if (h1) memcpy(h1, b + 32, 32);
}
+#define PREFIX_BUFSZ 290
+static size_t prefix(octet b[PREFIX_BUFSZ],
+ int phflag, const octet *p, size_t psz)
+{
+ if (phflag < 0) return (0);
+ memcpy(b, "SigEd25519 no Ed25519 collisions", 32);
+ b[32] = phflag;
+ assert(psz < ED25519_MAXPERSOSZ); b[33] = psz; memcpy(b + 34, p, psz);
+ return (psz + 34);
+}
+
/*----- Main code ---------------------------------------------------------*/
/* --- @ed25519_pubkey@ --- *
ptencode(K, &AX, &AY, &AZ);
}
-/* --- @ed25519_sign@ --- *
+/* --- @ed25519_sign@, @ed25519ctx_sign@ --- *
*
* Arguments: @octet sig[ED25519_SIGSZ]@ = where to put the signature
* @const void *k@ = private key
* @size_t ksz@ = length of private key
* @const octet K[ED25519_PUBSZ]@ = public key
+ * @int phflag@ = whether the `message' has been hashed already
+ * @const void *p@ = personalization string
+ * @size_t psz@ = length of personalization string
* @const void *m@ = message to sign
* @size_t msz@ = length of message
*
* Returns: ---
*
* Use: Signs a message.
+ *
+ * In @ed25519ctx_sign@, if @phflag@ is @-1@ then you get plain
+ * old Ed25519: the personalization string pointer @p@ will be
+ * ignored. If @phflag > 0@ then the `message' @m@ should be a
+ * SHA512 hash of the actual message.
*/
-void ed25519_sign(octet sig[ED25519_SIGSZ],
- const void *k, size_t ksz,
- const octet K[ED25519_PUBSZ],
- const void *m, size_t msz)
+void ed25519ctx_sign(octet sig[ED25519_SIGSZ],
+ const void *k, size_t ksz, const octet K[ED25519_PUBSZ],
+ int phflag, const void *p, size_t psz,
+ const void *m, size_t msz)
{
sha512_ctx h;
scaf_piece a[NPIECE], r[NPIECE], t[NPIECE], scratch[3*NPIECE + 1];
scaf_dblpiece tt[2*NPIECE];
f25519 RX, RY, RZ;
- octet h1[32], b[SHA512_HASHSZ];
+ octet h1[32], pb[PREFIX_BUFSZ], rb[SHA512_HASHSZ];
unsigned i;
/* Get my private key. */
unpack_key(a, h1, k, ksz);
+ /* Determine the prefix string. */
+ psz = prefix(pb, phflag, p, psz);
+
/* Select the nonce and the vector part. */
sha512_init(&h);
+ sha512_hash(&h, pb, psz);
sha512_hash(&h, h1, 32);
sha512_hash(&h, m, msz);
- sha512_done(&h, b);
- scaf_loaddbl(tt, b, 64, 2*NPIECE, PIECEWD);
+ sha512_done(&h, rb);
+ scaf_loaddbl(tt, rb, 64, 2*NPIECE, PIECEWD);
scaf_reduce(r, tt, l, mu, NPIECE, PIECEWD, scratch);
ptmul(&RX, &RY, &RZ, r, BX, BY, BZ);
ptencode(sig, &RX, &RY, &RZ);
/* Calculate the scalar part. */
sha512_init(&h);
+ sha512_hash(&h, pb, psz);
sha512_hash(&h, sig, 32);
sha512_hash(&h, K, 32);
sha512_hash(&h, m, msz);
- sha512_done(&h, b);
- scaf_loaddbl(tt, b, 64, 2*NPIECE, PIECEWD);
+ sha512_done(&h, rb);
+ scaf_loaddbl(tt, rb, 64, 2*NPIECE, PIECEWD);
scaf_reduce(t, tt, l, mu, NPIECE, PIECEWD, scratch);
scaf_mul(tt, t, a, NPIECE);
for (i = 0; i < NPIECE; i++) tt[i] += r[i];
scaf_store(sig + 32, 32, t, NPIECE, PIECEWD);
}
-/* --- @ed25519_verify@ --- *
+void ed25519_sign(octet sig[ED25519_SIGSZ],
+ const void *k, size_t ksz, const octet K[ED25519_PUBSZ],
+ const void *m, size_t msz)
+ { ed25519ctx_sign(sig, k, ksz, K, -1, 0, 0, m, msz); }
+
+/* --- @ed25519_verify@, @ed25519ctx_verify@ --- *
*
* Arguments: @const octet K[ED25519_PUBSZ]@ = public key
+ * @int phflag@ = whether the `message' has been hashed already
+ * @const void *p@ = personalization string
+ * @size_t psz@ = length of personalization string
* @const void *m@ = message to sign
* @size_t msz@ = length of message
* @const octet sig[ED25519_SIGSZ]@ = signature
* Returns: Zero if OK, negative on failure.
