[thirdparty/openssl.git] / crypto / ec / curve448 / eddsa.c

/*
 * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2015-2016 Cryptography Research, Inc.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * Originally written by Mike Hamburg
 */
#include <openssl/crypto.h>
#include <openssl/evp.h>

#include "curve448_lcl.h"
#include "word.h"
#include "ed448.h"
#include <string.h>
#include "internal/numbers.h"

#define COFACTOR 4

static c448_error_t oneshot_hash(uint8_t *out, size_t outlen,
                                 const uint8_t *in, size_t inlen)
{
    EVP_MD_CTX *hashctx = EVP_MD_CTX_new();

    if (hashctx == NULL)
        return C448_FAILURE;

    if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
        || !EVP_DigestUpdate(hashctx, in, inlen)
        || !EVP_DigestFinalXOF(hashctx, out, outlen)) {
        EVP_MD_CTX_free(hashctx);
        return C448_FAILURE;
    }

    EVP_MD_CTX_free(hashctx);
    return C448_SUCCESS;
}

static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
{
    uint8_t hibit = (1 << 0) >> 1;

    /* Blarg */
    secret_scalar_ser[0] &= -COFACTOR;
    if (hibit == 0) {
        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
    } else {
        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
    }
}

static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed,
                                       uint8_t for_prehash,
                                       const uint8_t *context,
                                       size_t context_len)
{
    const char *dom_s = "SigEd448";
    uint8_t dom[2];

    dom[0] = 2 + word_is_zero(prehashed) + word_is_zero(for_prehash);
    dom[1] = (uint8_t)context_len;

    if (context_len > UINT8_MAX)
        return C448_FAILURE;

    if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
        || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
        || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
        || !EVP_DigestUpdate(hashctx, context, context_len))
        return C448_FAILURE;

    return C448_SUCCESS;
}

/* In this file because it uses the hash */
c448_error_t c448_ed448_convert_private_key_to_x448(
                            uint8_t x[X448_PRIVATE_BYTES],
                            const uint8_t ed [EDDSA_448_PRIVATE_BYTES])
{
    /* pass the private key through oneshot_hash function */
    /* and keep the first X448_PRIVATE_BYTES bytes */
    return oneshot_hash(x, X448_PRIVATE_BYTES, ed,
                        EDDSA_448_PRIVATE_BYTES);
}

c448_error_t c448_ed448_derive_public_key(
                        uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES])
{
    /* only this much used for keygen */
    uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
    curve448_scalar_t secret_scalar;
    unsigned int c;
    curve448_point_t p;

    if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
                      EDDSA_448_PRIVATE_BYTES))
        return C448_FAILURE;

    clamp(secret_scalar_ser);

    curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
                                sizeof(secret_scalar_ser));

    /*
     * Since we are going to mul_by_cofactor during encoding, divide by it
     * here. However, the EdDSA base point is not the same as the decaf base
     * point if the sigma isogeny is in use: the EdDSA base point is on
     * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
     * converted it effectively picks up a factor of 2 from the isogenies.  So
     * we might start at 2 instead of 1.
     */
    for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
        curve448_scalar_halve(secret_scalar, secret_scalar);

    curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);

    curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);

    /* Cleanup */
    curve448_scalar_destroy(secret_scalar);
    curve448_point_destroy(p);
    OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));

    return C448_SUCCESS;
}

c448_error_t c448_ed448_sign(
                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                        const uint8_t *message, size_t message_len,
                        uint8_t prehashed, const uint8_t *context,
                        size_t context_len)
{
    curve448_scalar_t secret_scalar;
    EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
    c448_error_t ret = C448_FAILURE;
    curve448_scalar_t nonce_scalar;
    uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
    unsigned int c;
    curve448_scalar_t challenge_scalar;

    if (hashctx == NULL)
        return C448_FAILURE;

    {
        /* Schedule the secret key */
        struct {
            uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
            uint8_t seed[EDDSA_448_PRIVATE_BYTES];
        } __attribute__ ((packed)) expanded;

        if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey,
                          EDDSA_448_PRIVATE_BYTES))
            goto err;
        clamp(expanded.secret_scalar_ser);
        curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser,
                                    sizeof(expanded.secret_scalar_ser));

