decaf_###_x_direct_scalarmul -> decaf_x###_direct_scalarmul

src/per_curve/decaf.tmpl.c

@@ -35,7 +35,7 @@ static const scalar_t point_scalarmul_adjustment = {{{
     $(ser((2**(combs.n*combs.t*combs.s) - 1) % q,64,"SC_LIMB"))
 }}};
 
-const uint8_t API_NS(x_base_point)[X_SER_BYTES] = { $(ser(mont_base,8)) };
+const uint8_t decaf_x$(gf_shortname)_base_point[DECAF_X$(gf_shortname)_PUBLIC_BYTES] = { $(ser(mont_base,8)) };
 
 #if COFACTOR==8 || EDDSA_USE_SIGMA_ISOGENY
     static const gf SQRT_ONE_MINUS_D = {FIELD_LITERAL(
@@ -47,7 +47,7 @@ const uint8_t API_NS(x_base_point)[X_SER_BYTES] = { $(ser(mont_base,8)) };
 
 /* Sanity */
 #if (COFACTOR == 8) && !IMAGINE_TWIST
-/* FUTURE: Curve41417 doesn't have these properties. */
+/* FUTURE MAGIC: Curve41417 doesn't have these properties. */
     #error "Currently require IMAGINE_TWIST (and thus p=5 mod 8) for cofactor 8"
 #endif
 
@@ -1048,7 +1048,7 @@ decaf_error_t API_NS(direct_scalarmul) (
 }
 
 void API_NS(point_encode_like_eddsa) (
-    uint8_t enc[$(C_NS)_EDDSA_PUBLIC_BYTES],
+    uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
     const point_t p
 ) {
     
@@ -1123,9 +1123,9 @@ void API_NS(point_encode_like_eddsa) (
     gf_mul(x,y,z);
     
     /* Encode */
-    enc[$(C_NS)_EDDSA_PRIVATE_BYTES-1] = 0;
+    enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] = 0;
     gf_serialize(enc, x, 1);
-    enc[$(C_NS)_EDDSA_PRIVATE_BYTES-1] |= 0x80 & gf_lobit(t);
+    enc[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] |= 0x80 & gf_lobit(t);
 
     decaf_bzero(x,sizeof(x));
     decaf_bzero(y,sizeof(y));
@@ -1137,17 +1137,17 @@ void API_NS(point_encode_like_eddsa) (
 
 decaf_error_t API_NS(point_decode_like_eddsa) (
     point_t p,
-    const uint8_t enc[$(C_NS)_EDDSA_PUBLIC_BYTES]
+    const uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES]
 ) {
-    uint8_t enc2[$(C_NS)_EDDSA_PUBLIC_BYTES];
+    uint8_t enc2[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES];
     memcpy(enc2,enc,sizeof(enc2));
 
-    mask_t low = ~word_is_zero(enc2[$(C_NS)_EDDSA_PRIVATE_BYTES-1] & 0x80);
-    enc2[$(C_NS)_EDDSA_PRIVATE_BYTES-1] &= ~0x80;
+    mask_t low = ~word_is_zero(enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] & 0x80);
+    enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1] &= ~0x80;
     
     mask_t succ = DECAF_TRUE;
 #if $(gf_bits % 8) == 0
-    succ = word_is_zero(enc2[$(C_NS)_EDDSA_PRIVATE_BYTES-1]);
+    succ = word_is_zero(enc2[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES-1]);
 #endif
     
     succ &= gf_deserialize(p->y, enc2, 1);

src/per_curve/decaf.tmpl.h

@@ -38,10 +38,10 @@ typedef struct gf_$(gf_shortname)_s {
 #define $(C_NS)_INVERT_ELLIGATOR_WHICH_BITS $(ceil_log2(cofactor) + 7 + elligator_onto - ((gf_bits-2) % 8))
 
 /** Number of bytes in an x$(gf_shortname) public key */
-#define X$(gf_shortname)_PUBLIC_BYTES $((gf_bits-1)/8 + 1)
+#define DECAF_X$(gf_shortname)_PUBLIC_BYTES $((gf_bits-1)/8 + 1)
 
