add EdDSA C prehash routines

src/GENERATED/c/curve25519/eddsa.c

@@ -56,6 +56,7 @@ static void clamp (
 static void hash_init_with_dom(
     hash_ctx_t hash,
     uint8_t prehashed,
+    uint8_t for_prehash,
     const uint8_t *context,
     uint8_t context_len
 ) {
@@ -63,12 +64,13 @@ static void hash_init_with_dom(
     
 #if SUPPORTS_CONTEXTS
     const char *dom_s = "";
-    const uint8_t dom[2] = {1+word_is_zero(prehashed), context_len};
+    const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
     hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
     hash_update(hash,dom,2);
     hash_update(hash,context,context_len);
 #else
     (void)prehashed;
+    (void)for_prehash;
     (void)context;
     assert(context==NULL);
     (void)context_len;
@@ -76,6 +78,20 @@ static void hash_init_with_dom(
 #endif
 }
 
+void decaf_ed25519_prehash_init (
+    hash_ctx_t hash
+#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) {
+#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
+    hash_init_with_dom(hash,1,1,context,context_len);
+#else
+    hash_init_with_dom(hash,1,1,NULL,0);
+#endif
+}
+
 void decaf_ed25519_derive_public_key (
     uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
     const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES]
@@ -149,7 +165,7 @@ void decaf_ed25519_sign (
         API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
     
         /* Hash to create the nonce */
-        hash_init_with_dom(hash,prehashed,context,context_len);
+        hash_init_with_dom(hash,prehashed,0,context,context_len);
         hash_update(hash,expanded.seed,sizeof(expanded.seed));
         hash_update(hash,message,message_len);
         decaf_bzero(&expanded, sizeof(expanded));
@@ -183,7 +199,7 @@ void decaf_ed25519_sign (
     API_NS(scalar_t) challenge_scalar;
     {
         /* Compute the challenge */
-        hash_init_with_dom(hash,prehashed,context,context_len);
+        hash_init_with_dom(hash,prehashed,0,context,context_len);
         hash_update(hash,nonce_point,sizeof(nonce_point));
         hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES);
         hash_update(hash,message,message_len);
@@ -207,6 +223,33 @@ void decaf_ed25519_sign (
 }
 
 
+void decaf_ed25519_sign_prehash (
+    uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
+    const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
+    const decaf_ed25519_prehash_ctx_t hash
+#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) {
+    uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
+    {
+        decaf_ed25519_prehash_ctx_t hash_too;
+        memcpy(hash_too,hash,sizeof(hash_too));
+        hash_final(hash_too,hash_output,sizeof(hash_output));
+        hash_destroy(hash_too);
+    }
+    
+#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
+    decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
+#else
+    decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1);
+#endif
+    
+    decaf_bzero(hash_output,sizeof(hash_output));
+}
+
 decaf_error_t decaf_ed25519_verify (
     const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
     const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
@@ -233,7 +276,7 @@ decaf_error_t decaf_ed25519_verify (
     {
         /* Compute the challenge */
         hash_ctx_t hash;
-        hash_init_with_dom(hash,prehashed,context,context_len);
+        hash_init_with_dom(hash,prehashed,0,context,context_len);
         hash_update(hash,signature,DECAF_EDDSA_25519_PUBLIC_BYTES);
         hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES);
         hash_update(hash,message,message_len);
@@ -265,3 +308,32 @@ decaf_error_t decaf_ed25519_verify (
     );
     return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
 }
+
+
+decaf_error_t decaf_ed25519_verify_prehash (
+    const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
+    const decaf_ed25519_prehash_ctx_t hash
+#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) {
+    decaf_error_t ret;
+    
+    uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
+    {
+        decaf_ed25519_prehash_ctx_t hash_too;
+        memcpy(hash_too,hash,sizeof(hash_too));
+        hash_final(hash_too,hash_output,sizeof(hash_output));
+        hash_destroy(hash_too);
+    }
+    
+#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
+    ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
+#else
+    ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1);
+#endif
+    
+    return ret;
+}

src/GENERATED/c/ed448goldilocks/eddsa.c

@@ -56,6 +56,7 @@ static void clamp (
 static void hash_init_with_dom(
     hash_ctx_t hash,
     uint8_t prehashed,
+    uint8_t for_prehash,
     const uint8_t *context,
     uint8_t context_len
 ) {
@@ -63,12 +64,13 @@ static void hash_init_with_dom(
     
 #if SUPPORTS_CONTEXTS
     const char *dom_s = "SigEd448";
-    const uint8_t dom[2] = {1+word_is_zero(prehashed), context_len};
+    const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
     hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
     hash_update(hash,dom,2);
     hash_update(hash,context,context_len);
 #else
     (void)prehashed;
+    (void)for_prehash;
     (void)context;
     assert(context==NULL);
     (void)context_len;
@@ -76,6 +78,20 @@ static void hash_init_with_dom(
 #endif
 }
 
+void decaf_ed448_prehash_init (
+    hash_ctx_t hash
+#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) {
+#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
+    hash_init_with_dom(hash,1,1,context,context_len);
+#else
+    hash_init_with_dom(hash,1,1,NULL,0);
+#endif
+}
+
 void decaf_ed448_derive_public_key (
     uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
     const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]
@@ -149,7 +165,7 @@ void decaf_ed448_sign (
         API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
     
