mphell_tuto_eddsa-448+25519.c

Go to the documentation of this file.

/* 
  MPHELL-5.0 
  Author(s): The MPHELL team
 
 (C) Copyright 2015-2021 - Institut Fourier / Univ. Grenoble Alpes (France)
 
 This file is part of the MPHELL Library.
 MPHELL is free software: you can redistribute it and/or modify
 it under the terms of the GNU Lesser General Public License as published by
 the Free Software Foundation, version 3 of the License.
 
 MPHELL is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU Lesser General Public License for more details.
 
 You should have received a copy of the GNU Lesser General Public License
 along with MPHELL.  If not, see <http://www.gnu.org/licenses/>.
*/
 
#include <stdio.h>
#include <time.h>
#include "mphell/mphell.h"
#if MPHELL_USE_MULTITHREADING == 1
#include <omp.h>
#endif
 
struct eddsa_sig 
{
    ec_point R; 
    number *s; 
};
 
typedef struct eddsa_sig eddsa_sig_t;
 
typedef eddsa_sig_t eddsa_sig[1];
 
 
#define PRECOMP_WIN_SIZE 9
#define PRECOMP_SIZE 256
#define HASH_SIZE 64
 
struct ecdsa_precomp 
{
    ec_point prec_G[2*PRECOMP_SIZE]; 
    ec_point prec_K[2*PRECOMP_SIZE]; 
};
 
typedef struct ecdsa_precomp ecdsa_precomp_t;
 
typedef ecdsa_precomp_t ecdsa_precomp[1];
 
void
eddsa_sign_alloc(eddsa_sig *sig, ec_curve_srcptr E, uint8_t size)
{
    (*sig)->s = (number*)malloc(sizeof(number));
    number_init((*sig)->s, size);
    number_set_ui(*((*sig)->s), (block)0);    
 
    ec_point_alloc((*sig)->R, E->k);
    ec_point_init((*sig)->R, E->k);
    ec_point_set_neutral((*sig)->R, E, STACK_1);
}
 
void 
eddsa_sign_free(eddsa_sig *sig, ec_curve_srcptr E)
{
    if ((*sig)->R)
    {
        ec_point_free((*sig)->R, E->k);
    }
    if ((*sig)->s)
    {
        number_free((*sig)->s);
        free((*sig)->s);
    }
}
 
void
ecdsa_precal(ecdsa_precomp *precomp, ec_point *key, ec_curve_ptr E)
{
    uint16_t i;
    uint16_t pr = 2*PRECOMP_SIZE;
    
    /* Allocate */
    for(i = 0; i < pr; i++)
    {
        ec_point_alloc(((*precomp)->prec_G)[i], E->k);
        ec_point_alloc(((*precomp)->prec_K)[i], E->k);
        ec_point_init(((*precomp)->prec_G)[i], E->k);
        ec_point_init(((*precomp)->prec_K)[i], E->k);
    }
    ec_point_set_neutral(((*precomp)->prec_K)[0], E, STACK_1);
    ec_point_set_neutral(((*precomp)->prec_G)[0], E, STACK_1);
    
    ec_point_copy(((*precomp)->prec_G)[1], E->G, E->k);      /* G[0] = G     */
    ec_point_copy(((*precomp)->prec_K)[1], *key, E->k);      /* K[0] = K     */
    
    for(i = 2; i < pr; i++)
    {
        /* tab[i]=(i)* P1 */
        ec_point_add(((*precomp)->prec_G)[i], E->G, ((*precomp)->prec_G)[i-1], E, STACK_1);
        ec_point_add(((*precomp)->prec_K)[i], *key, ((*precomp)->prec_K)[i-1], E, STACK_1);
    }
}
 
void
ecdsa_precal_free(ecdsa_precomp *precomp, ec_curve_ptr E)
{
    uint16_t i;
    uint16_t pr = 2*PRECOMP_SIZE;
    for(i = 0; i < pr; i++)
    {
        ec_point_free(((*precomp)->prec_G)[i], E->k);
        ec_point_free(((*precomp)->prec_K)[i], E->k);
    }
}
 
