3 * The Ed25519 signature scheme
5 * (c) 2017 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
32 #include <mLib/macros.h>
40 /*----- Key fetching ------------------------------------------------------*/
42 const key_fetchdef ed25519_pubfetch
[] = {
43 { "pub", offsetof(ed25519_pub
, pub
), KENC_BINARY
, 0 },
47 static const key_fetchdef priv
[] = {
48 { "priv", offsetof(ed25519_priv
, priv
), KENC_BINARY
, 0 },
52 const key_fetchdef ed25519_privfetch
[] = {
53 { "pub", offsetof(ed25519_priv
, pub
), KENC_BINARY
, 0 },
54 { "private", 0, KENC_STRUCT
, priv
},
58 /*----- A number of magic numbers -----------------------------------------*/
62 static const scaf_piece l
[] = {
63 0xf5d3ed, 0x631a5c, 0xd65812, 0xa2f79c, 0xdef9de, 0x000014,
64 0x000000, 0x000000, 0x000000, 0x000000, 0x001000
66 static const scaf_piece mu
[] = {
67 0x1b3994, 0x0a2c13, 0x9ce5a3, 0x29a7ed, 0x5d0863, 0x210621,
68 0xffffeb, 0xffffff, 0xffffff, 0xffffff, 0xffffff, 0x000fff
74 static const scaf_piece l
[] = {
75 0x3ed, 0xf5d, 0xa5c, 0x631, 0x812, 0xd65,
76 0x79c, 0xa2f, 0x9de, 0xdef, 0x014, 0x000,
77 0x000, 0x000, 0x000, 0x000, 0x000, 0x000,
78 0x000, 0x000, 0x000, 0x001
80 static const scaf_piece mu
[] = {
81 0x994, 0x1b3, 0xc13, 0x0a2, 0x5a3, 0x9ce,
82 0x7ed, 0x29a, 0x863, 0x5d0, 0x621, 0x210,
83 0xfeb, 0xfff, 0xfff, 0xfff, 0xfff, 0xfff,
84 0xfff, 0xfff, 0xfff, 0xfff, 0xfff
88 #define NPIECE SCAF_NPIECE(255, PIECEWD)
92 static const f25519_piece bx_pieces
[] = {
93 -14297830, -7645148, 16144683, -16471763, 27570974,
94 -2696100, -26142465, 8378389, 20764389, 8758491
96 -26843541, -6710886, 13421773, -13421773, 26843546,
97 6710886, -13421773, 13421773, -26843546, -6710886
99 -10913610, 13857413, -15372611, 6949391, 114729,
100 -8787816, -6275908, -3247719, -18696448, -12055116
103 #if F25519_IMPL == 10
105 static const f25519_piece bx_pieces
[] = {
106 282, 373, 242, 386, -467, 86, -423, 318, -437,
107 75, 236, -308, 421, 92, 439, -35, 400, 452,
108 82, -40, 160, 441, -51, 437, -365, 134
110 -405, 410, -410, 410, -410, -102, 205, -205, 205,
111 -205, 205, -410, 410, -410, 410, 102, -205, 205,
112 -205, 205, -205, 410, -410, 410, -410, -102
114 182, -418, 310, -216, -178, -133, 367, -315, -380,
115 -351, -182, -255, 2, 152, -390, -136, -52, -383,
116 -412, -398, -12, 448, -469, -196, 55, -184
120 static const f25519_piece bz_pieces
[NPIECE
] = { 1, 0, /* ... */ };
121 #define BX ((const f25519 *)bx_pieces)
122 #define BY ((const f25519 *)by_pieces)
123 #define BZ ((const f25519 *)bz_pieces)
124 #define D ((const f25519 *)d_pieces)
126 /*----- Point encoding and decoding ---------------------------------------*/
128 static void ptencode(octet q
[32],
129 const f25519
*X
, const f25519
*Y
, const f25519
*Z
)
134 f25519_inv(&t
, Z
); f25519_mul(&x
, X
, &t
); f25519_mul(&y
, Y
, &t
);
135 f25519_store(q
, &y
); f25519_store(b
, &x
); q
[31] |= (b
