2 * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright 2015-2016 Cryptography Research, Inc.
5 * Licensed under the OpenSSL license (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
10 * Originally written by Mike Hamburg
13 #ifndef __DECAF_ED448_H__
14 # define __DECAF_ED448_H__ 1
16 # include "point_448.h"
22 /* Number of bytes in an EdDSA public key. */
23 # define DECAF_EDDSA_448_PUBLIC_BYTES 57
25 /* Number of bytes in an EdDSA private key. */
26 # define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES
28 /* Number of bytes in an EdDSA private key. */
29 # define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + \
30 DECAF_EDDSA_448_PRIVATE_BYTES)
32 /* Does EdDSA support non-contextual signatures? */
33 # define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0
35 /* EdDSA encoding ratio. */
36 # define DECAF_448_EDDSA_ENCODE_RATIO 4
38 /* EdDSA decoding ratio. */
39 # define DECAF_448_EDDSA_DECODE_RATIO (4 / 4)
42 * EdDSA key generation. This function uses a different (non-Decaf) encoding.
44 * pubkey (out): The public key.
45 * privkey (in): The private key.
47 decaf_error_t decaf_ed448_derive_public_key(
48 uint8_t pubkey [DECAF_EDDSA_448_PUBLIC_BYTES],
49 const uint8_t privkey [DECAF_EDDSA_448_PRIVATE_BYTES]);
54 * signature (out): The signature.
55 * privkey (in): The private key.
56 * pubkey (in): The public key.
57 * message (in): The message to sign.
58 * message_len (in): The length of the message.
59 * prehashed (in): Nonzero if the message is actually the hash of something
61 * context (in): A "context" for this signature of up to 255 bytes.
62 * context_len (in): Length of the context.
64 * For Ed25519, it is unsafe to use the same key for both prehashed and
65 * non-prehashed messages, at least without some very careful protocol-level
66 * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make
67 * it harder to screw this up, but this C code gives you no seat belt.
69 decaf_error_t decaf_ed448_sign(
70 uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
71 const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
72 const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
73 const uint8_t *message, size_t message_len,
74 uint8_t prehashed, const uint8_t *context,
76 __attribute__ ((nonnull(1, 2, 3)));
79 * EdDSA signing with prehash.
81 * signature (out): The signature.
82 * privkey (in): The private key.
83 * pubkey (in): The public key.
84 * hash (in): The hash of the message. This object will not be modified by the
86 * context (in): A "context" for this signature of up to 255 bytes. Must be the
87 * same as what was used for the prehash.
88 * context_len (in): Length of the context.
90 * For Ed25519, it is unsafe to use the same key for both prehashed and
91 * non-prehashed messages, at least without some very careful protocol-level
92 * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make
93 * it harder to screw this up, but this C code gives you no seat belt.
95 decaf_error_t decaf_ed448_sign_prehash(
96 uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
97 const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
98 const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
99 const uint8_t hash[64],
100 const uint8_t *context,
102 __attribute__ ((nonnull(1, 2, 3, 4)));
105 * EdDSA signature verification.
107 * Uses the standard (i.e. less-strict) verification formula.
109 * signature (in): The signature.
110 * pubkey (in): The public key.
111 * message (in): The message to verify.
112 * message_len (in): The length of the message.
113 * prehashed (in): Nonzero if the message is actually the hash of something you
115 * context (in): A "context" for this signature of up to 255 bytes.
116 * context_len (in): Length of the context.
118 * For Ed25519, it is unsafe to use the same key for both prehashed and
119 * non-prehashed messages, at least without some very careful protocol-level
120 * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make
121 * it harder to screw this up, but this C code gives you no seat belt.
123 decaf_error_t decaf_ed448_verify(const uint8_t
124 signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
126 pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
127 const uint8_t *message, size_t message_len,
128 uint8_t prehashed, const uint8_t *context,
130 __attribute__ ((nonnull(1, 2)));
133 * EdDSA signature verification.
135 * Uses the standard (i.e. less-strict) verification formula.
137 * signature (in): The signature.
138 * pubkey (in): The public key.
139 * hash (in): The hash of the message. This object will not be modified by the
141 * context (in): A "context" for this signature of up to 255 bytes. Must be the
142 * same as what was used for the prehash.
143 * context_len (in): Length of the context.
145 * For Ed25519, it is unsafe to use the same key for both prehashed and
146 * non-prehashed messages, at least without some very careful protocol-level
147 * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make
148 * it harder to screw this up, but this C code gives you no seat belt.
150 decaf_error_t decaf_ed448_verify_prehash(
151 const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
152 const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
153 const uint8_t hash[64],
154 const uint8_t *context,
156 __attribute__ ((nonnull(1, 2)));
159 * EdDSA point encoding. Used internally, exposed externally.
160 * Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first.
162 * The multiplication is required because the EdDSA encoding represents
163 * the cofactor information, but the Decaf encoding ignores it (which
164 * is the whole point). So if you decode from EdDSA and re-encode to
165 * EdDSA, the cofactor info must get cleared, because the intermediate
166 * representation doesn't track it.
168 * The way libdecaf handles this is to multiply by
169 * DECAF_448_EDDSA_DECODE_RATIO when decoding, and by
170 * DECAF_448_EDDSA_ENCODE_RATIO when encoding. The product of these
171 * ratios is always exactly the cofactor 4, so the cofactor
172 * ends up cleared one way or another. But exactly how that shakes
173 * out depends on the base points specified in RFC 8032.
175 * The upshot is that if you pass the Decaf/Ristretto base point to
176 * this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the
179 * enc (out): The encoded point.
182 void curve448_point_mul_by_ratio_and_encode_like_eddsa(
183 uint8_t enc [DECAF_EDDSA_448_PUBLIC_BYTES],
184 const curve448_point_t p);
187 * EdDSA point decoding. Multiplies by DECAF_448_EDDSA_DECODE_RATIO, and
188 * ignores cofactor information.
190 * See notes on curve448_point_mul_by_ratio_and_encode_like_eddsa
192 * enc (out): The encoded point.
195 decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio(
197 const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]);
200 * EdDSA to ECDH public key conversion
201 * Deserialize the point to get y on Edwards curve,
202 * Convert it to u coordinate on Montgomery curve.
204 * This function does not check that the public key being converted is a valid
205 * EdDSA public key (FUTURE?)
207 * x (out): The ECDH public key as in RFC7748(point on Montgomery curve)
208 * ed (in): The EdDSA public key(point on Edwards curve)
210 void decaf_ed448_convert_public_key_to_x448(
211 uint8_t x[DECAF_X448_PUBLIC_BYTES],
212 const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES]);
215 * EdDSA to ECDH private key conversion
216 * Using the appropriate hash function, hash the EdDSA private key
217 * and keep only the lower bytes to get the ECDH private key
219 * x (out): The ECDH private key as in RFC7748
220 * ed (in): The EdDSA private key
222 decaf_error_t decaf_ed448_convert_private_key_to_x448(
223 uint8_t x[DECAF_X448_PRIVATE_BYTES],
224 const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]);
230 #endif /* __DECAF_ED448_H__ */