ed25519.c File Reference

Ed25519 elliptic curve (constant-time implementation) More...

#include "core/crypto.h"
#include "ecc/ec_curves.h"
#include "ecc/curve25519.h"
#include "ecc/ed25519.h"
#include "debug.h"

Go to the source code of this file.

Macros

#define TRACE_LEVEL   CRYPTO_TRACE_LEVEL
 

Functions

error_t ed25519GenerateKeyPair (const PrngAlgo *prngAlgo, void *prngContext, uint8_t *privateKey, uint8_t *publicKey)
 EdDSA key pair generation. More...
 
error_t ed25519GeneratePrivateKey (const PrngAlgo *prngAlgo, void *prngContext, uint8_t *privateKey)
 EdDSA private key generation. More...
 
error_t ed25519GeneratePublicKey (const uint8_t *privateKey, uint8_t *publicKey)
 Derive the public key from an EdDSA private key. More...
 
error_t ed25519GenerateSignature (const uint8_t *privateKey, const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, uint8_t *signature)
 EdDSA signature generation. More...
 
error_t ed25519GenerateSignatureEx (const uint8_t *privateKey, const uint8_t *publicKey, const DataChunk *messageChunks, const void *context, uint8_t contextLen, uint8_t flag, uint8_t *signature)
 EdDSA signature generation. More...
 
error_t ed25519VerifySignature (const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
 EdDSA signature verification. More...
 
error_t ed25519VerifySignatureEx (const uint8_t *publicKey, const DataChunk *messageChunks, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
 EdDSA signature verification. More...
 
__weak_func void ed25519Mul (Ed25519State *state, Ed25519Point *r, const uint8_t *k, const Ed25519Point *p)
 Scalar multiplication on Ed25519 curve. More...
 
void ed25519Add (Ed25519State *state, Ed25519Point *r, const Ed25519Point *p, const Ed25519Point *q)
 Point addition. More...
 
void ed25519Double (Ed25519State *state, Ed25519Point *r, const Ed25519Point *p)
 Point doubling. More...
 
void ed25519Encode (Ed25519Point *p, uint8_t *data)
 Point encoding. More...
 
uint32_t ed25519Decode (Ed25519Point *p, const uint8_t *data)
 Point decoding. More...
 
void ed25519RedInt (uint8_t *r, const uint8_t *a)
 Reduce an integer modulo L. More...
 
void ed25519AddInt (uint8_t *r, const uint8_t *a, const uint8_t *b, uint_t n)
 Addition of two integers. More...
 
uint8_t ed25519SubInt (uint8_t *r, const uint8_t *a, const uint8_t *b, uint_t n)
 Subtraction of two integers. More...
 
void ed25519MulInt (uint8_t *rl, uint8_t *rh, const uint8_t *a, const uint8_t *b, uint_t n)
 Multiplication of two integers. More...
 
void ed25519CopyInt (uint8_t *a, const uint8_t *b, uint_t n)
 Copy an integer. More...
 
void ed25519SelectInt (uint8_t *r, const uint8_t *a, const uint8_t *b, uint8_t c, uint_t n)
 Select an integer. More...
 
uint8_t ed25519CompInt (const uint8_t *a, const uint8_t *b, uint_t n)
 Compare integers. More...
 

Detailed Description

Ed25519 elliptic curve (constant-time implementation)

License

SPDX-License-Identifier: GPL-2.0-or-later

Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.

This file is part of CycloneCRYPTO Open.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

Author
Oryx Embedded SARL (www.oryx-embedded.com)
Version
2.4.4

Definition in file ed25519.c.

Macro Definition Documentation

◆ TRACE_LEVEL

#define TRACE_LEVEL   CRYPTO_TRACE_LEVEL

Definition at line 32 of file ed25519.c.

Function Documentation

◆ ed25519Add()

void ed25519Add ( Ed25519State state,
Ed25519Point r,
const Ed25519Point p,
const Ed25519Point q 
)

Point addition.

Parameters
[in]statePointer to the working state
[out]rResulting point R = P + Q
[in]pFirst operand
[in]qSecond operand

Definition at line 621 of file ed25519.c.

◆ ed25519AddInt()

void ed25519AddInt ( uint8_t *  r,
const uint8_t *  a,
const uint8_t *  b,
uint_t  n 
)

Addition of two integers.

