[secnet] / ed25519.h

/* -*-c-*-
 *
 * The Ed25519 signature scheme
 *
 * (c) 2017 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of secnet.
 * See README for full list of copyright holders.
 *
 * secnet is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version d of the License, or
 * (at your option) any later version.
 *
 * secnet is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 3 along with secnet; if not, see
 * https://www.gnu.org/licenses/gpl.html.
 *
 * This file was originally part of Catacomb, but has been automatically
 * modified for incorporation into secnet: see `import-catacomb-crypto'
 * for details.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

#ifndef CATACOMB_ED25519_H
#define CATACOMB_ED25519_H

#ifdef __cplusplus
  extern "C" {
#endif

/*----- Notes on the Ed25519 signature scheme -----------------------------*
 *
 * This is Ed25519, as described in Daniel J. Bernstein, Neils Duif, Tanja
 * Lange, Peter Schwabe, and Bo-Yin Yang, `High-speed high-security
 * signatures', CHES 2011, https://ed25519.cr.yp.to/ed25519-20110926.pdf
 *
 * Specifically, this code implements `PureEdDSA', according to the
 * definition in Daniel J. Bernstein, Simon Josefsson, Tanja Lange, Peter
 * Schwabe, and Bo-Yin Yang, `EdDSA for more curves',
 * https://ed25519.cr.yp.to/eddsa-20150704.pdf.  HashEdEDSA can be
 * implemented easily by presenting a hash of a message to the functions
 * here, as the message to be signed or verified.
 *
 * It also implements `Ed25519ctx' and `Ed25519ph' as described in RFC8032,
 * though in the latter case it assumes that you've already done the hashing
 * and have provided the hash as the `message' input.
 */

/*----- Header files ------------------------------------------------------*/

#include "fake-mLib-bits.h"

/*----- Important constants -----------------------------------------------*/

#define ED25519_KEYSZ 32u
#define ED25519_PUBSZ 32u
#define ED25519_SIGSZ 64u

#define ED25519_MAXPERSOSZ 255u

/*----- Functions provided ------------------------------------------------*/

/* --- @ed25519_pubkey@ --- *
 *
 * Arguments:	@octet K[ED25519_PUBSZ]@ = where to put the public key
 *		@const void *k@ = private key
 *		@size_t ksz@ = length of private key
 *
 * Returns:	---
 *
 * Use:		Derives the public key from a private key.
 */

extern void ed25519_pubkey(octet /*K*/[ED25519_PUBSZ],
			   const void */*k*/, size_t /*ksz*/);

/* --- @ed25519_sign@, @ed25519ctx_sign@ --- *
 *
 * Arguments:	@octet sig[ED25519_SIGSZ]@ = where to put the signature
 *		@const void *k@ = private key
 *		@size_t ksz@ = length of private key
 *		@const octet K[ED25519_PUBSZ]@ = public key
 *		@int phflag@ = whether the `message' has been hashed already
 *		@const void *p@ = personalization string
 *		@size_t psz@ = length of personalization string
 *		@const void *m@ = message to sign
 *		@size_t msz@ = length of message
 *
 * Returns:	---
 *
 * Use:		Signs a message.
 *
 *		In @ed25519ctx_sign@, if @phflag@ is @-1@ then you get plain
 *		old Ed25519: the personalization string pointer @p@ will be
 *		ignored.  If @phflag > 0@ then the `message' @m@ should be a
 *		SHA512 hash of the actual message.
 */

extern void ed25519ctx_sign(octet /*sig*/[ED25519_SIGSZ],
			    const void */*k*/, size_t /*ksz*/,
			    const octet /*K*/[ED25519_PUBSZ],
			    int /*phflag*/,
			    const void */*p*/, size_t /*psz*/,
			    const void */*m*/, size_t /*msz*/);

extern void ed25519_sign(octet /*sig*/[ED25519_SIGSZ],
			 const void */*k*/, size_t /*ksz*/,
			 const octet /*K*/[ED25519_PUBSZ],
			 const void */*m*/, size_t /*msz*/);

