From: James Muir Date: Sun, 16 Oct 2022 02:23:39 +0000 (-0400) Subject: Support all five EdDSA instances from RFC 8032 X-Git-Tag: openssl-3.2.0-alpha1~1531 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=836080a89a1f5e45dac4e0df76b9270587f65d5b;p=thirdparty%2Fopenssl.git Support all five EdDSA instances from RFC 8032 Fixes #6277 Description: Make each of the five EdDSA instances defined in RFC 8032 -- Ed25519, Ed25519ctx, Ed25519ph, Ed448, Ed448ph -- available via the EVP APIs. The desired EdDSA instance is specified via an OSSL_PARAM. All instances, except for Ed25519, allow context strings as input. Context strings are passed via an OSSL_PARAM. For Ed25519ctx, the context string must be nonempty. Ed25519, Ed25519ctx, Ed448 are PureEdDSA instances, which means that the full message (not a digest) must be passed to sign and verify operations. Ed25519ph, Ed448ph are HashEdDSA instances, which means that the input message is hashed before sign and verify. Testing: All 21 test vectors from RFC 8032 have been added to evppkey_ecx.txt (thanks to Shane Lontis for showing how to do that). Those 21 test vectors are exercised by evp_test.c and cover all five instances. Reviewed-by: Hugo Landau Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/19705) --- diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c index 286d6bff807..4f033d74d0e 100644 --- a/crypto/ec/curve25519.c +++ b/crypto/ec/curve25519.c @@ -5434,9 +5434,47 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, s[31] = (uint8_t) (s11 >> 17); } +static int hash_init_with_dom(EVP_MD_CTX *hash_ctx, + EVP_MD *sha512, + const uint8_t dom2flag, + const uint8_t phflag, + const uint8_t *context, + const size_t context_len) +{ + /* ASCII: "SigEd25519 no Ed25519 collisions", in hex for EBCDIC compatibility */ + const char dom_s[] = + "\x53\x69\x67\x45\x64\x32\x35\x35\x31\x39\x20\x6e" + "\x6f\x20\x45\x64\x32\x35\x35\x31\x39\x20\x63\x6f" + "\x6c\x6c\x69\x73\x69\x6f\x6e\x73"; + uint8_t dom[2]; + + if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL)) + return 0; + + /* return early if dom2flag is not set */ + if (!dom2flag) + return 1; + + if (context_len > UINT8_MAX) + return 0; + + dom[0] = (uint8_t)(phflag >= 1 ? 1 : 0); + dom[1] = (uint8_t)context_len; + + if (!EVP_DigestUpdate(hash_ctx, dom_s, sizeof(dom_s)-1) + || !EVP_DigestUpdate(hash_ctx, dom, sizeof(dom)) + || !EVP_DigestUpdate(hash_ctx, context, context_len)) { + return 0; + } + + return 1; +} + int -ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, +ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *tbs, size_t tbs_len, const uint8_t public_key[32], const uint8_t private_key[32], + const uint8_t dom2flag, const uint8_t phflag, const uint8_t csflag, + const uint8_t *context, size_t context_len, OSSL_LIB_CTX *libctx, const char *propq) { uint8_t az[SHA512_DIGEST_LENGTH]; @@ -5448,6 +5486,17 @@ ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, unsigned int sz; int res = 0; + if (context == NULL) + context_len = 0; + + /* if csflag is set, then a non-empty context-string is required */ + if (csflag && context_len == 0) + goto err; + + /* if dom2flag is not set, then an empty context-string is required */ + if (!dom2flag && context_len > 0) + goto err; + if (sha512 == NULL || hash_ctx == NULL) goto err; @@ -5460,9 +5509,9 @@ ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, az[31] &= 63; az[31] |= 64; - if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL) + if (!hash_init_with_dom(hash_ctx, sha512, dom2flag, phflag, context, context_len) || !EVP_DigestUpdate(hash_ctx, az + 32, 32) - || !EVP_DigestUpdate(hash_ctx, message, message_len) + || !EVP_DigestUpdate(hash_ctx, tbs, tbs_len) || !EVP_DigestFinal_ex(hash_ctx, nonce, &sz)) goto err; @@ -5470,10 +5519,10 @@ ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, ge_scalarmult_base(&R, nonce); ge_p3_tobytes(out_sig, &R); - if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL) + if (!hash_init_with_dom(hash_ctx, sha512, dom2flag, phflag, context, context_len) || !EVP_DigestUpdate(hash_ctx, out_sig, 32) || !EVP_DigestUpdate(hash_ctx, public_key, 32) - || !EVP_DigestUpdate(hash_ctx, message, message_len) + || !EVP_DigestUpdate(hash_ctx, tbs, tbs_len) || !EVP_DigestFinal_ex(hash_ctx, hram, &sz)) goto err; @@ -5492,8 +5541,10 @@ err: static const char allzeroes[15]; int -ossl_ed25519_verify(const uint8_t *message, size_t message_len, +ossl_ed25519_verify(const uint8_t *tbs, size_t tbs_len, const uint8_t signature[64], const uint8_t public_key[32], + const uint8_t dom2flag, const uint8_t phflag, const uint8_t csflag, + const uint8_t *context, size_t context_len, OSSL_LIB_CTX *libctx, const char *propq) { int i; @@ -5512,6 +5563,17 @@ ossl_ed25519_verify(const uint8_t *message, size_t message_len, 0xDE, 0xF9, 0xDE, 0x14 }; + if (context == NULL) + context_len = 0; + + /* if csflag is set, then a non-empty context-string is required */ + if (csflag && context_len == 0) + return 0; + + /* if dom2flag is not set, then an empty context-string is required */ + if (!dom2flag && context_len > 0) + return 0; + r = signature; s = signature + 32; @@ -5556,10 +5618,10 @@ ossl_ed25519_verify(const uint8_t *message, size_t message_len, if (hash_ctx == NULL) goto err; - if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL) + if (!hash_init_with_dom(hash_ctx, sha512, dom2flag, phflag, context, context_len) || !EVP_DigestUpdate(hash_ctx, r, 32) || !EVP_DigestUpdate(hash_ctx, public_key, 32) - || !EVP_DigestUpdate(hash_ctx, message, message_len) + || !EVP_DigestUpdate(hash_ctx, tbs, tbs_len) || !EVP_DigestFinal_ex(hash_ctx, h, &sz)) goto err; @@ -5570,6 +5632,14 @@ ossl_ed25519_verify(const uint8_t *message, size_t message_len, ge_tobytes(rcheck, &R); res = CRYPTO_memcmp(rcheck, r, sizeof(rcheck)) == 0; + + /* note that we have used the strict verification equation here. + * we checked that ENC( [h](-A) + [s]B ) == r + * B is the base point. + * + * the less strict verification equation uses the curve cofactor: + * [h*8](-A) + [s*8]B == [8]R + */ err: EVP_MD_free(sha512); EVP_MD_CTX_free(hash_ctx); diff --git a/crypto/ec/curve448/curve448_local.h b/crypto/ec/curve448/curve448_local.h index 3410f091a65..f118d851ee2 100644 --- a/crypto/ec/curve448/curve448_local.h +++ b/crypto/ec/curve448/curve448_local.h @@ -10,15 +10,4 @@ # define OSSL_CRYPTO_EC_CURVE448_LOCAL_H # include "curve448utils.h" -int -ossl_ed448ph_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t hash[64], - const uint8_t public_key[57], const uint8_t private_key[57], - const uint8_t *context, size_t context_len, const char *propq); - -int -ossl_ed448ph_verify(OSSL_LIB_CTX *ctx, const uint8_t hash[64], - const uint8_t