mphell_tuto_eddsa.c

Go to the documentation of this file.

/* 
  MPHELL-5.0 
  Author(s): The MPHELL team
 
 (C) Copyright 2015-2021 - Institut Fourier / Univ. Grenoble Alpes (France)
 
 This file is part of the MPHELL Library.
 MPHELL is free software: you can redistribute it and/or modify
 it under the terms of the GNU Lesser General Public License as published by
 the Free Software Foundation, version 3 of the License.
 
 MPHELL is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU Lesser General Public License for more details.
 
 You should have received a copy of the GNU Lesser General Public License
 along with MPHELL.  If not, see <http://www.gnu.org/licenses/>.
*/
 
#include <stdio.h>
#include <time.h>
#include "mphell/mphell.h"
#if MPHELL_USE_MULTITHREADING == 1
#include <omp.h>
#endif
 
struct eddsa_sig 
{
    ec_point R; 
    number *s; 
};
 
typedef struct eddsa_sig eddsa_sig_t;
 
typedef eddsa_sig_t eddsa_sig[1];
 
 
#define PRECOMP_WIN_SIZE 9
#define PRECOMP_SIZE 256
#define HASH_SIZE 64
 
struct ecdsa_precomp 
{
    ec_point prec_G[2*PRECOMP_SIZE]; 
    ec_point prec_K[2*PRECOMP_SIZE]; 
};
 
typedef struct ecdsa_precomp ecdsa_precomp_t;
 
typedef ecdsa_precomp_t ecdsa_precomp[1];
 
void
eddsa_sign_alloc(eddsa_sig *sig, ec_curve_srcptr E, uint8_t size)
{
    (*sig)->s = (number*)malloc(sizeof(number));
    number_init((*sig)->s, size);
    number_set_ui(*((*sig)->s), (block)0);    
 
    ec_point_alloc((*sig)->R, E->k);
    ec_point_init((*sig)->R, E->k);
    ec_point_set_neutral((*sig)->R, E, STACK_1);
}
 
void 
eddsa_sign_free(eddsa_sig *sig, ec_curve_srcptr E)
{
    if ((*sig)->R)
    {
        ec_point_free((*sig)->R, E->k);
    }
    if ((*sig)->s)
    {
        number_free((*sig)->s);
        free((*sig)->s);
    }
}
 
void
ecdsa_precal(ecdsa_precomp *precomp, ec_point *key, ec_curve_ptr E)
{
    uint16_t i;
    uint16_t pr = 2*PRECOMP_SIZE;
    
    /* Allocate */
    for(i = 0; i < pr; i++)
    {
        ec_point_alloc(((*precomp)->prec_G)[i], E->k);
        ec_point_alloc(((*precomp)->prec_K)[i], E->k);
        ec_point_init(((*precomp)->prec_G)[i], E->k);
        ec_point_init(((*precomp)->prec_K)[i], E->k);
    }
    ec_point_set_neutral(((*precomp)->prec_K)[0], E, STACK_1);
    ec_point_set_neutral(((*precomp)->prec_G)[0], E, STACK_1);
    
    ec_point_copy(((*precomp)->prec_G)[1], E->G, E->k);      /* G[0] = G     */
    ec_point_copy(((*precomp)->prec_K)[1], *key, E->k);      /* K[0] = K     */
    
    for(i = 2; i < pr; i++)
    {
        /* tab[i]=(i)* P1 */
        ec_point_add(((*precomp)->prec_G)[i], E->G, ((*precomp)->prec_G)[i-1], E, STACK_1);
        ec_point_add(((*precomp)->prec_K)[i], *key, ((*precomp)->prec_K)[i-1], E, STACK_1);
    }
}
 
void
ecdsa_precal_free(ecdsa_precomp *precomp, ec_curve_ptr E)
{
    uint16_t i;
    uint16_t pr = 2*PRECOMP_SIZE;
    for(i = 0; i < pr; i++)
    {
        ec_point_free(((*precomp)->prec_G)[i], E->k);
        ec_point_free(((*precomp)->prec_K)[i], E->k);
    }
}
 