        /* Hash to create the nonce */
        if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
            || !EVP_DigestUpdate(hashctx, expanded.seed, sizeof(expanded.seed))
            || !EVP_DigestUpdate(hashctx, message, message_len)) {
            OPENSSL_cleanse(&expanded, sizeof(expanded));
            goto err;
        }
        OPENSSL_cleanse(&expanded, sizeof(expanded));
    }

    /* Decode the nonce */
    {
        uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];

        if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
            goto err;
        curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
        OPENSSL_cleanse(nonce, sizeof(nonce));
    }

    {
        /* Scalarmul to create the nonce-point */
        curve448_scalar_t nonce_scalar_2;
        curve448_point_t p;

        curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
        for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) {
            curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
        }

        curve448_precomputed_scalarmul(p, curve448_precomputed_base,
                                       nonce_scalar_2);
        curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
        curve448_point_destroy(p);
        curve448_scalar_destroy(nonce_scalar_2);
    }

    {
        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];

        /* Compute the challenge */
        if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
            || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
            || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
            || !EVP_DigestUpdate(hashctx, message, message_len)
            || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
            goto err;

        curve448_scalar_decode_long(challenge_scalar, challenge,
                                    sizeof(challenge));
        OPENSSL_cleanse(challenge, sizeof(challenge));
    }

    curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
    curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);

    OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
    memcpy(signature, nonce_point, sizeof(nonce_point));
    curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
                           challenge_scalar);

    curve448_scalar_destroy(secret_scalar);
    curve448_scalar_destroy(nonce_scalar);
    curve448_scalar_destroy(challenge_scalar);

    ret = C448_SUCCESS;
 err:
    EVP_MD_CTX_free(hashctx);
    return ret;
}

c448_error_t c448_ed448_sign_prehash(
                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                        const uint8_t hash[64], const uint8_t *context,
                        size_t context_len)
{
    return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context,
                           context_len);
}

c448_error_t c448_ed448_verify(
                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                    const uint8_t *message, size_t message_len,
                    uint8_t prehashed, const uint8_t *context,
                    uint8_t context_len)
{
    curve448_point_t pk_point, r_point;
    c448_error_t error =
        curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
    curve448_scalar_t challenge_scalar;
    curve448_scalar_t response_scalar;
    unsigned int c;

    if (C448_SUCCESS != error)
        return error;

    error =
        curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
    if (C448_SUCCESS != error)
        return error;

    {
        /* Compute the challenge */
        EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];

        if (hashctx == NULL
            || !hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
            || !EVP_DigestUpdate(hashctx, signature,
                                 EDDSA_448_PUBLIC_BYTES)
            || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
            || !EVP_DigestUpdate(hashctx, message, message_len)
            || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
            EVP_MD_CTX_free(hashctx);
            return C448_FAILURE;
        }

        EVP_MD_CTX_free(hashctx);
        curve448_scalar_decode_long(challenge_scalar, challenge,
                                    sizeof(challenge));
        OPENSSL_cleanse(challenge, sizeof(challenge));
    }
    curve448_scalar_sub(challenge_scalar, curve448_scalar_zero,
                        challenge_scalar);

    curve448_scalar_decode_long(response_scalar,
                                &signature[EDDSA_448_PUBLIC_BYTES],
                                EDDSA_448_PRIVATE_BYTES);

    for (c = 1; c < C448_EDDSA_DECODE_RATIO; c <<= 1)
        curve448_scalar_add(response_scalar, response_scalar, response_scalar);

    /* pk_point = -c(x(P)) + (cx + k)G = kG */
    curve448_base_double_scalarmul_non_secret(pk_point,
                                              response_scalar,
                                              pk_point, challenge_scalar);
    return c448_succeed_if(curve448_point_eq(pk_point, r_point));
}

c448_error_t c448_ed448_verify_prehash(
                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                    const uint8_t hash[64], const uint8_t *context,
                    uint8_t context_len)
{
    c448_error_t ret;

    ret = c448_ed448_verify(signature, pubkey, hash, 64, 1, context,
                            context_len);

    return ret;
}

int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
               const uint8_t public_key[57], const uint8_t private_key[57],
               const uint8_t *context, size_t context_len)
{

    return c448_ed448_sign(out_sig, private_key, public_key, message,
                           message_len, 0, context, context_len)
        == C448_SUCCESS;
}

int ED448_verify(const uint8_t *message, size_t message_len,
                 const uint8_t signature[114], const uint8_t public_key[57],
                 const uint8_t *context, size_t context_len)
{
    return c448_ed448_verify(signature, public_key, message, message_len, 0,
                             context, context_len) == C448_SUCCESS;
}

int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64],
                 const uint8_t public_key[57], const uint8_t private_key[57],
                 const uint8_t *context, size_t context_len)
{
    return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash,
                                   context, context_len) == C448_SUCCESS;

