3 * The Ed25519 signature scheme
5 * (c) 2017 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 #ifndef CATACOMB_ED25519_H
29 #define CATACOMB_ED25519_H
35 /*----- Notes on the Ed25519 signature scheme -----------------------------*
37 * This is Ed25519, as described in Daniel J. Bernstein, Neils Duif, Tanja
38 * Lange, Peter Schwabe, and Bo-Yin Yang, `High-speed high-security
39 * signatures', CHES 2011, https://ed25519.cr.yp.to/ed25519-20110926.pdf
41 * Specifically, this code implements `PureEdDSA', according to the
42 * definition in Daniel J. Bernstein, Simon Josefsson, Tanja Lange, Peter
43 * Schwabe, and Bo-Yin Yang, `EdDSA for more curves',
44 * https://ed25519.cr.yp.to/eddsa-20150704.pdf. HashEdEDSA can be
45 * implemented easily by presenting a hash of a message to the functions
46 * here, as the message to be signed or verified.
48 * It also implements `Ed25519ctx' and `Ed25519ph' as described in RFC8032,
49 * though in the latter case it assumes that you've already done the hashing
50 * and have provided the hash as the `message' input.
53 /*----- Header files ------------------------------------------------------*/
55 #include <mLib/bits.h>
57 #ifndef CATACOMB_KEY_H
61 /*----- Important constants -----------------------------------------------*/
63 #define ED25519_KEYSZ 32u
64 #define ED25519_PUBSZ 32u
65 #define ED25519_SIGSZ 64u
67 #define ED25519_MAXPERSOSZ 255u
69 /*----- Key fetching ------------------------------------------------------*/
71 typedef struct ed25519_priv
{ key_bin priv
, pub
; } ed25519_priv
;
72 typedef struct ed25519_pub
{ key_bin pub
; } ed25519_pub
;
74 extern const key_fetchdef ed25519_pubfetch
[], ed25519_privfetch
[];
75 #define ED25519_PUBFETCHSZ 3
76 #define ED25519_PRIVFETCHSZ 6
78 /*----- Functions provided ------------------------------------------------*/
80 /* --- @ed25519_pubkey@ --- *
82 * Arguments: @octet K[ED25519_PUBSZ]@ = where to put the public key
83 * @const void *k@ = private key
84 * @size_t ksz@ = length of private key
88 * Use: Derives the public key from a private key.
91 extern void ed25519_pubkey(octet
/*K*/[ED25519_PUBSZ
],
92 const void */
*k*/
, size_t /*ksz*/);
94 /* --- @ed25519_sign@, @ed25519ctx_sign@ --- *
96 * Arguments: @octet sig[ED25519_SIGSZ]@ = where to put the signature
97 * @const void *k@ = private key
98 * @size_t ksz@ = length of private key
99 * @const octet K[ED25519_PUBSZ]@ = public key
100 * @int phflag@ = whether the `message' has been hashed already
101 * @const void *p@ = personalization string
102 * @size_t psz@ = length of personalization string
103 * @const void *m@ = message to sign
104 * @size_t msz@ = length of message
108 * Use: Signs a message.
110 * In @ed25519ctx_sign@, if @phflag@ is @-1@ then you get plain
111 * old Ed25519: the personalization string pointer @p@ will be
112 * ignored. If @phflag > 0@ then the `message' @m@ should be a
113 * SHA512 hash of the actual message.
116 extern void ed25519ctx_sign(octet
/*sig*/[ED25519_SIGSZ
],
117 const void */
*k*/
, size_t /*ksz*/,
118 const octet
/*K*/[ED25519_PUBSZ
],
120 const void */
*p*/
, size_t /*psz*/,
121 const void */
*m*/
, size_t /*msz*/);
123 extern void ed25519_sign(octet
/*sig*/[ED25519_SIGSZ
],
124 const void */
*k*/
, size_t /*ksz*/,
125 const octet
/*K*/[ED25519_PUBSZ
],
126 const void */
*m*/
, size_t /*msz*/);
128 /* --- @ed25519_verify@, @ed25519ctx_verify@ --- *
130 * Arguments: @const octet K[ED25519_PUBSZ]@ = public key
131 * @int phflag@ = whether the `message' has been hashed already
132 * @const void *p@ = personalization string
133 * @size_t psz@ = length of personalization string
134 * @const void *m@ = message to sign
135 * @size_t msz@ = length of message
136 * @const octet sig[ED25519_SIGSZ]@ = signature
138 * Returns: Zero if OK, negative on failure.
140 * Use: Verify a signature.
142 * In @ed25519ctx_verify@, if @phflag@ is @-1@ then you get
143 * plain old Ed25519: the personalization string pointer @p@
144 * will be ignored. If @phflag > 0@ then the `message' @m@
145 * should be a SHA512 hash of the actual message.
148 extern int ed25519ctx_verify(const octet
/*K*/[ED25519_PUBSZ
],
150 const void */
*p*/
, size_t /*psz*/,
151 const void */
*m*/
, size_t /*msz*/,
152 const octet
/*sig*/[ED25519_SIGSZ
]);
154 extern int ed25519_verify(const octet
/*K*/[ED25519_PUBSZ
],
155 const void */
*m*/
, size_t /*msz*/,
156 const octet
/*sig*/[ED25519_SIGSZ
]);
158 /*----- That's all, folks -------------------------------------------------*/