Update EdDSA operations to match draft 07 from CFRG.

8 years ago · ef6e74bdec
--- a/src/GENERATED/c/curve25519/eddsa.c
+++ b/src/GENERATED/c/curve25519/eddsa.c
@@ -28,7 +28,7 @@
 #define hash_destroy decaf_sha512_destroy
 #define hash_hash    decaf_sha512_hash
 #define SUPPORTS_CONTEXTS DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
 #define NO_CONTEXT DECAF_EDDSA_25519_NO_CONTEXT
 #define EDDSA_USE_SIGMA_ISOGENY 1
 #define COFACTOR 8
@@ -58,38 +58,33 @@ static void hash_init_with_dom(
    uint8_t prehashed,
    uint8_t for_prehash,
    const uint8_t *context,
    uint8_t context_len
    uint8_t context_len,
    uint8_t no_context
 ) {
    hash_init(hash);
 #if SUPPORTS_CONTEXTS
    const char *dom_s = "";
 #if NO_CONTEXT
    if (no_context) {
        (void)prehashed;
        (void)for_prehash;
        (void)context;
        (void)context_len;
        return;
    }
 #else
    (void)no_context;
 #endif
    const char *dom_s = "SigEd25519 no Ed25519 collisions";
    const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
    hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
    hash_update(hash,dom,2);
    hash_update(hash,context,context_len);
 #else
    (void)prehashed;
    (void)for_prehash;
    (void)context;
    assert(context==NULL);
    (void)context_len;
    assert(context_len == 0);
 #endif
 }
 void decaf_ed25519_prehash_init (
    hash_ctx_t hash
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
 ) {
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
    hash_init_with_dom(hash,1,1,context,context_len);
 #else
    hash_init_with_dom(hash,1,1,NULL,0);
 #endif
    hash_init(hash);
 }
 void decaf_ed25519_derive_public_key (
@@ -137,16 +132,11 @@ void decaf_ed25519_sign (
    const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
    const uint8_t *message,
    size_t message_len,
    uint8_t prehashed
 #if SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
    uint8_t prehashed,
    const uint8_t *context,
    uint8_t context_len,
    uint8_t no_context
 ) {
 #if !SUPPORTS_CONTEXTS
    const uint8_t *const context = NULL;
    const uint8_t context_len = 0;
 #endif
    API_NS(scalar_t) secret_scalar;
    hash_ctx_t hash;
    {
@@ -165,7 +155,7 @@ void decaf_ed25519_sign (
        API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
        /* Hash to create the nonce */
        hash_init_with_dom(hash,prehashed,0,context,context_len);
        hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
        hash_update(hash,expanded.seed,sizeof(expanded.seed));
        hash_update(hash,message,message_len);
        decaf_bzero(&expanded, sizeof(expanded));
@@ -199,7 +189,7 @@ void decaf_ed25519_sign (
    API_NS(scalar_t) challenge_scalar;
    {
        /* Compute the challenge */
        hash_init_with_dom(hash,prehashed,0,context,context_len);
        hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
        hash_update(hash,nonce_point,sizeof(nonce_point));
        hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES);
        hash_update(hash,message,message_len);
@@ -227,11 +217,9 @@ void decaf_ed25519_sign_prehash (
    uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
    const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
    const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
    const decaf_ed25519_prehash_ctx_t hash
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    const decaf_ed25519_prehash_ctx_t hash,
    const uint8_t *context,
    uint8_t context_len
 #endif
 ) {
    uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
    {
@@ -240,13 +228,8 @@ void decaf_ed25519_sign_prehash (
        hash_final(hash_too,hash_output,sizeof(hash_output));
        hash_destroy(hash_too);
    }
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
    decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
 #else
    decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1);
 #endif
    decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len,0);
    decaf_bzero(hash_output,sizeof(hash_output));
 }
@@ -255,16 +238,11 @@ decaf_error_t decaf_ed25519_verify (
    const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
    const uint8_t *message,
    size_t message_len,
    uint8_t prehashed
 #if SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
    uint8_t prehashed,
    const uint8_t *context,
    uint8_t context_len,
    uint8_t no_context
 ) { 
 #if !SUPPORTS_CONTEXTS
    const uint8_t *const context = NULL;
    const uint8_t context_len = 0;
 #endif
    API_NS(point_t) pk_point, r_point;
    decaf_error_t error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(pk_point,pubkey);
    if (DECAF_SUCCESS != error) { return error; }
@@ -276,7 +254,7 @@ decaf_error_t decaf_ed25519_verify (
    {
        /* Compute the challenge */
        hash_ctx_t hash;
        hash_init_with_dom(hash,prehashed,0,context,context_len);
        hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
        hash_update(hash,signature,DECAF_EDDSA_25519_PUBLIC_BYTES);
        hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES);
        hash_update(hash,message,message_len);
@@ -313,11 +291,9 @@ decaf_error_t decaf_ed25519_verify (
 decaf_error_t decaf_ed25519_verify_prehash (
    const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
    const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
    const decaf_ed25519_prehash_ctx_t hash
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    const decaf_ed25519_prehash_ctx_t hash,
    const uint8_t *context,
    uint8_t context_len
 #endif
 ) {
    decaf_error_t ret;
@@ -329,11 +305,7 @@ decaf_error_t decaf_ed25519_verify_prehash (
        hash_destroy(hash_too);
    }
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
    ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
 #else
    ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1);
 #endif
    ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len,0);
    return ret;
 }
--- a/src/GENERATED/c/ed448goldilocks/eddsa.c
+++ b/src/GENERATED/c/ed448goldilocks/eddsa.c
@@ -28,7 +28,7 @@
 #define hash_destroy decaf_shake256_destroy
 #define hash_hash    decaf_shake256_hash
 #define SUPPORTS_CONTEXTS DECAF_EDDSA_448_SUPPORTS_CONTEXTS
 #define NO_CONTEXT DECAF_EDDSA_448_NO_CONTEXT
 #define EDDSA_USE_SIGMA_ISOGENY 0
 #define COFACTOR 4
@@ -58,38 +58,33 @@ static void hash_init_with_dom(
    uint8_t prehashed,
    uint8_t for_prehash,
    const uint8_t *context,
    uint8_t context_len
    uint8_t context_len,
    uint8_t no_context
 ) {
    hash_init(hash);
 #if SUPPORTS_CONTEXTS
 #if NO_CONTEXT
    if (no_context) {
        (void)prehashed;
        (void)for_prehash;
        (void)context;
        (void)context_len;
        return;
    }
 #else
    (void)no_context;
 #endif
    const char *dom_s = "SigEd448";
    const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
    hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
    hash_update(hash,dom,2);
    hash_update(hash,context,context_len);
 #else
    (void)prehashed;
    (void)for_prehash;
    (void)context;
    assert(context==NULL);
    (void)context_len;
    assert(context_len == 0);
 #endif
 }
 void decaf_ed448_prehash_init (
    hash_ctx_t hash
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
 ) {
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
    hash_init_with_dom(hash,1,1,context,context_len);
 #else
    hash_init_with_dom(hash,1,1,NULL,0);
 #endif
    hash_init(hash);
 }
 void decaf_ed448_derive_public_key (
@@ -137,16 +132,11 @@ void decaf_ed448_sign (
    const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
    const uint8_t *message,
    size_t message_len,
    uint8_t prehashed
 #if SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
    uint8_t prehashed,
    const uint8_t *context,
    uint8_t context_len,
    uint8_t no_context
 ) {
 #if !SUPPORTS_CONTEXTS
    const uint8_t *const context = NULL;
    const uint8_t context_len = 0;
 #endif
    API_NS(scalar_t) secret_scalar;
    hash_ctx_t hash;
    {
@@ -165,7 +155,7 @@ void decaf_ed448_sign (
        API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
        /* Hash to create the nonce */
        hash_init_with_dom(hash,prehashed,0,context,context_len);
        hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
        hash_update(hash,expanded.seed,sizeof(expanded.seed));
        hash_update(hash,message,message_len);
        decaf_bzero(&expanded, sizeof(expanded));
@@ -199,7 +189,7 @@ void decaf_ed448_sign (
    API_NS(scalar_t) challenge_scalar;
    {
        /* Compute the challenge */
        hash_init_with_dom(hash,prehashed,0,context,context_len);
        hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
        hash_update(hash,nonce_point,sizeof(nonce_point));
        hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
        hash_update(hash,message,message_len);
@@ -227,11 +217,9 @@ void decaf_ed448_sign_prehash (
    uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
    const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
    const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
    const decaf_ed448_prehash_ctx_t hash
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    const decaf_ed448_prehash_ctx_t hash,
    const uint8_t *context,
    uint8_t context_len
 #endif
 ) {
    uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
    {
@@ -240,13 +228,8 @@ void decaf_ed448_sign_prehash (
        hash_final(hash_too,hash_output,sizeof(hash_output));
        hash_destroy(hash_too);
    }
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
    decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
 #else
    decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1);
 #endif
    decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len,0);
