public override Boolean Verify(byte[] publicKey, byte[] message, byte[] signature, byte[] rgbContext = null)
{
EdDSAPoint A = DecodePoint(publicKey);
byte[] r = new byte[signature.Length / 2];
Array.Copy(signature, r, r.Length);
EdDSAPoint R = DecodePoint(r);
byte[] s = new byte[signature.Length / 2];
Array.Copy(signature, r.Length, s, 0, r.Length);
Array.Reverse(s);
BigInteger S = new BigInteger(1, s);
message = PreHash(message);
ShakeDigest sha256 = new ShakeDigest(256);
byte[] rgbDom = Dom(rgbContext);
sha256.BlockUpdate(rgbDom, 0, rgbDom.Length);
sha256.BlockUpdate(r, 0, r.Length);
sha256.BlockUpdate(publicKey, 0, publicKey.Length);
sha256.BlockUpdate(message, 0, message.Length);
byte[] h = new byte[114];
sha256.DoFinal(h, 0, 114);
Array.Reverse(h);
BigInteger k = new BigInteger(1, h).Mod(EdDSAPoint448.L);
EdDSAPoint left = EdDSAPoint448.B.MultipleByScalar(S).Normalize();
EdDSAPoint right = EdDSAPoint448.Add((EdDSAPoint448)R, (EdDSAPoint448)A.MultipleByScalar(k)).Normalize();
return(left.equal(right));
}
public override byte[] Sign(byte[] publicKey, byte[] privateKey, byte[] M, byte[] context = null)
{
ShakeDigest sha512 = new ShakeDigest(256);
sha512.BlockUpdate(privateKey, 0, privateKey.Length);
byte[] h = new byte[114];
sha512.DoFinal(h, 0, 114);
byte[] x = new byte[57];
Array.Copy(h, x, 57);
x[0] &= 0xfc; // Clear lowest 2 bits
x[56] = 0; // Clear the highest byte
x[55] |= 0x80; // Set the highest bit
Array.Reverse(x);
BigInteger a = new BigInteger(1, x);
byte[] A = publicKey;
byte[] prefix = new byte[57];
Array.Copy(h, 57, prefix, 0, 57);
M = PreHash(M);
sha512.Reset();
byte[] domBytes = Dom(context);
sha512.BlockUpdate(domBytes, 0, domBytes.Length);
sha512.BlockUpdate(prefix, 0, prefix.Length);
sha512.BlockUpdate(M, 0, M.Length);
byte[] r1 = new byte[114];
sha512.DoFinal(r1, 0, 114);
Array.Reverse(r1);
BigInteger r = new BigInteger(1, r1).Mod(EdDSAPoint448.L);
EdDSAPoint rB = EdDSAPoint448.B.MultipleByScalar(r);
byte[] R = rB.Encode();
sha512.Reset();
sha512.BlockUpdate(domBytes, 0, domBytes.Length);
sha512.BlockUpdate(R, 0, R.Length);
sha512.BlockUpdate(A, 0, A.Length);
sha512.BlockUpdate(M, 0, M.Length);
byte[] kBytes = new byte[114];
sha512.DoFinal(kBytes, 0, 114);
Array.Reverse(kBytes);
BigInteger k = new BigInteger(1, kBytes).Mod(EdDSAPoint448.L);
BigInteger S = r.Add(k.Multiply(a)).Mod(EdDSAPoint448.L);
byte[] hash = new byte[57 * 2];
byte[] rgbS = S.ToByteArrayUnsigned();
Array.Copy(rgbS, 0, hash, 57 - rgbS.Length, rgbS.Length);
Array.Reverse(hash);
Array.Copy(R, hash, 57);
return(hash);
}
override public byte[] Encode()
{
EdDSAPoint point = this.Normalize();
byte[] rgbY = new byte[57];
byte[] y = point.Y.ToByteArrayUnsigned();
Array.Copy(y, 0, rgbY, 57 - y.Length, y.Length);
rgbY[0] |= (byte)(point.X.TestBit(0) ? 0x80 : 0);
Array.Reverse(rgbY);
return(rgbY);
}
public Boolean equal(EdDSAPoint other)
{
if (!this.X.Equals(other.X))
{
return(false);
}
if (!this.Y.Equals(other.Y))
{
return(false);
}
return(true);
}
static public void SelfTest()
{
BigInteger privateKey = new BigInteger("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60", 16);
byte[] message0 = new byte[0];
EdDSA25517 x = new EdDSA25517();
EdDSAPoint publicKey = x.GetPublic(privateKey.ToByteArrayUnsigned());
publicKey = (EdDSAPoint25517)publicKey.Normalize();
byte[] rgbPublicKey = publicKey.Encode();
EdDSAPoint pt2 = x.DecodePoint(rgbPublicKey);
byte[] signature = x.Sign(rgbPublicKey, privateKey.ToByteArrayUnsigned(), message0);
x.Verify(rgbPublicKey, message0, signature);
}
public static void SelfTest()
{
BigInteger secretkey = new BigInteger("6c82a562cb808d10d632be89c8513ebf6c929f34ddfa8c9f63c9960ef6e348a3528c8a3fcc2f044e39a3fc5b94492f8f032e7549a20098f95b", 16);
BigInteger publicKey = new BigInteger("b3da079b0aa493a5772029f0467baebee5a8112d9d3a22532361da294f7bb3815c5dc59e176b4d9f381ca0938e13c6c07b174be65dfa578e80", 16);
//byte[] rgbMessage = new byte[] { 0x64, 0xa6, 0x5f, 0x3c, 0xde, 0xdc, 0xdd, 0x66, 0x81, 0x1e, 0x29, 0x15, 0xe7 };
byte[] rgbMessage = new byte[0];
EdDSA448 x = new EdDSA448();
BigInteger signature = new BigInteger("6a12066f55331b6c22acd5d5bfc5d71228fbda80ae8dec26bdd306743c5027cb4890810c162c027468675ecf645a83176c0d7323a2ccde2d80efe5a1268e8aca1d6fbc194d3f77c44986eb4ab4177919ad8bec33eb47bbb5fc6e28196fd1caf56b4e7e0ba5519234d047155ac727a1053100", 16);
EdDSAPoint publicPoint = x.GetPublic(secretkey.ToByteArrayUnsigned());
byte[] rgbPublic = publicPoint.Normalize().Encode();
byte[] rgbSig = x.Sign(rgbPublic, secretkey.ToByteArrayUnsigned(), rgbMessage);
EdDSAPoint decodePoint = x.DecodePoint(rgbPublic);
x.Verify(rgbPublic, rgbMessage, rgbSig);
}
public byte[] Sign(EdDSAPoint publicPoint, byte[] privateKey, byte[] M, byte[] rgbContext = null)
{
return(Sign(publicPoint.Encode(), privateKey, M, rgbContext));
}