Parameters
[out]rResulting integer R = A + B
[in]aAn integer such as 0 <= A < (2^8)^n
[in]bAn integer such as 0 <= B < (2^8)^n
[in]nSize of the operands, in bytes

Definition at line 827 of file ed25519.c.

◆ ed25519CompInt()

uint8_t ed25519CompInt ( const uint8_t *  a,
const uint8_t *  b,
uint_t  n 
)

Compare integers.

Parameters
[in]aPointer to the first integer
[in]bPointer to the second integer
[in]nSize of the integers, in bytes
Returns
The function returns 0 if the A = B, else 1

Definition at line 982 of file ed25519.c.

◆ ed25519CopyInt()

void ed25519CopyInt ( uint8_t *  a,
const uint8_t *  b,
uint_t  n 
)

Copy an integer.

Parameters
[out]aPointer to the destination integer
[in]bPointer to the source integer
[in]nSize of the integers, in bytes

Definition at line 935 of file ed25519.c.

◆ ed25519Decode()

uint32_t ed25519Decode ( Ed25519Point p,
const uint8_t *  data 
)

Point decoding.

Parameters
[in]pPoint representation
[out]dataOctet string to be converted

Definition at line 725 of file ed25519.c.

◆ ed25519Double()

void ed25519Double ( Ed25519State state,
Ed25519Point r,
const Ed25519Point p 
)

Point doubling.

Parameters
[in]statePointer to the working state
[out]rResulting point R = 2 * P
[in]pInput point P

Definition at line 664 of file ed25519.c.

◆ ed25519Encode()

void ed25519Encode ( Ed25519Point p,
uint8_t *  data 
)

Point encoding.

Parameters
[in]pPoint representation
[out]dataOctet string resulting from the conversion

Definition at line 700 of file ed25519.c.

◆ ed25519GenerateKeyPair()

error_t ed25519GenerateKeyPair ( const PrngAlgo prngAlgo,
void *  prngContext,
uint8_t *  privateKey,
uint8_t *  publicKey 
)

EdDSA key pair generation.

Parameters
[in]prngAlgoPRNG algorithm
[in]prngContextPointer to the PRNG context
[out]privateKeyEdDSA private key (32 bytes)
[out]publicKeyEdDSA public key (32 bytes)
Returns
Error code

Definition at line 116 of file ed25519.c.

◆ ed25519GeneratePrivateKey()

error_t ed25519GeneratePrivateKey ( const PrngAlgo prngAlgo,
void *  prngContext,
uint8_t *  privateKey 
)

EdDSA private key generation.

Parameters
[in]prngAlgoPRNG algorithm
[in]prngContextPointer to the PRNG context
[out]privateKeyEdDSA private key (32 bytes)
Returns
Error code

Definition at line 144 of file ed25519.c.

◆ ed25519GeneratePublicKey()

error_t ed25519GeneratePublicKey ( const uint8_t *  privateKey,
uint8_t *  publicKey 
)

Derive the public key from an EdDSA private key.

Parameters
[in]privateKeyEdDSA private key (32 bytes)
[out]publicKeyEdDSA public key (32 bytes)
Returns
Error code

Definition at line 168 of file ed25519.c.

◆ ed25519GenerateSignature()

error_t ed25519GenerateSignature ( const uint8_t *  privateKey,
const uint8_t *  publicKey,
const void *  message,
size_t  messageLen,
const void *  context,
uint8_t  contextLen,
uint8_t  flag,
uint8_t *  signature 
)

EdDSA signature generation.

Parameters
[in]privateKeySigner's EdDSA private key (32 bytes)
[in]publicKeySigner's EdDSA public key (32 bytes)
[in]messagePointer to the message to be signed
[in]messageLenLength of the message, in bytes
[in]contextConstant string specified by the protocol using it
[in]contextLenLength of the context, in bytes
[in]flagPrehash flag for Ed25519ph scheme
[out]signatureEdDSA signature (64 bytes)
Returns
Error code

Definition at line 236 of file ed25519.c.

◆ ed25519GenerateSignatureEx()

error_t ed25519GenerateSignatureEx ( const uint8_t *  privateKey,
const uint8_t *  publicKey,
const DataChunk messageChunks,
const void *  context,
uint8_t  contextLen,
uint8_t  flag,
uint8_t *  signature 
)

EdDSA signature generation.