    decaf_bzero(hash_output,sizeof(hash_output));
 }
@@ -255,16 +238,11 @@ decaf_error_t decaf_ed448_verify (
    const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
    const uint8_t *message,
    size_t message_len,
    uint8_t prehashed
 #if SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
    uint8_t prehashed,
    const uint8_t *context,
    uint8_t context_len,
    uint8_t no_context
 ) { 
 #if !SUPPORTS_CONTEXTS
    const uint8_t *const context = NULL;
    const uint8_t context_len = 0;
 #endif
    API_NS(point_t) pk_point, r_point;
    decaf_error_t error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(pk_point,pubkey);
    if (DECAF_SUCCESS != error) { return error; }
@@ -276,7 +254,7 @@ decaf_error_t decaf_ed448_verify (
    {
        /* Compute the challenge */
        hash_ctx_t hash;
        hash_init_with_dom(hash,prehashed,0,context,context_len);
        hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
        hash_update(hash,signature,DECAF_EDDSA_448_PUBLIC_BYTES);
        hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
        hash_update(hash,message,message_len);
@@ -313,11 +291,9 @@ decaf_error_t decaf_ed448_verify (
 decaf_error_t decaf_ed448_verify_prehash (
    const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
    const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
    const decaf_ed448_prehash_ctx_t hash
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    const decaf_ed448_prehash_ctx_t hash,
    const uint8_t *context,
    uint8_t context_len
 #endif
 ) {
    decaf_error_t ret;
@@ -329,11 +305,7 @@ decaf_error_t decaf_ed448_verify_prehash (
        hash_destroy(hash_too);
    }
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
    ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
 #else
    ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1);
 #endif
    ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len,0);
    return ret;
 }
--- a/src/GENERATED/include/decaf/ed255.h
+++ b/src/GENERATED/include/decaf/ed255.h
@@ -32,8 +32,8 @@ extern "C" {
 /** Number of bytes in an EdDSA private key. */
 #define DECAF_EDDSA_25519_SIGNATURE_BYTES (DECAF_EDDSA_25519_PUBLIC_BYTES + DECAF_EDDSA_25519_PRIVATE_BYTES)
 /** Does EdDSA support contexts? */
 #define DECAF_EDDSA_25519_SUPPORTS_CONTEXTS 0
 /** Does EdDSA support non-contextual signatures? */
 #define DECAF_EDDSA_25519_NO_CONTEXT 1
 /** Prehash context renaming macros. */
 #define decaf_ed25519_prehash_ctx_s   decaf_sha512_ctx_s
@@ -59,11 +59,12 @@ void decaf_ed25519_derive_public_key (
 * @param [out] signature The signature.
 * @param [in] privkey The private key.
 * @param [in] pubkey The public key.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 * @param [in] message The message to sign.
 * @param [in] message_len The length of the message.
 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 * @param [in] no_context Nonzero if no context should be used (only Ed25519 supported).
 *
 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
 * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
@@ -76,11 +77,10 @@ void decaf_ed25519_sign (
    const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
    const uint8_t *message,
    size_t message_len,
    uint8_t prehashed
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
    uint8_t prehashed,
    const uint8_t *context,
    uint8_t context_len,
    uint8_t no_context
 ) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;
 /**
@@ -89,10 +89,9 @@ void decaf_ed25519_sign (
 * @param [out] signature The signature.
 * @param [in] privkey The private key.
 * @param [in] pubkey The public key.
 * @param [in] hash The hash of the message.  This object will not be modified by the call.
 * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.
 * @param [in] context_len Length of the context.
 * @param [in] hash The hash of the message.  This object will not be modified by the call.
 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
 *
 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
 * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
@@ -103,26 +102,18 @@ void decaf_ed25519_sign_prehash (
    uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
    const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
    const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
    const decaf_ed25519_prehash_ctx_t hash
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    const decaf_ed25519_prehash_ctx_t hash,
    const uint8_t *context,
    uint8_t context_len
 #endif
 ) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE;
 /**
 * @brief Prehash initialization, with contexts if supported.
 *
 * @param [out] hash The hash object to be initialized.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 */
 void decaf_ed25519_prehash_init (
    decaf_ed25519_prehash_ctx_t hash
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
 ) API_VIS __attribute__((nonnull(1))) NOINLINE;
 /**
@@ -132,11 +123,12 @@ void decaf_ed25519_prehash_init (
 *
 * @param [in] signature The signature.
 * @param [in] pubkey The public key.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 * @param [in] message The message to verify.
 * @param [in] message_len The length of the message.
 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 * @param [in] no_context Nonzero if no context should be used (only Ed25519 supported).
 *
 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
 * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
@@ -148,11 +140,10 @@ decaf_error_t decaf_ed25519_verify (
    const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
    const uint8_t *message,
    size_t message_len,
    uint8_t prehashed
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
    uint8_t prehashed,
    const uint8_t *context,
    uint8_t context_len,
    uint8_t no_context
 ) API_VIS __attribute__((nonnull(1,2))) NOINLINE;
 /**
@@ -162,10 +153,9 @@ decaf_error_t decaf_ed25519_verify (
 *
 * @param [in] signature The signature.
 * @param [in] pubkey The public key.
 * @param [in] hash The hash of the message.  This object will not be modified by the call.
 * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.
 * @param [in] context_len Length of the context.
 * @param [in] hash The hash of the message.  This object will not be modified by the call.
 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
 *
 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
 * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
@@ -175,11 +165,9 @@ decaf_error_t decaf_ed25519_verify (
 decaf_error_t decaf_ed25519_verify_prehash (
    const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
    const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
    const decaf_ed25519_prehash_ctx_t hash
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    const decaf_ed25519_prehash_ctx_t hash,
    const uint8_t *context,
    uint8_t context_len
 #endif
 ) API_VIS __attribute__((nonnull(1,2))) NOINLINE;
 /**
--- a/src/GENERATED/include/decaf/ed255.hxx
+++ b/src/GENERATED/include/decaf/ed255.hxx
@@ -49,22 +49,14 @@ template<> struct EdDSA<IsoEd25519> {
 /** @cond internal */
 template<class CRTP, Prehashed> class Signing;
 template<class CRTP, Prehashed> class Verification;
 template<Prehashed=PURE> class PublicKeyBase;
 template<Prehashed=PURE> class PrivateKeyBase;
 typedef class PublicKeyBase<PURE> PublicKey, PublicKeyPure;
 typedef class PublicKeyBase<PREHASHED> PublicKeyPh;
 typedef class PrivateKeyBase<PURE> PrivateKey, PrivateKeyPure;
 typedef class PrivateKeyBase<PREHASHED> PrivateKeyPh;
 class PublicKeyBase;
 class PrivateKeyBase;
 typedef class PrivateKeyBase PrivateKey, PrivateKeyPure, PrivateKeyPh;
 typedef class PublicKeyBase PublicKey, PublicKeyPure, PublicKeyPh;
 /** @endcond */
 /** Prehash context for EdDSA. */
 class Prehash : public SHA512 {
 public:
    /** Do we support contexts for signatures?  If not, they must always be NULL */
    static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_25519_SUPPORTS_CONTEXTS;
 private:
    typedef SHA512 Super;
    SecureBuffer context_;
@@ -74,17 +66,11 @@ private:
    void init() throw(LengthException) {
        Super::reset();
        if (context_.size() > 255
            || (context_.size() != 0 && !SUPPORTS_CONTEXTS)
        ) {
        if (context_.size() > 255) {
            throw LengthException();
        }
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
        decaf_ed25519_prehash_init((decaf_sha512_ctx_s *)wrapped,context_.data(),context_.size());
 #else
        decaf_ed25519_prehash_init(wrapped);
 #endif
        decaf_ed25519_prehash_init((decaf_sha512_ctx_s *)wrapped);
    }
 public:
@@ -126,11 +112,9 @@ public:
            out.data(),
            ((const CRTP*)this)->priv_.data(),
            ((const CRTP*)this)->pub_.data(),
            (const decaf_ed25519_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
            , ph.context_.data(),
            (const decaf_ed25519_prehash_ctx_s*)ph.wrapped,
            ph.context_.data(),
            ph.context_.size()
 #endif
        );
        return out;
    }
@@ -151,20 +135,18 @@ public:
    /**
     * Sign a message.
     * @param [in] message The message to be signed.
     * @param [in] context A context for the signature; must be at most 255 bytes;
     * must be absent if SUPPORTS_CONTEXTS == false.
     * @param [in] context A context for the signature; must be at most 255 bytes.
     *
     * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
     */
    inline SecureBuffer sign (
        const Block &message,
        const Block &context = Block(NULL,0)
        const Block &context = Block(NULL,0),
        const bool no_context = false
    ) const /* TODO: this exn spec tickles a Clang bug?
