public abstract class Ed448
extends java.lang.Object
The implementation uses the "signed mult-comb" algorithm (for scalar multiplication by a fixed point) from Mike Hamburg, "Fast and compact elliptic-curve cryptography". Standard projective coordinates are used for most point arithmetic.
Algorithm map.
generatePrivateKey returns a 57-byte seed;
generatePublicKey (via scalarMultBaseEncoded) computes
A = s * B where s is the SHAKE-256-expanded clamped secret scalar
(RFC 8032 sec. 5.2.5), using the constant-time signed multi-comb scalarMultBase.sign computes R = r * B (signed multi-comb) where
r = SHAKE-256(dom4(F, C) || prefix || M, 912 bits) mod L, then
S = (r + k * s) mod L (RFC 8032 sec. 5.2.6). Reduction modulo L uses
Scalar448.reduce912 (Barrett-style, straight-line). No variable-base scalar
multiplication is performed.verify uses the basis reduction algorithm of
Pornin via Scalar448.reduceBasisVar then evaluates the
combined relation with Strauss-Shamir's trick in scalarMultStraus225Var. Both routines are
deliberately variable-time and operate only on public material (signature, message, public key).PointAffine in pointLookup); the signing-side accumulator is
projective (X : Y : Z). Verification uses projective coordinates throughout.
Side-channel scope. The signing path (which operates on the secret seed, the derived secret
scalar, and the secret per-message nonce) is written to be constant-time at the Java level: the comb
scalarMultBase walks all precomputed entries via mask-based cmov rather than a
secret-indexed array load, conditional sign application uses XOR-with-mask cnegate, scalar
recoding via toSignedDigits uses mask-driven caddTo, and Scalar448.reduce912
is fully unrolled straight-line arithmetic. This is sufficient against a remote network timing attacker
but is not a substitute for a constant-time native implementation against a co-located
cache-line-resolution adversary — JVM-level timing variance from JIT, GC and cache eviction is not
addressable in pure Java. Verification routines (those suffixed Var) are deliberately
variable-time and operate only on public material.
| Modifier and Type | Class and Description |
|---|---|
static class |
Ed448.Algorithm |
static class |
Ed448.PublicPoint |
| Modifier and Type | Field and Description |
|---|---|
static int |
PREHASH_SIZE |
static int |
PUBLIC_KEY_SIZE |
static int |
SECRET_KEY_SIZE |
static int |
SIGNATURE_SIZE |
| Constructor and Description |
|---|
Ed448() |
| Modifier and Type | Method and Description |
|---|---|
static Xof |
createPrehash() |
static void |
encodePublicPoint(Ed448.PublicPoint publicPoint,
byte[] pk,
int pkOff) |
static void |
generatePrivateKey(java.security.SecureRandom random,
byte[] k) |
static Ed448.PublicPoint |
generatePublicKey(byte[] sk,
int skOff) |
static void |
generatePublicKey(byte[] sk,
int skOff,
byte[] pk,
int pkOff) |
static void |
precompute() |
static void |
scalarMultBaseXY(X448.Friend friend,
byte[] k,
int kOff,
int[] x,
int[] y)
NOTE: Only for use by X448
|
static void |
sign(byte[] sk,
int skOff,
byte[] ctx,
byte[] m,
int mOff,
int mLen,
byte[] sig,
int sigOff) |
static void |
sign(byte[] sk,
int skOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] m,
int mOff,
int mLen,
byte[] sig,
int sigOff) |
static void |
signPrehash(byte[] sk,
int skOff,
byte[] ctx,
byte[] ph,
int phOff,
byte[] sig,
int sigOff) |
static void |
signPrehash(byte[] sk,
int skOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] ph,
int phOff,
byte[] sig,
int sigOff) |
static void |
signPrehash(byte[] sk,
