Boring crypto that simply works

public key signatures

#include <monocypher-ed25519.h>

crypto_ed25519_sign(uint8_t signature[64], const uint8_t secret_key[64], const uint8_t *message, size_t message_size);

crypto_ed25519_check(const uint8_t signature[64], const uint8_t public_key[32], const uint8_t *message, size_t message_size);

crypto_ed25519_key_pair(uint8_t secret_key[64], uint8_t public_key[32], uint8_t seed[32]);

crypto_ed25519_ph_sign(uint8_t signature[64], const uint8_t secret_key[64], const uint8_t message_hash[64]);

crypto_ed25519_ph_check(const uint8_t signature[64], const uint8_t public_key[32], const uint8_t message_hash[64]);

The () and () functions provide Ed25519 public key signatures and verification with SHA-512 as the underlying hash function. They are interoperable with other Ed25519 implementations. If you have no interoperability requirements, prefer crypto_eddsa_sign().

The arguments and security considerations are the same as those described in crypto_eddsa_sign().

() and () implement Ed25519ph. To sign or check a message, first hash the message with crypto_sha512(), then process the resulting message_hash.

crypto_ed25519_key_pair(), crypto_ed25519_sign(), and crypto_ed25519_ph_sign() return nothing.

crypto_ed25519_check() and crypto_ed25519_ph_check() returns 0 for legitimate messages and -1 for forgeries.

crypto_eddsa_sign(), crypto_x25519(), crypto_aead_lock(), crypto_sha512(), intro()

These functions implement Ed25519 as described in RFC 8032.

The crypto_ed25519_sign(), crypto_ed25519_check(), and crypto_ed25519_public_key() functions appeared in Monocypher 3.0.0. They replace recompilation of Monocypher with the ED25519_SHA512 preprocessor definition.

In Monocypher 4.0.0, the incremental and custom hash API removed. The main interface was also reworked to avoid misuse, and crypto_ed25519_key_pair() replaced crypto_ed25519_public_key().

Monocypher does not perform any input validation. Any deviation from the specified input and output length ranges results in . Make sure your inputs are correct.

Signature malleability is the ability of an attacker to produce a valid signature with knowledge of only an existing signature and the public key. Monocypher prevents that by checking the encoding of the signature, and guarantees that generating new signatures requires the private key.

On the other hand, EdDSA signatures are not unique like cryptographic hashes. The signing procedure is deterministic by specification and crypto_ed25519_sign() follows this specification. However, someone with the private key can generate arbitrarily many valid, canonical, and different signatures of the same message. Because of this, never assume that signatures are unique.

Fault injection (also known as glitching) and power analysis may be used to manipulate the resulting signature and recover the secret key in some cases. This requires hardware access. We can try to mitigate this attack by prefixing all hashes a random data block, in a construction similar to Ed25519ctx. Note that there may still be other power-related side channels (such as if the CPU leaks information when an operation overflows a register) that must be considered.

March 1, 2022 Debian