             * throw(LengthException, std::bad_alloc)
             */ {
        if (context.size() > 255
            || (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
        ) {
        if (context.size() > 255) {
            throw LengthException();
        }
@@ -175,28 +157,27 @@ public:
            ((const CRTP*)this)->pub_.data(),
            message.data(),
            message.size(),
            0
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
            , context.data(),
            context.size()
 #endif
            0,
            context.data(),
            context.size(),
            no_context
        );
        return out;
    }
 };
 template<Prehashed ph> class PrivateKeyBase
    : public Serializable<PrivateKeyBase<ph> >
    , public Signing<PrivateKeyBase<ph>,ph> {
 class PrivateKeyBase
    : public Serializable<PrivateKeyBase>
    , public Signing<PrivateKeyBase,PURE>
    , public Signing<PrivateKeyBase,PREHASHED> {
 public:
    typedef class PublicKeyBase<ph> MyPublicKey;
    typedef class PublicKeyBase MyPublicKey;
 private:
 /** @cond internal */
    friend class PublicKeyBase<ph>;
    friend class Signing<PrivateKeyBase<ph>, ph>;
    friend class PublicKeyBase;
    friend class Signing<PrivateKey,PURE>;
    friend class Signing<PrivateKey,PREHASHED>;
 /** @endcond */
    /** The pre-expansion form of the signing key. */
    FixedArrayBuffer<DECAF_EDDSA_25519_PRIVATE_BYTES> priv_;
@@ -214,9 +195,6 @@ public:
    /** Serialization size. */
    static const size_t SER_BYTES = DECAF_EDDSA_25519_PRIVATE_BYTES;
    /** Do we support contexts for signatures?  If not, they must always be NULL */
    static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_25519_SUPPORTS_CONTEXTS;
    /** Create but don't initialize */
    inline explicit PrivateKeyBase(const NOINIT&) NOEXCEPT : priv_((NOINIT())), pub_((NOINIT())) { }
@@ -269,11 +247,10 @@ public:
    inline decaf_error_t WARN_UNUSED verify_noexcept (
        const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
        const Block &message,
        const Block &context = Block(NULL,0)
        const Block &context = Block(NULL,0),
        const bool no_context = false
    ) const /*NOEXCEPT*/ {
        if (context.size() > 255
            || (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
        ) {
        if (context.size() > 255) {
            return DECAF_FAILURE;
        }
@@ -282,34 +259,31 @@ public:
            ((const CRTP*)this)->pub_.data(),
            message.data(),
            message.size(),
            0
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
            , context.data(),
            context.size()
 #endif
            0,
            context.data(),
            context.size(),
            no_context
        );
    }
    /** Verify a signature, throwing an exception if verification fails
     * @param [in] sig The signature.
     * @param [in] message The signed message.
     * @param [in] context A context for the signature; must be at most 255 bytes;
     * must be absent if SUPPORTS_CONTEXTS == false.
     * @param [in] context A context for the signature; must be at most 255 bytes.
     *
     * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
     */
    inline void verify (
        const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
        const Block &message,
        const Block &context = Block(NULL,0)
        const Block &context = Block(NULL,0),
        const bool no_context = false
    ) const /*throw(LengthException,CryptoException)*/ {
        if (context.size() > 255
            || (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
        ) {
        if (context.size() > 255) {
            throw LengthException();
        }
        if (DECAF_SUCCESS != verify_noexcept( sig, message, context )) {
        if (DECAF_SUCCESS != verify_noexcept( sig, message, context, no_context )) {
            throw CryptoException();
        }
    }
@@ -326,11 +300,9 @@ public:
        return decaf_ed25519_verify_prehash (
            sig.data(),
            ((const CRTP*)this)->pub_.data(),
            (const decaf_ed25519_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
            , ph.context_.data(),
            (const decaf_ed25519_prehash_ctx_s*)ph.wrapped,
            ph.context_.data(),
            ph.context_.size()
 #endif
        );
    }
@@ -342,11 +314,9 @@ public:
        if (DECAF_SUCCESS != decaf_ed25519_verify_prehash (
            sig.data(),
            ((const CRTP*)this)->pub_.data(),
            (const decaf_ed25519_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
            , ph.context_.data(),
            (const decaf_ed25519_prehash_ctx_s*)ph.wrapped,
            ph.context_.data(),
            ph.context_.size()
 #endif
        )) {
            throw CryptoException();
        }
@@ -365,20 +335,20 @@ public:
 };
 template<Prehashed ph> class PublicKeyBase
    : public Serializable<PublicKeyBase<ph> >
    , public Verification<PublicKeyBase<ph>,ph> {
 class PublicKeyBase
    : public Serializable<PublicKeyBase>
    , public Verification<PublicKeyBase,PURE>
    , public Verification<PublicKeyBase,PREHASHED> {
 public:
    typedef class PrivateKeyBase<ph> MyPrivateKey;
    typedef class PrivateKeyBase MyPrivateKey;
 private:
 /** @cond internal */
    friend class PrivateKeyBase<ph>;
    friend class Verification<PublicKeyBase<ph>, ph>;
    friend class PrivateKeyBase;
    friend class Verification<PublicKey,PURE>;
    friend class Verification<PublicKey,PREHASHED>;
 /** @endcond */
 private:
    /** The pre-expansion form of the signature */
    FixedArrayBuffer<DECAF_EDDSA_25519_PUBLIC_BYTES> pub_;
@@ -395,9 +365,6 @@ public:
    /** Serialization size. */
    static const size_t SER_BYTES = DECAF_EDDSA_25519_PRIVATE_BYTES;
    /** Do we support contexts for signatures?  If not, they must always be NULL */
    static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_25519_SUPPORTS_CONTEXTS;
    /** Create but don't initialize */
    inline explicit PublicKeyBase(const NOINIT&) NOEXCEPT : pub_((NOINIT())) { }
--- a/src/GENERATED/include/decaf/ed448.h
+++ b/src/GENERATED/include/decaf/ed448.h
@@ -32,8 +32,8 @@ extern "C" {
 /** Number of bytes in an EdDSA private key. */
 #define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + DECAF_EDDSA_448_PRIVATE_BYTES)
 /** Does EdDSA support contexts? */
 #define DECAF_EDDSA_448_SUPPORTS_CONTEXTS 1
 /** Does EdDSA support non-contextual signatures? */
 #define DECAF_EDDSA_448_NO_CONTEXT 0
 /** Prehash context renaming macros. */
 #define decaf_ed448_prehash_ctx_s   decaf_shake256_ctx_s
@@ -59,11 +59,12 @@ void decaf_ed448_derive_public_key (
 * @param [out] signature The signature.
 * @param [in] privkey The private key.
 * @param [in] pubkey The public key.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 * @param [in] message The message to sign.
 * @param [in] message_len The length of the message.
 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 * @param [in] no_context Nonzero if no context should be used (only Ed25519 supported).
 *
 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
 * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
@@ -76,11 +77,10 @@ void decaf_ed448_sign (
    const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
    const uint8_t *message,
    size_t message_len,
    uint8_t prehashed
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
    uint8_t prehashed,
    const uint8_t *context,
    uint8_t context_len,
    uint8_t no_context
 ) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;
 /**
@@ -89,10 +89,9 @@ void decaf_ed448_sign (
 * @param [out] signature The signature.
 * @param [in] privkey The private key.
 * @param [in] pubkey The public key.
 * @param [in] hash The hash of the message.  This object will not be modified by the call.
 * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.
 * @param [in] context_len Length of the context.
 * @param [in] hash The hash of the message.  This object will not be modified by the call.
 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
 *
 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
 * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
@@ -103,26 +102,18 @@ void decaf_ed448_sign_prehash (
    uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
    const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
    const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
    const decaf_ed448_prehash_ctx_t hash
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    const decaf_ed448_prehash_ctx_t hash,
    const uint8_t *context,
    uint8_t context_len
 #endif
 ) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE;
 /**
 * @brief Prehash initialization, with contexts if supported.
 *
 * @param [out] hash The hash object to be initialized.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 */
 void decaf_ed448_prehash_init (
    decaf_ed448_prehash_ctx_t hash
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
 ) API_VIS __attribute__((nonnull(1))) NOINLINE;
 /**
@@ -132,11 +123,12 @@ void decaf_ed448_prehash_init (
 *
 * @param [in] signature The signature.
 * @param [in] pubkey The public key.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 * @param [in] message The message to verify.
 * @param [in] message_len The length of the message.
 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 * @param [in] no_context Nonzero if no context should be used (only Ed25519 supported).
 *
 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
 * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
@@ -148,11 +140,10 @@ decaf_error_t decaf_ed448_verify (
    const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
    const uint8_t *message,
    size_t message_len,
    uint8_t prehashed
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
    uint8_t prehashed,
    const uint8_t *context,
    uint8_t context_len,
    uint8_t no_context
 ) API_VIS __attribute__((nonnull(1,2))) NOINLINE;
 /**
@@ -162,10 +153,9 @@ decaf_error_t decaf_ed448_verify (
 *
 * @param [in] signature The signature.