[0]&1u) << 7;
138 static int ptdecode(f25519
*X
, f25519
*Y
, f25519
*Z
, const octet q
[32])
146 /* Load the y-coordinate. */
147 memcpy(b
, q
, 32); b
[31] &= 0x7fu
; f25519_load(Y
, b
);
149 /* Check that the coordinate was in range. If we store it, we'll get a
150 * canonical version which we can compare against Q; be careful not to
154 for (i
= a
= 0; i
< 31; i
++) a
|= b
[i
] ^ q
[i
];
155 a
|= (b
[31] ^ q
[31])&0x7fu
;
156 a
= ((a
- 1) >> 8)&0x01u
; /* 0 |-> 1, non-0 |-> 0 */
159 /* Decompress the x-coordinate. */
160 f25519_sqr(&t
, Y
); f25519_mul(&u
, &t
, D
); t
.P
[0] -= 1; u
.P
[0] += 1;
161 rc
|= f25519_quosqrt(X
, &t
, &u
);
162 f25519_store(b
, X
); m
= -(uint32
)(((q
[31] >> 7) ^ b
[0])&0x1u
);
163 f25519_condneg(X
, X
, m
);
168 /* And we're done. */
172 /*----- Edwards curve arithmetic ------------------------------------------*/
174 static void ptadd(f25519
*X
, f25519
*Y
, f25519
*Z
,
175 const f25519
*X0
, const f25519
*Y0
, const f25519
*Z0
,
176 const f25519
*X1
, const f25519
*Y1
, const f25519
*Z1
)
178 f25519 t0
, t1
, t2
, t3
;
180 /* Bernstein, Birkner, Joye, Lange, and Peters, `Twisted Edwards Curves',
181 * 2008-03-13, https://cr.yp.to/newelliptic/twisted-20080313.pdf shows the
184 * A = Z1 Z2; B = A^2; C = X1 X2; D = Y1 Y2;
185 * E = d C D; F = B - E; G = B + E;
186 * X3 = A F ((X1 + Y1) (X2 + Y2) - C - D);
187 * Y3 = A G (D - a C); Z3 = F G.
189 * Note that a = -1, which things easier.
192 f25519_mul(&t0
, Z0
, Z1
); /* t0 = A = Z0 Z1 */
193 f25519_add(&t1
, X0
, Y0
); /* t1 = X0 + Y0 */
194 f25519_add(&t2
, X1
, Y1
); /* t2 = X1 + Y1 */
195 f25519_mul(&t1
, &t1
, &t2
); /* t1 = (X0 + Y0) (X1 + Y1) */
196 f25519_mul(&t2
, X0
, X1
); /* t2 = C = X0 X1 */
197 f25519_mul(&t3
, Y0
, Y1
); /* t3 = D = Y0 Y1 */
198 f25519_add(Y
, &t2
, &t3
); /* Y = C + D = D - a C */
199 f25519_sub(X
, &t1
, Y
); /* X = (X0 + Y0) (X1 + Y1) - C - D */
200 f25519_mul(X
, X
, &t0
); /* X = A ((X0 + Y0) (X1 + Y1) - C - D) */
201 f25519_mul(Y
, Y
, &t0
); /* Y = A (D - a C) */
202 f25519_sqr(&t0
, &t0
); /* t0 = B = A^2 */
203 f25519_mul(&t1
, &t2
, &t3
); /* t1 = C D */
204 f25519_mul(&t1
, &t1
, D
); /* t1 = E = d C D */
205 f25519_sub(&t2
, &t0
, &t1
); /* t2 = F = B - E */
206 f25519_add(&t1
, &t0
, &t1
); /* t1 = G = B + E */
207 f25519_mul(X
, X
, &t2
); /* X = A F ((X0 + Y0) (X1 + Y1) - C - D) */
208 f25519_mul(Y
, Y
, &t1
); /* Y = A G (D - a C) */
209 f25519_mul(Z
, &t1
, &t2
); /* Z = F G */
212 static void ptdbl(f25519
*X
, f25519
*Y
, f25519
*Z
,
213 const f25519
*X0
, const f25519
*Y0
, const f25519
*Z0
)
217 /* Bernstein, Birkner, Joye, Lange, and Peters, `Twisted Edwards Curves',
218 * 2008-03-13, https://cr.yp.to/newelliptic/twisted-20080313.pdf shows the
221 * B = (X1 + Y1)^2; C = X1^2; D = Y1^2; E = a C;
222 * F = E + D; H = Z1^2; J = F - 2 H;
223 * X3 = (B - C - D) J; Y3 = F (E - D); Z3 = F J.
