[thirdparty/openssl.git] / crypto / ec / curve448 / eddsa.c

/*
 * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2015-2016 Cryptography Research, Inc.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * Originally written by Mike Hamburg
 */
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include "curve448_local.h"
#include "word.h"
#include "ed448.h"
#include "internal/numbers.h"

#define COFACTOR 4

static c448_error_t oneshot_hash(OPENSSL_CTX *ctx, uint8_t *out, size_t outlen,
                                 const uint8_t *in, size_t inlen)
{
    EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
    EVP_MD *shake256 = NULL;
    c448_error_t ret = C448_FAILURE;

    if (hashctx == NULL)
        return C448_FAILURE;

    shake256 = EVP_MD_fetch(ctx, "SHAKE256", NULL);
    if (shake256 == NULL)
        goto err;

    if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
            || !EVP_DigestUpdate(hashctx, in, inlen)
            || !EVP_DigestFinalXOF(hashctx, out, outlen))
        goto err;

    ret = C448_SUCCESS;
 err:
    EVP_MD_CTX_free(hashctx);
    EVP_MD_free(shake256);
    return ret;
}

static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
{
    secret_scalar_ser[0] &= -COFACTOR;
    secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
    secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
}

static c448_error_t hash_init_with_dom(OPENSSL_CTX *ctx, EVP_MD_CTX *hashctx,
                                       uint8_t prehashed,
                                       uint8_t for_prehash,
                                       const uint8_t *context,
                                       size_t context_len)
{
    const char *dom_s = "SigEd448";
    uint8_t dom[2];
    EVP_MD *shake256 = NULL;

    if (context_len > UINT8_MAX)
        return C448_FAILURE;

    dom[0] = (uint8_t)(2 - (prehashed == 0 ? 1 : 0)
                       - (for_prehash == 0 ? 1 : 0));
    dom[1] = (uint8_t)context_len;

    shake256 = EVP_MD_fetch(ctx, "SHAKE256", NULL);
    if (shake256 == NULL)
        return C448_FAILURE;

    if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
            || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
            || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
            || !EVP_DigestUpdate(hashctx, context, context_len)) {
        EVP_MD_free(shake256);
        return C448_FAILURE;
    }

    EVP_MD_free(shake256);
    return C448_SUCCESS;
}

/* In this file because it uses the hash */
c448_error_t c448_ed448_convert_private_key_to_x448(
                            OPENSSL_CTX *ctx,
                            uint8_t x[X448_PRIVATE_BYTES],
                            const uint8_t ed [EDDSA_448_PRIVATE_BYTES])
{
    /* pass the private key through oneshot_hash function */
    /* and keep the first X448_PRIVATE_BYTES bytes */
    return oneshot_hash(ctx, x, X448_PRIVATE_BYTES, ed,
                        EDDSA_448_PRIVATE_BYTES);
}

c448_error_t c448_ed448_derive_public_key(
                        OPENSSL_CTX *ctx,
                        uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES])
{
    /* only this much used for keygen */
    uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
    curve448_scalar_t secret_scalar;
    unsigned int c;
    curve448_point_t p;

    if (!oneshot_hash(ctx, secret_scalar_ser, sizeof(secret_scalar_ser),
                      privkey,
                      EDDSA_448_PRIVATE_BYTES))
        return C448_FAILURE;

    clamp(secret_scalar_ser);

    curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
                                sizeof(secret_scalar_ser));

    /*
     * Since we are going to mul_by_cofactor during encoding, divide by it
     * here. However, the EdDSA base point is not the same as the decaf base
     * point if the sigma isogeny is in use: the EdDSA base point is on
     * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
     * converted it effectively picks up a factor of 2 from the isogenies.  So
     * we might start at 2 instead of 1.
     */
    for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
        curve448_scalar_halve(secret_scalar, secret_scalar);

    curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);

    curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);

    /* Cleanup */
    curve448_scalar_destroy(secret_scalar);
    curve448_point_destroy(p);
    OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));

    return C448_SUCCESS;
}

c448_error_t c448_ed448_sign(
                        OPENSSL_CTX *ctx,
                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                        const uint8_t *message, size_t message_len,
                        uint8_t prehashed, const uint8_t *context,
                        size_t context_len)
{
    curve448_scalar_t secret_scalar;
    EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
    c448_error_t ret = C448_FAILURE;
    curve448_scalar_t nonce_scalar;
    uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
    unsigned int c;
    curve448_scalar_t challenge_scalar;

    if (hashctx == NULL)
        return C448_FAILURE;