signature[114], const uint8_t public_key[57], - const uint8_t *context, size_t context_len, - const char *propq); - #endif /* OSSL_CRYPTO_EC_CURVE448_LOCAL_H */ diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c index 6648692ff39..cbef27d9bb0 100644 --- a/crypto/ec/curve448/eddsa.c +++ b/crypto/ec/curve448/eddsa.c @@ -61,12 +61,8 @@ static c448_error_t hash_init_with_dom(OSSL_LIB_CTX *ctx, EVP_MD_CTX *hashctx, size_t context_len, const char *propq) { -#ifdef CHARSET_EBCDIC - const char dom_s[] = {0x53, 0x69, 0x67, 0x45, - 0x64, 0x34, 0x34, 0x38, 0x00}; -#else - const char dom_s[] = "SigEd448"; -#endif + /* ASCII: "SigEd448", in hex for EBCDIC compatibility */ + const char dom_s[] = "\x53\x69\x67\x45\x64\x34\x34\x38"; uint8_t dom[2]; EVP_MD *shake256 = NULL; @@ -82,7 +78,7 @@ static c448_error_t hash_init_with_dom(OSSL_LIB_CTX *ctx, EVP_MD_CTX *hashctx, return C448_FAILURE; if (!EVP_DigestInit_ex(hashctx, shake256, NULL) - || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s)) + || !EVP_DigestUpdate(hashctx, dom_s, sizeof(dom_s)-1) || !EVP_DigestUpdate(hashctx, dom, sizeof(dom)) || !EVP_DigestUpdate(hashctx, context, context_len)) { EVP_MD_free(shake256); @@ -373,47 +369,29 @@ ossl_c448_ed448_verify_prehash( } int -ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t *message, - size_t message_len, const uint8_t public_key[57], - const uint8_t private_key[57], const uint8_t *context, - size_t context_len, const char *propq) +ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, + const uint8_t *message, size_t message_len, + const uint8_t public_key[57], const uint8_t private_key[57], + const uint8_t *context, size_t context_len, + const uint8_t phflag, const char *propq) { return ossl_c448_ed448_sign(ctx, out_sig, private_key, public_key, message, - message_len, 0, context, context_len, + message_len, phflag, context, context_len, propq) == C448_SUCCESS; } int -ossl_ed448_verify(OSSL_LIB_CTX *ctx, const uint8_t *message, size_t message_len, +ossl_ed448_verify(OSSL_LIB_CTX *ctx, + const uint8_t *message, size_t message_len, const uint8_t signature[114], const uint8_t public_key[57], - const uint8_t *context, size_t context_len, const char *propq) + const uint8_t *context, size_t context_len, + const uint8_t phflag, const char *propq) { return ossl_c448_ed448_verify(ctx, signature, public_key, message, - message_len, 0, context, (uint8_t)context_len, + message_len, phflag, context, (uint8_t)context_len, propq) == C448_SUCCESS; } -int -ossl_ed448ph_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t hash[64], - const uint8_t public_key[57], const uint8_t private_key[57], - const uint8_t *context, size_t context_len, const char *propq) -{ - return ossl_c448_ed448_sign_prehash(ctx, out_sig, private_key, public_key, - hash, context, context_len, - propq) == C448_SUCCESS; -} - -int -ossl_ed448ph_verify(OSSL_LIB_CTX *ctx, const uint8_t hash[64], - const uint8_t signature[114], const uint8_t public_key[57], - const uint8_t *context, size_t context_len, - const char *propq) -{ - return ossl_c448_ed448_verify_prehash(ctx, signature, public_key, hash, - context, (uint8_t)context_len, - propq) == C448_SUCCESS; -} - int ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57], const uint8_t private_key[57], const char *propq) diff --git a/crypto/ec/ecx_meth.c b/crypto/ec/ecx_meth.c index e83a2d71720..45531b86a1e 100644 --- a/crypto/ec/ecx_meth.c +++ b/crypto/ec/ecx_meth.c @@ -821,8 +821,10 @@ static int pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, unsigned char *sig, return 0; } - if (ossl_ed25519_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey, NULL, - NULL) == 0) + if (ossl_ed25519_sign(sig, tbs, tbslen, edkey->pubkey, edkey->privkey, + 0, 0, 0, + NULL, 0, + NULL, NULL) == 0) return 0; *siglen = ED25519_SIGSIZE; return 1; @@ -849,7 +851,7 @@ static int pkey_ecd_digestsign448(EVP_MD_CTX *ctx, unsigned char *sig, } if (ossl_ed448_sign(edkey->libctx, sig, tbs, tbslen, edkey->pubkey, - edkey->privkey, NULL, 0, edkey->propq) == 0) + edkey->privkey, NULL, 0, 0, edkey->propq) == 0) return 0; *siglen = ED448_SIGSIZE; return 1; @@ -870,6 +872,8 @@ static int pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, const unsigned char *sig, return 0; return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey, + 0, 0, 0, + NULL, 0, edkey->libctx, edkey->propq); } @@ -888,7 +892,7 @@ static int pkey_ecd_digestverify448(EVP_MD_CTX *ctx, const unsigned char *sig, return 0; return ossl_ed448_verify(edkey->libctx, tbs, tbslen, sig, edkey->pubkey, - NULL, 0, edkey->propq); + NULL, 0, 0, edkey->propq); } static int pkey_ecd_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) diff --git a/doc/man7/EVP_SIGNATURE-ED25519.pod b/doc/man7/EVP_SIGNATURE-ED25519.pod index 2183d83c2ea..dbb7de3279d 100644 --- a/doc/man7/EVP_SIGNATURE-ED25519.pod +++ b/doc/man7/EVP_SIGNATURE-ED25519.pod @@ -10,16 +10,65 @@ Ed448 =head1 DESCRIPTION -The B and B EVP_PKEY implementation supports key generation, -one-shot digest sign and digest verify using PureEdDSA and B or B -(see RFC8032). It has associated private and public key formats compatible with -RFC 8410. +The B and B EVP_PKEY implementation supports key +generation, one-shot digest-sign and digest-verify using the EdDSA +signature scheme described in RFC 8032. It has associated private and +public key formats compatible with RFC 8410. + +=head2 EdDSA Instances + +RFC 8032 describes five EdDSA instances: Ed25519, Ed25519ctx, +Ed25519ph, Ed448, Ed448ph. + +The instances Ed25519, Ed25519ctx, Ed448 are referred to as B +schemes. For these three instances, the sign and verify procedures +require access to the complete message (not a digest of the message). + +The instances Ed25519ph, Ed448ph are referred to as B +schemes. For these two instances, the sign and verify procedures do +not require access to the complete message; they operate on a hash of +the message. For Ed25519ph, the hash function is SHA512. For +Ed448ph, the hash function is SHAKE256 with an output length of 512 +bits. + +The instances Ed25519ctx, Ed25519ph, Ed448, Ed448ph accept an optional +B as input to sign and verify operations (and for +Ed25519ctx, the context-string must be nonempty). For the Ed25519 +instance, a nonempty context-string is not permitted. =head2 ED25519 and ED448 Signature Parameters -No additional parameters can be set during one-shot signing or verification. -In particular, because PureEdDSA is used, a digest must B be specified when -signing or verifying. +Two parameters can be set during signing or verification: the EdDSA +B and the B. They can be set by +passing an OSSL_PARAM array to EVP_DigestSignInit_ex(). + +=over 4 + +=item * "instance" (B) + +One