[thirdparty/openssl.git] / crypto / ec / curve448 / eddsa.c

/*
 * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2015-2016 Cryptography Research, Inc.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * Originally written by Mike Hamburg
 */
#include <openssl/crypto.h>
#include <openssl/evp.h>

#include "curve448_lcl.h"
#include "word.h"
#include "ed448.h"
#include <string.h>
#include "internal/numbers.h"

#define COFACTOR 4

static c448_error_t oneshot_hash(uint8_t *out, size_t outlen,
                                 const uint8_t *in, size_t inlen)
{
    EVP_MD_CTX *hashctx = EVP_MD_CTX_new();

    if (hashctx == NULL)
        return C448_FAILURE;

    if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
        || !EVP_DigestUpdate(hashctx, in, inlen)
        || !EVP_DigestFinalXOF(hashctx, out, outlen)) {
        EVP_MD_CTX_free(hashctx);
        return C448_FAILURE;
    }

    EVP_MD_CTX_free(hashctx);
    return C448_SUCCESS;
}

static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
{
    uint8_t hibit = (1 << 0) >> 1;

    /* Blarg */
    secret_scalar_ser[0] &= -COFACTOR;
    if (hibit == 0) {
        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
    } else {
        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
        secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] |= hibit;
    }
}

static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed,
                                       uint8_t for_prehash,
                                       const uint8_t *context,
                                       size_t context_len)
{
    const char *dom_s = "SigEd448";
    uint8_t dom[2];

    dom[0] = 2 + word_is_zero(prehashed) + word_is_zero(for_prehash);
    dom[1] = (uint8_t)context_len;

    if (context_len > UINT8_MAX)
        return C448_FAILURE;

    if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
        || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
        || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
        || !EVP_DigestUpdate(hashctx, context, context_len))
        return C448_FAILURE;

    return C448_SUCCESS;
}

/* In this file because it uses the hash */
c448_error_t c448_ed448_convert_private_key_to_x448(
                            uint8_t x[X448_PRIVATE_BYTES],
                            const uint8_t ed [EDDSA_448_PRIVATE_BYTES])
{
    /* pass the private key through oneshot_hash function */
    /* and keep the first X448_PRIVATE_BYTES bytes */
    return oneshot_hash(x, X448_PRIVATE_BYTES, ed,
                        EDDSA_448_PRIVATE_BYTES);
}

c448_error_t c448_ed448_derive_public_key(
                        uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES])
{
    /* only this much used for keygen */
    uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
    curve448_scalar_t secret_scalar;
    unsigned int c;
    curve448_point_t p;

    if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
                      EDDSA_448_PRIVATE_BYTES))
        return C448_FAILURE;

    clamp(secret_scalar_ser);

    curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
                                sizeof(secret_scalar_ser));

    /*
     * Since we are going to mul_by_cofactor during encoding, divide by it
     * here. However, the EdDSA base point is not the same as the decaf base
     * point if the sigma isogeny is in use: the EdDSA base point is on
     * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
     * converted it effectively picks up a factor of 2 from the isogenies.  So
     * we might start at 2 instead of 1.
     */
    for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
        curve448_scalar_halve(secret_scalar, secret_scalar);

    curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);

    curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);

    /* Cleanup */
    curve448_scalar_destroy(secret_scalar);
    curve448_point_destroy(p);
    OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));

    return C448_SUCCESS;
}

c448_error_t c448_ed448_sign(
                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                        const uint8_t *message, size_t message_len,
                        uint8_t prehashed, const uint8_t *context,
                        size_t context_len)
{
    curve448_scalar_t secret_scalar;
    EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
    c448_error_t ret = C448_FAILURE;
    curve448_scalar_t nonce_scalar;
    uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
    unsigned int c;
    curve448_scalar_t challenge_scalar;

    if (hashctx == NULL)
        return C448_FAILURE;

    {
        /*
         * Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialised
         * secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
         */
        uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2];

        if (!oneshot_hash(expanded, sizeof(expanded), privkey,
                          EDDSA_448_PRIVATE_BYTES))
            goto err;
        clamp(expanded);
        curve448_scalar_decode_long(secret_scalar, expanded,
                                    EDDSA_448_PRIVATE_BYTES);