    {
        /*
         * Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialised
         * secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
         */
        uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2];

        if (!oneshot_hash(ctx, expanded, sizeof(expanded), privkey,
                          EDDSA_448_PRIVATE_BYTES))
            goto err;
        clamp(expanded);
        curve448_scalar_decode_long(secret_scalar, expanded,
                                    EDDSA_448_PRIVATE_BYTES);

        /* Hash to create the nonce */
        if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
                                context_len)
                || !EVP_DigestUpdate(hashctx,
                                     expanded + EDDSA_448_PRIVATE_BYTES,
                                     EDDSA_448_PRIVATE_BYTES)
                || !EVP_DigestUpdate(hashctx, message, message_len)) {
            OPENSSL_cleanse(expanded, sizeof(expanded));
            goto err;
        }
        OPENSSL_cleanse(expanded, sizeof(expanded));
    }

    /* Decode the nonce */
    {
        uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];

        if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
            goto err;
        curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
        OPENSSL_cleanse(nonce, sizeof(nonce));
    }

    {
        /* Scalarmul to create the nonce-point */
        curve448_scalar_t nonce_scalar_2;
        curve448_point_t p;

        curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
        for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
            curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);

        curve448_precomputed_scalarmul(p, curve448_precomputed_base,
                                       nonce_scalar_2);
        curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
        curve448_point_destroy(p);
        curve448_scalar_destroy(nonce_scalar_2);
    }

    {
        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];

        /* Compute the challenge */
        if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context, context_len)
                || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
                || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
                || !EVP_DigestUpdate(hashctx, message, message_len)
                || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
            goto err;

        curve448_scalar_decode_long(challenge_scalar, challenge,
                                    sizeof(challenge));
        OPENSSL_cleanse(challenge, sizeof(challenge));
    }

    curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
    curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);

    OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
    memcpy(signature, nonce_point, sizeof(nonce_point));
    curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
                           challenge_scalar);

    curve448_scalar_destroy(secret_scalar);
    curve448_scalar_destroy(nonce_scalar);
    curve448_scalar_destroy(challenge_scalar);

    ret = C448_SUCCESS;
 err:
    EVP_MD_CTX_free(hashctx);
    return ret;
}

c448_error_t c448_ed448_sign_prehash(
                        OPENSSL_CTX *ctx,
                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                        const uint8_t hash[64], const uint8_t *context,
                        size_t context_len)
{
    return c448_ed448_sign(ctx, signature, privkey, pubkey, hash, 64, 1,
                           context, context_len);
}

c448_error_t c448_ed448_verify(
                    OPENSSL_CTX *ctx,
                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                    const uint8_t *message, size_t message_len,
                    uint8_t prehashed, const uint8_t *context,
                    uint8_t context_len)
{
    curve448_point_t pk_point, r_point;
    c448_error_t error;
    curve448_scalar_t challenge_scalar;
    curve448_scalar_t response_scalar;
    /* Order in little endian format */
    static const uint8_t order[] = {
        0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
        0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
        0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
    };
    int i;

    /*
     * Check that s (second 57 bytes of the sig) is less than the order. Both
     * s and the order are in little-endian format. This can be done in
     * variable time, since if this is not the case the signature if publicly
     * invalid.
     */
    for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
        if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
            return C448_FAILURE;
        if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
            break;
    }
    if (i < 0)
        return C448_FAILURE;

    error =
        curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);

    if (C448_SUCCESS != error)
        return error;

    error =
        curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
    if (C448_SUCCESS != error)
        return error;

    {
        /* Compute the challenge */
        EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];

        if (hashctx == NULL
                || !hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
                                       context_len)
                || !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES)
                || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
                || !EVP_DigestUpdate(hashctx, message, message_len)
                || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
            EVP_MD_CTX_free(hashctx);
            return C448_FAILURE;
        }