 * @param [in] pubkey The public key.
 * @param [in] hash The hash of the message.  This object will not be modified by the call.
 * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.
 * @param [in] context_len Length of the context.
 * @param [in] hash The hash of the message.  This object will not be modified by the call.
 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
 *
 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
 * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
@@ -175,11 +165,9 @@ decaf_error_t decaf_ed448_verify (
 decaf_error_t decaf_ed448_verify_prehash (
    const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
    const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
    const decaf_ed448_prehash_ctx_t hash
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    const decaf_ed448_prehash_ctx_t hash,
    const uint8_t *context,
    uint8_t context_len
 #endif
 ) API_VIS __attribute__((nonnull(1,2))) NOINLINE;
 /**
--- a/src/GENERATED/include/decaf/ed448.hxx
+++ b/src/GENERATED/include/decaf/ed448.hxx
@@ -49,20 +49,14 @@ template<> struct EdDSA<Ed448Goldilocks> {
 /** @cond internal */
 template<class CRTP, Prehashed> class Signing;
 template<class CRTP, Prehashed> class Verification;
 class PublicKeyBase;
 class PrivateKeyBase;
 typedef class PrivateKeyBase PrivateKey, PrivateKeyPure, PrivateKeyPh;
 typedef class PublicKeyBase PublicKey, PublicKeyPure, PublicKeyPh;
 /** @endcond */
 /** Prehash context for EdDSA. */
 class Prehash : public SHAKE<256> {
 public:
    /** Do we support contexts for signatures?  If not, they must always be NULL */
    static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_448_SUPPORTS_CONTEXTS;
 private:
    typedef SHAKE<256> Super;
    SecureBuffer context_;
@@ -72,17 +66,11 @@ private:
    void init() throw(LengthException) {
        Super::reset();
        if (context_.size() > 255
            || (context_.size() != 0 && !SUPPORTS_CONTEXTS)
        ) {
        if (context_.size() > 255) {
            throw LengthException();
        }
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
        decaf_ed448_prehash_init((decaf_shake256_ctx_s *)wrapped,context_.data(),context_.size());
 #else
        decaf_ed448_prehash_init(wrapped);
 #endif
        decaf_ed448_prehash_init((decaf_shake256_ctx_s *)wrapped);
    }
 public:
@@ -124,11 +112,9 @@ public:
            out.data(),
            ((const CRTP*)this)->priv_.data(),
            ((const CRTP*)this)->pub_.data(),
            (const decaf_ed448_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
            , ph.context_.data(),
            (const decaf_ed448_prehash_ctx_s*)ph.wrapped,
            ph.context_.data(),
            ph.context_.size()
 #endif
        );
        return out;
    }
@@ -149,20 +135,18 @@ public:
    /**
     * Sign a message.
     * @param [in] message The message to be signed.
     * @param [in] context A context for the signature; must be at most 255 bytes;
     * must be absent if SUPPORTS_CONTEXTS == false.
     * @param [in] context A context for the signature; must be at most 255 bytes.
     *
     * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
     */
    inline SecureBuffer sign (
        const Block &message,
        const Block &context = Block(NULL,0)
        const Block &context = Block(NULL,0),
        const bool no_context = false
    ) const /* TODO: this exn spec tickles a Clang bug?
             * throw(LengthException, std::bad_alloc)
             */ {
        if (context.size() > 255
            || (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
        ) {
        if (context.size() > 255) {
            throw LengthException();
        }
@@ -173,17 +157,15 @@ public:
            ((const CRTP*)this)->pub_.data(),
            message.data(),
            message.size(),
            0
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
            , context.data(),
            context.size()
 #endif
            0,
            context.data(),
            context.size(),
            no_context
        );
        return out;
    }
 };
 class PrivateKeyBase
    : public Serializable<PrivateKeyBase>
    , public Signing<PrivateKeyBase,PURE>
@@ -196,7 +178,6 @@ private:
    friend class Signing<PrivateKey,PURE>;
    friend class Signing<PrivateKey,PREHASHED>;
 /** @endcond */
    /** The pre-expansion form of the signing key. */
    FixedArrayBuffer<DECAF_EDDSA_448_PRIVATE_BYTES> priv_;
@@ -214,9 +195,6 @@ public:
    /** Serialization size. */
    static const size_t SER_BYTES = DECAF_EDDSA_448_PRIVATE_BYTES;
    /** Do we support contexts for signatures?  If not, they must always be NULL */
    static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_448_SUPPORTS_CONTEXTS;
    /** Create but don't initialize */
    inline explicit PrivateKeyBase(const NOINIT&) NOEXCEPT : priv_((NOINIT())), pub_((NOINIT())) { }
@@ -269,11 +247,10 @@ public:
    inline decaf_error_t WARN_UNUSED verify_noexcept (
        const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
        const Block &message,
        const Block &context = Block(NULL,0)
        const Block &context = Block(NULL,0),
        const bool no_context = false
    ) const /*NOEXCEPT*/ {
        if (context.size() > 255
            || (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
        ) {
        if (context.size() > 255) {
            return DECAF_FAILURE;
        }
@@ -282,34 +259,31 @@ public:
            ((const CRTP*)this)->pub_.data(),
            message.data(),
            message.size(),
            0
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
            , context.data(),
            context.size()
 #endif
            0,
            context.data(),
            context.size(),
            no_context
        );
    }
    /** Verify a signature, throwing an exception if verification fails
     * @param [in] sig The signature.
     * @param [in] message The signed message.
     * @param [in] context A context for the signature; must be at most 255 bytes;
     * must be absent if SUPPORTS_CONTEXTS == false.
     * @param [in] context A context for the signature; must be at most 255 bytes.
     *
     * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
     */
    inline void verify (
        const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
        const Block &message,
        const Block &context = Block(NULL,0)
        const Block &context = Block(NULL,0),
        const bool no_context = false
    ) const /*throw(LengthException,CryptoException)*/ {
        if (context.size() > 255
            || (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
        ) {
        if (context.size() > 255) {
            throw LengthException();
        }
        if (DECAF_SUCCESS != verify_noexcept( sig, message, context )) {
        if (DECAF_SUCCESS != verify_noexcept( sig, message, context, no_context )) {
            throw CryptoException();
        }
    }
@@ -326,11 +300,9 @@ public:
        return decaf_ed448_verify_prehash (
            sig.data(),
            ((const CRTP*)this)->pub_.data(),
            (const decaf_ed448_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
            , ph.context_.data(),
            (const decaf_ed448_prehash_ctx_s*)ph.wrapped,
            ph.context_.data(),
            ph.context_.size()
 #endif
        );
    }
@@ -342,11 +314,9 @@ public:
        if (DECAF_SUCCESS != decaf_ed448_verify_prehash (
            sig.data(),
            ((const CRTP*)this)->pub_.data(),
            (const decaf_ed448_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
            , ph.context_.data(),
            (const decaf_ed448_prehash_ctx_s*)ph.wrapped,
            ph.context_.data(),
            ph.context_.size()
 #endif
        )) {
            throw CryptoException();
        }
@@ -365,7 +335,6 @@ public:
 };
 class PublicKeyBase
    : public Serializable<PublicKeyBase>
    , public Verification<PublicKeyBase,PURE>
@@ -380,7 +349,6 @@ private:
    friend class Verification<PublicKey,PREHASHED>;
 /** @endcond */
 private:
    /** The pre-expansion form of the signature */
    FixedArrayBuffer<DECAF_EDDSA_448_PUBLIC_BYTES> pub_;
@@ -397,9 +365,6 @@ public:
    /** Serialization size. */
    static const size_t SER_BYTES = DECAF_EDDSA_448_PRIVATE_BYTES;
    /** Do we support contexts for signatures?  If not, they must always be NULL */
    static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_448_SUPPORTS_CONTEXTS;
    /** Create but don't initialize */
    inline explicit PublicKeyBase(const NOINIT&) NOEXCEPT : pub_((NOINIT())) { }
--- a/src/generator/curve_data.py
+++ b/src/generator/curve_data.py
@@ -36,8 +36,8 @@ curve_data = {
        "window_bits":4,
        "eddsa_hash": "sha512",
        "eddsa_supports_contexts": 0,
        "eddsa_dom": "",
        "eddsa_no_context": 1,
        "eddsa_dom": "SigEd25519 no Ed25519 collisions",
        "eddsa_sigma_iso": 1
    },
    "ed448goldilocks" : {
@@ -112,8 +112,8 @@ for curve,data in curve_data.iteritems():
    if "eddsa_hash" not in data:
        data["eddsa_hash"] = "shake256"
    if "eddsa_supports_contexts" not in data:
        data["eddsa_supports_contexts"] = 1
    if "eddsa_no_context" not in data:
        data["eddsa_no_context"] = 0
    if "cxx_ns" not in data:
        data["cxx_ns"] = data["name"].replace("-","")
--- a/src/per_curve/eddsa.tmpl.c
+++ b/src/per_curve/eddsa.tmpl.c
@@ -19,7 +19,7 @@
 #define hash_destroy decaf_$(eddsa_hash)_destroy
 #define hash_hash    decaf_$(eddsa_hash)_hash
 #define SUPPORTS_CONTEXTS DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
 #define NO_CONTEXT DECAF_EDDSA_$(gf_shortname)_NO_CONTEXT
 #define EDDSA_USE_SIGMA_ISOGENY $(eddsa_sigma_iso)
 #define COFACTOR $(cofactor)
@@ -49,38 +49,33 @@ static void hash_init_with_dom(
    uint8_t prehashed,
    uint8_t for_prehash,