int skOff,
byte[] pk,
int pkOff,
byte[] ctx,
Xof ph,
byte[] sig,
int sigOff) |
static void |
signPrehash(byte[] sk,
int skOff,
byte[] ctx,
Xof ph,
byte[] sig,
int sigOff) |
static boolean |
validatePublicKeyFull(byte[] pk,
int pkOff) |
static Ed448.PublicPoint |
validatePublicKeyFullExport(byte[] pk,
int pkOff) |
static boolean |
validatePublicKeyPartial(byte[] pk,
int pkOff) |
static Ed448.PublicPoint |
validatePublicKeyPartialExport(byte[] pk,
int pkOff) |
static boolean |
verify(byte[] sig,
int sigOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] m,
int mOff,
int mLen) |
static boolean |
verify(byte[] sig,
int sigOff,
Ed448.PublicPoint publicPoint,
byte[] ctx,
byte[] m,
int mOff,
int mLen) |
static boolean |
verifyPrehash(byte[] sig,
int sigOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] ph,
int phOff) |
static boolean |
verifyPrehash(byte[] sig,
int sigOff,
byte[] pk,
int pkOff,
byte[] ctx,
Xof ph) |
static boolean |
verifyPrehash(byte[] sig,
int sigOff,
Ed448.PublicPoint publicPoint,
byte[] ctx,
byte[] ph,
int phOff) |
static boolean |
verifyPrehash(byte[] sig,
int sigOff,
Ed448.PublicPoint publicPoint,
byte[] ctx,
Xof ph) |
public static final int PREHASH_SIZE
public static final int PUBLIC_KEY_SIZE
public static final int SECRET_KEY_SIZE
public static final int SIGNATURE_SIZE
public static Xof createPrehash()
public static void encodePublicPoint(Ed448.PublicPoint publicPoint, byte[] pk, int pkOff)
public static void generatePrivateKey(java.security.SecureRandom random,
byte[] k)
public static void generatePublicKey(byte[] sk,
int skOff,
byte[] pk,
int pkOff)
public static Ed448.PublicPoint generatePublicKey(byte[] sk, int skOff)
public static void precompute()
public static void scalarMultBaseXY(X448.Friend friend, byte[] k, int kOff, int[] x, int[] y)
public static void sign(byte[] sk,
int skOff,
byte[] ctx,
byte[] m,
int mOff,
int mLen,
byte[] sig,
int sigOff)
public static void sign(byte[] sk,
int skOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] m,
int mOff,
int mLen,
byte[] sig,
int sigOff)
public static void signPrehash(byte[] sk,
int skOff,
byte[] ctx,
byte[] ph,
int phOff,
byte[] sig,
int sigOff)
public static void signPrehash(byte[] sk,
int skOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] ph,
int phOff,
byte[] sig,
int sigOff)
public static void signPrehash(byte[] sk,
int skOff,
byte[] ctx,
Xof ph,
byte[] sig,
int sigOff)
public static void signPrehash(byte[] sk,
int skOff,
byte[] pk,
int pkOff,
byte[] ctx,
Xof ph,
byte[] sig,
int sigOff)
public static boolean validatePublicKeyFull(byte[] pk,
int pkOff)
public static Ed448.PublicPoint validatePublicKeyFullExport(byte[] pk, int pkOff)
public static boolean validatePublicKeyPartial(byte[] pk,
int pkOff)
public static Ed448.PublicPoint validatePublicKeyPartialExport(byte[] pk, int pkOff)
public static boolean verify(byte[] sig,
int sigOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] m,
int mOff,
int mLen)
public static boolean verify(byte[] sig,
int sigOff,
Ed448.PublicPoint publicPoint,
byte[] ctx,
byte[] m,
int mOff,
int mLen)
public static boolean verifyPrehash(byte[] sig,
int sigOff,
byte[] pk,
int pkOff,
byte[] ctx,
byte[] ph,
int phOff)
public static boolean verifyPrehash(byte[] sig,
int sigOff,
Ed448.PublicPoint publicPoint,
byte[] ctx,
byte[] ph,
int phOff)
public static boolean verifyPrehash(byte[] sig,
int sigOff,
byte[] pk,
int pkOff,
byte[] ctx,
Xof ph)
public static boolean verifyPrehash(byte[] sig,
int sigOff,
Ed448.PublicPoint publicPoint,
byte[] ctx,
Xof ph)