idnits 2.17.1 draft-josefsson-eddsa-ed25519-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 2 instances of too long lines in the document, the longest one being 1 character in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 12, 2015) is 3265 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '0' on line 1029 -- Looks like a reference, but probably isn't: '31' on line 346 -- Looks like a reference, but probably isn't: '1' on line 1030 -- Looks like a reference, but probably isn't: '32' on line 368 -- Looks like a reference, but probably isn't: '63' on line 368 -- Looks like a reference, but probably isn't: '3' on line 1032 -- Looks like a reference, but probably isn't: '2' on line 1031 ** Obsolete normative reference: RFC 4634 (Obsoleted by RFC 6234) == Outdated reference: A later version (-11) exists of draft-irtf-cfrg-curves-01 Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group S. Josefsson 3 Internet-Draft SJD AB 4 Intended status: Informational N. Moeller 5 Expires: November 13, 2015 6 May 12, 2015 8 EdDSA and Ed25519 9 draft-josefsson-eddsa-ed25519-03 11 Abstract 13 The elliptic curve signature scheme EdDSA and one instance of it 14 called Ed25519 is described. An example implementation and test 15 vectors are provided. 17 Status of This Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at http://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on November 13, 2015. 34 Copyright Notice 36 Copyright (c) 2015 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 Table of Contents 51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 52 2. Notation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 3. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 4. EdDSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 55 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 4 56 4.2. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 5 57 4.3. Sign . . . . . . . . . . . . . . . . . . . . . . . . . . 5 58 4.4. Verify . . . . . . . . . . . . . . . . . . . . . . . . . 5 59 5. Ed25519 . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 60 5.1. Modular arithmetic . . . . . . . . . . . . . . . . . . . 6 61 5.2. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 6 62 5.3. Decoding . . . . . . . . . . . . . . . . . . . . . . . . 6 63 5.4. Point addition . . . . . . . . . . . . . . . . . . . . . 7 64 5.5. Key Generation . . . . . . . . . . . . . . . . . . . . . 8 65 5.6. Sign . . . . . . . . . . . . . . . . . . . . . . . . . . 8 66 5.7. Verify . . . . . . . . . . . . . . . . . . . . . . . . . 9 67 5.8. Python illustration . . . . . . . . . . . . . . . . . . . 9 68 6. Test Vectors for Ed25519 . . . . . . . . . . . . . . . . . . 14 69 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17 70 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 71 9. Security Considerations . . . . . . . . . . . . . . . . . . . 18 72 9.1. Side-channel leaks . . . . . . . . . . . . . . . . . . . 18 73 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 74 10.1. Normative References . . . . . . . . . . . . . . . . . . 18 75 10.2. Informative References . . . . . . . . . . . . . . . . . 18 76 Appendix A. Ed25519 Python Library . . . . . . . . . . . . . . . 19 77 Appendix B. Library driver . . . . . . . . . . . . . . . . . . . 23 78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 80 1. Introduction 82 The Edwards-curve Digital Signature Algorithm (EdDSA) is a variant of 83 Schnorr's signature system with Twisted Edwards curves. EdDSA needs 84 to be instantiated with certain parameters and this document describe 85 Ed25519 - an instantiation of EdDSA in a curve over GF(2^255-19). To 86 facilitate adoption in the Internet community of Ed25519, this 87 document describe the signature scheme in an implementation-oriented 88 way, and we provide sample code and test vectors. 90 The advantages with EdDSA and Ed25519 include: 92 1. High-performance on a variety of platforms. 94 2. Does not require the use of a unique random number for each 95 signature. 97 3. More resilient to side-channel attacks. 99 4. Small public keys (32 bytes) and signatures (64 bytes). 