Commit | Line | Data |
---|---|---|
c578d5d8 MW |
1 | /* -*-c-*- |
2 | * | |
3 | * The Ed448 signature scheme | |
4 | * | |
5 | * (c) 2017 Straylight/Edgeware | |
6 | */ | |
7 | ||
8 | /*----- Licensing notice --------------------------------------------------* | |
9 | * | |
10 | * This file is part of Catacomb. | |
11 | * | |
12 | * Catacomb is free software; you can redistribute it and/or modify | |
13 | * it under the terms of the GNU Library General Public License as | |
14 | * published by the Free Software Foundation; either version 2 of the | |
15 | * License, or (at your option) any later version. | |
16 | * | |
17 | * Catacomb is distributed in the hope that it will be useful, | |
18 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
20 | * GNU Library General Public License for more details. | |
21 | * | |
22 | * You should have received a copy of the GNU Library General Public | |
23 | * License along with Catacomb; if not, write to the Free | |
24 | * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, | |
25 | * MA 02111-1307, USA. | |
26 | */ | |
27 | ||
28 | /*----- Notes on the Ed448 signature scheme -------------------------------* | |
29 | * | |
30 | * This is Ed448, as described in RFC8032, using the EdDSA signature scheme | |
31 | * defined by Daniel J. Bernstein, Neils Duif, Simon Josefsson, Tanja Lange, | |
32 | * Peter Schwabe, and Bo-Yin Yang, `High-speed high-security signatures', | |
33 | * CHES 2011, https://ed25519.cr.yp.to/ed25519-20110926.pdf and `EdDSA for | |
34 | * more curves', http://ed25519.cr.yp.to/eddsa-20150704.pdf. | |
35 | * | |
36 | * This is not the signature scheme described in Hamburg's paper | |
37 | * `Ed448-Goldilocks, a new elliptic curve', EUROCRYPT 2016, | |
38 | * https://eprint.iacr.org/2015/625/, which (a) made use of his `Decaf' | |
39 | * cofactor elimination technique, and (b) was based on Schnorr rather than | |
40 | * EdDSA. | |
41 | * | |
42 | * This code implements the `Ed448' and `Ed448ph' schemes described in | |
43 | * RFC8032, though in the latter case it assumes that you've already done the | |
44 | * hashing and have provided the hash as the `message' input. | |
45 | */ | |
46 | ||
47 | #ifndef CATACOMB_ED448_H | |
48 | #define CATACOMB_ED448_H | |
49 | ||
50 | #ifdef __cplusplus | |
51 | extern "C" { | |
52 | #endif | |
53 | ||
54 | /*----- Header files ------------------------------------------------------*/ | |
55 | ||
56 | #include <mLib/bits.h> | |
57 | ||
58 | #ifndef CATACOMB_KEY_H | |
59 | # include "key.h" | |
60 | #endif | |
61 | ||
62 | /*----- Important constants -----------------------------------------------*/ | |
63 | ||
64 | #define ED448_KEYSZ 57u | |
65 | #define ED448_PUBSZ 57u | |
66 | #define ED448_SIGSZ 114u | |
67 | ||
68 | #define ED448_MAXPERSOSZ 255u | |
69 | ||
70 | /*----- Key fetching ------------------------------------------------------*/ | |
71 | ||
72 | typedef struct ed448_priv { key_bin priv, pub; } ed448_priv; | |
73 | typedef struct ed448_pub { key_bin pub; } ed448_pub; | |
74 | ||
75 | extern const key_fetchdef ed448_pubfetch[], ed448_privfetch[]; | |
76 | #define ED448_PUBFETCHSZ 3 | |
77 | #define ED448_PRIVFETCHSZ 6 | |
78 | ||
79 | /*----- Functions provided ------------------------------------------------*/ | |
80 | ||
81 | /* --- @ed448_pubkey@ --- * | |
82 | * | |
83 | * Arguments: @octet K[ED448_PUBSZ]@ = where to put the public key | |
84 | * @const void *k@ = private key | |
85 | * @size_t ksz@ = length of private key | |
86 | * | |
87 | * Returns: --- | |
88 | * | |
89 | * Use: Derives the public key from a private key. | |
90 | */ | |
91 | ||
92 | extern void ed448_pubkey(octet /*K*/[ED448_PUBSZ], | |
93 | const void */*k*/, size_t /*ksz*/); | |
94 | ||
95 | /* --- @ed448_sign@ --- * | |
96 | * | |
97 | * Arguments: @octet sig[ED448_SIGSZ]@ = where to put the signature | |
98 | * @const void *k@ = private key | |
99 | * @size_t ksz@ = length of private key | |
100 | * @const octet K[ED448_PUBSZ]@ = public key | |
101 | * @int phflag@ = whether the `message' has been hashed already | |
102 | * @const void *p@ = personalization string | |
103 | * @size_t psz@ = length of personalization string | |
104 | * @const void *m@ = message to sign | |
105 | * @size_t msz@ = length of message | |
106 | * | |
107 | * Returns: --- | |
108 | * | |
109 | * Use: Signs a message. | |
110 | */ | |
111 | ||
112 | extern void ed448_sign(octet /*sig*/[ED448_SIGSZ], | |
113 | const void */*k*/, size_t /*ksz*/, | |
114 | const octet /*K*/[ED448_PUBSZ], | |
115 | int /*phflag*/, const void */*p*/, size_t /*psz*/, | |
116 | const void */*m*/, size_t /*msz*/); | |
117 | ||
118 | /* --- @ed448_verify@ --- * | |
119 | * | |
120 | * Arguments: @const octet K[ED448_PUBSZ]@ = public key | |
121 | * @const void *m@ = message to sign | |
122 | * @int phflag@ = whether the `message' has been hashed already | |
123 | * @const void *p@ = personalization string | |
124 | * @size_t psz@ = length of personalization string | |
125 | * @size_t msz@ = length of message | |
126 | * @const octet sig[ED448_SIGSZ]@ = signature | |
127 | * | |
128 | * Returns: Zero if OK, negative on failure. | |
129 | * | |
130 | * Use: Verify a signature. | |
131 | */ | |
132 | ||
133 | extern int ed448_verify(const octet /*K*/[ED448_PUBSZ], | |
134 | int /*phflag*/, const void */*p*/, size_t /*psz*/, | |
135 | const void */*m*/, size_t /*msz*/, | |
136 | const octet /*sig*/[ED448_SIGSZ]); | |
137 | ||
138 | /*----- That's all, folks -------------------------------------------------*/ | |
139 | ||
140 | #ifdef __cplusplus | |
141 | } | |
142 | #endif | |
143 | ||
144 | #endif |