Make the hash-and-sign nature of Ed25519ph and Ed448ph explicit

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-11-22 22:35:43 +01:00 · 2021-03-01 10:28:29 +01:00 · 2021-03-01 10:28:29 +01:00 · b13ead816c
commit b13ead816c
parent e36f8aa1b0
1 changed files with 24 additions and 3 deletions
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@ -1410,10 +1410,21 @@
 *
 * This algorithm is Ed25519 as specified in RFC 8032.
 * The curve is Edwards25519.
- * The input is first hashed with SHA-512.
+ * The prehash is SHA-512.
 * The hash function used internally is SHA-512, with
 * `dom2(0, "") = ASCII("SigEd25519 no Ed25519 collisions") || 0x00 0x00`
 * prepended to the input.
+ *
+ * This is a hash-and-sign algorithm: to calculate a signature,
+ * you can either:
+ * - call psa_sign_message() on the message;
+ * - or calculate the SHA-512 hash of the message
+ *   with psa_hash_compute()
+ *   or with a multi-part hash operation started with psa_hash_setup(),
+ *   using the hash algorithm #PSA_ALG_SHA_512,
+ *   then sign the calculated hash with psa_sign_hash().
+ * Verifying a signature is similar, using psa_verify_message() or
+ * psa_verify_hash() instead of the signature function.
 */
 #define PSA_ALG_ED25519PH                               \
    (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHA_512 & PSA_ALG_HASH_MASK))
@ -1425,12 +1436,22 @@
 *
 * This algorithm is Ed448 as specified in RFC 8032.
 * The curve is Edwards448.
- * The input is first hashed by taking the first 64 bytes of the SHAKE256
- * output.
+ * The prehash is the first 64 bytes of the SHAKE256 output.
 * The hash function used internally is the first 114 bytes of the
 * SHAKE256 output, with
 * `dom4(0, "") = ASCII("SigEd448") || 0x00 0x00`
 * prepended to the input.
+ *
+ * This is a hash-and-sign algorithm: to calculate a signature,
+ * you can either:
+ * - call psa_sign_message() on the message;
+ * - or calculate the first 64 bytes of the SHAKE256 output of the message
+ *   with psa_hash_compute()
+ *   or with a multi-part hash operation started with psa_hash_setup(),
+ *   using the hash algorithm #PSA_ALG_SHAKE256_64,
+ *   then sign the calculated hash with psa_sign_hash().
+ * Verifying a signature is similar, using psa_verify_message() or
+ * psa_verify_hash() instead of the signature function.
 */
 #define PSA_ALG_ED448PH                                 \
    (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHAKE256_64 & PSA_ALG_HASH_MASK))