    const uint8_t *context,
    uint8_t context_len
    uint8_t context_len,
    uint8_t no_context
 ) {
    hash_init(hash);
 #if SUPPORTS_CONTEXTS
 #if NO_CONTEXT
    if (no_context) {
        (void)prehashed;
        (void)for_prehash;
        (void)context;
        (void)context_len;
        return;
    }
 #else
    (void)no_context;
 #endif
    const char *dom_s = "$(eddsa_dom)";
    const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
    hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
    hash_update(hash,dom,2);
    hash_update(hash,context,context_len);
 #else
    (void)prehashed;
    (void)for_prehash;
    (void)context;
    assert(context==NULL);
    (void)context_len;
    assert(context_len == 0);
 #endif
 }
 void decaf_ed$(gf_shortname)_prehash_init (
    hash_ctx_t hash
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
 ) {
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
    hash_init_with_dom(hash,1,1,context,context_len);
 #else
    hash_init_with_dom(hash,1,1,NULL,0);
 #endif
    hash_init(hash);
 }
 void decaf_ed$(gf_shortname)_derive_public_key (
@@ -128,16 +123,11 @@ void decaf_ed$(gf_shortname)_sign (
    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
    const uint8_t *message,
    size_t message_len,
    uint8_t prehashed
 #if SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
    uint8_t prehashed,
    const uint8_t *context,
    uint8_t context_len,
    uint8_t no_context
 ) {
 #if !SUPPORTS_CONTEXTS
    const uint8_t *const context = NULL;
    const uint8_t context_len = 0;
 #endif
    API_NS(scalar_t) secret_scalar;
    hash_ctx_t hash;
    {
@@ -156,7 +146,7 @@ void decaf_ed$(gf_shortname)_sign (
        API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
        /* Hash to create the nonce */
        hash_init_with_dom(hash,prehashed,0,context,context_len);
        hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
        hash_update(hash,expanded.seed,sizeof(expanded.seed));
        hash_update(hash,message,message_len);
        decaf_bzero(&expanded, sizeof(expanded));
@@ -190,7 +180,7 @@ void decaf_ed$(gf_shortname)_sign (
    API_NS(scalar_t) challenge_scalar;
    {
        /* Compute the challenge */
        hash_init_with_dom(hash,prehashed,0,context,context_len);
        hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
        hash_update(hash,nonce_point,sizeof(nonce_point));
        hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
        hash_update(hash,message,message_len);
@@ -218,11 +208,9 @@ void decaf_ed$(gf_shortname)_sign_prehash (
    uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
    const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
    const decaf_ed$(gf_shortname)_prehash_ctx_t hash
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    const decaf_ed$(gf_shortname)_prehash_ctx_t hash,
    const uint8_t *context,
    uint8_t context_len
 #endif
 ) {
    uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
    {
@@ -231,13 +219,8 @@ void decaf_ed$(gf_shortname)_sign_prehash (
        hash_final(hash_too,hash_output,sizeof(hash_output));
        hash_destroy(hash_too);
    }
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
    decaf_ed$(gf_shortname)_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
 #else
    decaf_ed$(gf_shortname)_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1);
 #endif
    decaf_ed$(gf_shortname)_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len,0);
    decaf_bzero(hash_output,sizeof(hash_output));
 }
@@ -246,16 +229,11 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
    const uint8_t *message,
    size_t message_len,
    uint8_t prehashed
 #if SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
    uint8_t prehashed,
    const uint8_t *context,
    uint8_t context_len,
    uint8_t no_context
 ) { 
 #if !SUPPORTS_CONTEXTS
    const uint8_t *const context = NULL;
    const uint8_t context_len = 0;
 #endif
    API_NS(point_t) pk_point, r_point;
    decaf_error_t error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(pk_point,pubkey);
    if (DECAF_SUCCESS != error) { return error; }
@@ -267,7 +245,7 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
    {
        /* Compute the challenge */
        hash_ctx_t hash;
        hash_init_with_dom(hash,prehashed,0,context,context_len);
        hash_init_with_dom(hash,prehashed,0,context,context_len,no_context);
        hash_update(hash,signature,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
        hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
        hash_update(hash,message,message_len);
@@ -304,11 +282,9 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
 decaf_error_t decaf_ed$(gf_shortname)_verify_prehash (
    const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
    const decaf_ed$(gf_shortname)_prehash_ctx_t hash
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    const decaf_ed$(gf_shortname)_prehash_ctx_t hash,
    const uint8_t *context,
    uint8_t context_len
 #endif
 ) {
    decaf_error_t ret;
@@ -320,11 +296,7 @@ decaf_error_t decaf_ed$(gf_shortname)_verify_prehash (
        hash_destroy(hash_too);
    }
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
    ret = decaf_ed$(gf_shortname)_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
 #else
    ret = decaf_ed$(gf_shortname)_verify(signature,pubkey,hash_output,sizeof(hash_output),1);
 #endif
    ret = decaf_ed$(gf_shortname)_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len,0);
    return ret;
 }
--- a/src/per_curve/eddsa.tmpl.h
+++ b/src/per_curve/eddsa.tmpl.h
@@ -17,8 +17,8 @@ extern "C" {
 /** Number of bytes in an EdDSA private key. */
 #define DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES (DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES + DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES)
 /** Does EdDSA support contexts? */
 #define DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS $(eddsa_supports_contexts)
 /** Does EdDSA support non-contextual signatures? */
 #define DECAF_EDDSA_$(gf_shortname)_NO_CONTEXT $(eddsa_no_context)
 /** Prehash context renaming macros. */
 #define decaf_ed$(gf_shortname)_prehash_ctx_s   decaf_$(eddsa_hash)_ctx_s
@@ -44,11 +44,12 @@ void decaf_ed$(gf_shortname)_derive_public_key (
 * @param [out] signature The signature.
 * @param [in] privkey The private key.
 * @param [in] pubkey The public key.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 * @param [in] message The message to sign.
 * @param [in] message_len The length of the message.
 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 * @param [in] no_context Nonzero if no context should be used (only Ed25519 supported).
 *
 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
 * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
@@ -61,11 +62,10 @@ void decaf_ed$(gf_shortname)_sign (
    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
    const uint8_t *message,
    size_t message_len,
    uint8_t prehashed
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
    uint8_t prehashed,
    const uint8_t *context,
    uint8_t context_len,
    uint8_t no_context
 ) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;
 /**
@@ -74,10 +74,9 @@ void decaf_ed$(gf_shortname)_sign (
 * @param [out] signature The signature.
 * @param [in] privkey The private key.
 * @param [in] pubkey The public key.
 * @param [in] hash The hash of the message.  This object will not be modified by the call.
 * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.
 * @param [in] context_len Length of the context.
 * @param [in] hash The hash of the message.  This object will not be modified by the call.
 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
 *
 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
 * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
@@ -88,26 +87,18 @@ void decaf_ed$(gf_shortname)_sign_prehash (
    uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
    const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
    const decaf_ed$(gf_shortname)_prehash_ctx_t hash
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    const decaf_ed$(gf_shortname)_prehash_ctx_t hash,
    const uint8_t *context,
    uint8_t context_len
 #endif
 ) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE;
 /**
 * @brief Prehash initialization, with contexts if supported.
 *
 * @param [out] hash The hash object to be initialized.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 */
 void decaf_ed$(gf_shortname)_prehash_init (
    decaf_ed$(gf_shortname)_prehash_ctx_t hash
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
 ) API_VIS __attribute__((nonnull(1))) NOINLINE;
 /**
@@ -117,11 +108,12 @@ void decaf_ed$(gf_shortname)_prehash_init (
 *
 * @param [in] signature The signature.
 * @param [in] pubkey The public key.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 * @param [in] message The message to verify.
 * @param [in] message_len The length of the message.
 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
 * @param [in] context A "context" for this signature of up to 255 bytes.
 * @param [in] context_len Length of the context.
 * @param [in] no_context Nonzero if no context should be used (only Ed25519 supported).
 *
 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
 * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
@@ -133,11 +125,10 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
    const uint8_t *message,
    size_t message_len,
    uint8_t prehashed
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    uint8_t context_len
 #endif
    uint8_t prehashed,
    const uint8_t *context,
    uint8_t context_len,
    uint8_t no_context
 ) API_VIS __attribute__((nonnull(1,2))) NOINLINE;
 /**
@@ -147,10 +138,9 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
 *
 * @param [in] signature The signature.