}

int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114],
                   const uint8_t public_key[57], const uint8_t *context,
                   size_t context_len)
{
    return c448_ed448_verify_prehash(signature, public_key, hash, context,
                                     context_len) == C448_SUCCESS;
}

int ED448_public_from_private(uint8_t out_public_key[57],
                              const uint8_t private_key[57])
{
    return c448_ed448_derive_public_key(out_public_key, private_key)
        == C448_SUCCESS;
}
Commit	Line	Data
1308e022 MC	1	/*
	2	* Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
	3	* Copyright 2015-2016 Cryptography Research, Inc.
7324473f	4	*
1308e022 MC	5	* Licensed under the OpenSSL license (the "License"). You may not use
	6	* this file except in compliance with the License. You can obtain a copy
	7	* in the file LICENSE in the source distribution or at
	8	* https://www.openssl.org/source/license.html
7324473f	9	*
1308e022	10	* Originally written by Mike Hamburg
7324473f	11	*/
b6e388ba	12	#include <openssl/crypto.h>
a242839f	13	#include <openssl/evp.h>
b6e388ba	14
4ea41daa	15	#include "curve448_lcl.h"
7324473f	16	#include "word.h"
a2039c87	17	#include "ed448.h"
7324473f	18	#include <string.h>
a242839f	19	#include "internal/numbers.h"
7324473f	20
7324473f	21	#define COFACTOR 4
7324473f	22
aeeef83c MC	23	static c448_error_t oneshot_hash(uint8_t *out, size_t outlen,
aeeef83c MC	24	const uint8_t *in, size_t inlen)
a242839f MC	25	{
	26	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
	27
	28	if (hashctx == NULL)
aeeef83c	29	return C448_FAILURE;
a242839f MC	30
a242839f MC	31	if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
205fd638 MC	32	\|\| !EVP_DigestUpdate(hashctx, in, inlen)
205fd638 MC	33	\|\| !EVP_DigestFinalXOF(hashctx, out, outlen)) {
a242839f	34	EVP_MD_CTX_free(hashctx);
aeeef83c	35	return C448_FAILURE;
a242839f MC	36	}
	37
	38	EVP_MD_CTX_free(hashctx);
aeeef83c	39	return C448_SUCCESS;
a242839f MC	40	}
a242839f MC	41
db90b274	42	static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
205fd638 MC	43	{
205fd638 MC	44	uint8_t hibit = (1 << 0) >> 1;
094c071c	45
7324473f MC	46	/* Blarg */
7324473f MC	47	secret_scalar_ser[0] &= -COFACTOR;
7324473f	48	if (hibit == 0) {
db90b274 MC	49	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
db90b274 MC	50	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] \|= 0x80;
7324473f	51	} else {
db90b274 MC	52	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
db90b274 MC	53	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] \|= hibit;
7324473f MC	54	}
	55	}
	56
aeeef83c MC	57	static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed,
	58	uint8_t for_prehash,
	59	const uint8_t *context,
	60	size_t context_len)
205fd638	61	{
a242839f	62	const char *dom_s = "SigEd448";
094c071c MC	63	uint8_t dom[2];
	64
	65	dom[0] = 2 + word_is_zero(prehashed) + word_is_zero(for_prehash);
	66	dom[1] = (uint8_t)context_len;
a242839f MC	67
a242839f MC	68	if (context_len > UINT8_MAX)
aeeef83c	69	return C448_FAILURE;
7324473f	70
a242839f	71	if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
205fd638 MC	72	\|\| !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
	73	\|\| !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
	74	\|\| !EVP_DigestUpdate(hashctx, context, context_len))
aeeef83c	75	return C448_FAILURE;
a242839f	76
aeeef83c	77	return C448_SUCCESS;
7324473f MC	78	}
7324473f MC	79
7324473f	80	/* In this file because it uses the hash */
aeeef83c	81	c448_error_t c448_ed448_convert_private_key_to_x448(
db90b274 MC	82	uint8_t x[X448_PRIVATE_BYTES],
db90b274 MC	83	const uint8_t ed [EDDSA_448_PRIVATE_BYTES])
205fd638	84	{
a242839f	85	/* pass the private key through oneshot_hash function */
db90b274 MC	86	/* and keep the first X448_PRIVATE_BYTES bytes */
