3 * The Ed25519 signature scheme
5 * (c) 2017 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
38 /*----- Key fetching ------------------------------------------------------*/
40 const key_fetchdef ed25519_pubfetch
[] = {
41 { "pub", offsetof(ed25519_pub
, pub
), KENC_BINARY
, 0 },
45 static const key_fetchdef priv
[] = {
46 { "priv", offsetof(ed25519_priv
, priv
), KENC_BINARY
, 0 },
50 const key_fetchdef ed25519_privfetch
[] = {
51 { "pub", offsetof(ed25519_priv
, pub
), KENC_BINARY
, 0 },
52 { "private", 0, KENC_STRUCT
, priv
},
56 /*----- A number of magic numbers -----------------------------------------*/
60 static const scaf_piece l
[] = {
61 0xf5d3ed, 0x631a5c, 0xd65812, 0xa2f79c, 0xdef9de, 0x000014,
62 0x000000, 0x000000, 0x000000, 0x000000, 0x001000
64 static const scaf_piece mu
[] = {
65 0x1b3994, 0x0a2c13, 0x9ce5a3, 0x29a7ed, 0x5d0863, 0x210621,
66 0xffffeb, 0xffffff, 0xffffff, 0xffffff, 0xffffff, 0x000fff
72 static const scaf_piece l
[] = {
73 0x3ed, 0xf5d, 0xa5c, 0x631, 0x812, 0xd65,
74 0x79c, 0xa2f, 0x9de, 0xdef, 0x014, 0x000,
75 0x000, 0x000, 0x000, 0x000, 0x000, 0x000,
76 0x000, 0x000, 0x000, 0x001
78 static const scaf_piece mu
[] = {
79 0x994, 0x1b3, 0xc13, 0x0a2, 0x5a3, 0x9ce,
80 0x7ed, 0x29a, 0x863, 0x5d0, 0x621, 0x210,
81 0xfeb, 0xfff, 0xfff, 0xfff, 0xfff, 0xfff,
82 0xfff, 0xfff, 0xfff, 0xfff, 0xfff
86 #define NPIECE SCAF_NPIECE(255, PIECEWD)
90 static const f25519_piece bx_pieces
[] = {
91 -14297830, -7645148, 16144683, -16471763, 27570974,
92 -2696100, -26142465, 8378389, 20764389, 8758491
94 -26843541, -6710886, 13421773, -13421773, 26843546,
95 6710886, -13421773, 13421773, -26843546, -6710886
97 -10913610, 13857413, -15372611, 6949391, 114729,
98 -8787816, -6275908, -3247719, -18696448, -12055116
101 #if F25519_IMPL == 10
103 static const f25519_piece bx_pieces
[] = {
104 282, 373, 242, 386, -467, 86, -423, 318, -437,
105 75, 236, -308, 421, 92, 439, -35, 400, 452,
106 82, -40, 160, 441, -51, 437, -365, 134
108 -405, 410, -410, 410, -410, -102, 205, -205, 205,
109 -205, 205, -410, 410, -410, 410, 102, -205, 205,
110 -205, 205, -205, 410, -410, 410, -410, -102
112 182, -418, 310, -216, -178, -133, 367, -315, -380,
113 -351, -182, -255, 2, 152, -390, -136, -52, -383,
114 -412, -398, -12, 448, -469, -196, 55, -184
118 static const f25519_piece bz_pieces
[NPIECE
] = { 1, 0, /* ... */ };
119 #define BX ((const f25519 *)bx_pieces)
120 #define BY ((const f25519 *)by_pieces)
121 #define BZ ((const f25519 *)bz_pieces)
122 #define D ((const f25519 *)d_pieces)
124 /*----- Point encoding and decoding ---------------------------------------*/
126 static void ptencode(octet q
[32],
127 const f25519
*X
, const f25519
*Y
, const f25519
*Z
)
132 f25519_inv(&t
, Z
); f25519_mul(&x
, X
, &t
); f25519_mul(&y
, Y
, &t
);
133 f25519_store(q
, &y
); f25519_store(b
, &x
); q
[31] |= (b
[0]&1u) << 7;
