summary refs log tree commit diff
path: root/crypto
diff options
context:
space:
mode:
authorPeter Dettman <peter.dettman@bouncycastle.org>2022-11-26 23:25:56 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2022-11-26 23:25:56 +0700
commit589bbac9b3c56e2eba76744179f00443bac3f118 (patch)
tree12ed57b36f1130f31b42aaf029d2f7045d55f303 /crypto
parentEdDSA: Hold decoded pubilc point in public keys (diff)
downloadBouncyCastle.NET-ed25519-589bbac9b3c56e2eba76744179f00443bac3f118.tar.xz
Refactoring in Math.EC.Rfc8032
Diffstat (limited to 'crypto')
-rw-r--r--crypto/src/math/ec/rfc8032/Ed25519.cs24
-rw-r--r--crypto/src/math/ec/rfc8032/Ed448.cs191
2 files changed, 124 insertions, 91 deletions
diff --git a/crypto/src/math/ec/rfc8032/Ed25519.cs b/crypto/src/math/ec/rfc8032/Ed25519.cs
index 2479d94d4..baacc75fa 100644
--- a/crypto/src/math/ec/rfc8032/Ed25519.cs
+++ b/crypto/src/math/ec/rfc8032/Ed25519.cs
@@ -1566,16 +1566,16 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             int cOff = (PrecompSpacing - 1) * PrecompTeeth;
             for (;;)
             {
-                for (int b = 0; b < PrecompBlocks; ++b)
+                for (int block = 0; block < PrecompBlocks; ++block)
                 {
-                    uint w = n[b] >> cOff;
+                    uint w = n[block] >> cOff;
                     int sign = (int)(w >> (PrecompTeeth - 1)) & 1;
                     int abs = ((int)w ^ -sign) & PrecompMask;
 
                     Debug.Assert(sign == 0 || sign == 1);
                     Debug.Assert(0 <= abs && abs < PrecompPoints);
 
-                    PointLookup(b, abs, ref p);
+                    PointLookup(block, abs, ref p);
 
                     F.CNegate(resultSign ^ sign, r.x);
                     F.CNegate(resultSign ^ sign, r.u);
@@ -1771,7 +1771,8 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             ImplSign(sk, skOff, ctx, phflag, m, mOff, mLen, sig, sigOff);
         }
 
-        public static void Sign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] m, int mOff, int mLen, byte[] sig, int sigOff)
+        public static void Sign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] m, int mOff, int mLen, byte[] sig,
+            int sigOff)
         {
             byte[] ctx = null;
             byte phflag = 0x00;
@@ -1786,7 +1787,8 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             ImplSign(sk, skOff, ctx, phflag, m, mOff, mLen, sig, sigOff);
         }
 
-        public static void Sign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff, int mLen, byte[] sig, int sigOff)
+        public static void Sign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff, int mLen,
+            byte[] sig, int sigOff)
         {
             byte phflag = 0x00;
 
@@ -1800,7 +1802,8 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             ImplSign(sk, skOff, ctx, phflag, ph, phOff, PrehashSize, sig, sigOff);
         }
 
-        public static void SignPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] ph, int phOff, byte[] sig, int sigOff)
+        public static void SignPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] ph, int phOff,
+            byte[] sig, int sigOff)
         {
             byte phflag = 0x01;
 
@@ -1818,7 +1821,8 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             ImplSign(sk, skOff, ctx, phflag, m, 0, m.Length, sig, sigOff);
         }
 
-        public static void SignPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, IDigest ph, byte[] sig, int sigOff)
+        public static void SignPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, IDigest ph, byte[] sig,
+            int sigOff)
         {
             byte[] m = new byte[PrehashSize];
             if (PrehashSize != ph.DoFinal(m, 0))
@@ -2001,14 +2005,16 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             return ImplVerify(sig, sigOff, publicPoint, ctx, phflag, m, mOff, mLen);
         }
 
-        public static bool Verify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff, int mLen)
+        public static bool Verify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff,
+            int mLen)
         {
             byte phflag = 0x00;
 
             return ImplVerify(sig, sigOff, pk, pkOff, ctx, phflag, m, mOff, mLen);
         }
 