225 * Note that a = -1, which things easier.
228 f25519_add(&t0
, X0
, Y0
); /* t0 = X0 + Y0 */
229 f25519_sqr(&t0
, &t0
); /* t0 = B = (X0 + Y0)^2 */
230 f25519_sqr(&t1
, X0
); /* t1 = C = X0^2 */
231 f25519_sqr(&t2
, Y0
); /* t2 = D = Y0^2 */
232 f25519_add(Y
, &t1
, &t2
); /* Y = C + D = -(E - D) */
233 f25519_sub(X
, &t0
, Y
); /* X = B - C - D */
235 f25519_sub(&t0
, &t2
, &t1
); /* t0 = F = D - C = E + D */
236 f25519_sqr(&t1
, Z0
); /* t1 = H = Z0^2 */
237 f25519_add(&t1
, &t1
, &t1
); /* t1 = 2 H */
238 f25519_sub(&t1
, &t0
, &t1
); /* t1 = J = F - 2 H */
239 f25519_mul(X
, X
, &t1
); /* X = (B - C - D) J */
240 f25519_mul(Y
, Y
, &t0
); /* Y = -F (E - D) */
241 f25519_neg(Y
, Y
); /* Y = F (E - D) */
242 f25519_mul(Z
, &t0
, &t1
); /* Z = F J */
245 static DEFINE_SCMUL(ptmul
, f25519
, 4, PIECEWD
, NPIECE
, ptadd
, ptdbl
)
246 static DEFINE_SCSIMMUL(ptsimmul
, f25519
, 2, PIECEWD
, NPIECE
, ptadd
, ptdbl
)
248 /*----- Key derivation utilities ------------------------------------------*/
250 static void unpack_key(scaf_piece a
[NPIECE
], octet h1
[32],
251 const octet
*k
, size_t ksz
)
254 octet b
[SHA512_HASHSZ
];
256 sha512_init(&h
); sha512_hash(&h
, k
, ksz
); sha512_done(&h
, b
);
257 b
[0] &= 0xf8u
; b
[31] = (b
[31]&0x3f) | 0x40;
258 scaf_load(a
, b
, 32, NPIECE
, PIECEWD
);
259 if (h1
) memcpy(h1
, b
+ 32, 32);
262 #define PREFIX_BUFSZ 290
263 static size_t prefix(octet b
[PREFIX_BUFSZ
],
264 int phflag
, const octet
*p
, size_t psz
)
266 if (phflag
< 0) return (0);
267 memcpy(b
, "SigEd25519 no Ed25519 collisions", 32);
269 assert(psz
< ED25519_MAXPERSOSZ
); b
[33] = psz
; memcpy(b
+ 34, p
, psz
);
273 /*----- Main code ---------------------------------------------------------*/
275 /* --- @ed25519_pubkey@ --- *
277 * Arguments: @octet K[ED25519_PUBSZ]@ = where to put the public key
278 * @const void *k@ = private key
279 * @size_t ksz@ = length of private key
283 * Use: Derives the public key from a private key.
286 void ed25519_pubkey(octet K
[ED25519_PUBSZ
], const void *k
, size_t ksz
)
288 scaf_piece a
[NPIECE
];
291 unpack_key(a
, 0, k
, ksz
);
292 ptmul(&AX
, &AY
, &AZ
, a
, BX
, BY
, BZ
);
293 ptencode(K
, &AX
, &AY
, &AZ
);
296 /* --- @ed25519_sign@, @ed25519ctx_sign@ --- *
298 * Arguments: @octet sig[ED25519_SIGSZ]@ = where to put the signature
299 * @const void *k@ = private key
300 * @size_t ksz@ = length of private key
301 * @const octet K[ED25519_PUBSZ]@ = public key
302 * @int phflag@ = whether the `message' has been hashed already
303 * @const void *p@ = personalization string
304 * @size_t psz@ = length of personalization string
305 * @const void *m@ = message to sign
306 * @size_t msz@ = length of message
310 * Use: Signs a message.
