CRYPTO_SIGN_INIT_FIRST_PASS(3MONOCYPHER) 3MONOCYPHER CRYPTO_SIGN_INIT_FIRST_PASS(3MONOCYPHER)

NAME

crypto_sign_init_first_pass, crypto_sign_update, crypto_sign_final, crypto_sign_init_second_pass, crypto_check_init, crypto_check_update, crypto_check_finalincremental public key signatures

SYNOPSIS

#include <monocypher.h>
void
crypto_sign_init_first_pass(crypto_sign_ctx *ctx, const uint8_t secret_key[32], const uint8_t public_key[32]);
void
crypto_sign_update(crypto_sign_ctx *ctx, const uint8_t *message, size_t message_size);
void
crypto_sign_final(crypto_sign_ctx *ctx, uint8_t signature[64]);
void
crypto_sign_init_second_pass(crypto_sign_ctx *ctx);
void
crypto_check_init(crypto_check_ctx *ctx, const uint8_t signature[64], const uint8_t public_key[32]);
void
crypto_check_update(crypto_check_ctx *ctx, const uint8_t *message, size_t message_size);
int
crypto_check_final(crypto_check_ctx *ctx);

DESCRIPTION

These functions are variants of crypto_sign(3monocypher) and crypto_check(3monocypher). Prefer those simpler functions if possible.
The arguments are the same as those described in crypto_sign(3monocypher).
This incremental interface can be used to sign or verify messages too large to fit in a single buffer. The arguments are the same as the direct interface described in crypto_sign(3monocypher).
The direct and incremental interface produce and accept the same signatures.
Signing is done in two passes. This requires five steps:
Verification requires three steps:

RETURN VALUES

crypto_sign_init_first_pass(), crypto_sign_init_second_pass(), crypto_sign_update(), crypto_sign_final(), crypto_check_init() and crypto_check_update() return nothing.
crypto_check_final() returns 0 for legitimate messages and -1 for forgeries.

EXAMPLES

Sign a message:
const uint8_t sk       [ 32]; /* Secret key            */ 
const uint8_t pk       [ 32]; /* Public key (optional) */ 
const uint8_t message  [500]; /* Message to sign       */ 
uint8_t       signature[ 64]; /* Output signature      */ 
crypto_sign_ctx ctx; 
crypto_sign_init_first_pass(&ctx, sk, pk); 
/* Wipe the secret key if no longer needed */ 
crypto_wipe(sk, 32); 
for (size_t i = 0; i < 500; i += 100) { 
    crypto_sign_update(&ctx, message + i, 100); 
} 
crypto_sign_init_second_pass(&ctx); 
for (size_t i = 0; i < 500; i += 100) { 
    crypto_sign_update(&ctx, message + i, 100); 
} 
crypto_sign_final(&ctx, signature);
Check the above:
const uint8_t pk       [ 32]; /* Public key         */ 
const uint8_t message  [500]; /* Message to sign    */ 
const uint8_t signature[ 64]; /* Signature to check */ 
crypto_check_ctx ctx; 
crypto_check_init(&ctx, signature, pk); 
for (size_t i = 0; i < 500; i += 100) { 
    crypto_check_update(&ctx, message + i, 100); 
} 
if (crypto_check_final(&ctx)) { 
    /* Message is corrupted, abort processing */ 
} else { 
    /* Message is genuine */ 
} 

SEE ALSO

crypto_blake2b(3monocypher), crypto_key_exchange(3monocypher), crypto_lock(3monocypher), crypto_sign(3monocypher), crypto_wipe(3monocypher), intro(3monocypher)

STANDARDS

These functions implement PureEdDSA with Curve25519 and Blake2b, as described in RFC 8032. This is the same as Ed25519, with Blake2b instead of SHA-512.

HISTORY

The crypto_sign_init_first_pass(), crypto_sign_update(), crypto_sign_final(), crypto_sign_init_second_pass(), crypto_check_init(), crypto_check_update(), and crypto_check_final() functions first appeared in Monocypher 1.1.0.
A critical security vulnerability that caused all-zero signatures to be accepted was introduced in Monocypher 0.3; it was fixed in Monocypher 1.1.1 and 2.0.4.

SECURITY CONSIDERATIONS

Messages are not verified until the call to crypto_check_final(). Messages may be stored before they are verified, but they cannot be trusted. Processing untrusted messages increases the attack surface of the system. Doing so securely is hard. Do not process messages before calling crypto_check_final().
When signing messages, the security considerations documented in crypto_sign(3monocypher) also apply.

IMPLEMENTATION DETAILS

EdDSA signatures require two passes that cannot be performed in parallel. There are ways around this limitation, but they all lower security in some way. For this reason, Monocypher does not support them.
December 28, 2017 Linux 4.15.0-65-generic