jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
507 Commits
2 Branches
1.6 MiB
 
 
 
 
 
Tree: 7527e91a56
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7527e91a56'
${ noResults }
ed448goldilocks/src/GENERATED/include/decaf/ed448.h

252 lines
9.2 KiB
Raw Blame History 

  1. /**

  2.  * @file decaf/ed448.h

  3.  * @author Mike Hamburg

  4.  *

  5.  * @copyright

  6.  *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n

  7.  *   Released under the MIT License.  See LICENSE.txt for license information.

  8.  *

  9.  * @brief A group of prime order p, based on Ed448-Goldilocks.

  10.  *

  11.  * @warning This file was automatically generated in Python.

  12.  * Please do not edit it.

  13.  */

  14. 

  15. #ifndef __DECAF_ED448_H__

  16. #define __DECAF_ED448_H__ 1

  17. 

  18. #include <decaf/point_448.h>

  19. #include <decaf/shake.h>

  20. #include <decaf/sha512.h>

  21. 

  22. #ifdef __cplusplus

  23. extern "C" {

  24. #endif

  25. 

  26. /** Number of bytes in an EdDSA public key. */

  27. #define DECAF_EDDSA_448_PUBLIC_BYTES 57

  28. 

  29. /** Number of bytes in an EdDSA private key. */

  30. #define DECAF_EDDSA_448_PRIVATE_BYTES DECAF_EDDSA_448_PUBLIC_BYTES

  31. 

  32. /** Number of bytes in an EdDSA private key. */

  33. #define DECAF_EDDSA_448_SIGNATURE_BYTES (DECAF_EDDSA_448_PUBLIC_BYTES + DECAF_EDDSA_448_PRIVATE_BYTES)

  34. 

  35. /** Does EdDSA support non-contextual signatures? */

  36. #define DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0

  37. 

  38. /** Prehash context renaming macros. */

  39. #define decaf_ed448_prehash_ctx_s   decaf_shake256_ctx_s

  40. #define decaf_ed448_prehash_ctx_t   decaf_shake256_ctx_t

  41. #define decaf_ed448_prehash_update  decaf_shake256_update

  42. #define decaf_ed448_prehash_destroy decaf_shake256_destroy

  43. 

  44. /** EdDSA encoding ratio. */

  45. #define DECAF_448_EDDSA_ENCODE_RATIO 4

  46. 

  47. /** EdDSA decoding ratio. */

  48. #define DECAF_448_EDDSA_DECODE_RATIO (4 / 4)

  49. 

  50. /**

  51.  * @brief EdDSA key generation.  This function uses a different (non-Decaf)

  52.  * encoding.

  53.  *

  54.  * @param [out] pubkey The public key.

  55.  * @param [in] privkey The private key.

  56.  */    

  57. void decaf_ed448_derive_public_key (

  58.     uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],

  59.     const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]

  60. ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

  61. 

  62. /**

  63.  * @brief EdDSA signing.

  64.  *

  65.  * @param [out] signature The signature.

  66.  * @param [in] privkey The private key.

  67.  * @param [in] pubkey The public key.

  68.  * @param [in] message The message to sign.

  69.  * @param [in] message_len The length of the message.

  70.  * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.

  71.  * @param [in] context A "context" for this signature of up to 255 bytes.

  72.  * @param [in] context_len Length of the context.

  73.  *

  74.  * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed

  75.  * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is

  76.  * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives

  77.  * you no seat belt.

  78.  */  

  79. void decaf_ed448_sign (

  80.     uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],

  81.     const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],

  82.     const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],

  83.     const uint8_t *message,

  84.     size_t message_len,

  85.     uint8_t prehashed,

  86.     const uint8_t *context,

  87.     uint8_t context_len

  88. ) DECAF_API_VIS __attribute__((nonnull(1,2,3))) DECAF_NOINLINE;

  89. 

  90. /**

  91.  * @brief EdDSA signing with prehash.

  92.  *

  93.  * @param [out] signature The signature.

  94.  * @param [in] privkey The private key.

  95.  * @param [in] pubkey The public key.

  96.  * @param [in] hash The hash of the message.  This object will not be modified by the call.

  97.  * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.

  98.  * @param [in] context_len Length of the context.

  99.  *

  100.  * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed

  101.  * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is

  102.  * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives

  103.  * you no seat belt.

  104.  */  

  105. void decaf_ed448_sign_prehash (

  106.     uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],

  107.     const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],

  108.     const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],

  109.     const decaf_ed448_prehash_ctx_t hash,

  110.     const uint8_t *context,

  111.     uint8_t context_len

  112. ) DECAF_API_VIS __attribute__((nonnull(1,2,3,4))) DECAF_NOINLINE;

  113.     

  114. /**

  115.  * @brief Prehash initialization, with contexts if supported.

  116.  *

  117.  * @param [out] hash The hash object to be initialized.

  118.  */

  119. void decaf_ed448_prehash_init (

  120.     decaf_ed448_prehash_ctx_t hash

  121. ) DECAF_API_VIS __attribute__((nonnull(1))) DECAF_NOINLINE;

  122. 

  123. /**

  124.  * @brief EdDSA signature verification.

  125.  *

  126.  * Uses the standard (i.e. less-strict) verification formula.

