ed25519

package

v1.3.71 Latest Latest Go to latest Published: Apr 15, 2024 License: BSD-3-Clause Imports: 17 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/linckode/circl

Links

Open Source Insights

Documentation ¶

Overview ¶

Package ed25519 implements Ed25519 signature scheme as described in RFC-8032.

This package provides optimized implementations of the three signature variants and maintaining closer compatibility with crypto/ed25519.

| Scheme Name | Sign Function     | Verification  | Context           |
|-------------|-------------------|---------------|-------------------|
| Ed25519     | Sign              | Verify        | None              |
| Ed25519Ph   | SignPh            | VerifyPh      | Yes, can be empty |
| Ed25519Ctx  | SignWithCtx       | VerifyWithCtx | Yes, non-empty    |
| All above   | (PrivateKey).Sign | VerifyAny     | As above          |

Specific functions for sign and verify are defined. A generic signing function for all schemes is available through the crypto.Signer interface, which is implemented by the PrivateKey type. A correspond all-in-one verification method is provided by the VerifyAny function.

Signing with Ed25519Ph or Ed25519Ctx requires a context string for domain separation. This parameter is passed using a SignerOptions struct defined in this package. While Ed25519Ph accepts an empty context, Ed25519Ctx enforces non-empty context strings.

Compatibility with crypto.ed25519 ¶

These functions are compatible with the “Ed25519” function defined in RFC-8032. However, unlike RFC 8032's formulation, this package's private key representation includes a public key suffix to make multiple signing operations with the same key more efficient. This package refers to the RFC-8032 private key as the “seed”.

References

RFC-8032: https://rfc-editor.org/rfc/rfc8032.txt
Ed25519: https://ed25519.cr.yp.to/
EdDSA: High-speed high-security signatures. https://doi.org/10.1007/s13389-012-0027-1

Example (Ed25519) ¶

package main

import (
	"crypto/rand"
	"fmt"

	"github.com/linckode/circl/sign/ed25519"
)

func main() {
	// import "github.com/linckode/circl/sign/ed25519"
	// import "crypto/rand"

	// Generating Alice's key pair
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic("error on generating keys")
	}

	// Alice signs a message.
	message := []byte("A message to be signed")
	signature := ed25519.Sign(priv, message)

	// Anyone can verify the signature using Alice's public key.
	ok := ed25519.Verify(pub, message, signature)
	fmt.Println(ok)
}

Output:

true

Index ¶

Constants
func GenerateKey(rand io.Reader) (PublicKey, PrivateKey, error)
func Scheme() sign.Scheme
func Sign(privateKey PrivateKey, message []byte) []byte
func SignPh(privateKey PrivateKey, message []byte, ctx string) []byte
func SignWithCtx(privateKey PrivateKey, message []byte, ctx string) []byte
func Verify(public PublicKey, message, signature []byte) bool
func VerifyAny(public PublicKey, message, signature []byte, opts crypto.SignerOpts) bool
func VerifyPh(public PublicKey, message, signature []byte, ctx string) bool
func VerifyWithCtx(public PublicKey, message, signature []byte, ctx string) bool
type PrivateKey
- func NewKeyFromSeed(seed []byte) PrivateKey
type PublicKey
type SchemeID
type SignerOptions

Constants ¶

View Source

const (
	// ContextMaxSize is the maximum length (in bytes) allowed for context.
	ContextMaxSize = 255
	// PublicKeySize is the size, in bytes, of public keys as used in this package.
	PublicKeySize = 32
	// PrivateKeySize is the size, in bytes, of private keys as used in this package.
	PrivateKeySize = 64
	// SignatureSize is the size, in bytes, of signatures generated and verified by this package.
	SignatureSize = 64
	// SeedSize is the size, in bytes, of private key seeds. These are the private key representations used by RFC 8032.
	SeedSize = 32
)

Variables ¶

This section is empty.