         /* Hash to create the nonce */
-        hash_init_with_dom(hash,prehashed,context,context_len);
+        hash_init_with_dom(hash,prehashed,0,context,context_len);
         hash_update(hash,expanded.seed,sizeof(expanded.seed));
         hash_update(hash,message,message_len);
         decaf_bzero(&expanded, sizeof(expanded));
@@ -183,7 +199,7 @@ void decaf_ed448_sign (
     API_NS(scalar_t) challenge_scalar;
     {
         /* Compute the challenge */
-        hash_init_with_dom(hash,prehashed,context,context_len);
+        hash_init_with_dom(hash,prehashed,0,context,context_len);
         hash_update(hash,nonce_point,sizeof(nonce_point));
         hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
         hash_update(hash,message,message_len);
@@ -207,6 +223,33 @@ void decaf_ed448_sign (
 }
 
 
+void decaf_ed448_sign_prehash (
+    uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
+    const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
+    const decaf_ed448_prehash_ctx_t hash
+#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) {
+    uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
+    {
+        decaf_ed448_prehash_ctx_t hash_too;
+        memcpy(hash_too,hash,sizeof(hash_too));
+        hash_final(hash_too,hash_output,sizeof(hash_output));
+        hash_destroy(hash_too);
+    }
+    
+#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
+    decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
+#else
+    decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1);
+#endif
+    
+    decaf_bzero(hash_output,sizeof(hash_output));
+}
+
 decaf_error_t decaf_ed448_verify (
     const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
     const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
@@ -233,7 +276,7 @@ decaf_error_t decaf_ed448_verify (
     {
         /* Compute the challenge */
         hash_ctx_t hash;
-        hash_init_with_dom(hash,prehashed,context,context_len);
+        hash_init_with_dom(hash,prehashed,0,context,context_len);
         hash_update(hash,signature,DECAF_EDDSA_448_PUBLIC_BYTES);
         hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
         hash_update(hash,message,message_len);
@@ -265,3 +308,32 @@ decaf_error_t decaf_ed448_verify (
     );
     return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
 }
+
+
+decaf_error_t decaf_ed448_verify_prehash (
+    const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
+    const decaf_ed448_prehash_ctx_t hash
+#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) {
+    decaf_error_t ret;
+    
+    uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
+    {
+        decaf_ed448_prehash_ctx_t hash_too;
+        memcpy(hash_too,hash,sizeof(hash_too));
+        hash_final(hash_too,hash_output,sizeof(hash_output));
+        hash_destroy(hash_too);
+    }
+    
+#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
+    ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
+#else
+    ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1);
+#endif
+    
+    return ret;
+}

src/GENERATED/include/decaf/ed255.h

@@ -16,6 +16,8 @@
 #define __DECAF_ED255_H__ 1
 
 #include <decaf/decaf_255.h>
+#include <decaf/shake.h>
+#include <decaf/sha512.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -32,6 +34,12 @@ extern "C" {
 
 /** Does EdDSA support contexts? */
 #define DECAF_EDDSA_25519_SUPPORTS_CONTEXTS 0
+    
+/** Prehash context renaming macros. */
+#define decaf_ed25519_prehash_ctx_s   decaf_sha512_ctx_s
+#define decaf_ed25519_prehash_ctx_t   decaf_sha512_ctx_t
+#define decaf_ed25519_prehash_update  decaf_sha512_update
+#define decaf_ed25519_prehash_destroy decaf_sha512_destroy
 
 /**
  * @brief EdDSA key generation.  This function uses a different (non-Decaf)
@@ -75,6 +83,48 @@ void decaf_ed25519_sign (
 #endif
 ) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;
 
+/**
+ * @brief EdDSA signing with prehash.
+ *
+ * @param [out] signature The signature.
+ * @param [in] privkey The private key.
+ * @param [in] pubkey The public key.
+ * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.
+ * @param [in] context_len Length of the context.
+ * @param [in] hash The hash of the message.  This object will not be modified by the call.
+ * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
+ *
+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
+ * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
+ * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives
+ * you no seat belt.
+ */  
+void decaf_ed25519_sign_prehash (
+    uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
+    const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
+    const decaf_ed25519_prehash_ctx_t hash
+#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE;
+    
+/**
+ * @brief Prehash initialization, with contexts if supported.
+ *
+ * @param [out] hash The hash object to be initialized.
+ * @param [in] context A "context" for this signature of up to 255 bytes.
+ * @param [in] context_len Length of the context.
+ */
+void decaf_ed25519_prehash_init (
+    decaf_ed25519_prehash_ctx_t hash
+#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) API_VIS __attribute__((nonnull(1))) NOINLINE;
+
 /**
  * @brief EdDSA signature verification.
  *
@@ -105,7 +155,32 @@ decaf_error_t decaf_ed25519_verify (
 #endif
 ) API_VIS __attribute__((nonnull(1,2))) NOINLINE;
 