void
ec_point_mul_ecdsa(ec_point dst, number_srcptr u1, ec_point_srcptr G,   
                        number_srcptr u2, ec_point_srcptr key, ec_curve_srcptr E)
{
#if MPHELL_USE_MULTITHREADING == 1
    omp_set_num_threads(2);
    ec_point tmp;
    ec_point_get_pool_elt(tmp, E->k, STACK_1);
    #pragma omp parallel
    {
        #pragma omp sections
        {
          #pragma omp section 
          {
              ec_point_mul(tmp, u2, key, E, STACK_1);
          }
          #pragma omp section
          {
              ec_point_mul(dst, u1, G, E, STACK_2);
          }
      }
    }
    ec_point_add(dst, dst, tmp, E, STACK_1);
    ec_point_relax_pool_elt(tmp, E->k, STACK_1);
#else
    ec_point tmp;
    ec_point_get_pool_elt(tmp, E->k, STACK_1);
    ec_point_mul(tmp, u2, key, E, STACK_1);
    ec_point_mul(dst, u1, G, E, STACK_1);
    ec_point_add(dst, dst, tmp, E, STACK_1);
    ec_point_relax_pool_elt(tmp, E->k, STACK_1);
#endif
}
 
void
eddsa_sign(unsigned char *hash, eddsa_sig *sig, number priv_key, ec_point *pub_key, ec_curve *curve)
{
    number *ss = (*sig)->s;
    uint8_t b;                      
    
    
    uint8_t size = (*curve)->k->size;
 
    if(size==bits_to_nblock(448))   /* b=114 for Ed448  b=64 for Ed25519 byte size of the filed elements.. */
    {
        b=114;
    }
    else if (size==bits_to_nblock(256))
    {
        b=64;
    }
 
    uint32_t i;
    unsigned char hashvalue[2*b+1];       /*2*b+1 hex */  
    unsigned char hashvaluebis[2*b+1];  
    unsigned char str[b+64+1];              /* b + 64 hex hashes + 1 */
    uint8_t * message_bin;
    unsigned char hashbin2[b];            /* of the size of the output of hash function */
    char * strx;
    char * stry;                         /* of the size of the field we are working on */
    char strH[4*b+64+1]; /* 2* 2*b (representation of point in hexa) + 64 (size of the message) +1 */
    uint8_t hashbin[64];  /* we use shake256 with an output of 114*8 bits */
    int64_t len_bin;    
    number r,s, test, test2;
    number_tmp_alloc(&r, size, STACK_1);
    number_tmp_alloc(&test, size+1, STACK_1);
    number_tmp_alloc(&s, size, STACK_1);
    number_tmp_alloc(&test2, 2*size+1, STACK_1);
 
 
    /* Computation of the public key */
    number_str(&strx, priv_key, 16);
    message_bin =  (uint8_t *)calloc(strlen(strx)*2, sizeof(uint8_t));
    len_bin= hex2bin(strx, message_bin);
    free(strx);
    
    if(size==bits_to_nblock(448))
    {
        /* Computation of the hash of the private key */
        FIPS202_SHAKE256((unsigned char *)message_bin, len_bin ,hashbin2, 114); 
        /* shake256 is used according to standards (e.g. rfc8032) */
    }
    else if(size==bits_to_nblock(256))
    {
        /* Computation of the hash of the private key */
        sha512(hashbin2, message_bin, len_bin*8);
        /* sha512 is used since we need to have hashes of size 512 bits, another
        * hash function could have been used under this condition, we choosed it
        * because sha512 is implemented already in MPHELL 
        */                
    }
    
    free(message_bin);
        
    /* Computation of s=2^n+\sum_{i=c}^{n-1}2^ih_i (h_i are bits of the hash)*/
    bin2hex(hashbin2, b, hashvalue); 
    /* The input has size b*8 bits we work only with 1st half for pubkey and 2nd half for r*/
 
    /* Computation of h_{bi}|M  with i>=b (hashvalue has size 114*2=228 hex)*/
    for(i=0;i<b;i++)
    {
        str[i]=hashvalue[b+i];
    }
    for(i=b;i<b+64;i++) /*114 + 64 (here M is replaced by its hash ) */
    {
        str[i]=hash[i-b];
    }
    str[b+64]= '\0';
    message_bin =  (uint8_t *)calloc((b+64)*2, sizeof(uint8_t));
    len_bin= hex2bin(str, message_bin);
 
