idnits 2.17.1 draft-irtf-cfrg-eddsa-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 428: '...f present at all) MUST be empty. This...' RFC 2119 keyword, line 432: '...The context input SHOULD NOT be empty....' RFC 2119 keyword, line 1839: '... following SHOULD be kept in mind wh...' RFC 2119 keyword, line 1841: '... The context SHOULD be a constant ...' RFC 2119 keyword, line 1842: '... using it. It SHOULD NOT incorporat...' (5 more instances...) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 19, 2016) is 2807 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '0' on line 2636 -- Looks like a reference, but probably isn't: '31' on line 471 -- Looks like a reference, but probably isn't: '1' on line 2637 -- Looks like a reference, but probably isn't: '32' on line 601 -- Looks like a reference, but probably isn't: '63' on line 601 -- Looks like a reference, but probably isn't: '8' on line 635 == Missing Reference: 'S' is mentioned on line 859, but not defined -- Looks like a reference, but probably isn't: '56' on line 709 -- Looks like a reference, but probably isn't: '57' on line 825 -- Looks like a reference, but probably isn't: '113' on line 825 -- Looks like a reference, but probably isn't: '4' on line 859 -- Looks like a reference, but probably isn't: '3' on line 2639 -- Looks like a reference, but probably isn't: '2' on line 2638 ** Obsolete normative reference: RFC 4634 (Obsoleted by RFC 6234) Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 14 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Josefsson 3 Internet-Draft SJD AB 4 Intended status: Informational I. Liusvaara 5 Expires: February 20, 2017 Independent 6 August 19, 2016 8 Edwards-curve Digital Signature Algorithm (EdDSA) 9 draft-irtf-cfrg-eddsa-08 11 Abstract 13 The elliptic curve signature scheme Edwards-curve Digital Signature 14 Algorithm (EdDSA) is described. The algorithm is instantiated with 15 recommended parameters for the edwards25519 and edwards448 curves. 16 An example implementation and test vectors are provided. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on February 20, 2017. 35 Copyright Notice 37 Copyright (c) 2016 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 53 2. Notation and Conventions . . . . . . . . . . . . . . . . . . 4 54 3. EdDSA Algorithm . . . . . . . . . . . . . . . . . . . . . . . 5 55 3.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 7 56 3.2. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 7 57 3.3. Sign . . . . . . . . . . . . . . . . . . . . . . . . . . 7 58 3.4. Verify . . . . . . . . . . . . . . . . . . . . . . . . . 8 59 4. PureEdDSA, HashEdDSA, and Naming . . . . . . . . . . . . . . 8 60 5. EdDSA Instances . . . . . . . . . . . . . . . . . . . . . . . 8 61 5.1. Ed25519ph, Ed25519ctx and Ed25519 . . . . . . . . . . . . 9 62 5.1.1. Modular arithmetic . . . . . . . . . . . . . . . . . 10 63 5.1.2. Encoding . . . . . . . . . . . . . . . . . . . . . . 10 64 5.1.3. Decoding . . . . . . . . . . . . . . . . . . . . . . 11 65 5.1.4. Point addition . . . . . . . . . . . . . . . . . . . 11 66 5.1.5. Key Generation . . . . . . . . . . . . . . . . . . . 12 67 5.1.6. Sign . . . . . . . . . . . . . . . . . . . . . . . . 13 68 5.1.7. Verify . . . . . . . . . . . . . . . . . . . . . . . 14 69 5.2. Ed448ph and Ed448 . . . . . . . . . . . . . . . . . . . . 14 70 5.2.1. Modular arithmetic . . . . . . . . . . . . . . . . . 16 71 5.2.2. Encoding . . . . . . . . . . . . . . . . . . . . . . 16 72 5.2.3. Decoding . . . . . . . . . . . . . . . . . . . . . . 16 73 5.2.4. Point addition . . . . . . . . . . . . . . . . . . . 17 74 5.2.5. Key Generation . . . . . . . . . . . . . . . . . . . 18 75 5.2.6. Sign . . . . . . . . . . . . . . . . . . . . . . . . 18 76 5.2.7. Verify . . . . . . . . . . . . . . . . . . . . . . . 19 77 6. Ed25519 Python illustration . . . . . . . . . . . . . . . . . 19 78 7. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . . 24 79 7.1. Test Vectors for Ed25519 . . . . . . . . . . . . . . . . 24 80 7.2. Test Vectors for Ed25519ctx . . . . . . . . . . . . . . . 28 81 7.3. Test Vectors for Ed25519ph . . . . . . . . . . . . . . . 30 82 7.4. Test Vectors for Ed448 . . . . . . . . . . . . . . . . . 30 83 7.5. Test Vectors for Ed448ph . . . . . . . . . . . . . . . . 38 84 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 39 85 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 86 10. Security Considerations . . . . . . . . . . . . . . . . . . . 39 87 10.1. Side-channel leaks . . . . . . . . . . . . . . . . . . . 40 88 10.2. Randomness considerations . . . . . . . . . . . . . . . 40 89 10.3. Use of contexts . . . . . . . . . . . . . . . . . . . . 40 90 10.4. Signature malleability . . . . . . . . . . . . . . . . . 41 91 10.5. Choice of signature primitive . . . . . . . . . . . . . 41 92 10.6. Mixing different prehashes . . . . . . . . . . . . . . . 42 93 10.7. Signing large amounts of data at once . . . . . . . . . 42 94 10.8. Multiplication by cofactor in verification . . . . . . . 42 95 10.9. Use of SHAKE256 as hash function . . . . . . . . . . . . 43 96 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 97 11.1. Normative References . . . . . . . . . . . . . . . . . . 43 98 11.2. Informative References . . . . . . . . . . . . . . . . . 43 99 Appendix A. Ed25519/Ed448 Python Library . . . . . . . . . . . . 45 100 Appendix B. Library driver . . . . . . . . . . . . . . . . . . . 57 101 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58 103 1. Introduction 105 The Edwards-curve Digital Signature Algorithm (EdDSA) is a variant of 106 Schnorr's signature system with (possibly twisted) Edwards curves. 107 EdDSA needs to be instantiated with certain parameters and this 108 document describes some recommended variants. 110 To facilitate adoption in the Internet community of EdDSA, this 111 document describes the signature scheme in an implementation-oriented 112 way, and provides sample code and test vectors. 114 The advantages with EdDSA include: 116 1. High-performance on a variety of platforms, 118 2. Does not require the use of a unique random number for each 119 signature, 121 3. More resilient to side-channel attacks, 123 4. Small public keys (32 or 57 bytes) and signatures (64 or 114 124 bytes) for Ed25519 and Ed448, respectively, 126 5. The formulas are "complete", i.e., they are valid for all points 127 on the curve, with no exceptions. This obviates the need for 128 EdDSA to perform expensive point validation on untrusted public 129 values, 131 6. Collision resilience, meaning that hash-function collisions do 132 not break this system. (Only holds for PureEdDSA.) 134 The original EdDSA paper [EDDSA] and the generalized version 135 described in "EdDSA for more curves" [EDDSA2] provide further 136 background. The [RFC7748] document discusses specific curves, 137 including Curve25519 [CURVE25519] and Ed448-Goldilocks [ED448]. 139 Ed25519 is intended to operate at around the 128-bit security level, 140 and Ed448 at around the 224-bit security level. A sufficiently large 141 quantum computer would be able to break both. Reasonable projections 142 of the abilities of classical computers conclude that Ed25519 is 143 perfectly safe. Ed448 is provided for those applications with 144 relaxed performance requirements and where there is a desire to hedge 145 against analytical attacks on elliptic curves. 147 2. Notation and Conventions 149 The following notation is used throughout the document: 151 p Denotes the prime number defining the underlying field 153 GF(p) finite field with p elements 155 x^y x multiplied by itself y times 157 B generator of the group or subgroup of interest 159 [n]X X added to itself n times 161 h[i] the i'th octet of octet string 163 h_i the i'th bit of h 165 a || b (bit-)string a concatenated with (bit-)string b 167 a <= b a is less than or equal to b 169 a >= b a is greater than or equal to b 171 i+j sum of i and j 173 i*j multiplication of i and j 175 i-j subtraction of j from i 177 i/j division of i by j 179 i x j Cartesian product of i and j 181 (u,v) Elliptic curve point with x coordinate u and y coordinate v 183 SHAKE256(x, y) The y first octets of SHAKE256 [FIPS202] output for 184 input x 186 OCTET(x) The octet with value x 188 OLEN(x) The number of octets in string x 190 dom2(x, y) The blank octet string when signing or verifying Ed25519. 191 Otherwise the octet string: "SigEd25519 no Ed25519 collisions" || 192 octet(x) || octet(OLEN(y)) || y, where x is in range 0-255 and y 193 is octet string of at most 255 octets. "SigEd25519 no Ed25519 194 collisions" is in ASCII (32 octets) 196 dom4(x, y) The octet string "SigEd448" || octet(x) || 197 octet(OLEN(y)) || y, where x is in range 0-255 and y is octet 198 string of at most 255 octets. "SigEd448" is in ASCII (8 octets) 200 Parenthesis (i.e., '(' and ')') are used to group expressions, in 201 order to avoid having the description depend on a binding order 202 between operators. 204 Bit strings are converted to octet strings by taking bits from left 205 to right and packing those from least significant bit of each octet 206 to most significant bit, and moving to the next octet when each octet 207 fills up. The conversion from octet string to bit string is the 208 reverse of this process. E.g. the 16-bit bit string 210 b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12 b13 b14 b15 212 , is converted into two octets x0 and x1 (in this order) as 214 x0 = b7*128+b6*64+b5*32+b4*16+b3*8+b2*4+b1*2+b0 215 x1 = b15*128+b14*64+b13*32+b12*16+b11*8+b10*4+b9*2+b8 217 Little-endian encoding into bits places bits from left to right from 218 least significant to most significant. If combined with bit string 219 to octet string conversion defined above, this results in little- 220 endian encoding into octets (if length is not multiple of 8, the most 221 significant bits of last octet remain unused). 223 3. EdDSA Algorithm 225 EdDSA is a digital signature system with eleven parameters. 227 The generic EdDSA digital signature system with its eleven input 228 parameters is not intended to be implemented directly. Choosing 229 parameters is critical for secure and efficient operation. Instead, 230 you would implement a particular parameter choice for EdDSA (such as 231 Ed25519 or Ed448), sometimes slightly generalized to achieve code re- 232 use to cover Ed25519 and Ed448. 234 Therefore, a precise explanation of the generic EdDSA is thus not 235 particularly useful for implementers. For background and 236 completeness, a succinct description of the generic EdDSA algorithm 237 is given here. 239 The definition of some parameters, such as n and c, may help to 240 explain some non-intuitive steps of the algorithm. 242 This description closely follows [EDDSA2]. 244 EdDSA has eleven parameters: 246 1. An odd prime power p. EdDSA uses an elliptic curve over the 247 finite field GF(p). 249 2. An integer b with 2^(b-1) > p. EdDSA public keys have exactly b 250 bits, and EdDSA signatures have exactly 2*b bits. b is 251 recommended to be multiple of 8, so public key and signature 252 lengths are integral number of octets. 