsa_sig[][114] = {{
0xa4,0x91,0x55,0xc1,0x37,0x64,0xe6,0x6c,
0x3c,0x00
}, {
0x86,0xa6,0xbf,0x52,0xf9,0xe8,0xf8,0x4f,
0x45,0x1b,0x2f,0x39,0x2a,0x8d,0x1c,0x3a,
0x41,0x44,0x25,0xfa,0xc0,0x06,0x8f,0x74,
0xae,0xea,0xd5,0x3b,0x0e,0x6b,0x53,0xd4,
0x55,0x5c,0xea,0x17,0x26,0xda,0x4a,0x65,
0x20,0x28,0x80,0xd4,0x07,0x26,0x70,0x87,
0x9e,0x8e,0x6f,0xa4,0xd9,0x69,0x4c,0x06,
0x00,0x54,0xf2,0x06,0x5d,0xc2,0x06,0xa6,
0xe6,0x15,0xd0,0xd8,0xc9,0x9b,0x95,0x20,
0x9b,0x69,0x6c,0x81,0x25,0xc5,0xfb,0xb9,
0xbc,0x82,0xa0,0xf7,0xed,0x3d,0x99,0xc4,
0xc1,0x1c,0x47,0x79,0x8e,0xf0,0xf7,0xeb,
0x97,0xb3,0xb7,0x2a,0xb4,0xac,0x86,0xea,
0xf8,0xb4,0x34,0x49,0xe8,0xac,0x30,0xff,
0x3f,0x00
0x82,0x2f,0x69,0x01,0xf7,0x48,0x0f,0x3d,
0x5f,0x56,0x2c,0x59,0x29,0x94,0xd9,0x69,
0x36,0x02,0x87,0x56,0x14,0x48,0x32,0x56,
0x50,0x56,0x00,0xbb,0xc2,0x81,0xae,0x38,
0x1f,0x54,0xd6,0xbc,0xe2,0xea,0x91,0x15,
0x74,0x93,0x2f,0x52,0xa4,0xe6,0xca,0xdd,
0x78,0x76,0x93,0x75,0xec,0x3f,0xfd,0x1b,
0x80,0x1a,0x0d,0x9b,0x3f,0x40,0x30,0xcd,
0x43,0x39,0x64,0xb6,0x45,0x7e,0xa3,0x94,
0x76,0x51,0x12,0x14,0xf9,0x74,0x69,0xb5,
0x7d,0xd3,0x2d,0xbc,0x56,0x0a,0x9a,0x94,
0xd0,0x0b,0xff,0x07,0x62,0x04,0x64,0xa3,
0xad,0x20,0x3d,0xf7,0xdc,0x7c,0xe3,0x60,
0xc3,0xcd,0x36,0x96,0xd9,0xd9,0xfa,0xb9,
0x0f,0x00
}, {
0xc3,0x22,0x99,0xd4,0x6e,0xc8,0xff,0x02,
0xb5,0x45,0x40,0x98,0x28,0x14,0xdc,0xe9,
0xa0,0x58,0x12,0xf8,0x19,0x62,0xb6,0x49,
0xd5,0x28,0x09,0x59,0x16,0xa2,0xaa,0x48,
0x10,0x65,0xb1,0x58,0x04,0x23,0xef,0x92,
0x7e,0xcf,0x0a,0xf5,0x88,0x8f,0x90,0xda,
0x0f,0x6a,0x9a,0x85,0xad,0x5d,0xc3,0xf2,
0x80,0xd9,0x12,0x24,0xba,0x99,0x11,0xa3,
0x65,0x3d,0x00,0xe4,0x84,0xe2,0xce,0x23,
0x25,0x21,0x48,0x1c,0x86,0x58,0xdf,0x30,
0x4b,0xb7,0x74,0x5a,0x73,0x51,0x4c,0xdb,
0x9b,0xf3,0xe1,0x57,0x84,0xab,0x71,0x28,
0x4f,0x8d,0x07,0x04,0xa6,0x08,0xc5,0x4a,
0x6b,0x62,0xd9,0x7b,0xeb,0x51,0x1d,0x13,
0x21,0x00
}};
template<> const Block Tests<Ed448Goldilocks>::eddsa_sk[] = {
Block(ed448_eddsa_sk[0],57),
@@ -299,6 +316,7 @@ template<> const Block Tests<Ed448Goldilocks>::eddsa_sk[] = {
Block(ed448_eddsa_sk[2],57),
Block(ed448_eddsa_sk[3],57),
Block(ed448_eddsa_sk[4],57),
Block(ed448_eddsa_sk[4],57),
Block(NULL,0)
};
template<> const Block Tests<Ed448Goldilocks>::eddsa_pk[] = {
@@ -307,6 +325,7 @@ template<> const Block Tests<Ed448Goldilocks>::eddsa_pk[] = {
Block(ed448_eddsa_pk[1],57),
Block(ed448_eddsa_pk[2],57),
Block(ed448_eddsa_pk[3],57),
Block(ed448_eddsa_pk[4],57),
Block(ed448_eddsa_pk[4],57)
};
template<> const Block Tests<Ed448Goldilocks>::eddsa_message[] = {
@@ -315,6 +334,7 @@ template<> const Block Tests<Ed448Goldilocks>::eddsa_message[] = {
Block(ed448_eddsa_message[1],1),