	87	return oneshot_hash(x, X448_PRIVATE_BYTES, ed,
	88	EDDSA_448_PRIVATE_BYTES);
7324473f	89	}
205fd638	90
aeeef83c	91	c448_error_t c448_ed448_derive_public_key(
db90b274 MC	92	uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
db90b274 MC	93	const uint8_t privkey[EDDSA_448_PRIVATE_BYTES])
205fd638	94	{
7324473f	95	/* only this much used for keygen */
db90b274	96	uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
094c071c MC	97	curve448_scalar_t secret_scalar;
	98	unsigned int c;
	99	curve448_point_t p;
	100
a242839f	101	if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
db90b274	102	EDDSA_448_PRIVATE_BYTES))
aeeef83c	103	return C448_FAILURE;
8d55f844	104
7324473f	105	clamp(secret_scalar_ser);
094c071c	106
205fd638 MC	107	curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
	108	sizeof(secret_scalar_ser));
	109
	110	/*
	111	* Since we are going to mul_by_cofactor during encoding, divide by it
	112	* here. However, the EdDSA base point is not the same as the decaf base
	113	* point if the sigma isogeny is in use: the EdDSA base point is on
	114	* Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
	115	* converted it effectively picks up a factor of 2 from the isogenies. So
	116	* we might start at 2 instead of 1.
7324473f	117	*/
db90b274	118	for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
205fd638	119	curve448_scalar_halve(secret_scalar, secret_scalar);
205fd638 MC	120
	121	curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);
	122
e7772577	123	curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
205fd638	124
7324473f	125	/* Cleanup */
e7772577 MC	126	curve448_scalar_destroy(secret_scalar);
e7772577 MC	127	curve448_point_destroy(p);
b6e388ba	128	OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
a242839f	129
aeeef83c	130	return C448_SUCCESS;
7324473f MC	131	}
7324473f MC	132
aeeef83c	133	c448_error_t c448_ed448_sign(
db90b274 MC	134	uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
	135	const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
	136	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
8d55f844 MC	137	const uint8_t *message, size_t message_len,
	138	uint8_t prehashed, const uint8_t *context,
	139	size_t context_len)
205fd638	140	{
e7772577	141	curve448_scalar_t secret_scalar;
a242839f	142	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
aeeef83c	143	c448_error_t ret = C448_FAILURE;
094c071c	144	curve448_scalar_t nonce_scalar;
db90b274	145	uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
094c071c MC	146	unsigned int c;
094c071c MC	147	curve448_scalar_t challenge_scalar;
a242839f MC	148
a242839f MC	149	if (hashctx == NULL)
aeeef83c	150	return C448_FAILURE;
a242839f	151
7324473f MC	152	{
	153	/* Schedule the secret key */
	154	struct {
db90b274 MC	155	uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
db90b274 MC	156	uint8_t seed[EDDSA_448_PRIVATE_BYTES];
205fd638	157	} __attribute__ ((packed)) expanded;
a242839f MC	158
a242839f MC	159	if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey,
db90b274	160	EDDSA_448_PRIVATE_BYTES))
a242839f	161	goto err;
205fd638 MC	162	clamp(expanded.secret_scalar_ser);
	163	curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser,
	164	sizeof(expanded.secret_scalar_ser));
	165
7324473f	166	/* Hash to create the nonce */
a242839f	167	if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
205fd638 MC	168	\|\| !EVP_DigestUpdate(hashctx, expanded.seed, sizeof(expanded.seed))
205fd638 MC	169	\|\| !EVP_DigestUpdate(hashctx, message, message_len)) {
a242839f MC	170	OPENSSL_cleanse(&expanded, sizeof(expanded));
	171	goto err;
	172	}
b6e388ba	173	OPENSSL_cleanse(&expanded, sizeof(expanded));
7324473f	174	}
205fd638	175
7324473f	176	/* Decode the nonce */
7324473f	177	{
db90b274	178	uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];
a242839f MC	179
	180	if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