-
+/**
+ * @brief EdDSA signature verification.
+ *
+ * Uses the standard (i.e. less-strict) verification formula.
+ *
+ * @param [in] signature The signature.
+ * @param [in] pubkey The public key.
+ * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.
+ * @param [in] context_len Length of the context.
+ * @param [in] hash The hash of the message.  This object will not be modified by the call.
+ * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
+ *
+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
+ * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
+ * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives
+ * you no seat belt.
+ */
+decaf_error_t decaf_ed25519_verify_prehash (
+    const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
+    const decaf_ed25519_prehash_ctx_t hash
+#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) API_VIS __attribute__((nonnull(1,2))) NOINLINE;
 
 /**
  * @brief EdDSA point encoding.  Used internally, exposed externally.

src/GENERATED/include/decaf/ed255.hxx

@@ -79,14 +79,12 @@ private:
         ) {
             throw LengthException();
         }
-        
-        if (SUPPORTS_CONTEXTS) {
-            const char pfx[] = "";
-            uint8_t dom[2] = {2, (uint8_t)context_.size() };
-            update((const unsigned char*)pfx,strlen(pfx));
-            update(dom,2);
-            update(context_);
-        }
+
+#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
+        decaf_ed25519_prehash_init((decaf_sha512_ctx_s *)wrapped,context_.data(),context_.size());
+#else
+        decaf_ed25519_prehash_init(wrapped);
+#endif
     }
     
 public:
@@ -122,17 +120,13 @@ template<class CRTP, Prehashed ph> class Signing;
 template<class CRTP> class Signing<CRTP,PREHASHED> {
 public:
     /* Sign a prehash context, and reset the context */
-    inline SecureBuffer sign_prehashed ( Prehash &ph ) const /*throw(std::bad_alloc)*/ {
+    inline SecureBuffer sign_prehashed ( const Prehash &ph ) const /*throw(std::bad_alloc)*/ {
         SecureBuffer out(CRTP::SIG_BYTES);
-        FixedArrayBuffer<Prehash::OUTPUT_BYTES> tmp;
-        ph.final(tmp);
-        decaf_ed25519_sign (
+        decaf_ed25519_sign_prehash (
             out.data(),
             ((const CRTP*)this)->priv_.data(),
             ((const CRTP*)this)->pub_.data(),
-            tmp.data(),
-            tmp.size(),
-            1
+            (const decaf_ed25519_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
             , ph.context_.data(),
             ph.context_.size()
@@ -324,19 +318,15 @@ public:
 
 template<class CRTP> class Verification<CRTP,PREHASHED> {
 public:
-    /* Verify a prehash context, and reset the context */
+    /* Verify a prehash context. */
     inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept (
         const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
-        Prehash &ph
+        const Prehash &ph
     ) const /*NOEXCEPT*/ {
-        FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
-        ph.final(m);
-        return decaf_ed25519_verify (
+        return decaf_ed25519_verify_prehash (
             sig.data(),
             ((const CRTP*)this)->pub_.data(),
-            m.data(),
-            m.size(),
-            1
+            (const decaf_ed25519_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
             , ph.context_.data(),
             ph.context_.size()
@@ -344,19 +334,15 @@ public:
         );
     }
     
-    /* Verify a prehash context, and reset the context */
+    /* Verify a prehash context. */
     inline void verify_prehashed (
         const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
-        Prehash &ph
+        const Prehash &ph
     ) const /*throw(CryptoException)*/ {
-        FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
-        ph.final(m);
-        if (DECAF_SUCCESS != decaf_ed25519_verify (
+        if (DECAF_SUCCESS != decaf_ed25519_verify_prehash (
             sig.data(),
             ((const CRTP*)this)->pub_.data(),
-            m.data(),
-            m.size(),
-            1
+            (const decaf_ed25519_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
             , ph.context_.data(),
             ph.context_.size()

src/GENERATED/include/decaf/ed448.h

@@ -16,6 +16,8 @@
 #define __DECAF_ED448_H__ 1
 
 #include <decaf/decaf_448.h>
+#include <decaf/shake.h>
+#include <decaf/sha512.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -32,6 +34,12 @@ extern "C" {
 
 /** Does EdDSA support contexts? */
 #define DECAF_EDDSA_448_SUPPORTS_CONTEXTS 1
+    
+/** Prehash context renaming macros. */
+#define decaf_ed448_prehash_ctx_s   decaf_shake256_ctx_s
+#define decaf_ed448_prehash_ctx_t   decaf_shake256_ctx_t
+#define decaf_ed448_prehash_update  decaf_shake256_update
+#define decaf_ed448_prehash_destroy decaf_shake256_destroy
 
 /**
  * @brief EdDSA key generation.  This function uses a different (non-Decaf)
@@ -75,6 +83,48 @@ void decaf_ed448_sign (
 #endif
 ) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;
 
+/**
+ * @brief EdDSA signing with prehash.
+ *
+ * @param [out] signature The signature.
+ * @param [in] privkey The private key.
+ * @param [in] pubkey The public key.
+ * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.
+ * @param [in] context_len Length of the context.
+ * @param [in] hash The hash of the message.  This object will not be modified by the call.
+ * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
+ *
+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
+ * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
+ * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives
+ * you no seat belt.
+ */  
+void decaf_ed448_sign_prehash (
+    uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
+    const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
+    const decaf_ed448_prehash_ctx_t hash
+#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE;
+    
+/**
+ * @brief Prehash initialization, with contexts if supported.
+ *
+ * @param [out] hash The hash object to be initialized.
+ * @param [in] context A "context" for this signature of up to 255 bytes.
+ * @param [in] context_len Length of the context.
+ */
+void decaf_ed448_prehash_init (
+    decaf_ed448_prehash_ctx_t hash
+#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) API_VIS __attribute__((nonnull(1))) NOINLINE;
+
 /**
  * @brief EdDSA signature verification.
  *
@@ -105,7 +155,32 @@ decaf_error_t decaf_ed448_verify (
 #endif
 ) API_VIS __attribute__((nonnull(1,2))) NOINLINE;
 