        EVP_MD_CTX_free(hashctx);
        curve448_scalar_decode_long(challenge_scalar, challenge,
                                    sizeof(challenge));
        OPENSSL_cleanse(challenge, sizeof(challenge));
    }
    curve448_scalar_sub(challenge_scalar, curve448_scalar_zero,
                        challenge_scalar);

    curve448_scalar_decode_long(response_scalar,
                                &signature[EDDSA_448_PUBLIC_BYTES],
                                EDDSA_448_PRIVATE_BYTES);

    /* pk_point = -c(x(P)) + (cx + k)G = kG */
    curve448_base_double_scalarmul_non_secret(pk_point,
                                              response_scalar,
                                              pk_point, challenge_scalar);
    return c448_succeed_if(curve448_point_eq(pk_point, r_point));
}

c448_error_t c448_ed448_verify_prehash(
                    OPENSSL_CTX *ctx,
                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                    const uint8_t hash[64], const uint8_t *context,
                    uint8_t context_len)
{
    return c448_ed448_verify(ctx, signature, pubkey, hash, 64, 1, context,
                             context_len);
}

int ED448_sign(OPENSSL_CTX *ctx, uint8_t *out_sig, const uint8_t *message,
               size_t message_len, const uint8_t public_key[57],
               const uint8_t private_key[57], const uint8_t *context,
               size_t context_len)
{
    return c448_ed448_sign(ctx, out_sig, private_key, public_key, message,
                           message_len, 0, context, context_len)
        == C448_SUCCESS;
}

int ED448_verify(OPENSSL_CTX *ctx, const uint8_t *message, size_t message_len,
                 const uint8_t signature[114], const uint8_t public_key[57],
                 const uint8_t *context, size_t context_len)
{
    return c448_ed448_verify(ctx, signature, public_key, message, message_len,
                             0, context, (uint8_t)context_len) == C448_SUCCESS;
}

int ED448ph_sign(OPENSSL_CTX *ctx, uint8_t *out_sig, const uint8_t hash[64],
                 const uint8_t public_key[57], const uint8_t private_key[57],
                 const uint8_t *context, size_t context_len)
{
    return c448_ed448_sign_prehash(ctx, out_sig, private_key, public_key, hash,
                                   context, context_len) == C448_SUCCESS;

}

int ED448ph_verify(OPENSSL_CTX *ctx, const uint8_t hash[64],
                   const uint8_t signature[114], const uint8_t public_key[57],
                   const uint8_t *context, size_t context_len)
{
    return c448_ed448_verify_prehash(ctx, signature, public_key, hash, context,
                                     (uint8_t)context_len) == C448_SUCCESS;
}