136 static int ptdecode(f25519
*X
, f25519
*Y
, f25519
*Z
, const octet q
[32])
144 /* Load the y-coordinate. */
145 memcpy(b
, q
, 32); b
[31] &= 0x7fu
; f25519_load(Y
, b
);
147 /* Check that the coordinate was in range. If we store it, we'll get a
148 * canonical version which we can compare against Q; be careful not to
152 for (i
= a
= 0; i
< 31; i
++) a
|= b
[i
] ^ q
[i
];
153 a
|= (b
[31] ^ q
[31])&0x7fu
;
154 a
= ((a
- 1) >> 8)&0x01u
; /* 0 |-> 1, non-0 |-> 0 */
157 /* Decompress the x-coordinate. */
158 f25519_sqr(&t
, Y
); f25519_mul(&u
, &t
, D
); t
.P
[0] -= 1; u
.P
[0] += 1;
159 rc
|= f25519_quosqrt(X
, &t
, &u
);
160 f25519_store(b
, X
); m
= -(uint32
)(((q
[31] >> 7) ^ b
[0])&0x1u
);
161 f25519_condneg(X
, X
, m
);
166 /* And we're done. */
170 /*----- Edwards curve arithmetic ------------------------------------------*/
172 static void ptadd(f25519
*X
, f25519
*Y
, f25519
*Z
,
173 const f25519
*X0
, const f25519
*Y0
, const f25519
*Z0
,
174 const f25519
*X1
, const f25519
*Y1
, const f25519
*Z1
)
176 f25519 t0
, t1
, t2
, t3
;
178 /* Bernstein, Birkner, Joye, Lange, and Peters, `Twisted Edwards Curves',
179 * 2008-03-13, https://cr.yp.to/newelliptic/twisted-20080313.pdf shows the
182 * A = Z1 Z2; B = A^2; C = X1 X2; D = Y1 Y2;
183 * E = d C D; F = B - E; G = B + E;
184 * X3 = A F ((X1 + Y1) (X2 + Y2) - C - D);
185 * Y3 = A G (D - a C); Z3 = F G.
187 * Note that a = -1, which things easier.
190 f25519_mul(&t0
, Z0
, Z1
); /* t0 = A = Z0 Z1 */
191 f25519_add(&t1
, X0
, Y0
); /* t1 = X0 + Y0 */
192 f25519_add(&t2
, X1
, Y1
); /* t2 = X1 + Y1 */
193 f25519_mul(&t1
, &t1
, &t2
); /* t1 = (X0 + Y0) (X1 + Y1) */
194 f25519_mul(&t2
, X0
, X1
); /* t2 = C = X0 X1 */
195 f25519_mul(&t3
, Y0
, Y1
); /* t3 = D = Y0 Y1 */
196 f25519_add(Y
, &t2
, &t3
); /* Y = C + D = D - a C */
197 f25519_sub(X
, &t1
, Y
); /* X = (X0 + Y0) (X1 + Y1) - C - D */
198 f25519_mul(X
, X
, &t0
); /* X = A ((X0 + Y0) (X1 + Y1) - C - D) */
199 f25519_mul(Y
, Y
, &t0
); /* Y = A (D - a C) */
200 f25519_sqr(&t0
, &t0
); /* t0 = B = A^2 */
201 f25519_mul(&t1
, &t2
, &t3
); /* t1 = C D */
202 f25519_mul(&t1
, &t1
, D
); /* t1 = E = d C D */
203 f25519_sub(&t2
, &t0
, &t1
); /* t2 = F = B - E */
204 f25519_add(&t1
, &t0
, &t1
); /* t1 = G = B + E */
205 f25519_mul(X
, X
, &t2
); /* X = A F ((X0 + Y0) (X1 + Y1) - C - D) */
206 f25519_mul(Y
, Y
, &t1
); /* Y = A G (D - a C) */
207 f25519_mul(Z
, &t1
, &t2
); /* Z = F G */
210 static void ptdbl(f25519
*X
, f25519
*Y
, f25519
*Z
,
211 const f25519
*X0
, const f25519
*Y0
, const f25519
*Z0
)
215 /* Bernstein, Birkner, Joye, Lange, and Peters, `Twisted Edwards Curves',
216 * 2008-03-13, https://cr.yp.to/newelliptic/twisted-20080313.pdf shows the
219 * B = (X1 + Y1)^2; C = X1^2; D = Y1^2; E = a C;
220 * F = E + D; H = Z1^2; J = F - 2 H;
221 * X3 = (B - C - D) J; Y3 = F (E - D); Z3 = F J.