-
+/**
+ * @brief EdDSA signature verification.
+ *
+ * Uses the standard (i.e. less-strict) verification formula.
+ *
+ * @param [in] signature The signature.
+ * @param [in] pubkey The public key.
+ * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.
+ * @param [in] context_len Length of the context.
+ * @param [in] hash The hash of the message.  This object will not be modified by the call.
+ * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
+ *
+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
+ * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
+ * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives
+ * you no seat belt.
+ */
+decaf_error_t decaf_ed448_verify_prehash (
+    const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
+    const decaf_ed448_prehash_ctx_t hash
+#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) API_VIS __attribute__((nonnull(1,2))) NOINLINE;
 
 /**
  * @brief EdDSA point encoding.  Used internally, exposed externally.

src/GENERATED/include/decaf/ed448.hxx

@@ -77,14 +77,12 @@ private:
         ) {
             throw LengthException();
         }
-        
-        if (SUPPORTS_CONTEXTS) {
-            const char pfx[] = "SigEd448";
-            uint8_t dom[2] = {2, (uint8_t)context_.size() };
-            update((const unsigned char*)pfx,strlen(pfx));
-            update(dom,2);
-            update(context_);
-        }
+
+#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
+        decaf_ed448_prehash_init((decaf_shake256_ctx_s *)wrapped,context_.data(),context_.size());
+#else
+        decaf_ed448_prehash_init(wrapped);
+#endif
     }
     
 public:
@@ -120,17 +118,13 @@ template<class CRTP, Prehashed ph> class Signing;
 template<class CRTP> class Signing<CRTP,PREHASHED> {
 public:
     /* Sign a prehash context, and reset the context */
-    inline SecureBuffer sign_prehashed ( Prehash &ph ) const /*throw(std::bad_alloc)*/ {
+    inline SecureBuffer sign_prehashed ( const Prehash &ph ) const /*throw(std::bad_alloc)*/ {
         SecureBuffer out(CRTP::SIG_BYTES);
-        FixedArrayBuffer<Prehash::OUTPUT_BYTES> tmp;
-        ph.final(tmp);
-        decaf_ed448_sign (
+        decaf_ed448_sign_prehash (
             out.data(),
             ((const CRTP*)this)->priv_.data(),
             ((const CRTP*)this)->pub_.data(),
-            tmp.data(),
-            tmp.size(),
-            1
+            (const decaf_ed448_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
             , ph.context_.data(),
             ph.context_.size()
@@ -324,19 +318,15 @@ public:
 
 template<class CRTP> class Verification<CRTP,PREHASHED> {
 public:
-    /* Verify a prehash context, and reset the context */
+    /* Verify a prehash context. */
     inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept (
         const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
-        Prehash &ph
+        const Prehash &ph
     ) const /*NOEXCEPT*/ {
-        FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
-        ph.final(m);
-        return decaf_ed448_verify (
+        return decaf_ed448_verify_prehash (
             sig.data(),
             ((const CRTP*)this)->pub_.data(),
-            m.data(),
-            m.size(),
-            1
+            (const decaf_ed448_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
             , ph.context_.data(),
             ph.context_.size()
@@ -344,19 +334,15 @@ public:
         );
     }
     
-    /* Verify a prehash context, and reset the context */
+    /* Verify a prehash context. */
     inline void verify_prehashed (
         const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
-        Prehash &ph
+        const Prehash &ph
     ) const /*throw(CryptoException)*/ {
-        FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
-        ph.final(m);
-        if (DECAF_SUCCESS != decaf_ed448_verify (
+        if (DECAF_SUCCESS != decaf_ed448_verify_prehash (
             sig.data(),
             ((const CRTP*)this)->pub_.data(),
-            m.data(),
-            m.size(),
-            1
+            (const decaf_ed448_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
             , ph.context_.data(),
             ph.context_.size()

src/GENERATED/include/decaf/sha512.hxx

@@ -30,7 +30,7 @@ class SHA512 {
 protected:
     /** @cond internal */
     /** The C-wrapper sponge state */
-    decaf_sha512_ctx_t sha;
+    decaf_sha512_ctx_t wrapped;
 
 public:
     
@@ -44,10 +44,10 @@ public:
     static const size_t DEFAULT_OUTPUT_BYTES = OUTPUT_BYTES;
     
     /** Constructor */
-    inline SHA512() NOEXCEPT { decaf_sha512_init(sha); }
+    inline SHA512() NOEXCEPT { decaf_sha512_init(wrapped); }
     
     /** Add more data to running hash */
-    inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(sha,in,len); }
+    inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(wrapped,in,len); }
 
