X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fec%2Fcurve448%2Fed448.h;h=8cb2a4b790e038ddc67dd3305faed9930794cfba;hp=915908270b75be5ff3425e764d906c7bd832b30c;hb=bce310816138f2fbd3f34450a48136132d968e58;hpb=a242839f75846b9bfa87774a85090651d2ec17c6 diff --git a/crypto/ec/curve448/ed448.h b/crypto/ec/curve448/ed448.h index 915908270b..8cb2a4b790 100644 --- a/crypto/ec/curve448/ed448.h +++ b/crypto/ec/curve448/ed448.h @@ -1,179 +1,156 @@ -/** - * @file decaf/ed448.h - * @author Mike Hamburg +/* + * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2016 Cryptography Research, Inc. * - * @copyright - * Copyright (c) 2015-2016 Cryptography Research, Inc. \n - * Released under the MIT License. See LICENSE.txt for license information. + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html * - * @brief A group of prime order p, based on Ed448-Goldilocks. - * - * @warning This file was automatically generated in Python. - * Please do not edit it. + * Originally written by Mike Hamburg */ -#ifndef __DECAF_ED448_H__ -#define __DECAF_ED448_H__ 1 +#ifndef __C448_ED448_H__ +# define __C448_ED448_H__ 1 -#include "point_448.h" -#include "shake.h" +# include "point_448.h" #ifdef __cplusplus extern "C" { #endif -/** Number of bytes in an EdDSA public key. */ -#define DECAF_EDDSA_448_PUBLIC_BYTES 57 - -/** Number of bytes in an EdDSA private key. */ -#define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES - -/** Number of bytes in an EdDSA private key. */ -#define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + DECAF_EDDSA_448_PRIVATE_BYTES) - -/** Does EdDSA support non-contextual signatures? */ -#define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0 - -/** Prehash context renaming macros. */ -#define decaf_ed448_prehash_ctx_s decaf_shake256_ctx_s -#define decaf_ed448_prehash_ctx_t decaf_shake256_ctx_t -#define decaf_ed448_prehash_update decaf_shake256_update -#define decaf_ed448_prehash_destroy decaf_shake256_destroy - -/** EdDSA encoding ratio. */ -#define DECAF_448_EDDSA_ENCODE_RATIO 4 - -/** EdDSA decoding ratio. */ -#define DECAF_448_EDDSA_DECODE_RATIO (4 / 4) - -/** - * @brief EdDSA key generation. This function uses a different (non-Decaf) - * encoding. - * - * @param [out] pubkey The public key. - * @param [in] privkey The private key. - */ -decaf_error_t decaf_ed448_derive_public_key ( - uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES] -); - -/** - * @brief EdDSA signing. - * - * @param [out] signature The signature. - * @param [in] privkey The private key. - * @param [in] pubkey The public key. - * @param [in] message The message to sign. - * @param [in] message_len The length of the message. - * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign. - * @param [in] context A "context" for this signature of up to 255 bytes. - * @param [in] context_len Length of the context. - * - * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed - * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is - * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives - * you no seat belt. - */ -decaf_error_t decaf_ed448_sign ( - uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t *message, - size_t message_len, - uint8_t prehashed, - const uint8_t *context, - size_t context_len -) __attribute__((nonnull(1,2,3))); - -/** - * @brief EdDSA signing with prehash. - * - * @param [out] signature The signature. - * @param [in] privkey The private key. - * @param [in] pubkey The public key. - * @param [in] hash The hash of the message. This object will not be modified by the call. - * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash. - * @param [in] context_len Length of the context. - * - * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed - * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is - * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives - * you no seat belt. - */ -decaf_error_t decaf_ed448_sign_prehash ( - uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t hash[64], - const uint8_t *context, - size_t context_len -) __attribute__((nonnull(1,2,3,4))); - -/** - * @brief Prehash initialization, with contexts if supported. - * - * @param [out] hash The hash object to be initialized. +/* Number of bytes in an EdDSA public key. */ +# define EDDSA_448_PUBLIC_BYTES 57 + +/* Number of bytes in an EdDSA private key. */ +# define EDDSA_448_PRIVATE_BYTES EDDSA_448_PUBLIC_BYTES + +/* Number of bytes in an EdDSA private key. */ +# define EDDSA_448_SIGNATURE_BYTES (EDDSA_448_PUBLIC_BYTES + \ + EDDSA_448_PRIVATE_BYTES) + +/* EdDSA encoding ratio. */ +# define C448_EDDSA_ENCODE_RATIO 4 + +/* EdDSA decoding ratio. */ +# define C448_EDDSA_DECODE_RATIO (4 / 4) + +/* + * EdDSA key generation. This function uses a different (non-Decaf) encoding. + * + * pubkey (out): The public key. + * privkey (in): The private key. + */ +c448_error_t c448_ed448_derive_public_key( + uint8_t pubkey [EDDSA_448_PUBLIC_BYTES], + const uint8_t privkey [EDDSA_448_PRIVATE_BYTES]); + +/* + * EdDSA signing. + * + * signature (out): The signature. + * privkey (in): The private key. + * pubkey (in): The public key. + * message (in): The message to sign. + * message_len (in): The length of the message. + * prehashed (in): Nonzero if the message is actually the hash of something + * you want to sign. + * context (in): A "context" for this signature of up to 255 bytes. + * context_len (in): Length of the context. + * + * For Ed25519, it is unsafe to use the same key for both prehashed and + * non-prehashed messages, at least without some very careful protocol-level + * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make + * it harder to screw this up, but this C code gives you no seat belt. */ -void decaf_ed448_prehash_init ( - decaf_ed448_prehash_ctx_t hash -) __attribute__((nonnull(1))); +c448_error_t c448_ed448_sign( + uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], + const uint8_t *message, size_t message_len, + uint8_t prehashed, const uint8_t *context, + size_t context_len); + +/* + * EdDSA signing with prehash. + * + * signature (out): The signature. + * privkey (in): The private key. + * pubkey (in): The public key. + * hash (in): The hash of the message. This object will not be modified by the + * call. + * context (in): A "context" for this signature of up to 255 bytes. Must be the + * same as what was used for the prehash. + * context_len (in): Length of the context. + * + * For Ed25519, it is unsafe to use the same key for both prehashed and + * non-prehashed messages, at least without some very careful protocol-level + * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make + * it harder to screw this up, but this C code gives you no seat belt. + */ +c448_error_t c448_ed448_sign_prehash( + uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], + const uint8_t hash[64], + const uint8_t *context, + size_t context_len); -/** - * @brief EdDSA signature verification. +/* + * EdDSA signature verification. * * Uses the standard (i.e. less-strict) verification formula. * - * @param [in] signature The signature. - * @param [in] pubkey The public key. - * @param [in] message The message to verify. - * @param [in] message_len The length of the message. - * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify. - * @param [in] context A "context" for this signature of up to 255 bytes. - * @param [in] context_len Length of the context. - * - * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed - * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is - * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives - * you no seat belt. + * signature (in): The signature. + * pubkey (in): The public key. + * message (in): The message to verify. + * message_len (in): The length of the message. + * prehashed (in): Nonzero if the message is actually the hash of something you + * want to verify. + * context (in): A "context" for this signature of up to 255 bytes. + * context_len (in): Length of the context. + * + * For Ed25519, it is unsafe to use the same key for both prehashed and + * non-prehashed messages, at least without some very careful protocol-level + * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make + * it harder to screw this up, but this C code gives you no seat belt. */ -decaf_error_t decaf_ed448_verify ( - const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t *message, - size_t message_len, - uint8_t prehashed, - const uint8_t *context, - uint8_t context_len -) __attribute__((nonnull(1,2))); - -/** - * @brief EdDSA signature verification. +c448_error_t c448_ed448_verify(const uint8_t + signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t + pubkey[EDDSA_448_PUBLIC_BYTES], + const uint8_t *message, size_t message_len, + uint8_t prehashed, const uint8_t *context, + uint8_t context_len); + +/* + * EdDSA signature verification. * * Uses the standard (i.e. less-strict) verification formula. * - * @param [in] signature The signature. - * @param [in] pubkey The public key. - * @param [in] hash The hash of the message. This object will not be modified by the call. - * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash. - * @param [in] context_len Length of the context. - * - * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed - * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is - * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives - * you no seat belt. + * signature (in): The signature. + * pubkey (in): The public key. + * hash (in): The hash of the message. This object will not be modified by the + * call. + * context (in): A "context" for this signature of up to 