idnits 2.17.1 draft-josefsson-eddsa-ed25519-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 2 instances of too long lines in the document, the longest one being 1 character in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 7, 2015) is 3366 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 624 -- Looks like a reference, but probably isn't: '0' on line 623 -- Looks like a reference, but probably isn't: '3' on line 626 -- Looks like a reference, but probably isn't: '2' on line 625 ** Obsolete normative reference: RFC 4634 (Obsoleted by RFC 6234) == Outdated reference: A later version (-11) exists of draft-irtf-cfrg-curves-01 Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Josefsson 3 Internet-Draft SJD AB 4 Intended status: Informational February 7, 2015 5 Expires: August 11, 2015 7 EdDSA and Ed25519 8 draft-josefsson-eddsa-ed25519-00 10 Abstract 12 The elliptic curve signature scheme EdDSA and one instance of it 13 called Ed25519 is described. An example implementation and test 14 vectors are provided. 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at http://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on August 11, 2015. 33 Copyright Notice 35 Copyright (c) 2015 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (http://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 51 2. Notation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 3. EdDSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 3.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 3 54 3.2. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 3.3. Sign . . . . . . . . . . . . . . . . . . . . . . . . . . 4 56 3.4. Verify . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 4. Ed25519 . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 58 5. Test Vectors for Ed25519 . . . . . . . . . . . . . . . . . . 9 59 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 60 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 61 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 62 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 63 9.1. Normative References . . . . . . . . . . . . . . . . . . 10 64 9.2. Informative References . . . . . . . . . . . . . . . . . 10 65 Appendix A. Ed25519 Python Library . . . . . . . . . . . . . . . 11 66 Appendix B. Library driver . . . . . . . . . . . . . . . . . . . 14 67 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15 69 1. Introduction 71 The Edwards-curve Digital Signature Algorithm (EdDSA) is a variant of 72 Schnorr's signature system with Twisted Edwards curves. EdDSA needs 73 to be instantiated with certain parameters, and Ed25519 is described 74 in this document. To facilitate adoption in the Internet community 75 of Ed25519, this document describe the signature scheme in an 76 implementation-oriented way, and we provide sample code and test 77 vectors. 79 The advantages with EdDSA and Ed25519 include: 81 1. High-performance on a variety of platforms. 83 2. Does not require the use of a unique random number for each 84 signature. 86 3. Collision resilience, meaning that hash-function collisions do 87 not break this system. 89 4. More resilient to side-channel attacks. 91 5. Small public keys (32 bytes) and signatures (64 bytes). 93 For further background, see the original EdDSA paper [EDDSA]. 95 2. Notation 97 The following notation is used throughout the document: 99 GF(p) finite field with p elements 101 x^y x multiplied by itself y times 103 h_i the i'th byte of h 105 a || b (bit-)string a concatenated with (bit-)string b 107 3. EdDSA 109 EdDSA has seven parameters: 111 1. an integer b >= 10. 