        /* Hash to create the nonce */
        if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
            || !EVP_DigestUpdate(hashctx, expanded + EDDSA_448_PRIVATE_BYTES,
                                 EDDSA_448_PRIVATE_BYTES)
            || !EVP_DigestUpdate(hashctx, message, message_len)) {
            OPENSSL_cleanse(expanded, sizeof(expanded));
            goto err;
        }
        OPENSSL_cleanse(expanded, sizeof(expanded));
    }

    /* Decode the nonce */
    {
        uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];

        if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
            goto err;
        curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
        OPENSSL_cleanse(nonce, sizeof(nonce));
    }

    {
        /* Scalarmul to create the nonce-point */
        curve448_scalar_t nonce_scalar_2;
        curve448_point_t p;

        curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
        for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) {
            curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
        }

        curve448_precomputed_scalarmul(p, curve448_precomputed_base,
                                       nonce_scalar_2);
        curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
        curve448_point_destroy(p);
        curve448_scalar_destroy(nonce_scalar_2);
    }

    {
        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];

        /* Compute the challenge */
        if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
            || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
            || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
            || !EVP_DigestUpdate(hashctx, message, message_len)
            || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
            goto err;

        curve448_scalar_decode_long(challenge_scalar, challenge,
                                    sizeof(challenge));
        OPENSSL_cleanse(challenge, sizeof(challenge));
    }

    curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
    curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);

    OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
    memcpy(signature, nonce_point, sizeof(nonce_point));
    curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
                           challenge_scalar);

    curve448_scalar_destroy(secret_scalar);
    curve448_scalar_destroy(nonce_scalar);
    curve448_scalar_destroy(challenge_scalar);

    ret = C448_SUCCESS;
 err:
    EVP_MD_CTX_free(hashctx);
    return ret;
}

c448_error_t c448_ed448_sign_prehash(
                        uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                        const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
                        const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                        const uint8_t hash[64], const uint8_t *context,
                        size_t context_len)
{
    return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context,
                           context_len);
}

c448_error_t c448_ed448_verify(
                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                    const uint8_t *message, size_t message_len,
                    uint8_t prehashed, const uint8_t *context,
                    uint8_t context_len)
{
    curve448_point_t pk_point, r_point;
    c448_error_t error =
        curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
    curve448_scalar_t challenge_scalar;
    curve448_scalar_t response_scalar;
    unsigned int c;

    if (C448_SUCCESS != error)
        return error;

    error =
        curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
    if (C448_SUCCESS != error)
        return error;

    {
        /* Compute the challenge */
        EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];

        if (hashctx == NULL
                || !hash_init_with_dom(hashctx, prehashed, 0, context,
                                       context_len)
                || !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES)
                || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
                || !EVP_DigestUpdate(hashctx, message, message_len)
                || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
            EVP_MD_CTX_free(hashctx);
            return C448_FAILURE;
        }

        EVP_MD_CTX_free(hashctx);
        curve448_scalar_decode_long(challenge_scalar, challenge,
                                    sizeof(challenge));
        OPENSSL_cleanse(challenge, sizeof(challenge));
    }
    curve448_scalar_sub(challenge_scalar, curve448_scalar_zero,
                        challenge_scalar);

    curve448_scalar_decode_long(response_scalar,
                                &signature[EDDSA_448_PUBLIC_BYTES],
                                EDDSA_448_PRIVATE_BYTES);

    for (c = 1; c < C448_EDDSA_DECODE_RATIO; c <<= 1)
        curve448_scalar_add(response_scalar, response_scalar, response_scalar);

    /* pk_point = -c(x(P)) + (cx + k)G = kG */
    curve448_base_double_scalarmul_non_secret(pk_point,
                                              response_scalar,
                                              pk_point, challenge_scalar);
    return c448_succeed_if(curve448_point_eq(pk_point, r_point));
}

c448_error_t c448_ed448_verify_prehash(
                    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
                    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
                    const uint8_t hash[64], const uint8_t *context,
                    uint8_t context_len)
{
    c448_error_t ret;

    ret = c448_ed448_verify(signature, pubkey, hash, 64, 1, context,
                            context_len);

    return ret;
}

int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
               const uint8_t public_key[57], const uint8_t private_key[57],
               const uint8_t *context, size_t context_len)
{

    return c448_ed448_sign(out_sig, private_key, public_key, message,
                           message_len, 0, context, context_len)
        == C448_SUCCESS;
}

int ED448_verify(const uint8_t *message, size_t message_len,
                 const uint8_t signature[114], const uint8_t public_key[57],
                 const uint8_t *context, size_t context_len)
{
    return c448_ed448_verify(signature, public_key, message, message_len, 0,
                             context, (uint8_t)context_len) == C448_SUCCESS;
}

int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64],
                 const uint8_t public_key[57], const uint8_t private_key[57],
                 const uint8_t *context, size_t context_len)
{
    return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash,
                                   context, context_len) == C448_SUCCESS;

