ed25519.h File Reference

Ed25519 elliptic curve (constant-time implementation) More...

#include "core/crypto.h"
#include "ecc/eddsa.h"
#include "hash/sha512.h"

Go to the source code of this file.

Data Structures
struct	Ed25519Point
	Extended point representation. More...
struct	Ed25519SubState
	Working state (scalar multiplication) More...
struct	Ed25519GeneratePublicKeyState
	Working state (public key generation) More...
struct	Ed25519GenerateSignatureState
	Working state (signature generation) More...
struct	Ed25519VerifySignatureState
	Working state (signature verification) More...

Macros
#define	ED25519_PRIVATE_KEY_LEN   32
#define	ED25519_PUBLIC_KEY_LEN   32
#define	ED25519_SIGNATURE_LEN   64
#define	ED25519_PH_FLAG   1
#define	ED25519_PH_SIZE   64

Functions
error_t	ed25519GenerateKeyPair (const PrngAlgo *prngAlgo, void *prngContext, uint8_t *privateKey, uint8_t *publicKey)
	EdDSA key pair generation. More...
error_t	ed25519GeneratePrivateKey (const PrngAlgo *prngAlgo, void *prngContext, uint8_t *privateKey)
	EdDSA private key generation. More...
error_t	ed25519GeneratePublicKey (const uint8_t *privateKey, uint8_t *publicKey)
	Derive the public key from an EdDSA private key. More...
error_t	ed25519GenerateSignature (const uint8_t *privateKey, const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, uint8_t *signature)
	EdDSA signature generation. More...
error_t	ed25519GenerateSignatureEx (const uint8_t *privateKey, const uint8_t *publicKey, const DataChunk *message, uint_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, uint8_t *signature)
	EdDSA signature generation. More...
error_t	ed25519VerifySignature (const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
	EdDSA signature verification. More...
error_t	ed25519VerifySignatureEx (const uint8_t *publicKey, const DataChunk *message, uint_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
	EdDSA signature verification. More...
void	ed25519Mul (Ed25519SubState *state, Ed25519Point *r, const uint8_t *k, const Ed25519Point *p)
	Scalar multiplication (regular calculation) More...
void	ed25519TwinMul (Ed25519SubState *state, Ed25519Point *r, const uint8_t *k1, const Ed25519Point *p, const uint8_t *k2, const Ed25519Point *q)
	Twin multiplication. More...
void	ed25519Add (Ed25519SubState *state, Ed25519Point *r, const Ed25519Point *p, const Ed25519Point *q)
	Point addition. More...
void	ed25519Double (Ed25519SubState *state, Ed25519Point *r, const Ed25519Point *p)
	Point doubling. More...
void	ed25519Encode (Ed25519Point *p, uint8_t *data)
	Point encoding. More...
uint32_t	ed25519Decode (Ed25519Point *p, const uint8_t *data)
	Point decoding. More...
void	ed25519RedInt (uint8_t *r, const uint8_t *a)
	Reduce an integer modulo L. More...
void	ed25519AddInt (uint8_t *r, const uint8_t *a, const uint8_t *b, uint_t n)
	Addition of two integers. More...
uint8_t	ed25519SubInt (uint8_t *r, const uint8_t *a, const uint8_t *b, uint_t n)
	Subtraction of two integers. More...
void	ed25519MulInt (uint8_t *rl, uint8_t *rh, const uint8_t *a, const uint8_t *b, uint_t n)
	Multiplication of two integers. More...
void	ed25519CopyInt (uint8_t *a, const uint8_t *b, uint_t n)
	Copy an integer. More...
void	ed25519SelectInt (uint8_t *r, const uint8_t *a, const uint8_t *b, uint8_t c, uint_t n)
	Select an integer. More...
uint8_t	ed25519CompInt (const uint8_t *a, const uint8_t *b, uint_t n)
	Compare integers. More...

Detailed Description

Ed25519 elliptic curve (constant-time implementation)

License

SPDX-License-Identifier: GPL-2.0-or-later

Copyright (C) 2010-2025 Oryx Embedded SARL. All rights reserved.

This file is part of CycloneCRYPTO Open.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

Author

Oryx Embedded SARL (www.oryx-embedded.com)

Version

2.5.0

Definition in file ed25519.h.

Macro Definition Documentation

ED25519_PH_FLAG

#define ED25519_PH_FLAG   1

Definition at line 47 of file ed25519.h.

ED25519_PH_SIZE

#define ED25519_PH_SIZE   64

Definition at line 49 of file ed25519.h.

ED25519_PRIVATE_KEY_LEN

#define ED25519_PRIVATE_KEY_LEN   32

Definition at line 40 of file ed25519.h.

ED25519_PUBLIC_KEY_LEN

#define ED25519_PUBLIC_KEY_LEN   32

Definition at line 42 of file ed25519.h.

ED25519_SIGNATURE_LEN

#define ED25519_SIGNATURE_LEN   64

Definition at line 44 of file ed25519.h.

Function Documentation

ed25519Add()

void ed25519Add	(	Ed25519SubState *	state,
		Ed25519Point *	r,
		const Ed25519Point *	p,
		const Ed25519Point *	q
	)

Point addition.