-        public static bool Verify(byte[] sig, int sigOff, PublicPoint publicPoint, byte[] ctx, byte[] m, int mOff, int mLen)
+        public static bool Verify(byte[] sig, int sigOff, PublicPoint publicPoint, byte[] ctx, byte[] m, int mOff,
+            int mLen)
         {
             byte phflag = 0x00;
 
diff --git a/crypto/src/math/ec/rfc8032/Ed448.cs b/crypto/src/math/ec/rfc8032/Ed448.cs
index 8ffbccfa4..d3a9caf4d 100644
--- a/crypto/src/math/ec/rfc8032/Ed448.cs
+++ b/crypto/src/math/ec/rfc8032/Ed448.cs
@@ -102,6 +102,12 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             internal uint[] x, y, z;
         }
 
+        // Temp space to avoid allocations in point formulae.
+        private struct PointTemp
+        {
+            internal uint[] r0, r1, r2, r3, r4, r5, r6, r7;
+        }
+
         private static byte[] CalculateS(byte[] r, byte[] k, byte[] s)
         {
             uint[] t = new uint[ScalarUints * 2];   Scalar448.Decode(r, t);
@@ -578,8 +584,8 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             ImplSign(d, h, s, pk, 0, ctx, phflag, m, mOff, mLen, sig, sigOff);
         }
 
-        private static void ImplSign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte phflag,
-            byte[] m, int mOff, int mLen, byte[] sig, int sigOff)
+        private static void ImplSign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte phflag, byte[] m,
+            int mOff, int mLen, byte[] sig, int sigOff)
         {
             if (!CheckContextVar(ctx))
                 throw new ArgumentException("ctx");
@@ -596,8 +602,8 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             ImplSign(d, h, s, pk, pkOff, ctx, phflag, m, mOff, mLen, sig, sigOff);
         }
 
-        private static bool ImplVerify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] ctx, byte phflag,
-            byte[] m, int mOff, int mLen)
+        private static bool ImplVerify(byte[] sig, int sigOff, byte[] pk, int pkOff, byte[] ctx, byte phflag, byte[] m,
+            int mOff, int mLen)
         {
             if (!CheckContextVar(ctx))
                 throw new ArgumentException("ctx");
@@ -803,6 +809,18 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             r.z = F.Create();
         }
 
+        private static void Init(out PointTemp r)
+        {
+            r.r0 = F.Create();
+            r.r1 = F.Create();
+            r.r2 = F.Create();
+            r.r3 = F.Create();
+            r.r4 = F.Create();
+            r.r5 = F.Create();
+            r.r6 = F.Create();
+            r.r7 = F.Create();
+        }
+
         private static void InvertZs(PointProjective[] points)
         {
             int count = points.Length;
@@ -859,15 +877,15 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             return IsNeutralElementVar(p.x, p.y, p.z);
         }
 
-        private static void PointAdd(ref PointAffine p, ref PointProjective r)
+        private static void PointAdd(ref PointAffine p, ref PointProjective r, ref PointTemp t)
         {
-            uint[] b = F.Create();
-            uint[] c = F.Create();
-            uint[] d = F.Create();
-            uint[] e = F.Create();
-            uint[] f = F.Create();
-            uint[] g = F.Create();
-            uint[] h = F.Create();
+            uint[] b = t.r1;
+            uint[] c = t.r2;
+            uint[] d = t.r3;
+            uint[] e = t.r4;
+            uint[] f = t.r5;
+            uint[] g = t.r6;
+            uint[] h = t.r7;
 
             F.Sqr(r.z, b);
             F.Mul(p.x, r.x, c);
@@ -892,16 +910,16 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             F.Mul(f, g, r.z);
         }
 
-        private static void PointAdd(ref PointProjective p, ref PointProjective r)
+        private static void PointAdd(ref PointProjective p, ref PointProjective r, ref PointTemp t)
         {
-            uint[] a = F.Create();
-            uint[] b = F.Create();
-            uint[] c = F.Create();
-            uint[] d = F.Create();
-            uint[] e = F.Create();
-            uint[] f = F.Create();
-            uint[] g = F.Create();
-            uint[] h = F.Create();
+            uint[] a = t.r0;
+            uint[] b = t.r1;
+            uint[] c = t.r2;
+            uint[] d = t.r3;
+            uint[] e = t.r4;
+            uint[] f = t.r5;
+            uint[] g = t.r6;
+            uint[] h = t.r7;
 
             F.Mul(p.z, r.z, a);
             F.Sqr(a, b);
@@ -927,15 +945,15 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             F.Mul(f, g, r.z);
         }
 
