mdw@git.distorted.org.uk Git - catacomb/blob - pub/ed448.h

   1 /* -*-c-*-
   2  *
   3  * The Ed448 signature scheme
   4  *
   5  * (c) 2017 Straylight/Edgeware
   6  */
   7
   8 /*----- Licensing notice --------------------------------------------------*
   9  *
  10  * This file is part of Catacomb.
  11  *
  12  * Catacomb is free software; you can redistribute it and/or modify
  13  * it under the terms of the GNU Library General Public License as
  14  * published by the Free Software Foundation; either version 2 of the
  15  * License, or (at your option) any later version.
  16  *
  17  * Catacomb is distributed in the hope that it will be useful,
  18  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  20  * GNU Library General Public License for more details.
  21  *
  22  * You should have received a copy of the GNU Library General Public
  23  * License along with Catacomb; if not, write to the Free
  24  * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
  25  * MA 02111-1307, USA.
  26  */
  27
  28 /*----- Notes on the Ed448 signature scheme -------------------------------*
  29  *
  30  * This is Ed448, as described in RFC8032, using the EdDSA signature scheme
  31  * defined by Daniel J. Bernstein, Neils Duif, Simon Josefsson, Tanja Lange,
  32  * Peter Schwabe, and Bo-Yin Yang, `High-speed high-security signatures',
  33  * CHES 2011, https://ed25519.cr.yp.to/ed25519-20110926.pdf and `EdDSA for
  34  * more curves', http://ed25519.cr.yp.to/eddsa-20150704.pdf.
  35  *
  36  * This is not the signature scheme described in Hamburg's paper
  37  * `Ed448-Goldilocks, a new elliptic curve', EUROCRYPT 2016,
  38  * https://eprint.iacr.org/2015/625/, which (a) made use of his `Decaf'
  39  * cofactor elimination technique, and (b) was based on Schnorr rather than
  40  * EdDSA.
  41  *
  42  * This code implements the `Ed448' and `Ed448ph' schemes described in
  43  * RFC8032, though in the latter case it assumes that you've already done the
  44  * hashing and have provided the hash as the `message' input.
  45  */
  46
  47 #ifndef CATACOMB_ED448_H
  48 #define CATACOMB_ED448_H
  49
  50 #ifdef __cplusplus
  51   extern "C" {
  52 #endif
  53
  54 /*----- Header files ------------------------------------------------------*/
  55
  56 #include <mLib/bits.h>
  57
  58 #ifndef CATACOMB_KEY_H
  59 #  include "key.h"
  60 #endif
  61
  62 /*----- Important constants -----------------------------------------------*/
  63
  64 #define ED448_KEYSZ 57u
  65 #define ED448_PUBSZ 57u
  66 #define ED448_SIGSZ 114u
  67
  68 #define ED448_MAXPERSOSZ 255u
  69
  70 /*----- Key fetching ------------------------------------------------------*/
  71
  72 typedef struct ed448_priv { key_bin priv, pub; } ed448_priv;
  73 typedef struct ed448_pub { key_bin pub; } ed448_pub;
  74
  75 extern const key_fetchdef ed448_pubfetch[], ed448_privfetch[];
  76 #define ED448_PUBFETCHSZ 3
  77 #define ED448_PRIVFETCHSZ 6
  78
  79 /*----- Functions provided ------------------------------------------------*/
  80
  81 /* --- @ed448_pubkey@ --- *
  82  *
  83  * Arguments:   @octet K[ED448_PUBSZ]@ = where to put the public key
  84  *              @const void *k@ = private key
  85  *              @size_t ksz@ = length of private key
  86  *
  87  * Returns:     ---
  88  *
  89  * Use:         Derives the public key from a private key.
  90  */
  91
  92 extern void ed448_pubkey(octet /*K*/[ED448_PUBSZ],
  93                          const void */*k*/, size_t /*ksz*/);
  94
  95 /* --- @ed448_sign@ --- *
  96  *
  97  * Arguments:   @octet sig[ED448_SIGSZ]@ = where to put the signature
  98  *              @const void *k@ = private key
  99  *              @size_t ksz@ = length of private key
 100  *              @const octet K[ED448_PUBSZ]@ = public key
 101  *              @int phflag@ = whether the `message' has been hashed already
 102  *              @const void *p@ = personalization string
 103  *              @size_t psz@ = length of personalization string
 104  *              @const void *m@ = message to sign
 105  *              @size_t msz@ = length of message
 106  *
 107  * Returns:     ---
 108  *
 109  * Use:         Signs a message.
 110  */
 111
 112 extern void ed448_sign(octet /*sig*/[ED448_SIGSZ],
 113                        const void */*k*/, size_t /*ksz*/,
 114                        const octet /*K*/[ED448_PUBSZ],
 115                        int /*phflag*/, const void */*p*/, size_t /*psz*/,
 116                        const void */*m*/, size_t /*msz*/);
 117
 118 /* --- @ed448_verify@ --- *
 119  *
 120  * Arguments:   @const octet K[ED448_PUBSZ]@ = public key
 121  *              @const void *m@ = message to sign
 122  *              @int phflag@ = whether the `message' has been hashed already
 123  *              @const void *p@ = personalization string
 124  *              @size_t psz@ = length of personalization string
 125  *              @size_t msz@ = length of message
 126  *              @const octet sig[ED448_SIGSZ]@ = signature
 127  *
 128  * Returns:     Zero if OK, negative on failure.
 129  *
 130  * Use:         Verify a signature.
 131  */
 132
 133 extern int ed448_verify(const octet /*K*/[ED448_PUBSZ],
 134                         int /*phflag*/, const void */*p*/, size_t /*psz*/,
 135                         const void */*m*/, size_t /*msz*/,
 136                         const octet /*sig*/[ED448_SIGSZ]);
 137
 138 /*----- That's all, folks -------------------------------------------------*/
 139
 140 #ifdef __cplusplus
 141   }
 142 #endif
 143
 144 #endif