 /** Number of bytes in an x$(gf_shortname) private key */
-#define X$(gf_shortname)_PRIVATE_BYTES $((gf_bits-1)/8 + 1)
+#define DECAF_X$(gf_shortname)_PRIVATE_BYTES $((gf_bits-1)/8 + 1)
 
 /** Twisted Edwards extended homogeneous coordinates */
 typedef struct $(c_ns)_point_s {
@@ -384,13 +384,13 @@ decaf_error_t $(c_ns)_direct_scalarmul (
  * point is in a small subgroup.
  */
 decaf_error_t decaf_x$(gf_shortname)_direct_scalarmul (
-    uint8_t out[X$(gf_shortname)_PUBLIC_BYTES],
-    const uint8_t base[X$(gf_shortname)_PUBLIC_BYTES],
-    const uint8_t scalar[X$(gf_shortname)_PRIVATE_BYTES]
+    uint8_t out[DECAF_X$(gf_shortname)_PUBLIC_BYTES],
+    const uint8_t base[DECAF_X$(gf_shortname)_PUBLIC_BYTES],
+    const uint8_t scalar[DECAF_X$(gf_shortname)_PRIVATE_BYTES]
 ) API_VIS NONNULL WARN_UNUSED NOINLINE;
 
 /** The base point for X$(gf_shortname) Diffie-Hellman */
-extern const uint8_t $(c_ns)_x_base_point[X$(gf_shortname)_PUBLIC_BYTES] API_VIS;
+extern const uint8_t decaf_x$(gf_shortname)_base_point[DECAF_X$(gf_shortname)_PUBLIC_BYTES] API_VIS;
 
 /**
  * @brief RFC 7748 Diffie-Hellman base point scalarmul.  This function uses
@@ -400,8 +400,8 @@ extern const uint8_t $(c_ns)_x_base_point[X$(gf_shortname)_PUBLIC_BYTES] API_VIS
  * @param [in] scalar The scalar to multiply by.
  */
 void decaf_x$(gf_shortname)_base_scalarmul (
-    uint8_t out[X$(gf_shortname)_PUBLIC_BYTES],
-    const uint8_t scalar[X$(gf_shortname)_PRIVATE_BYTES]
+    uint8_t out[DECAF_X$(gf_shortname)_PUBLIC_BYTES],
+    const uint8_t scalar[DECAF_X$(gf_shortname)_PRIVATE_BYTES]
 ) API_VIS NONNULL NOINLINE;
 
 /* FUTURE: uint8_t $(c_ns)_encode_like_curve$(gf_shortname)) */

src/per_curve/decaf.tmpl.hxx

@@ -316,13 +316,13 @@ public:
      * Contents of the point are undefined.
      */
     inline decaf_error_t WARN_UNUSED decode_like_eddsa_noexcept (
-        const FixedBlock<$(C_NS)_EDDSA_PUBLIC_BYTES> &buffer
+        const FixedBlock<DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES> &buffer
     ) NOEXCEPT {
         return $(c_ns)_point_decode_like_eddsa(p,buffer.data());
     }
 
     inline void decode_like_eddsa (
-        const FixedBlock<$(C_NS)_EDDSA_PUBLIC_BYTES> &buffer
+        const FixedBlock<DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES> &buffer
     ) throw(CryptoException) {
         if (DECAF_SUCCESS != decode_like_eddsa_noexcept(buffer)) throw(CryptoException());
     }
@@ -331,7 +331,7 @@ public:
      * Encode like EdDSA.  FIXME: and multiply by the cofactor...
      */
     inline SecureBuffer encode_like_eddsa() const {
-        SecureBuffer ret($(C_NS)_EDDSA_PUBLIC_BYTES);
+        SecureBuffer ret(DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
         $(c_ns)_point_encode_like_eddsa(ret.data(),p);
         return ret;
     }
@@ -624,14 +624,14 @@ public:
 struct DhLadder {
 public:
     /** Bytes in an X$(gf_shortname) public key. */
-    static const size_t PUBLIC_BYTES = X$(gf_shortname)_PUBLIC_BYTES;
+    static const size_t PUBLIC_BYTES = DECAF_X$(gf_shortname)_PUBLIC_BYTES;
 