of the five strings "Ed25519", "Ed25519ctx", "Ed25519ph", "Ed448", "Ed448ph". + +"Ed25519", "Ed25519ctx", "Ed25519ph" are valid only for an Ed25519 EVP_PKEY. + +"Ed448", "Ed448ph" are valid only for an Ed448 EVP_PKEY. + +=item * "context-string" (B) + +A string of octets with length at most 255. + +=back + +Both of these parameters are optional. + +If the instance name is not specified, then the default "Ed25519" or +"Ed448" is used. + +If a context-string is not specified, then an empty context-string is +used. + +Note that a message digest name must B be specified when signing +or verifying. + See L for information related to B and B keys. The following signature parameters can be retrieved using @@ -27,19 +76,26 @@ EVP_PKEY_CTX_get_params(). =over 4 -=item "algorithm-id" (B) +=item * "algorithm-id" (B) -The parameters are described in L. +=item * "instance" (B) + +=item * "context-string" (B) =back +The parameters are described in L. + =head1 NOTES -The PureEdDSA algorithm does not support the streaming mechanism -of other signature algorithms using, for example, EVP_DigestUpdate(). +The PureEdDSA instances do not support the streaming mechanism of +other signature algorithms using, for example, EVP_DigestUpdate(). The message to sign or verify must be passed using the one-shot EVP_DigestSign() and EVP_DigestVerify() functions. +The HashEdDSA instances do not yet support the streaming mechanisms +(so the one-shot functions must be used with HashEdDSA as well). + When calling EVP_DigestSignInit() or EVP_DigestVerifyInit(), the digest I parameter B be set to NULL. @@ -64,7 +120,7 @@ specified, then both Ed25519 and Ed448 are benchmarked. =head1 EXAMPLES -To sign a message using a ED25519 or ED448 key: +To sign a message using an ED25519 EVP_PKEY structure: void do_sign(EVP_PKEY *ed_key, unsigned char *msg, size_t msg_len) { @@ -72,8 +128,16 @@ To sign a message using a ED25519 or ED448 key: unsigned char *sig = NULL; EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); - EVP_DigestSignInit(md_ctx, NULL, NULL, NULL, ed_key); - /* Calculate the requires size for the signature by passing a NULL buffer */ + const OSSL_PARAM params[] = { + OSSL_PARAM_utf8_string ("instance", "Ed25519ctx", 10), + OSSL_PARAM_octet_string("context-string", (unsigned char *)"A protocol defined context string", 33), + OSSL_PARAM_END + }; + + /* The input "params" is not needed if default options are acceptable. + Use NULL in place of "params" in that case. */ + EVP_DigestSignInit_ex(md_ctx, NULL, NULL, NULL, NULL, ed_key, params); + /* Calculate the required size for the signature by passing a NULL buffer. */ EVP_DigestSign(md_ctx, NULL, &sig_len, msg, msg_len); sig = OPENSSL_zalloc(sig_len); diff --git a/include/crypto/ecx.h b/include/crypto/ecx.h index 79026b6c416..e6b61b5a79d 100644 --- a/include/crypto/ecx.h +++ b/include/crypto/ecx.h @@ -97,27 +97,33 @@ ossl_ed25519_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[32], const uint8_t private_key[32], const char *propq); int -ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, +ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *tbs, size_t tbs_len, const uint8_t public_key[32], const uint8_t private_key[32], + const uint8_t dom2flag, const uint8_t phflag, const uint8_t csflag, + const uint8_t *context, size_t context_len, OSSL_LIB_CTX *libctx, const char *propq); int -ossl_ed25519_verify(const uint8_t *message, size_t message_len, +ossl_ed25519_verify(const uint8_t *tbs, size_t tbs_len, const uint8_t signature[64], const uint8_t public_key[32], + const uint8_t dom2flag, const uint8_t phflag, const uint8_t csflag, + const uint8_t *context, size_t context_len, OSSL_LIB_CTX *libctx, const char *propq); - int ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57], const uint8_t private_key[57], const char *propq); int -ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t *message, - size_t message_len, const uint8_t public_key[57], - const uint8_t private_key[57], const uint8_t *context, - size_t context_len, const char *propq); +ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, + const uint8_t *message, size_t message_len, + const uint8_t public_key[57], const uint8_t private_key[57], + const uint8_t *context, size_t context_len, + const uint8_t phflag, const char *propq); int -ossl_ed448_verify(OSSL_LIB_CTX *ctx, const uint8_t *message, size_t message_len, +ossl_ed448_verify(OSSL_LIB_CTX *ctx, + const uint8_t *message, size_t message_len, const uint8_t signature[114], const uint8_t public_key[57], - const uint8_t *context, size_t context_len, const char *propq); + const uint8_t *context, size_t context_len, + const uint8_t phflag, const char *propq); int ossl_x448(uint8_t out_shared_key[56], const uint8_t private_key[56], diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 1b19ef74d09..2cde6cdb94b 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h @@ -467,6 +467,8 @@ extern "C" { OSSL_PKEY_PARAM_MGF1_PROPERTIES #define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE #define OSSL_SIGNATURE_PARAM_NONCE_TYPE "nonce-type" +#define OSSL_SIGNATURE_PARAM_INSTANCE "instance" +#define OSSL_SIGNATURE_PARAM_CONTEXT_STRING "context-string" /* Asym cipher parameters */ #define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST diff --git a/providers/implementations/signature/eddsa_sig.c b/providers/implementations/signature/eddsa_sig.c index f678e64cf8d..e3d5c5a7c8a 100644 --- a/providers/implementations/signature/eddsa_sig.c +++ b/providers/implementations/signature/eddsa_sig.c @@ -43,6 +43,24 @@ static int s390x_ed448_digestverify(const ECX_KEY *edkey, #endif /* S390X_EC_ASM */ +enum ID_EdDSA_INSTANCE { + ID_NOT_SET = 0, + ID_Ed25519, + ID_Ed25519ctx, + ID_Ed25519ph, + ID_Ed448, + ID_Ed448ph +}; + +#define SN_Ed25519 "Ed25519" +#define SN_Ed25519ph "Ed25519ph" +#define SN_Ed25519ctx "Ed25519ctx" +#define SN_Ed448 "Ed448" +#define SN_Ed448ph "Ed448ph" + +#define EDDSA_MAX_CONTEXT_STRING_LEN 255 +#define EDDSA_PREHASH_OUTPUT_LEN 64 + static OSSL_FUNC_signature_newctx_fn eddsa_newctx; static OSSL_FUNC_signature_digest_sign_init_fn eddsa_digest_signverify_init; static OSSL_FUNC_signature_digest_sign_fn ed25519_digest_sign; @@ -53,6 +71,55 @@ static OSSL_FUNC_signature_freectx_fn eddsa_freectx; static OSSL_FUNC_signature_dupctx_fn eddsa_dupctx; static OSSL_FUNC_signature_get_ctx_params_fn eddsa_get_ctx_params; static OSSL_FUNC_signature_gettable_ctx_params_fn eddsa_gettable_ctx_params; +static OSSL_FUNC_signature_set_ctx_params_fn eddsa_set_ctx_params; +static OSSL_FUNC_signature_settable_ctx_params_fn eddsa_settable_ctx_params; + +/* there are five EdDSA instances: + + Ed25519 + Ed25519ph + Ed25519ctx + Ed448 + Ed448ph + + Quoting from RFC 8032, Section 5.1: + + For Ed25519, dom2(f,c) is the empty string. The phflag value is + irrelevant. The context (if present at all) MUST be empty. This + causes the scheme to be one and the same with the Ed25519 scheme + published earlier. + + For Ed25519ctx, phflag=0. The context input SHOULD NOT be empty. + + For Ed25519ph, phflag=1 and PH is SHA512 instead. That is, the input + is hashed using SHA-512 before signing with Ed25519. + + Quoting from RFC 8032, Section 5.2: + + Ed448ph is the same but with PH being SHAKE256(x, 64) and phflag + being 1, i.e., the input is hashed before signing with Ed448 with a + hash constant modified. + + Value of context is set by signer and verifier (maximum of 255 + octets; the default is empty string) and has to match octet by octet + for verification to be successful. + + Quoting from RFC 8032, Section 2: + + dom2(x, y) The blank octet string when signing or verifying + Ed25519. Otherwise, the octet string: "SigEd25519 no + Ed25519 collisions" || octet(x) || octet(OLEN(y)) || + y, where x is in range 0-255 and y is an octet string + of at most 255 octets. "SigEd25519 no Ed25519 + collisions" is in ASCII (32 octets). + + dom4(x, y) The octet string "SigEd448" || octet(x) || + octet(OLEN(y)) || y, where x is in range 0-255 and y + is an octet string of at most 255 octets. "SigEd448" + is in ASCII (8 octets). + + Note above that x is the pre-hash flag, and y is the context string. +*/ typedef struct { OSSL_LIB_CTX *libctx; @@ -62,6 +129,19 @@ typedef struct { unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE]; unsigned char *aid; size_t aid_len; + + /* id indicating the EdDSA instance */ + int instance_id; + + unsigned int dom2_flag : 1; + unsigned int prehash_flag : 1; + + /* indicates that a non-empty context string is required, as in Ed25519ctx */ + unsigned int context_string_flag : 1; + + unsigned char context_string[EDDSA_MAX_CONTEXT_STRING_LEN]; + size_t context_string_len; + } PROV_EDDSA_CTX; static void *eddsa_newctx(void *provctx, const char *propq_unused) @@ -82,7 +162,7 @@ static void *eddsa_newctx(void *provctx, const char *propq_unused) static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, void *vedkey, - ossl_unused const OSSL_PARAM params[]) + const OSSL_PARAM params[]) { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; ECX_KEY *edkey = (ECX_KEY *)vedkey; @@ -99,8 +179,7 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, if (edkey == NULL) { if (peddsactx->key != NULL) - /* there is nothing to do on reinit */ - return 1; + return eddsa_set_ctx_params(peddsactx, params); ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET); return 0; } @@ -110,6 +189,11 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, return 0; } + peddsactx->dom2_flag = 0; + peddsactx->prehash_flag = 0; + peddsactx->context_string_flag = 0; + peddsactx->context_string_len = 0; + /* * We do not care about DER writing errors. * All it really means is that for some reason, there's no @@ -122,9 +206,11 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, switch (edkey->type) { case ECX_KEY_TYPE_ED25519: ret = ret && ossl_DER_w_algorithmIdentifier_ED25519(&pkt, -1, edkey); + peddsactx->instance_id = ID_Ed25519; break; case ECX_KEY_TYPE_ED448: ret = ret && ossl_DER_w_algorithmIdentifier_ED448(&pkt, -1, edkey); + peddsactx->instance_id = ID_Ed448; break; default: /* Should never happen */ @@ -140,6 +226,9 @@ static int eddsa_digest_signverify_init(void *vpeddsactx, const char *mdname, peddsactx->key = edkey; + if (!eddsa_set_ctx_params(peddsactx, params)) + return 0; + return 1; } @@ -149,6 +238,8 @@ int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret, { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; const ECX_KEY *edkey = peddsactx->key; + uint8_t md[EVP_MAX_MD_SIZE]; + size_t mdlen; if (!ossl_prov_is_running()) return 0; @@ -166,17 +257,33 @@ int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret, return 0; } #ifdef S390X_EC_ASM - if (S390X_CAN_SIGN(ED25519)) { - if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) { - ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN); - return 0; - } - *siglen = ED25519_SIGSIZE; - return 1; + /* s390x_ed25519_digestsign() does not yet support dom2 or context-strings. + fall back to non-accelerated sign if those options are set. */ + if (S390X_CAN_SIGN(ED25519) + && !peddsactx->dom2_flag + && !peddsactx->context_string_flag + && peddsactx->context_string_len == 0) { + if (s390x_ed25519_digestsign(edkey, sigret, tbs, tbslen) == 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN); + return 0; + } + *siglen = ED25519_SIGSIZE; + return 1; } #endif /* S390X_EC_ASM */ + + if (peddsactx->prehash_flag) { + if (!EVP_Q_digest(peddsactx->libctx, SN_sha512, NULL, tbs, tbslen, md, &mdlen) + || mdlen != EDDSA_PREHASH_OUTPUT_LEN) + return 0; + tbs = md; + tbslen = mdlen; + } + if (ossl_ed25519_sign(sigret, tbs, tbslen, edkey->pubkey, edkey->privkey, - peddsactx->libctx, NULL) == 0) { + peddsactx->dom2_flag, peddsactx->prehash_flag, peddsactx->context_string_flag, + peddsactx->context_string, peddsactx->context_string_len, + peddsactx->libctx, NULL) == 0) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN); return 0; } @@ -184,12 +291,41 @@ int ed25519_digest_sign(void *vpeddsactx, unsigned char *sigret, return 1; } +/* EVP_Q_digest() does not allow variable output length for XOFs, + so we use this function */ +static int ed448_shake256(OSSL_LIB_CTX *libctx, + const char *propq, + const uint8_t *in, size_t inlen, + uint8_t *out, size_t outlen) +{ + int ret = 0; + EVP_MD_CTX *hash_ctx = EVP_MD_CTX_new(); + EVP_MD *shake256 = EVP_MD_fetch(libctx, SN_shake256, propq); + + if (hash_ctx == NULL || shake256 == NULL) + goto err; + + if (!EVP_DigestInit_ex(hash_ctx, shake256, NULL) + || !EVP_DigestUpdate(hash_ctx, in, inlen) + || !EVP_DigestFinalXOF(hash_ctx, out, outlen)) + goto err; + + ret = 1; + + err: + EVP_MD_CTX_free(hash_ctx); + EVP_MD_free(shake256); + return ret; +} + int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret, size_t *siglen, size_t sigsize, const unsigned char *tbs, size_t tbslen) { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; const ECX_KEY *edkey = peddsactx->key; + uint8_t md[EDDSA_PREHASH_OUTPUT_LEN]; + size_t mdlen = sizeof(md); if (!ossl_prov_is_running()) return 0; @@ -207,17 +343,30 @@ int ed448_digest_sign(void *vpeddsactx, unsigned char *sigret, return 0; } #ifdef S390X_EC_ASM - if (S390X_CAN_SIGN(ED448)) { + /* s390x_ed448_digestsign() does not yet support context-strings. + fall back to non-accelerated sign if a context-string is provided. */ + if (S390X_CAN_SIGN(ED448) + && peddsactx->context_string_len == 0) { if (s390x_ed448_digestsign(edkey, sigret, tbs, tbslen) == 0) { - ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN); - return 0; - } - *siglen = ED448_SIGSIZE; - return 1; + ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN); + return 0; + } + *siglen = ED448_SIGSIZE; + return 1; } #endif /* S390X_EC_ASM */ - if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen, edkey->pubkey, - edkey->privkey, NULL, 0, edkey->propq) == 0) { + + if (peddsactx->prehash_flag) { + if (!ed448_shake256(peddsactx->libctx, NULL, tbs, tbslen, md, mdlen)) + return 0; + tbs = md; + tbslen = mdlen; + } + + if (ossl_ed448_sign(peddsactx->libctx, sigret, tbs, tbslen, + edkey->pubkey, edkey->privkey, + peddsactx->context_string, peddsactx->context_string_len, + peddsactx->prehash_flag, edkey->propq) == 0) { ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SIGN); return 0; } @@ -231,16 +380,34 @@ int ed25519_digest_verify(void *vpeddsactx, const unsigned char *sig, { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; const ECX_KEY *edkey = peddsactx->key; + uint8_t md[EVP_MAX_MD_SIZE]; + size_t mdlen; if (!ossl_prov_is_running() || siglen != ED25519_SIGSIZE) return 0; #ifdef S390X_EC_ASM - if (S390X_CAN_SIGN(ED25519)) + /* s390x_ed25519_digestverify() does not yet support dom2 or context-strings. + fall back to non-accelerated verify if those options are set. */ + if (S390X_CAN_SIGN(ED25519) + && !peddsactx->dom2_flag + && !peddsactx->context_string_flag + && peddsactx->context_string_len == 0) { return s390x_ed25519_digestverify(edkey, sig, tbs, tbslen); + } #endif /* S390X_EC_ASM */ + if (peddsactx->prehash_flag) { + if (!EVP_Q_digest(peddsactx->libctx, SN_sha512, NULL, tbs, tbslen, md, &mdlen) + || mdlen != EDDSA_PREHASH_OUTPUT_LEN) + return 0; + tbs = md; + tbslen = mdlen; + } + return ossl_ed25519_verify(tbs, tbslen, sig, edkey->pubkey, + peddsactx->dom2_flag, peddsactx->prehash_flag, peddsactx->context_string_flag, + peddsactx->context_string, peddsactx->context_string_len, peddsactx->libctx, edkey->propq); } @@ -250,17 +417,31 @@ int ed448_digest_verify(void *vpeddsactx, const unsigned char *sig, { PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; const ECX_KEY *edkey = peddsactx->key; + uint8_t md[EDDSA_PREHASH_OUTPUT_LEN]; + size_t mdlen = sizeof(md); if (!ossl_prov_is_running() || siglen != ED448_SIGSIZE) return 0; #ifdef S390X_EC_ASM - if (S390X_CAN_SIGN(ED448)) + /* s390x_ed448_digestverify() does not yet support context-strings. + fall back to non-accelerated verify if a context-string is provided. */ + if (S390X_CAN_SIGN(ED448) + && peddsactx->context_string_len == 0) { return s390x_ed448_digestverify(edkey, sig, tbs, tbslen); + } #endif /* S390X_EC_ASM */ + if (peddsactx->prehash_flag) { + if (!ed448_shake256(peddsactx->libctx, NULL, tbs, tbslen, md, mdlen)) + return 0; + tbs = md; + tbslen = mdlen; + } + return ossl_ed448_verify(peddsactx->libctx, tbs, tbslen, sig, edkey->pubkey, - NULL, 0, edkey->propq); + peddsactx->context_string, peddsactx->context_string_len, + peddsactx->prehash_flag, edkey->propq); } static void eddsa_freectx(void *vpeddsactx) @@ -317,6 +498,8 @@ static int eddsa_get_ctx_params(void *vpeddsactx, OSSL_PARAM *params) static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_INSTANCE, NULL, 0), + OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0), OSSL_PARAM_END }; @@ -326,6 +509,84 @@ static const OSSL_PARAM *eddsa_gettable_ctx_params(ossl_unused void *vpeddsactx, return known_gettable_ctx_params; } +static int eddsa_set_ctx_params(void *vpeddsactx, const OSSL_PARAM params[]) +{ + PROV_EDDSA_CTX *peddsactx = (PROV_EDDSA_CTX *)vpeddsactx; + const OSSL_PARAM *p; + + if (peddsactx == NULL) + return 0; + if (params == NULL) + return 1; + + p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_INSTANCE); + if (p != NULL) { + char instance_name[OSSL_MAX_NAME_SIZE] = ""; + char *pinstance_name = instance_name; + + if (!OSSL_PARAM_get_utf8_string(p, &pinstance_name, sizeof(instance_name))) + return 0; + + if (OPENSSL_strcasecmp(pinstance_name, SN_Ed25519) == 0) { + peddsactx->instance_id = ID_Ed25519; + if (peddsactx->key->type != ECX_KEY_TYPE_ED25519) return 0; + peddsactx->dom2_flag = 0; + peddsactx->prehash_flag = 0; + peddsactx->context_string_flag = 0; + } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed25519ctx) == 0) { + peddsactx->instance_id = ID_Ed25519ctx; + if (peddsactx->key->type != ECX_KEY_TYPE_ED25519) return 0; + peddsactx->dom2_flag = 1; + peddsactx->prehash_flag = 0; + peddsactx->context_string_flag = 1; + } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed25519ph) == 0) { + peddsactx->instance_id = ID_Ed25519ph; + if (peddsactx->key->type != ECX_KEY_TYPE_ED25519) return 0; + peddsactx->dom2_flag = 1; + peddsactx->prehash_flag = 1; + peddsactx->context_string_flag = 0; + } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed448) == 0) { + peddsactx->instance_id = ID_Ed448; + if (peddsactx->key->type != ECX_KEY_TYPE_ED448) return 0; + peddsactx->prehash_flag = 0; + peddsactx->context_string_flag = 0; + } else if (OPENSSL_strcasecmp(pinstance_name, SN_Ed448ph) == 0) { + peddsactx->instance_id = ID_Ed448ph; + if (peddsactx->key->type != ECX_KEY_TYPE_ED448) return 0; + peddsactx->prehash_flag = 1; + peddsactx->context_string_flag = 0; + } else { + /* we did not recognize the instance */ + return 0; + } + + } + + p = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_CONTEXT_STRING); + if (p != NULL) { + void *vp_context_string = peddsactx->context_string; + + if (!OSSL_PARAM_get_octet_string(p, &vp_context_string, sizeof(peddsactx->context_string), &(peddsactx->context_string_len))) { + peddsactx->context_string_len = 0; + return 0; + } + } + + return 1; +} + +static const OSSL_PARAM settable_ctx_params[] = { + OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_INSTANCE, NULL, 0), + OSSL_PARAM_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING, NULL, 0), + OSSL_PARAM_END +}; + +static const OSSL_PARAM *eddsa_settable_ctx_params(ossl_unused void *vpeddsactx, + ossl_unused void *provctx) +{ + return settable_ctx_params; +} + const OSSL_DISPATCH ossl_ed25519_signature_functions[] = { { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))eddsa_newctx }, { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, @@ -341,6 +602,9 @@ const OSSL_DISPATCH ossl_ed25519_signature_functions[] = { { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params }, { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, (void (*)(void))eddsa_gettable_ctx_params }, + { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))eddsa_set_ctx_params }, + { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, + (void (*)(void))eddsa_settable_ctx_params }, { 0, NULL } }; @@ -359,6 +623,9 @@ const OSSL_DISPATCH ossl_ed448_signature_functions[] = { { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))eddsa_get_ctx_params }, { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, (void (*)(void))eddsa_gettable_ctx_params }, + { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))eddsa_set_ctx_params }, + { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, + (void (*)(void))eddsa_settable_ctx_params }, { 0, NULL } }; diff --git a/test/curve448_internal_test.c b/test/curve448_internal_test.c index 9d811e08a88..226c8706070 100644 --- a/test/curve448_internal_test.c +++ b/test/curve448_internal_test.c @@ -602,43 +602,43 @@ static int test_ed448(void) if (!TEST_ptr(hashctx) || !TEST_true(ossl_ed448_sign(NULL, outsig, NULL, 0, pubkey1, - privkey1, NULL, 0, NULL)) + privkey1, NULL, 0, 0, NULL)) || !TEST_int_eq(memcmp(sig1, outsig, sizeof(sig1)), 0) || !TEST_true(ossl_ed448_sign(NULL, outsig, msg2, sizeof(msg2), - pubkey2, privkey2, NULL, 0, NULL)) + pubkey2, privkey2, NULL, 0, 0, NULL)) || !TEST_int_eq(memcmp(sig2, outsig, sizeof(sig2)), 0) || !TEST_true(ossl_ed448_sign(NULL, outsig, msg3, sizeof(msg3), pubkey3, privkey3, context3, - sizeof(context3), NULL)) + sizeof(context3), 0, NULL)) || !TEST_int_eq(memcmp(sig3, outsig, sizeof(sig3)), 0) || !TEST_true(ossl_ed448_sign(NULL, outsig, msg4, sizeof(msg4), - pubkey4, privkey4, NULL, 0, NULL)) + pubkey4, privkey4, NULL, 0, 0, NULL)) || !TEST_int_eq(memcmp(sig4, outsig, sizeof(sig4)), 0) || !TEST_true(ossl_ed448_sign(NULL, outsig, msg5, sizeof(msg5), - pubkey5, privkey5, NULL, 0, NULL)) + pubkey5, privkey5, NULL, 0, 0, NULL)) || !TEST_int_eq(memcmp(sig5, outsig, sizeof(sig5)), 0) || !TEST_true(ossl_ed448_sign(NULL, outsig, msg6, sizeof(msg6), - pubkey6, privkey6, NULL, 0, NULL)) + pubkey6, privkey6, NULL, 0, 0, NULL)) || !TEST_int_eq(memcmp(sig6, outsig, sizeof(sig6)), 0) || !TEST_true(ossl_ed448_sign(NULL, outsig, msg7, sizeof(msg7), - pubkey7, privkey7, NULL, 0, NULL)) + pubkey7, privkey7, NULL, 0, 0, NULL)) || !TEST_int_eq(memcmp(sig7, outsig, sizeof(sig7)), 0) || !TEST_true(ossl_ed448_sign(NULL, outsig, msg8, sizeof(msg8), - pubkey8, privkey8, NULL, 0, NULL)) + pubkey8, privkey8, NULL, 0, 0, NULL)) || !TEST_int_eq(memcmp(sig8, outsig, sizeof(sig8)), 0) || !TEST_true(ossl_ed448_sign(NULL, outsig, msg9, sizeof(msg9), - pubkey9, privkey9, NULL, 0, NULL)) + pubkey9, privkey9, NULL, 0, 0, NULL)) || !TEST_int_eq(memcmp(sig9, outsig, sizeof(sig9)), 0) - || !TEST_true(ossl_ed448ph_sign(NULL, outsig, - dohash(hashctx, phmsg1, - sizeof(phmsg1)), phpubkey1, - phprivkey1, NULL, 0, NULL)) + || !TEST_true(ossl_ed448_sign(NULL, outsig, + dohash(hashctx, phmsg1, + sizeof(phmsg1)), 64, phpubkey1, + phprivkey1, NULL, 0, 1, NULL)) || !TEST_int_eq(memcmp(phsig1, outsig, sizeof(phsig1)), 0) - || !TEST_true(ossl_ed448ph_sign(NULL, outsig, - dohash(hashctx, phmsg2, - sizeof(phmsg2)), phpubkey2, - phprivkey2, phcontext2, - sizeof(phcontext2), NULL)) + || !TEST_true(ossl_ed448_sign(NULL, outsig, + dohash(hashctx, phmsg2, + sizeof(phmsg2)), 64, phpubkey2, + phprivkey2, phcontext2, + sizeof(phcontext2), 1, NULL)) || !TEST_int_eq(memcmp(phsig2, outsig, sizeof(phsig2)), 0)) { EVP_MD_CTX_free(hashctx); return 0; diff --git a/test/recipes/30-test_evp_data/evppkey_ecx.txt b/test/recipes/30-test_evp_data/evppkey_ecx.txt index e7f6c1a16f1..56930372305 100644 --- a/test/recipes/30-test_evp_data/evppkey_ecx.txt +++ b/test/recipes/30-test_evp_data/evppkey_ecx.txt @@ -9,6 +9,7 @@ # Tests start with one of these keywords # Cipher Decrypt Derive Digest Encoding KDF MAC PBE # PrivPubKeyPair Sign Verify VerifyRecover +# OneShotDigestSign # and continue until a blank line. Lines starting with a pound sign are ignored. @@ -580,3 +581,341 @@ Result = KEYPAIR_MISMATCH PrivPubKeyPair = Bob-448:Alice-448-PUBLIC Result = KEYPAIR_MISMATCH + +######## RFC 8032 test vectors + +# Test Vector 1 +# Ed25519 +PrivateKeyRaw = EDDSA-TV-1-Raw:ED25519:9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60 + +PublicKeyRaw = EDDSA-TV-1-PUBLIC-Raw:ED25519:d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a + +PrivPubKeyPair = EDDSA-TV-1-Raw:EDDSA-TV-1-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-1-Raw +Input = +Ctrl = instance:Ed25519 +Ctrl = hexcontext-string: +Output = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b + +# Test Vector 2 +# Ed25519 +PrivateKeyRaw = EDDSA-TV-2-Raw:ED25519:4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb + +PublicKeyRaw = EDDSA-TV-2-PUBLIC-Raw:ED25519:3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c + +PrivPubKeyPair = EDDSA-TV-2-Raw:EDDSA-TV-2-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-2-Raw +Input = 72 +Ctrl = instance:Ed25519 +Ctrl = hexcontext-string: +Output = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00 + +# Test Vector 3 +# Ed25519 +PrivateKeyRaw = EDDSA-TV-3-Raw:ED25519:c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7 + +PublicKeyRaw = EDDSA-TV-3-PUBLIC-Raw:ED25519:fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025 + +PrivPubKeyPair = EDDSA-TV-3-Raw:EDDSA-TV-3-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-3-Raw +Input = af82 +Ctrl = instance:Ed25519 +Ctrl = hexcontext-string: +Output = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a + +# Test Vector 4 +# Ed25519 +PrivateKeyRaw = EDDSA-TV-4-Raw:ED25519:f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5 + +PublicKeyRaw = EDDSA-TV-4-PUBLIC-Raw:ED25519:278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e + +PrivPubKeyPair = EDDSA-TV-4-Raw:EDDSA-TV-4-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-4-Raw +Input = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0 +Ctrl = instance:Ed25519 +Ctrl = hexcontext-string: +Output = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03 + +# Test Vector 5 +# Ed25519 +PrivateKeyRaw = EDDSA-TV-5-Raw:ED25519:833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42 + +PublicKeyRaw = EDDSA-TV-5-PUBLIC-Raw:ED25519:ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf + +PrivPubKeyPair = EDDSA-TV-5-Raw:EDDSA-TV-5-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-5-Raw +Input = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f +Ctrl = instance:Ed25519 +Ctrl = hexcontext-string: +Output = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704 + +# Test Vector 6 +# Ed25519ctx +PrivateKeyRaw = EDDSA-TV-6-Raw:ED25519:0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6 + +PublicKeyRaw = EDDSA-TV-6-PUBLIC-Raw:ED25519:dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292 + +PrivPubKeyPair = EDDSA-TV-6-Raw:EDDSA-TV-6-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-6-Raw +Input = f726936d19c800494e3fdaff20b276a8 +Ctrl = instance:Ed25519ctx +Ctrl = hexcontext-string:666f6f +Output = 55a4cc2f70a54e04288c5f4cd1e45a7bb520b36292911876cada7323198dd87a8b36950b95130022907a7fb7c4e9b2d5f6cca685a587b4b21f4b888e4e7edb0d + +# Test Vector 7 +# Ed25519ctx +PrivateKeyRaw = EDDSA-TV-7-Raw:ED25519:0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6 + +PublicKeyRaw = EDDSA-TV-7-PUBLIC-Raw:ED25519:dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292 + +PrivPubKeyPair = EDDSA-TV-7-Raw:EDDSA-TV-7-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-7-Raw +Input = f726936d19c800494e3fdaff20b276a8 +Ctrl = instance:Ed25519ctx +Ctrl = hexcontext-string:626172 +Output = fc60d5872fc46b3aa69f8b5b4351d5808f92bcc044606db097abab6dbcb1aee3216c48e8b3b66431b5b186d1d28f8ee15a5ca2df6668346291c2043d4eb3e90d + +# Test Vector 8 +# Ed25519ctx +PrivateKeyRaw = EDDSA-TV-8-Raw:ED25519:0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6 + +PublicKeyRaw = EDDSA-TV-8-PUBLIC-Raw:ED25519:dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292 + +PrivPubKeyPair = EDDSA-TV-8-Raw:EDDSA-TV-8-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-8-Raw +Input = 508e9e6882b979fea900f62adceaca35 +Ctrl = instance:Ed25519ctx +Ctrl = hexcontext-string:666f6f +Output = 8b70c1cc8310e1de20ac53ce28ae6e7207f33c3295e03bb5c0732a1d20dc64908922a8b052cf99b7c4fe107a5abb5b2c4085ae75890d02df26269d8945f84b0b + +# Test Vector 9 +# Ed25519ctx +PrivateKeyRaw = EDDSA-TV-9-Raw:ED25519:ab9c2853ce297ddab85c993b3ae14bcad39b2c682beabc27d6d4eb20711d6560 + +PublicKeyRaw = EDDSA-TV-9-PUBLIC-Raw:ED25519:0f1d1274943b91415889152e893d80e93275a1fc0b65fd71b4b0dda10ad7d772 + +PrivPubKeyPair = EDDSA-TV-9-Raw:EDDSA-TV-9-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-9-Raw +Input = f726936d19c800494e3fdaff20b276a8 +Ctrl = instance:Ed25519ctx +Ctrl = hexcontext-string:666f6f +Output = 21655b5f1aa965996b3f97b3c849eafba922a0a62992f73b3d1b73106a84ad85e9b86a7b6005ea868337ff2d20a7f5fbd4cd10b0be49a68da2b2e0dc0ad8960f + +# Test Vector 10 +# Ed25519ph +PrivateKeyRaw = EDDSA-TV-10-Raw:ED25519:833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42 + +PublicKeyRaw = EDDSA-TV-10-PUBLIC-Raw:ED25519:ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf + +PrivPubKeyPair = EDDSA-TV-10-Raw:EDDSA-TV-10-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-10-Raw +Input = 616263 +Ctrl = instance:Ed25519ph +Ctrl = hexcontext-string: +Output = 98a70222f0b8121aa9d30f813d683f809e462b469c7ff87639499bb94e6dae4131f85042463c2a355a2003d062adf5aaa10b8c61e636062aaad11c2a26083406 + +# Test Vector 11 +# Ed448 +PrivateKeyRaw = EDDSA-TV-11-Raw:ED448:6c82a562cb808d10d632be89c8513ebf6c929f34ddfa8c9f63c9960ef6e348a3528c8a3fcc2f044e39a3fc5b94492f8f032e7549a20098f95b + +PublicKeyRaw = EDDSA-TV-11-PUBLIC-Raw:ED448:5fd7449b59b461fd2ce787ec616ad46a1da1342485a70e1f8a0ea75d80e96778edf124769b46c7061bd6783df1e50f6cd1fa1abeafe8256180 + +PrivPubKeyPair = EDDSA-TV-11-Raw:EDDSA-TV-11-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-11-Raw +Input = +Ctrl = instance:Ed448 +Ctrl = hexcontext-string: +Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600 + +# Test Vector 12 +# Ed448 +PrivateKeyRaw = EDDSA-TV-12-Raw:ED448:c4eab05d357007c632f3dbb48489924d552b08fe0c353a0d4a1f00acda2c463afbea67c5e8d2877c5e3bc397a659949ef8021e954e0a12274e + +PublicKeyRaw = EDDSA-TV-12-PUBLIC-Raw:ED448:43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480 + +PrivPubKeyPair = EDDSA-TV-12-Raw:EDDSA-TV-12-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-12-Raw +Input = 03 +Ctrl = instance:Ed448 +Ctrl = hexcontext-string: +Output = 26b8f91727bd62897af15e41eb43c377efb9c610d48f2335cb0bd0087810f4352541b143c4b981b7e18f62de8ccdf633fc1bf037ab7cd779805e0dbcc0aae1cbcee1afb2e027df36bc04dcecbf154336c19f0af7e0a6472905e799f1953d2a0ff3348ab21aa4adafd1d234441cf807c03a00 + +# Test Vector 13 +# Ed448 +PrivateKeyRaw = EDDSA-TV-13-Raw:ED448:c4eab05d357007c632f3dbb48489924d552b08fe0c353a0d4a1f00acda2c463afbea67c5e8d2877c5e3bc397a659949ef8021e954e0a12274e + +PublicKeyRaw = EDDSA-TV-13-PUBLIC-Raw:ED448:43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480 + +PrivPubKeyPair = EDDSA-TV-13-Raw:EDDSA-TV-13-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-13-Raw +Input = 03 +Ctrl = instance:Ed448 +Ctrl = hexcontext-string:666f6f +Output = d4f8f6131770dd46f40867d6fd5d5055de43541f8c5e35abbcd001b32a89f7d2151f7647f11d8ca2ae279fb842d607217fce6e042f6815ea000c85741de5c8da1144a6a1aba7f96de42505d7a7298524fda538fccbbb754f578c1cad10d54d0d5428407e85dcbc98a49155c13764e66c3c00 + +# Test Vector 14 +# Ed448 +PrivateKeyRaw = EDDSA-TV-14-Raw:ED448:cd23d24f714274e744343237b93290f511f6425f98e64459ff203e8985083ffdf60500553abc0e05cd02184bdb89c4ccd67e187951267eb328 + +PublicKeyRaw = EDDSA-TV-14-PUBLIC-Raw:ED448:dcea9e78f35a1bf3499a831b10b86c90aac01cd84b67a0109b55a36e9328b1e365fce161d71ce7131a543ea4cb5f7e9f1d8b00696447001400 + +PrivPubKeyPair = EDDSA-TV-14-Raw:EDDSA-TV-14-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-14-Raw +Input = 0c3e544074ec63b0265e0c +Ctrl = instance:Ed448 +Ctrl = hexcontext-string: +Output = 1f0a8888ce25e8d458a21130879b840a9089d999aaba039eaf3e3afa090a09d389dba82c4ff2ae8ac5cdfb7c55e94d5d961a29fe0109941e00b8dbdeea6d3b051068df7254c0cdc129cbe62db2dc957dbb47b51fd3f213fb8698f064774250a5028961c9bf8ffd973fe5d5c206492b140e00 + +# Test Vector 15 +# Ed448 +PrivateKeyRaw = EDDSA-TV-15-Raw:ED448:258cdd4ada32ed9c9ff54e63756ae582fb8fab2ac721f2c8e676a72768513d939f63dddb55609133f29adf86ec9929dccb52c1c5fd2ff7e21b + +PublicKeyRaw = EDDSA-TV-15-PUBLIC-Raw:ED448:3ba16da0c6f2cc1f30187740756f5e798d6bc5fc015d7c63cc9510ee3fd44adc24d8e968b6e46e6f94d19b945361726bd75e149ef09817f580 + +PrivPubKeyPair = EDDSA-TV-15-Raw:EDDSA-TV-15-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-15-Raw +Input = 64a65f3cdedcdd66811e2915 +Ctrl = instance:Ed448 +Ctrl = hexcontext-string: +Output = 7eeeab7c4e50fb799b418ee5e3197ff6bf15d43a14c34389b59dd1a7b1b85b4ae90438aca634bea45e3a2695f1270f07fdcdf7c62b8efeaf00b45c2c96ba457eb1a8bf075a3db28e5c24f6b923ed4ad747c3c9e03c7079efb87cb110d3a99861e72003cbae6d6b8b827e4e6c143064ff3c00 + +# Test Vector 16 +# Ed448 +PrivateKeyRaw = EDDSA-TV-16-Raw:ED448:7ef4e84544236752fbb56b8f31a23a10e42814f5f55ca037cdcc11c64c9a3b2949c1bb60700314611732a6c2fea98eebc0266a11a93970100e + +PublicKeyRaw = EDDSA-TV-16-PUBLIC-Raw:ED448:b3da079b0aa493a5772029f0467baebee5a8112d9d3a22532361da294f7bb3815c5dc59e176b4d9f381ca0938e13c6c07b174be65dfa578e80 + +PrivPubKeyPair = EDDSA-TV-16-Raw:EDDSA-TV-16-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-16-Raw +Input = 64a65f3cdedcdd66811e2915e7 +Ctrl = instance:Ed448 +Ctrl = hexcontext-string: +Output = 