    /* r = H(h_{bi}|M)  */
    if(size==bits_to_nblock(448))
    {
        FIPS202_SHAKE256((unsigned char *)message_bin, len_bin ,hashbin2, 114); 
    }
    else if(size==bits_to_nblock(256))
    {
        
        sha512(hashbin2, message_bin, len_bin*8);
    }
    free(message_bin);
    bin2hex(hashbin2, b, hashvaluebis); /* The input has size b*8 bytes */
    number_set_str(test2, hashvaluebis, 16);
 
    /* r mod l  (in [EdDSA15] l represents E->n)*/
    number_mod(r,test2,(*curve)->n);
 
    /* Computation of R=rB (in [EdDSA15] B represents E->G)*/
    ec_point_mul_unified((*sig)->R, r, (*curve)->G, (*curve), STACK_1); 
    /* Remove this for optimisation */
    ec_point_norm((*sig)->R, (*curve), STACK_1);   
 
    /* We copy R in strH */
    field_elt_str(&strx, ((*sig)->R)->x, 16, false, (*curve)->k, STACK_1); 
    field_elt_str(&stry, ((*sig)->R)->y, 16, false, (*curve)->k, STACK_1);
    for(i=0;i<strlen(strx);i++)
    {
        strH[i]=strx[i];
    }
    for(i=strlen(strx);i<b;i++)
    {
        strH[i]='0';
    }
    for(i=0;i<strlen(stry);i++)
    {
        strH[i+b]=stry[i];
    }
    for(i=strlen(stry);i<b;i++)
    {
        strH[i+b]='0';
    }
    /* We have to compute again s and A */    
 
    /* Here we need to compute again the public key A*/
    
    /* Computation of s=2^n+\sum_{i=c}^{n-1}2^ih_i */
    number_set_str(test2, hashvalue, 16);
    number_rshift(test2, test2, 4*b);
    number_set_str(test, "1", 16);
    number_lshift(test,test,4*b-1);
    /* we make sure that test2 is of size 4*b*4 bits*/
    if(number_cmp(test,test2)>0)
    {
        number_add(test2, test2, test);
    }
    /* as said before we take only the 1st half of the hashvalue*/
    free(strx);
    number_str(&strx, test2, 2);
    if(size==bits_to_nblock(448))
    {
        strx[0]='0';
        strx[1]='0';
        strx[2]='0';
        strx[3]='0';
        strx[4]='0';
        strx[5]='0';
        strx[6]='0';
        strx[7]='0';
        strx[8]='1';
        strx[454]='0';
        strx[455]='0';
    }
    else if(size==bits_to_nblock(256))
    {
        strx[0]='0';
        strx[1]='1';
        strx[253]='0';
        strx[254]='0';
        strx[255]='0';
        strx[256]='\0';
    }
    number_set_str(test2, strx, 2);
    
    /* Computation of s mod l */
    number_mod(s, test2, (*curve)->n);
 
    /* We concatenate the public key A = sB in strH */
 
    free(strx);
    free(stry);
    field_elt_str(&strx, (*pub_key)->x, 16,false, (*curve)->k, STACK_1);
    field_elt_str(&stry, (*pub_key)->y, 16,false, (*curve)->k, STACK_1);
    for(i=0;i<strlen(strx);i++)
    {
        strH[i+2*b]=strx[i];
    }
    for(i=strlen(strx);i<b;i++)
    {
        strH[i+2*b]='0';
    }
    for(i=0;i<strlen(stry);i++)
    {
        strH[i+3*b]=stry[i];
    }
    for(i=strlen(stry);i<b;i++)
    {
        strH[i+3*b]='0';
    }
    /* We concatenate the M in strH */
    for(i=0;i<64;i++)
    {
        strH[i+4*b]=hash[i];
    }
    strH[4*b+64]= '\0';
    
    message_bin =  (uint8_t *)calloc((4*b+64)*2, sizeof(unsigned char));
    len_bin = hex2bin(strH, message_bin);
    
    if(size==bits_to_nblock(448))
    {
        /* Computation of the hash of R|A|M */
        FIPS202_SHAKE256((unsigned char *)message_bin, len_bin ,hashbin2, 114); 
        /* shake 256 is used according to standards (e.g. rfc8032) */
    }
    else if(size==bits_to_nblock(256))
    {
        sha512(hashbin2, message_bin, len_bin*8);
    }
    free(message_bin);
    
    bin2hex(hashbin2, b, hashvalue); /* The input has size 114*8 bytes */
    number_set_str(test2, hashvalue, 16);
    