     /** Add more data to running hash, C++ version. */
     inline void update(const Block &s) NOEXCEPT { update(s.data(),s.size()); }
@@ -61,17 +61,17 @@ public:
     /** @brief Output bytes from the SHA context, and resets it. */
     inline void final(Buffer b) throw(LengthException) {
         if (b.size() > OUTPUT_BYTES) throw LengthException();
-        decaf_sha512_final(sha,b.data(),b.size());
+        decaf_sha512_final(wrapped,b.data(),b.size());
     }
     
     /** Resets the SHA context */
-    inline void reset() NOEXCEPT { decaf_sha512_init(sha); }
+    inline void reset() NOEXCEPT { decaf_sha512_init(wrapped); }
 
     /** @brief Output bytes from the sponge. */
     inline SecureBuffer final(size_t len = OUTPUT_BYTES) throw(LengthException) {
         if (len > OUTPUT_BYTES) throw LengthException();
         SecureBuffer buffer(len);
-        decaf_sha512_final(sha,buffer.data(),len);
+        decaf_sha512_final(wrapped,buffer.data(),len);
         return buffer;
     }
 
@@ -93,7 +93,7 @@ public:
     }
 
     /** Destructor zeroizes state */
-    inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(sha); }
+    inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(wrapped); }
 };
   
 } /* namespace decaf */

src/GENERATED/include/decaf/shake.hxx

@@ -35,18 +35,18 @@ class KeccakHash {
 protected:
     /** @cond internal */
     /** The C-wrapper sponge state */
-    decaf_keccak_sponge_t sp;
+    decaf_keccak_sponge_t wrapped;
     
     /** Initialize from parameters */
-    inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(sp, params); }
+    inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(wrapped, params); }
     /** @endcond */
     
 public:
     /** Add more data to running hash */
-    inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(sp,in,len); }
+    inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(wrapped,in,len); }
 
     /** Add more data to running hash, C++ version. */
-    inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(sp,s.data(),s.size()); }
+    inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(wrapped,s.data(),s.size()); }
     
     /** Add more data, stream version. */
     inline KeccakHash &operator<<(const Block &s) NOEXCEPT { update(s); return *this; }
@@ -58,7 +58,7 @@ public:
     inline SecureBuffer output(size_t len) throw(std::bad_alloc, LengthException) {
         if (len > max_output_size()) throw LengthException();
         SecureBuffer buffer(len);
-        if (DECAF_SUCCESS != decaf_sha3_output(sp,buffer.data(),len)) {
+        if (DECAF_SUCCESS != decaf_sha3_output(wrapped,buffer.data(),len)) {
             throw LengthException();
         }
         return buffer;
@@ -68,7 +68,7 @@ public:
     inline SecureBuffer final(size_t len) throw(std::bad_alloc, LengthException) {
         if (len > max_output_size()) throw LengthException();
         SecureBuffer buffer(len);
-        if (DECAF_SUCCESS != decaf_sha3_final(sp,buffer.data(),len)) {
+        if (DECAF_SUCCESS != decaf_sha3_final(wrapped,buffer.data(),len)) {
             throw LengthException();
         }
         return buffer;
@@ -78,7 +78,7 @@ public:
      * output too many bytes from a SHA-3 instance.
      */
     inline void output(Buffer b) throw(LengthException) {
-        if (DECAF_SUCCESS != decaf_sha3_output(sp,b.data(),b.size())) {
+        if (DECAF_SUCCESS != decaf_sha3_output(wrapped,b.data(),b.size())) {
             throw LengthException();
         }
     }
@@ -87,19 +87,19 @@ public:
      * LengthException if you've output too many bytes from a SHA3 instance.
      */
     inline void final(Buffer b) throw(LengthException) {
-        if (DECAF_SUCCESS != decaf_sha3_final(sp,b.data(),b.size())) {
+        if (DECAF_SUCCESS != decaf_sha3_final(wrapped,b.data(),b.size())) {
             throw LengthException();
         }
     }
     
     /** @brief Return the sponge's default output size. */
     inline size_t default_output_size() const NOEXCEPT {
-        return decaf_sponge_default_output_bytes(sp);
+        return decaf_sponge_default_output_bytes(wrapped);
     }
     
     /** @brief Return the sponge's maximum output size. */
     inline size_t max_output_size() const NOEXCEPT {
-        return decaf_sponge_max_output_bytes(sp);
+        return decaf_sponge_max_output_bytes(wrapped);
     }
     
     /** Output the default number of bytes. */
@@ -113,10 +113,10 @@ public:
     }
 
     /** Reset the hash to the empty string */
-    inline void reset() NOEXCEPT { decaf_sha3_reset(sp); }
+    inline void reset() NOEXCEPT { decaf_sha3_reset(wrapped); }
     
     /** Destructor zeroizes state */
-    inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(sp); }
+    inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(wrapped); }
 };
 
 /** Fixed-output-length SHA3 */

src/per_curve/eddsa.tmpl.c

@@ -47,6 +47,7 @@ static void clamp (
 static void hash_init_with_dom(
     hash_ctx_t hash,
     uint8_t prehashed,
+    uint8_t for_prehash,
     const uint8_t *context,
     uint8_t context_len
 ) {
@@ -54,12 +55,13 @@ static void hash_init_with_dom(
     