 * @param [in] pubkey The public key.
 * @param [in] hash The hash of the message.  This object will not be modified by the call.
 * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.
 * @param [in] context_len Length of the context.
 * @param [in] hash The hash of the message.  This object will not be modified by the call.
 * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
 *
 * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
 * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is
@@ -160,11 +150,9 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
 decaf_error_t decaf_ed$(gf_shortname)_verify_prehash (
    const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
    const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
    const decaf_ed$(gf_shortname)_prehash_ctx_t hash
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
    , const uint8_t *context,
    const decaf_ed$(gf_shortname)_prehash_ctx_t hash,
    const uint8_t *context,
    uint8_t context_len
 #endif
 ) API_VIS __attribute__((nonnull(1,2))) NOINLINE;
 /**
--- a/src/per_curve/eddsa.tmpl.hxx
+++ b/src/per_curve/eddsa.tmpl.hxx
@@ -33,27 +33,14 @@ template<> struct EdDSA<$(cxx_ns)> {
 /** @cond internal */
 template<class CRTP, Prehashed> class Signing;
 template<class CRTP, Prehashed> class Verification;
 $("""
 class PublicKeyBase;
 class PrivateKeyBase;
 typedef class PrivateKeyBase PrivateKey, PrivateKeyPure, PrivateKeyPh;
 typedef class PublicKeyBase PublicKey, PublicKeyPure, PublicKeyPh;
  """ if eddsa_supports_contexts else """
 template<Prehashed=PURE> class PublicKeyBase;
 template<Prehashed=PURE> class PrivateKeyBase;
 typedef class PublicKeyBase<PURE> PublicKey, PublicKeyPure;
 typedef class PublicKeyBase<PREHASHED> PublicKeyPh;
 typedef class PrivateKeyBase<PURE> PrivateKey, PrivateKeyPure;
 typedef class PrivateKeyBase<PREHASHED> PrivateKeyPh;
 """)
 /** @endcond */
 /** Prehash context for EdDSA. */
 class Prehash : public $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) {
 public:
    /** Do we support contexts for signatures?  If not, they must always be NULL */
    static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS;
 private:
    typedef $(re.sub(r"SHAKE(\d+)",r"SHAKE<\1>", eddsa_hash.upper())) Super;
    SecureBuffer context_;
@@ -63,17 +50,11 @@ private:
    void init() throw(LengthException) {
        Super::reset();
        if (context_.size() > 255
            || (context_.size() != 0 && !SUPPORTS_CONTEXTS)
        ) {
        if (context_.size() > 255) {
            throw LengthException();
        }
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
        decaf_ed$(gf_shortname)_prehash_init((decaf_$(eddsa_hash)_ctx_s *)wrapped,context_.data(),context_.size());
 #else
        decaf_ed$(gf_shortname)_prehash_init(wrapped);
 #endif
        decaf_ed$(gf_shortname)_prehash_init((decaf_$(eddsa_hash)_ctx_s *)wrapped);
    }
 public:
@@ -115,11 +96,9 @@ public:
            out.data(),
            ((const CRTP*)this)->priv_.data(),
            ((const CRTP*)this)->pub_.data(),
            (const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
            , ph.context_.data(),
            (const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped,
            ph.context_.data(),
            ph.context_.size()
 #endif
        );
        return out;
    }
@@ -140,20 +119,18 @@ public:
    /**
     * Sign a message.
     * @param [in] message The message to be signed.
     * @param [in] context A context for the signature; must be at most 255 bytes;
     * must be absent if SUPPORTS_CONTEXTS == false.
     * @param [in] context A context for the signature; must be at most 255 bytes.
     *
     * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
     */
    inline SecureBuffer sign (
        const Block &message,
        const Block &context = Block(NULL,0)
        const Block &context = Block(NULL,0),
        const bool no_context = false
    ) const /* TODO: this exn spec tickles a Clang bug?
             * throw(LengthException, std::bad_alloc)
             */ {
        if (context.size() > 255
            || (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
        ) {
        if (context.size() > 255) {
            throw LengthException();
        }
@@ -164,17 +141,15 @@ public:
            ((const CRTP*)this)->pub_.data(),
            message.data(),
            message.size(),
            0
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
            , context.data(),
            context.size()
 #endif
            0,
            context.data(),
            context.size(),
            no_context
        );
        return out;
    }
 };
 $("""
 class PrivateKeyBase
    : public Serializable<PrivateKeyBase>
    , public Signing<PrivateKeyBase,PURE>
@@ -187,18 +162,6 @@ private:
    friend class Signing<PrivateKey,PURE>;
    friend class Signing<PrivateKey,PREHASHED>;
 /** @endcond */
 """ if eddsa_supports_contexts else """
 template<Prehashed ph> class PrivateKeyBase
    : public Serializable<PrivateKeyBase<ph> >
    , public Signing<PrivateKeyBase<ph>,ph> {
 public:
    typedef class PublicKeyBase<ph> MyPublicKey;
 private:
 /** @cond internal */
    friend class PublicKeyBase<ph>;
    friend class Signing<PrivateKeyBase<ph>, ph>;
 /** @endcond */
 """)
    /** The pre-expansion form of the signing key. */
    FixedArrayBuffer<DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES> priv_;
@@ -216,9 +179,6 @@ public:
    /** Serialization size. */
    static const size_t SER_BYTES = DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES;
    /** Do we support contexts for signatures?  If not, they must always be NULL */
    static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS;
    /** Create but don't initialize */
    inline explicit PrivateKeyBase(const NOINIT&) NOEXCEPT : priv_((NOINIT())), pub_((NOINIT())) { }
@@ -271,11 +231,10 @@ public:
    inline decaf_error_t WARN_UNUSED verify_noexcept (
        const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
        const Block &message,
        const Block &context = Block(NULL,0)
        const Block &context = Block(NULL,0),
        const bool no_context = false
    ) const /*NOEXCEPT*/ {
        if (context.size() > 255
            || (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
        ) {
        if (context.size() > 255) {
            return DECAF_FAILURE;
        }
@@ -284,34 +243,31 @@ public:
            ((const CRTP*)this)->pub_.data(),
            message.data(),
            message.size(),
            0
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
            , context.data(),
            context.size()
 #endif
            0,
            context.data(),
            context.size(),
            no_context
        );
    }
    /** Verify a signature, throwing an exception if verification fails
     * @param [in] sig The signature.
     * @param [in] message The signed message.
     * @param [in] context A context for the signature; must be at most 255 bytes;
     * must be absent if SUPPORTS_CONTEXTS == false.
     * @param [in] context A context for the signature; must be at most 255 bytes.
     *
     * @warning It is generally unsafe to use Ed25519 with both prehashed and non-prehashed messages.