Parameters

[in]	state	Pointer to the working state
[out]	r	Resulting point R = P + Q
[in]	p	First operand
[in]	q	Second operand

Definition at line 685 of file ed25519.c.

ed25519AddInt()

void ed25519AddInt	(	uint8_t *	r,
		const uint8_t *	a,
		const uint8_t *	b,
		uint_t	n
	)

Addition of two integers.

Parameters

[out]	r	Resulting integer R = A + B
[in]	a	An integer such as 0 <= A < (2^8)^n
[in]	b	An integer such as 0 <= B < (2^8)^n
[in]	n	Size of the operands, in bytes

Definition at line 909 of file ed25519.c.

ed25519CompInt()

uint8_t ed25519CompInt	(	const uint8_t *	a,
		const uint8_t *	b,
		uint_t	n
	)

Compare integers.

Parameters

[in]	a	Pointer to the first integer
[in]	b	Pointer to the second integer
[in]	n	Size of the integers, in bytes

Returns

The function returns 0 if the A = B, else 1

Definition at line 1064 of file ed25519.c.

ed25519CopyInt()

void ed25519CopyInt	(	uint8_t *	a,
		const uint8_t *	b,
		uint_t	n
	)

Copy an integer.

Parameters

[out]	a	Pointer to the destination integer
[in]	b	Pointer to the source integer
[in]	n	Size of the integers, in bytes

Definition at line 1017 of file ed25519.c.

ed25519Decode()

uint32_t ed25519Decode	(	Ed25519Point *	p,
		const uint8_t *	data
	)

Point decoding.

Parameters

[out]	p	Point representation
[in]	data	Octet string to be converted

Definition at line 803 of file ed25519.c.

ed25519Double()

void ed25519Double	(	Ed25519SubState *	state,
		Ed25519Point *	r,
		const Ed25519Point *	p
	)

Point doubling.

Parameters

[in]	state	Pointer to the working state
[out]	r	Resulting point R = 2 * P
[in]	p	Input point P

Definition at line 732 of file ed25519.c.

ed25519Encode()

void ed25519Encode	(	Ed25519Point *	p,
		uint8_t *	data
	)

Point encoding.

Parameters

[in]	p	Point representation
[out]	data	Octet string resulting from the conversion

Definition at line 773 of file ed25519.c.

ed25519GenerateKeyPair()

error_t ed25519GenerateKeyPair	(	const PrngAlgo *	prngAlgo,
		void *	prngContext,
		uint8_t *	privateKey,
		uint8_t *	publicKey
	)

EdDSA key pair generation.

Parameters

[in]	prngAlgo	PRNG algorithm
[in]	prngContext	Pointer to the PRNG context
[out]	privateKey	EdDSA private key (32 bytes)
[out]	publicKey	EdDSA public key (32 bytes)

Returns

Error code

Definition at line 116 of file ed25519.c.

ed25519GeneratePrivateKey()

error_t ed25519GeneratePrivateKey	(	const PrngAlgo *	prngAlgo,
		void *	prngContext,
		uint8_t *	privateKey
	)

EdDSA private key generation.

Parameters

[in]	prngAlgo	PRNG algorithm
[in]	prngContext	Pointer to the PRNG context
[out]	privateKey	EdDSA private key (32 bytes)

Returns

Error code

Definition at line 144 of file ed25519.c.

ed25519GeneratePublicKey()

error_t ed25519GeneratePublicKey	(	const uint8_t *	privateKey,
		uint8_t *	publicKey
	)

Derive the public key from an EdDSA private key.

Parameters

[in]	privateKey	EdDSA private key (32 bytes)
[out]	publicKey	EdDSA public key (32 bytes)

Returns

Error code

Definition at line 168 of file ed25519.c.

ed25519GenerateSignature()

error_t ed25519GenerateSignature	(	const uint8_t *	privateKey,
		const uint8_t *	publicKey,
		const void *	message,
		size_t	messageLen,
		const void *	context,
		uint8_t	contextLen,
		uint8_t	flag,
		uint8_t *	signature
	)

EdDSA signature generation.

Parameters

[in]	privateKey	Signer's EdDSA private key (32 bytes)
[in]	publicKey	Signer's EdDSA public key (32 bytes)
[in]	message	Pointer to the message to be signed
[in]	messageLen	Length of the message, in bytes
[in]	context	Constant string specified by the protocol using it
[in]	contextLen	Length of the context, in bytes
[in]	flag	Prehash flag for Ed25519ph scheme
[out]	signature	EdDSA signature (64 bytes)

Returns

Error code

Definition at line 234 of file ed25519.c.

ed25519GenerateSignatureEx()

error_t ed25519GenerateSignatureEx	(	const uint8_t *	privateKey,
		const uint8_t *	publicKey,
		const DataChunk *	message,
		uint_t	messageLen,
		const void *	context,
		uint8_t	contextLen,
		uint8_t	flag,
		uint8_t *	signature
	)

EdDSA signature generation.