101 5. The formulas are "strongly unified", i.e., they are valid for all 102 points on the curve, with no exceptions. This obviates the need 103 for EdDSA to perform expensive point validation on untrusted 104 public values. 106 6. Collision resilience, meaning that hash-function collisions do 107 not break this system. 109 For further background, see the original EdDSA paper [EDDSA]. 111 TODO: Support SHA-3-512? 113 2. Notation 115 The following notation is used throughout the document: 117 GF(p) finite field with p elements 119 x^y x multiplied by itself y times 121 B generator of the group or subgroup of interest 123 n B B added to itself n times. 125 h_i the i'th bit of h 127 a || b (bit-)string a concatenated with (bit-)string b 129 3. Background 131 EdDSA is defined using an elliptic curve over GF(p) of the form 133 -x^2 + y^2 = 1 + d x^2 y^2 135 In general, p could be a prime power, but it is usually chosen as a 136 prime number. It is required that p = 1 modulo 4 (which implies that 137 -1 is a square modulo p) and that d is a non-square modulo p. For 138 Ed25519, the curve used is equivalent to Curve25519 [CURVE25519], 139 under a change of coordinates, which means that the difficulty of the 140 discrete logarithm problem is the same as for Curve25519. 142 Points on this curve form a group under addition, (x3, y3) = (x1, y1) 143 + (x2, y2), with the formulas 144 x1 y2 + x2 y1 y1 y2 + x1 x2 145 x3 = -------------------, y3 = ------------------- 146 1 + d x1 x2 y1 y2 1 - d x1 x2 y1 y2 148 The neutral element in the group is (0, 1). 150 Unlike many other curves used for cryptographic applications, these 151 formulas are "strongly unified": they are valid for all points on the 152 curve, with no exceptions. In particular, the denominators are non- 153 zero for all input points. 155 There are more efficient formulas, which are still strongly unified, 156 which use homogeneous coordinates to avoid the expensive modulo p 157 inversions. See [Faster-ECC] and [Edwards-revisited]. 159 4. EdDSA 161 EdDSA is a digital signature system with several parameters. The 162 generic EdDSA digital signature system is normally not implemented 163 directly, but instead a particular instance of EdDSA (like Ed25519) 164 is implemented. A precise explanation of the generic EdDSA is thus 165 not particularly useful for implementers, but for background and 166 completeness, a succinct description of the generic EdDSA algorithm 167 is given here. 169 EdDSA has seven parameters: 171 1. an integer b >= 10. 173 2. a cryptographic hash function H producing 2b-bit outputs. 175 3. a prime power p congruent to 1 modulo 4. 177 4. a (b-1)-bit encoding of elements of the finite field GF(p). 179 5. a non-square element d of GF(p) 181 6. an element B != (0,1) of the set E = { (x,y) is a member of GF(p) 182 x GF(p) such that -x^2 + y^2 = 1 + dx^2y^2 }. 184 7. a prime q, of size b-3 bits, such that qB = (0, 1), i.e., q is 185 the order of B or a multiple thereof. 187 4.1. Encoding 189 An element (x,y) of E is encoded as a b-bit string called ENC(x,y) 190 which is the (b-1)-bit encoding of y concatenated with one bit that 191 is 1 if x is negative and 0 if x is not negative. Negative elements 192 of GF(q) are those x which the (b-1)-bit encoding of x is 193 lexicographically larger than the (b-1)-bit encoding of -x. 195 4.2. Keys 197 An EdDSA secret key is a b-bit string k. Let the hash H(k) = (h_0, 198 h_1, ..., h_(2b-1)) determine an integer a which is 2^(b-2) plus the 199 sum of m = 2^i * h_i for all i equal or larger than 3 and equal to or 200 less than b-3 such that m is a member of the set { 2^(b-2), 2^(b-2) + 201 8, ..., 2^(b-1) - 8 }. The EdDSA public key is ENC(A) = ENC(aB). 202 The bits h_b, ..., h_(2b-1) is used below during signing. 204 4.3. Sign 206 The signature of a message M under a secret key k is the 2b-bit 207 string ENC(R) || ENC'(S), where ENC'(S) is defined as the b-bit 208 little-endian encoding of S. R and S are derived as follows. First 209 define r = H(h_b, ... h_(2b-1)), M) interpreting 2b-bit strings in 210 little-endian form as integers in {0, 1, ..., 2^(2b)-1}. Let R=rB 211 and S=(r+H(ENC(R) || ENC(A) || M)a) mod q. 213 4.4. Verify 215 To verify a signature ENC(R) || ENC'(S) on a message M under a public 216 key ENC(A), proceed as follows. Parse the inputs so that A and R is 217 an element of E, and S is a member of the set {0, 1, ..., l-1 }. 