	181	goto err;
e7772577	182	curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
b6e388ba	183	OPENSSL_cleanse(nonce, sizeof(nonce));
7324473f	184	}
094c071c	185
7324473f MC	186	{
7324473f MC	187	/* Scalarmul to create the nonce-point */
e7772577	188	curve448_scalar_t nonce_scalar_2;
094c071c MC	189	curve448_point_t p;
094c071c MC	190
205fd638	191	curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
db90b274	192	for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) {
205fd638	193	curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
7324473f	194	}
094c071c	195
205fd638 MC	196	curve448_precomputed_scalarmul(p, curve448_precomputed_base,
205fd638 MC	197	nonce_scalar_2);
e7772577 MC	198	curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
	199	curve448_point_destroy(p);
	200	curve448_scalar_destroy(nonce_scalar_2);
7324473f	201	}
094c071c	202
7324473f	203	{
db90b274	204	uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
a242839f MC	205
	206	/* Compute the challenge */
	207	if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
205fd638	208	\|\| !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
db90b274	209	\|\| !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
205fd638 MC	210	\|\| !EVP_DigestUpdate(hashctx, message, message_len)
205fd638 MC	211	\|\| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
a242839f MC	212	goto err;
a242839f MC	213
205fd638 MC	214	curve448_scalar_decode_long(challenge_scalar, challenge,
	215	sizeof(challenge));
	216	OPENSSL_cleanse(challenge, sizeof(challenge));
7324473f	217	}
205fd638 MC	218
	219	curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
	220	curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
	221
db90b274	222	OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
205fd638	223	memcpy(signature, nonce_point, sizeof(nonce_point));
db90b274	224	curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
205fd638 MC	225	challenge_scalar);
205fd638 MC	226
e7772577 MC	227	curve448_scalar_destroy(secret_scalar);
	228	curve448_scalar_destroy(nonce_scalar);
	229	curve448_scalar_destroy(challenge_scalar);
a242839f	230
aeeef83c	231	ret = C448_SUCCESS;
a242839f MC	232	err:
	233	EVP_MD_CTX_free(hashctx);
	234	return ret;
7324473f MC	235	}
7324473f MC	236
aeeef83c	237	c448_error_t c448_ed448_sign_prehash(
db90b274 MC	238	uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
	239	const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
	240	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
aeeef83c MC	241	const uint8_t hash[64], const uint8_t *context,
aeeef83c MC	242	size_t context_len)
205fd638	243	{
aeeef83c MC	244	return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context,
aeeef83c MC	245	context_len);
7324473f MC	246	}
7324473f MC	247
aeeef83c	248	c448_error_t c448_ed448_verify(
db90b274 MC	249	const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
db90b274 MC	250	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
aeeef83c MC	251	const uint8_t *message, size_t message_len,
	252	uint8_t prehashed, const uint8_t *context,
	253	uint8_t context_len)
205fd638	254	{
e7772577	255	curve448_point_t pk_point, r_point;
aeeef83c	256	c448_error_t error =
205fd638	257	curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
094c071c MC	258	curve448_scalar_t challenge_scalar;
	259	curve448_scalar_t response_scalar;
	260	unsigned int c;
	261
aeeef83c	262	if (C448_SUCCESS != error)
205fd638	263	return error;
205fd638 MC	264
	265	error =
	266	curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
aeeef83c	267	if (C448_SUCCESS != error)
205fd638	268	return error;
205fd638	269
7324473f MC	270	{
7324473f MC	271	/* Compute the challenge */
a242839f	272	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
db90b274	273	uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
a242839f MC	274
