[cryptotest] Add Ed25519 tests using ACVP test vectors #229
Merged
mkannwischer merged 4 commits intomasterfrom Apr 9, 2026
Merged
[cryptotest] Add Ed25519 tests using ACVP test vectors #229mkannwischer merged 4 commits intomasterfrom
mkannwischer merged 4 commits intomasterfrom
Conversation
mkannwischer
force-pushed
the
mjk/ed25519-testvectors
branch
from
d8441e5 to
5f2f48b
Compare
mkannwischer
force-pushed
the
mjk/ed25519-testvectors
branch
from
5f2f48b to
580cdb3
Compare
The context length check in set_context compared context_length (in bytes) against kEd25519ContextWords (64 words), rejecting any context longer than 64 bytes. The correct limit is 255 bytes as specified by RFC 8032. Change kEd25519ContextBytes to 255 (was 256) and compare against it. Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
If the context length is not a multiple of 32 bytes, the bytes up to the next multiple of 32 must be initialized to prevent DMEM read errors in ACC. set_context only wrote the exact context words, causing occasional failures when signing with context strings of size not divisible by 32. This commit adds zero padding the write to the next multiple of 32 bytes. Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
Extend the test to sign and verify with various context lengths. This covers both context lengths larger than 64 bytes, and context lengths not divisible by 32. This acts as a regression tests for the two bugs fixed in previous commits. Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
mkannwischer
force-pushed
the
mjk/ed25519-testvectors
branch
from
580cdb3 to
5a1938f
Compare
jadephilipoom
approved these changes
Apr 8, 2026
Collaborator
jadephilipoom
left a comment
jadephilipoom
left a comment
There was a problem hiding this comment.
LGTM, thanks Matthias!
pqcfox
approved these changes
Apr 8, 2026
Contributor
pqcfox
left a comment
pqcfox
left a comment
There was a problem hiding this comment.
Looks excellent! Left a few small notes.
Wire up ACVP EDDSA-SigVer and EDDSA-SigGen test vectors for Ed25519ph (HashEdDSA). The parser pre-hashes messages with SHA-512 since the cryptolib only supports the pre-hashed mode. Included: SigVer: 5 tests (15 skipped - pure Ed25519 and Ed448). SigGen: 42 tests (126 skipped - pure Ed25519 and Ed448). Not included: KeyGen: 6 tests - cryptolib does not support keygen yet. KeyVer: 8 tests - cryptolib does not have a pk validation API. Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
mkannwischer
force-pushed
the
mjk/ed25519-testvectors
branch
from
5a1938f to
71f66ce
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds ACVP-based Ed25519 tests. As of now the cryptolib only implements HashEd25519.
ACVP has testvectors for both pure Ed25519 and HashEd25519, while Wycheproof only has pure Ed25519 vectors.
The ACVP testvectors revealed two minor bugs regarding the context strings that the cryptolib could handle; those are fixed in separate commits.
See individual commit messages for the details.