 #if SUPPORTS_CONTEXTS
     const char *dom_s = "$(eddsa_dom)";
-    const uint8_t dom[2] = {1+word_is_zero(prehashed), context_len};
+    const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
     hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
     hash_update(hash,dom,2);
     hash_update(hash,context,context_len);
 #else
     (void)prehashed;
+    (void)for_prehash;
     (void)context;
     assert(context==NULL);
     (void)context_len;
@@ -67,6 +69,20 @@ static void hash_init_with_dom(
 #endif
 }
 
+void decaf_ed$(gf_shortname)_prehash_init (
+    hash_ctx_t hash
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) {
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
+    hash_init_with_dom(hash,1,1,context,context_len);
+#else
+    hash_init_with_dom(hash,1,1,NULL,0);
+#endif
+}
+
 void decaf_ed$(gf_shortname)_derive_public_key (
     uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
     const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]
@@ -140,7 +156,7 @@ void decaf_ed$(gf_shortname)_sign (
         API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
     
         /* Hash to create the nonce */
-        hash_init_with_dom(hash,prehashed,context,context_len);
+        hash_init_with_dom(hash,prehashed,0,context,context_len);
         hash_update(hash,expanded.seed,sizeof(expanded.seed));
         hash_update(hash,message,message_len);
         decaf_bzero(&expanded, sizeof(expanded));
@@ -174,7 +190,7 @@ void decaf_ed$(gf_shortname)_sign (
     API_NS(scalar_t) challenge_scalar;
     {
         /* Compute the challenge */
-        hash_init_with_dom(hash,prehashed,context,context_len);
+        hash_init_with_dom(hash,prehashed,0,context,context_len);
         hash_update(hash,nonce_point,sizeof(nonce_point));
         hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
         hash_update(hash,message,message_len);
@@ -198,6 +214,33 @@ void decaf_ed$(gf_shortname)_sign (
 }
 
 
+void decaf_ed$(gf_shortname)_sign_prehash (
+    uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
+    const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
+    const decaf_ed$(gf_shortname)_prehash_ctx_t hash
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) {
+    uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
+    {
+        decaf_ed$(gf_shortname)_prehash_ctx_t hash_too;
+        memcpy(hash_too,hash,sizeof(hash_too));
+        hash_final(hash_too,hash_output,sizeof(hash_output));
+        hash_destroy(hash_too);
+    }
+    
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
+    decaf_ed$(gf_shortname)_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
+#else
+    decaf_ed$(gf_shortname)_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1);
+#endif
+    
+    decaf_bzero(hash_output,sizeof(hash_output));
+}
+
 decaf_error_t decaf_ed$(gf_shortname)_verify (
     const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
     const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
@@ -224,7 +267,7 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
     {
         /* Compute the challenge */
         hash_ctx_t hash;
-        hash_init_with_dom(hash,prehashed,context,context_len);
+        hash_init_with_dom(hash,prehashed,0,context,context_len);
         hash_update(hash,signature,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
         hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
         hash_update(hash,message,message_len);
@@ -256,3 +299,32 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
     );
     return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
 }
+
+
+decaf_error_t decaf_ed$(gf_shortname)_verify_prehash (
+    const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
+    const decaf_ed$(gf_shortname)_prehash_ctx_t hash
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) {
+    decaf_error_t ret;
+    
+    uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
+    {
+        decaf_ed$(gf_shortname)_prehash_ctx_t hash_too;
+        memcpy(hash_too,hash,sizeof(hash_too));
+        hash_final(hash_too,hash_output,sizeof(hash_output));
+        hash_destroy(hash_too);
+    }
+    
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
+    ret = decaf_ed$(gf_shortname)_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
+#else
+    ret = decaf_ed$(gf_shortname)_verify(signature,pubkey,hash_output,sizeof(hash_output),1);
+#endif
+    
+    return ret;
+}

src/per_curve/eddsa.tmpl.h

@@ -1,6 +1,8 @@
 /** @brief A group of prime order p, based on $(iso_to). */
 
 #include <decaf/decaf_$(gf_bits).h>
+#include <decaf/shake.h>
+#include <decaf/sha512.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -17,6 +19,12 @@ extern "C" {
 
 /** Does EdDSA support contexts? */
 #define DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS $(eddsa_supports_contexts)
+    
+/** Prehash context renaming macros. */
+#define decaf_ed$(gf_shortname)_prehash_ctx_s   decaf_$(eddsa_hash)_ctx_s
+#define decaf_ed$(gf_shortname)_prehash_ctx_t   decaf_$(eddsa_hash)_ctx_t
+#define decaf_ed$(gf_shortname)_prehash_update  decaf_$(eddsa_hash)_update
+#define decaf_ed$(gf_shortname)_prehash_destroy decaf_$(eddsa_hash)_destroy
 
 /**
  * @brief EdDSA key generation.  This function uses a different (non-Decaf)
@@ -60,6 +68,48 @@ void decaf_ed$(gf_shortname)_sign (
 #endif
 ) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;
 