}

int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114],
                   const uint8_t public_key[57], const uint8_t *context,
                   size_t context_len)
{
    return c448_ed448_verify_prehash(signature, public_key, hash, context,
                                     (uint8_t)context_len) == C448_SUCCESS;
}

int ED448_public_from_private(uint8_t out_public_key[57],
                              const uint8_t private_key[57])
{
    return c448_ed448_derive_public_key(out_public_key, private_key)
        == C448_SUCCESS;
}
Commit	Line	Data
1308e022	1	/*
f53c7764	2	* Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
1308e022	3	* Copyright 2015-2016 Cryptography Research, Inc.
7324473f	4	*
1308e022 MC	5	* Licensed under the OpenSSL license (the "License"). You may not use
	6	* this file except in compliance with the License. You can obtain a copy
	7	* in the file LICENSE in the source distribution or at
	8	* https://www.openssl.org/source/license.html
7324473f	9	*
1308e022	10	* Originally written by Mike Hamburg
7324473f	11	*/
b6e388ba	12	#include <openssl/crypto.h>
a242839f	13	#include <openssl/evp.h>
b6e388ba	14
4ea41daa	15	#include "curve448_lcl.h"
7324473f	16	#include "word.h"
a2039c87	17	#include "ed448.h"
7324473f	18	#include <string.h>
a242839f	19	#include "internal/numbers.h"
7324473f	20
7324473f	21	#define COFACTOR 4
7324473f	22
aeeef83c MC	23	static c448_error_t oneshot_hash(uint8_t *out, size_t outlen,
aeeef83c MC	24	const uint8_t *in, size_t inlen)
a242839f MC	25	{
	26	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
	27
	28	if (hashctx == NULL)
aeeef83c	29	return C448_FAILURE;
a242839f MC	30
a242839f MC	31	if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
205fd638 MC	32	\|\| !EVP_DigestUpdate(hashctx, in, inlen)
205fd638 MC	33	\|\| !EVP_DigestFinalXOF(hashctx, out, outlen)) {
a242839f	34	EVP_MD_CTX_free(hashctx);
aeeef83c	35	return C448_FAILURE;
a242839f MC	36	}
	37
	38	EVP_MD_CTX_free(hashctx);
aeeef83c	39	return C448_SUCCESS;
a242839f MC	40	}
a242839f MC	41
db90b274	42	static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
205fd638 MC	43	{
205fd638 MC	44	uint8_t hibit = (1 << 0) >> 1;
094c071c	45
7324473f MC	46	/* Blarg */
7324473f MC	47	secret_scalar_ser[0] &= -COFACTOR;
7324473f	48	if (hibit == 0) {
db90b274 MC	49	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
db90b274 MC	50	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] \|= 0x80;
7324473f	51	} else {
db90b274 MC	52	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1;
db90b274 MC	53	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] \|= hibit;
7324473f MC	54	}
	55	}
	56
aeeef83c MC	57	static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed,
	58	uint8_t for_prehash,
	59	const uint8_t *context,
	60	size_t context_len)
205fd638	61	{
a242839f	62	const char *dom_s = "SigEd448";
094c071c MC	63	uint8_t dom[2];
	64
	65	dom[0] = 2 + word_is_zero(prehashed) + word_is_zero(for_prehash);
	66	dom[1] = (uint8_t)context_len;
a242839f MC	67
a242839f MC	68	if (context_len > UINT8_MAX)
aeeef83c	69	return C448_FAILURE;
7324473f	70
a242839f	71	if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
205fd638 MC	72	\|\| !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
	73	\|\| !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
	74	\|\| !EVP_DigestUpdate(hashctx, context, context_len))
aeeef83c	75	return C448_FAILURE;
a242839f	76
aeeef83c	77	return C448_SUCCESS;
7324473f MC	78	}
7324473f MC	79
7324473f	80	/* In this file because it uses the hash */
aeeef83c	81	c448_error_t c448_ed448_convert_private_key_to_x448(
db90b274 MC	82	uint8_t x[X448_PRIVATE_BYTES],
db90b274 MC	83	const uint8_t ed [EDDSA_448_PRIVATE_BYTES])
205fd638	84	{
a242839f	85	/* pass the private key through oneshot_hash function */
db90b274 MC	86	/* and keep the first X448_PRIVATE_BYTES bytes */