    /* Computation of H(R,A,M) mod l */
    number_mod(test,test2,(*curve)->n);
    
    /* Computation of H(R,A,M)*s mod l */
    number_mul(test2,test,s);
    number_mod(test,test2,(*curve)->n);
    
    /* Computation of r + H(R,A,M)*s mod l */
    number_add(test2,test,r);
    number_mod(*ss,test2,(*curve)->n);
 
    /* We set the signature */
    (*sig)->s = ss;
    
    /* Free memory */
    free(strx);
    free(stry);
    number_tmp_free(&r, size, STACK_1);
    number_tmp_free(&test, size+1, STACK_1);
    number_tmp_free(&s, size, STACK_1);
    number_tmp_free(&test2, 2*size+1, STACK_1);
}
 
int8_t
eddsa_verify(unsigned char *hash, eddsa_sig *sig, ec_point *pub_key, ec_curve *curve, ecdsa_precomp precomp)
{
    if(!edwards_belongs((*sig)->R, (*curve), STACK_1))
    {
        /* Just check that R belongs to the curve */
        return false;
    }
    /* Just check that s \in {0, ... , q-1} */
    if( number_cmp(*((*sig)->s), (*curve)->n)>=0)
    {
        return false;
    } 
 
    uint8_t size = (*curve)->k->size;
    uint8_t b;
    if(size==bits_to_nblock(448))   /* b=114 for Ed448  b=64 for Ed25519 byte size of the filed elements.. */
    {
        b=114;
    }
    else if(size==bits_to_nblock(256)) 
    {
        b=64;
    }
    
    uint8_t hashbin[b+1];
    uint8_t message_bin[(4*b+64)*2];
    unsigned char hashvalue[2*b+1];
    int64_t len_bin;
    uint32_t i;   
    char * strx;
    char * stry;  
    char strH[4*b+64+1]; /* 2* 224 (representation of point in hexadecimal) + 64 (size of the message to sign) +1 */
    number test, test2;
    number_tmp_alloc(&test, size+1, STACK_1);
    number_tmp_alloc(&test2, 2*size+1, STACK_1);
 
    /* First compute R|A|M */
    field_elt_str(&strx, ((*sig)->R)->x, 16, false, (*curve)->k, STACK_1);
    field_elt_str(&stry, ((*sig)->R)->y, 16, false, (*curve)->k, STACK_1);
    for(i=0;i<strlen(strx);i++)
    {
        strH[i]=strx[i];
    }
    for(i=strlen(strx);i<b;i++)
    {
        strH[i]='0';
    }
    for(i=0;i<strlen(stry);i++)
    {
        strH[i+b]=stry[i];
    }
    for(i=strlen(stry);i<b;i++)
    {
        strH[i+b]='0';
    }
    
    free(strx);
    free(stry);
    
    field_elt_str(&strx, (*pub_key)->x, 16, false, (*curve)->k, STACK_1);
    field_elt_str(&stry, (*pub_key)->y, 16, false, (*curve)->k, STACK_1);
 
    for(i=0;i<strlen(strx);i++)
    {
        strH[i+2*b]=strx[i];
    }
    for(i=strlen(strx);i<b;i++)
    {
        strH[i+2*b]='0';
    }
    for(i=0;i<strlen(stry);i++)
    {
        strH[i+3*b]=stry[i];
    }
    for(i=strlen(stry);i<b;i++)
    {
        strH[i+3*b]='0';
    }
    for(i=0;i<64;i++)
    {
        strH[i+4*b]=hash[i];
    }
    strH[4*b+64]= '\0';
    free(strx);
    free(stry);
 