113 2. a cryptographic hash function H producing 2b-bit outputs. 115 3. a prime power q congruent to 1 modulo 4. 117 4. a (b-1)-bit encoding of elements of the finite field GF(q). 119 5. a non-square element d of GF(q) 121 6. a prime l between 2^(b-4) and 2^(b-3) satisfying lB=0 where nB 122 means the n'th multiple of B in the group E. 124 7. an element B != (0,1) of the set E = { (x,y) is a member of GF(q) 125 x GF(q) such that -x^2 + y^2 = 1 + dx^2y^2 }. 127 3.1. Encoding 129 An element (x,y) of E is encoded as a b-bit string called ENC(x,y) 130 which is the (b-1)-bit encoding of y concatenated with one bit that 131 is 1 if x is negative and 0 if x is not negative. Negative elements 132 of GF(q) are those x which the (b-1)-bit encoding of x is 133 lexicographically larger than the (b-1)-bit encoding of -x. 135 3.2. Keys 137 An EdDSA secret key is a b-bit string k. Let the hash H(k) = (h_0, 138 h_1, ..., h_(2b-1)) determine an integer a which is 2^(b-2) plus the 139 sum of m = 2^i * h_i for all i equal or larger than 3 and equal to or 140 less than b-3 such that m is a member of the set { 2^(b-2), 2^(b-2) + 141 8, ..., 2^(b-1) - 8 }. The EdDSA public key is ENC(A) = ENC(aB). 142 The bits h_b, ..., h_(2b-1) is used below during signing. 144 3.3. Sign 146 The signature of a message M under a secret key k is the 2b-bit 147 string ENC(R) || ENC'(S), where ENC'(S) is defined as the b-bit 148 little-endian encoding of S. R and S are derived as follows. First 149 define r = H(h_b, ... h_(2b-1)), M) interpreting 2b-bit strings in 150 little-endian form as integers in {0, 1, ..., 2^(2b)-1}. Let R=rB 151 and S=(r+H(ENC(R) || ENC(A) || M)a) mod l. 153 3.4. Verify 155 To verify a signature ENC(R) || ENC'(S) on a message M under a public 156 key ENC(A), proceed as follows. Parse the inputs so that A and R is 157 an element of E, and S is a member of the set {0, 1, ..., l-1 }. 158 Compute H' = H(ENC(R) || ENC(A) || M) and check the group equation 159 8SB = 8R + 8H'A in E. Verification is rejected if parsing fails or 160 the group equation does not hold. 162 4. Ed25519 164 Ed25519 is EdDSA instantiated with b=256, H being SHA-512 [RFC4634], 165 q is the prime 2^255-19, the 255-bit encoding of GF(2^255-19) being 166 the little-endian encoding of {0, 1, ..., 2^255-20}, l is the prime 167 2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed, d = -121665/121666 which 168 is a member of GF(q), and B is the unique point (x, 4/5) in E for 169 which x is positive. The curve q, prime l, d and B follows from 170 [I-D.irtf-cfrg-curves]. 172 The rest of this section describes how Ed25519 can be implemented in 173 Python (version 3.2 or later) for illustration. See appendix A for 174 the complete implementation and appendix B for a test-driver to run 175 it through some test vectors. 177 First some preliminaries that will be needed. 179 import hashlib 181 def sha512(s): 182 return hashlib.sha512(s).digest() 184 # Base field Z_p 185 p = 2**255 - 19 187 def modp_inv(x): 188 return pow(x, p-2, p) 190 # Curve constant 191 d = -121665 * modp_inv(121666) % p 193 # Group order 194 q = 2**252 + 27742317777372353535851937790883648493 196 def sha512_modq(s): 197 return int.from_bytes(sha512(s), "little") % q 199 Then follows functions to perform point operations. 201 # Points are represented as tuples (X, Y, Z, T) of extended coordinates, 202 # with x = X/Z, y = Y/Z, x*y = T/Z 204 def point_add(P, Q): 205 A = (P[1]-P[0])*(Q[1]-Q[0]) % p 206 B = (P[1]+P[0])*(Q[1]+Q[0]) % p 207 C = 2 * P[3] * Q[3] * d % p 208 D = 2 * P[2] * Q[2] % p 209 E = B-A 210 F = D-C 211 G = D+C 212 H = B+A 213 return (E*F, G*H, F*G, E*H) 215 # Computes Q = s * Q 216 def point_mul(s, P): 217 Q = (0, 1, 1, 0) # Neutral element 218 while s > 0: 219 # Is there any bit-set predicate? 