From 3f3c87bc44494a5625d262409da6408b2a9d2217 Mon Sep 17 00:00:00 2001
From: armfazh
Date: Tue, 25 Aug 2020 17:13:14 -0700
Subject: [PATCH] Rebasing on top of master.
---
 sign/ed25519/ed25519_test.go | 9 +++++++++
 sign/ed448/ed448.go | 21 ++++++++++-----------
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/sign/ed25519/ed25519_test.go b/sign/ed25519/ed25519_test.go
index 2ac6d7ff1..4d8596a10 100644
--- a/sign/ed25519/ed25519_test.go
+++ b/sign/ed25519/ed25519_test.go
@@ -7,6 +7,15 @@ import (
 "github.com/cloudflare/circl/sign/ed25519"
 )
+type zeroReader struct{}
+
+func (zeroReader) Read(buf []byte) (int, error) {
+ for i := range buf {
+ buf[i] = 0
+ }
+ return len(buf), nil
+}
+
 func TestMalleability(t *testing.T) {
 // https://tools.ietf.org/html/rfc8032#section-5.1.7 adds an additional test
 // that s be in [0, order). This prevents someone from adding a multiple of
diff --git a/sign/ed448/ed448.go b/sign/ed448/ed448.go
index 6fcab355b..70ad2a041 100644
--- a/sign/ed448/ed448.go
+++ b/sign/ed448/ed448.go
@@ -28,14 +28,12 @@ import (
 "crypto"
 cryptoRand "crypto/rand"
 "crypto/subtle"
- "errors"
 "fmt"
 "io"
- "strconv"
- "github.com/cloudflare/circl/ecc/goldilocks"
 sha3 "github.com/cloudflare/circl/internal/shake"
 "github.com/cloudflare/circl/sign"
+ "github.com/cloudflare/circl/sign/ed448/internal/goldilocks"
 )
 const (
@@ -66,7 +64,8 @@ type SignerOptions struct {
 // Its length must be less or equal than 255 bytes.
 Context string
- // Scheme is an identifier for choosing a signature scheme.
+ // Scheme is an identifier for choosing a signature scheme. The zero value
+ // is ED448.
 Scheme SchemeID
 }
@@ -154,7 +153,7 @@ func (priv PrivateKey) Sign(
 case scheme == ED448Ph && opts.HashFunc() == crypto.Hash(0):
 return SignPh(priv, message, ctx), nil
 default:
- return nil, errors.New("ed448: bad hash algorithm")
+ return nil, fmt.Errorf("ed448: bad hash algorithm")
 }
 }
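Review bot: zeroReader carries no doc comment, and nothing in the hunk shows where it is used, so a reader cannot tell that it is a deliberately entropy-free stand-in rather than a reusable rand source. A one-line comment on the type would settle that, e.g. `// zeroReader is an io.Reader that only ever yields zero bytes. It exists to make key generation deterministic in tests and must not be used anywhere else as a source of randomness.` The Read method itself is fine as written; returning `len(buf), nil` satisfies the io.Reader contract for a reader that never fails.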
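Review bot: `fmt.Errorf("ed448: bad hash algorithm")` in the default case of Sign has no formatting verbs, so it is errors.New routed through the printf machinery; the idiomatic line is `return nil, errors.New("ed448: bad hash algorithm")`, which would also mean keeping the `"errors"` import that the import hunk above removes. Some linters flag a constant-string fmt.Errorf for exactly this reason. If the intent is to use fmt everywhere for consistency with the panics later in the diff, that is worth one sentence in the commit description, since the change otherwise reads as accidental. Sign's body begins before this hunk.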
@@ -170,9 +169,9 @@ func GenerateKey(rand io.Reader) (PublicKey, PrivateKey, error) {
 return nil, nil, err
 }
- privateKey := NewKeyFromSeed(seed)
- publicKey := make([]byte, PublicKeySize)
- copy(publicKey, privateKey[SeedSize:])
+ privateKey := make(PrivateKey, PrivateKeySize)
+ publicKey := make(PublicKey, PublicKeySize)
+ newKeyFromSeed(privateKey, publicKey, seed)
 return publicKey, privateKey, nil
 }
@@ -187,9 +186,9 @@ func NewKeyFromSeed(seed []byte) PrivateKey {
 return privateKey
 }
-func newKeyFromSeed(privateKey, seed []byte) {
+func newKeyFromSeed(privateKey PrivateKey, publicKey PublicKey, seed []byte) {
 if l := len(seed); l != SeedSize {
- panic("ed448: bad seed length: " + strconv.Itoa(l))
+ panic(fmt.Errorf("ed448: bad seed length: %v", l))
 }
 var h [hashSize]byte
@@ -213,7 +212,7 @@ func newKeyFromSeed(privateKey, seed []byte) {
 func signAll(signature []byte, privateKey PrivateKey, message, ctx []byte, preHash bool) {
 if len(ctx) > ContextMaxSize {
- panic(fmt.Errorf("ed448: bad context length: " + strconv.Itoa(len(ctx))))
+ panic(fmt.Errorf("ed448: bad context length: %v", len(ctx)))
 }
 H := sha3.NewShake256()
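Review bot: The new newKeyFromSeed signature takes a `publicKey` output buffer in addition to `privateKey`, but only the seed length is validated; if either output buffer is shorter than expected, the failure will be an index-out-of-range panic somewhere in the body (which continues past the hunk) instead of the explicit message the seed gets. A guard next to the existing one, `if len(privateKey) != PrivateKeySize || len(publicKey) != PublicKeySize { panic(fmt.Errorf("ed448: bad key buffer length: %v/%v", len(privateKey), len(publicKey))) }`, keeps the contract explicit for GenerateKey and NewKeyFromSeed, the two callers visible in this diff (NewKeyFromSeed's call site is above the hunk, so I cannot confirm what buffer it now passes). Separately, wrapping the panic value in fmt.Errorf changes what a caller's recover() receives from a string to an error value, here and in signAll (hunk @@ -213); that is an observable change for any caller that type-asserts the recovered value and deserves a mention in the commit description.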