Functions ¶

func GenerateKey ¶

func GenerateKey(rand io.Reader) (PublicKey, PrivateKey, error)

GenerateKey generates a public/private key pair using entropy from rand. If rand is nil, crypto/rand.Reader will be used.

func Scheme ¶

func Scheme() sign.Scheme

Scheme returns a signature interface.

func Sign ¶

func Sign(privateKey PrivateKey, message []byte) []byte

Sign signs the message with privateKey and returns a signature. This function supports the signature variant defined in RFC-8032: Ed25519, also known as the pure version of EdDSA. It will panic if len(privateKey) is not PrivateKeySize.

func SignPh ¶

func SignPh(privateKey PrivateKey, message []byte, ctx string) []byte

SignPh creates a signature of a message with private key and context. This function supports the signature variant defined in RFC-8032: Ed25519ph, meaning it internally hashes the message using SHA-512, and optionally accepts a context string. It will panic if len(privateKey) is not PrivateKeySize. Context could be passed to this function, which length should be no more than ContextMaxSize=255. It can be empty.

Example ¶

package main

import (
	"crypto/rand"
	"fmt"

	"github.com/linckode/circl/sign/ed25519"
)

func main() {
	// import "github.com/linckode/circl/sign/ed25519"
	// import "crypto/rand"

	// Generating Alice's key pair
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic("error on generating keys")
	}

	// Alice signs a message.
	message := []byte("A message to be signed")
	ctx := "an optional context string"

	signature := ed25519.SignPh(priv, message, ctx)

	// Anyone can verify the signature using Alice's public key.
	ok := ed25519.VerifyPh(pub, message, signature, ctx)
	fmt.Println(ok)
}

Output:

true

func SignWithCtx ¶

func SignWithCtx(privateKey PrivateKey, message []byte, ctx string) []byte

SignWithCtx creates a signature of a message with private key and context. This function supports the signature variant defined in RFC-8032: Ed25519ctx, meaning it accepts a non-empty context string. It will panic if len(privateKey) is not PrivateKeySize. Context must be passed to this function, which length should be no more than ContextMaxSize=255 and cannot be empty.

Example ¶

package main

import (
	"crypto/rand"
	"fmt"

	"github.com/linckode/circl/sign/ed25519"
)

func main() {
	// import "github.com/linckode/circl/sign/ed25519"
	// import "crypto/rand"

	// Generating Alice's key pair
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic("error on generating keys")
	}

	// Alice signs a message.
	message := []byte("A message to be signed")
	ctx := "a non-empty context string"

	signature := ed25519.SignWithCtx(priv, message, ctx)

	// Anyone can verify the signature using Alice's public key.
	ok := ed25519.VerifyWithCtx(pub, message, signature, ctx)
	fmt.Println(ok)
}

Output:

true

func Verify ¶

func Verify(public PublicKey, message, signature []byte) bool

Verify returns true if the signature is valid. Failure cases are invalid signature, or when the public key cannot be decoded. This function supports the signature variant defined in RFC-8032: Ed25519, also known as the pure version of EdDSA.

func VerifyAny ¶

func VerifyAny(public PublicKey, message, signature []byte, opts crypto.SignerOpts) bool

VerifyAny returns true if the signature is valid. Failure cases are invalid signature, or when the public key cannot be decoded. This function supports all the three signature variants defined in RFC-8032, namely Ed25519 (or pure EdDSA), Ed25519Ph, and Ed25519Ctx. The opts.HashFunc() must return zero to specify either Ed25519 or Ed25519Ctx variant. This can be achieved by passing crypto.Hash(0) as the value for opts. The opts.HashFunc() must return SHA512 to specify the Ed25519Ph variant. This can be achieved by passing crypto.SHA512 as the value for opts. Use a SignerOptions struct to pass a context string for signing.

