[catacomb] / pub / ed25519.h

/* -*-c-*-
 *
 * The Ed25519 signature scheme
 *
 * (c) 2017 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

#ifndef CATACOMB_ED25519_H
#define CATACOMB_ED25519_H

#ifdef __cplusplus
  extern "C" {
#endif

/*----- Notes on the Ed25519 signature scheme -----------------------------*
 *
 * This is Ed25519, as described in Daniel J. Bernstein, Neils Duif, Tanja
 * Lange, Peter Schwabe, and Bo-Yin Yang, `High-speed high-security
 * signatures', CHES 2011, https://ed25519.cr.yp.to/ed25519-20110926.pdf
 *
 * Specifically, this code implements `PureEdDSA', according to the
 * definition in Daniel J. Bernstein, Simon Josefsson, Tanja Lange, Peter
 * Schwabe, and Bo-Yin Yang, `EdDSA for more curves',
 * https://ed25519.cr.yp.to/eddsa-20150704.pdf.  HashEdEDSA can be
 * implemented easily by presenting a hash of a message to the functions
 * here, as the message to be signed or verified.
 *
 * It also implements `Ed25519ctx' and `Ed25519ph' as described in RFC8032,
 * though in the latter case it assumes that you've already done the hashing
 * and have provided the hash as the `message' input.
 */

/*----- Header files ------------------------------------------------------*/

#include <mLib/bits.h>

#ifndef CATACOMB_KEY_H
#  include "key.h"
#endif

/*----- Important constants -----------------------------------------------*/

#define ED25519_KEYSZ 32u
#define ED25519_PUBSZ 32u
#define ED25519_SIGSZ 64u

#define ED25519_MAXPERSOSZ 255u

/*----- Key fetching ------------------------------------------------------*/

typedef struct ed25519_priv { key_bin priv, pub; } ed25519_priv;
typedef struct ed25519_pub { key_bin pub; } ed25519_pub;

extern const key_fetchdef ed25519_pubfetch[], ed25519_privfetch[];
#define ED25519_PUBFETCHSZ 3
#define ED25519_PRIVFETCHSZ 6

/*----- Functions provided ------------------------------------------------*/

/* --- @ed25519_pubkey@ --- *
 *
 * Arguments:	@octet K[ED25519_PUBSZ]@ = where to put the public key
 *		@const void *k@ = private key
 *		@size_t ksz@ = length of private key
 *
 * Returns:	---
 *
 * Use:		Derives the public key from a private key.
 */

extern void ed25519_pubkey(octet /*K*/[ED25519_PUBSZ],
			   const void */*k*/, size_t /*ksz*/);

/* --- @ed25519_sign@, @ed25519ctx_sign@ --- *
 *
 * Arguments:	@octet sig[ED25519_SIGSZ]@ = where to put the signature
 *		@const void *k@ = private key
 *		@size_t ksz@ = length of private key
 *		@const octet K[ED25519_PUBSZ]@ = public key
 *		@int phflag@ = whether the `message' has been hashed already
 *		@const void *p@ = personalization string
 *		@size_t psz@ = length of personalization string
 *		@const void *m@ = message to sign
 *		@size_t msz@ = length of message
 *
 * Returns:	---
 *
 * Use:		Signs a message.
 *
 *		In @ed25519ctx_sign@, if @phflag@ is @-1@ then you get plain
 *		old Ed25519: the personalization string pointer @p@ will be
 *		ignored.  If @phflag > 0@ then the `message' @m@ should be a
 *		SHA512 hash of the actual message.
 */

extern void ed25519ctx_sign(octet /*sig*/[ED25519_SIGSZ],
			    const void */*k*/, size_t /*ksz*/,
			    const octet /*K*/[ED25519_PUBSZ],
			    int /*phflag*/,
			    const void */*p*/, size_t /*psz*/,
			    const void */*m*/, size_t /*msz*/);

extern void ed25519_sign(octet /*sig*/[ED25519_SIGSZ],
			 const void */*k*/, size_t /*ksz*/,
			 const octet /*K*/[ED25519_PUBSZ],
			 const void */*m*/, size_t /*msz*/);