223 * Note that a = -1, which things easier.
226 f25519_add(&t0
, X0
, Y0
); /* t0 = X0 + Y0 */
227 f25519_sqr(&t0
, &t0
); /* t0 = B = (X0 + Y0)^2 */
228 f25519_sqr(&t1
, X0
); /* t1 = C = X0^2 */
229 f25519_sqr(&t2
, Y0
); /* t2 = D = Y0^2 */
230 f25519_add(Y
, &t1
, &t2
); /* Y = C + D = -(E - D) */
231 f25519_sub(X
, &t0
, Y
); /* X = B - C - D */
233 f25519_sub(&t0
, &t2
, &t1
); /* t0 = F = D - C = E + D */
234 f25519_sqr(&t1
, Z0
); /* t1 = H = Z0^2 */
235 f25519_add(&t1
, &t1
, &t1
); /* t1 = 2 H */
236 f25519_sub(&t1
, &t0
, &t1
); /* t1 = J = F - 2 H */
237 f25519_mul(X
, X
, &t1
); /* X = (B - C - D) J */
238 f25519_mul(Y
, Y
, &t0
); /* Y = -F (E - D) */
239 f25519_neg(Y
, Y
); /* Y = F (E - D) */
240 f25519_mul(Z
, &t0
, &t1
); /* Z = F J */
243 static DEFINE_SCMUL(ptmul
, f25519
, 4, PIECEWD
, NPIECE
, ptadd
, ptdbl
)
244 static DEFINE_SCSIMMUL(ptsimmul
, f25519
, 2, PIECEWD
, NPIECE
, ptadd
, ptdbl
)
246 /*----- Key derivation utilities ------------------------------------------*/
248 static void unpack_key(scaf_piece a
[NPIECE
], octet h1
[32],
249 const octet
*k
, size_t ksz
)
252 octet b
[SHA512_HASHSZ
];
254 sha512_init(&h
); sha512_hash(&h
, k
, ksz
); sha512_done(&h
, b
);
255 b
[0] &= 0xf8u
; b
[31] = (b
[31]&0x3f) | 0x40;
256 scaf_load(a
, b
, 32, NPIECE
, PIECEWD
);
257 if (h1
) memcpy(h1
, b
+ 32, 32);
260 #define PREFIX_BUFSZ 290
261 static size_t prefix(octet b
[PREFIX_BUFSZ
],
262 int phflag
, const octet
*p
, size_t psz
)
264 if (phflag
< 0) return (0);
265 memcpy(b
, "SigEd25519 no Ed25519 collisions", 32);
267 assert(psz
< ED25519_MAXPERSOSZ
); b
[33] = psz
; memcpy(b
+ 34, p
, psz
);
271 /*----- Main code ---------------------------------------------------------*/
273 /* --- @ed25519_pubkey@ --- *
275 * Arguments: @octet K[ED25519_PUBSZ]@ = where to put the public key
276 * @const void *k@ = private key
277 * @size_t ksz@ = length of private key
281 * Use: Derives the public key from a private key.
284 void ed25519_pubkey(octet K
[ED25519_PUBSZ
], const void *k
, size_t ksz
)
286 scaf_piece a
[NPIECE
];
289 unpack_key(a
, 0, k
, ksz
);
290 ptmul(&AX
, &AY
, &AZ
, a
, BX
, BY
, BZ
);
291 ptencode(K
, &AX
, &AY
, &AZ
);
294 /* --- @ed25519_sign@, @ed25519ctx_sign@ --- *
296 * Arguments: @octet sig[ED25519_SIGSZ]@ = where to put the signature
297 * @const void *k@ = private key
298 * @size_t ksz@ = length of private key
299 * @const octet K[ED25519_PUBSZ]@ = public key
300 * @int phflag@ = whether the `message' has been hashed already
301 * @const void *p@ = personalization string
302 * @size_t psz@ = length of personalization string
303 * @const void *m@ = message to sign
304 * @size_t msz@ = length of message
308 * Use: Signs a message.