218 Compute H' = H(ENC(R) || ENC(A) || M) and check the group equation 219 8SB = 8R + 8H'A in E. Verification is rejected if parsing fails or 220 the group equation does not hold. 222 5. Ed25519 224 Theoretically, Ed25519 is EdDSA instantiated with b=256, H being 225 SHA-512 [RFC4634], p is the prime 2^255-19, the 255-bit encoding of 226 GF(2^255-19) being the little-endian encoding of {0, 1, ..., 227 2^255-20}, q is the prime 2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed, 228 d = -121665/121666 which is a member of GF(p), and B is the unique 229 point (x, 4/5) in E for which x is "positive", which with the 230 encoding used simply means that the least significant bit of x is 0. 231 The curve p, prime q, d and B follows from [I-D.irtf-cfrg-curves]. 233 Written out explicitly, B is the point (15112221349535400772501151409 234 588531511454012693041857206046113283949847762202, 4631683569492647816 235 9428394003475163141307993866256225615783033603165251855960). 237 5.1. Modular arithmetic 239 For advise on how to implement arithmetic modulo p = 2^255 - 1 240 efficiently and securely, see Curve25519 [CURVE25519]. For inversion 241 modulo p, it is recommended to use the identity x^-1 = x^(p-2) (mod 242 p). 244 For point decoding or "decompression", square roots modulo p are 245 needed. They can be computed using the Tonelli-Shanks algorithm, or 246 the special case for p = 5 (mod 8). To find a square root of a, 247 first compute the candidate root x = a^((p+3)/8) (mod p). Then there 248 are three cases: 250 x^2 = a (mod p). Then x is a square root. 252 x^2 = -a (mod p). Then 2^((p-1)/4) x is a square root. 254 a is not a square modulo p. 256 5.2. Encoding 258 All values are coded as octet strings, and integers are coded using 259 little endian convention. I.e., a 32-octet string h h[0],...h[31] 260 represents the integer h[0] + 2^8 h[1] + ... + 2^248 h[31]. 262 A curve point (x,y), with coordinates in the range 0 <= x,y < p, is 263 coded as follows. First encode the y-coordinate as a little-endian 264 string of 32 octets. The most significant bit of the final octet is 265 always zero. To form the encoding of the point, copy the least 266 significant bit of the x-coordinate to the most significant bit of 267 the final octet. 269 5.3. Decoding 271 Decoding a point, given as a 32-octet string, is a little more 272 complicated. 274 1. First interpret the string as an integer in little-endian 275 representation. Bit 255 of this number is the least significant 276 bit of the x-coordinate, and denote this value x_0. The 277 y-coordinate is recovered simply by clearing this bit. If the 278 resulting value is >= p, decoding fails. 280 2. To recover the x coordinate, the curve equation implies x^2 = 281 (y^2 - 1) / (d y^2 + 1) (mod p). Since d is a non-square and -1 282 is a square, the numerator, (d y^2 + 1), is always invertible 283 modulo p. Let u = y^2 - 1 and v = d y^2 + 1. To compute the 284 square root of (u/v), the first step is to compute the candidate 285 root x = (u/v)^((p+3)/8). This can be done using the following 286 trick, to use a single modular powering for both the inversion of 287 v and the square root: 289 (p+3)/8 3 (p-5)/8 290 x = (u/v) = u v (u v^7) (mod p) 292 3. Again, there are three cases: 294 1. If v x^2 = u (mod p), x is a square root. 296 2. If v x^2 = -u (mod p), set x <-- x 2^((p-1)/4), which is a 297 square root. 299 3. Otherwise, no square root exists modulo p, and decoding 300 fails. 302 4. Finally, use the x_0 bit to select the right square root. If x = 303 0, and x_0 = 1, decoding fails. Otherwise, if x_0 != x mod 2, 304 set x <-- p - x. Return the decoded point (x,y). 306 5.4. Point addition 308 For point addition, the following method is recommended. A point 309 (x,y) is represented in extended homogeneous coordinates (X, Y, Z, 310 T), with x = X/Z, y = Y/Z, x y = T/Z. 312 The following formulas for adding two points, (x3,y3) = 313 (x1,y1)+(x2,y2) are described in [Edwards-revisited], section 3.1. 314 They are strongly unified, i.e., they work for any pair of valid 315 input points. 