- Notifications
You must be signed in to change notification settings - Fork162
Portable C implementation of Ed25519, a high-speed high-security public-key signature system.
License
orlp/ed25519
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
This is a portable implementation ofEd25519 basedon the SUPERCOP "ref10" implementation. Additionally there is key exchangingand scalar addition included to further aid building a PKI using Ed25519. Allcode is licensed under the permissive zlib license.
All code is pure ANSI C without any dependencies, except for the random seedgeneration which uses standard OS cryptography APIs (CryptGenRandom onWindows,/dev/urandom on nix). If you wish to be entirely portable defineED25519_NO_SEED. This disables theed25519_create_seed function, so if yourapplication requires key generation you must supply your own seeding function(which is simply a 256 bit (32 byte) cryptographic random number generator).
On a Windows machine with an Intel Pentium B970 @ 2.3GHz I got the followingspeeds (running on only one a single core):
Seed generation: 64us (15625 per second)Key generation: 88us (11364 per second)Message signing (short message): 87us (11494 per second)Message verifying (short message): 228us (4386 per second)Scalar addition: 100us (10000 per second)Key exchange: 220us (4545 per second)The speeds on other machines may vary. Sign/verify times will be higher withlonger messages. The implementation significantly benefits from 64 bitarchitectures, if possible compile as 64 bit.
Simply add all .c and .h files in thesrc/ folder to your project and includeed25519.h in any file you want to use the API. If you prefer to use a sharedlibrary, only copyed25519.h and defineED25519_DLL before importing. Awindows DLL is pre-built.
There are no defined types for seeds, private keys, public keys, shared secretsor signatures. Instead simpleunsigned char buffers are used with thefollowing sizes:
unsignedcharseed[32];unsignedcharsignature[64];unsignedcharpublic_key[32];unsignedcharprivate_key[64];unsignedcharscalar[32];unsignedcharshared_secret[32];
Note: this library stores private keys in a different format than some otherlibraries, notablylibsodium. They tend to store the concatenation of theseedandpublic_key as their private key representation. If you wish to be compatiblewith these libraries you must keep the seed around.
inted25519_create_seed(unsignedchar*seed);
Creates a 32 byte random seed inseed for key generation.seed must be awritable 32 byte buffer. Returns 0 on success, and nonzero on failure.
voided25519_create_keypair(unsignedchar*public_key,unsignedchar*private_key,constunsignedchar*seed);
Creates a new key pair from the given seed.public_key must be a writable 32byte buffer,private_key must be a writable 64 byte buffer andseed must bea 32 byte buffer.
voided25519_sign(unsignedchar*signature,constunsignedchar*message,size_tmessage_len,constunsignedchar*public_key,constunsignedchar*private_key);
Creates a signature of the given message with the given key pair.signaturemust be a writable 64 byte buffer.message must have at leastmessage_lenbytes to be read.
inted25519_verify(constunsignedchar*signature,constunsignedchar*message,size_tmessage_len,constunsignedchar*public_key);
Verifies the signature on the given message usingpublic_key.signaturemust be a readable 64 byte buffer.message must have at leastmessage_lenbytes to be read. Returns 1 if the signature matches, 0 otherwise.
voided25519_add_scalar(unsignedchar*public_key,unsignedchar*private_key,constunsignedchar*scalar);
Addsscalar to the given key pair where scalar is a 32 byte buffer (possiblygenerated withed25519_create_seed), generating a new key pair. You cancalculate the public key sum without knowing the private key and vice versa bypassing inNULL for the key you don't know. This is useful for enforcingrandomness on a key pair by a third party while only knowing the public key,among other things. Warning: the last bit of the scalar is ignored - ifcomparing scalars make sure to clear it withscalar[31] &= 127.
voided25519_key_exchange(unsignedchar*shared_secret,constunsignedchar*public_key,constunsignedchar*private_key);
Performs a key exchange on the given public key and private key, producing ashared secret. It is recommended to hash the shared secret before using it.shared_secret must be a 32 byte writable buffer where the shared secret willbe stored.
unsignedcharseed[32],public_key[32],private_key[64],signature[64];unsignedcharother_public_key[32],other_private_key[64],shared_secret[32];constunsignedcharmessage[]="TEST MESSAGE";/* create a random seed, and a key pair out of that seed */if (ed25519_create_seed(seed)) {printf("error while generating seed\n");exit(1);}ed25519_create_keypair(public_key,private_key,seed);/* create signature on the message with the key pair */ed25519_sign(signature,message,strlen(message),public_key,private_key);/* verify the signature */if (ed25519_verify(signature,message,strlen(message),public_key)) {printf("valid signature\n");}else {printf("invalid signature\n");}/* create a dummy keypair to use for a key exchange, normally you'd only havethe public key and receive it through some communication channel */if (ed25519_create_seed(seed)) {printf("error while generating seed\n");exit(1);}ed25519_create_keypair(other_public_key,other_private_key,seed);/* do a key exchange with other_public_key */ed25519_key_exchange(shared_secret,other_public_key,private_key);/* the magic here is that ed25519_key_exchange(shared_secret, public_key, other_private_key); would result in the same shared_secret*/
All code is released under the zlib license. See license.txt for details.