+/**
+ * @brief EdDSA signing with prehash.
+ *
+ * @param [out] signature The signature.
+ * @param [in] privkey The private key.
+ * @param [in] pubkey The public key.
+ * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.
+ * @param [in] context_len Length of the context.
+ * @param [in] hash The hash of the message.  This object will not be modified by the call.
+ * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
+ *
+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
+ * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
+ * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives
+ * you no seat belt.
+ */  
+void decaf_ed$(gf_shortname)_sign_prehash (
+    uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
+    const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
+    const decaf_ed$(gf_shortname)_prehash_ctx_t hash
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE;
+    
+/**
+ * @brief Prehash initialization, with contexts if supported.
+ *
+ * @param [out] hash The hash object to be initialized.
+ * @param [in] context A "context" for this signature of up to 255 bytes.
+ * @param [in] context_len Length of the context.
+ */
+void decaf_ed$(gf_shortname)_prehash_init (
+    decaf_ed$(gf_shortname)_prehash_ctx_t hash
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) API_VIS __attribute__((nonnull(1))) NOINLINE;
+
 /**
  * @brief EdDSA signature verification.
  *
@@ -90,7 +140,32 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
 #endif
 ) API_VIS __attribute__((nonnull(1,2))) NOINLINE;
 
-
+/**
+ * @brief EdDSA signature verification.
+ *
+ * Uses the standard (i.e. less-strict) verification formula.
+ *
+ * @param [in] signature The signature.
+ * @param [in] pubkey The public key.
+ * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.
+ * @param [in] context_len Length of the context.
+ * @param [in] hash The hash of the message.  This object will not be modified by the call.
+ * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
+ *
+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
+ * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
+ * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives
+ * you no seat belt.
+ */
+decaf_error_t decaf_ed$(gf_shortname)_verify_prehash (
+    const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
+    const decaf_ed$(gf_shortname)_prehash_ctx_t hash
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
+    , const uint8_t *context,
+    uint8_t context_len
+#endif
+) API_VIS __attribute__((nonnull(1,2))) NOINLINE;
 
 /**
  * @brief EdDSA point encoding.  Used internally, exposed externally.

src/per_curve/eddsa.tmpl.hxx

@@ -68,14 +68,12 @@ private:
         ) {
             throw LengthException();
         }
-        
-        if (SUPPORTS_CONTEXTS) {
-            const char pfx[] = "$(eddsa_dom)";
-            uint8_t dom[2] = {2, (uint8_t)context_.size() };
-            update((const unsigned char*)pfx,strlen(pfx));
-            update(dom,2);
-            update(context_);
-        }
+
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
+        decaf_ed$(gf_shortname)_prehash_init((decaf_$(eddsa_hash)_ctx_s *)wrapped,context_.data(),context_.size());
+#else
+        decaf_ed$(gf_shortname)_prehash_init(wrapped);
+#endif
     }
     
 public:
@@ -111,17 +109,13 @@ template<class CRTP, Prehashed ph> class Signing;
 template<class CRTP> class Signing<CRTP,PREHASHED> {
 public:
     /* Sign a prehash context, and reset the context */
-    inline SecureBuffer sign_prehashed ( Prehash &ph ) const /*throw(std::bad_alloc)*/ {
+    inline SecureBuffer sign_prehashed ( const Prehash &ph ) const /*throw(std::bad_alloc)*/ {
         SecureBuffer out(CRTP::SIG_BYTES);
-        FixedArrayBuffer<Prehash::OUTPUT_BYTES> tmp;
-        ph.final(tmp);
-        decaf_ed$(gf_shortname)_sign (
+        decaf_ed$(gf_shortname)_sign_prehash (
             out.data(),
             ((const CRTP*)this)->priv_.data(),
             ((const CRTP*)this)->pub_.data(),
-            tmp.data(),
-            tmp.size(),
-            1
+            (const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
             , ph.context_.data(),
             ph.context_.size()
@@ -326,19 +320,15 @@ public:
 
 template<class CRTP> class Verification<CRTP,PREHASHED> {
 public:
-    /* Verify a prehash context, and reset the context */
+    /* Verify a prehash context. */
     inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept (
         const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
-        Prehash &ph
+        const Prehash &ph
     ) const /*NOEXCEPT*/ {
-        FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
-        ph.final(m);
-        return decaf_ed$(gf_shortname)_verify (
+        return decaf_ed$(gf_shortname)_verify_prehash (
             sig.data(),
             ((const CRTP*)this)->pub_.data(),
-            m.data(),
-            m.size(),
-            1
+            (const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
             , ph.context_.data(),
             ph.context_.size()
@@ -346,19 +336,15 @@ public:
         );
     }
     
-    /* Verify a prehash context, and reset the context */
+    /* Verify a prehash context. */
     inline void verify_prehashed (
         const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
-        Prehash &ph
+        const Prehash &ph
     ) const /*throw(CryptoException)*/ {
-        FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
-        ph.final(m);
-        if (DECAF_SUCCESS != decaf_ed$(gf_shortname)_verify (
+        if (DECAF_SUCCESS != decaf_ed$(gf_shortname)_verify_prehash (
             sig.data(),
             ((const CRTP*)this)->pub_.data(),
-            m.data(),
-            m.size(),
-            1
+            (const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
             , ph.context_.data(),
             ph.context_.size()

src/public_include/decaf/sha512.hxx

@@ -30,7 +30,7 @@ class SHA512 {
 protected:
     /** @cond internal */
     /** The C-wrapper sponge state */
-    decaf_sha512_ctx_t sha;
+    decaf_sha512_ctx_t wrapped;
 
 public:
     
@@ -44,10 +44,10 @@ public:
     static const size_t DEFAULT_OUTPUT_BYTES = OUTPUT_BYTES;
     
