| 1 | /* -*-c-*- |
| 2 | * |
| 3 | * The Ed448 signature scheme |
| 4 | * |
| 5 | * (c) 2017 Straylight/Edgeware |
| 6 | */ |
| 7 | |
| 8 | /*----- Licensing notice --------------------------------------------------* |
| 9 | * |
| 10 | * This file is part of Catacomb. |
| 11 | * |
| 12 | * Catacomb is free software; you can redistribute it and/or modify |
| 13 | * it under the terms of the GNU Library General Public License as |
| 14 | * published by the Free Software Foundation; either version 2 of the |
| 15 | * License, or (at your option) any later version. |
| 16 | * |
| 17 | * Catacomb is distributed in the hope that it will be useful, |
| 18 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 20 | * GNU Library General Public License for more details. |
| 21 | * |
| 22 | * You should have received a copy of the GNU Library General Public |
| 23 | * License along with Catacomb; if not, write to the Free |
| 24 | * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, |
| 25 | * MA 02111-1307, USA. |
| 26 | */ |
| 27 | |
| 28 | /*----- Notes on the Ed448 signature scheme -------------------------------* |
| 29 | * |
| 30 | * This is Ed448, as described in RFC8032, using the EdDSA signature scheme |
| 31 | * defined by Daniel J. Bernstein, Neils Duif, Simon Josefsson, Tanja Lange, |
| 32 | * Peter Schwabe, and Bo-Yin Yang, `High-speed high-security signatures', |
| 33 | * CHES 2011, https://ed25519.cr.yp.to/ed25519-20110926.pdf and `EdDSA for |
| 34 | * more curves', http://ed25519.cr.yp.to/eddsa-20150704.pdf. |
| 35 | * |
| 36 | * This is not the signature scheme described in Hamburg's paper |
| 37 | * `Ed448-Goldilocks, a new elliptic curve', EUROCRYPT 2016, |
| 38 | * https://eprint.iacr.org/2015/625/, which (a) made use of his `Decaf' |
| 39 | * cofactor elimination technique, and (b) was based on Schnorr rather than |
| 40 | * EdDSA. |
| 41 | * |
| 42 | * This code implements the `Ed448' and `Ed448ph' schemes described in |
| 43 | * RFC8032, though in the latter case it assumes that you've already done the |
| 44 | * hashing and have provided the hash as the `message' input. |
| 45 | */ |
| 46 | |
| 47 | #ifndef CATACOMB_ED448_H |
| 48 | #define CATACOMB_ED448_H |
| 49 | |
| 50 | #ifdef __cplusplus |
| 51 | extern "C" { |
| 52 | #endif |
| 53 | |
| 54 | /*----- Header files ------------------------------------------------------*/ |
| 55 | |
| 56 | #include <mLib/bits.h> |
| 57 | |
| 58 | #ifndef CATACOMB_KEY_H |
| 59 | # include "key.h" |
| 60 | #endif |
| 61 | |
| 62 | /*----- Important constants -----------------------------------------------*/ |
| 63 | |
| 64 | #define ED448_KEYSZ 57u |
| 65 | #define ED448_PUBSZ 57u |
| 66 | #define ED448_SIGSZ 114u |
| 67 | |
| 68 | #define ED448_MAXPERSOSZ 255u |
| 69 | |
| 70 | /*----- Key fetching ------------------------------------------------------*/ |
| 71 | |
| 72 | typedef struct ed448_priv { key_bin priv, pub; } ed448_priv; |
| 73 | typedef struct ed448_pub { key_bin pub; } ed448_pub; |
| 74 | |
| 75 | extern const key_fetchdef ed448_pubfetch[], ed448_privfetch[]; |
| 76 | #define ED448_PUBFETCHSZ 3 |
| 77 | #define ED448_PRIVFETCHSZ 6 |
| 78 | |
| 79 | /*----- Functions provided ------------------------------------------------*/ |
| 80 | |
| 81 | /* --- @ed448_pubkey@ --- * |
| 82 | * |
| 83 | * Arguments: @octet K[ED448_PUBSZ]@ = where to put the public key |
| 84 | * @const void *k@ = private key |
| 85 | * @size_t ksz@ = length of private key |
| 86 | * |
| 87 | * Returns: --- |
| 88 | * |
| 89 | * Use: Derives the public key from a private key. |
| 90 | */ |
| 91 | |
| 92 | extern void ed448_pubkey(octet /*K*/[ED448_PUBSZ], |
| 93 | const void */*k*/, size_t /*ksz*/); |
| 94 | |
| 95 | /* --- @ed448_sign@ --- * |
| 96 | * |
| 97 | * Arguments: @octet sig[ED448_SIGSZ]@ = where to put the signature |
| 98 | * @const void *k@ = private key |
| 99 | * @size_t ksz@ = length of private key |
| 100 | * @const octet K[ED448_PUBSZ]@ = public key |
| 101 | * @int phflag@ = whether the `message' has been hashed already |
| 102 | * @const void *p@ = personalization string |
| 103 | * @size_t psz@ = length of personalization string |
| 104 | * @const void *m@ = message to sign |
| 105 | * @size_t msz@ = length of message |
| 106 | * |
| 107 | * Returns: --- |
| 108 | * |
| 109 | * Use: Signs a message. |
| 110 | */ |
| 111 | |
| 112 | extern void ed448_sign(octet /*sig*/[ED448_SIGSZ], |
| 113 | const void */*k*/, size_t /*ksz*/, |
| 114 | const octet /*K*/[ED448_PUBSZ], |
| 115 | int /*phflag*/, const void */*p*/, size_t /*psz*/, |
| 116 | const void */*m*/, size_t /*msz*/); |
| 117 | |
| 118 | /* --- @ed448_verify@ --- * |
| 119 | * |
| 120 | * Arguments: @const octet K[ED448_PUBSZ]@ = public key |
| 121 | * @const void *m@ = message to sign |
| 122 | * @int phflag@ = whether the `message' has been hashed already |
| 123 | * @const void *p@ = personalization string |
| 124 | * @size_t psz@ = length of personalization string |
| 125 | * @size_t msz@ = length of message |
| 126 | * @const octet sig[ED448_SIGSZ]@ = signature |
| 127 | * |
| 128 | * Returns: Zero if OK, negative on failure. |
| 129 | * |
| 130 | * Use: Verify a signature. |
| 131 | */ |
| 132 | |
| 133 | extern int ed448_verify(const octet /*K*/[ED448_PUBSZ], |
| 134 | int /*phflag*/, const void */*p*/, size_t /*psz*/, |
| 135 | const void */*m*/, size_t /*msz*/, |
| 136 | const octet /*sig*/[ED448_SIGSZ]); |
| 137 | |
| 138 | /*----- That's all, folks -------------------------------------------------*/ |
| 139 | |
| 140 | #ifdef __cplusplus |
| 141 | } |
| 142 | #endif |
| 143 | |
| 144 | #endif |