X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/blobdiff_plain/1bc00e2a032fa3899ed734f6cfeab88e9000041d..c578d5d85b11f004c151948684ca5753a5ac5962:/pub/ed448.h diff --git a/pub/ed448.h b/pub/ed448.h new file mode 100644 index 00000000..86a82155 --- /dev/null +++ b/pub/ed448.h @@ -0,0 +1,144 @@ +/* -*-c-*- + * + * The Ed448 signature scheme + * + * (c) 2017 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Catacomb. + * + * Catacomb is free software; you can redistribute it and/or modify + * it under the terms of the GNU Library General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * Catacomb is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public + * License along with Catacomb; if not, write to the Free + * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, + * MA 02111-1307, USA. + */ + +/*----- Notes on the Ed448 signature scheme -------------------------------* + * + * This is Ed448, as described in RFC8032, using the EdDSA signature scheme + * defined by Daniel J. Bernstein, Neils Duif, Simon Josefsson, Tanja Lange, + * Peter Schwabe, and Bo-Yin Yang, `High-speed high-security signatures', + * CHES 2011, https://ed25519.cr.yp.to/ed25519-20110926.pdf and `EdDSA for + * more curves', http://ed25519.cr.yp.to/eddsa-20150704.pdf. + * + * This is not the signature scheme described in Hamburg's paper + * `Ed448-Goldilocks, a new elliptic curve', EUROCRYPT 2016, + * https://eprint.iacr.org/2015/625/, which (a) made use of his `Decaf' + * cofactor elimination technique, and (b) was based on Schnorr rather than + * EdDSA. + * + * This code implements the `Ed448' and `Ed448ph' schemes described in + * RFC8032, though in the latter case it assumes that you've already done the + * hashing and have provided the hash as the `message' input. + */ + +#ifndef CATACOMB_ED448_H +#define CATACOMB_ED448_H + +#ifdef __cplusplus + extern "C" { +#endif + +/*----- Header files ------------------------------------------------------*/ + +#include + +#ifndef CATACOMB_KEY_H +# include "key.h" +#endif + +/*----- Important constants -----------------------------------------------*/ + +#define ED448_KEYSZ 57u +#define ED448_PUBSZ 57u +#define ED448_SIGSZ 114u + +#define ED448_MAXPERSOSZ 255u + +/*----- Key fetching ------------------------------------------------------*/ + +typedef struct ed448_priv { key_bin priv, pub; } ed448_priv; +typedef struct ed448_pub { key_bin pub; } ed448_pub; + +extern const key_fetchdef ed448_pubfetch[], ed448_privfetch[]; +#define ED448_PUBFETCHSZ 3 +#define ED448_PRIVFETCHSZ 6 + +/*----- Functions provided ------------------------------------------------*/ + +/* --- @ed448_pubkey@ --- * + * + * Arguments: @octet K[ED448_PUBSZ]@ = where to put the public key + * @const void *k@ = private key + * @size_t ksz@ = length of private key + * + * Returns: --- + * + * Use: Derives the public key from a private key. + */ + +extern void ed448_pubkey(octet /*K*/[ED448_PUBSZ], + const void */*k*/, size_t /*ksz*/); + +/* --- @ed448_sign@ --- * + * + * Arguments: @octet sig[ED448_SIGSZ]@ = where to put the signature + * @const void *k@ = private key + * @size_t ksz@ = length of private key + * @const octet K[ED448_PUBSZ]@ = public key + * @int phflag@ = whether the `message' has been hashed already + * @const void *p@ = personalization string + * @size_t psz@ = length of personalization string + * @const void *m@ = message to sign + * @size_t msz@ = length of message + * + * Returns: --- + * + * Use: Signs a message. + */ + +extern void ed448_sign(octet /*sig*/[ED448_SIGSZ], + const void */*k*/, size_t /*ksz*/, + const octet /*K*/[ED448_PUBSZ], + int /*phflag*/, const void */*p*/, size_t /*psz*/, + const void */*m*/, size_t /*msz*/); + +/* --- @ed448_verify@ --- * + * + * Arguments: @const octet K[ED448_PUBSZ]@ = public key + * @const void *m@ = message to sign + * @int phflag@ = whether the `message' has been hashed already + * @const void *p@ = personalization string + * @size_t psz@ = length of personalization string + * @size_t msz@ = length of message + * @const octet sig[ED448_SIGSZ]@ = signature + * + * Returns: Zero if OK, negative on failure. + * + * Use: Verify a signature. + */ + +extern int ed448_verify(const octet /*K*/[ED448_PUBSZ], + int /*phflag*/, const void */*p*/, size_t /*psz*/, + const void */*m*/, size_t /*msz*/, + const octet /*sig*/[ED448_SIGSZ]); + +/*----- That's all, folks -------------------------------------------------*/ + +#ifdef __cplusplus + } +#endif + +#endif