ed25519/readme.md

Ed25519
=======

This is a portable implementation of [Ed25519](http://ed25519.cr.yp.to/) based
on the SUPERCOP "ref10" implementation. All code is in the public domain.

All code is pure ANSI C without any dependencies, except for the random seed
generation which uses standard OS cryptography APIs (`CryptGenRandom` on Windows, `/dev/urandom` on *nix). If you wish to be entirely
portable define `ED25519_NO_SEED`. This disables the `ed25519_create_seed`
function, so if your application requires key generation you must supply your
own seeding function (simply a 32 byte random number generator).


Performance
-----------

On a machine with an Intel Pentium B970 @ 2.3GHz I got the following speeds (running
on only one a single core):

    Seed + key generation:             345us
    Message signing (short message):   256us
    Message verifying (short message): 777us

The speeds on other machines may vary. Sign/verify times will be higher with
longer messages.


Usage
-----

Simply add all .c and .h files in the `src/` folder to your project and include
`ed25519.h` in any file you want to use the API. If you prefer to use a shared
library, only copy `ed25519.h` and define `ED25519_DLL` before importing. A
windows DLL is pre-built.

There are no defined types for seeds, private keys, public keys or signatures.
Instead simple `unsigned char` buffers are used with the following sizes:

```c
unsigned char seed[32];
unsigned char signature[64];
unsigned char public_key[32];
unsigned char private_key[64];
unsigned char scalar[32];
```

API
---

```c
int ed25519_create_seed(unsigned char *seed);
```

Creates a 32 byte random seed in `seed` for key generation. `seed` must be a
writable 32 byte buffer. Returns 0 on success, and nonzero on failure.

```c
void ed25519_create_keypair(unsigned char *public_key, unsigned char *private_key, const unsigned char *seed);
```

Creates a new key pair from the given seed. `public_key` must be a writable 32
byte buffer, `private_key` must be a writable 64 byte buffer and `seed` must be
a 32 byte buffer.

```c
void ed25519_sign(unsigned char *signature,
                  const unsigned char *message, size_t message_len,
                  const unsigned char *public_key, const unsigned char *private_key);
```

Creates a signature of the given message with the given key pair. `signature`
must be a writable 64 byte buffer. `message` must have at least `message_len`
bytes to be read. 

```c
int ed25519_verify(const unsigned char *signature,
                   const unsigned char *message, size_t message_len,
                   const unsigned char *public_key);
```

Verifies the signature on the given message using `public_key`. `signature`
must be a readable 64 byte buffer. `message` must have at least `message_len`
bytes to be read. Returns 1 if the signature matches, 0 otherwise.

```c
void ed25519_add_scalar(unsigned char *public_key, unsigned char *private_key,
                        const unsigned char *scalar);
```

Adds `scalar` to the given key pair where scalar is a 32 byte buffer (possibly
generated with `ed25519_create_seed`), generating a new key pair. You can
calculate the public key sum without knowing the private key and vice versa by
passing in `NULL` for the key you don't know. This is useful for enforcing
randomness on a key pair while only knowing the public key, among other things.
Warning: the last bit of the scalar is ignored - if comparing scalars make sure
to clear it with `scalar[31] &= 127`.

Example
-------
```c
unsigned char seed[32], public_key[32], private_key[64], signature[64];
const unsigned char message[] = "TEST MESSAGE";

/* create a random seed, and a key pair out of that seed */
if (ed25519_create_seed(seed)) {
    printf("error while generating seed\n");
    exit(1);
}

ed25519_create_keypair(public_key, private_key, seed);

/* create signature on the message with the key pair */
ed25519_sign(signature, message, strlen(message), public_key, private_key);

/* verify the signature */
if (ed25519_verify(signature, message, strlen(message), public_key)) {
    printf("valid signature\n");
} else {
    printf("invalid signature\n");
}
```
docs 2013-01-22 05:04:36 -05:00			`Ed25519`
Update readme.md 2013-03-18 12:27:24 -04:00			`=======`
docs 2013-01-22 05:04:36 -05:00
docs and changed to void functions 2013-01-22 05:31:58 -05:00			`This is a portable implementation of [Ed25519](http://ed25519.cr.yp.to/) based`
			`on the SUPERCOP "ref10" implementation. All code is in the public domain.`
docs 2013-01-22 05:04:36 -05:00
more docs 2013-01-22 05:15:39 -05:00			`All code is pure ANSI C without any dependencies, except for the random seed`
Update readme.md 2013-03-18 12:27:24 -04:00			generation which uses standard OS cryptography APIs (`CryptGenRandom` on Windows, `/dev/urandom` on *nix). If you wish to be entirely
more work 2013-02-04 07:47:10 -05:00			portable define `ED25519_NO_SEED`. This disables the `ed25519_create_seed`
			`function, so if your application requires key generation you must supply your`
			`own seeding function (simply a 32 byte random number generator).`
docs 2013-01-22 05:51:53 -05:00