*
* Use: Verify a signature.
+ *
+ * In @ed25519ctx_verify@, if @phflag@ is @-1@ then you get
+ * plain old Ed25519: the personalization string pointer @p@
+ * will be ignored. If @phflag > 0@ then the `message' @m@
+ * should be a SHA512 hash of the actual message.
*/
-int ed25519_verify(const octet K[ED25519_PUBSZ],
- const void *m, size_t msz,
- const octet sig[ED25519_SIGSZ])
+int ed25519ctx_verify(const octet K[ED25519_PUBSZ],
+ int phflag, const void *p, size_t psz,
+ const void *m, size_t msz,
+ const octet sig[ED25519_SIGSZ])
{
sha512_ctx h;
scaf_piece s[NPIECE], t[NPIECE], scratch[3*NPIECE + 1];
scaf_dblpiece tt[2*NPIECE];
f25519 AX, AY, AZ, RX, RY, RZ;
- octet b[SHA512_HASHSZ];
+ octet b[PREFIX_BUFSZ];
/* Unpack the public key. Negate it: we're meant to subtract the term
* involving the public key point, and this is easier than negating the
if (memcmp(b, sig + 32, 32) != 0) return (-1);
/* Check the signature. */
+ psz = prefix(b, phflag, p, psz);
sha512_init(&h);
+ sha512_hash(&h, b, psz);
sha512_hash(&h, sig, 32);
sha512_hash(&h, K, 32);
sha512_hash(&h, m, msz);
return (0);
}
+int ed25519_verify(const octet K[ED25519_PUBSZ],
+ const void *m, size_t msz,
+ const octet sig[ED25519_SIGSZ])
+ { return (ed25519ctx_verify(K, -1, 0, 0, m, msz, sig)); }
+
/*----- Test rig ----------------------------------------------------------*/
#ifdef TEST_RIG
return (ok);
}
-static int vrf_sign(dstr dv[])
+static int vrf_sign(dstr *priv, int phflag, dstr *perso,
+ dstr *msg, dstr *want)
{
+ sha512_ctx h;
octet K[ED25519_PUBSZ];
- dstr dsig = DSTR_INIT;
+ dstr d = DSTR_INIT, dsig = DSTR_INIT, *m;
int ok = 1;
- if (dv[2].len != ED25519_SIGSZ) die(1, "bad result length");
+ if (want->len != ED25519_SIGSZ) die(1, "bad result length");
dstr_ensure(&dsig, ED25519_SIGSZ); dsig.len = ED25519_SIGSZ;
- ed25519_pubkey(K, dv[0].buf, dv[0].len);
- ed25519_sign((octet *)dsig.buf, dv[0].buf, dv[0].len, K,
- dv[1].buf, dv[1].len);
- if (memcmp(dsig.buf, dv[2].buf, ED25519_SIGSZ) != 0) {
+ if (phflag <= 0)
+ m = msg;
+ else {
+ dstr_ensure(&d, SHA512_HASHSZ); d.len = SHA512_HASHSZ;
+ sha512_init(&h);
+ sha512_hash(&h, msg->buf, msg->len);
+ sha512_done(&h, d.buf);
+ m = &d;
+ }
+ ed25519_pubkey(K, priv->buf, priv->len);
+ ed25519ctx_sign((octet *)dsig.buf, priv->buf, priv->len, K,
+ phflag, perso ? perso->buf : 0, perso ? perso->len : 0,
+ m->buf, m->len);
+ if (memcmp(dsig.buf, want->buf, ED25519_SIGSZ) != 0) {
ok = 0;
fprintf(stderr, "failed!");
- fprintf(stderr, "\n\tpriv = "); type_hex.dump(&dv[0], stderr);
- fprintf(stderr, "\n\t msg = "); type_hex.dump(&dv[1], stderr);
+ fprintf(stderr, "\n\tpriv = "); type_hex.dump(priv, stderr);
+ if (phflag >= 0) {
+ fprintf(stderr, "\n\t ph = %d", phflag);
+ fprintf(stderr, "\n\tpers = "); type_hex.dump(perso, stderr);
+ }
+ fprintf(stderr, "\n\t msg = "); type_hex.dump(msg, stderr);
+ if (phflag > 0)
+ { fprintf(stderr, "\n\thash = "); type_hex.dump(m, stderr); }
fprintf(stderr, "\n\tcalc = "); type_hex.dump(&dsig, stderr);