Parameters
[in]privateKeySigner's EdDSA private key (32 bytes)
[in]publicKeySigner's EdDSA public key (32 bytes)
[in]messageChunksArray of data chunks representing the message to be signed
[in]contextConstant string specified by the protocol using it
[in]contextLenLength of the context, in bytes
[in]flagPrehash flag for Ed25519ph scheme
[out]signatureEdDSA signature (64 bytes)
Returns
Error code

Definition at line 271 of file ed25519.c.

◆ ed25519Mul()

__weak_func void ed25519Mul ( Ed25519State state,
Ed25519Point r,
const uint8_t *  k,
const Ed25519Point p 
)

Scalar multiplication on Ed25519 curve.

Parameters
[in]statePointer to the working state
[out]rResulting point R = k * P
[in]kInput scalar
[in]pInput point

Definition at line 575 of file ed25519.c.

◆ ed25519MulInt()

void ed25519MulInt ( uint8_t *  rl,
uint8_t *  rh,
const uint8_t *  a,
const uint8_t *  b,
uint_t  n 
)

Multiplication of two integers.

Parameters
[out]rlLow part of the result R = (A + B) mod (2^8)^n
[out]rhHigh part of the result R = (A + B) / (2^8)^n
[in]aAn integer such as 0 <= A < (2^8)^n
[in]bAn integer such as 0 <= B < (2^8)^n
[in]nSize of the operands, in bytes

Definition at line 880 of file ed25519.c.

◆ ed25519RedInt()

void ed25519RedInt ( uint8_t *  r,
const uint8_t *  a 
)

Reduce an integer modulo L.

This function implements Barrett reduction with b = 2^8 and k = 32. The algorithm requires the precomputation of the quantity mu = b^(2 * k) / L

Parameters
[out]rResulting integer R = A mod L
[in]aAn integer such as 0 <= A < b^(2 * k)

Definition at line 792 of file ed25519.c.

◆ ed25519SelectInt()

void ed25519SelectInt ( uint8_t *  r,
const uint8_t *  a,
const uint8_t *  b,
uint8_t  c,
uint_t  n 
)

Select an integer.

Parameters
[out]rPointer to the destination integer
[in]aPointer to the first source integer
[in]bPointer to the second source integer
[in]cCondition variable
[in]nSize of the integers, in bytes

Definition at line 956 of file ed25519.c.

◆ ed25519SubInt()

uint8_t ed25519SubInt ( uint8_t *  r,
const uint8_t *  a,
const uint8_t *  b,
uint_t  n 
)

Subtraction of two integers.

Parameters
[out]rResulting integer R = A - B
[in]aAn integer such as 0 <= A < (2^8)^n
[in]bAn integer such as 0 <= B < (2^8)^n
[in]nSize of the operands, in bytes
Returns
1 if the result is negative, else 0

Definition at line 852 of file ed25519.c.

◆ ed25519VerifySignature()

error_t ed25519VerifySignature ( const uint8_t *  publicKey,
const void *  message,
size_t  messageLen,
const void *  context,
uint8_t  contextLen,
uint8_t  flag,
const uint8_t *  signature 
)

EdDSA signature verification.

Parameters
[in]publicKeySigner's EdDSA public key (32 bytes)
[in]messageMessage whose signature is to be verified
[in]messageLenLength of the message, in bytes
[in]contextConstant string specified by the protocol using it
[in]contextLenLength of the context, in bytes
[in]flagPrehash flag for Ed25519ph scheme
[in]signatureEdDSA signature (64 bytes)
Returns
Error code

Definition at line 429 of file ed25519.c.

◆ ed25519VerifySignatureEx()

error_t ed25519VerifySignatureEx ( const uint8_t *  publicKey,
const DataChunk messageChunks,
const void *  context,
uint8_t  contextLen,
uint8_t  flag,
const uint8_t *  signature 
)

EdDSA signature verification.

Parameters
[in]publicKeySigner's EdDSA public key (32 bytes)
[in]messageChunksArray of data chunks representing the message whose signature is to be verified
[in]contextConstant string specified by the protocol using it
[in]contextLenLength of the context, in bytes
[in]flagPrehash flag for Ed25519ph scheme
[in]signatureEdDSA signature (64 bytes)
Returns
Error code

Definition at line 463 of file ed25519.c.