     /** Bytes in an X$(gf_shortname) private key. */
-    static const size_t PRIVATE_BYTES = X$(gf_shortname)_PRIVATE_BYTES;
+    static const size_t PRIVATE_BYTES = DECAF_X$(gf_shortname)_PRIVATE_BYTES;
 
     /** Base point for a scalar multiplication. */
     static const FixedBlock<PUBLIC_BYTES> base_point() NOEXCEPT {
-        return FixedBlock<PUBLIC_BYTES>($(c_ns)_x_base_point);
+        return FixedBlock<PUBLIC_BYTES>(decaf_x$(gf_shortname)_base_point);
     }
 
     /** Generate and return a shared secret with public key.  */

src/per_curve/eddsa.tmpl.c

@@ -19,22 +19,28 @@
 #define hash_destroy decaf_$(eddsa_hash)_destroy
 #define hash_hash    decaf_$(eddsa_hash)_hash
 
-#define SUPPORTS_CONTEXTS $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
+#define SUPPORTS_CONTEXTS DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
 #define EDDSA_USE_SIGMA_ISOGENY $(eddsa_sigma_iso)
 #define COFACTOR $(cofactor)
 
+/* EDDSA_BASE_POINT_RATIO = 1 or 2
+ * Because EdDSA25519 is not on E_d but on the isogenous E_sigma_d,
+ * its base point is twice ours.
+ */
+#define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY)
+
 static void clamp (
-    uint8_t secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES]
+    uint8_t secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]
 ) {
     /* Blarg */
     secret_scalar_ser[0] &= -COFACTOR;
     uint8_t hibit = (1<<$(gf_bits % 8))>>1;
     if (hibit == 0) {
-        secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES - 1] = 0;
-        secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES - 2] |= 0x80;
+        secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES - 1] = 0;
+        secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES - 2] |= 0x80;
     } else {
-        secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES - 1] &= hibit-1;
-        secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES - 1] |= hibit;
+        secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES - 1] &= hibit-1;
+        secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES - 1] |= hibit;
     }
 }
 
@@ -61,18 +67,18 @@ static void hash_init_with_dom(
 #endif
 }
 
-void API_NS(eddsa_derive_public_key) (
-    uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES],
-    const uint8_t privkey[$(C_NS)_EDDSA_PRIVATE_BYTES]
+void decaf_eddsa_$(gf_shortname)_derive_public_key (
+    uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
+    const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]
 ) {
     /* only this much used for keygen */
-    uint8_t secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES];
+    uint8_t secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES];
     
     hash_hash(
         secret_scalar_ser,
         sizeof(secret_scalar_ser),
         privkey,
-        $(C_NS)_EDDSA_PRIVATE_BYTES
+        DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES
     );
     clamp(secret_scalar_ser);
         
@@ -80,7 +86,7 @@ void API_NS(eddsa_derive_public_key) (
     API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));
     
     /* TODO: write documentation for why (due to isogenies) this needs to be quartered/eighthed */
-    for (unsigned int c = 1; c < COFACTOR/(1+EDDSA_USE_SIGMA_ISOGENY); c <<= 1) {
+    for (unsigned int c = 1; c < COFACTOR/EDDSA_BASE_POINT_RATIO; c <<= 1) {
         API_NS(scalar_halve)(secret_scalar,secret_scalar);
     }
     
@@ -95,10 +101,10 @@ void API_NS(eddsa_derive_public_key) (
     decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser));
 }
 