/* --- @ed25519_verify@, @ed25519ctx_verify@ --- *
 *
 * Arguments:	@const octet K[ED25519_PUBSZ]@ = public key
 *		@int phflag@ = whether the `message' has been hashed already
 *		@const void *p@ = personalization string
 *		@size_t psz@ = length of personalization string
 *		@const void *m@ = message to sign
 *		@size_t msz@ = length of message
 *		@const octet sig[ED25519_SIGSZ]@ = signature
 *
 * Returns:	Zero if OK, negative on failure.
 *
 * Use:		Verify a signature.
 *
 *		In @ed25519ctx_verify@, if @phflag@ is @-1@ then you get
 *		plain old Ed25519: the personalization string pointer @p@
 *		will be ignored.  If @phflag > 0@ then the `message' @m@
 *		should be a SHA512 hash of the actual message.
 */

extern int ed25519ctx_verify(const octet /*K*/[ED25519_PUBSZ],
			     int /*phflag*/,
			     const void */*p*/, size_t /*psz*/,
			     const void */*m*/, size_t /*msz*/,
			     const octet /*sig*/[ED25519_SIGSZ]);

extern int ed25519_verify(const octet /*K*/[ED25519_PUBSZ],
			  const void */*m*/, size_t /*msz*/,
			  const octet /*sig*/[ED25519_SIGSZ]);