Block(ed448_eddsa_message[2],11),
Block(ed448_eddsa_message[3],12),
Block(ed448_eddsa_message[4],3),
Block(ed448_eddsa_message[4],3)
};
template<> const Block Tests<Ed448Goldilocks>::eddsa_context[] = {
@@ -323,15 +343,26 @@ template<> const Block Tests<Ed448Goldilocks>::eddsa_context[] = {
Block(ed448_eddsa_context[0],3),
Block(NULL,0),
Block(NULL,0),
Block(NULL,0),
Block(ed448_eddsa_context[0],3)
};
template<> const bool Tests<Ed448Goldilocks>::eddsa_no_context[] = {
false,
false,
false,
false,
false,
false,
false
};
template<> const Block Tests<Ed448Goldilocks>::eddsa_sig[] = {
Block(ed448_eddsa_sig[0],114),
Block(ed448_eddsa_sig[1],114),
Block(ed448_eddsa_sig[4],114),
Block(ed448_eddsa_sig[2],114),
Block(ed448_eddsa_sig[3],114),
Block(ed448_eddsa_sig[5],114)
Block(ed448_eddsa_sig[5],114),
Block(ed448_eddsa_sig[6],114)
};

const uint8_t ed25519_eddsa_sk[][32] = {{
@@ -354,6 +385,11 @@ const uint8_t ed25519_eddsa_sk[][32] = {{
0x62,0xec,0x77,0x58,0x75,0x20,0x91,0x1e,
0x9a,0x75,0x9c,0xec,0x1d,0x19,0x75,0x5b,
0x7d,0xa9,0x01,0xb9,0x6d,0xca,0x3d,0x42
}, {
0x03,0x05,0x33,0x4e,0x38,0x1a,0xf7,0x8f,
0x14,0x1c,0xb6,0x66,0xf6,0x19,0x9f,0x57,
0xbc,0x34,0x95,0x33,0x5a,0x25,0x6a,0x95,
0xbd,0x2a,0x55,0xbf,0x54,0x66,0x63,0xf6
}};
const uint8_t ed25519_eddsa_pk[][32] = {{
0xd7,0x5a,0x98,0x01,0x82,0xb1,0x0a,0xb7,
@@ -375,8 +411,13 @@ const uint8_t ed25519_eddsa_pk[][32] = {{
0xf4,0x93,0x2c,0x70,0xe1,0x24,0x50,0x34,
0xc3,0x54,0x67,0xef,0x2e,0xfd,0x4d,0x64,
0xeb,0xf8,0x19,0x68,0x34,0x67,0xe2,0xbf
}, {
0xdf,0xc9,0x42,0x5e,0x4f,0x96,0x8f,0x7f,
0x0c,0x29,0xf0,0x25,0x9c,0xf5,0xf9,0xae,
0xd6,0x85,0x1c,0x2b,0xb4,0xad,0x8b,0xfb,
0x86,0x0c,0xfe,0xe0,0xab,0x24,0x82,0x92
}};
const uint8_t ed25519_eddsa_message[][3] = {{
const uint8_t ed25519_eddsa_message[][16] = {{
0
}, {
0x72
@@ -384,6 +425,14 @@ const uint8_t ed25519_eddsa_message[][3] = {{
0xaf,0x82
}, {
0x61,0x62,0x63
}, {
0xf7,0x26,0x93,0x6d,0x19,0xc8,0x00,0x49,
0x4e,0x3f,0xda,0xff,0x20,0xb2,0x76,0xa8
}};
const uint8_t ed25519_eddsa_context[][3] = {{
0x66,0x6f,0x6f
}, {
0x62,0x61,0x72
}};
const uint8_t ed25519_eddsa_sig[][64] = {{
0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
@@ -413,50 +462,88 @@ const uint8_t ed25519_eddsa_sig[][64] = {{
0x4a,0x7c,0x15,0xe9,0x71,0x6e,0xd2,0x8d,
0xc0,0x27,0xbe,0xce,0xea,0x1e,0xc4,0x0a
}, {
0xdc,0x2a,0x44,0x59,0xe7,0x36,0x96,0x33,
0xa5,0x2b,0x1b,0xf2,0x77,0x83,0x9a,0x00,
0x20,0x10,0x09,0xa3,0xef,0xbf,0x3e,0xcb,
0x69,0xbe,0xa2,0x18,0x6c,0x26,0xb5,0x89,
0x09,0x35,0x1f,0xc9,0xac,0x90,0xb3,0xec,
0xfd,0xfb,0xc7,0xc6,0x64,0x31,0xe0,0x30,
0x3d,0xca,0x17,0x9c,0x13,0x8a,0xc1,0x7a,