-void API_NS(eddsa_sign) (
-    uint8_t signature[$(C_NS)_EDDSA_SIGNATURE_BYTES],
-    const uint8_t privkey[$(C_NS)_EDDSA_PRIVATE_BYTES],
-    const uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES],
+void decaf_eddsa_$(gf_shortname)_sign (
+    uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
+    const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
     const uint8_t *message,
     size_t message_len,
     uint8_t prehashed
@@ -116,14 +122,14 @@ void API_NS(eddsa_sign) (
     {
         /* Schedule the secret key */
         struct {
-            uint8_t secret_scalar_ser[$(C_NS)_EDDSA_PRIVATE_BYTES];
-            uint8_t seed[$(C_NS)_EDDSA_PRIVATE_BYTES];
+            uint8_t secret_scalar_ser[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES];
+            uint8_t seed[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES];
         } __attribute__((packed)) expanded;
         hash_hash(
             (uint8_t *)&expanded,
             sizeof(expanded),
             privkey,
-            $(C_NS)_EDDSA_PRIVATE_BYTES
+            DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES
         );
         clamp(expanded.secret_scalar_ser);   
         API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
@@ -138,18 +144,18 @@ void API_NS(eddsa_sign) (
     /* Decode the nonce */
     API_NS(scalar_t) nonce_scalar;
     {
-        uint8_t nonce[2*$(C_NS)_EDDSA_PRIVATE_BYTES];
+        uint8_t nonce[2*DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES];
         hash_final(hash,nonce,sizeof(nonce));
         API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));
         decaf_bzero(nonce, sizeof(nonce));
     }
     
-    uint8_t nonce_point[$(C_NS)_EDDSA_PUBLIC_BYTES] = {0};
+    uint8_t nonce_point[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES] = {0};
     {
         /* Scalarmul to create the nonce-point */
         API_NS(scalar_t) nonce_scalar_2;
         API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);
-        for (unsigned int c = 2; c < COFACTOR/(1+EDDSA_USE_SIGMA_ISOGENY); c <<= 1) {
+        for (unsigned int c = 2; c < COFACTOR/EDDSA_BASE_POINT_RATIO; c <<= 1) {
             API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);
         }
         
@@ -165,9 +171,9 @@ void API_NS(eddsa_sign) (
         /* Compute the challenge */
         hash_init_with_dom(hash,prehashed,context,context_len);
         hash_update(hash,nonce_point,sizeof(nonce_point));
-        hash_update(hash,pubkey,$(C_NS)_EDDSA_PUBLIC_BYTES);
+        hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
         hash_update(hash,message,message_len);
-        uint8_t challenge[2*$(C_NS)_EDDSA_PRIVATE_BYTES];
+        uint8_t challenge[2*DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES];
         hash_final(hash,challenge,sizeof(challenge));
         hash_destroy(hash);
         API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
@@ -177,9 +183,9 @@ void API_NS(eddsa_sign) (
     API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);
     API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);
     
-    decaf_bzero(signature,$(C_NS)_EDDSA_SIGNATURE_BYTES);
+    decaf_bzero(signature,DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES);
     memcpy(signature,nonce_point,sizeof(nonce_point));
-    API_NS(scalar_encode)(&signature[$(C_NS)_EDDSA_PUBLIC_BYTES],challenge_scalar);
+    API_NS(scalar_encode)(&signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],challenge_scalar);
     
     API_NS(scalar_destroy)(secret_scalar);
     API_NS(scalar_destroy)(nonce_scalar);
@@ -187,9 +193,9 @@ void API_NS(eddsa_sign) (
 }
 