int ED448_public_from_private(OPENSSL_CTX *ctx, uint8_t out_public_key[57],
                              const uint8_t private_key[57])
{
    return c448_ed448_derive_public_key(ctx, out_public_key, private_key)
        == C448_SUCCESS;
}
Commit	Line	Data
1308e022	1	/*
f53c7764	2	* Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
1308e022	3	* Copyright 2015-2016 Cryptography Research, Inc.
7324473f	4	*
a7f182b7	5	* Licensed under the Apache License 2.0 (the "License"). You may not use
1308e022 MC	6	* this file except in compliance with the License. You can obtain a copy
	7	* in the file LICENSE in the source distribution or at
	8	* https://www.openssl.org/source/license.html
7324473f	9	*
1308e022	10	* Originally written by Mike Hamburg
7324473f	11	*/
53ef3252	12	#include <string.h>
b6e388ba	13	#include <openssl/crypto.h>
a242839f	14	#include <openssl/evp.h>
706457b7	15	#include "curve448_local.h"
7324473f	16	#include "word.h"
a2039c87	17	#include "ed448.h"
a242839f	18	#include "internal/numbers.h"
7324473f	19
7324473f	20	#define COFACTOR 4
7324473f	21
a9612d6c	22	static c448_error_t oneshot_hash(OPENSSL_CTX ctx, uint8_t out, size_t outlen,
aeeef83c	23	const uint8_t *in, size_t inlen)
a242839f MC	24	{
a242839f MC	25	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
a9612d6c MC	26	EVP_MD *shake256 = NULL;
a9612d6c MC	27	c448_error_t ret = C448_FAILURE;
a242839f MC	28
a242839f MC	29	if (hashctx == NULL)
aeeef83c	30	return C448_FAILURE;
a242839f	31
a9612d6c MC	32	shake256 = EVP_MD_fetch(ctx, "SHAKE256", NULL);
	33	if (shake256 == NULL)
	34	goto err;
	35
	36	if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
04ebd4e1	37	\|\| !EVP_DigestUpdate(hashctx, in, inlen)
a9612d6c MC	38	\|\| !EVP_DigestFinalXOF(hashctx, out, outlen))
a9612d6c MC	39	goto err;
a242839f	40
a9612d6c MC	41	ret = C448_SUCCESS;
a9612d6c MC	42	err:
a242839f	43	EVP_MD_CTX_free(hashctx);
3fd70262	44	EVP_MD_free(shake256);
a9612d6c	45	return ret;
a242839f MC	46	}
a242839f MC	47
db90b274	48	static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
205fd638	49	{
7324473f	50	secret_scalar_ser[0] &= -COFACTOR;
9c9d6ff4 MC	51	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
9c9d6ff4 MC	52	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] \|= 0x80;
7324473f MC	53	}
7324473f MC	54
a9612d6c MC	55	static c448_error_t hash_init_with_dom(OPENSSL_CTX ctx, EVP_MD_CTX hashctx,
a9612d6c MC	56	uint8_t prehashed,
aeeef83c MC	57	uint8_t for_prehash,
	58	const uint8_t *context,
	59	size_t context_len)
205fd638	60	{
a242839f	61	const char *dom_s = "SigEd448";
094c071c	62	uint8_t dom[2];
a9612d6c	63	EVP_MD *shake256 = NULL;
094c071c	64
a242839f	65	if (context_len > UINT8_MAX)
aeeef83c	66	return C448_FAILURE;
7324473f	67
a7232276 MC	68	dom[0] = (uint8_t)(2 - (prehashed == 0 ? 1 : 0)
a7232276 MC	69	- (for_prehash == 0 ? 1 : 0));
53ef3252 MC	70	dom[1] = (uint8_t)context_len;
53ef3252 MC	71
a9612d6c MC	72	shake256 = EVP_MD_fetch(ctx, "SHAKE256", NULL);
	73	if (shake256 == NULL)
	74	return C448_FAILURE;
	75
	76	if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
04ebd4e1 MC	77	\|\| !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
04ebd4e1 MC	78	\|\| !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
a9612d6c	79	\|\| !EVP_DigestUpdate(hashctx, context, context_len)) {
3fd70262	80	EVP_MD_free(shake256);
aeeef83c	81	return C448_FAILURE;
a9612d6c	82	}
a242839f	83
3fd70262	84	EVP_MD_free(shake256);
aeeef83c	85	return C448_SUCCESS;
7324473f MC	86	}
7324473f MC	87
7324473f	88	/* In this file because it uses the hash */
aeeef83c	89	c448_error_t c448_ed448_convert_private_key_to_x448(
a9612d6c	90	OPENSSL_CTX *ctx,
db90b274 MC	91	uint8_t x[X448_PRIVATE_BYTES],
db90b274 MC	92	const uint8_t ed [EDDSA_448_PRIVATE_BYTES])
205fd638	93	{
a242839f	94	/* pass the private key through oneshot_hash function */
db90b274	95	/* and keep the first X448_PRIVATE_BYTES bytes */
a9612d6c	96	return oneshot_hash(ctx, x, X448_PRIVATE_BYTES, ed,
db90b274	97	EDDSA_448_PRIVATE_BYTES);
7324473f	98	}
205fd638	99
aeeef83c	100	c448_error_t c448_ed448_derive_public_key(
a9612d6c	101	OPENSSL_CTX *ctx,