220 if s & 1: 221 Q = point_add(Q, P) 222 P = point_add(P, P) 223 s >>= 1 224 return Q 226 def point_equal(P, Q): 227 # x1 / z1 == x2 / z2 <==> x1 * z2 == x2 * z1 228 if (P[0] * Q[2] - Q[0] * P[2]) % p != 0: 229 return False 230 if (P[1] * Q[2] - Q[1] * P[2]) % p != 0: 231 return False 232 return True 234 Now follows functions for point compression. 236 # Square root of -1 237 modp_sqrt_m1 = pow(2, (p-1) // 4, p) 239 # Compute corresponding x coordinate, with low bit corresponding to sign, 240 # or return None on failure 241 def recover_x(y, sign): 242 x2 = (y*y-1) * modp_inv(d*y*y+1) 243 if x2 == 0: 244 if sign: 245 return None 246 else: 247 return 0 249 # Compute square root of x2 250 x = pow(x2, (p+3) // 8, p) 251 if (x*x - x2) % p != 0: 252 x = x * modp_sqrt_m1 % p 253 if (x*x - x2) % p != 0: 254 return None 256 if (x & 1) != sign: 257 x = p - x 258 return x 260 # Base point 261 g_y = 4 * modp_inv(5) % p 262 g_x = recover_x(g_y, 0) 263 G = (g_x, g_y, 1, g_x * g_y % p) 265 def point_compress(P): 266 zinv = modp_inv(P[2]) 267 x = P[0] * zinv % p 268 y = P[1] * zinv % p 269 return int.to_bytes(y | ((x & 1) << 255), 32, "little") 271 def point_decompress(s): 272 if len(s) != 32: 273 raise Exception("Invalid input length for decompression") 274 y = int.from_bytes(s, "little") 275 sign = y >> 255 276 y &= (1 << 255) - 1 278 x = recover_x(y, sign) 279 if x is None: 280 return None 281 else: 282 return (x, y, 1, x*y % p) 284 These are functions for manipulating the secret. 286 def secret_expand(secret): 287 if len(secret) != 32: 288 raise Exception("Bad size of private key") 289 h = sha512(secret) 290 a = int.from_bytes(h[:32], "little") 291 a &= (1 << 254) - 8 292 a |= (1 << 254) 293 return (a, h[32:]) 295 def secret_to_public(secret): 296 (a, dummy) = secret_expand(secret) 297 return point_compress(point_mul(a, G)) 299 The signature function works as below. 301 def sign(secret, msg): 302 a, prefix = secret_expand(secret) 303 A = point_compress(point_mul(a, G)) 304 r = sha512_modq(prefix + msg) 305 R = point_mul(r, G) 306 Rs = point_compress(R) 307 h = sha512_modq(Rs + A + msg) 308 s = (r + h * a) % q 309 return Rs + int.to_bytes(s, 32, "little") 311 And finally the verification function. 313 def verify(public, msg, signature): 314 if len(public) != 32: 315 raise Exception("Bad public-key length") 316 if len(signature) != 64: 317 Exception("Bad signature length") 318 A = point_decompress(public) 319 if not A: 320 return False 321 Rs = signature[:32] 322 R = point_decompress(Rs) 323 if not R: 324 return False 325 s = int.from_bytes(signature[32:], "little") 326 h = sha512_modq(Rs + public + msg) 327 sB = point_mul(s, G) 328 hA = point_mul(h, A) 329 return point_equal(sB, point_add(R, hA)) 331 5. Test Vectors for Ed25519 333 Below is a sequence of octets with test vectors for the the Ed25519 334 signature algorithm. The octets are hex encoded and whitespace is 335 inserted for readability. Private keys are 64 bytes, public keys 32 336 bytes, message of arbitrary length, and signatures are 64 bytes. 