ed25519.h
Go to the documentation of this file.
1 /**
2  * @file ed25519.h
3  * @brief Ed25519 elliptic curve (constant-time implementation)
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneCRYPTO Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 2.4.4
29  **/
30 
31 #ifndef _ED25519_H
32 #define _ED25519_H
33 
34 //Dependencies
35 #include "core/crypto.h"
36 #include "ecc/eddsa.h"
37 #include "hash/sha512.h"
38 
39 //Length of EdDSA private keys
40 #define ED25519_PRIVATE_KEY_LEN 32
41 //Length of EdDSA public keys
42 #define ED25519_PUBLIC_KEY_LEN 32
43 //Length of EdDSA signatures
44 #define ED25519_SIGNATURE_LEN 64
45 
46 //Ed25519ph flag
47 #define ED25519_PH_FLAG 1
48 //Prehash function output size
49 #define ED25519_PH_SIZE 64
50 
51 //C++ guard
52 #ifdef __cplusplus
53 extern "C" {
54 #endif
55 
56 
57 /**
58  * @brief Extended point representation
59  **/
60 
61 typedef struct
62 {
63  uint32_t x[8];
64  uint32_t y[8];
65  uint32_t z[8];
66  uint32_t t[8];
67 } Ed25519Point;
68 
69 
70 /**
71  * @brief Ed25519 working state
72  **/
73 
74 typedef struct
75 {
76  Sha512Context sha512Context;
77  uint8_t k[64];
78  uint8_t p[32];
79  uint8_t r[32];
80  uint8_t s[32];
81  Ed25519Point ka;
82  Ed25519Point rb;
83  Ed25519Point sb;
84  Ed25519Point u;
85  Ed25519Point v;
86  uint32_t a[8];
87  uint32_t b[8];
88  uint32_t c[8];
89  uint32_t d[8];
90  uint32_t e[8];
91  uint32_t f[8];
92  uint32_t g[8];
93  uint32_t h[8];
94 } Ed25519State;
95 
96 
97 //Ed25519 related functions
98 error_t ed25519GenerateKeyPair(const PrngAlgo *prngAlgo, void *prngContext,
99  uint8_t *privateKey, uint8_t *publicKey);
100 
101 error_t ed25519GeneratePrivateKey(const PrngAlgo *prngAlgo, void *prngContext,
102  uint8_t *privateKey);
103 
104 error_t ed25519GeneratePublicKey(const uint8_t *privateKey, uint8_t *publicKey);
105 
106 error_t ed25519GenerateSignature(const uint8_t *privateKey,
107  const uint8_t *publicKey, const void *message, size_t messageLen,
108  const void *context, uint8_t contextLen, uint8_t flag, uint8_t *signature);
109 
110 error_t ed25519GenerateSignatureEx(const uint8_t *privateKey,
111  const uint8_t *publicKey, const DataChunk *messageChunks,
112  const void *context, uint8_t contextLen, uint8_t flag, uint8_t *signature);
113 
114 error_t ed25519VerifySignature(const uint8_t *publicKey, const void *message,
115  size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag,
116  const uint8_t *signature);
117 
118 error_t ed25519VerifySignatureEx(const uint8_t *publicKey,
119  const DataChunk *messageChunks, const void *context,
120  uint8_t contextLen, uint8_t flag, const uint8_t *signature);
121 
122 void ed25519Mul(Ed25519State *state, Ed25519Point *r, const uint8_t *k,
123  const Ed25519Point *p);
124 
125 void ed25519Add(Ed25519State *state, Ed25519Point *r, const Ed25519Point *p,
126  const Ed25519Point *q);
127 
128 void ed25519Double(Ed25519State *state, Ed25519Point *r, const Ed25519Point *p);
129 
130 void ed25519Encode(Ed25519Point *p, uint8_t *data);
131 uint32_t ed25519Decode(Ed25519Point *p, const uint8_t *data);
132 
133 void ed25519RedInt(uint8_t *r, const uint8_t *a);
134 
135 void ed25519AddInt(uint8_t *r, const uint8_t *a, const uint8_t *b, uint_t n);
136 uint8_t ed25519SubInt(uint8_t *r, const uint8_t *a, const uint8_t *b, uint_t n);
137 
138 void ed25519MulInt(uint8_t *rl, uint8_t *rh, const uint8_t *a,
139  const uint8_t *b, uint_t n);
140 
141 void ed25519CopyInt(uint8_t *a, const uint8_t *b, uint_t n);
142 
143 void ed25519SelectInt(uint8_t *r, const uint8_t *a, const uint8_t *b,
144  uint8_t c, uint_t n);
145 
146 uint8_t ed25519CompInt(const uint8_t *a, const uint8_t *b, uint_t n);
147 
148 //C++ guard
149 #ifdef __cplusplus
150 }
151 #endif
152 
153 #endif
Ed25519State
Ed25519 working state.
Definition: ed25519.h:75
b
uint8_t b
Definition: nbns_common.h:104
ed25519Mul
void ed25519Mul(Ed25519State *state, Ed25519Point *r, const uint8_t *k, const Ed25519Point *p)
Scalar multiplication on Ed25519 curve.
Definition: ed25519.c:575
Ed25519Point
Extended point representation.
