org.bouncycastle.math.ec.rfc8032
Class Ed448
java.lang.Object
org.bouncycastle.math.ec.rfc8032.Ed448
- public abstract class Ed448
- extends java.lang.Object
A low-level implementation of the Ed448 and Ed448ph instantiations of the Edwards-Curve Digital Signature
Algorithm specified in RFC 8032.
The implementation uses the "signed mult-comb" algorithm (for scalar multiplication by a fixed point) from
Mike Hamburg, "Fast and compact elliptic-curve cryptography". Standard
projective coordinates are
used for most point arithmetic.
Algorithm map.
Key generation — returns a 57-byte seed;
(via ) computes
where is the SHAKE-256-expanded clamped secret scalar
(RFC 8032 sec. 5.2.5), using the constant-time signed multi-comb .
Signing — computes (signed multi-comb) where
, then
(RFC 8032 sec. 5.2.6). Reduction modulo uses
(Barrett-style, straight-line). No variable-base scalar
multiplication is performed.
Verification — uses the basis reduction algorithm of
Pornin via then evaluates the
combined relation with Strauss-Shamir's trick in . Both routines are
deliberately variable-time and operate only on public material (signature, message, public key).
Coordinates — the precomputed base-point comb table lives in
affine form
(matching in ); the signing-side accumulator is
projective (X : Y : Z). Verification uses projective coordinates throughout.
Side-channel scope. The signing path (which operates on the secret seed, the derived secret
scalar, and the secret per-message nonce) is written to be constant-time at the Java level: the comb
walks all precomputed entries via mask-based rather than a
secret-indexed array load, conditional sign application uses XOR-with-mask , scalar
recoding via uses mask-driven , and
is fully unrolled straight-line arithmetic. This is sufficient against a remote network timing attacker
but is not a substitute for a constant-time native implementation against a co-located
cache-line-resolution adversary — JVM-level timing variance from JIT, GC and cache eviction is not
addressable in pure Java. Verification routines (those suffixed ) are deliberately
variable-time and operate only on public material.
|
Constructor Summary |
Ed448()
|
|
Method Summary |
static Xof |
createPrehash()
|
static void |
encodePublicPoint(Ed448.PublicPoint publicPoint,
byte[] pk,
int pkOff)
|
static void |
generatePrivateKey(java.security.SecureRandom random,
byte[] k)
|
static Ed448.PublicPoint |
generatePublicKey(byte[] sk,
int skOff)
|
static void |
generatePublicKey(byte[] sk,
int skOff,
byte[] pk,
int pkOff)
|
static void |
precompute()
|
static void |
scalarMultBaseXY(X448.Friend friend,
byte[] k,
int kOff,
int[] x,
int[] y)
NOTE: Only for use by X448 |
static void |
sign(byte[] sk,
int skOff,
byte[] ctx,
byte[] m,
int mOff,
int mLen,
byte[] sig,
int sigOff)
|
static void |
sign(byte[] sk,
int skOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] m,
int mOff,
int mLen,
byte[] sig,
int sigOff)
|
static void |
signPrehash(byte[] sk,
int skOff,
byte[] ctx,
byte[] ph,
int phOff,
byte[] sig,
int sigOff)
|
static void |
signPrehash(byte[] sk,
int skOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] ph,
int phOff,
byte[] sig,
int sigOff)
|
static void |
signPrehash(byte[] sk,
int skOff,
byte[] pk,
int pkOff,
byte[] ctx,
Xof ph,
byte[] sig,
int sigOff)
|
static void |
signPrehash(byte[] sk,
int skOff,
byte[] ctx,
Xof ph,
byte[] sig,
int sigOff)
|
static boolean |
validatePublicKeyFull(byte[] pk,
int pkOff)
|
static Ed448.PublicPoint |
validatePublicKeyFullExport(byte[] pk,
int pkOff)
|
static boolean |
validatePublicKeyPartial(byte[] pk,
int pkOff)
|
static Ed448.PublicPoint |
validatePublicKeyPartialExport(byte[] pk,
int pkOff)
|
static boolean |
verify(byte[] sig,
int sigOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] m,
int mOff,
int mLen)
|
static boolean |
verify(byte[] sig,
int sigOff,
Ed448.PublicPoint publicPoint,
byte[] ctx,
byte[] m,
int mOff,
int mLen)
|
static boolean |
verifyPrehash(byte[] sig,
int sigOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] ph,
int phOff)
|
static boolean |
verifyPrehash(byte[] sig,
int sigOff,
byte[] pk,
int pkOff,
byte[] ctx,
Xof ph)
|
static boolean |
verifyPrehash(byte[] sig,
int sigOff,
Ed448.PublicPoint publicPoint,
byte[] ctx,
byte[] ph,
int phOff)
|
static boolean |
verifyPrehash(byte[] sig,
int sigOff,
Ed448.PublicPoint publicPoint,
byte[] ctx,
Xof ph)
|
| Methods inherited from class java.lang.Object |
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
PREHASH_SIZE
public static final int PREHASH_SIZE
- See Also:
- Constant Field Values
PUBLIC_KEY_SIZE
public static final int PUBLIC_KEY_SIZE
- See Also:
- Constant Field Values
SECRET_KEY_SIZE
public static final int SECRET_KEY_SIZE
- See Also:
- Constant Field Values
SIGNATURE_SIZE
public static final int SIGNATURE_SIZE
- See Also:
- Constant Field Values
Ed448
public Ed448()
createPrehash
public static Xof createPrehash()
encodePublicPoint
public static void encodePublicPoint(Ed448.PublicPoint publicPoint,
byte[] pk,
int pkOff)
generatePrivateKey
public static void generatePrivateKey(java.security.SecureRandom random,
byte[] k)
generatePublicKey
public static void generatePublicKey(byte[] sk,
int skOff,
byte[] pk,
int pkOff)
generatePublicKey
public static Ed448.PublicPoint generatePublicKey(byte[] sk,
int skOff)
precompute
public static void precompute()
scalarMultBaseXY
public static void scalarMultBaseXY(X448.Friend friend,
byte[] k,
int kOff,
int[] x,
int[] y)
- NOTE: Only for use by X448
sign
public static void sign(byte[] sk,
int skOff,
byte[] ctx,
byte[] m,
int mOff,
int mLen,
byte[] sig,
int sigOff)
sign
public static void sign(byte[] sk,
int skOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] m,
int mOff,
int mLen,
byte[] sig,
int sigOff)
signPrehash
public static void signPrehash(byte[] sk,
int skOff,
byte[] ctx,
byte[] ph,
int phOff,
byte[] sig,
int sigOff)
signPrehash
public static void signPrehash(byte[] sk,
int skOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] ph,
int phOff,
byte[] sig,
int sigOff)
signPrehash
public static void signPrehash(byte[] sk,
int skOff,
byte[] ctx,
Xof ph,
byte[] sig,
int sigOff)
signPrehash
public static void signPrehash(byte[] sk,
int skOff,
byte[] pk,
int pkOff,
byte[] ctx,
Xof ph,
byte[] sig,
int sigOff)
validatePublicKeyFull
public static boolean validatePublicKeyFull(byte[] pk,
int pkOff)
validatePublicKeyFullExport
public static Ed448.PublicPoint validatePublicKeyFullExport(byte[] pk,
int pkOff)
validatePublicKeyPartial
public static boolean validatePublicKeyPartial(byte[] pk,
int pkOff)
validatePublicKeyPartialExport
public static Ed448.PublicPoint validatePublicKeyPartialExport(byte[] pk,
int pkOff)
verify
public static boolean verify(byte[] sig,
int sigOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] m,
int mOff,
int mLen)
verify
public static boolean verify(byte[] sig,
int sigOff,
Ed448.PublicPoint publicPoint,
byte[] ctx,
byte[] m,
int mOff,
int mLen)
verifyPrehash
public static boolean verifyPrehash(byte[] sig,
int sigOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] ph,
int phOff)
verifyPrehash
public static boolean verifyPrehash(byte[] sig,
int sigOff,
Ed448.PublicPoint publicPoint,
byte[] ctx,
byte[] ph,
int phOff)
verifyPrehash
public static boolean verifyPrehash(byte[] sig,
int sigOff,
byte[] pk,
int pkOff,
byte[] ctx,
Xof ph)
verifyPrehash
public static boolean verifyPrehash(byte[] sig,
int sigOff,
Ed448.PublicPoint publicPoint,
byte[] ctx,
Xof ph)