void
ec_point_mul_ecdsa(ec_point dst, number_srcptr u1, ec_point_srcptr G,   
                        number_srcptr u2, ec_point_srcptr key, ec_curve_srcptr E)
{
#if MPHELL_USE_MULTITHREADING == 1
    omp_set_num_threads(2);
    ec_point tmp;
    ec_point_get_pool_elt(tmp, E->k, STACK_1);
    #pragma omp parallel
    {
        #pragma omp sections
        {
          #pragma omp section 
          {
              ec_point_mul(tmp, u2, key, E, STACK_1);
          }
          #pragma omp section
          {
              ec_point_mul(dst, u1, G, E, STACK_2);
          }
      }
    }
    ec_point_add(dst, dst, tmp, E, STACK_1);
    ec_point_relax_pool_elt(tmp, E->k, STACK_1);
#else
    ec_point tmp;
    ec_point_get_pool_elt(tmp, E->k, STACK_1);
    ec_point_mul(tmp, u2, key, E, STACK_1);
    ec_point_mul(dst, u1, G, E, STACK_1);
    ec_point_add(dst, dst, tmp, E, STACK_1);
    ec_point_relax_pool_elt(tmp, E->k, STACK_1);
#endif
}
 
void
eddsa_sign(unsigned char *hash, eddsa_sig *sig, number priv_key, ec_point *pub_key, ec_curve *curve)
{
    number *ss = (*sig)->s;
    
    uint8_t size = (*curve)->k->size;
 
    uint32_t i;
    unsigned char hashvalue[129];  
    unsigned char hashvaluebis[129];  
    unsigned char str[97];
    uint8_t * message_bin;
    char * strx;
    char * stry; 
    char strH[321]; /* 2* 128 (representation of point in hexa) + 64 (size of the message) +1 */
    uint8_t hashbin[64];  
    int64_t len_bin;    
    number r,s, test, test2;
    number_init(&r, bits_to_nblock(256));
    number_init(&test, bits_to_nblock(257));
    number_init(&s, bits_to_nblock(256));
    number_init(&test2, bits_to_nblock(512));
 
    /* Computation of the public key */
    number_str(&strx, priv_key, 16);
    message_bin =  (uint8_t *)calloc(strlen(strx)*4, sizeof(uint8_t));
    len_bin= hex2bin(strx, message_bin);
    free(strx);
    
    /* Computation of the hash of the private key */
    sha512(hashbin, message_bin, len_bin*8);
    /* sha512 is used since we need to have hashes of size 512 bits, another
     * hash function could have been used under this condition, we choosed it
     * because sha512 is implemented already in MPHELL 
     */
    free(message_bin);
    
    /* Computation of s=2^n+\sum_{i=c}^{n-1}2^ih_i (h_i are bits of the hash)*/
    bin2hex(hashbin, 64, hashvalue);
 
    /* Computation of h_{bi}|M  with i>=b (here 256)*/
    for(i=0;i<32;i++)
    {
        str[i]=hashvalue[32+i];
    }
    for(i=32;i<96;i++)
    {
        str[i]=hash[i];
    }
    str[96]= '\0';
    message_bin =  (uint8_t *)calloc(strlen(str)*4, sizeof(uint8_t));
    len_bin= hex2bin(str, message_bin);
 
    /* r = H(h_{bi}|M)  */
    sha512(hashbin, message_bin, len_bin*8);
    free(message_bin);
    bin2hex(hashbin, 64, hashvaluebis);
    number_set_str(test2, hashvaluebis, 16);
 
    /* r mod l  (in [EdDSA15] l represents E->n)*/
    number_mod(r,test2,(*curve)->n);
 
