| CRYPTO_ED25519_SIGN(3MONOCYPHER) | 3MONOCYPHER | CRYPTO_ED25519_SIGN(3MONOCYPHER) |
NAME
public key signaturesSYNOPSIS
#include
<monocypher-ed25519.h>
void
crypto_ed25519_sign(uint8_t
signature[64], const uint8_t secret_key[64],
const uint8_t *message, size_t
message_size);
int
crypto_ed25519_check(const uint8_t
signature[64], const uint8_t public_key[32],
const uint8_t *message, size_t
message_size);
void
crypto_ed25519_key_pair(uint8_t
secret_key[64], uint8_t public_key[32],
uint8_t seed[32]);
void
crypto_ed25519_ph_sign(uint8_t
signature[64], const uint8_t secret_key[64],
const uint8_t message_hash[64]);
int
crypto_ed25519_ph_check(const uint8_t
signature[64], const uint8_t public_key[32],
const uint8_t message_hash[64]);
DESCRIPTION
The
crypto_ed25519_sign()
and
crypto_ed25519_check()
functions provide Ed25519 public key signatures and verification with
SHA-512 as the underlying hash function. They are interoperable with other
Ed25519 implementations. If you have no interoperability requirements,
prefer
crypto_eddsa_sign().
The arguments and security considerations are the same as those described in crypto_eddsa_sign().
crypto_ed25519_ph_sign()
and
crypto_ed25519_ph_check()
implement Ed25519ph. To sign or check a message, first hash the message with
crypto_sha512(), then
process the resulting message_hash.
RETURN VALUES
crypto_ed25519_key_pair(),
crypto_ed25519_sign(), and
crypto_ed25519_ph_sign() return nothing.
crypto_ed25519_check() and
crypto_ed25519_ph_check() returns 0 for legitimate
messages and -1 for forgeries.
SEE ALSO
crypto_eddsa_sign(), crypto_x25519(), crypto_aead_lock(), crypto_sha512(), intro()
STANDARDS
These functions implement Ed25519 as described in RFC 8032.
HISTORY
The crypto_ed25519_sign(),
crypto_ed25519_check(), and
crypto_ed25519_public_key() functions appeared in
Monocypher 3.0.0. They replace recompilation of Monocypher with the
ED25519_SHA512 preprocessor definition.
In Monocypher 4.0.0, the incremental and custom hash API removed.
The main interface was also reworked to avoid misuse, and
crypto_ed25519_key_pair() replaced
crypto_ed25519_public_key().
CAVEATS
Monocypher does not perform any input validation. Any deviation from the specified input and output length ranges results in undefined behaviour. Make sure your inputs are correct.
SECURITY CONSIDERATIONS
Signature malleability
Signature malleability is the ability of an attacker to produce a valid signature with knowledge of only an existing signature and the public key. Monocypher prevents that by checking the encoding of the signature, and guarantees that generating new signatures requires the private key.
On the other hand, EdDSA signatures are not unique like
cryptographic hashes. The signing procedure is deterministic by
specification and crypto_ed25519_sign() follows this
specification. However, someone with the private key can generate
arbitrarily many valid, canonical, and different signatures of the same
message. Because of this, never assume that signatures are unique.
Fault injection and power analysis
Fault injection (also known as glitching) and power analysis may be used to manipulate the resulting signature and recover the secret key in some cases. This requires hardware access. We can try to mitigate this attack by prefixing all hashes a random data block, in a construction similar to Ed25519ctx. Note that there may still be other power-related side channels (such as if the CPU leaks information when an operation overflows a register) that must be considered.
| March 1, 2022 | Debian |