-        private static void PointAddVar(bool negate, ref PointAffine p, ref PointProjective r)
+        private static void PointAddVar(bool negate, ref PointAffine p, ref PointProjective r, ref PointTemp t)
         {
-            uint[] b = F.Create();
-            uint[] c = F.Create();
-            uint[] d = F.Create();
-            uint[] e = F.Create();
-            uint[] f = F.Create();
-            uint[] g = F.Create();
-            uint[] h = F.Create();
+            uint[] b = t.r1;
+            uint[] c = t.r2;
+            uint[] d = t.r3;
+            uint[] e = t.r4;
+            uint[] f = t.r5;
+            uint[] g = t.r6;
+            uint[] h = t.r7;
 
             uint[] nb, ne, nf, ng;
             if (negate)
@@ -971,16 +989,16 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             F.Mul(f, g, r.z);
         }
 
-        private static void PointAddVar(bool negate, ref PointProjective p, ref PointProjective r)
+        private static void PointAddVar(bool negate, ref PointProjective p, ref PointProjective r, ref PointTemp t)
         {
-            uint[] a = F.Create();
-            uint[] b = F.Create();
-            uint[] c = F.Create();
-            uint[] d = F.Create();
-            uint[] e = F.Create();
-            uint[] f = F.Create();
-            uint[] g = F.Create();
-            uint[] h = F.Create();
+            uint[] a = t.r0;
+            uint[] b = t.r1;
+            uint[] c = t.r2;
+            uint[] d = t.r3;
+            uint[] e = t.r4;
+            uint[] f = t.r5;
+            uint[] g = t.r6;
+            uint[] h = t.r7;
 
             uint[] nb, ne, nf, ng;
             if (negate)
@@ -1031,14 +1049,14 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             F.Copy(p.z, 0, r.z, 0);
         }
 
-        private static void PointDouble(ref PointProjective r)
+        private static void PointDouble(ref PointProjective r, ref PointTemp t)
         {
-            uint[] b = F.Create();
-            uint[] c = F.Create();
-            uint[] d = F.Create();
-            uint[] e = F.Create();
-            uint[] h = F.Create();
-            uint[] j = F.Create();
+            uint[] b = t.r1;
+            uint[] c = t.r2;
+            uint[] d = t.r3;
+            uint[] e = t.r4;
+            uint[] h = t.r7;
+            uint[] j = t.r0;
 
             F.Add(r.x, r.y, b);
             F.Sqr(b, b);
@@ -1129,7 +1147,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             F.Copy(table, off, r.z, 0);
         }
 
-        private static uint[] PointPrecompute(ref PointProjective p, int count)
+        private static uint[] PointPrecompute(ref PointProjective p, int count, ref PointTemp t)
         {
             Debug.Assert(count > 0);
 
@@ -1138,7 +1156,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
             Init(out PointProjective d);
             PointCopy(ref q, ref d);
-            PointDouble(ref d);
+            PointDouble(ref d, ref t);
 
             uint[] table = F.CreateTable(count * 3);
             int off = 0;
@@ -1153,19 +1171,20 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
                 if (++i == count)
                     break;
 
-                PointAdd(ref d, ref q);
+                PointAdd(ref d, ref q, ref t);
             }
 
             return table;
         }
 
-        private static void PointPrecompute(ref PointAffine p, PointProjective[] points, int pointsOff, int pointsLen)
+        private static void PointPrecompute(ref PointAffine p, PointProjective[] points, int pointsOff, int pointsLen,
+            ref PointTemp t)
         {
             Debug.Assert(pointsLen > 0);
 
             Init(out PointProjective d);
             PointCopy(ref p, ref d);
-            PointDouble(ref d);
+            PointDouble(ref d, ref t);
 
             Init(out points[pointsOff]);
             PointCopy(ref p, ref points[pointsOff]);
@@ -1174,7 +1193,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             {
                 Init(out points[pointsOff + i]);
                 PointCopy(ref points[pointsOff + i - 1], ref points[pointsOff + i]);
-                PointAdd(ref d, ref points[pointsOff + i]);
+                PointAdd(ref d, ref points[pointsOff + i], ref t);
             }
         }
 
@@ -1200,18 +1219,19 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
                 int totalPoints = wnafPoints * 2 + combPoints;
 
                 PointProjective[] points = new PointProjective[totalPoints];
+                Init(out PointTemp t);
 