 
-decaf_error_t API_NS(eddsa_verify) (
-    const uint8_t signature[$(C_NS)_EDDSA_SIGNATURE_BYTES],
-    const uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES],
+decaf_error_t decaf_eddsa_$(gf_shortname)_verify (
+    const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
     const uint8_t *message,
     size_t message_len,
     uint8_t prehashed
@@ -214,10 +220,10 @@ decaf_error_t API_NS(eddsa_verify) (
         /* Compute the challenge */
         hash_ctx_t hash;
         hash_init_with_dom(hash,prehashed,context,context_len);
-        hash_update(hash,signature,$(C_NS)_EDDSA_PUBLIC_BYTES);
-        hash_update(hash,pubkey,$(C_NS)_EDDSA_PUBLIC_BYTES);
+        hash_update(hash,signature,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
+        hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
         hash_update(hash,message,message_len);
-        uint8_t challenge[2*$(C_NS)_EDDSA_PRIVATE_BYTES];
+        uint8_t challenge[2*DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES];
         hash_final(hash,challenge,sizeof(challenge));
         hash_destroy(hash);
         API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
@@ -228,10 +234,10 @@ decaf_error_t API_NS(eddsa_verify) (
     API_NS(scalar_t) response_scalar;
     API_NS(scalar_decode_long)(
         response_scalar,
-        &signature[$(C_NS)_EDDSA_PUBLIC_BYTES],
-        $(C_NS)_EDDSA_PRIVATE_BYTES
+        &signature[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
+        DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES
     );
-#if EDDSA_USE_SIGMA_ISOGENY
+#if EDDSA_BASE_POINT_RATIO == 2
     API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);
 #endif
     

src/per_curve/eddsa.tmpl.h

@@ -7,16 +7,16 @@ extern "C" {
 #endif
 
 /** Number of bytes in an EdDSA public key. */
-#define $(C_NS)_EDDSA_PUBLIC_BYTES $((gf_bits)/8 + 1)
+#define DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES $((gf_bits)/8 + 1)
 
 /** Number of bytes in an EdDSA private key. */
-#define $(C_NS)_EDDSA_PRIVATE_BYTES $(C_NS)_EDDSA_PUBLIC_BYTES
+#define DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES
 
 /** Number of bytes in an EdDSA private key. */
-#define $(C_NS)_EDDSA_SIGNATURE_BYTES ($(C_NS)_EDDSA_PUBLIC_BYTES + $(C_NS)_EDDSA_PRIVATE_BYTES)
+#define DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES (DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES + DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES)
 
 /** Does EdDSA support contexts? */
-#define $(C_NS)_EDDSA_SUPPORTS_CONTEXTS $(eddsa_supports_contexts)
+#define DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS $(eddsa_supports_contexts)
 
 /**
  * @brief EdDSA key generation.  This function uses a different (non-Decaf)
@@ -25,9 +25,9 @@ extern "C" {
  * @param [out] pubkey The public key.
  * @param [in] privkey The private key.
  */    
-void $(c_ns)_eddsa_derive_public_key (
-    uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES],
-    const uint8_t privkey[$(C_NS)_EDDSA_PRIVATE_BYTES]
+void decaf_eddsa_$(gf_shortname)_derive_public_key (
+    uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
+    const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]
 ) API_VIS NONNULL NOINLINE;
 
 /**
@@ -42,14 +42,14 @@ void $(c_ns)_eddsa_derive_public_key (
  * @param [in] message_len The length of the message.
  * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
  */  
-void $(c_ns)_eddsa_sign (
-    uint8_t signature[$(C_NS)_EDDSA_SIGNATURE_BYTES],
-    const uint8_t privkey[$(C_NS)_EDDSA_PRIVATE_BYTES],
-    const uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES],
+void decaf_eddsa_$(gf_shortname)_sign (
+    uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
+    const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
     const uint8_t *message,
     size_t message_len,
     uint8_t prehashed
-#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
     , const uint8_t *context,
     uint8_t context_len
 #endif
@@ -68,13 +68,13 @@ void $(c_ns)_eddsa_sign (
  * @param [in] message_len The length of the message.
  * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
  */
-decaf_error_t $(c_ns)_eddsa_verify (
-    const uint8_t signature[$(C_NS)_EDDSA_SIGNATURE_BYTES],
-    const uint8_t pubkey[$(C_NS)_EDDSA_PUBLIC_BYTES],
+decaf_error_t decaf_eddsa_$(gf_shortname)_verify (
+    const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
+    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
     const uint8_t *message,
     size_t message_len,
     uint8_t prehashed
-#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
     , const uint8_t *context,
     uint8_t context_len
 #endif
@@ -93,7 +93,7 @@ decaf_error_t $(c_ns)_eddsa_verify (
  * point doctrine is worked out.
  */       
 void $(c_ns)_point_encode_like_eddsa (
-    uint8_t enc[$(C_NS)_EDDSA_PUBLIC_BYTES],
+    uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
     const $(c_ns)_point_t p
 ) API_VIS NONNULL NOINLINE;
 