    /* Computation of R=rB (in [EdDSA15] B represents E->G)*/
    ec_point_mul_unified((*sig)->R, r, (*curve)->G, (*curve), STACK_1); 
    /* Remove this for optimisation */
    ec_point_norm((*sig)->R, (*curve), STACK_1);   
 
    field_elt_str(&strx, ((*sig)->R)->x, 16, false, (*curve)->k, STACK_1); 
    field_elt_str(&stry, ((*sig)->R)->y, 16, false, (*curve)->k, STACK_1);
    for(i=0;i<strlen(strx);i++)
    {
        strH[i]=strx[i];
    }
    for(i=strlen(strx);i<64;i++)
    {
        strH[i]='0';
    }
    for(i=0;i<strlen(stry);i++)
    {
        strH[i+64]=stry[i];
    }
    for(i=strlen(stry);i<64;i++)
    {
        strH[i+64]='0';
    }
    free(strx);
    free(stry);
    /* We have to compute again s and A */    
 
    /* Here we need to compute again the public key A*/
    number_set_str(test, "1", 16);
    number_lshift(test, test, 256);
    
    /* Computation of s=2^n+\sum_{i=c}^{n-1}2^ih_i */
    number_set_str(test2, hashvalue, 16);
    char *test3;
    number_str(&test3, test2, 2);
    test3[0]='0';
    test3[1]='1';
    test3[253]='0';
    test3[254]='0';
    test3[255]='0';
    test3[256]='\0';
    
    number_set_str(test2, test3, 2);
    free(test3);
    /* Computation of s mod l */
    number_mod(s, test2, (*curve)->n);
 
    /* Computation of A=sB */
    /*
    ec_point p_key;
    ec_point_get_pool_elt(p_key, (*curve)->k, STACK_1);
    ec_point_mul(p_key, s, (*curve)->G, (*curve), STACK_1);
    ec_point_norm(p_key, (*curve), STACK_1);  
    */
 
    field_elt_str(&strx, (*pub_key)->x, 16,false, (*curve)->k, STACK_1);
    field_elt_str(&stry, (*pub_key)->y, 16,false, (*curve)->k, STACK_1);
 
    for(i=0;i<strlen(strx);i++)
    {
        strH[i+128]=strx[i];
    }
    for(i=strlen(strx);i<64;i++)
    {
        strH[i+128]='0';
    }
    for(i=0;i<strlen(stry);i++)
    {
        strH[i+192]=stry[i];
    }
    for(i=strlen(stry);i<64;i++)
    {
        strH[i+192]='0';
    }
    for(i=0;i<64;i++)
    {
        strH[i+256]=hash[i];
    }
    strH[320]= '\0';
    
    free(strx);
    free(stry);
 
    message_bin =  (uint8_t *)calloc(strlen(strH)*4, sizeof(uint8_t));
    len_bin = hex2bin(strH, message_bin);
 
    /* Computation of the hash of R|A|M */
    sha512(hashbin,message_bin,len_bin*8);
    free(message_bin);
    bin2hex(hashbin, 64, hashvalue);
    number_set_str(test2, hashvalue, 16);
    
    /* Computation of H(R,A,M) mod l */
    number_mod(test,test2,(*curve)->n);
    
    /* Computation of H(R,A,M)*s mod l */
    number_mul(test2,test,s);
    number_mod(test,test2,(*curve)->n);
    
    /* Computation of r + H(R,A,M)*s mod l */
    number_add(test2,test,r);
    number_mod(*ss,test2,(*curve)->n);
 
    /* We set the signature */
    (*sig)->s = ss;
    
    /* Free memory */
    number_free(&r);
    number_free(&s);
    number_free(&test);
    number_free(&test2);
}
 
int8_t
eddsa_verify(unsigned char *hash, eddsa_sig *sig, ec_point *pub_key, ec_curve *curve, ecdsa_precomp precomp)
{
    if(!edwards_belongs((*sig)->R, (*curve), STACK_1))
    {
        /* Just check that R belongs to the curve */
        return false;
    }
    /* Just check that s \in {0, ... , q-1} */
    if( number_cmp(*((*sig)->s), (*curve)->n)>=0)
    {
        return false;
    } 
 
    char * str;
    uint8_t size = (*curve)->k->size;
    uint8_t hashbin[64];
    uint8_t * message_bin;
    unsigned char hashvalue[129];
    int64_t len_bin;
    uint32_t i;   
    unsigned char resultat[193]; /* 2*64 + 64 (size of the message to sign) +1 */ 
    char * strx;
    char * stry;  
    char strH[321]; /* 2* 128 (representation of point in hexadecimal) + 64 (size of the message to sign) +1 */
    number test, test2;
    number_init(&test, bits_to_nblock(256));
    number_init(&test2, bits_to_nblock(512));
 