			`Performance`
			`-----------`

more work 2013-02-04 07:47:10 -05:00			`On a machine with an Intel Pentium B970 @ 2.3GHz I got the following speeds (running`
			`on only one a single core):`
docs 2013-01-22 05:51:53 -05:00
changed readme and test with performance figures 2013-02-04 07:42:59 -05:00			`Seed + key generation: 345us`
			`Message signing (short message): 256us`
			`Message verifying (short message): 777us`
docs 2013-01-22 05:51:53 -05:00
changed readme and test with performance figures 2013-02-04 07:42:59 -05:00			`The speeds on other machines may vary. Sign/verify times will be higher with`
			`longer messages.`
docs 2013-01-22 05:51:53 -05:00
more docs 2013-01-22 05:07:11 -05:00
docs 2013-01-22 05:04:36 -05:00			`Usage`
			`-----`

changed readme and test with performance figures 2013-02-04 07:42:59 -05:00			Simply add all .c and .h files in the `src/` folder to your project and include
			`ed25519.h` in any file you want to use the API. If you prefer to use a shared
			library, only copy `ed25519.h` and define `ED25519_DLL` before importing. A
			`windows DLL is pre-built.`
docs 2013-01-22 05:04:36 -05:00
changed readme and test with performance figures 2013-02-04 07:42:59 -05:00			`There are no defined types for seeds, private keys, public keys or signatures.`
			Instead simple `unsigned char` buffers are used with the following sizes:
docs 2013-01-22 05:04:36 -05:00
docs 2013-01-22 05:34:38 -05:00			```c
			`unsigned char seed[32];`
			`unsigned char signature[64];`
do not compress private keys - changed terminologiy from verify/sign to public/private 2013-02-04 07:34:01 -05:00			`unsigned char public_key[32];`
			`unsigned char private_key[64];`
added scalar in types 2013-02-04 11:57:09 -05:00			`unsigned char scalar[32];`
docs 2013-01-22 05:34:38 -05:00			```
more docs 2013-01-22 05:15:39 -05:00
			`API`
			`---`