254 3. A (b-1)-bit encoding of elements of the finite field GF(p). 256 4. A cryptographic hash function H producing 2*b-bit output. 257 Conservative hash functions (i.e. hash functions where it is 258 infeasible to create collisions) are recommended and do not have 259 much impact on the total cost of EdDSA. 261 5. An integer c that is 2 or 3. Secret EdDSA scalars are multiples 262 of 2^c. The integer c is the base-2 logarithm of the so called 263 cofactor. 265 6. An integer n with c <= n < b. Secret EdDSA scalars have exactly 266 n + 1 bits, with the top bit (the 2^n position) always set and 267 the bottom c bits always cleared. 269 7. A non-square element d of GF(p). The usual recommendation is to 270 take it as the value nearest to zero that gives an acceptable 271 curve. 273 8. A nonzero square element a of GF(p). The usual recommendation 274 for best performance is a = -1 if p mod 4 = 1, and a = 1 if p 275 mod 4 = 3. 277 9. An element B != (0,1) of the set E = { (x,y) is a member of 278 GF(p) x GF(p) such that a * x^2 + y^2 = 1 + d * x^2 * y^2 }. 280 10. An odd prime L such that [L]B = 0 and 2^c * L = #E. The number 281 #E (the number of points on the curve) is part of the standard 282 data provided for an elliptic curve E, or can be computed as 283 cofactor * order. 285 11. A "prehash" function PH. PureEdDSA means EdDSA where PH is the 286 identity function, i.e., PH(M) = M. HashEdDSA means EdDSA where 287 PH generates a short output, no matter how long the message is; 288 for example, PH(M) = SHA-512(M). 290 Points on the curve form a group under addition, (x3, y3) = (x1, y1) 291 + (x2, y2), with the formulas 292 x1 * y2 + x2 * y1 y1 * y2 - a * x1 * x2 293 x3 = --------------------------, y3 = --------------------------- 294 1 + d * x1 * x2 * y1 * y2 1 - d * x1 * x2 * y1 * y2 296 The neutral element in the group is (0,1). 298 Unlike many other curves used for cryptographic applications, these 299 formulas are "complete", they are valid for all points on the curve, 300 with no exceptions. In particular, the denominators are non-zero for 301 all input points. 303 There are more efficient formulas, which are still complete, use 304 homogeneous coordinates to avoid the expensive modulo p inversions. 305 See [Faster-ECC] and [Edwards-revisited]. 307 3.1. Encoding 309 An integer 0 < S < L - 1 is encoded in little-endian form as a b-bit 310 string ENC(S). 312 An element (x,y) of E is encoded as a b-bit string called ENC(x,y) 313 which is the (b-1)-bit encoding of y concatenated with one bit that 314 is 1 if x is negative and 0 if x is not negative. 316 The encoding of GF(p) is used to define "negative" elements of GF(p): 317 specifically, x is negative if the (b-1)-bit encoding of x is 318 lexicographically larger than the (b-1)-bit encoding of -x. 320 3.2. Keys 322 An EdDSA private key is a b-bit string k. Let the hash H(k) = (h_0, 323 h_1, ..., h_(2b-1)) determine an integer s which is 2^n plus the sum 324 of m = 2^i * h_i for all integer i, c <= i < n. Let s determine the 325 multiple A = [s]B. The EdDSA public key is ENC(A). The bits h_b, 326 ..., h_(2b-1) are used below during signing. 328 3.3. Sign 330 The EdDSA signature of a message M under a private key k is defined 331 as the PureEdDSA signature of PH(M). In other words, EdDSA simply 332 uses PureEdDSA to sign PH(M). 334 The PureEdDSA signature of a message M under a private key k is the 335 2*b-bit string ENC(R) || ENC(S). R and S are derived as follows. 336 First define r = H(h_b || ... || h_(2b-1) || M) interpreting 2*b-bit 337 strings in little-endian form as integers in {0, 1, ..., 2^(2*b) - 338 1}. Let R = [r]B and S = (r + H(ENC(R) || ENC(A) || PH(M)) * s) mod 339 L. The s used here is from the previous section. 341 3.4. Verify 343 To verify a PureEdDSA signature ENC(R) || ENC(S) on a message M under 344 a public key ENC(A), proceed as follows. Parse the inputs so that A 345 and R are elements of E, and S is a member of the set {0, 1, ..., L-1 346 }. Compute h = H(ENC(R) || ENC(A) || M) and check the group equation 347 [2^c * S] B = 2^c * R + [2^c * h] A in E. Signature is rejected if 348 parsing fails (including S being out-of-range) or the group equation 349 does not hold. 351 EdDSA verification for a message M is defined as PureEdDSA 352 verification for PH(M). 354 4. PureEdDSA, HashEdDSA, and Naming 356 One of the parameters of the EdDSA algorithm is the "prehash" 357 function. This may be the identity function, resulting in an 358 algorithm called PureEdDSA, or a collision-resistant hash function 359 such as SHA-512, resulting in an algorithm called HashEdDSA. 361 Choosing which variant to use depends on which property is deemed to 362 be more important between 1) collision resilience, and 2) a single- 363 pass interface for creating signatures. The collision resilience 364 property means EdDSA is secure even if it is feasible to compute 365 collisions for the hash function. The single-pass interface property 366 means that only one pass over the input message is required to create 367 a signature. PureEdDSA requires two passes over the input. Many 368 existing APIs, protocols, and environments assume digital signature 369 algorithms only need one pass over the input, and may have API or 370 bandwidth concerns supporting anything else. 372 Note that single-pass verification is not possible with most uses of 373 signatures, no matter which signature algorithm is chosen. This is 374 because most of the time one can't process the message until 375 signature is validated, which needs a pass on the entire message. 377 This document specify parameters resulting in the HashEdDSA variants 378 Ed25519ph and Ed448ph, and the PureEdDSA variants Ed25519 and Ed448. 380 5. EdDSA Instances 382 This section instantiate the general EdDSA algorithm for the 383 edwards25519 and edwards448 curves, each for the PureEdDSA and 384 HashEdDSA variants (plus contextualized extension of the Ed25519 385 scheme. Thus, five different parameter sets are described. 387 5.1. Ed25519ph, Ed25519ctx and Ed25519 389 Ed25519 is EdDSA instantiated with: 391 +-----------+-------------------------------------------------------+ 392 | Parameter | Value | 393 +-----------+-------------------------------------------------------+ 394 | p | p of edwards25519 in [RFC7748] (i.e. 2^255 - 19) | 395 | | | 396 | b | 256 | 397 | | | 398 | encoding | 255-bit little-endian encoding of {0, 1, ..., p-1} | 399 | of GF(p) | | 400 | | | 401 | H(x) | SHA-512(dom2(phflag,context)||x) [RFC4634] | 402 | | | 403 | c | base 2 logarithm of cofactor of edwards25519 in | 404 | | [RFC7748] (i.e. 3) | 405 | | | 406 | n | 254 | 407 | | | 408 | d | d of edwards25519 in [RFC7748] (i.e. -121665/121666 = | 409 | | 37095705934669439343138083508754565189542113879843219 | 410 | | 016388785533085940283555) | 411 | | | 412 | a | -1 | 413 | | | 414 | B | (X(P),Y(P)) of edwards25519 in [RFC7748] (i.e. (1511 | 415 | | 22213495354007725011514095885315114540126930418572060 | 416 | | 46113283949847762202, 4631683569492647816942839400347 | 417 | | 5163141307993866256225615783033603165251855960)) | 418 | | | 419 | L | order of edwards25519 in [RFC7748] (i.e. | 420 | | 2^252+27742317777372353535851937790883648493). | 421 | | | 422 | PH(x) | x (i.e. the identity function) | 423 +-----------+-------------------------------------------------------+ 425 Table 1: Parameters of Ed25519 427 For Ed25519, dom2(f,c) is the empty string. phflag value is 428 irrelevant. The context (if present at all) MUST be empty. This 429 causes the scheme to be one and the same with Ed25519 scheme 430 published earlier. 432 For Ed25519ctx, phflag=0. The context input SHOULD NOT be empty. 434 For, Ed25519ph, phflag=1 and PH is SHA512 instead. i.e., the input 435 is hashed using SHA-512 before signing with Ed25519. 437 Value of context is set by signer and verifier (maximum of 255 438 octets, the default is empty string, except for Ed25519 which can't 439 have context) and has to match octet by octet for verification to be 440 successful. 442 The curve used is equivalent to Curve25519 [CURVE25519], under a 443 change of coordinates, which means that the difficulty of the 444 discrete logarithm problem is the same as for Curve25519. 446 5.1.1. Modular arithmetic 448 For advice on how to implement arithmetic modulo p = 2^255 - 19 449 efficiently and securely, see Curve25519 [CURVE25519]. For inversion 450 modulo p, it is recommended to use the identity x^-1 = x^(p-2) (mod 451 p). Inverting zero should never happen, as it would either require 452 invalid input, which would have been detected before, or a 453 calculation error. 455 For point decoding or "decompression", square roots modulo p are 456 needed. They can be computed using the Tonelli-Shanks algorithm, or 457 the special case for p = 5 (mod 8). To find a square root of a, 458 first compute the candidate root x = a^((p+3)/8) (mod p). Then there 459 are three cases: 461 x^2 = a (mod p). Then x is a square root. 463 x^2 = -a (mod p). Then 2^((p-1)/4) * x is a square root. 465 a is not a square modulo p. 467 5.1.2. Encoding 469 All values are coded as octet strings, integers are coded using 470 little-endian convention, i.e., a 32-octet string h h[0],...h[31] 471 represents the integer h[0] + 2^8 * h[1] + ... + 2^248 * h[31]. 473 A curve point (x,y), with coordinates in the range 0 <= x,y < p, is 474 coded as follows. First, encode the y-coordinate as a little-endian 475 string of 32 octets. The most significant bit of the final octet is 476 always zero. To form the encoding of the point, copy the least 477 significant bit of the x-coordinate to the most significant bit of 478 the final octet. 480 5.1.3. Decoding 482 Decoding a point, given as a 32-octet string, is a little more 483 complicated. 485 1. First, interpret the string as an integer in little-endian 486 representation. Bit 255 of this number is the least significant 487 bit of the x-coordinate, and denote this value x_0. The 488 y-coordinate is recovered simply by clearing this bit. If the 489 resulting value is >= p, decoding fails. 491 2. To recover the x coordinate, the curve equation implies x^2 = 492 (y^2 - 1) / (d y^2 + 1) (mod p). The denominator is always 493 nonzero mod p. Let u = y^2 - 1 and v = d y^2 + 1. To compute 494 the square root of (u/v), the first step is to compute the 495 candidate root x = (u/v)^((p+3)/8). This can be done using the 496 following trick, to use a single modular powering for both the 497 inversion of v and the square root: 499 (p+3)/8 3 (p-5)/8 500 x = (u/v) = u v (u v^7) (mod p) 502 3. Again, there are three cases: 504 1. If v x^2 = u (mod p), x is a square root. 506 2. If v x^2 = -u (mod p), set x <-- x * 2^((p-1)/4), which is a 507 square root. 509 3. Otherwise, no square root exists modulo p, and decoding 510 fails. 512 4. Finally, use the x_0 bit to select the right square root. If x = 513 0, and x_0 = 1, decoding fails. Otherwise, if x_0 != x mod 2, 514 set x <-- p - x. Return the decoded point (x,y). 