6a12066f55331b6c22acd5d5bfc5d71228fbda80ae8dec26bdd306743c5027cb4890810c162c027468675ecf645a83176c0d7323a2ccde2d80efe5a1268e8aca1d6fbc194d3f77c44986eb4ab4177919ad8bec33eb47bbb5fc6e28196fd1caf56b4e7e0ba5519234d047155ac727a1053100 + +# Test Vector 17 +# Ed448 +PrivateKeyRaw = EDDSA-TV-17-Raw:ED448:d65df341ad13e008567688baedda8e9dcdc17dc024974ea5b4227b6530e339bff21f99e68ca6968f3cca6dfe0fb9f4fab4fa135d5542ea3f01 + +PublicKeyRaw = EDDSA-TV-17-PUBLIC-Raw:ED448:df9705f58edbab802c7f8363cfe5560ab1c6132c20a9f1dd163483a26f8ac53a39d6808bf4a1dfbd261b099bb03b3fb50906cb28bd8a081f00 + +PrivPubKeyPair = EDDSA-TV-17-Raw:EDDSA-TV-17-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-17-Raw +Input = bd0f6a3747cd561bdddf4640a332461a4a30a12a434cd0bf40d766d9c6d458e5512204a30c17d1f50b5079631f64eb3112182da3005835461113718d1a5ef944 +Ctrl = instance:Ed448 +Ctrl = hexcontext-string: +Output = 554bc2480860b49eab8532d2a533b7d578ef473eeb58c98bb2d0e1ce488a98b18dfde9b9b90775e67f47d4a1c3482058efc9f40d2ca033a0801b63d45b3b722ef552bad3b4ccb667da350192b61c508cf7b6b5adadc2c8d9a446ef003fb05cba5f30e88e36ec2703b349ca229c2670833900 + +# Test Vector 18 +# Ed448 +PrivateKeyRaw = EDDSA-TV-18-Raw:ED448:2ec5fe3c17045abdb136a5e6a913e32ab75ae68b53d2fc149b77e504132d37569b7e766ba74a19bd6162343a21c8590aa9cebca9014c636df5 + +PublicKeyRaw = EDDSA-TV-18-PUBLIC-Raw:ED448:79756f014dcfe2079f5dd9e718be4171e2ef2486a08f25186f6bff43a9936b9bfe12402b08ae65798a3d81e22e9ec80e7690862ef3d4ed3a00 + +PrivPubKeyPair = EDDSA-TV-18-Raw:EDDSA-TV-18-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-18-Raw +Input = 15777532b0bdd0d1389f636c5f6b9ba734c90af572877e2d272dd078aa1e567cfa80e12928bb542330e8409f3174504107ecd5efac61ae7504dabe2a602ede89e5cca6257a7c77e27a702b3ae39fc769fc54f2395ae6a1178cab4738e543072fc1c177fe71e92e25bf03e4ecb72f47b64d0465aaea4c7fad372536c8ba516a6039c3c2a39f0e4d832be432dfa9a706a6e5c7e19f397964ca4258002f7c0541b590316dbc5622b6b2a6fe7a4abffd96105eca76ea7b98816af0748c10df048ce012d901015a51f189f3888145c03650aa23ce894c3bd889e030d565071c59f409a9981b51878fd6fc110624dcbcde0bf7a69ccce38fabdf86f3bef6044819de11 +Ctrl = instance:Ed448 +Ctrl = hexcontext-string: +Output = c650ddbb0601c19ca11439e1640dd931f43c518ea5bea70d3dcde5f4191fe53f00cf966546b72bcc7d58be2b9badef28743954e3a44a23f880e8d4f1cfce2d7a61452d26da05896f0a50da66a239a8a188b6d825b3305ad77b73fbac0836ecc60987fd08527c1a8e80d5823e65cafe2a3d00 + +# Test Vector 19 +# Ed448 +PrivateKeyRaw = EDDSA-TV-19-Raw:ED448:872d093780f5d3730df7c212664b37b8a0f24f56810daa8382cd4fa3f77634ec44dc54f1c2ed9bea86fafb7632d8be199ea165f5ad55dd9ce8 + +PublicKeyRaw = EDDSA-TV-19-PUBLIC-Raw:ED448:a81b2e8a70a5ac94ffdbcc9badfc3feb0801f258578bb114ad44ece1ec0e799da08effb81c5d685c0c56f64eecaef8cdf11cc38737838cf400 + +PrivPubKeyPair = EDDSA-TV-19-Raw:EDDSA-TV-19-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-19-Raw +Input = 6ddf802e1aae4986935f7f981ba3f0351d6273c0a0c22c9c0e8339168e675412a3debfaf435ed651558007db4384b650fcc07e3b586a27a4f7a00ac8a6fec2cd86ae4bf1570c41e6a40c931db27b2faa15a8cedd52cff7362c4e6e23daec0fbc3a79b6806e316efcc7b68119bf46bc76a26067a53f296dafdbdc11c77f7777e972660cf4b6a9b369a6665f02e0cc9b6edfad136b4fabe723d2813db3136cfde9b6d044322fee2947952e031b73ab5c603349b307bdc27bc6cb8b8bbd7bd323219b8033a581b59eadebb09b3c4f3d2277d4f0343624acc817804728b25ab797172b4c5c21a22f9c7839d64300232eb66e53f31c723fa37fe387c7d3e50bdf9813a30e5bb12cf4cd930c40cfb4e1fc622592a49588794494d56d24ea4b40c89fc0596cc9ebb961c8cb10adde976a5d602b1c3f85b9b9a001ed3c6a4d3b1437f52096cd1956d042a597d561a596ecd3d1735a8d570ea0ec27225a2c4aaff26306d1526c1af3ca6d9cf5a2c98f47e1c46db9a33234cfd4d81f2c98538a09ebe76998d0d8fd25997c7d255c6d66ece6fa56f11144950f027795e653008f4bd7ca2dee85d8e90f3dc315130ce2a00375a318c7c3d97be2c8ce5b6db41a6254ff264fa6155baee3b0773c0f497c573f19bb4f4240281f0b1f4f7be857a4e59d416c06b4c50fa09e1810ddc6b1467baeac5a3668d11b6ecaa901440016f389f80acc4db977025e7f5924388c7e340a732e554440e76570f8dd71b7d640b3450d1fd5f0410a18f9a3494f707c717b79b4bf75c98400b096b21653b5d217cf3565c9597456f70703497a078763829bc01bb1cbc8fa04eadc9a6e3f6699587a9e75c94e5bab0036e0b2e711392cff0047d0d6b05bd2a588bc109718954259f1d86678a579a3120f19cfb2963f177aeb70f2d4844826262e51b80271272068ef5b3856fa8535aa2a88b2d41f2a0e2fda7624c2850272ac4a2f561f8f2f7a318bfd5caf9696149e4ac824ad3460538fdc25421beec2cc6818162d06bbed0c40a387192349db67a118bada6cd5ab0140ee273204f628aad1c135f770279a651e24d8c14d75a6059d76b96a6fd857def5e0b354b27ab937a5815d16b5fae407ff18222c6d1ed263be68c95f32d908bd895cd76207ae726487567f9a67dad79abec316f683b17f2d02bf07e0ac8b5bc6162cf94697b3c27cd1fea49b27f23ba2901871962506520c392da8b6ad0d99f7013fbc06c2c17a569500c8a7696481c1cd33e9b14e40b82e79a5f5db82571ba97bae3ad3e0479515bb0e2b0f3bfcd1fd33034efc6245eddd7ee2086ddae2600d8ca73e214e8c2b0bdb2b047c6a464a562ed77b73d2d841c4b34973551257713b753632efba348169abc90a68f42611a40126d7cb21b58695568186f7e569d2ff0f9e745d0487dd2eb997cafc5abf9dd102e62ff66cba87 +Ctrl = instance:Ed448 +Ctrl = hexcontext-string: +Output = e301345a41a39a4d72fff8df69c98075a0cc082b802fc9b2b6bc503f926b65bddf7f4c8f1cb49f6396afc8a70abe6d8aef0db478d4c6b2970076c6a0484fe76d76b3a97625d79f1ce240e7c576750d295528286f719b413de9ada3e8eb78ed573603ce30d8bb761785dc30dbc320869e1a00 + +# Test Vector 20 +# Ed448ph +PrivateKeyRaw = EDDSA-TV-20-Raw:ED448:833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42ef7822e0d5104127dc05d6dbefde69e3ab2cec7c867c6e2c49 + +PublicKeyRaw = EDDSA-TV-20-PUBLIC-Raw:ED448:259b71c19f83ef77a7abd26524cbdb3161b590a48f7d17de3ee0ba9c52beb743c09428a131d6b1b57303d90d8132c276d5ed3d5d01c0f53880 + +PrivPubKeyPair = EDDSA-TV-20-Raw:EDDSA-TV-20-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-20-Raw +Input = 616263 +Ctrl = instance:Ed448ph +Ctrl = hexcontext-string: +Output = 822f6901f7480f3d5f562c592994d9693602875614483256505600bbc281ae381f54d6bce2ea911574932f52a4e6cadd78769375ec3ffd1b801a0d9b3f4030cd433964b6457ea39476511214f97469b57dd32dbc560a9a94d00bff07620464a3ad203df7dc7ce360c3cd3696d9d9fab90f00 + +# Test Vector 21 +# Ed448ph +PrivateKeyRaw = EDDSA-TV-21-Raw:ED448:833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42ef7822e0d5104127dc05d6dbefde69e3ab2cec7c867c6e2c49 + +PublicKeyRaw = EDDSA-TV-21-PUBLIC-Raw:ED448:259b71c19f83ef77a7abd26524cbdb3161b590a48f7d17de3ee0ba9c52beb743c09428a131d6b1b57303d90d8132c276d5ed3d5d01c0f53880 + +PrivPubKeyPair = EDDSA-TV-21-Raw:EDDSA-TV-21-PUBLIC-Raw + +FIPSversion = >=3.2.0 +OneShotDigestSign = NULL +Key = EDDSA-TV-21-Raw +Input = 616263 +Ctrl = instance:Ed448ph +Ctrl = hexcontext-string:666f6f +Output = c32299d46ec8ff02b54540982814dce9a05812f81962b649d528095916a2aa481065b1580423ef927ecf0af5888f90da0f6a9a85ad5dc3f280d91224ba9911a3653d00e484e2ce232521481c8658df304bb7745a73514cdb9bf3e15784ab71284f8d0704a608c54a6b62d97beb511d132100