db90b274 MC	102	uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
db90b274 MC	103	const uint8_t privkey[EDDSA_448_PRIVATE_BYTES])
205fd638	104	{
7324473f	105	/* only this much used for keygen */
db90b274	106	uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
094c071c MC	107	curve448_scalar_t secret_scalar;
	108	unsigned int c;
	109	curve448_point_t p;
	110
a9612d6c MC	111	if (!oneshot_hash(ctx, secret_scalar_ser, sizeof(secret_scalar_ser),
a9612d6c MC	112	privkey,
db90b274	113	EDDSA_448_PRIVATE_BYTES))
aeeef83c	114	return C448_FAILURE;
8d55f844	115
7324473f	116	clamp(secret_scalar_ser);
094c071c	117
205fd638 MC	118	curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
	119	sizeof(secret_scalar_ser));
	120
	121	/*
	122	* Since we are going to mul_by_cofactor during encoding, divide by it
	123	* here. However, the EdDSA base point is not the same as the decaf base
	124	* point if the sigma isogeny is in use: the EdDSA base point is on
	125	* Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
	126	* converted it effectively picks up a factor of 2 from the isogenies. So
	127	* we might start at 2 instead of 1.
7324473f	128	*/
db90b274	129	for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
205fd638	130	curve448_scalar_halve(secret_scalar, secret_scalar);
205fd638 MC	131
	132	curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);
	133
e7772577	134	curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
205fd638	135
7324473f	136	/* Cleanup */
e7772577 MC	137	curve448_scalar_destroy(secret_scalar);
e7772577 MC	138	curve448_point_destroy(p);
b6e388ba	139	OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
a242839f	140
aeeef83c	141	return C448_SUCCESS;
7324473f MC	142	}
7324473f MC	143
aeeef83c	144	c448_error_t c448_ed448_sign(
a9612d6c	145	OPENSSL_CTX *ctx,
db90b274 MC	146	uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
	147	const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
	148	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
8d55f844 MC	149	const uint8_t *message, size_t message_len,
	150	uint8_t prehashed, const uint8_t *context,
	151	size_t context_len)
205fd638	152	{
e7772577	153	curve448_scalar_t secret_scalar;
a242839f	154	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
aeeef83c	155	c448_error_t ret = C448_FAILURE;
094c071c	156	curve448_scalar_t nonce_scalar;
db90b274	157	uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
094c071c MC	158	unsigned int c;
094c071c MC	159	curve448_scalar_t challenge_scalar;
a242839f MC	160
a242839f MC	161	if (hashctx == NULL)
aeeef83c	162	return C448_FAILURE;
a242839f	163
7324473f	164	{
52a9587c MC	165	/*
	166	* Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialised
	167	* secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
	168	*/
	169	uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2];
a242839f	170
a9612d6c	171	if (!oneshot_hash(ctx, expanded, sizeof(expanded), privkey,
db90b274	172	EDDSA_448_PRIVATE_BYTES))
a242839f	173	goto err;
52a9587c MC	174	clamp(expanded);
	175	curve448_scalar_decode_long(secret_scalar, expanded,
	176	EDDSA_448_PRIVATE_BYTES);
205fd638	177
7324473f	178	/* Hash to create the nonce */
a9612d6c MC	179	if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
a9612d6c MC	180	context_len)
04ebd4e1 MC	181	\|\| !EVP_DigestUpdate(hashctx,
	182	expanded + EDDSA_448_PRIVATE_BYTES,
	183	EDDSA_448_PRIVATE_BYTES)
28c5b7d4	184	\|\| !EVP_DigestUpdate(hashctx, message, message_len)) {
68b20c00	185	OPENSSL_cleanse(expanded, sizeof(expanded));
a242839f MC	186	goto err;
a242839f MC	187	}
52a9587c	188	OPENSSL_cleanse(expanded, sizeof(expanded));
7324473f	189	}
205fd638	190
7324473f	191	/* Decode the nonce */
7324473f	192	{
db90b274	193	uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];
a242839f MC	194
	195	if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
	196	goto err;
e7772577	197	curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
b6e388ba	198	OPENSSL_cleanse(nonce, sizeof(nonce));
7324473f	199	}
094c071c	200
7324473f MC	201	{
7324473f MC	202	/* Scalarmul to create the nonce-point */
e7772577	203	curve448_scalar_t nonce_scalar_2;