317 A = (Y1-X1)*(Y2-X2) 318 B = (Y1+X1)*(Y2+X2) 319 C = T1*2*d*T2 320 D = Z1*2*Z2 321 E = B-A 322 F = D-C 323 G = D+C 324 H = B+A 325 X3 = E*F 326 Y3 = G*H 327 T3 = E*H 328 Z3 = F*G 330 5.5. Key Generation 332 The secret is 32 octets (256 bits, corresponding to b) of 333 cryptographically-secure random data. See [RFC4086] for a discussion 334 about randomness. 336 The 32-byte public key is generated by the following steps. 338 1. Hash the 32-byte secret using SHA-512, storing the digest in a 339 64-octet large buffer, denoted h. Only the lower 32 bytes are 340 used for generating the public key. 342 2. Prune the buffer. In C terminology: 344 h[0] &= ~0x07; 345 h[31] &= 0x7F; 346 h[31] |= 0x40; 348 3. Interpret the buffer as the little-endian integer, forming a 349 secret scalar a. Perform a known-base-point scalar 350 multiplication a B. 352 4. The public key A is the encoding of the point aB. First encode 353 the y coordinate (in the range 0 <= y < p) as a little-endian 354 string of 32 octets. The most significant bit of the final octet 355 is always zero. To form the encoding of the point aB, copy the 356 least significant bit of the x coordinate to the most significant 357 bit of the final octet. The result is the public key. 359 5.6. Sign 361 The inputs to the signing procedure is the secret key, a 32-octet 362 string, and a message M of arbitrary size. 364 1. Hash the secret key, 32-octets, using SHA-512. Let h denote the 365 resulting digest. Construct the secret scalar a from the first 366 half of the digest, and the corresponding public key A, as 367 described in the previous section. Let prefix denote the second 368 half of the hash digest, h[32],...,h[63]. 370 2. Compute SHA-512(prefix || M), where M is the message to be 371 signed. Interpret the 64-octet digest as a little-endian integer 372 r. 374 3. Compute the point rB. For efficiency, do this by first reducing 375 r modulo q, the group order of B. Let the string R be the 376 encoding of this point. 378 4. Compute SHA512(R || A || M), and interpret the 64-octet digest as 379 a little-endian integer k. 381 5. Compute s = (r + k a) mod q. For efficiency, again reduce k 382 modulo q first. 384 6. Form the signature of the concatenation of R (32 octets) and the 385 little-endian encoding of s (32 octets, three most significant 386 bits of the final octets always zero). 388 5.7. Verify 390 1. To verify a signature on a message M, first split the signature 391 into two 32-octet halves. Decode the first half as a point R, 392 and the second half as an integer s, in the range 0 <= s < q. If 393 the decoding fails, the signature is invalid. 395 2. Compute SHA512(R || A || M), and interpret the 64-octet digest as 396 a little-endian integer k. 398 3. Check the group equation 8s B = 8 R + 8k A. It's sufficient, but 399 not required, to instead check s B = R + k A. 401 5.8. Python illustration 403 The rest of this section describes how Ed25519 can be implemented in 404 Python (version 3.2 or later) for illustration. See appendix A for 405 the complete implementation and appendix B for a test-driver to run 406 it through some test vectors. 408 First some preliminaries that will be needed. 410 import hashlib 412 def sha512(s): 413 return hashlib.sha512(s).digest() 415 # Base field Z_p 416 p = 2**255 - 19 418 def modp_inv(x): 419 return pow(x, p-2, p) 421 # Curve constant 422 d = -121665 * modp_inv(121666) % p 424 # Group order 425 q = 2**252 + 27742317777372353535851937790883648493 427 def sha512_modq(s): 428 return int.from_bytes(sha512(s), "little") % q 430 Then follows functions to perform point operations. 432 # Points are represented as tuples (X, Y, Z, T) of extended coordinates, 433 # with x = X/Z, y = Y/Z, x*y = T/Z 435 def point_add(P, Q): 436 A = (P[1]-P[0])*(Q[1]-Q[0]) % p 437 B = (P[1]+P[0])*(Q[1]+Q[0]) % p 438 C = 2 * P[3] * Q[3] * d % p 439 D = 2 * P[2] * Q[2] % p 440 E = B-A 441 F = D-C 442 G = D+C 443 H = B+A 444 return (E*F, G*H, F*G, E*H) 446 # Computes Q = s * Q 447 def point_mul(s, P): 448 Q = (0, 1, 1, 0) # Neutral element 449 while s > 0: 450 # Is there any bit-set predicate? 