	87	return oneshot_hash(x, X448_PRIVATE_BYTES, ed,
	88	EDDSA_448_PRIVATE_BYTES);
7324473f	89	}
205fd638	90
aeeef83c	91	c448_error_t c448_ed448_derive_public_key(
db90b274 MC	92	uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
db90b274 MC	93	const uint8_t privkey[EDDSA_448_PRIVATE_BYTES])
205fd638	94	{
7324473f	95	/* only this much used for keygen */
db90b274	96	uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
094c071c MC	97	curve448_scalar_t secret_scalar;
	98	unsigned int c;
	99	curve448_point_t p;
	100
a242839f	101	if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey,
db90b274	102	EDDSA_448_PRIVATE_BYTES))
aeeef83c	103	return C448_FAILURE;
8d55f844	104
7324473f	105	clamp(secret_scalar_ser);
094c071c	106
205fd638 MC	107	curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
	108	sizeof(secret_scalar_ser));
	109
	110	/*
	111	* Since we are going to mul_by_cofactor during encoding, divide by it
	112	* here. However, the EdDSA base point is not the same as the decaf base
	113	* point if the sigma isogeny is in use: the EdDSA base point is on
	114	* Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
	115	* converted it effectively picks up a factor of 2 from the isogenies. So
	116	* we might start at 2 instead of 1.
7324473f	117	*/
db90b274	118	for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
205fd638	119	curve448_scalar_halve(secret_scalar, secret_scalar);
205fd638 MC	120
	121	curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar);
	122
e7772577	123	curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
205fd638	124
7324473f	125	/* Cleanup */
e7772577 MC	126	curve448_scalar_destroy(secret_scalar);
e7772577 MC	127	curve448_point_destroy(p);
b6e388ba	128	OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
a242839f	129
aeeef83c	130	return C448_SUCCESS;
7324473f MC	131	}
7324473f MC	132
aeeef83c	133	c448_error_t c448_ed448_sign(
db90b274 MC	134	uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
	135	const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
	136	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
8d55f844 MC	137	const uint8_t *message, size_t message_len,
	138	uint8_t prehashed, const uint8_t *context,
	139	size_t context_len)
205fd638	140	{
e7772577	141	curve448_scalar_t secret_scalar;
a242839f	142	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
aeeef83c	143	c448_error_t ret = C448_FAILURE;
094c071c	144	curve448_scalar_t nonce_scalar;
db90b274	145	uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
094c071c MC	146	unsigned int c;
094c071c MC	147	curve448_scalar_t challenge_scalar;
a242839f MC	148
a242839f MC	149	if (hashctx == NULL)
aeeef83c	150	return C448_FAILURE;
a242839f	151
7324473f	152	{
52a9587c MC	153	/*
	154	* Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialised
	155	* secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
	156	*/
	157	uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2];
a242839f	158
52a9587c	159	if (!oneshot_hash(expanded, sizeof(expanded), privkey,
db90b274	160	EDDSA_448_PRIVATE_BYTES))
a242839f	161	goto err;
52a9587c MC	162	clamp(expanded);
	163	curve448_scalar_decode_long(secret_scalar, expanded,
	164	EDDSA_448_PRIVATE_BYTES);
205fd638	165
7324473f	166	/* Hash to create the nonce */
a242839f	167	if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
52a9587c MC	168	\|\| !EVP_DigestUpdate(hashctx, expanded + EDDSA_448_PRIVATE_BYTES,
52a9587c MC	169	EDDSA_448_PRIVATE_BYTES)
205fd638	170	\|\| !EVP_DigestUpdate(hashctx, message, message_len)) {
52a9587c	171	OPENSSL_cleanse(expanded, sizeof(expanded));
a242839f MC	172	goto err;
a242839f MC	173	}
52a9587c	174	OPENSSL_cleanse(expanded, sizeof(expanded));
7324473f	175	}
205fd638	176
7324473f	177	/* Decode the nonce */
7324473f	178	{
db90b274	179	uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];
a242839f MC	180