516 5.1.4. Point addition 518 For point addition, the following method is recommended. A point 519 (x,y) is represented in extended homogeneous coordinates (X, Y, Z, 520 T), with x = X/Z, y = Y/Z, x * y = T/Z. 522 The neutral point is (0,1), or equivalently in extended homogeneous 523 coordinates (0, Z, Z, 0) for any nonzero Z. 525 The following formulas for adding two points, (x3,y3) = 526 (x1,y1)+(x2,y2) on twisted Edwards curves with a=-1, square a and 527 non-square d are described in [Edwards-revisited], section 3.1, and 528 in [EFD-TWISTED-ADD]. They are complete, i.e., they work for any 529 pair of valid input points. 531 A = (Y1-X1)*(Y2-X2) 532 B = (Y1+X1)*(Y2+X2) 533 C = T1*2*d*T2 534 D = Z1*2*Z2 535 E = B-A 536 F = D-C 537 G = D+C 538 H = B+A 539 X3 = E*F 540 Y3 = G*H 541 T3 = E*H 542 Z3 = F*G 544 For point doubling, (x3,y3) = (x1,y1)+(x1,y1), one could just 545 substitute equal points in above (because of completeness, such 546 substitution is valid), and observe that four multiplications turn 547 into squares. However, using the formulas described in 548 [Edwards-revisited], section 3.2, and in [EFD-TWISTED-DBL] saves a 549 few smaller operations. 551 A = X1^2 552 B = Y1^2 553 C = 2*Z1^2 554 H = A+B 555 E = H-(X1+Y1)^2 556 G = A-B 557 F = C+G 558 X3 = E*F 559 Y3 = G*H 560 T3 = E*H 561 Z3 = F*G 563 5.1.5. Key Generation 565 The private key is 32 octets (256 bits, corresponding to b) of 566 cryptographically-secure random data. See [RFC4086] for a discussion 567 about randomness. 569 The 32-byte public key is generated by the following steps. 571 1. Hash the 32-byte private key using SHA-512, storing the digest in 572 a 64-octet large buffer, denoted h. Only the lower 32 bytes are 573 used for generating the public key. 575 2. Prune the buffer: The lowest 3 bits of the first octet are 576 cleared, the highest bit of the last octet is cleared, and the 577 second highest bit of the last octet is set. 579 3. Interpret the buffer as the little-endian integer, forming a 580 secret scalar s. Perform a fixed-base scalar multiplication 581 [s]B. 583 4. The public key A is the encoding of the point [s]B. First encode 584 the y coordinate (in the range 0 <= y < p) as a little-endian 585 string of 32 octets. The most significant bit of the final octet 586 is always zero. To form the encoding of the point [s]B, copy the 587 least significant bit of the x coordinate to the most significant 588 bit of the final octet. The result is the public key. 590 5.1.6. Sign 592 The inputs to the signing procedure is the private key, a 32-octet 593 string, and a message M of arbitrary size. For Ed25519ctx and 594 Ed25519ph, there is additionally a context C of at most 255 octets 595 and a flag F, 0 for Ed25519ctx and 1 for Ed25519ph. 597 1. Hash the private key, 32-octets, using SHA-512. Let h denote the 598 resulting digest. Construct the secret scalar s from the first 599 half of the digest, and the corresponding public key A, as 600 described in the previous section. Let prefix denote the second 601 half of the hash digest, h[32],...,h[63]. 603 2. Compute SHA-512(dom2(F, C) || prefix || PH(M)), where M is the 604 message to be signed. Interpret the 64-octet digest as a little- 605 endian integer r. 607 3. Compute the point [r]B. For efficiency, do this by first 608 reducing r modulo L, the group order of B. Let the string R be 609 the encoding of this point. 611 4. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the 612 64-octet digest as a little-endian integer k. 614 5. Compute S = (r + k * s) mod L. For efficiency, again reduce k 615 modulo L first. 617 6. Form the signature of the concatenation of R (32 octets) and the 618 little-endian encoding of S (32 octets, three most significant 619 bits of the final octet are always zero). 621 5.1.7. Verify 623 1. To verify a signature on a message M using public key A, with F 624 being 0 for Ed25519ctx, 1 for Ed25519ph, and if Ed25519ctx or 625 Ed25519ph is being used, C being the context, first split the 626 signature into two 32-octet halves. Decode the first half as a 627 point R, and the second half as an integer S, in the range 0 <= s 628 < L. Decode the public key A as point A'. If any of the 629 decodings fails (including S being out-of-range), the signature 630 is invalid. 632 2. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the 633 64-octet digest as a little-endian integer k. 635 3. Check the group equation [8][S]B = [8]R + [8][k]A'. It's 636 sufficient, but not required, to instead check [S]B = R + [k]A'. 638 5.2. Ed448ph and Ed448 639 Ed448 is EdDSA instantiated with: 641 +-----------+-------------------------------------------------------+ 642 | Parameter | Value | 643 +-----------+-------------------------------------------------------+ 644 | p | p of edwards448 in [RFC7748] (i.e. 2^448 - 2^224 - 1) | 645 | | | 646 | b | 456 | 647 | | | 648 | encoding | 455-bit little-endian encoding of {0, 1, ..., p-1} | 649 | of GF(p) | | 650 | | | 651 | H(x) | SHAKE256(dom4(phflag,context)||x, 114) | 652 | | | 653 | phflag | 0 | 654 | | | 655 | c | base 2 logarithm of cofactor of edwards448 in | 656 | | [RFC7748] (i.e. 2) | 657 | | | 658 | n | 447 | 659 | | | 660 | d | d of edwards448 in [RFC7748] (i.e. -39081) | 661 | | | 662 | a | 1 | 663 | | | 664 | B | (X(P),Y(P)) of edwards448 in [RFC7748] (i.e. (224580 | 665 | | 04029592430018760433409989603624678964163256413424612 | 666 | | 54616869504154674060329090291928693579532825780320751 | 667 | | 46446173674602635247710, 2988192100784814926760179304 | 668 | | 43930673437544040154080242095928241372331506189835876 | 669 | | 00353687865541878473398230323350346250053154506283266 | 670 | | 0)) | 671 | | | 672 | L | order of edwards448 in [RFC7748] (i.e. 2^446 - 13818 | 673 | | 06680989511535200738674851542688033669247488217860989 | 674 | | 4547503885). | 675 | | | 676 | PH(x) | x (i.e. the identity function) | 677 +-----------+-------------------------------------------------------+ 679 Table 2: Parameters of Ed448 681 Ed448ph is the same but with PH being SHAKE256(x, 64) and phflag 682 being 1, i.e., the input is hashed before signing with Ed448 with a 683 hash constant modified. 685 Value of context is set by signer and verifier (maximum of 255 686 octets, the default is empty string) and has to match octet by octet 687 for verification to be successful. 689 The curve is equivalent to Ed448-Goldilocks under change of 690 basepoint, which preserves difficulty of the discrete logarithm. 692 5.2.1. Modular arithmetic 694 For advice on how to implement arithmetic modulo p = 2^448 - 2^224 - 695 1 efficiently and securely, see [ED448]. For inversion modulo p, it 696 is recommended to use the identity x^-1 = x^(p-2) (mod p). Inverting 697 zero should never happen, as it would either require invalid input, 698 which would have been detected before, or a calculation error. 700 For point decoding or "decompression", square roots modulo p are 701 needed. They can be computed by first computing candidate root x = a 702 ^ (p+1)/4 (mod p) and then checking if x^2 = a. If it is, then x is 703 square root of a; if it isn't, then a does not have a square root. 705 5.2.2. Encoding 707 All values are coded as octet strings, and integers are coded using 708 little-endian convention, i.e., a 57-octet string h h[0],...h[56] 709 represents the integer h[0] + 2^8 * h[1] + ... + 2^448 * h[56]. 711 A curve point (x,y), with coordinates in the range 0 <= x,y < p, is 712 coded as follows. First, encode the y-coordinate as a little-endian 713 string of 57 octets. The final octet is always zero. To form the 714 encoding of the point, copy the least significant bit of the 715 x-coordinate to the most significant bit of the final octet. 717 5.2.3. Decoding 719 Decoding a point, given as a 57-octet string, is a little more 720 complicated. 722 1. First, interpret the string as an integer in little-endian 723 representation. Bit 455 of this number is the least significant 724 bit of the x-coordinate, and denote this value x_0. The 725 y-coordinate is recovered simply by clearing this bit. If the 726 resulting value is >= p, decoding fails. 728 2. To recover the x coordinate, the curve equation implies x^2 = 729 (y^2 - 1) / (d y^2 - 1) (mod p). The denominator is always 730 nonzero mod p. Let u = y^2 - 1 and v = d y^2 - 1. To compute 731 the square root of (u/v), the first step is to compute the 732 candidate root x = (u/v)^((p+1)/4). This can be done using the 733 following trick, to use a single modular powering for both the 734 inversion of v and the square root: 736 (p+1)/4 3 (p-3)/4 737 x = (u/v) = u v (u^5 v^3) (mod p) 739 3. If v * x^2 = u, the recovered x coordinate is x. Otherwise no 740 square root exists, and the decoding fails. 742 4. Finally, use the x_0 bit to select the right square root. If x = 743 0, and x_0 = 1, decoding fails. Otherwise, if x_0 != x mod 2, 744 set x <-- p - x. Return the decoded point (x,y). 746 5.2.4. Point addition 748 For point addition, the following method is recommended. A point 749 (x,y) is represented in projective coordinates (X, Y, Z), with x = X/ 750 Z, y = Y/Z. 752 The neutral point is (0,1), or equivalently in projective coordinates 753 (0, Z, Z) for any nonzero Z. 755 The following formulas for adding two points, (x3,y3) = 756 (x1,y1)+(x2,y2) on untwisted Edwards curve (i.e. a=1) with non-square 757 d are described in [Faster-ECC] section 4 and in [EFD-ADD]. They are 758 complete, i.e., they work for any pair of valid input points. 760 A = Z1*Z2 761 B = A^2 762 C = X1*X2 763 D = Y1*Y2 764 E = d*C*D 765 F = B-E 766 G = B+E 767 H = (X1+Y1)*(X2+Y2) 768 X3 = A*F*(H-C-D) 769 Y3 = A*G*(D-C) 770 Z3 = F*G 772 Again, similarly as with the other curve, doubling formulas can be 773 obtained by substituting equal points, turning four multiplications 774 into squares. However, this is not even nearly optimal, the 775 following formulas described in [Faster-ECC] section 4 and in 776 [EFD-DBL] save multiple multiplications. 778 B = (X1+Y1)^2 779 C = X1^2 780 D = Y1^2 781 E = C+D 782 H = Z1^2 783 J = E-2*H 784 X3 = (B-E)*J 785 Y3 = E*(C-D) 786 Z3 = E*J 788 5.2.5. Key Generation 790 The private key is 57 octets (456 bits, corresponding to b) of 791 cryptographically-secure random data. See [RFC4086] for a discussion 792 about randomness. 