@@ -105,7 +105,7 @@ void $(c_ns)_point_encode_like_eddsa (
  */       
 decaf_error_t $(c_ns)_point_decode_like_eddsa (
     $(c_ns)_point_t p,
-    const uint8_t enc[$(C_NS)_EDDSA_PUBLIC_BYTES]
+    const uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES]
 ) API_VIS NONNULL NOINLINE;
 
 #ifdef __cplusplus

src/per_curve/eddsa.tmpl.hxx

@@ -52,7 +52,7 @@ typedef class PrivateKeyBase<PREHASHED> PrivateKeyPh;
 class Prehash : public $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) {
 public:
     /** Do we support contexts for signatures?  If not, they must always be NULL */
-    static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS;
+    static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS;
     
 private:
     typedef $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) Super;
@@ -113,14 +113,14 @@ public:
         SecureBuffer out(CRTP::SIG_BYTES);
         FixedArrayBuffer<Prehash::OUTPUT_BYTES> tmp;
         ph.final(tmp);
-        $(c_ns)_eddsa_sign (
+        decaf_eddsa_$(gf_shortname)_sign (
             out.data(),
             ((const CRTP*)this)->priv_.data(),
             ((const CRTP*)this)->pub_.data(),
             tmp.data(),
             tmp.size(),
             1
-#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
             , ph.context_.data(),
             ph.context_.size()
 #endif
@@ -162,14 +162,14 @@ public:
         }
         
         SecureBuffer out(CRTP::SIG_BYTES);
-        $(c_ns)_eddsa_sign (
+        decaf_eddsa_$(gf_shortname)_sign (
             out.data(),
             ((const CRTP*)this)->priv_.data(),
             ((const CRTP*)this)->pub_.data(),
             message.data(),
             message.size(),
             0
-#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
             , context.data(),
             context.size()
 #endif
@@ -205,23 +205,23 @@ private:
 """)
     
     /** The pre-expansion form of the signing key. */
-    FixedArrayBuffer<$(C_NS)_EDDSA_PRIVATE_BYTES> priv_;
+    FixedArrayBuffer<DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES> priv_;
     
     /** The post-expansion public key. */
-    FixedArrayBuffer<$(C_NS)_EDDSA_PUBLIC_BYTES> pub_;
+    FixedArrayBuffer<DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES> pub_;
     
 public:
     /** Underlying group */
     typedef $(cxx_ns) Group;
     
     /** Signature size. */
-    static const size_t SIG_BYTES = $(C_NS)_EDDSA_SIGNATURE_BYTES;
+    static const size_t SIG_BYTES = DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES;
     
     /** Serialization size. */
-    static const size_t SER_BYTES = $(C_NS)_EDDSA_PRIVATE_BYTES;
+    static const size_t SER_BYTES = DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES;
     
     /** Do we support contexts for signatures?  If not, they must always be NULL */
-    static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS;
+    static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS;
     
     
     /** Create but don't initialize */
@@ -235,13 +235,13 @@ public:
     
     /** Create at random */
     inline explicit PrivateKeyBase(Rng &r) NOEXCEPT : priv_(r) {
-        $(c_ns)_eddsa_derive_public_key(pub_.data(), priv_.data());
+        decaf_eddsa_$(gf_shortname)_derive_public_key(pub_.data(), priv_.data());
     }
     
     /** Assignment from string */
     inline PrivateKeyBase &operator=(const FixedBlock<SER_BYTES> &b) NOEXCEPT {
         memcpy(priv_.data(),b.data(),b.size());
-        $(c_ns)_eddsa_derive_public_key(pub_.data(), priv_.data());
+        decaf_eddsa_$(gf_shortname)_derive_public_key(pub_.data(), priv_.data());
         return *this;
     }
     