094c071c MC	204	curve448_point_t p;
094c071c MC	205
205fd638	206	curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
68b20c00	207	for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
205fd638	208	curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
094c071c	209
205fd638 MC	210	curve448_precomputed_scalarmul(p, curve448_precomputed_base,
205fd638 MC	211	nonce_scalar_2);
e7772577 MC	212	curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
	213	curve448_point_destroy(p);
	214	curve448_scalar_destroy(nonce_scalar_2);
7324473f	215	}
094c071c	216
7324473f	217	{
db90b274	218	uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
a242839f MC	219
a242839f MC	220	/* Compute the challenge */
a9612d6c	221	if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context, context_len)
68b20c00 MC	222	\|\| !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
68b20c00 MC	223	\|\| !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
28c5b7d4	224	\|\| !EVP_DigestUpdate(hashctx, message, message_len)
68b20c00	225	\|\| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
a242839f MC	226	goto err;
a242839f MC	227
205fd638 MC	228	curve448_scalar_decode_long(challenge_scalar, challenge,
	229	sizeof(challenge));
	230	OPENSSL_cleanse(challenge, sizeof(challenge));
7324473f	231	}
205fd638 MC	232
	233	curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
	234	curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
	235
db90b274	236	OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
205fd638	237	memcpy(signature, nonce_point, sizeof(nonce_point));
db90b274	238	curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
205fd638 MC	239	challenge_scalar);
205fd638 MC	240
e7772577 MC	241	curve448_scalar_destroy(secret_scalar);
	242	curve448_scalar_destroy(nonce_scalar);
	243	curve448_scalar_destroy(challenge_scalar);
a242839f	244
aeeef83c	245	ret = C448_SUCCESS;
a242839f MC	246	err:
	247	EVP_MD_CTX_free(hashctx);
	248	return ret;
7324473f MC	249	}
7324473f MC	250
aeeef83c	251	c448_error_t c448_ed448_sign_prehash(
a9612d6c	252	OPENSSL_CTX *ctx,
db90b274 MC	253	uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
	254	const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
	255	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
aeeef83c MC	256	const uint8_t hash[64], const uint8_t *context,
aeeef83c MC	257	size_t context_len)
205fd638	258	{
a9612d6c MC	259	return c448_ed448_sign(ctx, signature, privkey, pubkey, hash, 64, 1,
a9612d6c MC	260	context, context_len);
7324473f MC	261	}
7324473f MC	262
aeeef83c	263	c448_error_t c448_ed448_verify(
a9612d6c	264	OPENSSL_CTX *ctx,
db90b274 MC	265	const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
db90b274 MC	266	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
aeeef83c MC	267	const uint8_t *message, size_t message_len,
	268	uint8_t prehashed, const uint8_t *context,
	269	uint8_t context_len)
205fd638	270	{
e7772577	271	curve448_point_t pk_point, r_point;
08afd2f3	272	c448_error_t error;
094c071c MC	273	curve448_scalar_t challenge_scalar;
094c071c MC	274	curve448_scalar_t response_scalar;
08afd2f3 MC	275	/* Order in little endian format */
	276	static const uint8_t order[] = {
	277	0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
	278	0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
	279	0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	280	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	281	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
	282	};
	283	int i;
	284
	285	/*
	286	* Check that s (second 57 bytes of the sig) is less than the order. Both
	287	* s and the order are in little-endian format. This can be done in
	288	* variable time, since if this is not the case the signature if publicly
	289	* invalid.
	290	*/
	291	for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
	292	if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
	293	return C448_FAILURE;
	294	if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
	295	break;
	296	}
	297	if (i < 0)
	298	return C448_FAILURE;
	299
	300	error =
	301	curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
094c071c	302