Definition: ed25519.h:62
a
uint8_t a
Definition: ndp.h:411
ed25519GenerateKeyPair
error_t ed25519GenerateKeyPair(const PrngAlgo *prngAlgo, void *prngContext, uint8_t *privateKey, uint8_t *publicKey)
EdDSA key pair generation.
Definition: ed25519.c:116
ed25519SubInt
uint8_t ed25519SubInt(uint8_t *r, const uint8_t *a, const uint8_t *b, uint_t n)
Subtraction of two integers.
Definition: ed25519.c:852
ed25519CopyInt
void ed25519CopyInt(uint8_t *a, const uint8_t *b, uint_t n)
Copy an integer.
Definition: ed25519.c:935
PrngAlgo
#define PrngAlgo
Definition: crypto.h:938
ed25519Double
void ed25519Double(Ed25519State *state, Ed25519Point *r, const Ed25519Point *p)
Point doubling.
Definition: ed25519.c:664
p
uint8_t p
Definition: ndp.h:300
x
uint8_t x
Definition: lldp_ext_med.h:211
ed25519GenerateSignatureEx
error_t ed25519GenerateSignatureEx(const uint8_t *privateKey, const uint8_t *publicKey, const DataChunk *messageChunks, const void *context, uint8_t contextLen, uint8_t flag, uint8_t *signature)
EdDSA signature generation.
Definition: ed25519.c:271
Ed25519State::rb
Ed25519Point rb
Definition: ed25519.h:82
message
uint8_t message[]
Definition: chap.h:154
t
uint8_t t
Definition: lldp_ext_med.h:212
data
uint8_t data[]
Definition: ethernet.h:222
sha512.h
SHA-512 (Secure Hash Algorithm 512)
ed25519GeneratePublicKey
error_t ed25519GeneratePublicKey(const uint8_t *privateKey, uint8_t *publicKey)
Derive the public key from an EdDSA private key.
Definition: ed25519.c:168
r
uint8_t r
Definition: ndp.h:346
ed25519RedInt
void ed25519RedInt(uint8_t *r, const uint8_t *a)
Reduce an integer modulo L.
Definition: ed25519.c:792
h
uint8_t h
Definition: ndp.h:302
ed25519Decode
uint32_t ed25519Decode(Ed25519Point *p, const uint8_t *data)
Point decoding.
Definition: ed25519.c:725
ed25519SelectInt
void ed25519SelectInt(uint8_t *r, const uint8_t *a, const uint8_t *b, uint8_t c, uint_t n)
Select an integer.
Definition: ed25519.c:956
error_t
error_t
Error codes.
Definition: error.h:43
Ed25519State::v
Ed25519Point v
Definition: ed25519.h:85
ed25519Encode
void ed25519Encode(Ed25519Point *p, uint8_t *data)
Point encoding.
Definition: ed25519.c:700
eddsa.h
EdDSA (Edwards-Curve Digital Signature Algorithm)
Sha512Context
SHA-512 algorithm context.
Definition: sha512.h:62
ed25519GenerateSignature
error_t ed25519GenerateSignature(const uint8_t *privateKey, const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, uint8_t *signature)
EdDSA signature generation.
Definition: ed25519.c:236
crypto.h
General definitions for cryptographic algorithms.
ed25519GeneratePrivateKey
error_t ed25519GeneratePrivateKey(const PrngAlgo *prngAlgo, void *prngContext, uint8_t *privateKey)
EdDSA private key generation.
Definition: ed25519.c:144
Ed25519State::sha512Context
Sha512Context sha512Context
Definition: ed25519.h:76
ed25519VerifySignatureEx
error_t ed25519VerifySignatureEx(const uint8_t *publicKey, const DataChunk *messageChunks, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
EdDSA signature verification.
Definition: ed25519.c:463
z
uint8_t z
Definition: dns_common.h:191
DataChunk
Data chunk descriptor.
Definition: crypto.h:981
Ed25519State::u
Ed25519Point u
Definition: ed25519.h:84
Ed25519State::ka
Ed25519Point ka
Definition: ed25519.h:81
n
uint8_t n
Definition: dhcpv6_common.h:416
ed25519MulInt
void ed25519MulInt(uint8_t *rl, uint8_t *rh, const uint8_t *a, const uint8_t *b, uint_t n)
Multiplication of two integers.
Definition: ed25519.c:880
s
uint8_t s
Definition: igmp_common.h:234
Ed25519State::sb
Ed25519Point sb
Definition: ed25519.h:83
ed25519AddInt
void ed25519AddInt(uint8_t *r, const uint8_t *a, const uint8_t *b, uint_t n)
Addition of two integers.
Definition: ed25519.c:827
uint_t
unsigned int uint_t
Definition: compiler_port.h:50
ed25519Add
void ed25519Add(Ed25519State *state, Ed25519Point *r, const Ed25519Point *p, const Ed25519Point *q)
Point addition.
Definition: ed25519.c:621
ed25519CompInt
uint8_t ed25519CompInt(const uint8_t *a, const uint8_t *b, uint_t n)
Compare integers.
Definition: ed25519.c:982
c
uint8_t c
Definition: ndp.h:514
ed25519VerifySignature
error_t ed25519VerifySignature(const uint8_t *publicKey, const void *message, size_t messageLen, const void *context, uint8_t contextLen, uint8_t flag, const uint8_t *signature)
EdDSA signature verification.
Definition: ed25519.c:429