     /** Constructor */
-    inline SHA512() NOEXCEPT { decaf_sha512_init(sha); }
+    inline SHA512() NOEXCEPT { decaf_sha512_init(wrapped); }
     
     /** Add more data to running hash */
-    inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(sha,in,len); }
+    inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(wrapped,in,len); }
 
     /** Add more data to running hash, C++ version. */
     inline void update(const Block &s) NOEXCEPT { update(s.data(),s.size()); }
@@ -61,17 +61,17 @@ public:
     /** @brief Output bytes from the SHA context, and resets it. */
     inline void final(Buffer b) throw(LengthException) {
         if (b.size() > OUTPUT_BYTES) throw LengthException();
-        decaf_sha512_final(sha,b.data(),b.size());
+        decaf_sha512_final(wrapped,b.data(),b.size());
     }
     
     /** Resets the SHA context */
-    inline void reset() NOEXCEPT { decaf_sha512_init(sha); }
+    inline void reset() NOEXCEPT { decaf_sha512_init(wrapped); }
 
     /** @brief Output bytes from the sponge. */
     inline SecureBuffer final(size_t len = OUTPUT_BYTES) throw(LengthException) {
         if (len > OUTPUT_BYTES) throw LengthException();
         SecureBuffer buffer(len);
-        decaf_sha512_final(sha,buffer.data(),len);
+        decaf_sha512_final(wrapped,buffer.data(),len);
         return buffer;
     }
 
@@ -93,7 +93,7 @@ public:
     }
 
     /** Destructor zeroizes state */
-    inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(sha); }
+    inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(wrapped); }
 };
   
 } /* namespace decaf */

src/public_include/decaf/shake.hxx

@@ -35,18 +35,18 @@ class KeccakHash {
 protected:
     /** @cond internal */
     /** The C-wrapper sponge state */
-    decaf_keccak_sponge_t sp;
+    decaf_keccak_sponge_t wrapped;
     
     /** Initialize from parameters */
-    inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(sp, params); }
+    inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(wrapped, params); }
     /** @endcond */
     
 public:
     /** Add more data to running hash */
-    inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(sp,in,len); }
+    inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(wrapped,in,len); }
 
     /** Add more data to running hash, C++ version. */
-    inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(sp,s.data(),s.size()); }
+    inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(wrapped,s.data(),s.size()); }
     
     /** Add more data, stream version. */
     inline KeccakHash &operator<<(const Block &s) NOEXCEPT { update(s); return *this; }
@@ -58,7 +58,7 @@ public:
     inline SecureBuffer output(size_t len) throw(std::bad_alloc, LengthException) {
         if (len > max_output_size()) throw LengthException();
         SecureBuffer buffer(len);
-        if (DECAF_SUCCESS != decaf_sha3_output(sp,buffer.data(),len)) {
+        if (DECAF_SUCCESS != decaf_sha3_output(wrapped,buffer.data(),len)) {
             throw LengthException();
         }
         return buffer;
@@ -68,7 +68,7 @@ public:
     inline SecureBuffer final(size_t len) throw(std::bad_alloc, LengthException) {
         if (len > max_output_size()) throw LengthException();
         SecureBuffer buffer(len);
-        if (DECAF_SUCCESS != decaf_sha3_final(sp,buffer.data(),len)) {
+        if (DECAF_SUCCESS != decaf_sha3_final(wrapped,buffer.data(),len)) {
             throw LengthException();
         }
         return buffer;
@@ -78,7 +78,7 @@ public:
      * output too many bytes from a SHA-3 instance.
      */
     inline void output(Buffer b) throw(LengthException) {
-        if (DECAF_SUCCESS != decaf_sha3_output(sp,b.data(),b.size())) {
+        if (DECAF_SUCCESS != decaf_sha3_output(wrapped,b.data(),b.size())) {
             throw LengthException();
         }
     }
@@ -87,19 +87,19 @@ public:
      * LengthException if you've output too many bytes from a SHA3 instance.
      */
     inline void final(Buffer b) throw(LengthException) {
-        if (DECAF_SUCCESS != decaf_sha3_final(sp,b.data(),b.size())) {
+        if (DECAF_SUCCESS != decaf_sha3_final(wrapped,b.data(),b.size())) {
             throw LengthException();
         }
     }
     
     /** @brief Return the sponge's default output size. */
     inline size_t default_output_size() const NOEXCEPT {
-        return decaf_sponge_default_output_bytes(sp);
+        return decaf_sponge_default_output_bytes(wrapped);
     }
     
     /** @brief Return the sponge's maximum output size. */
     inline size_t max_output_size() const NOEXCEPT {
-        return decaf_sponge_max_output_bytes(sp);
+        return decaf_sponge_max_output_bytes(wrapped);
     }
     
     /** Output the default number of bytes. */
@@ -113,10 +113,10 @@ public:
     }
 
     /** Reset the hash to the empty string */
-    inline void reset() NOEXCEPT { decaf_sha3_reset(sp); }
+    inline void reset() NOEXCEPT { decaf_sha3_reset(wrapped); }
     
     /** Destructor zeroizes state */
-    inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(sp); }
+    inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(wrapped); }
 };
 
 /** Fixed-output-length SHA3 */