     */
    inline void verify (
        const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
        const Block &message,
        const Block &context = Block(NULL,0)
        const Block &context = Block(NULL,0),
        const bool no_context = false
    ) const /*throw(LengthException,CryptoException)*/ {
        if (context.size() > 255
            || (context.size() != 0 && !CRTP::SUPPORTS_CONTEXTS)
        ) {
        if (context.size() > 255) {
            throw LengthException();
        }
        if (DECAF_SUCCESS != verify_noexcept( sig, message, context )) {
        if (DECAF_SUCCESS != verify_noexcept( sig, message, context, no_context )) {
            throw CryptoException();
        }
    }
@@ -328,11 +284,9 @@ public:
        return decaf_ed$(gf_shortname)_verify_prehash (
            sig.data(),
            ((const CRTP*)this)->pub_.data(),
            (const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
            , ph.context_.data(),
            (const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped,
            ph.context_.data(),
            ph.context_.size()
 #endif
        );
    }
@@ -344,11 +298,9 @@ public:
        if (DECAF_SUCCESS != decaf_ed$(gf_shortname)_verify_prehash (
            sig.data(),
            ((const CRTP*)this)->pub_.data(),
            (const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped
 #if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
            , ph.context_.data(),
            (const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped,
            ph.context_.data(),
            ph.context_.size()
 #endif
        )) {
            throw CryptoException();
        }
@@ -367,7 +319,6 @@ public:
 };
 $("""
 class PublicKeyBase
    : public Serializable<PublicKeyBase>
    , public Verification<PublicKeyBase,PURE>
@@ -381,19 +332,6 @@ private:
    friend class Verification<PublicKey,PURE>;
    friend class Verification<PublicKey,PREHASHED>;
 /** @endcond */
 """ if eddsa_supports_contexts else """
 template<Prehashed ph> class PublicKeyBase
    : public Serializable<PublicKeyBase<ph> >
    , public Verification<PublicKeyBase<ph>,ph> {
 public:
    typedef class PrivateKeyBase<ph> MyPrivateKey;
 private:
 /** @cond internal */
    friend class PrivateKeyBase<ph>;
    friend class Verification<PublicKeyBase<ph>, ph>;
 /** @endcond */
 """)
 private:
    /** The pre-expansion form of the signature */
@@ -411,9 +349,6 @@ public:
    /** Serialization size. */
    static const size_t SER_BYTES = DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES;
    /** Do we support contexts for signatures?  If not, they must always be NULL */
    static const bool SUPPORTS_CONTEXTS = DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS;
    /** Create but don't initialize */
    inline explicit PublicKeyBase(const NOINIT&) NOEXCEPT : pub_((NOINIT())) { }
--- a/test/test_decaf.cxx
+++ b/test/test_decaf.cxx
@@ -469,7 +469,7 @@ static void test_cfrg_crypto() {
    }
 }
 static const bool eddsa_prehashed[];
 static const bool eddsa_prehashed[], eddsa_no_context[];
 static const Block eddsa_sk[], eddsa_pk[], eddsa_message[], eddsa_context[], eddsa_sig[];
 static void test_cfrg_vectors() {
@@ -497,17 +497,9 @@ static void test_cfrg_vectors() {
        if (eddsa_prehashed[t]) {
            typename EdDSA<Group>::PrivateKeyPh priv2(eddsa_sk[t]); 
            if (priv2.SUPPORTS_CONTEXTS) {
                sig = priv2.sign_with_prehash(eddsa_message[t],eddsa_context[t]);
            } else {
                sig = priv2.sign_with_prehash(eddsa_message[t]);
            }
            sig = priv2.sign_with_prehash(eddsa_message[t],eddsa_context[t]);
        } else {
            if (priv.SUPPORTS_CONTEXTS) {
                sig = priv.sign(eddsa_message[t],eddsa_context[t]);
            } else {
                sig = priv.sign(eddsa_message[t]);
            }
            sig = priv.sign(eddsa_message[t],eddsa_context[t],eddsa_no_context[t]);
        }
        if (!memeq(SecureBuffer(eddsa_sig[t]),sig)) {
@@ -557,7 +549,7 @@ static void test_eddsa() {
        SecureBuffer message(i);
        rng.read(message);
        SecureBuffer context(priv.SUPPORTS_CONTEXTS ? i%256 : 0);
        SecureBuffer context(i%256);
        rng.read(message);
        SecureBuffer sig = priv.sign(message,context); 
--- a/test/vectors.inc.cxx
+++ b/test/vectors.inc.cxx
@@ -189,6 +189,7 @@ template<> const bool Tests<Ed448Goldilocks>::eddsa_prehashed[] = {
    false,
    false,
    false,
    true,
    true
 };
@@ -276,21 +277,37 @@ const uint8_t ed448_eddsa_sig[][114] = {{
    0xa4,0x91,0x55,0xc1,0x37,0x64,0xe6,0x6c,
    0x3c,0x00
 }, {
    0x86,0xa6,0xbf,0x52,0xf9,0xe8,0xf8,0x4f,
    0x45,0x1b,0x2f,0x39,0x2a,0x8d,0x1c,0x3a,
    0x41,0x44,0x25,0xfa,0xc0,0x06,0x8f,0x74,
    0xae,0xea,0xd5,0x3b,0x0e,0x6b,0x53,0xd4,
    0x55,0x5c,0xea,0x17,0x26,0xda,0x4a,0x65,
    0x20,0x28,0x80,0xd4,0x07,0x26,0x70,0x87,
    0x9e,0x8e,0x6f,0xa4,0xd9,0x69,0x4c,0x06,
    0x00,0x54,0xf2,0x06,0x5d,0xc2,0x06,0xa6,
    0xe6,0x15,0xd0,0xd8,0xc9,0x9b,0x95,0x20,
    0x9b,0x69,0x6c,0x81,0x25,0xc5,0xfb,0xb9,
    0xbc,0x82,0xa0,0xf7,0xed,0x3d,0x99,0xc4,
    0xc1,0x1c,0x47,0x79,0x8e,0xf0,0xf7,0xeb,
    0x97,0xb3,0xb7,0x2a,0xb4,0xac,0x86,0xea,
    0xf8,0xb4,0x34,0x49,0xe8,0xac,0x30,0xff,
    0x3f,0x00
    0x82,0x2f,0x69,0x01,0xf7,0x48,0x0f,0x3d,
    0x5f,0x56,0x2c,0x59,0x29,0x94,0xd9,0x69,
    0x36,0x02,0x87,0x56,0x14,0x48,0x32,0x56,
    0x50,0x56,0x00,0xbb,0xc2,0x81,0xae,0x38,
    0x1f,0x54,0xd6,0xbc,0xe2,0xea,0x91,0x15,
    0x74,0x93,0x2f,0x52,0xa4,0xe6,0xca,0xdd,
    0x78,0x76,0x93,0x75,0xec,0x3f,0xfd,0x1b,
    0x80,0x1a,0x0d,0x9b,0x3f,0x40,0x30,0xcd,
    0x43,0x39,0x64,0xb6,0x45,0x7e,0xa3,0x94,
    0x76,0x51,0x12,0x14,0xf9,0x74,0x69,0xb5,
    0x7d,0xd3,0x2d,0xbc,0x56,0x0a,0x9a,0x94,
    0xd0,0x0b,0xff,0x07,0x62,0x04,0x64,0xa3,
    0xad,0x20,0x3d,0xf7,0xdc,0x7c,0xe3,0x60,
    0xc3,0xcd,0x36,0x96,0xd9,0xd9,0xfa,0xb9,
    0x0f,0x00
 }, {
    0xc3,0x22,0x99,0xd4,0x6e,0xc8,0xff,0x02,
    0xb5,0x45,0x40,0x98,0x28,0x14,0xdc,0xe9,
    0xa0,0x58,0x12,0xf8,0x19,0x62,0xb6,0x49,
    0xd5,0x28,0x09,0x59,0x16,0xa2,0xaa,0x48,
    0x10,0x65,0xb1,0x58,0x04,0x23,0xef,0x92,
    0x7e,0xcf,0x0a,0xf5,0x88,0x8f,0x90,0xda,
    0x0f,0x6a,0x9a,0x85,0xad,0x5d,0xc3,0xf2,
    0x80,0xd9,0x12,0x24,0xba,0x99,0x11,0xa3,
    0x65,0x3d,0x00,0xe4,0x84,0xe2,0xce,0x23,
    0x25,0x21,0x48,0x1c,0x86,0x58,0xdf,0x30,
    0x4b,0xb7,0x74,0x5a,0x73,0x51,0x4c,0xdb,
    0x9b,0xf3,0xe1,0x57,0x84,0xab,0x71,0x28,
    0x4f,0x8d,0x07,0x04,0xa6,0x08,0xc5,0x4a,
    0x6b,0x62,0xd9,0x7b,0xeb,0x51,0x1d,0x13,