794 The 57-byte public key is generated by the following steps: 796 1. Hash the 57-byte private key using SHAKE256(x, 114), storing the 797 digest in a 114-octet large buffer, denoted h. Only the lower 57 798 bytes are used for generating the public key. 800 2. Prune the buffer: The two least significant bits of the first 801 octet are cleared, all 8 bits the last octet are cleared, and the 802 highest bit of the second to last octet is set. 804 3. Interpret the buffer as the little-endian integer, forming a 805 secret scalar s. Perform a known-base-point scalar 806 multiplication [s]B. 808 4. The public key A is the encoding of the point [s]B. First encode 809 the y coordinate (in the range 0 <= y < p) as a little-endian 810 string of 57 octets. The most significant bit of the final octet 811 is always zero. To form the encoding of the point [s]B, copy the 812 least significant bit of the x coordinate to the most significant 813 bit of the final octet. The result is the public key. 815 5.2.6. Sign 817 The inputs to the signing procedure is the private key, a 57-octet 818 string, a flag F, which is 0 for Ed448, 1 for Ed448ph, context C of 819 at most 255 octets and a message M of arbitrary size. 821 1. Hash the private key, 57-octets, using SHAKE256(x, 114). Let h 822 denote the resulting digest. Construct the secret scalar s from 823 the first half of the digest, and the corresponding public key A, 824 as described in the previous section. Let prefix denote the 825 second half of the hash digest, h[57],...,h[113]. 827 2. Compute SHAKE256(dom4(F, C) || prefix || PH(M), 114), where M is 828 the message to be signed, F is 1 for Ed448ph, 0 for Ed448 and C 829 is the context to use. Interpret the 114-octet digest as a 830 little-endian integer r. 832 3. Compute the point [r]B. For efficiency, do this by first 833 reducing r modulo L, the group order of B. Let the string R be 834 the encoding of this point. 836 4. Compute SHAKE256(dom4(F, C) || R || A || PH(M), 114), and 837 interpret the 114- octet digest as a little-endian integer k. 839 5. Compute S = (r + k * s) mod L. For efficiency, again reduce k 840 modulo L first. 842 6. Form the signature of the concatenation of R (57 octets) and the 843 little-endian encoding of S (57 octets, the ten most significant 844 bits of the final octets are always zero). 846 5.2.7. Verify 848 1. To verify a signature on a message M using context C and public 849 key A, with F being 0 for Ed448, 1 for Ed448ph, first split the 850 signature into two 57-octet halves. Decode the first half as a 851 point R, and the second half as an integer S, in the range 0 <= s 852 < L. Decode the public key A as point A'. If any of the 853 decodings fails (including S being out-of-range), the signature 854 is invalid. 856 2. Compute SHAKE256(dom4(F, C) || R || A || PH(M), 114), and 857 interpret the 114-octet digest as a little-endian integer k. 859 3. Check the group equation [4][S]B = [4]R + [4][k]A'. It's 860 sufficient, but not required, to instead check [S]B = R + [k]A'. 862 6. Ed25519 Python illustration 864 The rest of this section describes how Ed25519 can be implemented in 865 Python (version 3.2 or later) for illustration. See appendix A for 866 the complete implementation and appendix B for a test-driver to run 867 it through some test vectors. 869 Note that this code is not intended for production as it is not 870 proven to be correct for all inputs, nor does it protect against 871 side-channel attacks. The purpose is to illustrate the algorithm to 872 help implementers with their own implementation. 874 First some preliminaries that will be needed. 876 import hashlib 878 def sha512(s): 879 return hashlib.sha512(s).digest() 881 # Base field Z_p 882 p = 2**255 - 19 884 def modp_inv(x): 885 return pow(x, p-2, p) 887 # Curve constant 888 d = -121665 * modp_inv(121666) % p 890 # Group order 891 q = 2**252 + 27742317777372353535851937790883648493 893 def sha512_modq(s): 894 return int.from_bytes(sha512(s), "little") % q 896 Then follows functions to perform point operations. 898 # Points are represented as tuples (X, Y, Z, T) of extended coordinates, 899 # with x = X/Z, y = Y/Z, x*y = T/Z 901 def point_add(P, Q): 902 A = (P[1]-P[0])*(Q[1]-Q[0]) % p 903 B = (P[1]+P[0])*(Q[1]+Q[0]) % p 904 C = 2 * P[3] * Q[3] * d % p 905 D = 2 * P[2] * Q[2] % p 906 E = B-A 907 F = D-C 908 G = D+C 909 H = B+A 910 return (E*F, G*H, F*G, E*H) 912 # Computes Q = s * Q 913 def point_mul(s, P): 914 Q = (0, 1, 1, 0) # Neutral element 915 while s > 0: 916 # Is there any bit-set predicate? 917 if s & 1: 918 Q = point_add(Q, P) 919 P = point_add(P, P) 920 s >>= 1 921 return Q 923 def point_equal(P, Q): 924 # x1 / z1 == x2 / z2 <==> x1 * z2 == x2 * z1 925 if (P[0] * Q[2] - Q[0] * P[2]) % p != 0: 926 return False 927 if (P[1] * Q[2] - Q[1] * P[2]) % p != 0: 928 return False 929 return True 931 Now follows functions for point compression. 933 # Square root of -1 934 modp_sqrt_m1 = pow(2, (p-1) // 4, p) 936 # Compute corresponding x coordinate, with low bit corresponding to 937 # sign, or return None on failure 938 def recover_x(y, sign): 939 if y >= p: 940 return None 941 x2 = (y*y-1) * modp_inv(d*y*y+1) 942 if x2 == 0: 943 if sign: 944 return None 945 else: 947 return 0 949 # Compute square root of x2 950 x = pow(x2, (p+3) // 8, p) 951 if (x*x - x2) % p != 0: 952 x = x * modp_sqrt_m1 % p 953 if (x*x - x2) % p != 0: 954 return None 956 if (x & 1) != sign: 957 x = p - x 958 return x 960 # Base point 961 g_y = 4 * modp_inv(5) % p 962 g_x = recover_x(g_y, 0) 963 G = (g_x, g_y, 1, g_x * g_y % p) 965 def point_compress(P): 966 zinv = modp_inv(P[2]) 967 x = P[0] * zinv % p 968 y = P[1] * zinv % p 969 return int.to_bytes(y | ((x & 1) << 255), 32, "little") 971 def point_decompress(s): 972 if len(s) != 32: 973 raise Exception("Invalid input length for decompression") 974 y = int.from_bytes(s, "little") 975 sign = y >> 255 976 y &= (1 << 255) - 1 978 x = recover_x(y, sign) 979 if x is None: 980 return None 981 else: 982 return (x, y, 1, x*y % p) 984 These are functions for manipulating the private key. 986 def secret_expand(secret): 987 if len(secret) != 32: 988 raise Exception("Bad size of private key") 989 h = sha512(secret) 990 a = int.from_bytes(h[:32], "little") 991 a &= (1 << 254) - 8 992 a |= (1 << 254) 993 return (a, h[32:]) 995 def secret_to_public(secret): 996 (a, dummy) = secret_expand(secret) 997 return point_compress(point_mul(a, G)) 999 The signature function works as below. 1001 def sign(secret, msg): 1002 a, prefix = secret_expand(secret) 1003 A = point_compress(point_mul(a, G)) 1004 r = sha512_modq(prefix + msg) 1005 R = point_mul(r, G) 1006 Rs = point_compress(R) 1007 h = sha512_modq(Rs + A + msg) 1008 s = (r + h * a) % q 1009 return Rs + int.to_bytes(s, 32, "little") 1011 And finally the verification function. 1013 def verify(public, msg, signature): 1014 if len(public) != 32: 1015 raise Exception("Bad public key length") 1016 if len(signature) != 64: 1017 Exception("Bad signature length") 1018 A = point_decompress(public) 1019 if not A: 1020 return False 1021 Rs = signature[:32] 1022 R = point_decompress(Rs) 1023 if not R: 1024 return False 1025 s = int.from_bytes(signature[32:], "little") 1026 if s >= q: return False 1027 h = sha512_modq(Rs + public + msg) 1028 sB = point_mul(s, G) 1029 hA = point_mul(h, A) 1030 return point_equal(sB, point_add(R, hA)) 1032 7. Test Vectors 1034 This section contains test vectors for Ed25519ph, Ed25519ctx, 1035 Ed448ph, Ed25519 and Ed448. 1037 Each section contains sequence of test vectors. The octets are hex 1038 encoded and whitespace is inserted for readability. Ed25519 1039 Ed25519ctx and Ed25519ph private and public keys are 32 octets, 1040 signatures are 64 octets. Ed448 and Ed448ph private and public keys 1041 are 57 octets, signatures are 114 octets. Messages are of arbitrary 1042 length. If context is non-empty, it is given as 1-255 octets. 1044 7.1. Test Vectors for Ed25519 1046 These test vectors are taken from [ED25519-TEST-VECTORS] (but we 1047 removed the public key as a suffix of the private key, and removed 1048 the message from the signature) and [ED25519-LIBGCRYPT-TEST-VECTORS]. 1050 -----TEST 1 1052 ALGORITHM: 1053 Ed25519 1055 SECRET KEY: 1056 9d61b19deffd5a60ba844af492ec2cc4 1057 4449c5697b326919703bac031cae7f60 1059 PUBLIC KEY: 1060 d75a980182b10ab7d54bfed3c964073a 1061 0ee172f3daa62325af021a68f707511a 1063 MESSAGE (length 0 bytes): 1065 SIGNATURE: 1066 e5564300c360ac729086e2cc806e828a 1067 84877f1eb8e5d974d873e06522490155 1068 5fb8821590a33bacc61e39701cf9b46b 1069 d25bf5f0595bbe24655141438e7a100b 1071 -----TEST 2 1073 ALGORITHM: 1074 Ed25519 1076 SECRET KEY: 1077 4ccd089b28ff96da9db6c346ec114e0f 1078 5b8a319f35aba624da8cf6ed4fb8a6fb 1079 PUBLIC KEY: 1080 3d4017c3e843895a92b70aa74d1b7ebc 1081 9c982ccf2ec4968cc0cd55f12af4660c 1083 MESSAGE (length 1 byte): 1084 72 1086 SIGNATURE: 1087 92a009a9f0d4cab8720e820b5f642540 1088 a2b27b5416503f8fb3762223ebdb69da 1089 085ac1e43e15996e458f3613d0f11d8c 1090 387b2eaeb4302aeeb00d291612bb0c00 1092 -----TEST 3 1094 ALGORITHM: 1095 Ed25519 1097 SECRET KEY: 1098 c5aa8df43f9f837bedb7442f31dcb7b1 1099 66d38535076f094b85ce3a2e0b4458f7 1101 PUBLIC KEY: 1102 fc51cd8e6218a1a38da47ed00230f058 1103 0816ed13ba3303ac5deb911548908025 1105 MESSAGE (length 2 bytes): 1106 af82 1108 SIGNATURE: 1109 6291d657deec24024827e69c3abe01a3 1110 0ce548a284743a445e3680d7db5ac3ac 1111 18ff9b538d16f290ae67f760984dc659 1112 4a7c15e9716ed28dc027beceea1ec40a 1114 -----TEST 1024 1116 ALGORITHM: 1117 Ed25519 1119 SECRET KEY: 1120 f5e5767cf153319517630f226876b86c 1121 8160cc583bc013744c6bf255f5cc0ee5 1123 PUBLIC KEY: 1124 278117fc144c72340f67d0f2316e8386 1125 ceffbf2b2428c9c51fef7c597f1d426e 1126 MESSAGE (length 1023 bytes): 1127 08b8b2b733424243760fe426a4b54908 1128 632110a66c2f6591eabd3345e3e4eb98 1129 fa6e264bf09efe12ee50f8f54e9f77b1 1130 e355f6c50544e23fb1433ddf73be84d8 1131 79de7c0046dc4996d9e773f4bc9efe57 1132 38829adb26c81b37c93a1b270b20329d 1133 658675fc6ea534e0810a4432826bf58c 1134 941efb65d57a338bbd2e26640f89ffbc 1135 1a858efcb8550ee3a5e1998bd177e93a 1136 7363c344fe6b199ee5d02e82d522c4fe 1137 ba15452f80288a821a579116ec6dad2b 1138 3b310da903401aa62100ab5d1a36553e 1139 06203b33890cc9b832f79ef80560ccb9 1140 a39ce767967ed628c6ad573cb116dbef 1141 efd75499da96bd68a8a97b928a8bbc10 1142 3b6621fcde2beca1231d206be6cd9ec7 1143 aff6f6c94fcd7204ed3455c68c83f4a4 1144 1da4af2b74ef5c53f1d8ac70bdcb7ed1 1145 85ce81bd84359d44254d95629e9855a9 1146 4a7c1958d1f8ada5d0532ed8a5aa3fb2 1147 d17ba70eb6248e594e1a2297acbbb39d 1148 502f1a8c6eb6f1ce22b3de1a1f40cc24 1149 554119a831a9aad6079cad88425de6bd 1150 e1a9187ebb6092cf67bf2b13fd65f270 1151 88d78b7e883c8759d2c4f5c65adb7553 1152 878ad575f9fad878e80a0c9ba63bcbcc 1153 2732e69485bbc9c90bfbd62481d9089b 1154 eccf80cfe2df16a2cf65bd92dd597b07 1155 07e0917af48bbb75fed413d238f5555a 1156 7a569d80c3414a8d0859dc65a46128ba 1157 b27af87a71314f318c782b23ebfe808b 1158 82b0ce26401d2e22f04d83d1255dc51a 1159 ddd3b75a2b1ae0784504df543af8969b 1160 e3ea7082ff7fc9888c144da2af58429e 1161 c96031dbcad3dad9af0dcbaaaf268cb8 1162 fcffead94f3c7ca495e056a9b47acdb7 1163 51fb73e666c6c655ade8297297d07ad1 1164 ba5e43f1bca32301651339e22904cc8c 1165 42f58c30c04aafdb038dda0847dd988d 1166 cda6f3bfd15c4b4c4525004aa06eeff8 1167 ca61783aacec57fb3d1f92b0fe2fd1a8 1168 5f6724517b65e614ad6808d6f6ee34df 1169 f7310fdc82aebfd904b01e1dc54b2927 1170 094b2db68d6f903b68401adebf5a7e08 1171 d78ff4ef5d63653a65040cf9bfd4aca7 1172 984a74d37145986780fc0b16ac451649 1173 de6188a7dbdf191f64b5fc5e2ab47b57 1174 f7f7276cd419c17a3ca8e1b939ae49e4 1175 88acba6b965610b5480109c8b17b80e1 1176 b7b750dfc7598d5d5011fd2dcc5600a3 1177 2ef5b52a1ecc820e308aa342721aac09 1178 43bf6686b64b2579376504ccc493d97e 1179 