	181	if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
	182	goto err;
e7772577	183	curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
b6e388ba	184	OPENSSL_cleanse(nonce, sizeof(nonce));
7324473f	185	}
094c071c	186
7324473f MC	187	{
7324473f MC	188	/* Scalarmul to create the nonce-point */
e7772577	189	curve448_scalar_t nonce_scalar_2;
094c071c MC	190	curve448_point_t p;
094c071c MC	191
205fd638	192	curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
db90b274	193	for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) {
205fd638	194	curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
7324473f	195	}
094c071c	196
205fd638 MC	197	curve448_precomputed_scalarmul(p, curve448_precomputed_base,
205fd638 MC	198	nonce_scalar_2);
e7772577 MC	199	curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
	200	curve448_point_destroy(p);
	201	curve448_scalar_destroy(nonce_scalar_2);
7324473f	202	}
094c071c	203
7324473f	204	{
db90b274	205	uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
a242839f MC	206
	207	/* Compute the challenge */
	208	if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
205fd638	209	\|\| !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
db90b274	210	\|\| !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
205fd638 MC	211	\|\| !EVP_DigestUpdate(hashctx, message, message_len)
205fd638 MC	212	\|\| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
a242839f MC	213	goto err;
a242839f MC	214
205fd638 MC	215	curve448_scalar_decode_long(challenge_scalar, challenge,
	216	sizeof(challenge));
	217	OPENSSL_cleanse(challenge, sizeof(challenge));
7324473f	218	}
205fd638 MC	219
	220	curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
	221	curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
	222
db90b274	223	OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
205fd638	224	memcpy(signature, nonce_point, sizeof(nonce_point));
db90b274	225	curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
205fd638 MC	226	challenge_scalar);
205fd638 MC	227
e7772577 MC	228	curve448_scalar_destroy(secret_scalar);
	229	curve448_scalar_destroy(nonce_scalar);
	230	curve448_scalar_destroy(challenge_scalar);
a242839f	231
aeeef83c	232	ret = C448_SUCCESS;
a242839f MC	233	err:
	234	EVP_MD_CTX_free(hashctx);
	235	return ret;
7324473f MC	236	}
7324473f MC	237
aeeef83c	238	c448_error_t c448_ed448_sign_prehash(
db90b274 MC	239	uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
	240	const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
	241	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
aeeef83c MC	242	const uint8_t hash[64], const uint8_t *context,
aeeef83c MC	243	size_t context_len)
205fd638	244	{
aeeef83c MC	245	return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context,
aeeef83c MC	246	context_len);
7324473f MC	247	}
7324473f MC	248
aeeef83c	249	c448_error_t c448_ed448_verify(
db90b274 MC	250	const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
db90b274 MC	251	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
aeeef83c MC	252	const uint8_t *message, size_t message_len,
	253	uint8_t prehashed, const uint8_t *context,
	254	uint8_t context_len)
205fd638	255	{
e7772577	256	curve448_point_t pk_point, r_point;
aeeef83c	257	c448_error_t error =
205fd638	258	curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
094c071c MC	259	curve448_scalar_t challenge_scalar;
	260	curve448_scalar_t response_scalar;
	261	unsigned int c;
	262
aeeef83c	263	if (C448_SUCCESS != error)
205fd638	264	return error;
205fd638 MC	265
	266	error =
	267	curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
aeeef83c	268	if (C448_SUCCESS != error)
205fd638	269	return error;
205fd638	270
7324473f MC	271	{
7324473f MC	272	/* Compute the challenge */
a242839f	273	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
db90b274	274	uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