                 Init(out PointAffine B);
                 F.Copy(B_x, 0, B.x, 0);
                 F.Copy(B_y, 0, B.y, 0);
 
-                PointPrecompute(ref B, points, 0, wnafPoints);
+                PointPrecompute(ref B, points, 0, wnafPoints, ref t);
 
                 Init(out PointAffine B225);
                 F.Copy(B225_x, 0, B225.x, 0);
                 F.Copy(B225_y, 0, B225.y, 0);
 
-                PointPrecompute(ref B225, points, wnafPoints, wnafPoints);
+                PointPrecompute(ref B225, points, wnafPoints, wnafPoints, ref t);
 
                 Init(out PointProjective p);
                 PointCopy(ref B, ref p);
@@ -1236,17 +1256,17 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
                         }
                         else
                         {
-                            PointAdd(ref p, ref sum);
+                            PointAdd(ref p, ref sum, ref t);
                         }
 
-                        PointDouble(ref p);
+                        PointDouble(ref p, ref t);
                         PointCopy(ref p, ref toothPowers[tooth]);
 
                         if (block + tooth != PrecompBlocks + PrecompTeeth - 2)
                         {
                             for (int spacing = 1; spacing < PrecompSpacing; ++spacing)
                             {
-                                PointDouble(ref p);
+                                PointDouble(ref p, ref t);
                             }
                         }
                     }
@@ -1260,7 +1280,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
                         {
                             Init(out points[pointsIndex]);
                             PointCopy(ref points[pointsIndex - size], ref points[pointsIndex]);
-                            PointAdd(ref toothPowers[tooth], ref points[pointsIndex]);
+                            PointAdd(ref toothPowers[tooth], ref points[pointsIndex], ref t);
                         }
                     }
                 }
@@ -1344,25 +1364,26 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             // NOTE: Bit 448 is handled explicitly by an initial addition
             Debug.Assert(n[ScalarUints] == 1U);
 
-            uint[] table = PointPrecompute(ref p, 8);
             Init(out PointProjective q);
+            Init(out PointTemp t);
+            uint[] table = PointPrecompute(ref p, 8, ref t);
 
             // Replace first 4 doublings (2^4 * P) with 1 addition (P + 15 * P)
             PointLookup15(table, ref r);
-            PointAdd(ref p, ref r);
+            PointAdd(ref p, ref r, ref t);
 
             int w = 111;
             for (;;)
             {
                 PointLookup(n, w, table, ref q);
-                PointAdd(ref q, ref r);
+                PointAdd(ref q, ref r, ref t);
 
                 if (--w < 0)
                     break;
 
                 for (int i = 0; i < 4; ++i)
                 {
-                    PointDouble(ref r);
+                    PointDouble(ref r, ref t);
                 }
             }
         }
@@ -1392,6 +1413,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             Scalar448.ToSignedDigits(PrecompRange, n, n);
 
             Init(out PointAffine p);
+            Init(out PointTemp t);
 
             PointSetNeutral(ref r);
 
@@ -1400,14 +1422,14 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             {
                 int tPos = cOff;
 
-                for (int b = 0; b < PrecompBlocks; ++b)
+                for (int block = 0; block < PrecompBlocks; ++block)
                 {
                     uint w = 0;
-                    for (int t = 0; t < PrecompTeeth; ++t)
+                    for (int tooth = 0; tooth < PrecompTeeth; ++tooth)
                     {
                         uint tBit = n[tPos >> 5] >> (tPos & 0x1F);
-                        w &= ~(1U << t);
-                        w ^= (tBit << t);
+                        w &= ~(1U << tooth);
+                        w ^= (tBit << tooth);
                         tPos += PrecompSpacing;
                     }
 
@@ -1417,17 +1439,17 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
                     Debug.Assert(sign == 0 || sign == 1);
                     Debug.Assert(0 <= abs && abs < PrecompPoints);
 
-                    PointLookup(b, abs, ref p);
+                    PointLookup(block, abs, ref p);
 
                     F.CNegate(sign, p.x);
 
-                    PointAdd(ref p, ref r);
+                    PointAdd(ref p, ref r, ref t);
                 }
 
                 if (--cOff < 0)
                     break;
 
-                PointDouble(ref r);
+                PointDouble(ref r, ref t);
             }
         }
 