310 * In @ed25519ctx_sign@, if @phflag@ is @-1@ then you get plain
311 * old Ed25519: the personalization string pointer @p@ will be
312 * ignored. If @phflag > 0@ then the `message' @m@ should be a
313 * SHA512 hash of the actual message.
316 void ed25519ctx_sign(octet sig
[ED25519_SIGSZ
],
317 const void *k
, size_t ksz
, const octet K
[ED25519_PUBSZ
],
318 int phflag
, const void *p
, size_t psz
,
319 const void *m
, size_t msz
)
322 scaf_piece a
[NPIECE
], r
[NPIECE
], t
[NPIECE
], scratch
[3*NPIECE
];
323 scaf_dblpiece tt
[2*NPIECE
];
325 octet h1
[32], pb
[PREFIX_BUFSZ
], rb
[SHA512_HASHSZ
];
328 /* Get my private key. */
329 unpack_key(a
, h1
, k
, ksz
);
331 /* Determine the prefix string. */
332 psz
= prefix(pb
, phflag
, p
, psz
);
334 /* Select the nonce and the vector part. */
336 sha512_hash(&h
, pb
, psz
);
337 sha512_hash(&h
, h1
, 32);
338 sha512_hash(&h
, m
, msz
);
340 scaf_loaddbl(tt
, rb
, 64, 2*NPIECE
, PIECEWD
);
341 scaf_reduce(r
, tt
, l
, mu
, NPIECE
, PIECEWD
, scratch
);
342 ptmul(&RX
, &RY
, &RZ
, r
, BX
, BY
, BZ
);
343 ptencode(sig
, &RX
, &RY
, &RZ
);
345 /* Calculate the scalar part. */
347 sha512_hash(&h
, pb
, psz
);
348 sha512_hash(&h
, sig
, 32);
349 sha512_hash(&h
, K
, 32);
350 sha512_hash(&h
, m
, msz
);
352 scaf_loaddbl(tt
, rb
, 64, 2*NPIECE
, PIECEWD
);
353 scaf_reduce(t
, tt
, l
, mu
, NPIECE
, PIECEWD
, scratch
);
354 scaf_mul(tt
, t
, a
, NPIECE
);
355 for (i
= 0; i
< NPIECE
; i
++) tt
[i
] += r
[i
];
356 scaf_reduce(t
, tt
, l
, mu
, NPIECE
, PIECEWD
, scratch
);
357 scaf_store(sig
+ 32, 32, t
, NPIECE
, PIECEWD
);
360 void ed25519_sign(octet sig
[ED25519_SIGSZ
],
361 const void *k
, size_t ksz
, const octet K
[ED25519_PUBSZ
],
362 const void *m
, size_t msz
)
363 { ed25519ctx_sign(sig
, k
, ksz
, K
, -1, 0, 0, m
, msz
); }
365 /* --- @ed25519_verify@, @ed25519ctx_verify@ --- *
367 * Arguments: @const octet K[ED25519_PUBSZ]@ = public key
368 * @int phflag@ = whether the `message' has been hashed already
369 * @const void *p@ = personalization string
370 * @size_t psz@ = length of personalization string
371 * @const void *m@ = message to sign
372 * @size_t msz@ = length of message
373 * @const octet sig[ED25519_SIGSZ]@ = signature
375 * Returns: Zero if OK, negative on failure.
377 * Use: Verify a signature.
379 * In @ed25519ctx_verify@, if @phflag@ is @-1@ then you get
380 * plain old Ed25519: the personalization string pointer @p@
381 * will be ignored. If @phflag > 0@ then the `message' @m@
382 * should be a SHA512 hash of the actual message.
385 int ed25519ctx_verify(const octet K
[ED25519_PUBSZ
],
386 int phflag
, const void *p
, size_t psz
,
387 const void *m
, size_t msz
,
388 const octet sig
[ED25519_SIGSZ
])
391 scaf_piece s
[NPIECE
], t
[NPIECE
], scratch
[3*NPIECE
];
392 scaf_dblpiece tt
[2*NPIECE
];
393 f25519 AX
, AY
, AZ
, RX
, RY
, RZ
;
394 octet b
[PREFIX_BUFSZ
];
396 /* Unpack the public key. Negate it: we're meant to subtract the term
397 * involving the public key point, and this is easier than negating the
400 if (ptdecode(&AX
, &AY
, &AZ
, K
)) return (-1);
401 f25519_neg(&AX
, &AX
);
403 /* Load the scalar and check that it's in range. The easy way is to store
404 * it again and see if the two match.