451 if s & 1: 452 Q = point_add(Q, P) 453 P = point_add(P, P) 454 s >>= 1 455 return Q 457 def point_equal(P, Q): 458 # x1 / z1 == x2 / z2 <==> x1 * z2 == x2 * z1 459 if (P[0] * Q[2] - Q[0] * P[2]) % p != 0: 460 return False 461 if (P[1] * Q[2] - Q[1] * P[2]) % p != 0: 462 return False 463 return True 465 Now follows functions for point compression. 467 # Square root of -1 468 modp_sqrt_m1 = pow(2, (p-1) // 4, p) 470 # Compute corresponding x coordinate, with low bit corresponding to sign, 471 # or return None on failure 472 def recover_x(y, sign): 473 x2 = (y*y-1) * modp_inv(d*y*y+1) 474 if x2 == 0: 475 if sign: 476 return None 477 else: 478 return 0 480 # Compute square root of x2 481 x = pow(x2, (p+3) // 8, p) 482 if (x*x - x2) % p != 0: 483 x = x * modp_sqrt_m1 % p 484 if (x*x - x2) % p != 0: 485 return None 487 if (x & 1) != sign: 488 x = p - x 489 return x 491 # Base point 492 g_y = 4 * modp_inv(5) % p 493 g_x = recover_x(g_y, 0) 494 G = (g_x, g_y, 1, g_x * g_y % p) 496 def point_compress(P): 497 zinv = modp_inv(P[2]) 498 x = P[0] * zinv % p 499 y = P[1] * zinv % p 500 return int.to_bytes(y | ((x & 1) << 255), 32, "little") 502 def point_decompress(s): 503 if len(s) != 32: 504 raise Exception("Invalid input length for decompression") 505 y = int.from_bytes(s, "little") 506 sign = y >> 255 507 y &= (1 << 255) - 1 509 x = recover_x(y, sign) 510 if x is None: 511 return None 512 else: 513 return (x, y, 1, x*y % p) 515 These are functions for manipulating the secret. 517 def secret_expand(secret): 518 if len(secret) != 32: 519 raise Exception("Bad size of private key") 520 h = sha512(secret) 521 a = int.from_bytes(h[:32], "little") 522 a &= (1 << 254) - 8 523 a |= (1 << 254) 524 return (a, h[32:]) 526 def secret_to_public(secret): 527 (a, dummy) = secret_expand(secret) 528 return point_compress(point_mul(a, G)) 530 The signature function works as below. 532 def sign(secret, msg): 533 a, prefix = secret_expand(secret) 534 A = point_compress(point_mul(a, G)) 535 r = sha512_modq(prefix + msg) 536 R = point_mul(r, G) 537 Rs = point_compress(R) 538 h = sha512_modq(Rs + A + msg) 539 s = (r + h * a) % q 540 return Rs + int.to_bytes(s, 32, "little") 542 And finally the verification function. 544 def verify(public, msg, signature): 545 if len(public) != 32: 546 raise Exception("Bad public-key length") 547 if len(signature) != 64: 548 Exception("Bad signature length") 549 A = point_decompress(public) 550 if not A: 551 return False 552 Rs = signature[:32] 553 R = point_decompress(Rs) 554 if not R: 555 return False 556 s = int.from_bytes(signature[32:], "little") 557 h = sha512_modq(Rs + public + msg) 558 sB = point_mul(s, G) 559 hA = point_mul(h, A) 560 return point_equal(sB, point_add(R, hA)) 562 6. Test Vectors for Ed25519 564 Below is a sequence of octets with test vectors for the the Ed25519 565 signature algorithm. The octets are hex encoded and whitespace is 566 inserted for readability. Private keys are 64 bytes, public keys 32 567 bytes, message of arbitrary length, and signatures are 64 bytes. The 568 test vectors are taken from [ED25519-TEST-VECTORS] (but we removed 569 the public key as a suffix of the secret key, and removed the message 570 from the signature) and [ED25519-LIBGCRYPT-TEST-VECTORS]. 572 -----TEST 1 573 SECRET KEY: 574 9d61b19deffd5a60ba844af492ec2cc4 575 4449c5697b326919703bac031cae7f60 577 PUBLIC KEY: 578 d75a980182b10ab7d54bfed3c964073a 579 0ee172f3daa62325af021a68f707511a 581 MESSAGE (length 0 bytes): 583 SIGNATURE: 584 e5564300c360ac729086e2cc806e828a 585 84877f1eb8e5d974d873e06522490155 586 5fb8821590a33bacc61e39701cf9b46b 587 d25bf5f0595bbe24655141438e7a100b 589 -----TEST 2 590 SECRET KEY: 591 4ccd089b28ff96da9db6c346ec114e0f 592 5b8a319f35aba624da8cf6ed4fb8a6fb 594 PUBLIC KEY: 595 3d4017c3e843895a92b70aa74d1b7ebc 596 9c982ccf2ec4968cc0cd55f12af4660c 598 MESSAGE (length 1 byte): 599 72 601 SIGNATURE: 602 92a009a9f0d4cab8720e820b5f642540 603 a2b27b5416503f8fb3762223ebdb69da 604 085ac1e43e15996e458f3613d0f11d8c 605 387b2eaeb4302aeeb00d291612bb0c00 607 -----TEST 3 608 SECRET KEY: 609 c5aa8df43f9f837bedb7442f31dcb7b1 610 66d38535076f094b85ce3a2e0b4458f7 612 PUBLIC KEY: 613 fc51cd8e6218a1a38da47ed00230f058 614 0816ed13ba3303ac5deb911548908025 616 MESSAGE (length 2 bytes): 617 af82 619 SIGNATURE: 620 6291d657deec24024827e69c3abe01a3 621 0ce548a284743a445e3680d7db5ac3ac 622 