312 * In @ed25519ctx_sign@, if @phflag@ is @-1@ then you get plain
313 * old Ed25519: the personalization string pointer @p@ will be
314 * ignored. If @phflag > 0@ then the `message' @m@ should be a
315 * SHA512 hash of the actual message.
318 void ed25519ctx_sign(octet sig
[ED25519_SIGSZ
],
319 const void *k
, size_t ksz
, const octet K
[ED25519_PUBSZ
],
320 int phflag
, const void *p
, size_t psz
,
321 const void *m
, size_t msz
)
324 scaf_piece a
[NPIECE
], r
[NPIECE
], t
[NPIECE
], scratch
[3*NPIECE
];
325 scaf_dblpiece tt
[2*NPIECE
];
327 octet h1
[32], pb
[PREFIX_BUFSZ
], rb
[SHA512_HASHSZ
];
330 /* Get my private key. */
331 unpack_key(a
, h1
, k
, ksz
);
333 /* Determine the prefix string. */
334 psz
= prefix(pb
, phflag
, p
, psz
);
336 /* Select the nonce and the vector part. */
338 sha512_hash(&h
, pb
, psz
);
339 sha512_hash(&h
, h1
, 32);
340 sha512_hash(&h
, m
, msz
);
342 scaf_loaddbl(tt
, rb
, 64, 2*NPIECE
, PIECEWD
);
343 scaf_reduce(r
, tt
, l
, mu
, NPIECE
, PIECEWD
, scratch
);
344 ptmul(&RX
, &RY
, &RZ
, r
, BX
, BY
, BZ
);
345 ptencode(sig
, &RX
, &RY
, &RZ
);
347 /* Calculate the scalar part. */
349 sha512_hash(&h
, pb
, psz
);
350 sha512_hash(&h
, sig
, 32);
351 sha512_hash(&h
, K
, 32);
352 sha512_hash(&h
, m
, msz
);
354 scaf_loaddbl(tt
, rb
, 64, 2*NPIECE
, PIECEWD
);
355 scaf_reduce(t
, tt
, l
, mu
, NPIECE
, PIECEWD
, scratch
);
356 scaf_mul(tt
, t
, a
, NPIECE
);
357 for (i
= 0; i
< NPIECE
; i
++) tt
[i
] += r
[i
];
358 scaf_reduce(t
, tt
, l
, mu
, NPIECE
, PIECEWD
, scratch
);
359 scaf_store(sig
+ 32, 32, t
, NPIECE
, PIECEWD
);
362 void ed25519_sign(octet sig
[ED25519_SIGSZ
],
363 const void *k
, size_t ksz
, const octet K
[ED25519_PUBSZ
],
364 const void *m
, size_t msz
)
365 { ed25519ctx_sign(sig
, k
, ksz
, K
, -1, 0, 0, m
, msz
); }
367 /* --- @ed25519_verify@, @ed25519ctx_verify@ --- *
369 * Arguments: @const octet K[ED25519_PUBSZ]@ = public key
370 * @int phflag@ = whether the `message' has been hashed already
371 * @const void *p@ = personalization string
372 * @size_t psz@ = length of personalization string
373 * @const void *m@ = message to sign
374 * @size_t msz@ = length of message
375 * @const octet sig[ED25519_SIGSZ]@ = signature
377 * Returns: Zero if OK, negative on failure.
379 * Use: Verify a signature.
381 * In @ed25519ctx_verify@, if @phflag@ is @-1@ then you get
382 * plain old Ed25519: the personalization string pointer @p@
383 * will be ignored. If @phflag > 0@ then the `message' @m@
384 * should be a SHA512 hash of the actual message.
387 int ed25519ctx_verify(const octet K
[ED25519_PUBSZ
],
388 int phflag
, const void *p
, size_t psz
,
389 const void *m
, size_t msz
,
390 const octet sig
[ED25519_SIGSZ
])
393 scaf_piece s
[NPIECE
], t
[NPIECE
], scratch
[3*NPIECE
];
394 scaf_dblpiece tt
[2*NPIECE
];
395 f25519 AX
, AY
, AZ
, RX
, RY
, RZ
;
396 octet b
[PREFIX_BUFSZ
];
398 /* Unpack the public key. Negate it: we're meant to subtract the term
399 * involving the public key point, and this is easier than negating the
402 if (ptdecode(&AX
, &AY
, &AZ
, K
)) return (-1);
403 f25519_neg(&AX
, &AX
);
405 /* Load the scalar and check that it's in range. The easy way is to store
406 * it again and see if the two match.