338 ----- 339 PRIVATE KEY: 340 9d61b19deffd5a60ba844af492ec2cc4 341 4449c5697b326919703bac031cae7f60 342 d75a980182b10ab7d54bfed3c964073a 343 0ee172f3daa62325af021a68f707511a 345 PUBLIC KEY: 346 d75a980182b10ab7d54bfed3c964073a 347 0ee172f3daa62325af021a68f707511a 349 MESSAGE (length 0 bytes): 351 SIGNATURE: 352 e5564300c360ac729086e2cc806e828a 353 84877f1eb8e5d974d873e06522490155 354 5fb8821590a33bacc61e39701cf9b46b 355 d25bf5f0595bbe24655141438e7a100b 356 ----- 357 PRIVATE KEY: 358 4ccd089b28ff96da9db6c346ec114e0f 359 5b8a319f35aba624da8cf6ed4fb8a6fb 360 3d4017c3e843895a92b70aa74d1b7ebc 361 9c982ccf2ec4968cc0cd55f12af4660c 363 PUBLIC KEY: 364 3d4017c3e843895a92b70aa74d1b7ebc 365 9c982ccf2ec4968cc0cd55f12af4660c 367 MESSAGE (length 1 byte): 368 72 370 SIGNATURE: 371 92a009a9f0d4cab8720e820b5f642540 372 a2b27b5416503f8fb3762223ebdb69da 373 085ac1e43e15996e458f3613d0f11d8c 374 387b2eaeb4302aeeb00d291612bb0c00 375 ----- 376 PRIVATE KEY: 377 c5aa8df43f9f837bedb7442f31dcb7b1 378 66d38535076f094b85ce3a2e0b4458f7 379 fc51cd8e6218a1a38da47ed00230f058 380 0816ed13ba3303ac5deb911548908025 382 PUBLIC KEY: 383 fc51cd8e6218a1a38da47ed00230f058 384 0816ed13ba3303ac5deb911548908025 386 MESSAGE (length 2 bytes): 387 af82 389 SIGNATURE: 390 6291d657deec24024827e69c3abe01a3 391 0ce548a284743a445e3680d7db5ac3ac 392 18ff9b538d16f290ae67f760984dc659 393 4a7c15e9716ed28dc027beceea1ec40a 394 ----- 396 6. Acknowledgements 398 The Python code was written by Niels Moeller. 400 7. IANA Considerations 402 None. 404 8. Security Considerations 406 TBA. 408 9. References 410 9.1. Normative References 412 [RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms 413 (SHA and HMAC-SHA)", RFC 4634, July 2006. 415 [I-D.irtf-cfrg-curves] 416 Langley, A., Salz, R., and S. Turner, "Elliptic Curves for 417 Security", draft-irtf-cfrg-curves-01 (work in progress), 418 January 2015. 420 9.2. Informative References 422 [EDDSA] Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B. 423 Yang, "High-speed high-security signatures", WWW 424 http://ed25519.cr.yp.to/ed25519-20110926.pdf, September 425 2011. 427 Appendix A. Ed25519 Python Library 429 Below is an example implementation of Ed25519 written in Python, 430 version 3.2 or higher is required. 432 # Loosely based on the public domain code at 433 # http://ed25519.cr.yp.to/software.html 434 # 435 # Needs python-3.2 437 import hashlib 439 def sha512(s): 440 return hashlib.sha512(s).digest() 442 # Base field Z_p 443 p = 2**255 - 19 445 def modp_inv(x): 446 return pow(x, p-2, p) 448 # Curve constant 449 d = -121665 * modp_inv(121666) % p 451 # Group order 452 q = 2**252 + 27742317777372353535851937790883648493 454 def sha512_modq(s): 455 return int.from_bytes(sha512(s), "little") % q 457 # Points are represented as tuples (X, Y, Z, T) of extended coordinates, 458 # with x = X/Z, y = Y/Z, x*y = T/Z 460 def point_add(P, Q): 461 A = (P[1]-P[0])*(Q[1]-Q[0]) % p 462 B = (P[1]+P[0])*(Q[1]+Q[0]) % p 463 C = 2 * P[3] * Q[3] * d % p 464 D = 2 * P[2] * Q[2] % p 465 E = B-A 466 F = D-C 467 G = D+C 468 H = B+A 469 return (E*F, G*H, F*G, E*H) 471 # Computes Q = s * Q 472 def point_mul(s, P): 473 Q = (0, 1, 1, 0) # Neutral element 474 while s > 0: 475 # Is there any bit-set predicate? 476 if s & 1: 477 Q = point_add(Q, P) 478 P = point_add(P, P) 479 s >>= 1 480 return Q 482 def point_equal(P, Q): 483 # x1 / z1 == x2 / z2 <==> x1 * z2 == x2 * z1 484 if (P[0] * Q[2] - Q[0] * P[2]) % p != 0: 485 return False 486 if (P[1] * Q[2] - Q[1] * P[2]) % p != 0: 487 return False 488 return True 490 # Square root of -1 491 modp_sqrt_m1 = pow(2, (p-1) // 4, p) 493 # Compute corresponding x coordinate, with low bit corresponding to sign, 494 # or return None on failure 495 def recover_x(y, sign): 496 x2 = (y*y-1) * modp_inv(d*y*y+1) 497 if x2 == 0: 498 if sign: 499 return None 500 else: 501 return 0 503 # Compute square root of x2 504 x = pow(x2, (p+3) // 8, p) 505 if (x*x - x2) % p != 0: 506 x = x * modp_sqrt_m1 % p 507 if (x*x - x2) % p != 0: 508 return None 510 if (x & 1) != sign: 511 x = p - x 512 return x 514 # Base point 515 g_y = 4 * modp_inv(5) % p 516 