    /* First compute R|A|M */
    field_elt_str(&strx, ((*sig)->R)->x, 16, false, (*curve)->k, STACK_1);
    field_elt_str(&stry, ((*sig)->R)->y, 16, false, (*curve)->k, STACK_1);
    for(i=0;i<strlen(strx);i++)
    {
        strH[i]=strx[i];
    }
    for(i=strlen(strx);i<64;i++)
    {
        strH[i]='0';
    }
    for(i=0;i<strlen(stry);i++)
    {
        strH[i+64]=stry[i];
    }
    for(i=strlen(stry);i<64;i++)
    {
        strH[i+64]='0';
    }
    free(strx);
    free(stry);
    
    field_elt_str(&strx, (*pub_key)->x, 16, false, (*curve)->k, STACK_1);
    field_elt_str(&stry, (*pub_key)->y, 16, false, (*curve)->k, STACK_1);
 
    for(i=0;i<strlen(strx);i++)
    {
        strH[i+128]=strx[i];
    }
    for(i=strlen(strx);i<64;i++)
    {
        strH[i+128]='0';
    }
    for(i=0;i<strlen(stry);i++)
    {
        strH[i+192]=stry[i];
    }
    for(i=strlen(stry);i<64;i++)
    {
        strH[i+192]='0';
    }
    for(i=0;i<64;i++)
    {
        strH[i+256]=hash[i];
    }
    strH[320]= '\0';
    free(strx);
    free(stry);
 
    message_bin =  (uint8_t *)calloc(strlen(strH)*4, sizeof(uint8_t));
    len_bin= hex2bin(strH, message_bin);
    
    /* Computation of the hash of R,A,M */
    sha512(hashbin,message_bin,len_bin*8);
    /* sha512 is used since we need to have hashes of size 512 bits, another
     * hash function could have been used under this condition, we choosed it
     * because sha512 is implemented already in MPHELL 
     */
    free(message_bin);
    bin2hex(hashbin, 64, hashvalue);
 
    /* Computation of the values optimised */
    number_set_str(test2,hashvalue,16);
    /* Computation of -H(R,A,M) mod l (in [EdDSA15] l represents E->n)*/
    number_mod(test,test2,(*curve)->n);
    number_sub(test2,(*curve)->n,test);
    number_mod(test,test2,(*curve)->n);
 
    /* Multiplication of -H(R,A,M) by the cofactor 2**c of the curve */
    number_mul(test2,(*curve)->h, test);
    number_mod(test, test2,(*curve)->n);
 
    /* x = (2**c)S*B - 2**c*H(R,A,M)*A (in [EdDSA15] B represents E->G, A is publickey)*/
    ec_point x;
    ec_point_get_pool_elt(x, (*curve)->k, STACK_1);
    number_mul(test2,(*curve)->h,*((*sig)->s));
    number_mod(test2, test2, (*curve)->n);
    ec_point_2mul_with_precomp(x, test2, (precomp)->prec_G, test, (precomp)->prec_K, PRECOMP_WIN_SIZE, *curve, STACK_1);
     
    /* y = 2**c*R */
    ec_point y;
    ec_point_get_pool_elt(y, (*curve)->k, STACK_1);
    ec_point_mul(y, (*curve)->h, (*sig)->R, *curve, STACK_1);
    /*Get the result by comparing x with y */        
    bool result = ec_point_are_equal(x, y, *curve, STACK_1);
 