  127.  *

  128.  * @param [in] signature The signature.

  129.  * @param [in] pubkey The public key.

  130.  * @param [in] message The message to verify.

  131.  * @param [in] message_len The length of the message.

  132.  * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.

  133.  * @param [in] context A "context" for this signature of up to 255 bytes.

  134.  * @param [in] context_len Length of the context.

  135.  *

  136.  * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed

  137.  * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is

  138.  * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives

  139.  * you no seat belt.

  140.  */

  141. decaf_error_t decaf_ed448_verify (

  142.     const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],

  143.     const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],

  144.     const uint8_t *message,

  145.     size_t message_len,

  146.     uint8_t prehashed,

  147.     const uint8_t *context,

  148.     uint8_t context_len

  149. ) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;

  150. 

  151. /**

  152.  * @brief EdDSA signature verification.

  153.  *

  154.  * Uses the standard (i.e. less-strict) verification formula.

  155.  *

  156.  * @param [in] signature The signature.

  157.  * @param [in] pubkey The public key.

  158.  * @param [in] hash The hash of the message.  This object will not be modified by the call.

  159.  * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.

  160.  * @param [in] context_len Length of the context.

  161.  *

  162.  * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed

  163.  * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is

  164.  * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives

  165.  * you no seat belt.

  166.  */

  167. decaf_error_t decaf_ed448_verify_prehash (

  168.     const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],

  169.     const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],

  170.     const decaf_ed448_prehash_ctx_t hash,

  171.     const uint8_t *context,

  172.     uint8_t context_len

  173. ) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;

  174. 

  175. /**

  176.  * @brief EdDSA point encoding.  Used internally, exposed externally.

  177.  * Multiplies by DECAF_448_EDDSA_ENCODE_RATIO first.

  178.  *

  179.  * The multiplication is required because the EdDSA encoding represents

  180.  * the cofactor information, but the Decaf encoding ignores it (which

  181.  * is the whole point).  So if you decode from EdDSA and re-encode to

  182.  * EdDSA, the cofactor info must get cleared, because the intermediate

  183.  * representation doesn't track it.

  184.  *

  185.  * The way libdecaf handles this is to multiply by

  186.  * DECAF_448_EDDSA_DECODE_RATIO when decoding, and by

  187.  * DECAF_448_EDDSA_ENCODE_RATIO when encoding.  The product of these

  188.  * ratios is always exactly the cofactor 4, so the cofactor

  189.  * ends up cleared one way or another.  But exactly how that shakes

  190.  * out depends on the base points specified in RFC 8032.

  191.  *

  192.  * The upshot is that if you pass the Decaf/Ristretto base point to

  193.  * this function, you will get DECAF_448_EDDSA_ENCODE_RATIO times the

  194.  * EdDSA base point.

  195.  *

  196.  * @param [out] enc The encoded point.

  197.  * @param [in] p The point.

  198.  */       

  199. void decaf_448_point_mul_by_ratio_and_encode_like_eddsa (

  200.     uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES],

  201.     const decaf_448_point_t p

  202. ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

  203. 

  204. /**

  205.  * @brief EdDSA point decoding.  Multiplies by DECAF_448_EDDSA_DECODE_RATIO,

  206.  * and ignores cofactor information.

  207.  *

  208.  * See notes on decaf_448_point_mul_by_ratio_and_encode_like_eddsa

  209.  *

  210.  * @param [out] enc The encoded point.

  211.  * @param [in] p The point.

  212.  */       

  213. decaf_error_t decaf_448_point_decode_like_eddsa_and_mul_by_ratio (

  214.     decaf_448_point_t p,

  215.     const uint8_t enc[DECAF_EDDSA_448_PUBLIC_BYTES]

  216. ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

  217. 

  218. /**

  219.  * @brief EdDSA to ECDH public key conversion

  220.  * Deserialize the point to get y on Edwards curve,

  221.  * Convert it to u coordinate on Montgomery curve.

  222.  *

  223.  * @warning This function does not check that the public key being converted

  224.  * is a valid EdDSA public key (FUTURE?)

  225.  *

  226.  * @param[out] x The ECDH public key as in RFC7748(point on Montgomery curve)

  227.  * @param[in] ed The EdDSA public key(point on Edwards curve)

  228.  */

  229. void decaf_ed448_convert_public_key_to_x448 (

  230.     uint8_t x[DECAF_X448_PUBLIC_BYTES],

  231.     const uint8_t ed[DECAF_EDDSA_448_PUBLIC_BYTES]

  232. ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

  233. 

  234. /**

  235.  * @brief EdDSA to ECDH private key conversion

  236.  * Using the appropriate hash function, hash the EdDSA private key

  237.  * and keep only the lower bytes to get the ECDH private key

  238.  *

  239.  * @param[out] x The ECDH private key as in RFC7748

  240.  * @param[in] ed The EdDSA private key

  241.  */

  242. void decaf_ed448_convert_private_key_to_x448 (

  243.     uint8_t x[DECAF_X448_PRIVATE_BYTES],

  244.     const uint8_t ed[DECAF_EDDSA_448_PRIVATE_BYTES]

  245. ) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;

  246. 

  247. #ifdef __cplusplus

  248. } /* extern "C" */

  249. #endif

  250. 

  251. #endif /* __DECAF_ED448_H__ */