408 scaf_loaddbl(tt
, sig
+ 32, 32, 2*NPIECE
, PIECEWD
);
409 scaf_reduce(s
, tt
, l
, mu
, NPIECE
, PIECEWD
, scratch
);
410 scaf_store(b
, 32, s
, NPIECE
, PIECEWD
);
411 if (MEMCMP(b
, !=, sig
+ 32, 32)) return (-1);
413 /* Check the signature. */
414 psz
= prefix(b
, phflag
, p
, psz
);
416 sha512_hash(&h
, b
, psz
);
417 sha512_hash(&h
, sig
, 32);
418 sha512_hash(&h
, K
, 32);
419 sha512_hash(&h
, m
, msz
);
421 scaf_loaddbl(tt
, b
, 64, 2*NPIECE
, PIECEWD
);
422 scaf_reduce(t
, tt
, l
, mu
, NPIECE
, PIECEWD
, scratch
);
423 ptsimmul(&RX
, &RY
, &RZ
, s
, BX
, BY
, BZ
, t
, &AX
, &AY
, &AZ
);
424 ptencode(b
, &RX
, &RY
, &RZ
);
425 if (MEMCMP(b
, !=, sig
, 32)) return (-1);
431 int ed25519_verify(const octet K
[ED25519_PUBSZ
],
432 const void *m
, size_t msz
,
433 const octet sig
[ED25519_SIGSZ
])
434 { return (ed25519ctx_verify(K
, -1, 0, 0, m
, msz
, sig
)); }
436 /*----- Test rig ----------------------------------------------------------*/
443 #include <mLib/report.h>
444 #include <mLib/testrig.h>
448 static int vrf_pubkey(dstr dv
[])
450 dstr dpub
= DSTR_INIT
;
453 if (dv
[1].len
!= ED25519_PUBSZ
) die(1, "bad pub length");
455 ct_poison(dv
[0].buf
, dv
[0].len
);
456 dstr_ensure(&dpub
, ED25519_PUBSZ
); dpub
.len
= ED25519_PUBSZ
;
457 ed25519_pubkey((octet
*)dpub
.buf
, dv
[0].buf
, dv
[0].len
);
458 ct_remedy(dpub
.buf
, dpub
.len
);
459 if (MEMCMP(dpub
.buf
, !=, dv
[1].buf
, ED25519_PUBSZ
)) {
461 fprintf(stderr
, "failed!");
462 fprintf(stderr
, "\n\tpriv = "); type_hex
.dump(&dv
[0], stderr
);
463 fprintf(stderr
, "\n\tcalc = "); type_hex
.dump(&dpub
, stderr
);
464 fprintf(stderr
, "\n\twant = "); type_hex
.dump(&dv
[1], stderr
);
465 fprintf(stderr
, "\n");
472 static int vrf_sign(dstr
*priv
, int phflag
, dstr
*perso
,
473 dstr
*msg
, dstr
*want
)
476 octet K
[ED25519_PUBSZ
];
477 dstr d
= DSTR_INIT
, dsig
= DSTR_INIT
, *m
;
480 if (want
->len
!= ED25519_SIGSZ
) die(1, "bad result length");
482 ct_poison(priv
->buf
, priv
->len
);
483 dstr_ensure(&dsig
, ED25519_SIGSZ
); dsig
.len
= ED25519_SIGSZ
;
487 dstr_ensure(&d
, SHA512_HASHSZ
); d
.len
= SHA512_HASHSZ
;
489 sha512_hash(&h
, msg
->buf
, msg
->len
);
490 sha512_done(&h
, d
.buf
);
493 ed25519_pubkey(K
, priv
->buf
, priv
->len
);
494 ed25519ctx_sign((octet
*)dsig
.buf
, priv
->buf
, priv
->len
, K
,
495 phflag
, perso ? perso
->buf
: 0, perso ? perso
->len
: 0,
497 ct_remedy(dsig
.buf
, dsig
.len
);
498 if (MEMCMP(dsig
.buf
, !=, want
->buf
, ED25519_SIGSZ
)) {
500 fprintf(stderr
, "failed!");
501 fprintf(stderr
, "\n\tpriv = "); type_hex
.dump(priv
, stderr
);
503 fprintf(stderr
, "\n\t ph = %d", phflag
);
504 fprintf(stderr