a242839f MC	275
a242839f MC	276	if (hashctx == NULL
e4118223 MC	277	\|\| !hash_init_with_dom(hashctx, prehashed, 0, context,
	278	context_len)
	279	\|\| !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES)
	280	\|\| !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
	281	\|\| !EVP_DigestUpdate(hashctx, message, message_len)
	282	\|\| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
a242839f	283	EVP_MD_CTX_free(hashctx);
aeeef83c	284	return C448_FAILURE;
a242839f MC	285	}
	286
	287	EVP_MD_CTX_free(hashctx);
205fd638 MC	288	curve448_scalar_decode_long(challenge_scalar, challenge,
	289	sizeof(challenge));
	290	OPENSSL_cleanse(challenge, sizeof(challenge));
7324473f	291	}
205fd638 MC	292	curve448_scalar_sub(challenge_scalar, curve448_scalar_zero,
	293	challenge_scalar);
	294
	295	curve448_scalar_decode_long(response_scalar,
db90b274 MC	296	&signature[EDDSA_448_PUBLIC_BYTES],
db90b274 MC	297	EDDSA_448_PRIVATE_BYTES);
205fd638	298
db90b274	299	for (c = 1; c < C448_EDDSA_DECODE_RATIO; c <<= 1)
205fd638	300	curve448_scalar_add(response_scalar, response_scalar, response_scalar);
205fd638	301
7324473f	302	/* pk_point = -c(x(P)) + (cx + k)G = kG */
205fd638 MC	303	curve448_base_double_scalarmul_non_secret(pk_point,
	304	response_scalar,
	305	pk_point, challenge_scalar);
aeeef83c	306	return c448_succeed_if(curve448_point_eq(pk_point, r_point));
7324473f MC	307	}
7324473f MC	308
aeeef83c	309	c448_error_t c448_ed448_verify_prehash(
db90b274 MC	310	const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
db90b274 MC	311	const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
8d55f844 MC	312	const uint8_t hash[64], const uint8_t *context,
8d55f844 MC	313	uint8_t context_len)
205fd638	314	{
aeeef83c	315	c448_error_t ret;
205fd638	316
aeeef83c MC	317	ret = c448_ed448_verify(signature, pubkey, hash, 64, 1, context,
aeeef83c MC	318	context_len);
205fd638	319
7324473f MC	320	return ret;
7324473f MC	321	}
4ea41daa MC	322
4ea41daa MC	323	int ED448_sign(uint8_t out_sig, const uint8_t message, size_t message_len,
22bcc9cb	324	const uint8_t public_key[57], const uint8_t private_key[57],
6ea71cba MC	325	const uint8_t *context, size_t context_len)
6ea71cba MC	326	{
4ea41daa	327
aeeef83c MC	328	return c448_ed448_sign(out_sig, private_key, public_key, message,
	329	message_len, 0, context, context_len)
	330	== C448_SUCCESS;
4ea41daa MC	331	}
4ea41daa MC	332
4ea41daa	333	int ED448_verify(const uint8_t *message, size_t message_len,
22bcc9cb	334	const uint8_t signature[114], const uint8_t public_key[57],
6ea71cba MC	335	const uint8_t *context, size_t context_len)
6ea71cba MC	336	{
aeeef83c	337	return c448_ed448_verify(signature, public_key, message, message_len, 0,
0cdcdacc	338	context, (uint8_t)context_len) == C448_SUCCESS;
4ea41daa MC	339	}
4ea41daa MC	340
6ea71cba	341	int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64],
22bcc9cb	342	const uint8_t public_key[57], const uint8_t private_key[57],
6ea71cba MC	343	const uint8_t *context, size_t context_len)
6ea71cba MC	344	{
aeeef83c MC	345	return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash,
aeeef83c MC	346	context, context_len) == C448_SUCCESS;
4ea41daa	347
6ea71cba	348	}
4ea41daa	349
22bcc9cb MC	350	int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114],
22bcc9cb MC	351	const uint8_t public_key[57], const uint8_t *context,
6ea71cba MC	352	size_t context_len)
6ea71cba MC	353	{
aeeef83c	354	return c448_ed448_verify_prehash(signature, public_key, hash, context,
0cdcdacc	355	(uint8_t)context_len) == C448_SUCCESS;
4ea41daa MC	356	}
4ea41daa MC	357
22bcc9cb	358	int ED448_public_from_private(uint8_t out_public_key[57],
205fd638	359	const uint8_t private_key[57])
6ea71cba	360	{
aeeef83c MC	361	return c448_ed448_derive_public_key(out_public_key, private_key)
aeeef83c MC	362	== C448_SUCCESS;
4ea41daa	363	}