406 scaf_loaddbl(tt
, sig
+ 32, 32, 2*NPIECE
, PIECEWD
);
407 scaf_reduce(s
, tt
, l
, mu
, NPIECE
, PIECEWD
, scratch
);
408 scaf_store(b
, 32, s
, NPIECE
, PIECEWD
);
409 if (memcmp(b
, sig
+ 32, 32) != 0) return (-1);
411 /* Check the signature. */
412 psz
= prefix(b
, phflag
, p
, psz
);
414 sha512_hash(&h
, b
, psz
);
415 sha512_hash(&h
, sig
, 32);
416 sha512_hash(&h
, K
, 32);
417 sha512_hash(&h
, m
, msz
);
419 scaf_loaddbl(tt
, b
, 64, 2*NPIECE
, PIECEWD
);
420 scaf_reduce(t
, tt
, l
, mu
, NPIECE
, PIECEWD
, scratch
);
421 ptsimmul(&RX
, &RY
, &RZ
, s
, BX
, BY
, BZ
, t
, &AX
, &AY
, &AZ
);
422 ptencode(b
, &RX
, &RY
, &RZ
);
423 if (memcmp(b
, sig
, 32) != 0) return (-1);
429 int ed25519_verify(const octet K
[ED25519_PUBSZ
],
430 const void *m
, size_t msz
,
431 const octet sig
[ED25519_SIGSZ
])
432 { return (ed25519ctx_verify(K
, -1, 0, 0, m
, msz
, sig
)); }
434 /*----- Test rig ----------------------------------------------------------*/
441 #include <mLib/report.h>
442 #include <mLib/testrig.h>
446 static int vrf_pubkey(dstr dv
[])
448 dstr dpub
= DSTR_INIT
;
451 if (dv
[1].len
!= ED25519_PUBSZ
) die(1, "bad pub length");
453 ct_poison(dv
[0].buf
, dv
[0].len
);
454 dstr_ensure(&dpub
, ED25519_PUBSZ
); dpub
.len
= ED25519_PUBSZ
;
455 ed25519_pubkey((octet
*)dpub
.buf
, dv
[0].buf
, dv
[0].len
);
456 ct_remedy(dpub
.buf
, dpub
.len
);
457 if (memcmp(dpub
.buf
, dv
[1].buf
, ED25519_PUBSZ
) != 0) {
459 fprintf(stderr
, "failed!");
460 fprintf(stderr
, "\n\tpriv = "); type_hex
.dump(&dv
[0], stderr
);
461 fprintf(stderr
, "\n\tcalc = "); type_hex
.dump(&dpub
, stderr
);
462 fprintf(stderr
, "\n\twant = "); type_hex
.dump(&dv
[1], stderr
);
463 fprintf(stderr
, "\n");
470 static int vrf_sign(dstr
*priv
, int phflag
, dstr
*perso
,
471 dstr
*msg
, dstr
*want
)
474 octet K
[ED25519_PUBSZ
];
475 dstr d
= DSTR_INIT
, dsig
= DSTR_INIT
, *m
;
478 if (want
->len
!= ED25519_SIGSZ
) die(1, "bad result length");
480 ct_poison(priv
->buf
, priv
->len
);
481 dstr_ensure(&dsig
, ED25519_SIGSZ
); dsig
.len
= ED25519_SIGSZ
;
485 dstr_ensure(&d
, SHA512_HASHSZ
); d
.len
= SHA512_HASHSZ
;
487 sha512_hash(&h
, msg
->buf
, msg
->len
);
488 sha512_done(&h
, d
.buf
);
491 ed25519_pubkey(K
, priv
->buf
, priv
->len
);
492 ed25519ctx_sign((octet
*)dsig
.buf
, priv
->buf
, priv
->len
, K
,
493 phflag
, perso ? perso
->buf
: 0, perso ? perso
->len
: 0,
495 ct_remedy(dsig
.buf
, dsig
.len
);
496 if (memcmp(dsig
.buf
, want
->buf
, ED25519_SIGSZ
) != 0) {
498 fprintf(stderr
, "failed!");
499 fprintf(stderr
, "\n\tpriv = "); type_hex
.dump(priv
, stderr
);
501 fprintf(stderr
, "\n\t ph = %d", phflag
);
502 fprintf(stderr