    /* Free memory */
    ec_point_relax_pool_elt(x, (*curve)->k, STACK_1);
    ec_point_relax_pool_elt(y, (*curve)->k, STACK_1);
    number_free(&test);
    number_free(&test2);
 
    return result;
}
 
int8_t 
eddsa_pub_key_validation(ec_point *pub_key, ec_curve *curve)
{
    
    if(!ec_belongs(*pub_key, *curve, STACK_1))
    {
        /* pubkey does not belong  to the curve */
        return false;   
    }   
    if(ec_point_is_neutral(*pub_key, *curve, STACK_1))
    {
        /* pubkey is the neutral element */
        return false;
    }
    /* We finally test the order of the curve */
    ec_point x;
    ec_point_get_pool_elt(x, (*curve)->k, STACK_1);    
    ec_point_mul(x, (*curve)->n, *pub_key, *curve, STACK_1);
    if(!ec_point_is_neutral(x, *curve, STACK_1))
    {
        /* pubkey is the neutral element */
        ec_point_relax_pool_elt(x, (*curve)->k, STACK_1);
        return false;
    }
    ec_point_relax_pool_elt(x, (*curve)->k, STACK_1);
    return true;
}
 
int main()
{
    /* Initialise MPHELL with 256 bits of security strength for the entropy, RANDOM_AES256 as DRBG and DEVURANDOM as entropy source */
    
    init_mphell(256, RANDOM_AES256, DEVURANDOM);
    int nb_iteration = 100;
    uint8_t message[200];
 
    struct timespec start, end;
    
    /* Allocate a field of size 4*block_SIZE = 4*64 = 256 on 64 bits architecture */
    
    field k;
    field_alloc(k, FP, bits_to_nblock(256), NULL);
    
    /* Allocate a number of size 4*block_SIZE = 4*64 = 256 on 64 bits architecture */
    
    number p;
    number_init(&p, bits_to_nblock(256));
    
    /* Set the number p from a string in base 16 */
    
    number_set_str(p, "7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed", 16);
#if MPHELL_USE_AMNS == 1
    amns AMNS;
#if MPHELL_USE_AMNS_32 == 0
    amns_alloc_init_str(&AMNS, "[7, 5, [-2, 0, 0, 0, 0, 1], 54, 18452995865838783329900129877370266585014740033535441780974987498391596057242, [961252216531765, -808644316442835, 1045474214679914, 876400205157459, 80702276750246], [215521628593942615, 6036461283567564605, 7224436840646086003, 10819948880990321094, 2770174224844310327], [1261219955914665, 2245748633013857, 1942034862299073, 1713436964429893, 1484033610923007], [982299117090493, 2384806805124374, 473263249613373, 1302309306467128, 767899215173126]]", p);
#else
    amns_alloc_init_str(&AMNS, "[1, 13, [-2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1], 24, 27348853913383126840958695328985844583331474485808319900533972989426705703935, [295765, -240077, -384002, 86822, 427979, -178061, 355024, 35335, -47509, 293623, -162279, 239276, -54823], [304002351, 603274027, 987322065, 611192953, 899268748, 456421020, 1804479788, 151565031, 3376928416, 3404037305, 3106617823, 3555398377, 1245081753], [420571, 1005149, 1316639, 803101, 880079, 1425571, 78727, 673803, 292695, 429454, 603140, -81310, 484327], [-78425, 649592, 1210799, 537480, 931731, 330032, 587956, 604351, 932082, 256513, 633201, 50270, 916590]]", p);
#endif
    field_set_amns(k, AMNS);
#endif
    
    /* Create the field of characteristic p */
    
    field_create(k, "", STACK_1, 1, p);
    
    /* Allocate curve */
    
    ec_curve E;
    ec_alloc (E, k);
    ec_init(E, k);
    