6aed3fb0f9cd71a43dd497f01f17c0e2 1180 cb3797aa2a2f256656168e6c496afc5f 1181 b93246f6b1116398a346f1a641f3b041 1182 e989f7914f90cc2c7fff357876e506b5 1183 0d334ba77c225bc307ba537152f3f161 1184 0e4eafe595f6d9d90d11faa933a15ef1 1185 369546868a7f3a45a96768d40fd9d034 1186 12c091c6315cf4fde7cb68606937380d 1187 b2eaaa707b4c4185c32eddcdd306705e 1188 4dc1ffc872eeee475a64dfac86aba41c 1189 0618983f8741c5ef68d3a101e8a3b8ca 1190 c60c905c15fc910840b94c00a0b9d0 1192 SIGNATURE: 1193 0aab4c900501b3e24d7cdf4663326a3a 1194 87df5e4843b2cbdb67cbf6e460fec350 1195 aa5371b1508f9f4528ecea23c436d94b 1196 5e8fcd4f681e30a6ac00a9704a188a03 1198 -----TEST SHA(abc) 1200 ALGORITHM: 1201 Ed25519 1203 SECRET KEY: 1204 833fe62409237b9d62ec77587520911e 1205 9a759cec1d19755b7da901b96dca3d42 1207 PUBLIC KEY: 1208 ec172b93ad5e563bf4932c70e1245034 1209 c35467ef2efd4d64ebf819683467e2bf 1211 MESSAGE (length 64 bytes): 1212 ddaf35a193617abacc417349ae204131 1213 12e6fa4e89a97ea20a9eeee64b55d39a 1214 2192992a274fc1a836ba3c23a3feebbd 1215 454d4423643ce80e2a9ac94fa54ca49f 1217 SIGNATURE: 1218 dc2a4459e7369633a52b1bf277839a00 1219 201009a3efbf3ecb69bea2186c26b589 1220 09351fc9ac90b3ecfdfbc7c66431e030 1221 3dca179c138ac17ad9bef1177331a704 1222 ----- 1224 7.2. Test Vectors for Ed25519ctx 1226 -----foo 1228 ALGORITHM: 1229 Ed25519ctx 1231 SECRET KEY: 1232 0305334e381af78f141cb666f6199f57 1233 bc3495335a256a95bd2a55bf546663f6 1235 PUBLIC KEY: 1236 dfc9425e4f968f7f0c29f0259cf5f9ae 1237 d6851c2bb4ad8bfb860cfee0ab248292 1239 MESSAGE (length 16 bytes): 1240 f726936d19c800494e3fdaff20b276a8 1242 CONTEXT: 1243 666f6f 1245 SIGNATURE: 1246 55a4cc2f70a54e04288c5f4cd1e45a7b 1247 b520b36292911876cada7323198dd87a 1248 8b36950b95130022907a7fb7c4e9b2d5 1249 f6cca685a587b4b21f4b888e4e7edb0d 1251 -----bar 1253 ALGORITHM: 1254 Ed25519ctx 1256 SECRET KEY: 1257 0305334e381af78f141cb666f6199f57 1258 bc3495335a256a95bd2a55bf546663f6 1260 PUBLIC KEY: 1261 dfc9425e4f968f7f0c29f0259cf5f9ae 1262 d6851c2bb4ad8bfb860cfee0ab248292 1264 MESSAGE (length 16 bytes): 1265 f726936d19c800494e3fdaff20b276a8 1267 CONTEXT: 1268 626172 1269 SIGNATURE: 1270 fc60d5872fc46b3aa69f8b5b4351d580 1271 8f92bcc044606db097abab6dbcb1aee3 1272 216c48e8b3b66431b5b186d1d28f8ee1 1273 5a5ca2df6668346291c2043d4eb3e90d 1275 -----foo2 1277 ALGORITHM: 1278 Ed25519ctx 1280 SECRET KEY: 1281 0305334e381af78f141cb666f6199f57 1282 bc3495335a256a95bd2a55bf546663f6 1284 PUBLIC KEY: 1285 dfc9425e4f968f7f0c29f0259cf5f9ae 1286 d6851c2bb4ad8bfb860cfee0ab248292 1288 MESSAGE (length 16 bytes): 1289 508e9e6882b979fea900f62adceaca35 1291 CONTEXT: 1292 666f6f 1294 SIGNATURE: 1295 8b70c1cc8310e1de20ac53ce28ae6e72 1296 07f33c3295e03bb5c0732a1d20dc6490 1297 8922a8b052cf99b7c4fe107a5abb5b2c 1298 4085ae75890d02df26269d8945f84b0b 1300 -----foo3 1302 ALGORITHM: 1303 Ed25519ctx 1305 SECRET KEY: 1306 ab9c2853ce297ddab85c993b3ae14bca 1307 d39b2c682beabc27d6d4eb20711d6560 1309 PUBLIC KEY: 1310 0f1d1274943b91415889152e893d80e9 1311 3275a1fc0b65fd71b4b0dda10ad7d772 1313 MESSAGE (length 16 bytes): 1314 f726936d19c800494e3fdaff20b276a8 1316 CONTEXT: 1318 666f6f 1320 SIGNATURE: 1321 21655b5f1aa965996b3f97b3c849eafb 1322 a922a0a62992f73b3d1b73106a84ad85 1323 e9b86a7b6005ea868337ff2d20a7f5fb 1324 d4cd10b0be49a68da2b2e0dc0ad8960f 1325 ----- 1327 7.3. Test Vectors for Ed25519ph 1329 -----TEST abc 1331 ALGORITHM: 1332 Ed25519ph 1334 SECRET KEY: 1335 833fe62409237b9d62ec77587520911e 1336 9a759cec1d19755b7da901b96dca3d42 1338 PUBLIC KEY: 1339 ec172b93ad5e563bf4932c70e1245034 1340 c35467ef2efd4d64ebf819683467e2bf 1342 MESSAGE (length 3 bytes): 1343 616263 1345 SIGNATURE: 1346 98a70222f0b8121aa9d30f813d683f80 1347 9e462b469c7ff87639499bb94e6dae41 1348 31f85042463c2a355a2003d062adf5aa 1349 a10b8c61e636062aaad11c2a26083406 1350 ----- 1352 7.4. Test Vectors for Ed448 1354 -----Blank 1356 ALGORITHM: 1357 Ed448 1359 SECRET KEY: 1360 6c82a562cb808d10d632be89c8513ebf 1361 6c929f34ddfa8c9f63c9960ef6e348a3 1362 528c8a3fcc2f044e39a3fc5b94492f8f 1363 032e7549a20098f95b 1365 PUBLIC KEY: 1367 5fd7449b59b461fd2ce787ec616ad46a 1368 1da1342485a70e1f8a0ea75d80e96778 1369 edf124769b46c7061bd6783df1e50f6c 1370 d1fa1abeafe8256180 1372 MESSAGE (length 0 bytes): 1374 SIGNATURE: 1375 533a37f6bbe457251f023c0d88f976ae 1376 2dfb504a843e34d2074fd823d41a591f 1377 2b233f034f628281f2fd7a22ddd47d78 1378 28c59bd0a21bfd3980ff0d2028d4b18a 1379 9df63e006c5d1c2d345b925d8dc00b41 1380 04852db99ac5c7cdda8530a113a0f4db 1381 b61149f05a7363268c71d95808ff2e65 1382 2600 1384 -----1 octet 1386 ALGORITHM: 1387 Ed448 1389 SECRET KEY: 1390 c4eab05d357007c632f3dbb48489924d 1391 552b08fe0c353a0d4a1f00acda2c463a 1392 fbea67c5e8d2877c5e3bc397a659949e 1393 f8021e954e0a12274e 1395 PUBLIC KEY: 1396 43ba28f430cdff456ae531545f7ecd0a 1397 c834a55d9358c0372bfa0c6c6798c086 1398 6aea01eb00742802b8438ea4cb82169c 1399 235160627b4c3a9480 1401 MESSAGE (length 1 byte): 1402 03 1404 SIGNATURE: 1405 26b8f91727bd62897af15e41eb43c377 1406 efb9c610d48f2335cb0bd0087810f435 1407 2541b143c4b981b7e18f62de8ccdf633 1408 fc1bf037ab7cd779805e0dbcc0aae1cb 1409 cee1afb2e027df36bc04dcecbf154336 1410 c19f0af7e0a6472905e799f1953d2a0f 1411 f3348ab21aa4adafd1d234441cf807c0 1412 3a00 1414 -----1 octet (with context) 1415 ALGORITHM: 1416 Ed448 1418 SECRET KEY: 1419 c4eab05d357007c632f3dbb48489924d 1420 552b08fe0c353a0d4a1f00acda2c463a 1421 fbea67c5e8d2877c5e3bc397a659949e 1422 f8021e954e0a12274e 1424 PUBLIC KEY: 1425 43ba28f430cdff456ae531545f7ecd0a 1426 c834a55d9358c0372bfa0c6c6798c086 1427 6aea01eb00742802b8438ea4cb82169c 1428 235160627b4c3a9480 1430 MESSAGE (length 1 byte): 1431 03 1433 CONTEXT: 1434 666f6f 1436 SIGNATURE: 1437 d4f8f6131770dd46f40867d6fd5d5055 1438 de43541f8c5e35abbcd001b32a89f7d2 1439 151f7647f11d8ca2ae279fb842d60721 1440 7fce6e042f6815ea000c85741de5c8da 1441 1144a6a1aba7f96de42505d7a7298524 1442 fda538fccbbb754f578c1cad10d54d0d 1443 5428407e85dcbc98a49155c13764e66c 1444 3c00 1446 -----11 octets 1448 ALGORITHM: 1449 Ed448 1451 SECRET KEY: 1452 cd23d24f714274e744343237b93290f5 1453 11f6425f98e64459ff203e8985083ffd 1454 f60500553abc0e05cd02184bdb89c4cc 1455 d67e187951267eb328 1457 PUBLIC KEY: 1458 dcea9e78f35a1bf3499a831b10b86c90 1459 aac01cd84b67a0109b55a36e9328b1e3 1460 65fce161d71ce7131a543ea4cb5f7e9f 1461 1d8b00696447001400 1462 MESSAGE (length 11 bytes): 1463 0c3e544074ec63b0265e0c 1465 SIGNATURE: 1466 1f0a8888ce25e8d458a21130879b840a 1467 9089d999aaba039eaf3e3afa090a09d3 1468 89dba82c4ff2ae8ac5cdfb7c55e94d5d 1469 961a29fe0109941e00b8dbdeea6d3b05 1470 1068df7254c0cdc129cbe62db2dc957d 1471 bb47b51fd3f213fb8698f064774250a5 1472 028961c9bf8ffd973fe5d5c206492b14 1473 0e00 1475 -----12 octets 1477 ALGORITHM: 1478 Ed448 1480 SECRET KEY: 1481 258cdd4ada32ed9c9ff54e63756ae582 1482 fb8fab2ac721f2c8e676a72768513d93 1483 9f63dddb55609133f29adf86ec9929dc 1484 cb52c1c5fd2ff7e21b 1486 PUBLIC KEY: 1487 3ba16da0c6f2cc1f30187740756f5e79 1488 8d6bc5fc015d7c63cc9510ee3fd44adc 1489 24d8e968b6e46e6f94d19b945361726b 1490 d75e149ef09817f580 1492 MESSAGE (length 12 bytes): 1493 64a65f3cdedcdd66811e2915 1495 SIGNATURE: 1496 7eeeab7c4e50fb799b418ee5e3197ff6 1497 bf15d43a14c34389b59dd1a7b1b85b4a 1498 e90438aca634bea45e3a2695f1270f07 1499 fdcdf7c62b8efeaf00b45c2c96ba457e 1500 b1a8bf075a3db28e5c24f6b923ed4ad7 1501 47c3c9e03c7079efb87cb110d3a99861 1502 e72003cbae6d6b8b827e4e6c143064ff 1503 3c00 1505 -----13 octets 1507 ALGORITHM: 1508 Ed448 1509 SECRET KEY: 1510 7ef4e84544236752fbb56b8f31a23a10 1511 e42814f5f55ca037cdcc11c64c9a3b29 1512 49c1bb60700314611732a6c2fea98eeb 1513 c0266a11a93970100e 1515 PUBLIC KEY: 1516 b3da079b0aa493a5772029f0467baebe 1517 e5a8112d9d3a22532361da294f7bb381 1518 5c5dc59e176b4d9f381ca0938e13c6c0 1519 7b174be65dfa578e80 1521 MESSAGE (length 13 bytes): 1522 64a65f3cdedcdd66811e2915e7 1524 SIGNATURE: 1525 6a12066f55331b6c22acd5d5bfc5d712 1526 28fbda80ae8dec26bdd306743c5027cb 1527 4890810c162c027468675ecf645a8317 1528 6c0d7323a2ccde2d80efe5a1268e8aca 1529 1d6fbc194d3f77c44986eb4ab4177919 1530 ad8bec33eb47bbb5fc6e28196fd1caf5 1531 6b4e7e0ba5519234d047155ac727a105 1532 3100 1534 -----64 octets 1536 ALGORITHM: 1537 Ed448 1539 SECRET KEY: 1540 d65df341ad13e008567688baedda8e9d 1541 cdc17dc024974ea5b4227b6530e339bf 1542 f21f99e68ca6968f3cca6dfe0fb9f4fa 1543 b4fa135d5542ea3f01 1545 PUBLIC KEY: 1546 df9705f58edbab802c7f8363cfe5560a 1547 b1c6132c20a9f1dd163483a26f8ac53a 1548 39d6808bf4a1dfbd261b099bb03b3fb5 1549 0906cb28bd8a081f00 1551 MESSAGE (length 64 bytes): 1552 bd0f6a3747cd561bdddf4640a332461a 1553 4a30a12a434cd0bf40d766d9c6d458e5 1554 512204a30c17d1f50b5079631f64eb31 1555 12182da3005835461113718d1a5ef944 1556 SIGNATURE: 1557 554bc2480860b49eab8532d2a533b7d5 1558 78ef473eeb58c98bb2d0e1ce488a98b1 1559 8dfde9b9b90775e67f47d4a1c3482058 1560 efc9f40d2ca033a0801b63d45b3b722e 1561 f552bad3b4ccb667da350192b61c508c 1562 f7b6b5adadc2c8d9a446ef003fb05cba 1563 5f30e88e36ec2703b349ca229c267083 1564 3900 1566 -----256 octets 1568 ALGORITHM: 1569 Ed448 1571 SECRET KEY: 1572 2ec5fe3c17045abdb136a5e6a913e32a 1573 b75ae68b53d2fc149b77e504132d3756 1574 9b7e766ba74a19bd6162343a21c8590a 1575 a9cebca9014c636df5 1577 PUBLIC KEY: 1578 79756f014dcfe2079f5dd9e718be4171 1579 e2ef2486a08f25186f6bff43a9936b9b 1580 fe12402b08ae65798a3d81e22e9ec80e 1581 7690862ef3d4ed3a00 1583 MESSAGE (length 256 bytes): 1584 15777532b0bdd0d1389f636c5f6b9ba7 1585 34c90af572877e2d272dd078aa1e567c 1586 fa80e12928bb542330e8409f31745041 1587 07ecd5efac61ae7504dabe2a602ede89 1588 e5cca6257a7c77e27a702b3ae39fc769 1589 fc54f2395ae6a1178cab4738e543072f 1590 c1c177fe71e92e25bf03e4ecb72f47b6 1591 4d0465aaea4c7fad372536c8ba516a60 1592 39c3c2a39f0e4d832be432dfa9a706a6 1593 e5c7e19f397964ca4258002f7c0541b5 1594 90316dbc5622b6b2a6fe7a4abffd9610 1595 5eca76ea7b98816af0748c10df048ce0 1596 12d901015a51f189f3888145c03650aa 1597 23ce894c3bd889e030d565071c59f409 1598 a9981b51878fd6fc110624dcbcde0bf7 1599 a69ccce38fabdf86f3bef6044819de11 1601 SIGNATURE: 1602 c650ddbb0601c19ca11439e1640dd931 1603 f43c518ea5bea70d3dcde5f4191fe53f 1604 00cf966546b72bcc7d58be2b9badef28 1605 743954e3a44a23f880e8d4f1cfce2d7a 1606 61452d26da05896f0a50da66a239a8a1 1607 88b6d825b3305ad77b73fbac0836ecc6 1608 0987fd08527c1a8e80d5823e65cafe2a 1609 3d00 1611 -----1023 octets 1613 ALGORITHM: 1614 Ed448 1616 SECRET KEY: 1617 872d093780f5d3730df7c212664b37b8 1618 a0f24f56810daa8382cd4fa3f77634ec 1619 44dc54f1c2ed9bea86fafb7632d8be19 1620 9ea165f5ad55dd9ce8 1622 PUBLIC KEY: 1623 a81b2e8a70a5ac94ffdbcc9badfc3feb 1624 0801f258578bb114ad44ece1ec0e799d 1625 a08effb81c5d685c0c56f64eecaef8cd 1626 f11cc38737838cf400 1628 MESSAGE (length 1023 bytes): 1629 6ddf802e1aae4986935f7f981ba3f035 1630 1d6273c0a0c22c9c0e8339168e675412 1631 a3debfaf435ed651558007db4384b650 1632 fcc07e3b586a27a4f7a00ac8a6fec2cd 1633 86ae4bf1570c41e6a40c931db27b2faa 1634 15a8cedd52cff7362c4e6e23daec0fbc 1635 3a79b6806e316efcc7b68119bf46bc76 1636 a26067a53f296dafdbdc11c77f7777e9 1637 72660cf4b6a9b369a6665f02e0cc9b6e 1638 dfad136b4fabe723d2813db3136cfde9 1639 b6d044322fee2947952e031b73ab5c60 1640 3349b307bdc27bc6cb8b8bbd7bd32321 1641 9b8033a581b59eadebb09b3c4f3d2277 1642 d4f0343624acc817804728b25ab79717 1643 