18ff9b538d16f290ae67f760984dc659 623 4a7c15e9716ed28dc027beceea1ec40a 625 -----TEST 1024 626 SECRET KEY: 627 f5e5767cf153319517630f226876b86c 628 8160cc583bc013744c6bf255f5cc0ee5 630 PUBLIC KEY: 631 278117fc144c72340f67d0f2316e8386 632 ceffbf2b2428c9c51fef7c597f1d426e 634 MESSAGE (length 1023 bytes): 635 08b8b2b733424243760fe426a4b54908 636 632110a66c2f6591eabd3345e3e4eb98 637 fa6e264bf09efe12ee50f8f54e9f77b1 638 e355f6c50544e23fb1433ddf73be84d8 639 79de7c0046dc4996d9e773f4bc9efe57 640 38829adb26c81b37c93a1b270b20329d 641 658675fc6ea534e0810a4432826bf58c 642 941efb65d57a338bbd2e26640f89ffbc 643 1a858efcb8550ee3a5e1998bd177e93a 644 7363c344fe6b199ee5d02e82d522c4fe 645 ba15452f80288a821a579116ec6dad2b 646 3b310da903401aa62100ab5d1a36553e 647 06203b33890cc9b832f79ef80560ccb9 648 a39ce767967ed628c6ad573cb116dbef 649 efd75499da96bd68a8a97b928a8bbc10 650 3b6621fcde2beca1231d206be6cd9ec7 651 aff6f6c94fcd7204ed3455c68c83f4a4 652 1da4af2b74ef5c53f1d8ac70bdcb7ed1 653 85ce81bd84359d44254d95629e9855a9 654 4a7c1958d1f8ada5d0532ed8a5aa3fb2 655 d17ba70eb6248e594e1a2297acbbb39d 656 502f1a8c6eb6f1ce22b3de1a1f40cc24 657 554119a831a9aad6079cad88425de6bd 658 e1a9187ebb6092cf67bf2b13fd65f270 659 88d78b7e883c8759d2c4f5c65adb7553 660 878ad575f9fad878e80a0c9ba63bcbcc 661 2732e69485bbc9c90bfbd62481d9089b 662 eccf80cfe2df16a2cf65bd92dd597b07 663 07e0917af48bbb75fed413d238f5555a 664 7a569d80c3414a8d0859dc65a46128ba 665 b27af87a71314f318c782b23ebfe808b 666 82b0ce26401d2e22f04d83d1255dc51a 667 ddd3b75a2b1ae0784504df543af8969b 668 e3ea7082ff7fc9888c144da2af58429e 669 c96031dbcad3dad9af0dcbaaaf268cb8 670 fcffead94f3c7ca495e056a9b47acdb7 671 51fb73e666c6c655ade8297297d07ad1 672 ba5e43f1bca32301651339e22904cc8c 673 42f58c30c04aafdb038dda0847dd988d 674 cda6f3bfd15c4b4c4525004aa06eeff8 675 ca61783aacec57fb3d1f92b0fe2fd1a8 676 5f6724517b65e614ad6808d6f6ee34df 677 f7310fdc82aebfd904b01e1dc54b2927 678 094b2db68d6f903b68401adebf5a7e08 679 d78ff4ef5d63653a65040cf9bfd4aca7 680 984a74d37145986780fc0b16ac451649 681 de6188a7dbdf191f64b5fc5e2ab47b57 682 f7f7276cd419c17a3ca8e1b939ae49e4 683 88acba6b965610b5480109c8b17b80e1 684 b7b750dfc7598d5d5011fd2dcc5600a3 685 2ef5b52a1ecc820e308aa342721aac09 686 43bf6686b64b2579376504ccc493d97e 687 6aed3fb0f9cd71a43dd497f01f17c0e2 688 cb3797aa2a2f256656168e6c496afc5f 689 b93246f6b1116398a346f1a641f3b041 690 e989f7914f90cc2c7fff357876e506b5 691 0d334ba77c225bc307ba537152f3f161 692 0e4eafe595f6d9d90d11faa933a15ef1 693 369546868a7f3a45a96768d40fd9d034 694 12c091c6315cf4fde7cb68606937380d 695 b2eaaa707b4c4185c32eddcdd306705e 696 4dc1ffc872eeee475a64dfac86aba41c 697 0618983f8741c5ef68d3a101e8a3b8ca 698 c60c905c15fc910840b94c00a0b9d0 700 SIGNATURE: 701 0aab4c900501b3e24d7cdf4663326a3a 702 87df5e4843b2cbdb67cbf6e460fec350 703 aa5371b1508f9f4528ecea23c436d94b 704 5e8fcd4f681e30a6ac00a9704a188a03 705 -----TEST 1A 706 -----An additional test with the data from test 1 but using an 707 -----uncompressed public key. 708 SECRET KEY: 709 9d61b19deffd5a60ba844af492ec2cc4 710 4449c5697b326919703bac031cae7f60 712 PUBLIC KEY: 713 0455d0e09a2b9d34292297e08d60d0f6 714 20c513d47253187c24b12786bd777645 715 ce1a5107f7681a02af2523a6daf372e1 716 0e3a0764c9d3fe4bd5b70ab18201985a 717 d7 719 MSG (length 0 bytes): 721 SIGNATURE: 722 e5564300c360ac729086e2cc806e828a 723 84877f1eb8e5d974d873e06522490155 724 5fb8821590a33bacc61e39701cf9b46b 725 d25bf5f0595bbe24655141438e7a100b 727 -----TEST 1B 728 -----An additional test with the data from test 1 but using an 729 -----compressed prefix. 730 SECRET KEY: 731 9d61b19deffd5a60ba844af492ec2cc4 732 4449c5697b326919703bac031cae7f60 734 PUBLIC KEY: 735 40d75a980182b10ab7d54bfed3c96407 736 3a0ee172f3daa62325af021a68f70751 737 1a 739 MESSAGE (length 0 bytes): 741 SIGNATURE: 742 e5564300c360ac729086e2cc806e828a 743 84877f1eb8e5d974d873e06522490155 744 5fb8821590a33bacc61e39701cf9b46b 745 d25bf5f0595bbe24655141438e7a100b 746 ----- 748 7. Acknowledgements 750 Feedback on this document was received from Werner Koch, Damien 751 Miller, Bob Bradley, and Franck Rondepierre. The test vectors were 752 double checked by Bob Bradley using 3 separate implementations (one 753 based on TweetNaCl and 2 different implementations based on code from 754 SUPERCOP). 