@@ -273,7 +273,7 @@ template<class CRTP> class Verification<CRTP,PURE> {
 public:
     /** Verify a signature, returning DECAF_FAILURE if verification fails */
     inline decaf_error_t WARN_UNUSED verify_noexcept (
-        const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,
+        const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
         const Block &message,
         const Block &context = Block(NULL,0)
     ) const /*NOEXCEPT*/ {
@@ -283,13 +283,13 @@ public:
             return DECAF_FAILURE;
         }
         
-        return $(c_ns)_eddsa_verify (
+        return decaf_eddsa_$(gf_shortname)_verify (
             sig.data(),
             ((const CRTP*)this)->pub_.data(),
             message.data(),
             message.size(),
             0
-#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
             , context.data(),
             context.size()
 #endif
@@ -305,7 +305,7 @@ public:
      * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
      */
     inline void verify (
-        const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,
+        const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
         const Block &message,
         const Block &context = Block(NULL,0)
     ) const /*throw(LengthException,CryptoException)*/ {
@@ -326,18 +326,18 @@ template<class CRTP> class Verification<CRTP,PREHASHED> {
 public:
     /* Verify a prehash context, and reset the context */
     inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept (
-        const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,
+        const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
         Prehash &ph
     ) const /*NOEXCEPT*/ {
         FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
         ph.final(m);
-        return $(c_ns)_eddsa_verify (
+        return decaf_eddsa_$(gf_shortname)_verify (
             sig.data(),
             ((const CRTP*)this)->pub_.data(),
             m.data(),
             m.size(),
             1
-#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
             , ph.context_.data(),
             ph.context_.size()
 #endif
@@ -346,18 +346,18 @@ public:
     
     /* Verify a prehash context, and reset the context */
     inline void verify_prehashed (
-        const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,
+        const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
         Prehash &ph
     ) const /*throw(CryptoException)*/ {
         FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
         ph.final(m);
-        if (DECAF_SUCCESS != $(c_ns)_eddsa_verify (
+        if (DECAF_SUCCESS != decaf_eddsa_$(gf_shortname)_verify (
             sig.data(),
             ((const CRTP*)this)->pub_.data(),
             m.data(),
             m.size(),
             1
-#if $(C_NS)_EDDSA_SUPPORTS_CONTEXTS
+#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
             , ph.context_.data(),
             ph.context_.size()
 #endif
@@ -368,7 +368,7 @@ public:
     
     /* Verify a message using the prehasher */
     inline void verify_with_prehash (
-        const FixedBlock<$(C_NS)_EDDSA_SIGNATURE_BYTES> &sig,
+        const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
         const Block &message,
         const Block &context = Block(NULL,0)
     ) const /*throw(LengthException,CryptoException)*/ {
@@ -409,7 +409,7 @@ private:
 
 private:
     /** The pre-expansion form of the signature */
-    FixedArrayBuffer<$(C_NS)_EDDSA_PUBLIC_BYTES> pub_;
+    FixedArrayBuffer<DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES> pub_;
     
 public:
     /* PERF FUTURE: Pre-cached decoding? Precomputed table?? */
@@ -418,13 +418,13 @@ public:
     typedef $(cxx_ns) Group;
     
     /** Signature size. */
-    static const size_t SIG_BYTES = $(C_NS)_EDDSA_SIGNATURE_BYTES;
+    static const size_t SIG_BYTES = DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES;
     
     /** Serialization size. */
-    static const size_t SER_BYTES = $(C_NS)_EDDSA_PRIVATE_BYTES;
+    static const size_t SER_BYTES = DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES;
     
     /** Do we support contexts for signatures?  If not, they must always be NULL */
-    static const bool SUPPORTS_CONTEXTS = $(C_NS)_EDDSA_SUPPORTS_CONTEXTS;
+    static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS;
     
     
     /** Create but don't initialize */