/*----- That's all, folks -------------------------------------------------*/

#ifdef __cplusplus
  }
#endif

#endif
Commit	Line	Data
d56fd9d1 MW	1	/* --c--
	2	*
	3	* The Ed25519 signature scheme
	4	*
	5	* (c) 2017 Straylight/Edgeware
	6	*/
	7
	8	/----- Licensing notice --------------------------------------------------
	9	*
	10	* This file is part of Catacomb.
	11	*
	12	* Catacomb is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU Library General Public License as
	14	* published by the Free Software Foundation; either version 2 of the
	15	* License, or (at your option) any later version.
	16	*
	17	* Catacomb is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU Library General Public License for more details.
	21	*
	22	* You should have received a copy of the GNU Library General Public
	23	* License along with Catacomb; if not, write to the Free
	24	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	25	* MA 02111-1307, USA.
	26	*/
	27
	28	#ifndef CATACOMB_ED25519_H
	29	#define CATACOMB_ED25519_H
	30
	31	#ifdef __cplusplus
	32	extern "C" {
	33	#endif
	34
	35	/----- Notes on the Ed25519 signature scheme -----------------------------
	36	*
	37	* This is Ed25519, as described in Daniel J. Bernstein, Neils Duif, Tanja
	38	* Lange, Peter Schwabe, and Bo-Yin Yang, `High-speed high-security
	39	* signatures', CHES 2011, https://ed25519.cr.yp.to/ed25519-20110926.pdf
	40	*
	41	* Specifically, this code implements `PureEdDSA', according to the
	42	* definition in Daniel J. Bernstein, Simon Josefsson, Tanja Lange, Peter
	43	* Schwabe, and Bo-Yin Yang, `EdDSA for more curves',
	44	* https://ed25519.cr.yp.to/eddsa-20150704.pdf. HashEdEDSA can be
	45	* implemented easily by presenting a hash of a message to the functions
	46	* here, as the message to be signed or verified.
a7aa36f2 MW	47	*
	48	* It also implements `Ed25519ctx' and `Ed25519ph' as described in RFC8032,
	49	* though in the latter case it assumes that you've already done the hashing
	50	* and have provided the hash as the `message' input.
d56fd9d1 MW	51	*/
	52
	53	/----- Header files ------------------------------------------------------/
	54
	55	#include <mLib/bits.h>
	56
	57	#ifndef CATACOMB_KEY_H
	58	# include "key.h"
	59	#endif
	60
	61	/----- Important constants -----------------------------------------------/
	62
	63	#define ED25519_KEYSZ 32u
	64	#define ED25519_PUBSZ 32u
	65	#define ED25519_SIGSZ 64u
	66
a7aa36f2 MW	67	#define ED25519_MAXPERSOSZ 255u
a7aa36f2 MW	68
d56fd9d1 MW	69	/----- Key fetching ------------------------------------------------------/
	70
	71	typedef struct ed25519_priv { key_bin priv, pub; } ed25519_priv;
	72	typedef struct ed25519_pub { key_bin pub; } ed25519_pub;
	73
	74	extern const key_fetchdef ed25519_pubfetch[], ed25519_privfetch[];
	75	#define ED25519_PUBFETCHSZ 3
	76	#define ED25519_PRIVFETCHSZ 6
	77
	78	/----- Functions provided ------------------------------------------------/
	79
	80	/* --- @ed25519_pubkey@ --- *
	81	*
	82	* Arguments: @octet K[ED25519_PUBSZ]@ = where to put the public key
	83	* @const void *k@ = private key
	84	* @size_t ksz@ = length of private key
	85	*
	86	* Returns: ---
	87	*
	88	* Use: Derives the public key from a private key.
	89	*/
	90
	91	extern void ed25519_pubkey(octet /K/[ED25519_PUBSZ],
	92	const void /k/, size_t /ksz*/);
	93
a7aa36f2	94	/* --- @ed25519_sign@, @ed25519ctx_sign@ --- *
d56fd9d1 MW	95	*
	96	* Arguments: @octet sig[ED25519_SIGSZ]@ = where to put the signature
	97	* @const void *k@ = private key
	98	* @size_t ksz@ = length of private key
	99	* @const octet K[ED25519_PUBSZ]@ = public key
a7aa36f2 MW	100	* @int phflag@ = whether the `message' has been hashed already
	101	* @const void *p@ = personalization string
	102	* @size_t psz@ = length of personalization string
d56fd9d1 MW	103	* @const void *m@ = message to sign
	104	* @size_t msz@ = length of message
	105	*
	106	* Returns: ---
	107	*
	108	* Use: Signs a message.
a7aa36f2 MW	109	*
	110	* In @ed25519ctx_sign@, if @phflag@ is @-1@ then you get plain
	111	* old Ed25519: the personalization string pointer @p@ will be
	112	* ignored. If @phflag > 0@ then the `message' @m@ should be a
	113	* SHA512 hash of the actual message.
d56fd9d1 MW	114	*/
d56fd9d1 MW	115
a7aa36f2 MW	116	extern void ed25519ctx_sign(octet /sig/[ED25519_SIGSZ],
	117	const void /k/, size_t /ksz*/,
	118	const octet /K/[ED25519_PUBSZ],
	119	int /phflag/,
	120	const void /p/, size_t /psz*/,
	121	const void /m/, size_t /msz*/);
	122
d56fd9d1 MW	123	extern void ed25519_sign(octet /sig/[ED25519_SIGSZ],
	124	const void /k/, size_t /ksz*/,
	125	const octet /K/[ED25519_PUBSZ],
	126	const void /m/, size_t /msz*/);
	127
a7aa36f2	128	/* --- @ed25519_verify@, @ed25519ctx_verify@ --- *
d56fd9d1 MW	129	*
d56fd9d1 MW	130	* Arguments: @const octet K[ED25519_PUBSZ]@ = public key
a7aa36f2 MW	131	* @int phflag@ = whether the `message' has been hashed already
	132	* @const void *p@ = personalization string
	133	* @size_t psz@ = length of personalization string
d56fd9d1 MW	134	* @const void *m@ = message to sign
	135	* @size_t msz@ = length of message
	136	* @const octet sig[ED25519_SIGSZ]@ = signature
	137	*
	138	* Returns: Zero if OK, negative on failure.
	139	*
	140	* Use: Verify a signature.
a7aa36f2 MW	141	*
	142	* In @ed25519ctx_verify@, if @phflag@ is @-1@ then you get
	143	* plain old Ed25519: the personalization string pointer @p@
	144	* will be ignored. If @phflag > 0@ then the `message' @m@
	145	* should be a SHA512 hash of the actual message.
d56fd9d1 MW	146	*/
d56fd9d1 MW	147
a7aa36f2 MW	148	extern int ed25519ctx_verify(const octet /K/[ED25519_PUBSZ],
	149	int /phflag/,
	150	const void /p/, size_t /psz*/,
	151	const void /m/, size_t /msz*/,
	152	const octet /sig/[ED25519_SIGSZ]);
	153
d56fd9d1 MW	154	extern int ed25519_verify(const octet /K/[ED25519_PUBSZ],
	155	const void /m/, size_t /msz*/,
	156	const octet /sig/[ED25519_SIGSZ]);
	157
	158	/----- That's all, folks -------------------------------------------------/
	159
	160	#ifdef __cplusplus
	161	}
	162	#endif
	163
	164	#endif