5.2.7 Verify
- To verify a signature on a message M using context C and public key A, with F being 0 for Ed448 and 1 for Ed448ph, first split the signature into two 57-octet halves. Decode the first half as a point R, and the second half as an integer S, in the range 0 <= S < L. Decode the public key A as point A'. If any of the decodings fail (including S being out of range), the signature is invalid.
- Compute SHAKE256(dom4(F, C) || R || A || PH(M), 114), and interpret the 114-octet digest as a little-endian integer k.
- Check the group equation [4][S]B = [4]R + [4][k]A'. It's sufficient, but not required, to instead check [S]B = R + [k]A'.
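The octet-level part of the first two steps, as an added Python example that is not part of the original text: it splits the signature, rejects an out-of-range S, and derives k. The function names are illustrative, the dom4 and PH definitions are taken from RFC 8032, and decoding R and A as points and checking the group equation are left to a curve implementation.

```python
import hashlib

# Order L of the Ed448 base point (RFC 8032, section 5.2).
L = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885

def dom4(f: int, ctx: bytes) -> bytes:
    """dom4(F, C) = "SigEd448" || octet(F) || octet(len(C)) || C."""
    if f not in (0, 1) or len(ctx) > 255:
        raise ValueError("F must be 0 or 1 and the context at most 255 octets")
    return b"SigEd448" + bytes([f, len(ctx)]) + ctx

def split_signature(sig: bytes):
    """Step 1, octet level: return (R_octets, S), or None if the signature is invalid."""
    if len(sig) != 114:
        return None
    r_enc, s = sig[:57], int.from_bytes(sig[57:], "little")
    if s >= L:  # S out of range: reject, never reduce mod L and carry on
        return None
    return r_enc, s

def challenge(f: int, ctx: bytes, r_enc: bytes, a_enc: bytes, msg: bytes) -> int:
    """Step 2: SHAKE256(dom4(F, C) || R || A || PH(M), 114) as a little-endian integer."""
    # PH is the identity for Ed448 and SHAKE256(M, 64) for Ed448ph (RFC 8032).
    ph = hashlib.shake_256(msg).digest(64) if f == 1 else msg
    digest = hashlib.shake_256(dom4(f, ctx) + r_enc + a_enc + ph).digest(114)
    return int.from_bytes(digest, "little")

def prepare_verify(sig: bytes, a_enc: bytes, msg: bytes, ctx: bytes = b"", f: int = 0):
    """Return (R_octets, S, k) ready for the group-equation check, or None if invalid."""
    if len(a_enc) != 57:
        return None
    parts = split_signature(sig)
    if parts is None:
        return None
    r_enc, s = parts
    return r_enc, s, challenge(f, ctx, r_enc, a_enc, msg)
```

Because C and F are hashed into k through dom4, a signature checked under a different context or the other variant yields a different k and fails the group equation.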