func VerifyPh ¶

func VerifyPh(public PublicKey, message, signature []byte, ctx string) bool

VerifyPh returns true if the signature is valid. Failure cases are invalid signature, or when the public key cannot be decoded. This function supports the signature variant defined in RFC-8032: Ed25519ph, meaning it internally hashes the message using SHA-512. Context could be passed to this function, which length should be no more than 255. It can be empty.

func VerifyWithCtx ¶

func VerifyWithCtx(public PublicKey, message, signature []byte, ctx string) bool

VerifyWithCtx returns true if the signature is valid. Failure cases are invalid signature, or when the public key cannot be decoded, or when context is not provided. This function supports the signature variant defined in RFC-8032: Ed25519ctx, meaning it does not handle prehashed messages. Non-empty context string must be provided, and must not be more than 255 of length.

Types ¶

type PrivateKey ¶

type PrivateKey []byte

PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer.

func NewKeyFromSeed ¶

func NewKeyFromSeed(seed []byte) PrivateKey

NewKeyFromSeed calculates a private key from a seed. It will panic if len(seed) is not SeedSize. This function is provided for interoperability with RFC 8032. RFC 8032's private keys correspond to seeds in this package.

func (PrivateKey) Equal ¶

func (priv PrivateKey) Equal(x crypto.PrivateKey) bool

Equal reports whether priv and x have the same value.

func (PrivateKey) MarshalBinary ¶

func (priv PrivateKey) MarshalBinary() (data []byte, err error)

func (PrivateKey) Public ¶

func (priv PrivateKey) Public() crypto.PublicKey

Public returns the PublicKey corresponding to priv.

func (PrivateKey) Scheme ¶

func (priv PrivateKey) Scheme() sign.Scheme

func (PrivateKey) Seed ¶

func (priv PrivateKey) Seed() []byte

Seed returns the private key seed corresponding to priv. It is provided for interoperability with RFC 8032. RFC 8032's private keys correspond to seeds in this package.

func (PrivateKey) Sign ¶

func (priv PrivateKey) Sign(
	rand io.Reader,
	message []byte,
	opts crypto.SignerOpts,
) (signature []byte, err error)

Sign creates a signature of a message with priv key. This function is compatible with crypto.ed25519 and also supports the three signature variants defined in RFC-8032, namely Ed25519 (or pure EdDSA), Ed25519Ph, and Ed25519Ctx. The opts.HashFunc() must return zero to specify either Ed25519 or Ed25519Ctx variant. This can be achieved by passing crypto.Hash(0) as the value for opts. The opts.HashFunc() must return SHA512 to specify the Ed25519Ph variant. This can be achieved by passing crypto.SHA512 as the value for opts. Use a SignerOptions struct (defined in this package) to pass a context string for signing.

type PublicKey ¶

type PublicKey cryptoEd25519.PublicKey

PublicKey is the type of Ed25519 public keys.

func (PublicKey) Equal ¶

func (pub PublicKey) Equal(x crypto.PublicKey) bool

Equal reports whether pub and x have the same value.

func (PublicKey) MarshalBinary ¶

func (pub PublicKey) MarshalBinary() (data []byte, err error)

func (PublicKey) Scheme ¶

func (pub PublicKey) Scheme() sign.Scheme

type SchemeID ¶

type SchemeID uint

SchemeID is an identifier for each signature scheme.

const (
	ED25519 SchemeID = iota
	ED25519Ph
	ED25519Ctx
)

type SignerOptions ¶

type SignerOptions struct {
	// Hash must be crypto.Hash(0) for Ed25519/Ed25519ctx, or crypto.SHA512
	// for Ed25519ph.
	crypto.Hash

	// Context is an optional domain separation string for Ed25519ph and a
	// must for Ed25519ctx. Its length must be less or equal than 255 bytes.
	Context string

	// Scheme is an identifier for choosing a signature scheme. The zero value
	// is ED25519.
	Scheme SchemeID
}

SignerOptions implements crypto.SignerOpts and augments with parameters that are specific to the Ed25519 signature schemes.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL