6 * Copyright (c) 2015-2016 Cryptography Research, Inc. \n
7 * Released under the MIT License. See LICENSE.txt for license information.
9 * @brief A group of prime order p, based on Ed448-Goldilocks.
11 * @warning This file was automatically generated in Python.
12 * Please do not edit it.
15 #ifndef __DECAF_ED448_H__
16 #define __DECAF_ED448_H__ 1
18 #include "point_448.h"
25 /** Number of bytes in an EdDSA public key. */
26 #define DECAF_EDDSA_448_PUBLIC_BYTES 57
28 /** Number of bytes in an EdDSA private key. */
29 #define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES
31 /** Number of bytes in an EdDSA private key. */
32 #define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + DECAF_EDDSA_448_PRIVATE_BYTES)
34 /** Does EdDSA support non-contextual signatures? */
35 #define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0
37 /** Prehash context renaming macros. */
38 #define decaf_ed448_prehash_ctx_s decaf_shake256_ctx_s
39 #define decaf_ed448_prehash_ctx_t decaf_shake256_ctx_t
40 #define decaf_ed448_prehash_update decaf_shake256_update
41 #define decaf_ed448_prehash_destroy decaf_shake256_destroy
43 /** EdDSA encoding ratio. */
44 #define DECAF_448_EDDSA_ENCODE_RATIO 4
46 /** EdDSA decoding ratio. */
47 #define DECAF_448_EDDSA_DECODE_RATIO (4 / 4)
50 * @brief EdDSA key generation. This function uses a different (non-Decaf)
53 * @param [out] pubkey The public key.
54 * @param [in] privkey The private key.
56 void decaf_ed448_derive_public_key (
57 uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
58 const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]
59 ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
62 * @brief EdDSA signing.
64 * @param [out] signature The signature.
65 * @param [in] privkey The private key.
66 * @param [in] pubkey The public key.
67 * @param [in] message The message to sign.
68 * @param [in] message_len The length of the message.
69 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
70 * @param [in] context A "context" for this signature of up to 255 bytes.
71 * @param [in] context_len Length of the context.
73 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
74 * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
75 * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
78 void decaf_ed448_sign (
79 uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
80 const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
81 const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
82 const uint8_t *message,
85 const uint8_t *context,
87 ) DECAF_API_VIS __attribute__((nonnull(1,2,3))) DECAF_NOINLINE;
90 * @brief EdDSA signing with prehash.
92 * @param [out] signature The signature.
93 * @param [in] privkey The private key.
94 * @param [in] pubkey The public key.
95 * @param [in] hash The hash of the message. This object will not be modified by the call.
96 * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
97 * @param [in] context_len Length of the context.
99 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
100 * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
101 * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
104 void decaf_ed448_sign_prehash (
105 uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
106 const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
107 const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
108 const decaf_ed448_prehash_ctx_t hash,
109 const uint8_t *context,
111 ) DECAF_API_VIS __attribute__((nonnull(1,2,3,4))) DECAF_NOINLINE;
114 * @brief Prehash initialization, with contexts if supported.
116 * @param [out] hash The hash object to be initialized.
118 void decaf_ed448_prehash_init (
119 decaf_ed448_prehash_ctx_t hash
120 ) DECAF_API_VIS __attribute__((nonnull(1))) DECAF_NOINLINE;
123 * @brief EdDSA signature verification.
125 * Uses the standard (i.e. less-strict) verification formula.
127 * @param [in] signature The signature.
128 * @param [in] pubkey The public key.
129 * @param [in] message The message to verify.
130 * @param [in] message_len The length of the message.
131 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
132 * @param [in] context A "context" for this signature of up to 255 bytes.
133 * @param [in] context_len Length of the context.
135 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
136 * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
137 * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
140 decaf_error_t decaf_ed448_verify (
141 const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
142 const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
143 const uint8_t *message,
146 const uint8_t *context,
148 ) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;
151 * @brief EdDSA signature verification.
153 * Uses the standard (i.e. less-strict) verification formula.
155 * @param [in] signature The signature.
156 * @param [in] pubkey The public key.
157 * @param [in] hash The hash of the message. This object will not be modified by the call.
158 * @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
159 * @param [in] context_len Length of the context.
161 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
162 * messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
163 * safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
166 decaf_error_t decaf_ed448_verify_prehash (
167 const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
168 const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
169 const decaf_ed448_prehash_ctx_t hash,
170 const uint8_t *context,
172 ) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;
175 * @brief EdDSA point encoding. Used internally, exposed externally.
176 * Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first.
178 * The multiplication is required because the EdDSA encoding represents
179 * the cofactor information, but the Decaf encoding ignores it (which
180 * is the whole point). So if you decode from EdDSA and re-encode to
181 * EdDSA, the cofactor info must get cleared, because the intermediate
182 * representation doesn't track it.
184 * The way libdecaf handles this is to multiply by
185 * DECAF_448_EDDSA_DECODE_RATIO when decoding, and by
186 * DECAF_448_EDDSA_ENCODE_RATIO when encoding. The product of these
187 * ratios is always exactly the cofactor 4, so the cofactor
188 * ends up cleared one way or another. But exactly how that shakes
189 * out depends on the base points specified in RFC 8032.
191 * The upshot is that if you pass the Decaf/Ristretto base point to
192 * this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the
195 * @param [out] enc The encoded point.
196 * @param [in] p The point.
198 void decaf_448_point_mul_by_ratio_and_encode_like_eddsa (
199 uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],
200 const decaf_448_point_t p
201 ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
204 * @brief EdDSA point decoding. Multiplies by DECAF_448_EDDSA_DECODE_RATIO,
205 * and ignores cofactor information.
207 * See notes on decaf_448_point_mul_by_ratio_and_encode_like_eddsa
209 * @param [out] enc The encoded point.
210 * @param [in] p The point.
212 decaf_error_t decaf_448_point_decode_like_eddsa_and_mul_by_ratio (
214 const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]
215 ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
218 * @brief EdDSA to ECDH public key conversion
219 * Deserialize the point to get y on Edwards curve,
220 * Convert it to u coordinate on Montgomery curve.
222 * @warning This function does not check that the public key being converted
223 * is a valid EdDSA public key (FUTURE?)
225 * @param[out] x The ECDH public key as in RFC7748(point on Montgomery curve)
226 * @param[in] ed The EdDSA public key(point on Edwards curve)
228 void decaf_ed448_convert_public_key_to_x448 (
229 uint8_t x[DECAF_X448_PUBLIC_BYTES],
230 const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES]
231 ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
234 * @brief EdDSA to ECDH private key conversion
235 * Using the appropriate hash function, hash the EdDSA private key
236 * and keep only the lower bytes to get the ECDH private key
238 * @param[out] x The ECDH private key as in RFC7748
239 * @param[in] ed The EdDSA private key
241 void decaf_ed448_convert_private_key_to_x448 (
242 uint8_t x[DECAF_X448_PRIVATE_BYTES],
243 const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]
244 ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
250 #endif /* __DECAF_ED448_H__ */