    0x21,0x00
 }};
 template<> const Block Tests<Ed448Goldilocks>::eddsa_sk[] = {
    Block(ed448_eddsa_sk[0],57),
@@ -299,6 +316,7 @@ template<> const Block Tests<Ed448Goldilocks>::eddsa_sk[] = {
    Block(ed448_eddsa_sk[2],57),
    Block(ed448_eddsa_sk[3],57),
    Block(ed448_eddsa_sk[4],57),
    Block(ed448_eddsa_sk[4],57),
    Block(NULL,0)
 };
 template<> const Block Tests<Ed448Goldilocks>::eddsa_pk[] = {
@@ -307,6 +325,7 @@ template<> const Block Tests<Ed448Goldilocks>::eddsa_pk[] = {
    Block(ed448_eddsa_pk[1],57),
    Block(ed448_eddsa_pk[2],57),
    Block(ed448_eddsa_pk[3],57),
    Block(ed448_eddsa_pk[4],57),
    Block(ed448_eddsa_pk[4],57)
 };
 template<> const Block Tests<Ed448Goldilocks>::eddsa_message[] = {
@@ -315,6 +334,7 @@ template<> const Block Tests<Ed448Goldilocks>::eddsa_message[] = {
    Block(ed448_eddsa_message[1],1),
    Block(ed448_eddsa_message[2],11),
    Block(ed448_eddsa_message[3],12),
    Block(ed448_eddsa_message[4],3),
    Block(ed448_eddsa_message[4],3)
 };
 template<> const Block Tests<Ed448Goldilocks>::eddsa_context[] = {
@@ -323,15 +343,26 @@ template<> const Block Tests<Ed448Goldilocks>::eddsa_context[] = {
    Block(ed448_eddsa_context[0],3),
    Block(NULL,0),
    Block(NULL,0),
    Block(NULL,0),
    Block(ed448_eddsa_context[0],3)
 };
 template<> const bool Tests<Ed448Goldilocks>::eddsa_no_context[] = {
    false,
    false,
    false,
    false,
    false,
    false,
    false
 };
 template<> const Block Tests<Ed448Goldilocks>::eddsa_sig[] = {
    Block(ed448_eddsa_sig[0],114),
    Block(ed448_eddsa_sig[1],114),
    Block(ed448_eddsa_sig[4],114),
    Block(ed448_eddsa_sig[2],114),
    Block(ed448_eddsa_sig[3],114),
    Block(ed448_eddsa_sig[5],114)
    Block(ed448_eddsa_sig[5],114),
    Block(ed448_eddsa_sig[6],114)
 };
 const uint8_t ed25519_eddsa_sk[][32] = {{
@@ -354,6 +385,11 @@ const uint8_t ed25519_eddsa_sk[][32] = {{
    0x62,0xec,0x77,0x58,0x75,0x20,0x91,0x1e,
    0x9a,0x75,0x9c,0xec,0x1d,0x19,0x75,0x5b,
    0x7d,0xa9,0x01,0xb9,0x6d,0xca,0x3d,0x42
 }, {
    0x03,0x05,0x33,0x4e,0x38,0x1a,0xf7,0x8f,
    0x14,0x1c,0xb6,0x66,0xf6,0x19,0x9f,0x57,
    0xbc,0x34,0x95,0x33,0x5a,0x25,0x6a,0x95,
    0xbd,0x2a,0x55,0xbf,0x54,0x66,0x63,0xf6
 }};
 const uint8_t ed25519_eddsa_pk[][32] = {{
    0xd7,0x5a,0x98,0x01,0x82,0xb1,0x0a,0xb7,
@@ -375,8 +411,13 @@ const uint8_t ed25519_eddsa_pk[][32] = {{
    0xf4,0x93,0x2c,0x70,0xe1,0x24,0x50,0x34,
    0xc3,0x54,0x67,0xef,0x2e,0xfd,0x4d,0x64,
    0xeb,0xf8,0x19,0x68,0x34,0x67,0xe2,0xbf
 }, {
    0xdf,0xc9,0x42,0x5e,0x4f,0x96,0x8f,0x7f,
    0x0c,0x29,0xf0,0x25,0x9c,0xf5,0xf9,0xae,
    0xd6,0x85,0x1c,0x2b,0xb4,0xad,0x8b,0xfb,
    0x86,0x0c,0xfe,0xe0,0xab,0x24,0x82,0x92
 }};
 const uint8_t ed25519_eddsa_message[][3] = {{
 const uint8_t ed25519_eddsa_message[][16] = {{
    0
 }, {
    0x72
@@ -384,6 +425,14 @@ const uint8_t ed25519_eddsa_message[][3] = {{
    0xaf,0x82
 }, {
    0x61,0x62,0x63
 }, {
    0xf7,0x26,0x93,0x6d,0x19,0xc8,0x00,0x49,
    0x4e,0x3f,0xda,0xff,0x20,0xb2,0x76,0xa8
 }};
 const uint8_t ed25519_eddsa_context[][3] = {{
    0x66,0x6f,0x6f
 }, {
    0x62,0x61,0x72
 }};
 const uint8_t ed25519_eddsa_sig[][64] = {{
    0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
@@ -413,50 +462,88 @@ const uint8_t ed25519_eddsa_sig[][64] = {{
    0x4a,0x7c,0x15,0xe9,0x71,0x6e,0xd2,0x8d,
    0xc0,0x27,0xbe,0xce,0xea,0x1e,0xc4,0x0a
 }, {
    0xdc,0x2a,0x44,0x59,0xe7,0x36,0x96,0x33,
    0xa5,0x2b,0x1b,0xf2,0x77,0x83,0x9a,0x00,
    0x20,0x10,0x09,0xa3,0xef,0xbf,0x3e,0xcb,
    0x69,0xbe,0xa2,0x18,0x6c,0x26,0xb5,0x89,
    0x09,0x35,0x1f,0xc9,0xac,0x90,0xb3,0xec,
    0xfd,0xfb,0xc7,0xc6,0x64,0x31,0xe0,0x30,
    0x3d,0xca,0x17,0x9c,0x13,0x8a,0xc1,0x7a,
    0xd9,0xbe,0xf1,0x17,0x73,0x31,0xa7,0x04
    0x98,0xa7,0x02,0x22,0xf0,0xb8,0x12,0x1a,
    0xa9,0xd3,0x0f,0x81,0x3d,0x68,0x3f,0x80,
    0x9e,0x46,0x2b,0x46,0x9c,0x7f,0xf8,0x76,
    0x39,0x49,0x9b,0xb9,0x4e,0x6d,0xae,0x41,
    0x31,0xf8,0x50,0x42,0x46,0x3c,0x2a,0x35,
    0x5a,0x20,0x03,0xd0,0x62,0xad,0xf5,0xaa,
    0xa1,0x0b,0x8c,0x61,0xe6,0x36,0x06,0x2a,
    0xaa,0xd1,0x1c,0x2a,0x26,0x08,0x34,0x06
 }, {
    0x55,0xa4,0xcc,0x2f,0x70,0xa5,0x4e,0x04,
    0x28,0x8c,0x5f,0x4c,0xd1,0xe4,0x5a,0x7b,
    0xb5,0x20,0xb3,0x62,0x92,0x91,0x18,0x76,
    0xca,0xda,0x73,0x23,0x19,0x8d,0xd8,0x7a,
    0x8b,0x36,0x95,0x0b,0x95,0x13,0x00,0x22,
    0x90,0x7a,0x7f,0xb7,0xc4,0xe9,0xb2,0xd5,
    0xf6,0xcc,0xa6,0x85,0xa5,0x87,0xb4,0xb2,
    0x1f,0x4b,0x88,0x8e,0x4e,0x7e,0xdb,0x0d
 }, {
    0xfc,0x60,0xd5,0x87,0x2f,0xc4,0x6b,0x3a,
    0xa6,0x9f,0x8b,0x5b,0x43,0x51,0xd5,0x80,
    0x8f,0x92,0xbc,0xc0,0x44,0x60,0x6d,0xb0,
    0x97,0xab,0xab,0x6d,0xbc,0xb1,0xae,0xe3,
    0x21,0x6c,0x48,0xe8,0xb3,0xb6,0x64,0x31,
    0xb5,0xb1,0x86,0xd1,0xd2,0x8f,0x8e,0xe1,
    0x5a,0x5c,0xa2,0xdf,0x66,0x68,0x34,0x62,
    0x91,0xc2,0x04,0x3d,0x4e,0xb3,0xe9,0x0d
 }};
 template<> const bool Tests<IsoEd25519>::eddsa_prehashed[] = {
    false,
    false,
    false,
    true
    true,
    false,
    false
 };
 template<> const Block Tests<IsoEd25519>::eddsa_sk[] = {
    Block(ed25519_eddsa_sk[0],32),
    Block(ed25519_eddsa_sk[1],32),
    Block(ed25519_eddsa_sk[2],32),
    Block(ed25519_eddsa_sk[3],32),
    Block(ed25519_eddsa_sk[4],32),
    Block(ed25519_eddsa_sk[4],32),
    Block(NULL,0)
 };
 template<> const Block Tests<IsoEd25519>::eddsa_pk[] = {
    Block(ed25519_eddsa_pk[0],32),
    Block(ed25519_eddsa_pk[1],32),
    Block(ed25519_eddsa_pk[2],32),
    Block(ed25519_eddsa_pk[3],32)
    Block(ed25519_eddsa_pk[3],32),
    Block(ed25519_eddsa_pk[4],32),
    Block(ed25519_eddsa_pk[4],32)
 };
 template<> const Block Tests<IsoEd25519>::eddsa_context[] = {
    Block(NULL,0),
    Block(NULL,0),
    Block(NULL,0),
    Block(NULL,0)
    Block(NULL,0),
    Block(ed25519_eddsa_context[0],3),
    Block(ed25519_eddsa_context[1],3)
 };
 template<> const bool Tests<IsoEd25519>::eddsa_no_context[] = {
    true,
    true,
    true,
    false,
    false,
    false
 };
 template<> const Block Tests<IsoEd25519>::eddsa_message[] = {
    Block(ed25519_eddsa_message[0],0),
    Block(ed25519_eddsa_message[1],1),
    Block(ed25519_eddsa_message[2],2),
    Block(ed25519_eddsa_message[3],3)
    Block(ed25519_eddsa_message[3],3),
    Block(ed25519_eddsa_message[4],16),
    Block(ed25519_eddsa_message[4],16)
 };
 template<> const Block Tests<IsoEd25519>::eddsa_sig[] = {
    Block(ed25519_eddsa_sig[0],64),
    Block(ed25519_eddsa_sig[1],64),
    Block(ed25519_eddsa_sig[2],64),
    Block(ed25519_eddsa_sig[3],64)
    Block(ed25519_eddsa_sig[3],64),
    Block(ed25519_eddsa_sig[4],64),
    Block(ed25519_eddsa_sig[5],64)
 };