2b4c5c21a22f9c7839d64300232eb66e 1644 53f31c723fa37fe387c7d3e50bdf9813 1645 a30e5bb12cf4cd930c40cfb4e1fc6225 1646 92a49588794494d56d24ea4b40c89fc0 1647 596cc9ebb961c8cb10adde976a5d602b 1648 1c3f85b9b9a001ed3c6a4d3b1437f520 1649 96cd1956d042a597d561a596ecd3d173 1650 5a8d570ea0ec27225a2c4aaff26306d1 1651 526c1af3ca6d9cf5a2c98f47e1c46db9 1652 a33234cfd4d81f2c98538a09ebe76998 1653 d0d8fd25997c7d255c6d66ece6fa56f1 1654 1144950f027795e653008f4bd7ca2dee 1655 85d8e90f3dc315130ce2a00375a318c7 1656 c3d97be2c8ce5b6db41a6254ff264fa6 1657 155baee3b0773c0f497c573f19bb4f42 1658 40281f0b1f4f7be857a4e59d416c06b4 1659 c50fa09e1810ddc6b1467baeac5a3668 1660 d11b6ecaa901440016f389f80acc4db9 1661 77025e7f5924388c7e340a732e554440 1662 e76570f8dd71b7d640b3450d1fd5f041 1663 0a18f9a3494f707c717b79b4bf75c984 1664 00b096b21653b5d217cf3565c9597456 1665 f70703497a078763829bc01bb1cbc8fa 1666 04eadc9a6e3f6699587a9e75c94e5bab 1667 0036e0b2e711392cff0047d0d6b05bd2 1668 a588bc109718954259f1d86678a579a3 1669 120f19cfb2963f177aeb70f2d4844826 1670 262e51b80271272068ef5b3856fa8535 1671 aa2a88b2d41f2a0e2fda7624c2850272 1672 ac4a2f561f8f2f7a318bfd5caf969614 1673 9e4ac824ad3460538fdc25421beec2cc 1674 6818162d06bbed0c40a387192349db67 1675 a118bada6cd5ab0140ee273204f628aa 1676 d1c135f770279a651e24d8c14d75a605 1677 9d76b96a6fd857def5e0b354b27ab937 1678 a5815d16b5fae407ff18222c6d1ed263 1679 be68c95f32d908bd895cd76207ae7264 1680 87567f9a67dad79abec316f683b17f2d 1681 02bf07e0ac8b5bc6162cf94697b3c27c 1682 d1fea49b27f23ba2901871962506520c 1683 392da8b6ad0d99f7013fbc06c2c17a56 1684 9500c8a7696481c1cd33e9b14e40b82e 1685 79a5f5db82571ba97bae3ad3e0479515 1686 bb0e2b0f3bfcd1fd33034efc6245eddd 1687 7ee2086ddae2600d8ca73e214e8c2b0b 1688 db2b047c6a464a562ed77b73d2d841c4 1689 b34973551257713b753632efba348169 1690 abc90a68f42611a40126d7cb21b58695 1691 568186f7e569d2ff0f9e745d0487dd2e 1692 b997cafc5abf9dd102e62ff66cba87 1694 SIGNATURE: 1695 e301345a41a39a4d72fff8df69c98075 1696 a0cc082b802fc9b2b6bc503f926b65bd 1697 df7f4c8f1cb49f6396afc8a70abe6d8a 1698 ef0db478d4c6b2970076c6a0484fe76d 1699 76b3a97625d79f1ce240e7c576750d29 1700 5528286f719b413de9ada3e8eb78ed57 1701 3603ce30d8bb761785dc30dbc320869e 1702 1a00 1703 ----- 1705 7.5. Test Vectors for Ed448ph 1707 -----TEST abc 1709 ALGORITHM: 1710 Ed448ph 1712 SECRET KEY: 1713 833fe62409237b9d62ec77587520911e 1714 9a759cec1d19755b7da901b96dca3d42 1715 ef7822e0d5104127dc05d6dbefde69e3 1716 ab2cec7c867c6e2c49 1718 PUBLIC KEY: 1719 259b71c19f83ef77a7abd26524cbdb31 1720 61b590a48f7d17de3ee0ba9c52beb743 1721 c09428a131d6b1b57303d90d8132c276 1722 d5ed3d5d01c0f53880 1724 MESSAGE (length 3 bytes): 1725 616263 1727 SIGNATURE: 1728 822f6901f7480f3d5f562c592994d969 1729 3602875614483256505600bbc281ae38 1730 1f54d6bce2ea911574932f52a4e6cadd 1731 78769375ec3ffd1b801a0d9b3f4030cd 1732 433964b6457ea39476511214f97469b5 1733 7dd32dbc560a9a94d00bff07620464a3 1734 ad203df7dc7ce360c3cd3696d9d9fab9 1735 0f00 1737 -----TEST abc (with context) 1739 ALGORITHM: 1740 Ed448ph 1742 SECRET KEY: 1743 833fe62409237b9d62ec77587520911e 1744 9a759cec1d19755b7da901b96dca3d42 1745 ef7822e0d5104127dc05d6dbefde69e3 1746 ab2cec7c867c6e2c49 1747 PUBLIC KEY: 1748 259b71c19f83ef77a7abd26524cbdb31 1749 61b590a48f7d17de3ee0ba9c52beb743 1750 c09428a131d6b1b57303d90d8132c276 1751 d5ed3d5d01c0f53880 1753 MESSAGE (length 3 bytes): 1754 616263 1756 CONTEXT: 1757 666f6f 1759 SIGNATURE: 1760 c32299d46ec8ff02b54540982814dce9 1761 a05812f81962b649d528095916a2aa48 1762 1065b1580423ef927ecf0af5888f90da 1763 0f6a9a85ad5dc3f280d91224ba9911a3 1764 653d00e484e2ce232521481c8658df30 1765 4bb7745a73514cdb9bf3e15784ab7128 1766 4f8d0704a608c54a6b62d97beb511d13 1767 2100 1768 ----- 1770 8. Acknowledgements 1772 EdDSA and Ed25519 was initially described in a paper due to Daniel J. 1773 Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. 1774 The Ed448 curves is due to Mike Hamburg. 1776 This draft is based on an earlier draft co-authored by Niels Moeller. 1778 Feedback on this document was received from Werner Koch, Damien 1779 Miller, Bob Bradley, Franck Rondepierre, Alexey Melnikov, Kenny 1780 Paterson, and Robert Edmonds. 1782 The Ed25519 test vectors were double checked by Bob Bradley using 3 1783 separate implementations (one based on TweetNaCl and 2 different 1784 implementations based on code from SUPERCOP). 1786 9. IANA Considerations 1788 None. 1790 10. Security Considerations 1791 10.1. Side-channel leaks 1793 For implementations performing signatures, secrecy of the private key 1794 is fundamental. It is possible to protect against some side-channel 1795 attacks by ensuring that the implementation executes exactly the same 1796 sequence of instructions and performs exactly the same memory 1797 accesses, for any value of the private key. 1799 To make an implementation side-channel silent in this way, the modulo 1800 p arithmetic must not use any data-dependent branches, e.g., related 1801 to carry propagation. Side channel-silent point addition is 1802 straightforward, thanks to the unified formulas. 1804 Scalar multiplication, multiplying a point by an integer, needs some 1805 additional effort to implement in a side-channel silent manner. One 1806 simple approach is to implement a side-channel silent conditional 1807 assignment, and use together with the binary algorithm to examine one 1808 bit of the integer at a time. 1810 Compared to other signature schemes, avoiding data-dependent branches 1811 is easier due to side-channel silent modulo p arithmetic being easier 1812 (with recommended curves) and having complete addition formulas 1813 instead of having number of special cases. 1815 Note that the example implementations in this document do not attempt 1816 to be side-channel silent. 1818 10.2. Randomness considerations 1820 EdDSA signatures are deterministic. This protects against attacks 1821 arising from signing with bad randomness, effects of which can 1822 depending on algorithm range up to full private key compromise. It 1823 can be surprisingly hard to ensure good-quality random numbers and 1824 there have been numerous security failures relating to this. 1826 Obviously, private key generation requires randomness, but due to the 1827 fact that private key is hashed before use, a few missing bits of 1828 entropy aren't a disaster. 1830 The basic signature verification is also deterministic. However some 1831 speedups by verifying multiple signatures at once do require random 1832 numbers. 1834 10.3. Use of contexts 1836 Contexts can be used to separate uses of the protocol between 1837 different protocols (which is very hard to reliably do otherwise) and 1838 between different uses within the same protocol. However, the 1839 following SHOULD be kept in mind when using this facility: 1841 The context SHOULD be a constant string specified by the protocol 1842 using it. It SHOULD NOT incorporate variable elements from the 1843 message itself. 1845 Contexts SHOULD NOT be used opportunistically, as that kind of use 1846 is very error-prone. If contexts are used, one SHOULD require all 1847 signature schemes available for use in that purpose support 1848 contexts. 1850 Contexts are an extra input, which percolates out of APIs, as 1851 such, even if signature scheme supports contexts, those may not be 1852 available for use. This problem is compounded by the fact that 1853 many times the application is not invoking the signing and 1854 verification functions directly, but via some other protocol. 1856 10.4. Signature malleability 1858 Some systems assume signatures are not malleable: That is, given a 1859 valid signature for some message under some key, the attacker can't 1860 produce another valid signature for the same message and key. 1862 Ed25519 and Ed448 signatures are not malleable due to the 1863 verification check that decoded S is smaller than l. Without this 1864 check, one can add multiple of l into scalar part and still pass 1865 signature verification, resulting in malleable signatures. 1867 10.5. Choice of signature primitive 1869 The Ed25519 and Ed25519ph have nominal strength of 128 bits, whereas 1870 Ed448 and Ed448ph have strength of 224. While the lower strength is 1871 sufficient for the foreseeable future, the higher level brings some 1872 defense against possible future cryptographic advances. Both are 1873 demolished by quantum computers just about the same. 1875 The Ed25519ph and Ed448ph variants are prehashed. This is mainly 1876 useful for inter-operation with legacy APIs, since in most of the 1877 cases, either the amount of data signed is not large, or the protocol 1878 is in position to do digesting in ways better than just prehashing 1879 (e.g. tree hashing or splitting the data). The prehashing also 1880 makes the functions greatly more vulnerable to weaknesses in hash 1881 functions used. These variants SHOULD NOT be used. 1883 Ed25519ctx and Ed448 have contexts. However, this is balanced by the 1884 problems noted in section about contexts. 1886 On implementation front, Ed25519 is widely implemented, and has many 1887 high-quality implementations. The others have much worse support. 1889 As summary, if high 128-bit security level is enough, use of Ed25519 1890 is RECOMMENDED, otherwise Ed448 is RECOMMENDED. 1892 10.6. Mixing different prehashes 1894 The schemes described in this document are designed to be resistant 1895 to mixing prehashes. That is, it is infeasible to find a message 1896 that verifies using the same signature under another scheme, even if 1897 original signed message was chosen. Thus one can use the same 1898 keypair for both Ed25519, Ed25519ctx and Ed25519ph and 1899 correspondingly with Ed448 and Ed448ph. 1901 The "SigEd25519 no Ed25519 collisions" constant is chosen to be 1902 textual string such that it does not decode as a point. Because the 1903 inner hash input in Ed25519 signature always starts with a valid 1904 point, there is no way trivial collision can be constructed. In the 1905 case of seed hash, trivial collisions are so unlikely, even with 1906 attacker choosing all inputs, that it is much more probable that 1907 something else goes catastrophically wrong. 1909 10.7. Signing large amounts of data at once 1911 Avoid signing large amounts of data at once (where "large" depends on 1912 expected verifier). In particular, unless the underlying protocol 1913 does not require it, the receiver MUST buffer the entire message (or 1914 enough information to reconstruct it, e.g. compressed or encrypted 1915 version) to be verified. 1917 This is needed because most of the time, it is unsafe to process 1918 unverified data, and verifying the signature makes a pass through 1919 whole message, causing ultimately at least two passes through. 1921 As API consideration, this means that any IUF (Initialize Update 1922 Finalize) verification interface is prone to misuse 1924 It is a bad idea to modify Ed25519 or Ed448 signing to be able to 1925 create valid Ed25519/Ed448 signatures using IUF interface with only 1926 constant buffering. Pretty much any error in such would cause 1927 catastrophic security failure. 