255 bytes. Must be the + * same as what was used for the prehash. + * context_len (in): Length of the context. + * + * For Ed25519, it is unsafe to use the same key for both prehashed and + * non-prehashed messages, at least without some very careful protocol-level + * disambiguation. For Ed448 it is safe. The C++ wrapper is designed to make + * it harder to screw this up, but this C code gives you no seat belt. */ -decaf_error_t decaf_ed448_verify_prehash ( - const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t hash[64], - const uint8_t *context, - uint8_t context_len -) __attribute__((nonnull(1,2))); - -/** - * @brief EdDSA point encoding. Used internally, exposed externally. - * Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first. +c448_error_t c448_ed448_verify_prehash( + const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], + const uint8_t hash[64], + const uint8_t *context, + uint8_t context_len); + +/* + * EdDSA point encoding. Used internally, exposed externally. + * Multiplies by C448_EDDSA_ENCODE_RATIO first. * * The multiplication is required because the EdDSA encoding represents * the cofactor information, but the Decaf encoding ignores it (which @@ -181,70 +158,50 @@ decaf_error_t decaf_ed448_verify_prehash ( * EdDSA, the cofactor info must get cleared, because the intermediate * representation doesn't track it. * - * The way libdecaf handles this is to multiply by - * DECAF_448_EDDSA_DECODE_RATIO when decoding, and by - * DECAF_448_EDDSA_ENCODE_RATIO when encoding. The product of these - * ratios is always exactly the cofactor 4, so the cofactor - * ends up cleared one way or another. But exactly how that shakes - * out depends on the base points specified in RFC 8032. + * The way we handle this is to multiply by C448_EDDSA_DECODE_RATIO when + * decoding, and by C448_EDDSA_ENCODE_RATIO when encoding. The product of + * these ratios is always exactly the cofactor 4, so the cofactor ends up + * cleared one way or another. But exactly how that shakes out depends on the + * base points specified in RFC 8032. * * The upshot is that if you pass the Decaf/Ristretto base point to - * this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the + * this function, you will get C448_EDDSA_ENCODE_RATIO times the * EdDSA base point. * - * @param [out] enc The encoded point. - * @param [in] p The point. - */ -void curve448_point_mul_by_ratio_and_encode_like_eddsa ( - uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES], - const curve448_point_t p -); + * enc (out): The encoded point. + * p (in): The point. + */ +void curve448_point_mul_by_ratio_and_encode_like_eddsa( + uint8_t enc [EDDSA_448_PUBLIC_BYTES], + const curve448_point_t p); -/** - * @brief EdDSA point decoding. Multiplies by DECAF_448_EDDSA_DECODE_RATIO, - * and ignores cofactor information. +/* + * EdDSA point decoding. Multiplies by C448_EDDSA_DECODE_RATIO, and + * ignores cofactor information. * * See notes on curve448_point_mul_by_ratio_and_encode_like_eddsa * - * @param [out] enc The encoded point. - * @param [in] p The point. - */ -decaf_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio ( - curve448_point_t p, - const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES] -); - -/** - * @brief EdDSA to ECDH public key conversion - * Deserialize the point to get y on Edwards curve, - * Convert it to u coordinate on Montgomery curve. - * - * @warning This function does not check that the public key being converted - * is a valid EdDSA public key (FUTURE?) - * - * @param[out] x The ECDH public key as in RFC7748(point on Montgomery curve) - * @param[in] ed The EdDSA public key(point on Edwards curve) + * enc (out): The encoded point. + * p (in): The point. */ -void decaf_ed448_convert_public_key_to_x448 ( - uint8_t x[DECAF_X448_PUBLIC_BYTES], - const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES] -); +c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( + curve448_point_t p, + const uint8_t enc[EDDSA_448_PUBLIC_BYTES]); -/** - * @brief EdDSA to ECDH private key conversion +/* + * EdDSA to ECDH private key conversion * Using the appropriate hash function, hash the EdDSA private key * and keep only the lower bytes to get the ECDH private key * - * @param[out] x The ECDH private key as in RFC7748 - * @param[in] ed The EdDSA private key + * x (out): The ECDH private key as in RFC7748 + * ed (in): The EdDSA private key */ -decaf_error_t decaf_ed448_convert_private_key_to_x448 ( - uint8_t x[DECAF_X448_PRIVATE_BYTES], - const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES] -); +c448_error_t c448_ed448_convert_private_key_to_x448( + uint8_t x[X448_PRIVATE_BYTES], + const uint8_t ed[EDDSA_448_PRIVATE_BYTES]); #ifdef __cplusplus } /* extern "C" */ #endif -#endif /* __DECAF_ED448_H__ */ +#endif /* __C448_ED448_H__ */