g_x = recover_x(g_y, 0) 517 G = (g_x, g_y, 1, g_x * g_y % p) 519 def point_compress(P): 520 zinv = modp_inv(P[2]) 521 x = P[0] * zinv % p 522 y = P[1] * zinv % p 523 return int.to_bytes(y | ((x & 1) << 255), 32, "little") 525 def point_decompress(s): 526 if len(s) != 32: 527 raise Exception("Invalid input length for decompression") 528 y = int.from_bytes(s, "little") 529 sign = y >> 255 530 y &= (1 << 255) - 1 532 x = recover_x(y, sign) 533 if x is None: 534 return None 535 else: 536 return (x, y, 1, x*y % p) 538 def secret_expand(secret): 539 if len(secret) != 32: 540 raise Exception("Bad size of private key") 541 h = sha512(secret) 542 a = int.from_bytes(h[:32], "little") 543 a &= (1 << 254) - 8 544 a |= (1 << 254) 545 return (a, h[32:]) 547 def secret_to_public(secret): 548 (a, dummy) = secret_expand(secret) 549 return point_compress(point_mul(a, G)) 551 def sign(secret, msg): 552 a, prefix = secret_expand(secret) 553 A = point_compress(point_mul(a, G)) 554 r = sha512_modq(prefix + msg) 555 R = point_mul(r, G) 556 Rs = point_compress(R) 557 h = sha512_modq(Rs + A + msg) 558 s = (r + h * a) % q 559 return Rs + int.to_bytes(s, 32, "little") 561 def verify(public, msg, signature): 562 if len(public) != 32: 563 raise Exception("Bad public-key length") 564 if len(signature) != 64: 565 Exception("Bad signature length") 566 A = point_decompress(public) 567 if not A: 568 return False 569 Rs = signature[:32] 570 R = point_decompress(Rs) 571 if not R: 572 return False 573 s = int.from_bytes(signature[32:], "little") 574 h = sha512_modq(Rs + public + msg) 575 sB = point_mul(s, G) 576 hA = point_mul(h, A) 577 return point_equal(sB, point_add(R, hA)) 579 Appendix B. Library driver 581 Below is a command-line tool that uses the library above to perform 582 computations, for interactive use or for self-checking. 584 import sys 585 import binascii 587 from ed25519 import * 589 def point_valid(P): 590 zinv = modp_inv(P[2]) 591 x = P[0] * zinv % p 592 y = P[1] * zinv % p 593 assert (x*y - P[3]*zinv) % p == 0 594 return (-x*x + y*y - 1 - d*x*x*y*y) % p == 0 596 assert point_valid(G) 597 Z = (0, 1, 1, 0) 598 assert point_valid(Z) 600 assert point_equal(Z, point_add(Z, Z)) 601 assert point_equal(G, point_add(Z, G)) 602 assert point_equal(Z, point_mul(0, G)) 603 assert point_equal(G, point_mul(1, G)) 604 assert point_equal(point_add(G, G), point_mul(2, G)) 605 for i in range(0, 100): 606 assert point_valid(point_mul(i, G)) 607 assert point_equal(Z, point_mul(q, G)) 608 def munge_string(s, pos, change): 609 return (s[:pos] + 610 int.to_bytes(s[pos] ^ change, 1, "little") + 611 s[pos+1:]) 613 # Read a file in the format of 614 # http://ed25519.cr.yp.to/python/sign.input 615 lineno = 0 616 while True: 617 line = sys.stdin.readline() 618 if not line: 619 break 620 lineno = lineno + 1 621 print(lineno) 622 fields = line.split(":") 623 secret = (binascii.unhexlify(fields[0]))[:32] 624 public = binascii.unhexlify(fields[1]) 625 msg = binascii.unhexlify(fields[2]) 626 signature = binascii.unhexlify(fields[3])[:64] 628 assert public == secret_to_public(secret) 629 assert signature == sign(secret, msg) 630 assert verify(public, msg, signature) 631 if len(msg) == 0: 632 bad_msg = b"x" 633 else: 634 bad_msg = munge_string(msg, len(msg) // 3, 4) 635 assert not verify(public, bad_msg, signature) 636 bad_signature = munge_string(signature, 20, 8) 637 assert not verify(public, msg, bad_signature) 638 bad_signature = munge_string(signature, 40, 16) 639 assert not verify(public, msg, bad_signature) 641 Author's Address 643 Simon Josefsson 644 SJD AB 646 Email: simon@josefsson.org 647 URI: http://josefsson.org/