/* --- @ed25519_verify@, @ed25519ctx_verify@ --- *
 *
 * Arguments:	@const octet K[ED25519_PUBSZ]@ = public key
 *		@int phflag@ = whether the `message' has been hashed already
 *		@const void *p@ = personalization string
 *		@size_t psz@ = length of personalization string
 *		@const void *m@ = message to sign
 *		@size_t msz@ = length of message
 *		@const octet sig[ED25519_SIGSZ]@ = signature
 *
 * Returns:	Zero if OK, negative on failure.
 *
 * Use:		Verify a signature.
 *
 *		In @ed25519ctx_verify@, if @phflag@ is @-1@ then you get
 *		plain old Ed25519: the personalization string pointer @p@
 *		will be ignored.  If @phflag > 0@ then the `message' @m@
 *		should be a SHA512 hash of the actual message.
 */

extern int ed25519ctx_verify(const octet /*K*/[ED25519_PUBSZ],
			     int /*phflag*/,
			     const void */*p*/, size_t /*psz*/,
			     const void */*m*/, size_t /*msz*/,
			     const octet /*sig*/[ED25519_SIGSZ]);

extern int ed25519_verify(const octet /*K*/[ED25519_PUBSZ],
			  const void */*m*/, size_t /*msz*/,
			  const octet /*sig*/[ED25519_SIGSZ]);