docs 2013-01-22 05:34:38 -05:00			```c
			`int ed25519_create_seed(unsigned char *seed);`
			```
changed readme and test with performance figures 2013-02-04 07:42:59 -05:00
more docs 2013-01-22 05:15:39 -05:00			Creates a 32 byte random seed in `seed` for key generation. `seed` must be a
more docs 2013-01-22 05:22:43 -05:00			`writable 32 byte buffer. Returns 0 on success, and nonzero on failure.`
more docs 2013-01-22 05:15:39 -05:00
docs 2013-01-22 05:34:38 -05:00			```c
do not compress private keys - changed terminologiy from verify/sign to public/private 2013-02-04 07:34:01 -05:00			`void ed25519_create_keypair(unsigned char public_key, unsigned char private_key, const unsigned char *seed);`
docs 2013-01-22 05:34:38 -05:00			```
more docs 2013-01-22 05:15:39 -05:00
do not compress private keys - changed terminologiy from verify/sign to public/private 2013-02-04 07:34:01 -05:00			Creates a new key pair from the given seed. `public_key` must be a writable 32
changed readme and test with performance figures 2013-02-04 07:42:59 -05:00			byte buffer, `private_key` must be a writable 64 byte buffer and `seed` must be
			`a 32 byte buffer.`
more docs 2013-01-22 05:15:39 -05:00
docs 2013-01-22 05:34:38 -05:00			```c
			`void ed25519_sign(unsigned char *signature,`
Update readme.md 2013-03-13 06:36:02 -04:00			`const unsigned char *message, size_t message_len,`
			`const unsigned char public_key, const unsigned char private_key);`
docs 2013-01-22 05:34:38 -05:00			```
more docs 2013-01-22 05:22:43 -05:00
little docs improvements 2013-02-04 12:04:05 -05:00			Creates a signature of the given message with the given key pair. `signature`
			must be a writable 64 byte buffer. `message` must have at least `message_len`
			`bytes to be read.`
more docs 2013-01-22 05:22:43 -05:00
docs 2013-01-22 05:34:38 -05:00			```c
			`int ed25519_verify(const unsigned char *signature,`
			`const unsigned char *message, size_t message_len,`
do not compress private keys - changed terminologiy from verify/sign to public/private 2013-02-04 07:34:01 -05:00			`const unsigned char *public_key);`
docs 2013-01-22 05:34:38 -05:00			```
more docs 2013-01-22 05:22:43 -05:00
changed readme and test with performance figures 2013-02-04 07:42:59 -05:00			Verifies the signature on the given message using `public_key`. `signature`
			must be a readable 64 byte buffer. `message` must have at least `message_len`
little docs improvements 2013-02-04 12:04:05 -05:00			`bytes to be read. Returns 1 if the signature matches, 0 otherwise.`
more docs 2013-01-22 05:22:43 -05:00
added scalar addition 2013-02-04 11:56:19 -05:00			```c
			`void ed25519_add_scalar(unsigned char public_key, unsigned char private_key,`
			`const unsigned char *scalar);`
			```

little docs improvements 2013-02-04 12:04:05 -05:00			Adds `scalar` to the given key pair where scalar is a 32 byte buffer (possibly
			generated with `ed25519_create_seed`), generating a new key pair. You can
			`calculate the public key sum without knowing the private key and vice versa by`
Update readme.md 2013-02-04 12:14:11 -05:00			passing in `NULL` for the key you don't know. This is useful for enforcing
added warning about last bit being ignored on scalars 2013-02-04 12:12:19 -05:00			`randomness on a key pair while only knowing the public key, among other things.`
			`Warning: the last bit of the scalar is ignored - if comparing scalars make sure`
			to clear it with `scalar[31] &= 127`.
added scalar addition 2013-02-04 11:56:19 -05:00
more docs 2013-01-22 05:22:43 -05:00			`Example`
			`-------`
docs 2013-01-22 05:34:38 -05:00			```c
do not compress private keys - changed terminologiy from verify/sign to public/private 2013-02-04 07:34:01 -05:00			`unsigned char seed[32], public_key[32], private_key[64], signature[64];`
docs 2013-01-22 05:34:38 -05:00			`const unsigned char message[] = "TEST MESSAGE";`

little docs improvements 2013-02-04 12:04:05 -05:00			`/* create a random seed, and a key pair out of that seed */`
docs 2013-01-22 05:34:38 -05:00			`if (ed25519_create_seed(seed)) {`
			`printf("error while generating seed\n");`
			`exit(1);`
			`}`

do not compress private keys - changed terminologiy from verify/sign to public/private 2013-02-04 07:34:01 -05:00			`ed25519_create_keypair(public_key, private_key, seed);`
docs 2013-01-22 05:34:38 -05:00
little docs improvements 2013-02-04 12:04:05 -05:00			`/* create signature on the message with the key pair */`
do not compress private keys - changed terminologiy from verify/sign to public/private 2013-02-04 07:34:01 -05:00			`ed25519_sign(signature, message, strlen(message), public_key, private_key);`
docs 2013-01-22 05:34:38 -05:00
			`/* verify the signature */`
do not compress private keys - changed terminologiy from verify/sign to public/private 2013-02-04 07:34:01 -05:00			`if (ed25519_verify(signature, message, strlen(message), public_key)) {`
docs 2013-01-22 05:34:38 -05:00			`printf("valid signature\n");`
do not compress private keys - changed terminologiy from verify/sign to public/private 2013-02-04 07:34:01 -05:00			`} else {`
			`printf("invalid signature\n");`
docs 2013-01-22 05:34:38 -05:00			`}`
do not compress private keys - changed terminologiy from verify/sign to public/private 2013-02-04 07:34:01 -05:00			```