1929 10.8. Multiplication by cofactor in verification 1931 The given verification formulas for both Ed25519 and Ed448 multiply 1932 points by the cofactor. While this is not strictly necessary for 1933 security (in fact, any signature that meets the non-multiplied 1934 equation will satisfy the multiplied one), in some applications it is 1935 undesirable for implementations to disagree about exact set of valid 1936 signatures. Such disagreements could open up e.g. fingerprinting 1937 attacks. 1939 10.9. Use of SHAKE256 as hash function 1941 Ed448 uses SHAKE256 as hash function, even if SHAKE256 is 1942 specifically defined not to be a hash function. 1944 The first potentially troublesome property is that shorter outputs 1945 are prefixes of longer ones. This is acceptable because output 1946 lengths are fixed. 1948 The second potentially troublesome property is failing to meet 1949 standard hash security notions (especially with preimages). However, 1950 the estimated 256-bit security level against collisions and preimages 1951 is sufficient to pair with 224-bit level elliptic curve. 1953 11. References 1955 11.1. Normative References 1957 [RFC4634] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms 1958 (SHA and HMAC-SHA)", RFC 4634, DOI 10.17487/RFC4634, July 1959 2006, . 1961 [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves 1962 for Security", RFC 7748, DOI 10.17487/RFC7748, January 1963 2016, . 1965 [FIPS202] National Institute of Standards and Technology, U.S. 1966 Department of Commerce, "SHA-3 Standard: Permutation-Based 1967 Hash and Extendable-Output Functions", FIPS 202, August 1968 2015. 1970 11.2. Informative References 1972 [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, 1973 "Randomness Requirements for Security", BCP 106, RFC 4086, 1974 DOI 10.17487/RFC4086, June 2005, 1975 . 1977 [EDDSA] Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B. 1978 Yang, "High-speed high-security signatures", 1979 WWW http://ed25519.cr.yp.to/ed25519-20110926.pdf, 1980 September 2011. 1982 [EDDSA2] Bernstein, D., Josefsson, S., Lange, T., Schwabe, P., and 1983 B. Yang, "EdDSA for more curves", 1984 WWW http://ed25519.cr.yp.to/eddsa-20150704.pdf, July 2015. 1986 [Faster-ECC] 1987 Bernstein, D. and T. Lange, "Faster addition and doubling 1988 on elliptic curves", WWW http://eprint.iacr.org/2007/286, 1989 July 2007. 1991 [Edwards-revisited] 1992 Hisil, H., Wong, K., Carter, G., and E. Dawson, "Twisted 1993 Edwards Curves Revisited", 1994 WWW http://eprint.iacr.org/2008/522, December 2008. 1996 [EFD-TWISTED-ADD] 1997 Hisil, H., Wong, K., Carter, G., and E. Dawson, "EFD / 1998 Genus-1 large-characteristic / Extended coordinates with 1999 a=-1 for twisted Edwards curves", WWW 2000 http://www.hyperelliptic.org/EFD/g1p/ 2001 auto-twisted-extended-1.html#addition-add-2008-hwcd-3, 2002 December 2008. 2004 [EFD-TWISTED-DBL] 2005 Hisil, H., Wong, K., Carter, G., and E. Dawson, "EFD / 2006 Genus-1 large-characteristic / Extended coordinates with 2007 a=-1 for twisted Edwards curves", WWW 2008 http://www.hyperelliptic.org/EFD/g1p/ 2009 auto-twisted-extended-1.html#doubling-dbl-2008-hwcd, 2010 December 2008. 2012 [CURVE25519] 2013 Bernstein, D., "Curve25519: new Diffie-Hellman speed 2014 records", WWW http://cr.yp.to/ecdh.html, February 2006. 2016 [ED448] Hamburg, M., "Ed448-Goldilocks, a new elliptic curve", 2017 WWW http://eprint.iacr.org/2015/625, June 2015. 2019 [ED25519-TEST-VECTORS] 2020 Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B. 2021 Yang, "Ed25519 test vectors", 2022 WWW http://ed25519.cr.yp.to/python/sign.input, July 2011. 2024 [ED25519-LIBGCRYPT-TEST-VECTORS] 2025 Koch, W., "Ed25519 Libgcrypt test vectors", WWW 2026 http://git.gnupg.org/cgi- 2027 bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=tests/t-ed25519.in 2028 p;h=e13566f826321eece65e02c593bc7d885b3dbe23;hb=refs/ 2029 heads/master, July 2014. 2031 [EFD-ADD] Bernstein, D. and T. Lange, "Explicit-Formulas Database / 2032 Genus-1 large-characteristic / Projective coordinates for 2033 Edwards curves", WWW http://www.hyperelliptic.org/EFD/g1p/ 2034 auto-edwards-projective.html#addition-add-2007-bl, 2007. 2036 [EFD-DBL] Bernstein, D. and T. Lange, "Explicit-Formulas Database / 2037 Genus-1 large-characteristic / Projective coordinates for 2038 Edwards curves", WWW http://www.hyperelliptic.org/EFD/g1p/ 2039 auto-edwards-projective.html#doubling-dbl-2007-bl, 2007. 2041 Appendix A. Ed25519/Ed448 Python Library 2043 Below is an example implementation of Ed25519/Ed448 written in 2044 Python, version 3.2 or higher is required. 2046 Note: This code is not intended for production. Although it should 2047 produce correct results for every input, it is slow and makes no 2048 attempt to avoid side-channel attacks. 2050 [A note to RFC-Editor: Please don't change the relative indentations 2051 here: This code is written in programming language where relative 2052 indentations are meaningful, so changing those changes program 2053 meaning (authors: check this still works in AUTH48). Remove this 2054 note before publication.] 2056 import hashlib; 2057 import os; 2059 #Compute candidate square root of x modulo p, with p = 3 (mod 4). 2060 def sqrt4k3(x,p): return pow(x,(p + 1)//4,p) 2062 #Compute candidate square root of x modulo p, with p = 5 (mod 8). 2063 def sqrt8k5(x,p): 2064 y = pow(x,(p+3)//8,p) 2065 #If the square root exists, it is either y, or y*2^(p-1)/4. 2066 if (y * y) % p == x % p: return y 2067 else: 2068 z = pow(2,(p - 1)//4,p) 2069 return (y * z) % p 2071 #Decode a hexadecimal string representation of integer. 2072 def hexi(s): return int.from_bytes(bytes.fromhex(s),byteorder="big") 2074 #Rotate a word x by b places to the left. 2075 def rol(x,b): return ((x << b) | (x >> (64 - b))) & (2**64-1) 2077 #From little-endian. 2078 def from_le(s): return int.from_bytes(s, byteorder="little") 2079 #Do the SHA-3 state transform on state s. 2080 def sha3_transform(s): 2081 ROTATIONS = [0,1,62,28,27,36,44,6,55,20,3,10,43,25,39,41,45,15,\ 2082 21,8,18,2,61,56,14] 2083 PERMUTATION = [1,6,9,22,14,20,2,12,13,19,23,15,4,24,21,8,16,5,3,\ 2084 18,17,11,7,10] 2085 RC = [0x0000000000000001,0x0000000000008082,0x800000000000808a,\ 2086 0x8000000080008000,0x000000000000808b,0x0000000080000001,\ 2087 0x8000000080008081,0x8000000000008009,0x000000000000008a,\ 2088 0x0000000000000088,0x0000000080008009,0x000000008000000a,\ 2089 0x000000008000808b,0x800000000000008b,0x8000000000008089,\ 2090 0x8000000000008003,0x8000000000008002,0x8000000000000080,\ 2091 0x000000000000800a,0x800000008000000a,0x8000000080008081,\ 2092 0x8000000000008080,0x0000000080000001,0x8000000080008008] 2093 for rnd in range(0,24): 2094 #AddColumnParity (Theta) 2095 c = [0]*5; 2096 d = [0]*5; 2097 for i in range(0,25): c[i%5]^=s[i] 2098 for i in range(0,5): d[i]=c[(i+4)%5]^rol(c[(i+1)%5],1) 2099 for i in range(0,25): s[i]^=d[i%5] 2100 #RotateWords (Rho). 2101 for i in range(0,25): s[i]=rol(s[i],ROTATIONS[i]) 2102 #PermuteWords (Pi) 2103 t = s[PERMUTATION[0]] 2104 for i in range(0,len(PERMUTATION)-1): 2105 s[PERMUTATION[i]]=s[PERMUTATION[i+1]] 2106 s[PERMUTATION[-1]]=t; 2107 #NonlinearMixRows (Chi) 2108 for i in range(0,25,5): 2109 t=[s[i],s[i+1],s[i+2],s[i+3],s[i+4],s[i],s[i+1]] 2110 for j in range(0,5): s[i+j]=t[j]^((~t[j+1])&(t[j+2])) 2111 #AddRoundConstant (Iota) 2112 s[0]^=RC[rnd] 2114 #Reinterpret octet array b to word array and XOR it to state s. 2115 def reinterpret_to_words_and_xor(s,b): 2116 for j in range(0,len(b)//8): 2117 s[j]^=from_le(b[8*j:][:8]) 2119 #Reinterpret word array w to octet array and return it. 2120 def reinterpret_to_octets(w): 2121 mp=bytearray() 2122 for j in range(0,len(w)): 2123 mp+=w[j].to_bytes(8,byteorder="little") 2124 return mp 2126 #(semi-)generic SHA-3 implementation 2127 def sha3_raw(msg,r_w,o_p,e_b): 2128 r_b=8*r_w 2129 s=[0]*25 2130 #Handle whole blocks. 2131 idx=0 2132 blocks=len(msg)//r_b 2133 for i in range(0,blocks): 2134 reinterpret_to_words_and_xor(s,msg[idx:][:r_b]) 2135 idx+=r_b 2136 sha3_transform(s) 2137 #Handle last block padding. 2138 m=bytearray(msg[idx:]) 2139 m.append(o_p) 2140 while len(m) < r_b: m.append(0) 2141 m[len(m)-1]|=128 2142 #Handle padded last block. 2143 reinterpret_to_words_and_xor(s,m) 2144 sha3_transform(s) 2145 #Output. 2146 out = bytearray() 2147 while len(out)>((b-1)&7) 2233 #Decode y. If this fails, fail. 2234 y = self.base_field.frombytes(s,b) 2235 if y is None: return (None,None) 2236 #Try to recover x. If it does not exist, or is zero and xs is 2237 #wrong, fail. 2238 x=self.solve_x2(y).sqrt() 2239 if x is None or (x.iszero() and xs!=x.sign()): 2240 return (None,None) 2241 #If sign of x isn't correct, flip it. 2242 if x.sign()!=xs: x=-x 2243 # Return the constructed point. 2244 return (x,y) 2245 def encode_base(self,b): 2246 xp,yp=self.x/self.z,self.y/self.z 2247 #Encode y. 2248 s=bytearray(yp.tobytes(b)) 2249 #Add sign bit of x to encoding. 2250 if xp.sign()!=0: s[(b-1)//8]|=1<<(b-1)%8 2251 return s 2252 def __mul__(self,x): 2253 r=self.zero_elem() 2254 s=self 2255 while x > 0: 2256 if (x%2)>0: 2257 r=r+s 2258 s=s.double() 2259 x=x//2 2260 return r 2261 #Check two points are equal. 2262 def __eq__(self,y): 2263 #Need to check x1/z1 == x2/z2 and similarly for y, so cross- 2264 #multiply to eliminate divisions. 2265 xn1=self.x*y.z 2266 xn2=y.x*self.z 2267 yn1=self.y*y.z 2268 yn2=y.y*self.z 2269 return xn1==xn2 and yn1==yn2 2270 #Check two points are not equal. 2272 def __ne__(self,y): return not (self==y) 2274 #A point on Edwards25519 2275 class Edwards25519Point(EdwardsPoint): 2276 #Create a new point on curve. 2277 base_field=Field(1,2**255-19) 2278 d=-base_field.make(121665)/base_field.make(121666) 2279 f0=base_field.make(0) 2280 f1=base_field.make(1) 2281 xb=base_field.make(hexi("216936D3CD6E53FEC0A4E231FDD6DC5C692CC76"+\ 2282 "09525A7B2C9562D608F25D51A")) 2283 yb=base_field.make(hexi("666666666666666666666666666666666666666"+\ 2284 "6666666666666666666666658")) 2285 #The standard base point. 2286 @staticmethod 2287 def stdbase(): 2288 return Edwards25519Point(Edwards25519Point.xb,\ 2289 Edwards25519Point.yb) 2290 def __init__(self,x,y): 2291 #Check the point is actually on the curve. 2292 if y*y-x*x!=self.f1+self.d*x*x*y*y: 2293 raise ValueError("Invalid point") 2294 self.initpoint(x, y) 2295 self.t=x*y 2296 #Decode a point representation. 2297 def decode(self,s): 2298 x,y=self.decode_base(s,256); 2299 return Edwards25519Point(x, y) if x is not None else None 2300 #Encode a point representation 2301 def encode(self): 2302 return self.encode_base(256) 2303 #Construct neutral point on this curve. 2304 def zero_elem(self): 2305 return Edwards25519Point(self.f0,self.f1) 2306 #Solve for x^2. 2307 def solve_x2(self,y): 2308 return ((y*y-self.f1)/(self.d*y*y+self.f1)) 2309 #Point addition. 2310 def __add__(self,y): 2311 #The formulas are from EFD. 2312 tmp=self.zero_elem() 2313 zcp=self.z*y.z 2314 A=(self.y-self.x)*(y.y-y.x) 2315 B=(self.y+self.x)*(y.y+y.x) 2316 C=(self.d+self.d)*self.t*y.t 2317 D=zcp+zcp 2318 E,H=B-A,B+A 2319 F,G=D-C,D+C 2320 tmp.x,tmp.y,tmp.z,tmp.t=E*F,G*H,F*G,E*H 2321 return tmp 2322 #Point doubling. 