    /*message_bin =  (uint8_t *)calloc(strlen(strH)*4, sizeof(uint8_t));*/
    len_bin = hex2bin(strH, message_bin);
    /* Computation of the hash of R,A,M */
    if(size==bits_to_nblock(448))   /* b=114 for Ed448  b=64 for Ed25519 byte size of the filed elements.. */
    {
        FIPS202_SHAKE256((unsigned char *)message_bin, len_bin ,hashbin, 114); 
        /* shake256 is used according to standards (e.g. rfc 8032)  */
    }
    else if (size==bits_to_nblock(256))
    {
        sha512(hashbin,message_bin,len_bin*8);
    }    
    bin2hex(hashbin, b, hashvalue); 
 
    /* Computation of the values optimised */
    number_set_str(test2,hashvalue,16);
    /* Computation of -H(R,A,M) mod l (in [EdDSA15] l represents E->n)*/
    number_mod(test,test2,(*curve)->n);
    number_sub(test2,(*curve)->n,test);
    number_mod(test,test2,(*curve)->n);
 
    /* Multiplication of -H(R,A,M) by the cofactor 2**c of the curve */
    number_mul(test2,(*curve)->h, test);
    number_mod(test, test2,(*curve)->n);
 
    /* x = (2**c)S*B - 2**c*H(R,A,M)*A (in [EdDSA15] B represents E->G, A is publickey)*/
    ec_point x;
    ec_point_get_pool_elt(x, (*curve)->k, STACK_1);
    number_mul(test2,(*curve)->h,*((*sig)->s));
    number_mod(test2, test2, (*curve)->n);
    ec_point_2mul_with_precomp(x, test2, (precomp)->prec_G, test, (precomp)->prec_K, PRECOMP_WIN_SIZE, *curve, STACK_1);
     
    /* y = 2**c*R */
    ec_point y;
    ec_point_get_pool_elt(y, (*curve)->k, STACK_1);
    ec_point_mul(y, (*curve)->h, (*sig)->R, *curve, STACK_1);
    /*Get the result by comparing x with y */        
    bool result = ec_point_are_equal(x, y, *curve, STACK_1);
 
    /* Free memory */
    ec_point_relax_pool_elt(x, (*curve)->k, STACK_1);
    ec_point_relax_pool_elt(y, (*curve)->k, STACK_1);
    number_tmp_free(&test, size+1, STACK_1);
    number_tmp_free(&test2, 2*size+1, STACK_1);
 
    return result;
}
 
int8_t 
eddsa_pub_key_validation(ec_point *pub_key, ec_curve *curve)
{
    
    if(!ec_belongs(*pub_key, *curve, STACK_1))
    {
        /* pubkey does not belong  to the curve */
        return false;   
    }   
    if(ec_point_is_neutral(*pub_key, *curve, STACK_1))
    {
        /* pubkey is the neutral element */
        return false;
    }
    /* We finally test the order of the curve */
    ec_point x;
    ec_point_get_pool_elt(x, (*curve)->k, STACK_1);    
    ec_point_mul(x, (*curve)->n, *pub_key, *curve, STACK_1);
    if(!ec_point_is_neutral(x, *curve, STACK_1))
    {
        /* pubkey is the neutral element */
        ec_point_relax_pool_elt(x, (*curve)->k, STACK_1);
        return false;
    }
    ec_point_relax_pool_elt(x, (*curve)->k, STACK_1);
    return true;
}
 
/* If no arguments are given the function is used on Ed448 otherwise on Ed25519 */
int main(int argc, char **argv)
{
    /* Initialise MPHELL with 256 bits of security strength for the entropy, RANDOM_AES256 as DRBG and DEVURANDOM as entropy source */
    
    init_mphell(256, RANDOM_AES256, DEVURANDOM);
    int nb_iteration = 10000;
    uint8_t message[200];
 
    struct timespec start, end;
    field k;
    ec_curve E;
    if(argc<2 || (argc>1 && atoi(argv[1])==448))
    {
        field_alloc(k, FP, bits_to_nblock(448), NULL);
        
