cx448 0.1.1

A pure-Rust implementation of Ed448 and Curve448 and Decaf. This crate also includes signing and verifying of Ed448 signatures, and x448.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147

use crate::sign::{InnerSignature, HASH_HEAD};
use crate::{
    EdwardsPoint, Scalar, ScalarBytes, SecretKey, SigningError, VerifyingKey, WideScalarBytes,
    SECRET_KEY_LENGTH,
};
use sha3::digest::ExtendableOutputReset;
use sha3::{
    digest::{ExtendableOutput, Update, XofReader},
    Shake256,
};
use zeroize::{Zeroize, ZeroizeOnDrop};

#[derive(Clone)]
pub struct ExpandedSecretKey {
    pub(crate) seed: SecretKey,
    pub(crate) scalar: Scalar,
    pub(crate) public_key: VerifyingKey,
    pub(crate) hash_prefix: ScalarBytes,
}

impl Zeroize for ExpandedSecretKey {
    fn zeroize(&mut self) {
        self.seed.zeroize();
        self.scalar.zeroize();
        self.hash_prefix.zeroize();
    }
}

impl Drop for ExpandedSecretKey {
    fn drop(&mut self) {
        self.zeroize();
    }
}

impl From<&SecretKey> for ExpandedSecretKey {
    fn from(secret_key: &SecretKey) -> Self {
        Self::from_seed(secret_key)
    }
}

impl ZeroizeOnDrop for ExpandedSecretKey {}

impl ExpandedSecretKey {
    pub fn from_seed(seed: &SecretKey) -> Self {
        let mut reader = Shake256::default().chain(seed).finalize_xof();
        let mut bytes = WideScalarBytes::default();
        reader.read(&mut bytes);
        let mut scalar_bytes = ScalarBytes::default();
        scalar_bytes.copy_from_slice(&bytes[..SECRET_KEY_LENGTH]);

        // The two least significant bits of the first byte are cleared
        // All eight most significant bits of the last byte are cleared
        // with the highest bit of the second byte set.
        scalar_bytes[0] &= 0xFC;
        scalar_bytes[56] = 0;
        scalar_bytes[55] |= 0x80;

        let scalar = Scalar::from_bytes_mod_order(&scalar_bytes);

        let mut hash_prefix = ScalarBytes::default();
        hash_prefix.copy_from_slice(&bytes[SECRET_KEY_LENGTH..]);

        let point = EdwardsPoint::GENERATOR * scalar;
        let public_key = VerifyingKey {
            compressed: point.compress(),
            point,
        };

        Self {
            seed: *seed,
            scalar,
            public_key,
            hash_prefix,
        }
    }

    /// Signs a message.
    ///
    /// This is the "Ed448" mode of RFC 8032 (no pre-hashing),
    /// also known as "PureEdDSA on Curve448". No context is provided;
    /// this is equivalent to `sign_ctx()` with an empty (zero-length)
    /// context.
    pub fn sign_raw(&self, m: &[u8]) -> Result<InnerSignature, SigningError> {
        self.sign_inner(0, &[], m)
    }

    /// Signs a message (with context).
    ///
    /// This is the "Ed448" mode of RFC 8032 (no pre-hashing),
    /// also known as "PureEdDSA on Curve448". A context string is also
    /// provided; it MUST have length at most 255 bytes.
    pub fn sign_ctx(&self, ctx: &[u8], m: &[u8]) -> Result<InnerSignature, SigningError> {
        self.sign_inner(0, ctx, m)
    }

    /// Signs a pre-hashed message.
    ///
    /// This is the "Ed448ph" mode of RFC 8032 (message is pre-hashed),
    /// also known as "HashEdDSA on Curve448". The hashed message `hm`
    /// is provided (presumably, that hash value was obtained with
    /// SHAKE256 and an output of 64 bytes; the caller does the hashing
    /// itself). A context string is also provided; it MUST have length
    /// at most 255 bytes.
    pub fn sign_prehashed(&self, ctx: &[u8], m: &[u8]) -> Result<InnerSignature, SigningError> {
        self.sign_inner(1, ctx, m)
    }

    fn sign_inner(&self, phflag: u8, ctx: &[u8], m: &[u8]) -> Result<InnerSignature, SigningError> {
        if ctx.len() > 255 {
            return Err(SigningError::PrehashedContextLength);
        }
        // SHAKE256(dom4(F, C) || prefix || PH(M), 114) -> scalar r
        let clen = ctx.len() as u8;
        let mut reader = Shake256::default()
            .chain(HASH_HEAD)
            .chain([phflag])
            .chain([clen])
            .chain(ctx)
            .chain(self.hash_prefix)
            .chain(m)
            .finalize_xof_reset();
        let mut bytes = WideScalarBytes::default();
        reader.read(&mut bytes);
        let r = Scalar::from_bytes_mod_order_wide(&bytes);

        // R = r*B
        let big_r = EdwardsPoint::GENERATOR * r;
        let compressed_r = big_r.compress();

        // SHAKE256(dom4(F, C) || R || A || PH(M), 114) -> scalar k
        reader = Shake256::default()
            .chain(HASH_HEAD)
            .chain([phflag])
            .chain([clen])
            .chain(ctx)
            .chain(compressed_r.as_bytes())
            .chain(self.public_key.compressed.as_bytes())
            .chain(m)
            .finalize_xof();
        reader.read(&mut bytes);
        let k = Scalar::from_bytes_mod_order_wide(&bytes);
        Ok(InnerSignature {
            r: big_r,
            s: r + k * self.scalar,
        })
    }
}