756 8. IANA Considerations 758 None. 760 9. Security Considerations 762 9.1. Side-channel leaks 764 For implementations performing signatures, secrecy of the key is 765 fundamental. It is possible to protect against some side-channel 766 attacks by ensuring that the implementation executes exactly the same 767 sequence of instructions and performs exactly the same memory 768 accesses, for any value of the secret key. 770 To make an implementation side-channel silent in this way, the modulo 771 p arithmetic must not use any data-dependent branches, e.g., related 772 to carry propagation. Side channel-silent point addition is 773 straight-forward, thanks to the unified formulas. 775 Scalar multiplication, multiplying a point by an integer, needs some 776 additional effort to implement in a side-channel silent manner. One 777 simple approach is to implement a side-channel silent conditional 778 assignment, and use together with the binary algorithm to examine one 779 bit of the integer at a time. 781 Note that the example implementation in this document does not 782 attempt to be side-channel silent. 784 10. References 786 10.1. Normative References 788 [RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms 789 (SHA and HMAC-SHA)", RFC 4634, July 2006. 791 [I-D.irtf-cfrg-curves] 792 Langley, A., Salz, R., and S. Turner, "Elliptic Curves for 793 Security", draft-irtf-cfrg-curves-01 (work in progress), 794 January 2015. 796 10.2. Informative References 798 [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 799 Requirements for Security", BCP 106, RFC 4086, June 2005. 801 [EDDSA] Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B. 802 Yang, "High-speed high-security signatures", WWW 803 http://ed25519.cr.yp.to/ed25519-20110926.pdf, September 804 2011. 806 [Faster-ECC] 807 Bernstein, D. and T. Lange, "Faster addition and doubling 808 on elliptic curves", WWW http://eprint.iacr.org/2007/286, 809 July 2007. 811 [Edwards-revisited] 812 Hisil, H., Wong, K., Carter, G., and E. Dawson, "Twisted 813 Edwards Curves Revisited", WWW 814 http://eprint.iacr.org/2008/522, December 2008. 816 [CURVE25519] 817 Bernstein, D., "Curve25519: new Diffie-Hellman speed 818 records", WWW http://cr.yp.to/ecdh.html, February 2006. 820 [ED25519-TEST-VECTORS] 821 Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B. 822 Yang, "Ed25519 test vectors", WWW 823 http://ed25519.cr.yp.to/python/sign.input, July 2011. 825 [ED25519-LIBGCRYPT-TEST-VECTORS] 826 Koch, W., "Ed25519 Libgcrypt test vectors", WWW 827 http://git.gnupg.org/cgi- 828 bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=tests/t-ed25519.in 829 p;h=e13566f826321eece65e02c593bc7d885b3dbe23;hb=refs/ 830 heads/master, July 2014. 832 Appendix A. Ed25519 Python Library 834 Below is an example implementation of Ed25519 written in Python, 835 version 3.2 or higher is required. 837 # Loosely based on the public domain code at 838 # http://ed25519.cr.yp.to/software.html 839 # 840 # Needs python-3.2 842 import hashlib 844 def sha512(s): 845 return hashlib.sha512(s).digest() 847 # Base field Z_p 848 p = 2**255 - 19 850 def modp_inv(x): 851 return pow(x, p-2, p) 853 # Curve constant 854 d = -121665 * modp_inv(121666) % p 856 # Group order 857 q = 2**252 + 27742317777372353535851937790883648493 859 def sha512_modq(s): 860 return int.from_bytes(sha512(s), "little") % q 862 # Points are represented as tuples (X, Y, Z, T) of extended coordinates, 863 # with x = X/Z, y = Y/Z, x*y = T/Z 865 def point_add(P, Q): 866 A = (P[1]-P[0])*(Q[1]-Q[0]) % p 867 B = (P[1]+P[0])*(Q[1]+Q[0]) % p 868 C = 2 * P[3] * Q[3] * d % p 869 D = 2 * P[2] * Q[2] % p 870 E = B-A 871 F = D-C 872 G = D+C 873 H = B+A 874 return (E*F, G*H, F*G, E*H) 876 # Computes Q = s * Q 877 def point_mul(s, P): 878 Q = (0, 1, 1, 0) # Neutral element 879 while s > 0: 880 # Is there any bit-set predicate? 