        ec_alloc(E, k);
        ec_use_curve(E, k, ED_448, EXTENDED_EDWARDS, STACK_1);
        printf("Ed448 \t");
    }
    else
    {    
        /* Code for Ed25519 */
 
        field_alloc(k, FP, bits_to_nblock(256), NULL);
        
        ec_alloc(E, k);
        ec_use_curve(E, k, ED_25519, EXTENDED_EDWARDS, STACK_1);
        printf("Ed25519 \t");
    }      
    
    uint8_t b2;
    uint8_t size = (E)->k->size;;
    
    if(size==bits_to_nblock(448))
    {
        b2=114;
    }
    else if(size==bits_to_nblock(256))
    {
        b2=64;
    }
 
    unsigned char hashvalue[2*b2+1];  
    unsigned char hashvaluebis[2*b2+1];  
    uint8_t * message_bin;
    char * str;
    char test3[4*b2];   
    uint8_t hashbin[b2];  
    uint8_t hashbin2[b2];  
    unsigned char hashval[nb_iteration][HASH_SIZE+1];
    int64_t len_bin;  
    eddsa_sig *lib_sig = (eddsa_sig*)malloc(sizeof(eddsa_sig)*nb_iteration);
    int i,err;
    number test, test2;
    number_init(&test, size + 1);
    number_init(&test2, 2*size + 1);
    number priv_key;
    number_init(&priv_key, size + 1);
    number_set_ui(test, 1);
    number_lshift(test,test,4*b2);    
    number_dec(test, test);    
    /* The private key is a number of b bits with b the size of the security 
     * desired.
     * Here the private key does not need to come from a random value between 
     * 0 and the size of the group generated by G:E->n.
     */
          
    number_random1(priv_key, test, STACK_1);
    printf("\nThe private key has been created its value is:\n");
    number_print(priv_key, 16); printf("\n");
    printf("priv_key > n : %d\n", number_isgreater(priv_key, E->n)); 
 
    /* Create digest */
    for(i = 0; i < nb_iteration; i++)
    {
        sprintf((char *)message, "This is the %d message to sign and verify on stm32F4", i);
        len_bin=strlen((char *)message);
        message_bin = (uint8_t *)calloc(len_bin, sizeof(uint8_t));
        /* Convert ascii message into binary message */
        string2bin((char *)message, message_bin);
        /* Hash binary message */
        sha256(hashbin, message_bin, len_bin*8);
        free(message_bin);
        /* Convert binary hash into hexadecimal string */
        bin2hex(hashbin, HASH_SIZE/2, hashval[i]);
    }
 
    /* Computation of the public key */
    number_inc(test, test);
    number_rshift(test,test,1);
    number_str(&str, priv_key, 16);
    message_bin =  (uint8_t *)calloc(strlen(str)*2, sizeof(uint8_t));
    len_bin = hex2bin(str, message_bin);
    printf("\nBefore loop: len_bin: %d strlen(str): %d", len_bin, strlen(str));
    if(size==bits_to_nblock(448))
    {
        /* Computation of the hash of the private key */
        FIPS202_SHAKE256((unsigned char *)message_bin, len_bin , hashbin2, 114); 
        /* sha3 is used according to standards (e.g. rfc 8032)*/
    }
    else if(size==bits_to_nblock(256))
    {
        /* Computation of the hash of the private key */
        sha512(hashbin2, message_bin, len_bin*8);
        /* sha512 is used according to standards (e.g. rfc 8032)  */
    }
    free(message_bin);
    /* Computation of s=2^n+\sum_{i=c}^{n-1}2^ih_i (h_i are bits of the hash)*/
    bin2hex(hashbin2, b2, hashvaluebis); 
    /*2nd half of the hash bits are necessary for the public hence 114 in input */
 
    number_set_str(test2, hashvaluebis, 16);
    printf("\n0: test2 = "); number_print(test2, 16); printf("\n");
    
    printf("1: test2 = "); number_print(test2, 16); printf("\n");
    
    number_rshift(test2, test2, 4*b2);
    /* we make sure that test2 is of size 4*4*b bits*/
    if(number_cmp(test,test2)>0)
    {
        number_add(test2, test2, test);
    }
    free(str);
    number_str(&str, test2, 2);
    if(size==bits_to_nblock(448))
    {
        str[0]='0';
        str[1]='0';
        str[2]='0';
        str[3]='0';
        str[4]='0';
        str[5]='0';
        str[6]='0';
        str[7]='0';
        str[8]='1';
        str[454]='0';
        str[455]='0';
    }
    else if(size==bits_to_nblock(256))
    {
        str[0]='0';
        str[1]='1';
        str[253]='0';
        str[254]='0';
        str[255]='0';
        str[256]='\0';    
    }
    number_set_str(test2, str, 2);
    free(str);
 
    printf("\n2: test2 = "); number_print(test2, 16); printf("\n");
    /* Computation of s mod l (in [EdDSA15] l represents E->n) */
    number_mod(test, test2, E->n);
    
    printf("3: test = "); number_print(test, 16); printf("\n");
        
    /* Computation of A=sB (in [EdDSA15] B represents E->G)*/
    ec_point pub_key;
    ec_point_alloc(pub_key, E->k);
    ec_point_init(pub_key, E->k);
    ec_point_mul_unified(pub_key, test, E->G, E, STACK_1);
    
    /* Free memory done for the test */
    number_free(&test);
    number_free(&test2);
 
    /* Print the public key A */
    ec_point_norm(pub_key, E, STACK_1);  
    printf("\nThe pubkey has been computed:\n");  
    ec_point_print(pub_key, 16, true, k, STACK_1); 
 
    /* This test is optional.*/
    printf("\nThe validity of the public key is a:\n");
    int ret = eddsa_pub_key_validation(&pub_key, &E);
    if( ret < 1 )
    {
        printf("ERROR\n");
    }
    else
    {
        printf("SUCCESS\n");
    }
    
    /* Allocate ecsdsa_sig structure */
    eddsa_sig sig;
    eddsa_sign_alloc(&sig, E, bits_to_nblock(456));
 
    /* Allocate nb_iteration ecdsa_sig structure */
    for (i = 0; i < nb_iteration; i++)
    {
        eddsa_sign_alloc(&(lib_sig[i]), E, bits_to_nblock(456));
    }
 
    /* Precomputation (to speed up verification) */
    ecdsa_precomp precomp;
    ecdsa_precal(&precomp, &pub_key, E);
    
    /* Sign the digest */
    
    printf("Vector test size %d \n", nb_iteration);
    printf("Curve         \t Signature \t\t Verification \n");
    if(argc<2 || (argc>1 && atoi(argv[1])==448))
    {
        printf("Ed448 \t\t");  
    }
    else
    {
        printf("Ed25519 \t\t");
    }
    
    clock_gettime(CLOCK_MONOTONIC_RAW, &start);    
    for(i = 0; i < nb_iteration; i++)
    {
        eddsa_sign((unsigned char *)hashval[i], &(lib_sig[i]), priv_key, &pub_key, &E);
    }
    clock_gettime(CLOCK_MONOTONIC_RAW, &end);
    printf(" %lu.%03u \t\t\t", get_s(&start, &end), get_ns(&start, &end));
    
    /* Verify the signature */
    err=0;
 
    clock_gettime(CLOCK_MONOTONIC_RAW, &start);
    for(i = 0; i < nb_iteration; i++)
    {
        ret = eddsa_verify((unsigned char *)hashval[i], &(lib_sig[i]), &pub_key, &E, precomp);
        if( ret < 1 )
        {
            err++;
        }
    }
    clock_gettime(CLOCK_MONOTONIC_RAW, &end);
    printf(" %lu.%03u \n", get_s(&start, &end), get_ns(&start, &end));
    
    if( ret < 1 )
    {
        printf("ERROR :%d\n", err);
    }
    else
    {
        printf("SUCCESS \n");
    }
    
    /* Free memory */
    ec_point_free(pub_key, k);
    number_free(&priv_key);
    eddsa_sign_free(&sig, E);
    ecdsa_precal_free(&precomp, E);
    field_free(k);
    for (i = 0; i < nb_iteration; i++)
    {
        eddsa_sign_free(&(lib_sig[i]), E);
    }
    free(lib_sig);
    ec_free(E);
    
    free_mphell();
 
    return 0;
}