Parameters

[in]	privateKey	Signer's EdDSA private key (32 bytes)
[in]	publicKey	Signer's EdDSA public key (32 bytes)
[in]	message	Array of data chunks representing the message to be signed
[in]	messageLen	Number of data chunks representing the message
[in]	context	Constant string specified by the protocol using it
[in]	contextLen	Length of the context, in bytes
[in]	flag	Prehash flag for Ed25519ph scheme
[out]	signature	EdDSA signature (64 bytes)

Returns

Error code

Definition at line 268 of file ed25519.c.

ed25519Mul()

void ed25519Mul	(	Ed25519SubState *	state,
		Ed25519Point *	r,
		const uint8_t *	k,
		const Ed25519Point *	p
	)

Scalar multiplication (regular calculation)

Parameters

[in]	state	Pointer to the working state
[out]	r	Resulting point R = k * P
[in]	k	Input scalar
[in]	p	Input point

Definition at line 573 of file ed25519.c.

ed25519MulInt()

void ed25519MulInt	(	uint8_t *	rl,
		uint8_t *	rh,
		const uint8_t *	a,
		const uint8_t *	b,
		uint_t	n
	)

Multiplication of two integers.

Parameters

[out]	rl	Low part of the result R = (A * B) mod (2^8)^n
[out]	rh	High part of the result R = (A * B) / (2^8)^n
[in]	a	An integer such as 0 <= A < (2^8)^n
[in]	b	An integer such as 0 <= B < (2^8)^n
[in]	n	Size of the operands, in bytes

Definition at line 962 of file ed25519.c.

ed25519RedInt()

void ed25519RedInt	(	uint8_t *	r,
		const uint8_t *	a
	)

Reduce an integer modulo L.

This function implements Barrett reduction with b = 2^8 and k = 32. The algorithm requires the precomputation of the quantity mu = b^(2 * k) / L

Parameters

[out]	r	Resulting integer R = A mod L
[in]	a	An integer such as 0 <= A < b^(2 * k)

Definition at line 874 of file ed25519.c.

ed25519SelectInt()

void ed25519SelectInt	(	uint8_t *	r,
		const uint8_t *	a,
		const uint8_t *	b,
		uint8_t	c,
		uint_t	n
	)

Select an integer.

Parameters

[out]	r	Pointer to the destination integer
[in]	a	Pointer to the first source integer
[in]	b	Pointer to the second source integer
[in]	c	Condition variable
[in]	n	Size of the integers, in bytes

Definition at line 1038 of file ed25519.c.

ed25519SubInt()

uint8_t ed25519SubInt	(	uint8_t *	r,
		const uint8_t *	a,
		const uint8_t *	b,
		uint_t	n
	)

Subtraction of two integers.

Parameters

[out]	r	Resulting integer R = A - B
[in]	a	An integer such as 0 <= A < (2^8)^n
[in]	b	An integer such as 0 <= B < (2^8)^n
[in]	n	Size of the operands, in bytes

Returns

1 if the result is negative, else 0

Definition at line 934 of file ed25519.c.

ed25519TwinMul()

void ed25519TwinMul	(	Ed25519SubState *	state,
		Ed25519Point *	r,
		const uint8_t *	k1,
		const Ed25519Point *	p,
		const uint8_t *	k2,
		const Ed25519Point *	q
	)

Twin multiplication.

Parameters

[in]	state	Pointer to the working state
[out]	r	Resulting point R = k1 * P + k2 * Q
[in]	k1	First input scalar
[in]	p	First input point
[in]	k2	Second input scalar
[in]	q	Second input point

Definition at line 621 of file ed25519.c.

ed25519VerifySignature()

error_t ed25519VerifySignature	(	const uint8_t *	publicKey,
		const void *	message,
		size_t	messageLen,
		const void *	context,
		uint8_t	contextLen,
		uint8_t	flag,
		const uint8_t *	signature
	)

EdDSA signature verification.

Parameters

[in]	publicKey	Signer's EdDSA public key (32 bytes)
[in]	message	Message whose signature is to be verified
[in]	messageLen	Length of the message, in bytes
[in]	context	Constant string specified by the protocol using it
[in]	contextLen	Length of the context, in bytes
[in]	flag	Prehash flag for Ed25519ph scheme
[in]	signature	EdDSA signature (64 bytes)

Returns

Error code

Definition at line 427 of file ed25519.c.

ed25519VerifySignatureEx()

error_t ed25519VerifySignatureEx	(	const uint8_t *	publicKey,
		const DataChunk *	message,
		uint_t	messageLen,
		const void *	context,
		uint8_t	contextLen,
		uint8_t	flag,
		const uint8_t *	signature
	)

EdDSA signature verification.

Parameters

[in]	publicKey	Signer's EdDSA public key (32 bytes)
[in]	message	Array of data chunks representing the message whose signature is to be verified
[in]	messageLen	Number of data chunks representing the message
[in]	contextLen	Length of the context, in bytes
[in]	flag	Prehash flag for Ed25519ph scheme
[in]	signature	EdDSA signature (64 bytes)

Returns

Error code

Definition at line 459 of file ed25519.c.