1 /* Edwards curve signature system
2 * Daniel Beer <dlbeer@gmail.com>, 22 Apr 2014
4 * This file is in the public domain.
14 /* This is the Ed25519 signature system, as described in:
16 * Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, Bo-Yin
17 * Yang. High-speed high-security signatures. Journal of Cryptographic
18 * Engineering 2 (2012), 77–89. Document ID:
19 * a1a62a2f76d23f65d622484ddd09caf8. URL:
20 * http://cr.yp.to/papers.html#ed25519. Date: 2011.09.26.
22 * The format and calculation of signatures is compatible with the
23 * Ed25519 implementation in SUPERCOP. Note, however, that our secret
24 * keys are half the size: we don't store a copy of the public key in
25 * the secret key (we generate it on demand).
28 /* Any string of 32 random bytes is a valid secret key. There is no
29 * clamping of bits, because we don't use the key directly as an
30 * exponent (the exponent is derived from part of a key expansion).
32 #define EDSIGN_SECRET_KEY_SIZE 32
34 /* Given a secret key, produce the public key (a packed Edwards-curve
37 #define EDSIGN_PUBLIC_KEY_SIZE 32
39 void edsign_sec_to_pub(void *pub
, const void *secret
);
41 /* Produce a signature for a message. */
42 #define EDSIGN_SIGNATURE_SIZE 64
44 void edsign_sign(uint8_t *signature
, const uint8_t *pub
,
45 const uint8_t *secret
,
46 const uint8_t *message
, size_t len
);
48 struct edsign_verify_state
{
49 struct sha512_state sha
;
52 void edsign_verify_init(struct edsign_verify_state
*st
, const void *sig
,
56 edsign_verify_add(struct edsign_verify_state
*st
, const void *data
, int len
)
58 sha512_add(&st
->sha
, data
, len
);
61 /* Verify a message signature. Returns non-zero if ok. */
62 bool edsign_verify(struct edsign_verify_state
*st
, const void *sig
, const void *pub
);