/*----- That's all, folks -------------------------------------------------*/

#ifdef __cplusplus
  }
#endif

#endif
Commit	Line	Data
a1a6042e MW	1	/* --c--
	2	*
	3	* The Ed25519 signature scheme
	4	*
	5	* (c) 2017 Straylight/Edgeware
	6	*/
	7
	8	/----- Licensing notice --------------------------------------------------
	9	*
	10	* This file is part of secnet.
	11	* See README for full list of copyright holders.
	12	*
	13	* secnet is free software; you can redistribute it and/or modify it
	14	* under the terms of the GNU General Public License as published by
	15	* the Free Software Foundation; either version d of the License, or
	16	* (at your option) any later version.
	17	*
	18	* secnet is distributed in the hope that it will be useful, but
	19	* WITHOUT ANY WARRANTY; without even the implied warranty of
	20	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	21	* General Public License for more details.
	22	*
	23	* You should have received a copy of the GNU General Public License
	24	* version 3 along with secnet; if not, see
	25	* https://www.gnu.org/licenses/gpl.html.
	26	*
	27	* This file was originally part of Catacomb, but has been automatically
	28	* modified for incorporation into secnet: see `import-catacomb-crypto'
	29	* for details.
	30	*
	31	* Catacomb is free software; you can redistribute it and/or modify
	32	* it under the terms of the GNU Library General Public License as
	33	* published by the Free Software Foundation; either version 2 of the
	34	* License, or (at your option) any later version.
	35	*
	36	* Catacomb is distributed in the hope that it will be useful,
	37	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	38	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	39	* GNU Library General Public License for more details.
	40	*
	41	* You should have received a copy of the GNU Library General Public
	42	* License along with Catacomb; if not, write to the Free
	43	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	44	* MA 02111-1307, USA.
	45	*/
	46
	47	#ifndef CATACOMB_ED25519_H
	48	#define CATACOMB_ED25519_H
	49
	50	#ifdef __cplusplus
	51	extern "C" {
	52	#endif
	53
	54	/----- Notes on the Ed25519 signature scheme -----------------------------
	55	*
	56	* This is Ed25519, as described in Daniel J. Bernstein, Neils Duif, Tanja
	57	* Lange, Peter Schwabe, and Bo-Yin Yang, `High-speed high-security
	58	* signatures', CHES 2011, https://ed25519.cr.yp.to/ed25519-20110926.pdf
	59	*
	60	* Specifically, this code implements `PureEdDSA', according to the
	61	* definition in Daniel J. Bernstein, Simon Josefsson, Tanja Lange, Peter
	62	* Schwabe, and Bo-Yin Yang, `EdDSA for more curves',
	63	* https://ed25519.cr.yp.to/eddsa-20150704.pdf. HashEdEDSA can be
	64	* implemented easily by presenting a hash of a message to the functions
65	* here, as the message to be signed or verified.
66	*
67	* It also implements `Ed25519ctx' and `Ed25519ph' as described in RFC8032,
68	* though in the latter case it assumes that you've already done the hashing
69	* and have provided the hash as the `message' input.
70	*/
71
72	/----- Header files ------------------------------------------------------/
73
74	#include "fake-mLib-bits.h"
75
76	/----- Important constants -----------------------------------------------/
77
78	#define ED25519_KEYSZ 32u
79	#define ED25519_PUBSZ 32u
80	#define ED25519_SIGSZ 64u
81
82	#define ED25519_MAXPERSOSZ 255u
83
84	/----- Functions provided ------------------------------------------------/
85
86	/* --- @ed25519_pubkey@ --- *
87	*
88	* Arguments: @octet K[ED25519_PUBSZ]@ = where to put the public key
89	* @const void *k@ = private key
90	* @size_t ksz@ = length of private key
91	*
92	* Returns: ---
93	*
94	* Use: Derives the public key from a private key.
95	*/
96
97	extern void ed25519_pubkey(octet /K/[ED25519_PUBSZ],
98	const void /k/, size_t /ksz*/);
99
100	/* --- @ed25519_sign@, @ed25519ctx_sign@ --- *
101	*
102	* Arguments: @octet sig[ED25519_SIGSZ]@ = where to put the signature
103	* @const void *k@ = private key
104	* @size_t ksz@ = length of private key
105	* @const octet K[ED25519_PUBSZ]@ = public key
106	* @int phflag@ = whether the `message' has been hashed already
107	* @const void *p@ = personalization string
108	* @size_t psz@ = length of personalization string
109	* @const void *m@ = message to sign
110	* @size_t msz@ = length of message
111	*
112	* Returns: ---
113	*
114	* Use: Signs a message.
115	*
116	* In @ed25519ctx_sign@, if @phflag@ is @-1@ then you get plain
117	* old Ed25519: the personalization string pointer @p@ will be
118	* ignored. If @phflag > 0@ then the `message' @m@ should be a
119	* SHA512 hash of the actual message.
120	*/
121
122	extern void ed25519ctx_sign(octet /sig/[ED25519_SIGSZ],
123	const void /k/, size_t /ksz*/,
124	const octet /K/[ED25519_PUBSZ],
125	int /phflag/,
126	const void /p/, size_t /psz*/,
127	const void /m/, size_t /msz*/);
128
129	extern void ed25519_sign(octet /sig/[ED25519_SIGSZ],
130	const void /k/, size_t /ksz*/,
131	const octet /K/[ED25519_PUBSZ],
132	const void /m/, size_t /msz*/);
133
134	/* --- @ed25519_verify@, @ed25519ctx_verify@ --- *
135	*
136	* Arguments: @const octet K[ED25519_PUBSZ]@ = public key
137	* @int phflag@ = whether the `message' has been hashed already
138	* @const void *p@ = personalization string
139	* @size_t psz@ = length of personalization string
140	* @const void *m@ = message to sign
141	* @size_t msz@ = length of message
142	* @const octet sig[ED25519_SIGSZ]@ = signature
143	*
144	* Returns: Zero if OK, negative on failure.
145	*
146	* Use: Verify a signature.
147	*
148	* In @ed25519ctx_verify@, if @phflag@ is @-1@ then you get
149	* plain old Ed25519: the personalization string pointer @p@
150	* will be ignored. If @phflag > 0@ then the `message' @m@
151	* should be a SHA512 hash of the actual message.
152	*/
153
154	extern int ed25519ctx_verify(const octet /K/[ED25519_PUBSZ],
155	int /phflag/,
156	const void /p/, size_t /psz*/,
157	const void /m/, size_t /msz*/,
158	const octet /sig/[ED25519_SIGSZ]);
159
160	extern int ed25519_verify(const octet /K/[ED25519_PUBSZ],
161	const void /m/, size_t /msz*/,
162	const octet /sig/[ED25519_SIGSZ]);
163
164	/----- That's all, folks -------------------------------------------------/
165
166	#ifdef __cplusplus
167	}
168	#endif
169
170	#endif