a242839f MC	275	if (hashctx == NULL
205fd638 MC	276	\|\| !hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
205fd638 MC	277	\|\| !EVP_DigestUpdate(hashctx, signature,
db90b274 MC	278	EDDSA_448_PUBLIC_BYTES)
db90b274 MC	279	\|\| !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
205fd638 MC	280	\|\| !EVP_DigestUpdate(hashctx, message, message_len)
205fd638 MC	281	\|\| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
a242839f	282	EVP_MD_CTX_free(hashctx);
aeeef83c	283	return C448_FAILURE;
a242839f MC	284	}
	285
	286	EVP_MD_CTX_free(hashctx);
205fd638 MC	287	curve448_scalar_decode_long(challenge_scalar, challenge,
	288	sizeof(challenge));
	289	OPENSSL_cleanse(challenge, sizeof(challenge));
7324473f	290	}
205fd638 MC	291	curve448_scalar_sub(challenge_scalar, curve448_scalar_zero,
	292	challenge_scalar);
	293
	294	curve448_scalar_decode_long(response_scalar,
db90b274 MC	295	&signature[EDDSA_448_PUBLIC_BYTES],
db90b274 MC	296	EDDSA_448_PRIVATE_BYTES);
205fd638	297
db90b274	298	for (c = 1; c < C448_EDDSA_DECODE_RATIO; c <<= 1)
205fd638	299	curve448_scalar_add(response_scalar, response_scalar, response_scalar);
205fd638	300
7324473f	301	/* pk_point = -c(x(P)) + (cx + k)G = kG */
205fd638 MC	302	curve448_base_double_scalarmul_non_secret(pk_point,
	303	response_scalar,
	304	pk_point, challenge_scalar);
aeeef83c	305	return c448_succeed_if(curve448_point_eq(pk_point, r_point));
7324473f MC	306	}
7324473f MC	307
aeeef83c	308	c448_error_t c448_ed448_verify_prehash(
db90b274 MC	309	const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
db90b274 MC	310	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
8d55f844 MC	311	const uint8_t hash[64], const uint8_t *context,
8d55f844 MC	312	uint8_t context_len)
205fd638	313	{
aeeef83c	314	c448_error_t ret;
205fd638	315
aeeef83c MC	316	ret = c448_ed448_verify(signature, pubkey, hash, 64, 1, context,
aeeef83c MC	317	context_len);
205fd638	318
7324473f MC	319	return ret;
7324473f MC	320	}
4ea41daa MC	321
4ea41daa MC	322	int ED448_sign(uint8_t out_sig, const uint8_t message, size_t message_len,
22bcc9cb	323	const uint8_t public_key[57], const uint8_t private_key[57],
6ea71cba MC	324	const uint8_t *context, size_t context_len)
6ea71cba MC	325	{
4ea41daa	326
aeeef83c MC	327	return c448_ed448_sign(out_sig, private_key, public_key, message,
	328	message_len, 0, context, context_len)
	329	== C448_SUCCESS;
4ea41daa MC	330	}
4ea41daa MC	331
4ea41daa	332	int ED448_verify(const uint8_t *message, size_t message_len,
22bcc9cb	333	const uint8_t signature[114], const uint8_t public_key[57],
6ea71cba MC	334	const uint8_t *context, size_t context_len)
6ea71cba MC	335	{
aeeef83c MC	336	return c448_ed448_verify(signature, public_key, message, message_len, 0,
aeeef83c MC	337	context, context_len) == C448_SUCCESS;
4ea41daa MC	338	}
4ea41daa MC	339
6ea71cba	340	int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64],
22bcc9cb	341	const uint8_t public_key[57], const uint8_t private_key[57],
6ea71cba MC	342	const uint8_t *context, size_t context_len)
6ea71cba MC	343	{
aeeef83c MC	344	return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash,
aeeef83c MC	345	context, context_len) == C448_SUCCESS;
4ea41daa	346
6ea71cba	347	}
4ea41daa	348
22bcc9cb MC	349	int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114],
22bcc9cb MC	350	const uint8_t public_key[57], const uint8_t *context,
6ea71cba MC	351	size_t context_len)
6ea71cba MC	352	{
aeeef83c MC	353	return c448_ed448_verify_prehash(signature, public_key, hash, context,
aeeef83c MC	354	context_len) == C448_SUCCESS;
4ea41daa MC	355	}
4ea41daa MC	356
22bcc9cb	357	int ED448_public_from_private(uint8_t out_public_key[57],
205fd638	358	const uint8_t private_key[57])
6ea71cba	359	{
aeeef83c MC	360	return c448_ed448_derive_public_key(out_public_key, private_key)
aeeef83c MC	361	== C448_SUCCESS;
4ea41daa	362	}