881 if s & 1: 882 Q = point_add(Q, P) 883 P = point_add(P, P) 884 s >>= 1 885 return Q 887 def point_equal(P, Q): 888 # x1 / z1 == x2 / z2 <==> x1 * z2 == x2 * z1 889 if (P[0] * Q[2] - Q[0] * P[2]) % p != 0: 890 return False 892 if (P[1] * Q[2] - Q[1] * P[2]) % p != 0: 893 return False 894 return True 896 # Square root of -1 897 modp_sqrt_m1 = pow(2, (p-1) // 4, p) 899 # Compute corresponding x coordinate, with low bit corresponding to sign, 900 # or return None on failure 901 def recover_x(y, sign): 902 x2 = (y*y-1) * modp_inv(d*y*y+1) 903 if x2 == 0: 904 if sign: 905 return None 906 else: 907 return 0 909 # Compute square root of x2 910 x = pow(x2, (p+3) // 8, p) 911 if (x*x - x2) % p != 0: 912 x = x * modp_sqrt_m1 % p 913 if (x*x - x2) % p != 0: 914 return None 916 if (x & 1) != sign: 917 x = p - x 918 return x 920 # Base point 921 g_y = 4 * modp_inv(5) % p 922 g_x = recover_x(g_y, 0) 923 G = (g_x, g_y, 1, g_x * g_y % p) 925 def point_compress(P): 926 zinv = modp_inv(P[2]) 927 x = P[0] * zinv % p 928 y = P[1] * zinv % p 929 return int.to_bytes(y | ((x & 1) << 255), 32, "little") 931 def point_decompress(s): 932 if len(s) != 32: 933 raise Exception("Invalid input length for decompression") 934 y = int.from_bytes(s, "little") 935 sign = y >> 255 936 y &= (1 << 255) - 1 937 x = recover_x(y, sign) 938 if x is None: 939 return None 940 else: 941 return (x, y, 1, x*y % p) 943 def secret_expand(secret): 944 if len(secret) != 32: 945 raise Exception("Bad size of private key") 946 h = sha512(secret) 947 a = int.from_bytes(h[:32], "little") 948 a &= (1 << 254) - 8 949 a |= (1 << 254) 950 return (a, h[32:]) 952 def secret_to_public(secret): 953 (a, dummy) = secret_expand(secret) 954 return point_compress(point_mul(a, G)) 956 def sign(secret, msg): 957 a, prefix = secret_expand(secret) 958 A = point_compress(point_mul(a, G)) 959 r = sha512_modq(prefix + msg) 960 R = point_mul(r, G) 961 Rs = point_compress(R) 962 h = sha512_modq(Rs + A + msg) 963 s = (r + h * a) % q 964 return Rs + int.to_bytes(s, 32, "little") 966 def verify(public, msg, signature): 967 if len(public) != 32: 968 raise Exception("Bad public-key length") 969 if len(signature) != 64: 970 Exception("Bad signature length") 971 A = point_decompress(public) 972 if not A: 973 return False 974 Rs = signature[:32] 975 R = point_decompress(Rs) 976 if not R: 977 return False 978 s = int.from_bytes(signature[32:], "little") 979 h = sha512_modq(Rs + public + msg) 980 sB = point_mul(s, G) 981 hA = point_mul(h, A) 982 return point_equal(sB, point_add(R, hA)) 984 Appendix B. Library driver 986 Below is a command-line tool that uses the library above to perform 987 computations, for interactive use or for self-checking. 989 import sys 990 import binascii 992 from ed25519 import * 994 def point_valid(P): 995 zinv = modp_inv(P[2]) 996 x = P[0] * zinv % p 997 y = P[1] * zinv % p 998 assert (x*y - P[3]*zinv) % p == 0 999 return (-x*x + y*y - 1 - d*x*x*y*y) % p == 0 1001 assert point_valid(G) 1002 Z = (0, 1, 1, 0) 1003 assert point_valid(Z) 1005 assert point_equal(Z, point_add(Z, Z)) 1006 assert point_equal(G, point_add(Z, G)) 1007 assert point_equal(Z, point_mul(0, G)) 1008 assert point_equal(G, point_mul(1, G)) 1009 assert point_equal(point_add(G, G), point_mul(2, G)) 1010 for i in range(0, 100): 1011 assert point_valid(point_mul(i, G)) 1012 assert point_equal(Z, point_mul(q, G)) 1014 def munge_string(s, pos, change): 1015 return (s[:pos] + 1016 int.to_bytes(s[pos] ^ change, 1, "little") + 1017 s[pos+1:]) 1019 # Read a file in the format of 1020 # http://ed25519.cr.yp.to/python/sign.input 1021 lineno = 0 1022 while True: 1023 line = sys.stdin.readline() 1024 if not line: 1025 break 1026 lineno = lineno + 1 1027 print(lineno) 1028 fields = line.split(":") 1029 secret = (binascii.unhexlify(fields[0]))[:32] 1030 public = binascii.unhexlify(fields[1]) 1031 msg = binascii.unhexlify(fields[2]) 1032 signature = binascii.unhexlify(fields[3])[:64] 1034 assert public == secret_to_public(secret) 1035 assert signature == sign(secret, msg) 1036 assert verify(public, msg, signature) 1037 if len(msg) == 0: 1038 bad_msg = b"x" 1039 else: 1040 bad_msg = munge_string(msg, len(msg) // 3, 4) 1041 assert not verify(public, bad_msg, signature) 1042 bad_signature = munge_string(signature, 20, 8) 1043 assert not verify(public, msg, bad_signature) 1044 bad_signature = munge_string(signature, 40, 16) 1045 assert not verify(public, msg, bad_signature) 1047 Authors' Addresses 1049 Simon Josefsson 1050 SJD AB 1052 Email: simon@josefsson.org 1053 URI: http://josefsson.org/ 1055 Niels Moeller 1057 Email: nisse@lysator.liu.se