- fprintf(stderr, "\n\twant = "); type_hex.dump(&dv[2], stderr);
+ fprintf(stderr, "\n\twant = "); type_hex.dump(want, stderr);
fprintf(stderr, "\n");
}
return (ok);
}
-static int vrf_verify(dstr dv[])
+static int vrf_sign_trad(dstr *dv)
+ { return (vrf_sign(&dv[0], -1, 0, &dv[1], &dv[2])); }
+
+static int vrf_sign_ctx(dstr *dv)
+ { return (vrf_sign(&dv[0], *(int *)dv[1].buf, &dv[2], &dv[3], &dv[4])); }
+
+static int vrf_verify(dstr *pub, int phflag, dstr *perso,
+ dstr *msg, dstr *sig, int rc_want)
{
- int rc_want, rc_calc;
+ sha512_ctx h;
+ int rc_calc;
+ dstr d = DSTR_INIT, *m;
int ok = 1;
- if (dv[0].len != ED25519_PUBSZ) die(1, "bad pub length");
- if (dv[2].len != ED25519_SIGSZ) die(1, "bad sig length");
- rc_want = *(int *)dv[3].buf;
-
- rc_calc = ed25519_verify((const octet *)dv[0].buf,
- dv[1].buf, dv[1].len,
- (const octet *)dv[2].buf);
+ if (pub->len != ED25519_PUBSZ) die(1, "bad pub length");
+ if (sig->len != ED25519_SIGSZ) die(1, "bad sig length");
+
+ if (phflag <= 0)
+ m = msg;
+ else {
+ dstr_ensure(&d, SHA512_HASHSZ); d.len = SHA512_HASHSZ;
+ sha512_init(&h);
+ sha512_hash(&h, msg->buf, msg->len);
+ sha512_done(&h, d.buf);
+ m = &d;
+ }
+ rc_calc = ed25519ctx_verify((const octet *)pub->buf,
+ phflag, perso ? perso->buf : 0,
+ perso ? perso->len : 0,
+ m->buf, m->len,
+ (const octet *)sig->buf);
if (!rc_want != !rc_calc) {
ok = 0;
fprintf(stderr, "failed!");
- fprintf(stderr, "\n\t pub = "); type_hex.dump(&dv[0], stderr);
- fprintf(stderr, "\n\t msg = "); type_hex.dump(&dv[1], stderr);
- fprintf(stderr, "\n\t sig = "); type_hex.dump(&dv[2], stderr);
+ fprintf(stderr, "\n\t pub = "); type_hex.dump(pub, stderr);
+ if (phflag >= 0) {
+ fprintf(stderr, "\n\t ph = %d", phflag);
+ fprintf(stderr, "\n\tpers = "); type_hex.dump(perso, stderr);
+ }
+ fprintf(stderr, "\n\t msg = "); type_hex.dump(msg, stderr);
+ if (phflag > 0)
+ { fprintf(stderr, "\n\thash = "); type_hex.dump(m, stderr); }
+ fprintf(stderr, "\n\t sig = "); type_hex.dump(sig, stderr);
fprintf(stderr, "\n\tcalc = %d", rc_calc);
fprintf(stderr, "\n\twant = %d", rc_want);
fprintf(stderr, "\n");
return (ok);
}
+static int vrf_verify_trad(dstr *dv)
+ { return (vrf_verify(&dv[0], -1, 0, &dv[1], &dv[2], *(int *)dv[3].buf)); }
+
+static int vrf_verify_ctx(dstr *dv)
+{
+ return (vrf_verify(&dv[0], *(int *)dv[1].buf, &dv[2],
+ &dv[3], &dv[4], *(int *)dv[5].buf));
+}
+
static test_chunk tests[] = {
- { "pubkey", vrf_pubkey, { &type_hex, &type_hex } },
- { "sign", vrf_sign, { &type_hex, &type_hex, &type_hex } },
- { "verify", vrf_verify, { &type_hex, &type_hex, &type_hex, &type_int } },
+ { "pubkey", vrf_pubkey,
+ { &type_hex, &type_hex } },
+ { "sign", vrf_sign_trad,
+ { &type_hex, &type_hex, &type_hex } },
+ { "verify", vrf_verify_trad,
+ { &type_hex, &type_hex, &type_hex, &type_int } },
+ { "sign-ctx", vrf_sign_ctx,
+ { &type_hex, &type_int, &type_hex, &type_hex, &type_hex } },
+ { "verify-ctx", vrf_verify_ctx,
+ { &type_hex, &type_int, &type_hex, &type_hex, &type_hex, &type_int } },
{ 0, 0, { 0 } }
};
~mdw / catacomb / blobdiff