, "\n\tpers = "); type_hex
.dump(perso
, stderr
);
504 fprintf(stderr
, "\n\t msg = "); type_hex
.dump(msg
, stderr
);
506 { fprintf(stderr
, "\n\thash = "); type_hex
.dump(m
, stderr
); }
507 fprintf(stderr
, "\n\tcalc = "); type_hex
.dump(&dsig
, stderr
);
508 fprintf(stderr
, "\n\twant = "); type_hex
.dump(want
, stderr
);
509 fprintf(stderr
, "\n");
516 static int vrf_sign_trad(dstr
*dv
)
517 { return (vrf_sign(&dv
[0], -1, 0, &dv
[1], &dv
[2])); }
519 static int vrf_sign_ctx(dstr
*dv
)
520 { return (vrf_sign(&dv
[0], *(int *)dv
[1].buf
, &dv
[2], &dv
[3], &dv
[4])); }
522 static int vrf_verify(dstr
*pub
, int phflag
, dstr
*perso
,
523 dstr
*msg
, dstr
*sig
, int rc_want
)
527 dstr d
= DSTR_INIT
, *m
;
530 if (pub
->len
!= ED25519_PUBSZ
) die(1, "bad pub length");
531 if (sig
->len
!= ED25519_SIGSZ
) die(1, "bad sig length");
536 dstr_ensure(&d
, SHA512_HASHSZ
); d
.len
= SHA512_HASHSZ
;
538 sha512_hash(&h
, msg
->buf
, msg
->len
);
539 sha512_done(&h
, d
.buf
);
542 rc_calc
= ed25519ctx_verify((const octet
*)pub
->buf
,
543 phflag
, perso ? perso
->buf
: 0,
544 perso ? perso
->len
: 0,
546 (const octet
*)sig
->buf
);
547 if (!rc_want
!= !rc_calc
) {
549 fprintf(stderr
, "failed!");
550 fprintf(stderr
, "\n\t pub = "); type_hex
.dump(pub
, stderr
);
552 fprintf(stderr
, "\n\t ph = %d", phflag
);
553 fprintf(stderr
, "\n\tpers = "); type_hex
.dump(perso
, stderr
);
555 fprintf(stderr
, "\n\t msg = "); type_hex
.dump(msg
, stderr
);
557 { fprintf(stderr
, "\n\thash = "); type_hex
.dump(m
, stderr
); }
558 fprintf(stderr
, "\n\t sig = "); type_hex
.dump(sig
, stderr
);
559 fprintf(stderr
, "\n\tcalc = %d", rc_calc
);
560 fprintf(stderr
, "\n\twant = %d", rc_want
);
561 fprintf(stderr
, "\n");
567 static int vrf_verify_trad(dstr
*dv
)
568 { return (vrf_verify(&dv
[0], -1, 0, &dv
[1], &dv
[2], *(int *)dv
[3].buf
)); }
570 static int vrf_verify_ctx(dstr
*dv
)
572 return (vrf_verify(&dv
[0], *(int *)dv
[1].buf
, &dv
[2],
573 &dv
[3], &dv
[4], *(int *)dv
[5].buf
));
576 static test_chunk tests
[] = {
577 { "pubkey", vrf_pubkey
,
578 { &type_hex
, &type_hex
} },
579 { "sign", vrf_sign_trad
,
580 { &type_hex
, &type_hex
, &type_hex
} },
581 { "verify", vrf_verify_trad
,
582 { &type_hex
, &type_hex
, &type_hex
, &type_int
} },
583 { "sign-ctx", vrf_sign_ctx
,
584 { &type_hex
, &type_int
, &type_hex
, &type_hex
, &type_hex
} },
585 { "verify-ctx", vrf_verify_ctx
,
586 { &type_hex
, &type_int
, &type_hex
, &type_hex
, &type_hex
, &type_int
} },
590 int main(int argc
, char *argv
[])
592 test_run(argc
, argv
, tests
, SRCDIR
"/t/ed25519");
598 /*----- That's all, folks -------------------------------------------------*/