aeeef83c	303	if (C448_SUCCESS != error)
205fd638	304	return error;
205fd638 MC	305
	306	error =
	307	curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
aeeef83c	308	if (C448_SUCCESS != error)
205fd638	309	return error;
205fd638	310
7324473f MC	311	{
7324473f MC	312	/* Compute the challenge */
a242839f	313	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
db90b274	314	uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
a242839f MC	315
a242839f MC	316	if (hashctx == NULL
a9612d6c	317	\|\| !hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
e4118223 MC	318	context_len)
	319	\|\| !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES)
	320	\|\| !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
	321	\|\| !EVP_DigestUpdate(hashctx, message, message_len)
	322	\|\| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
a242839f	323	EVP_MD_CTX_free(hashctx);
aeeef83c	324	return C448_FAILURE;
a242839f MC	325	}
	326
	327	EVP_MD_CTX_free(hashctx);
205fd638 MC	328	curve448_scalar_decode_long(challenge_scalar, challenge,
	329	sizeof(challenge));
	330	OPENSSL_cleanse(challenge, sizeof(challenge));
7324473f	331	}
205fd638 MC	332	curve448_scalar_sub(challenge_scalar, curve448_scalar_zero,
	333	challenge_scalar);
	334
	335	curve448_scalar_decode_long(response_scalar,
db90b274 MC	336	&signature[EDDSA_448_PUBLIC_BYTES],
db90b274 MC	337	EDDSA_448_PRIVATE_BYTES);
205fd638	338
7324473f	339	/* pk_point = -c(x(P)) + (cx + k)G = kG */
205fd638 MC	340	curve448_base_double_scalarmul_non_secret(pk_point,
	341	response_scalar,
	342	pk_point, challenge_scalar);
aeeef83c	343	return c448_succeed_if(curve448_point_eq(pk_point, r_point));
7324473f MC	344	}
7324473f MC	345
aeeef83c	346	c448_error_t c448_ed448_verify_prehash(
a9612d6c	347	OPENSSL_CTX *ctx,
db90b274 MC	348	const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
db90b274 MC	349	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
8d55f844 MC	350	const uint8_t hash[64], const uint8_t *context,
8d55f844 MC	351	uint8_t context_len)
205fd638	352	{
a9612d6c	353	return c448_ed448_verify(ctx, signature, pubkey, hash, 64, 1, context,
68b20c00	354	context_len);
7324473f	355	}
4ea41daa	356
a9612d6c MC	357	int ED448_sign(OPENSSL_CTX ctx, uint8_t out_sig, const uint8_t *message,
	358	size_t message_len, const uint8_t public_key[57],
	359	const uint8_t private_key[57], const uint8_t *context,
	360	size_t context_len)
6ea71cba	361	{
a9612d6c	362	return c448_ed448_sign(ctx, out_sig, private_key, public_key, message,
aeeef83c MC	363	message_len, 0, context, context_len)
aeeef83c MC	364	== C448_SUCCESS;
4ea41daa MC	365	}
4ea41daa MC	366
a9612d6c	367	int ED448_verify(OPENSSL_CTX ctx, const uint8_t message, size_t message_len,
22bcc9cb	368	const uint8_t signature[114], const uint8_t public_key[57],
6ea71cba MC	369	const uint8_t *context, size_t context_len)
6ea71cba MC	370	{
a9612d6c MC	371	return c448_ed448_verify(ctx, signature, public_key, message, message_len,
a9612d6c MC	372	0, context, (uint8_t)context_len) == C448_SUCCESS;
4ea41daa MC	373	}
4ea41daa MC	374
a9612d6c	375	int ED448ph_sign(OPENSSL_CTX ctx, uint8_t out_sig, const uint8_t hash[64],
22bcc9cb	376	const uint8_t public_key[57], const uint8_t private_key[57],
6ea71cba MC	377	const uint8_t *context, size_t context_len)
6ea71cba MC	378	{
a9612d6c	379	return c448_ed448_sign_prehash(ctx, out_sig, private_key, public_key, hash,
aeeef83c	380	context, context_len) == C448_SUCCESS;
4ea41daa	381
6ea71cba	382	}
4ea41daa	383
a9612d6c MC	384	int ED448ph_verify(OPENSSL_CTX *ctx, const uint8_t hash[64],
	385	const uint8_t signature[114], const uint8_t public_key[57],
	386	const uint8_t *context, size_t context_len)
6ea71cba	387	{
a9612d6c	388	return c448_ed448_verify_prehash(ctx, signature, public_key, hash, context,
0cdcdacc	389	(uint8_t)context_len) == C448_SUCCESS;
4ea41daa MC	390	}
4ea41daa MC	391
a9612d6c	392	int ED448_public_from_private(OPENSSL_CTX *ctx, uint8_t out_public_key[57],
205fd638	393	const uint8_t private_key[57])
6ea71cba	394	{
a9612d6c	395	return c448_ed448_derive_public_key(ctx, out_public_key, private_key)
aeeef83c	396	== C448_SUCCESS;
4ea41daa	397	}