, "\n\tpers = "); type_hex
.dump(perso
, stderr
);
506 fprintf(stderr
, "\n\t msg = "); type_hex
.dump(msg
, stderr
);
508 { fprintf(stderr
, "\n\thash = "); type_hex
.dump(m
, stderr
); }
509 fprintf(stderr
, "\n\tcalc = "); type_hex
.dump(&dsig
, stderr
);
510 fprintf(stderr
, "\n\twant = "); type_hex
.dump(want
, stderr
);
511 fprintf(stderr
, "\n");
518 static int vrf_sign_trad(dstr
*dv
)
519 { return (vrf_sign(&dv
[0], -1, 0, &dv
[1], &dv
[2])); }
521 static int vrf_sign_ctx(dstr
*dv
)
522 { return (vrf_sign(&dv
[0], *(int *)dv
[1].buf
, &dv
[2], &dv
[3], &dv
[4])); }
524 static int vrf_verify(dstr
*pub
, int phflag
, dstr
*perso
,
525 dstr
*msg
, dstr
*sig
, int rc_want
)
529 dstr d
= DSTR_INIT
, *m
;
532 if (pub
->len
!= ED25519_PUBSZ
) die(1, "bad pub length");
533 if (sig
->len
!= ED25519_SIGSZ
) die(1, "bad sig length");
538 dstr_ensure(&d
, SHA512_HASHSZ
); d
.len
= SHA512_HASHSZ
;
540 sha512_hash(&h
, msg
->buf
, msg
->len
);
541 sha512_done(&h
, d
.buf
);
544 rc_calc
= ed25519ctx_verify((const octet
*)pub
->buf
,
545 phflag
, perso ? perso
->buf
: 0,
546 perso ? perso
->len
: 0,
548 (const octet
*)sig
->buf
);
549 if (!rc_want
!= !rc_calc
) {
551 fprintf(stderr
, "failed!");
552 fprintf(stderr
, "\n\t pub = "); type_hex
.dump(pub
, stderr
);
554 fprintf(stderr
, "\n\t ph = %d", phflag
);
555 fprintf(stderr
, "\n\tpers = "); type_hex
.dump(perso
, stderr
);
557 fprintf(stderr
, "\n\t msg = "); type_hex
.dump(msg
, stderr
);
559 { fprintf(stderr
, "\n\thash = "); type_hex
.dump(m
, stderr
); }
560 fprintf(stderr
, "\n\t sig = "); type_hex
.dump(sig
, stderr
);
561 fprintf(stderr
, "\n\tcalc = %d", rc_calc
);
562 fprintf(stderr
, "\n\twant = %d", rc_want
);
563 fprintf(stderr
, "\n");
569 static int vrf_verify_trad(dstr
*dv
)
570 { return (vrf_verify(&dv
[0], -1, 0, &dv
[1], &dv
[2], *(int *)dv
[3].buf
)); }
572 static int vrf_verify_ctx(dstr
*dv
)
574 return (vrf_verify(&dv
[0], *(int *)dv
[1].buf
, &dv
[2],
575 &dv
[3], &dv
[4], *(int *)dv
[5].buf
));
578 static test_chunk tests
[] = {
579 { "pubkey", vrf_pubkey
,
580 { &type_hex
, &type_hex
} },
581 { "sign", vrf_sign_trad
,
582 { &type_hex
, &type_hex
, &type_hex
} },
583 { "verify", vrf_verify_trad
,
584 { &type_hex
, &type_hex
, &type_hex
, &type_int
} },
585 { "sign-ctx", vrf_sign_ctx
,
586 { &type_hex
, &type_int
, &type_hex
, &type_hex
, &type_hex
} },
587 { "verify-ctx", vrf_verify_ctx
,
588 { &type_hex
, &type_int
, &type_hex
, &type_hex
, &type_hex
, &type_int
} },
592 int main(int argc
, char *argv
[])
594 test_run(argc
, argv
, tests
, SRCDIR
"/t/ed25519");
600 /*----- That's all, folks -------------------------------------------------*/