    /* Create curve */
 
    field_elt a, b;
    ec_point G;
    number n, h;
    
    field_elt_alloc(&a, k);
    field_elt_init(a, k);
    field_elt_alloc(&b, k);
    field_elt_init(b, k);
    ec_point_alloc(G, k);
    ec_point_init(G, k);
    number_init(&n, bits_to_nblock(256));
    number_init(&h, bits_to_nblock(256));
    
    field_elt_set_str(a, "0000000000000000000000000000000000000000000000000000000000000001", 16, false, k, STACK_1);
    field_elt_set_str(b, "2dfc9311d490018c7338bf8688861767ff8ff5b2bebe27548a14b235eca6874a", 16, false, k, STACK_1);
    ec_point_set_aff_str(G, "159a6849e44c3c7f061b3d570fc4ed5b5d14c8ba4253df49cc7edf80f533ad9b", "6666666666666666666666666666666666666666666666666666666666666658", false, 16, EDWARDS, k, STACK_1);
    number_set_str(h, "8", 16);
    number_set_str(n, "1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed", 16);
    
    ec_create (E, "Ed25519", k, a, b, G, h, n, EDWARDS, EXTENDED_EDWARDS, STACK_1);
    
    printf("E: \n"); ec_curve_print(E, 16, STACK_1); printf("\n");
    
    ec_point_free(G, k);
    field_elt_free(&a, k);
    field_elt_free(&b, k);
    number_free(&h);
    number_free(&n);
 
    unsigned char hashvalue[129];  
    uint8_t * message_bin;
    char * str;   
    uint8_t hashbin[64];  
    unsigned char hashval[nb_iteration][HASH_SIZE+1];
    int64_t len_bin;  
    eddsa_sig *lib_sig = (eddsa_sig*)malloc(sizeof(eddsa_sig)*nb_iteration);
    int i,err;
    number test, test2;
    number_init(&test, bits_to_nblock(257));
    number_init(&test2, bits_to_nblock(512));
    number priv_key;
    number_init(&priv_key, bits_to_nblock(256));
    number_set_ui(test, 1);
    number_lshift(test,test,256);    
    number_dec(test, test);    
    /* The private key is a number of b bits with b the size of the security 
     * desired.
     * Here the private key does not need to come from a random value between 
     * 0 and the size of the group generated by G:E->n.
     */
          
    number_random1(priv_key, test, STACK_1);
    printf("\nThe private key has been created its value is:\n");
    number_print(priv_key, 16); printf("\n");
    printf("priv_key > n : %d\n", number_isgreater(priv_key, E->n)); 
 
    /* Create digest */
    for(i = 0; i < nb_iteration; i++)
    {
        sprintf((char *)message, "This is the %d message to sign and verify on stm32F4", i);
        len_bin=strlen((char *)message);
        message_bin = (uint8_t *)calloc(len_bin, sizeof(uint8_t));
        /* Convert ascii message into binary message */
        string2bin((char *)message, message_bin);
        /* Hash binary message */
        sha256(hashbin, message_bin, len_bin*8);
        free(message_bin);
        /* Convert binary hash into hexadecimal string */
        bin2hex(hashbin, HASH_SIZE/2, hashval[i]);
    }
 
    /* Computation of the public key */
    number_inc(test, test);
    number_str(&str, priv_key, 16);
    message_bin =  (uint8_t *)calloc(strlen(str)*4, sizeof(uint8_t));
    len_bin = hex2bin(str, message_bin);
    /* Computation of the hash of the private key */
    sha512(hashbin, message_bin, len_bin*8);
    /* sha512 is used since we need to have hashes of size 512 bits, another
     * hash function could have been used under this condition, we choosed it
     * because sha512 is implemented already in MPHELL 
     */
    free(str);
    free(message_bin);
    /* Computation of s=2^n+\sum_{i=c}^{n-1}2^ih_i (h_i are bits of the hash)*/
    bin2hex(hashbin, 64, hashvalue);
    
    number_set_str(test2, hashvalue, 16);    
    printf("\n1: test2 = "); number_print(test2, 16); printf("\n");
    printf("\n1: test2 = "); number_print(test2, 2); printf("\n");
    
    char *test3;
    number_str(&test3, test2, 2);
    test3[0]='0';
    test3[1]='1';
    test3[253]='0';
    test3[254]='0';
    test3[255]='0';
    test3[256]='\0';
    
    number_set_str(test2, test3, 2);
    free(test3);
 
    printf("2: test2 = "); number_print(test2, 16); printf("\n");
    printf("2: test2 = "); number_print(test2, 2); printf("\n");
 