@@ -1501,7 +1523,8 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 
             int count = 1 << (WnafWidth225 - 2);
             PointProjective[] tp = new PointProjective[count];
-            PointPrecompute(ref p, tp, 0, count);
+            Init(out PointTemp t);
+            PointPrecompute(ref p, tp, 0, count, ref t);
 
             PointSetNeutral(ref r);
 
@@ -1511,13 +1534,13 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
                 if (wp != 0)
                 {
                     int index = (wp >> 1) ^ (wp >> 31);
-                    PointAddVar(wp < 0, ref tp[index], ref r);
+                    PointAddVar(wp < 0, ref tp[index], ref r, ref t);
                 }
 
                 if (--bit < 0)
                     break;
 
-                PointDouble(ref r);
+                PointDouble(ref r, ref t);
             }
         }
 
@@ -1555,8 +1578,9 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             int count = 1 << (WnafWidth225 - 2);
             PointProjective[] tp = new PointProjective[count];
             PointProjective[] tq = new PointProjective[count];
-            PointPrecompute(ref p, tp, 0, count);
-            PointPrecompute(ref q, tq, 0, count);
+            Init(out PointTemp t);
+            PointPrecompute(ref p, tp, 0, count, ref t);
+            PointPrecompute(ref q, tq, 0, count, ref t);
 
             PointSetNeutral(ref r);
 
@@ -1567,35 +1591,35 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
                 if (wb != 0)
                 {
                     int index = (wb >> 1) ^ (wb >> 31);
-                    PointAddVar(wb < 0, ref PrecompBaseWnaf[index], ref r);
+                    PointAddVar(wb < 0, ref PrecompBaseWnaf[index], ref r, ref t);
                 }
 
                 int wb225 = ws_b[225 + bit];
                 if (wb225 != 0)
                 {
                     int index = (wb225 >> 1) ^ (wb225 >> 31);
-                    PointAddVar(wb225 < 0, ref PrecompBase225Wnaf[index], ref r);
+                    PointAddVar(wb225 < 0, ref PrecompBase225Wnaf[index], ref r, ref t);
                 }
 
                 int wp = ws_p[bit];
                 if (wp != 0)
                 {
                     int index = (wp >> 1) ^ (wp >> 31);
-                    PointAddVar(wp < 0, ref tp[index], ref r);
+                    PointAddVar(wp < 0, ref tp[index], ref r, ref t);
                 }
 
                 int wq = ws_q[bit];
                 if (wq != 0)
                 {
                     int index = (wq >> 1) ^ (wq >> 31);
-                    PointAddVar(wq < 0, ref tq[index], ref r);
+                    PointAddVar(wq < 0, ref tq[index], ref r, ref t);
                 }
 
-                PointDouble(ref r);
+                PointDouble(ref r, ref t);
             }
 
             // NOTE: Together with the final PointDouble of the loop, this clears the cofactor of 4
-            PointDouble(ref r);
+            PointDouble(ref r, ref t);
         }
 
         public static void Sign(byte[] sk, int skOff, byte[] ctx, byte[] m, int mOff, int mLen, byte[] sig, int sigOff)
@@ -1605,7 +1629,8 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             ImplSign(sk, skOff, ctx, phflag, m, mOff, mLen, sig, sigOff);
         }
 
-        public static void Sign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff, int mLen, byte[] sig, int sigOff)
+        public static void Sign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] m, int mOff, int mLen,
+            byte[] sig, int sigOff)
         {
             byte phflag = 0x00;
 
@@ -1619,7 +1644,8 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             ImplSign(sk, skOff, ctx, phflag, ph, phOff, PrehashSize, sig, sigOff);
         }
 
-        public static void SignPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] ph, int phOff, byte[] sig, int sigOff)
+        public static void SignPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, byte[] ph, int phOff,
+            byte[] sig, int sigOff)
         {
             byte phflag = 0x01;
 
@@ -1637,7 +1663,8 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
             ImplSign(sk, skOff, ctx, phflag, m, 0, m.Length, sig, sigOff);
         }
 
-        public static void SignPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, IXof ph, byte[] sig, int sigOff)
+        public static void SignPrehash(byte[] sk, int skOff, byte[] pk, int pkOff, byte[] ctx, IXof ph, byte[] sig,
+            int sigOff)
         {
             byte[] m = new byte[PrehashSize];
             if (PrehashSize != ph.OutputFinal(m, 0, PrehashSize))