EdDSA

HACL Packages provides the Ed25519 instantiation of EdDSA, i.e., EdDSA signing and verification on the edwards25519 curve.

Two APIs are exposed: A (simple) “One-Shot” API to sign/verify a single message and a (more efficient) “Precomputed” API to sign multiple messages under the same (precomputed) key.

API Reference

void Hacl_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key)

Compute the public key from the private key.

The outparam public_key points to 32 bytes of valid memory, i.e., uint8_t[32]. The argument private_key points to 32 bytes of valid memory, i.e., uint8_t[32].

One-Shot

void Hacl_Ed25519_sign(uint8_t *signature, uint8_t *private_key, uint32_t msg_len, uint8_t *msg)

Create an Ed25519 signature.

The outparam signature points to 64 bytes of valid memory, i.e., uint8_t[64]. The argument private_key points to 32 bytes of valid memory, i.e., uint8_t[32]. The argument msg points to msg_len bytes of valid memory, i.e., uint8_t[msg_len].

The function first calls expand_keys and then invokes sign_expanded.

If one needs to sign several messages under the same private key, it is more efficient to call expand_keys only once and sign_expanded multiple times, for each message.

bool Hacl_Ed25519_verify(uint8_t *public_key, uint32_t msg_len, uint8_t *msg, uint8_t *signature)

Verify an Ed25519 signature.

The function returns true if the signature is valid and false otherwise.

The argument public_key points to 32 bytes of valid memory, i.e., uint8_t[32]. The argument msg points to msg_len bytes of valid memory, i.e., uint8_t[msg_len]. The argument signature points to 64 bytes of valid memory, i.e., uint8_t[64].

Example

Precomputed

void Hacl_Ed25519_expand_keys(uint8_t *expanded_keys, uint8_t *private_key)

Compute the expanded keys for an Ed25519 signature.

The outparam expanded_keys points to 96 bytes of valid memory, i.e., uint8_t[96]. The argument private_key points to 32 bytes of valid memory, i.e., uint8_t[32].

If one needs to sign several messages under the same private key, it is more efficient to call expand_keys only once and sign_expanded multiple times, for each message.

void Hacl_Ed25519_sign_expanded(uint8_t *signature, uint8_t *expanded_keys, uint32_t msg_len, uint8_t *msg)

Create an Ed25519 signature with the (precomputed) expanded keys.

The outparam signature points to 64 bytes of valid memory, i.e., uint8_t[64]. The argument expanded_keys points to 96 bytes of valid memory, i.e., uint8_t[96]. The argument msg points to msg_len bytes of valid memory, i.e., uint8_t[msg_len].

The argument expanded_keys is obtained through expand_keys.

If one needs to sign several messages under the same private key, it is more efficient to call expand_keys only once and sign_expanded multiple times, for each message.

Example