0xd9,0xbe,0xf1,0x17,0x73,0x31,0xa7,0x04
0x98,0xa7,0x02,0x22,0xf0,0xb8,0x12,0x1a,
0xa9,0xd3,0x0f,0x81,0x3d,0x68,0x3f,0x80,
0x9e,0x46,0x2b,0x46,0x9c,0x7f,0xf8,0x76,
0x39,0x49,0x9b,0xb9,0x4e,0x6d,0xae,0x41,
0x31,0xf8,0x50,0x42,0x46,0x3c,0x2a,0x35,
0x5a,0x20,0x03,0xd0,0x62,0xad,0xf5,0xaa,
0xa1,0x0b,0x8c,0x61,0xe6,0x36,0x06,0x2a,
0xaa,0xd1,0x1c,0x2a,0x26,0x08,0x34,0x06
}, {
0x55,0xa4,0xcc,0x2f,0x70,0xa5,0x4e,0x04,
0x28,0x8c,0x5f,0x4c,0xd1,0xe4,0x5a,0x7b,
0xb5,0x20,0xb3,0x62,0x92,0x91,0x18,0x76,
0xca,0xda,0x73,0x23,0x19,0x8d,0xd8,0x7a,
0x8b,0x36,0x95,0x0b,0x95,0x13,0x00,0x22,
0x90,0x7a,0x7f,0xb7,0xc4,0xe9,0xb2,0xd5,
0xf6,0xcc,0xa6,0x85,0xa5,0x87,0xb4,0xb2,
0x1f,0x4b,0x88,0x8e,0x4e,0x7e,0xdb,0x0d
}, {
0xfc,0x60,0xd5,0x87,0x2f,0xc4,0x6b,0x3a,
0xa6,0x9f,0x8b,0x5b,0x43,0x51,0xd5,0x80,
0x8f,0x92,0xbc,0xc0,0x44,0x60,0x6d,0xb0,
0x97,0xab,0xab,0x6d,0xbc,0xb1,0xae,0xe3,
0x21,0x6c,0x48,0xe8,0xb3,0xb6,0x64,0x31,
0xb5,0xb1,0x86,0xd1,0xd2,0x8f,0x8e,0xe1,
0x5a,0x5c,0xa2,0xdf,0x66,0x68,0x34,0x62,
0x91,0xc2,0x04,0x3d,0x4e,0xb3,0xe9,0x0d
}};

template<> const bool Tests<IsoEd25519>::eddsa_prehashed[] = {
false,
false,
false,
true
true,
false,
false
};
template<> const Block Tests<IsoEd25519>::eddsa_sk[] = {
Block(ed25519_eddsa_sk[0],32),
Block(ed25519_eddsa_sk[1],32),
Block(ed25519_eddsa_sk[2],32),
Block(ed25519_eddsa_sk[3],32),
Block(ed25519_eddsa_sk[4],32),
Block(ed25519_eddsa_sk[4],32),
Block(NULL,0)
};
template<> const Block Tests<IsoEd25519>::eddsa_pk[] = {
Block(ed25519_eddsa_pk[0],32),
Block(ed25519_eddsa_pk[1],32),
Block(ed25519_eddsa_pk[2],32),
Block(ed25519_eddsa_pk[3],32)
Block(ed25519_eddsa_pk[3],32),
Block(ed25519_eddsa_pk[4],32),
Block(ed25519_eddsa_pk[4],32)
};
template<> const Block Tests<IsoEd25519>::eddsa_context[] = {
Block(NULL,0),
Block(NULL,0),
Block(NULL,0),
Block(NULL,0)
Block(NULL,0),
Block(ed25519_eddsa_context[0],3),
Block(ed25519_eddsa_context[1],3)
};
template<> const bool Tests<IsoEd25519>::eddsa_no_context[] = {
true,
true,
true,
false,
false,
false
};
template<> const Block Tests<IsoEd25519>::eddsa_message[] = {
Block(ed25519_eddsa_message[0],0),
Block(ed25519_eddsa_message[1],1),
Block(ed25519_eddsa_message[2],2),
Block(ed25519_eddsa_message[3],3)
Block(ed25519_eddsa_message[3],3),
Block(ed25519_eddsa_message[4],16),
Block(ed25519_eddsa_message[4],16)
};
template<> const Block Tests<IsoEd25519>::eddsa_sig[] = {
Block(ed25519_eddsa_sig[0],64),
Block(ed25519_eddsa_sig[1],64),
Block(ed25519_eddsa_sig[2],64),
Block(ed25519_eddsa_sig[3],64)
Block(ed25519_eddsa_sig[3],64),
Block(ed25519_eddsa_sig[4],64),
Block(ed25519_eddsa_sig[5],64)
};

Write Preview
Loading…
Cancel
Save