2323 def double(self): 2324 #The formulas are from EFD (with assumption a=-1 propagated). 2325 tmp=self.zero_elem() 2326 A=self.x*self.x 2327 B=self.y*self.y 2328 Ch=self.z*self.z 2329 C=Ch+Ch 2330 H=A+B 2331 xys=self.x+self.y 2332 E=H-xys*xys 2333 G=A-B 2334 F=C+G 2335 tmp.x,tmp.y,tmp.z,tmp.t=E*F,G*H,F*G,E*H 2336 return tmp 2337 #Order of basepoint. 2338 def l(self): 2339 return hexi("1000000000000000000000000000000014def9dea2f79cd"+\ 2340 "65812631a5cf5d3ed") 2341 #The logarithm of cofactor. 2342 def c(self): return 3 2343 #The highest set bit 2344 def n(self): return 254 2345 #The coding length 2346 def b(self): return 256 2347 #Validity check (for debugging) 2348 def is_valid_point(self): 2349 x,y,z,t=self.x,self.y,self.z,self.t 2350 x2=x*x 2351 y2=y*y 2352 z2=z*z 2353 lhs=(y2-x2)*z2 2354 rhs=z2*z2+self.d*x2*y2 2355 assert(lhs == rhs) 2356 assert(t*z == x*y) 2358 #A point on Edward448 2359 class Edwards448Point(EdwardsPoint): 2360 #Create a new point on curve. 2361 base_field=Field(1,2**448-2**224-1) 2362 d=base_field.make(-39081) 2363 f0=base_field.make(0) 2364 f1=base_field.make(1) 2365 xb=base_field.make(hexi("4F1970C66BED0DED221D15A622BF36DA9E14657"+\ 2366 "0470F1767EA6DE324A3D3A46412AE1AF72AB66511433B80E18B00938E26"+\ 2367 "26A82BC70CC05E")) 2369 yb=base_field.make(hexi("693F46716EB6BC248876203756C9C7624BEA737"+\ 2370 "36CA3984087789C1E05A0C2D73AD3FF1CE67C39C4FDBD132C4ED7C8AD98"+\ 2371 "08795BF230FA14")) 2372 #The standard base point. 2373 @staticmethod 2374 def stdbase(): 2375 return Edwards448Point(Edwards448Point.xb,Edwards448Point.yb) 2376 def __init__(self,x,y): 2377 #Check the point is actually on the curve. 2378 if y*y+x*x!=self.f1+self.d*x*x*y*y: 2379 raise ValueError("Invalid point") 2380 self.initpoint(x, y) 2381 #Decode a point representation. 2382 def decode(self,s): 2383 x,y=self.decode_base(s,456); 2384 return Edwards448Point(x, y) if x is not None else None 2385 #Encode a point representation 2386 def encode(self): 2387 return self.encode_base(456) 2388 #Construct neutral point on this curve. 2389 def zero_elem(self): 2390 return Edwards448Point(self.f0,self.f1) 2391 #Solve for x^2. 2392 def solve_x2(self,y): 2393 return ((y*y-self.f1)/(self.d*y*y-self.f1)) 2394 #Point addition. 2395 def __add__(self,y): 2396 #The formulas are from EFD. 2397 tmp=self.zero_elem() 2398 xcp,ycp,zcp=self.x*y.x,self.y*y.y,self.z*y.z 2399 B=zcp*zcp 2400 E=self.d*xcp*ycp 2401 F,G=B-E,B+E 2402 tmp.x=zcp*F*((self.x+self.y)*(y.x+y.y)-xcp-ycp) 2403 tmp.y,tmp.z=zcp*G*(ycp-xcp),F*G 2404 return tmp 2405 #Point doubling. 2406 def double(self): 2407 #The formulas are from EFD. 2408 tmp=self.zero_elem() 2409 x1s,y1s,z1s=self.x*self.x,self.y*self.y,self.z*self.z 2410 xys=self.x+self.y 2411 F=x1s+y1s 2412 J=F-(z1s+z1s) 2413 tmp.x,tmp.y,tmp.z=(xys*xys-x1s-y1s)*J,F*(x1s-y1s),F*J 2414 return tmp 2415 #Order of basepoint. 2416 def l(self): 2418 return hexi("3ffffffffffffffffffffffffffffffffffffffffffffff"+\ 2419 "fffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c2"+\ 2420 "92ab5844f3") 2421 #The logarithm of cofactor. 2422 def c(self): return 2 2423 #The highest set bit 2424 def n(self): return 447 2425 #The coding length 2426 def b(self): return 456 2427 #Validity check (for debugging) 2428 def is_valid_point(self): 2429 x,y,z=self.x,self.y,self.z 2430 x2=x*x 2431 y2=y*y 2432 z2=z*z 2433 lhs=(x2+y2)*z2 2434 rhs=z2*z2+self.d*x2*y2 2435 assert(lhs == rhs) 2437 #Simple self-check. 2438 def curve_self_check(point): 2439 p=point 2440 q=point.zero_elem() 2441 z=q 2442 l=p.l()+1 2443 p.is_valid_point() 2444 q.is_valid_point() 2445 for i in range(0,point.b()): 2446 if (l>>i)&1 != 0: 2447 q=q+p 2448 q.is_valid_point() 2449 p=p.double() 2450 p.is_valid_point() 2451 assert q.encode() == point.encode() 2452 assert q.encode() != p.encode() 2453 assert q.encode() != z.encode() 2455 #Simple self-check. 2456 def self_check_curves(): 2457 curve_self_check(Edwards25519Point.stdbase()) 2458 curve_self_check(Edwards448Point.stdbase()) 2460 #PureEdDSA scheme. 2461 #Limitation: Only b mod 8 = 0 is handled. 2462 class PureEdDSA: 2463 #Create a new object. 2464 def __init__(self,properties): 2465 self.B=properties["B"] 2466 self.H=properties["H"] 2467 self.l=self.B.l() 2468 self.n=self.B.n() 2469 self.b=self.B.b() 2470 self.c=self.B.c() 2471 #Clamp a private scalar. 2472 def __clamp(self,a): 2473 _a = bytearray(a) 2474 for i in range(0,self.c): _a[i//8]&=~(1<<(i%8)) 2475 _a[self.n//8]|=1<<(self.n%8) 2476 for i in range(self.n+1,self.b): _a[i//8]&=~(1<<(i%8)) 2477 return _a 2478 #Generate a key. If privkey is None, random one is generated. 2479 #In any case, privkey, pubkey pair is returned. 2480 def keygen(self,privkey): 2481 #If no private key data given, generate random. 2482 if privkey is None: privkey=os.urandom(self.b//8) 2483 #Expand key. 2484 khash=self.H(privkey,None,None) 2485 a=from_le(self.__clamp(khash[:self.b//8])) 2486 #Return the keypair (public key is A=Enc(aB). 2487 return privkey,(self.B*a).encode() 2488 #Sign with keypair. 2489 def sign(self,privkey,pubkey,msg,ctx,hflag): 2490 #Expand key. 2491 khash=self.H(privkey,None,None) 2492 a=from_le(self.__clamp(khash[:self.b//8])) 2493 seed=khash[self.b//8:] 2494 #Calculate r and R (R only used in encoded form) 2495 r=from_le(self.H(seed+msg,ctx,hflag))%self.l 2496 R=(self.B*r).encode() 2497 #Calculate h. 2498 h=from_le(self.H(R+pubkey+msg,ctx,hflag))%self.l 2499 #Calculate s. 2500 S=((r+h*a)%self.l).to_bytes(self.b//8,byteorder="little") 2501 #The final signature is concatenation of R and S. 2502 return R+S 2503 #Verify signature with public key. 2504 def verify(self,pubkey,msg,sig,ctx,hflag): 2505 #Sanity-check sizes. 2506 if len(sig)!=self.b//4: return False 2507 if len(pubkey)!=self.b//8: return False 2508 #Split signature into R and S, and parse. 2509 Rraw,Sraw=sig[:self.b//8],sig[self.b//8:] 2510 R,S=self.B.decode(Rraw),from_le(Sraw) 2511 #Parse public key. 2512 A=self.B.decode(pubkey) 2513 #Check parse results. 2515 if (R is None) or (A is None) or S>=self.l: return False 2516 #Calculate h. 2517 h=from_le(self.H(Rraw+pubkey+msg,ctx,hflag))%self.l 2518 #Calculate left and right sides of check eq. 2519 rhs=R+(A*h) 2520 lhs=self.B*S 2521 for i in range(0, self.c): 2522 lhs = lhs.double() 2523 rhs = rhs.double() 2524 #Check eq. holds? 2525 return lhs==rhs 2527 def Ed25519_inthash(data,ctx,hflag): 2528 if (ctx is not None and len(ctx) > 0) or hflag: 2529 raise ValueError("Contexts/hashes not supported") 2530 return hashlib.sha512(data).digest() 2532 #The base PureEdDSA schemes. 2533 pEd25519=PureEdDSA({\ 2534 "B":Edwards25519Point.stdbase(),\ 2535 "H":Ed25519_inthash\ 2536 }) 2538 def Ed25519ctx_inthash(data,ctx,hflag): 2539 dompfx = b"" 2540 PREFIX=b"SigEd25519 no Ed25519 collisions" 2541 if ctx is not None: 2542 if len(ctx) > 255: raise ValueError("Context too big") 2543 dompfx=PREFIX+bytes([1 if hflag else 0,len(ctx)])+ctx 2544 return hashlib.sha512(dompfx+data).digest() 2546 pEd25519ctx=PureEdDSA({\ 2547 "B":Edwards25519Point.stdbase(),\ 2548 "H":Ed25519ctx_inthash\ 2549 }) 2551 def Ed448_inthash(data,ctx,hflag): 2552 dompfx = b"" 2553 if ctx is not None: 2554 if len(ctx) > 255: raise ValueError("Context too big") 2555 dompfx=b"SigEd448"+bytes([1 if hflag else 0,len(ctx)])+ctx 2556 return shake256(dompfx+data,114) 2558 pEd448 = PureEdDSA({\ 2559 "B":Edwards448Point.stdbase(),\ 2560 "H":Ed448_inthash\ 2561 }) 2562 #EdDSA scheme. 2563 class EdDSA: 2564 #Create a new scheme object, with specified PureEdDSA base scheme 2565 #and specified prehash. 2566 def __init__(self,pure_scheme,prehash): 2567 self.__pflag = True 2568 self.__pure=pure_scheme 2569 self.__prehash=prehash 2570 if self.__prehash is None: 2571 self.__prehash = lambda x,y:x 2572 self.__pflag = False 2573 # Generate a key. If privkey is none, generates a random 2574 # privkey key, otherwise uses specified private key. 2575 # Returns pair (privkey, pubkey). 2576 def keygen(self,privkey): return self.__pure.keygen(privkey) 2577 # Sign message msg using specified keypair. 2578 def sign(self,privkey,pubkey,msg,ctx=None): 2579 if ctx is None: ctx=b""; 2580 return self.__pure.sign(privkey,pubkey,self.__prehash(msg,ctx),\ 2581 ctx,self.__pflag) 2582 # Verify signature sig on message msg using public key pubkey. 2583 def verify(self,pubkey,msg,sig,ctx=None): 2584 if ctx is None: ctx=b""; 2585 return self.__pure.verify(pubkey,self.__prehash(msg,ctx),sig,\ 2586 ctx,self.__pflag) 2588 def Ed448ph_prehash(data,ctx): 2589 return shake256(data,64) 2591 #Our signature schemes. 2592 Ed25519 = EdDSA(pEd25519,None) 2593 Ed25519ctx = EdDSA(pEd25519ctx,None) 2594 Ed25519ph = EdDSA(pEd25519ctx,lambda x,y:hashlib.sha512(x).digest()) 2595 Ed448 = EdDSA(pEd448,None) 2596 Ed448ph = EdDSA(pEd448,Ed448ph_prehash) 2598 def eddsa_obj(name): 2599 if name == "Ed25519": return Ed25519 2600 if name == "Ed25519ctx": return Ed25519ctx 2601 if name == "Ed25519ph": return Ed25519ph 2602 if name == "Ed448": return Ed448 2603 if name == "Ed448ph": return Ed448ph 2604 raise NotImplementedError("Algorithm not implemented") 2606 Appendix B. Library driver 2608 Below is a command-line tool that uses the library above to perform 2609 computations, for interactive use or for self-checking. 2611 [A note to RFC-Editor: Please don't change the relative indentations 2612 here: This code is written in programming language where relative 2613 indentations are meaningful, so changing those changes program 2614 meaning (authors: check this still works in AUTH48). Remove this 2615 note before publication.] 2616 import sys 2617 import binascii 2619 from eddsa2 import Ed25519 2621 def munge_string(s, pos, change): 2622 return (s[:pos] + 2623 int.to_bytes(s[pos] ^ change, 1, "little") + 2624 s[pos+1:]) 2626 # Read a file in the format of 2627 # http://ed25519.cr.yp.to/python/sign.input 2628 lineno = 0 2629 while True: 2630 line = sys.stdin.readline() 2631 if not line: 2632 break 2633 lineno = lineno + 1 2634 print(lineno) 2635 fields = line.split(":") 2636 secret = (binascii.unhexlify(fields[0]))[:32] 2637 public = binascii.unhexlify(fields[1]) 2638 msg = binascii.unhexlify(fields[2]) 2639 signature = binascii.unhexlify(fields[3])[:64] 2641 privkey,pubkey = Ed25519.keygen(secret) 2642 assert public == pubkey 2643 assert signature == Ed25519.sign(privkey, pubkey, msg) 2644 assert Ed25519.verify(public, msg, signature) 2645 if len(msg) == 0: 2646 bad_msg = b"x" 2647 else: 2648 bad_msg = munge_string(msg, len(msg) // 3, 4) 2649 assert not Ed25519.verify(public, bad_msg, signature) 2650 bad_signature = munge_string(signature, 20, 8) 2651 assert not Ed25519.verify(public, msg, bad_signature) 2652 bad_signature = munge_string(signature, 40, 16) 2653 assert not Ed25519.verify(public, msg, bad_signature) 2655 Authors' Addresses 2657 Simon Josefsson 2658 SJD AB 2660 Email: simon@josefsson.org 2661 URI: http://josefsson.org/ 2662 Ilari Liusvaara 2663 Independent 2665 Email: ilariliusvaara@welho.com