    /* Computation of s mod l (in [EdDSA15] l represents E->n) */
    number_mod(test, test2, E->n);
    
    printf("3: test = "); number_print(test, 16); printf("\n");
    printf("3: test = "); number_print(test, 2); printf("\n");
    
    /* Computation of A=sB (in [EdDSA15] B represents E->G)*/
    ec_point pub_key;
    ec_point_alloc(pub_key, E->k);
    ec_point_init(pub_key, E->k);
    ec_point_mul_unified(pub_key, test, E->G, E, STACK_1);
    
    /* Free memory done for the test */
    number_free(&test);
    number_free(&test2);
 
    /* Print the public key A */
    ec_point_norm(pub_key, E, STACK_1);  
    printf("\nThe pubkey has been computed:\n");  
    ec_point_print(pub_key, 16, true, k, STACK_1); 
 
    /* This test is optional.*/
    printf("\nThe validity of the public key is a:\n");
    int ret = eddsa_pub_key_validation(&pub_key, &E);
    if( ret < 1 )
    {
        printf("ERROR\n");
    }
    else
    {
        printf("SUCCESS\n");
    }
    
    /* Allocate ecsdsa_sig structure */
    eddsa_sig sig;
    eddsa_sign_alloc(&sig, E, bits_to_nblock(256));
 
    /* Allocate nb_iteration ecdsa_sig structure */
    for (i = 0; i < nb_iteration; i++)
    {
        eddsa_sign_alloc(&(lib_sig[i]), E, bits_to_nblock(256));
    }
 
    /* Precomputation (to speed up verification) */
    ecdsa_precomp precomp;
    ecdsa_precal(&precomp, &pub_key, E);
    
    /* Sign the digest */
    
    printf("Vector test size %d \n", nb_iteration);
    printf("Curve         \t Signature \t\t Verification \n");
    printf("Ed25519 \t");  
    
    clock_gettime(CLOCK_MONOTONIC_RAW, &start);    
    for(i = 0; i < nb_iteration; i++)
    {
        eddsa_sign((unsigned char *)hashval[i], &(lib_sig[i]), priv_key, &pub_key, &E);
    }
    clock_gettime(CLOCK_MONOTONIC_RAW, &end);
    printf(" %lu.%03u \t\t\t", get_s(&start, &end), get_ns(&start, &end));
    
    /* Verify the signature */
    err=0;
 
    clock_gettime(CLOCK_MONOTONIC_RAW, &start);
    for(i = 0; i < nb_iteration; i++)
    {
        ret = eddsa_verify((unsigned char *)hashval[i], &(lib_sig[i]), &pub_key, &E, precomp);
        if( ret < 1 )
        {
            err++;
        }
    }
    clock_gettime(CLOCK_MONOTONIC_RAW, &end);
    printf(" %lu.%03u \n", get_s(&start, &end), get_ns(&start, &end));
    
    if( ret < 1 )
    {
        printf("ERROR :%d\n", err);
    }
    else
    {
        printf("SUCCESS \n");
    }
    
    /* Free memory */
    ec_point_free(pub_key, k);
    number_free(&priv_key);
    eddsa_sign_free(&sig, E);
    number_free(&p);
    ecdsa_precal_free(&precomp, E);
    field_free(k);
#if MPHELL_USE_AMNS == 1
    amns_free(&AMNS);
#endif
    for (i = 0; i < nb_iteration; i++)
    {
        eddsa_sign_free(&(lib_sig[i]), E);
    }
    free(lib_sig);
    ec_free(E);
    
    free_mphell();
 
    return 0;
}