// Verify returns true iff sig is a valid signature of message by publicKey. func Verify(publicKey *[PublicKeySize]byte, message []byte, sig *[SignatureSize]byte) bool { if sig[63]&224 != 0 { return false } var A edwards25519.ExtendedGroupElement if !A.FromBytes(publicKey) { return false } edwards25519.FeNeg(&A.X, &A.X) edwards25519.FeNeg(&A.T, &A.T) h := sha512.New() h.Write(sig[:32]) h.Write(publicKey[:]) h.Write(message) var digest [64]byte h.Sum(digest[:0]) var hReduced [32]byte edwards25519.ScReduce(&hReduced, &digest) var R edwards25519.ProjectiveGroupElement var b [32]byte copy(b[:], sig[32:]) edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &b) var checkR [32]byte R.ToBytes(&checkR) return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1 }
// GenerateKey generates a public/private key pair using randomness from rand. func GenerateKey(rand io.Reader) (publicKey *[PublicKeySize]byte, privateKey *[PrivateKeySize]byte, err error) { privateKey = new([64]byte) publicKey = new([32]byte) _, err = io.ReadFull(rand, privateKey[:32]) if err != nil { return nil, nil, err } h := sha512.New() h.Write(privateKey[:32]) digest := h.Sum(nil) digest[0] &= 248 digest[31] &= 127 digest[31] |= 64 var A edwards25519.ExtendedGroupElement var hBytes [32]byte copy(hBytes[:], digest) edwards25519.GeScalarMultBase(&A, &hBytes) A.ToBytes(publicKey) copy(privateKey[32:], publicKey[:]) return }
// PublicKeyToCurve25519 converts an Ed25519 public key into the curve25519 // public key that would be generated from the same private key. func PublicKeyToCurve25519(curve25519Public *[32]byte, publicKey *[32]byte) bool { var A edwards25519.ExtendedGroupElement if !A.FromBytes(publicKey) { return false } // A.Z = 1 as a postcondition of FromBytes. var x edwards25519.FieldElement edwardsToMontgomeryX(&x, &A.Y) edwards25519.FeToBytes(curve25519Public, &x) return true }
func TestUnmarshalMarshal(t *testing.T) { pk, _, _ := GenerateKey(rand.Reader) var A edwards25519.ExtendedGroupElement ret := A.FromBytes(pk) var pk2 [32]byte A.ToBytes(&pk2) if *pk != pk2 { _ = ret t.Errorf("FromBytes(%v)->ToBytes not idempotent:\n%x\nbytes:\n\t%x\n\t%x\ndelta: %x\n", ret, A, *pk, pk2, int(pk[31])-int(pk2[31])) } }
func TestUnmarshalMarshalNegative(t *testing.T) { pk, _, _ := GenerateKey(rand.Reader) var A edwards25519.ExtendedGroupElement ret := A.FromBytes(pk) var pk2 [32]byte A.ToBytes(&pk2) pk2[31] ^= 0x80 if *pk == pk2 { t.Errorf("flipping sign did not change public key:\n%x\nbytes:\n\t%x\n\t%x\ndelta: %x\n", ret, A, *pk, pk2, int(pk[31])-int(pk2[31])) } }
func TestUnmarshalMarshal(t *testing.T) { pub, _, _ := GenerateKey(rand.Reader) var A edwards25519.ExtendedGroupElement if !A.FromBytes(pub) { t.Fatalf("ExtendedGroupElement.FromBytes failed") } var pub2 [32]byte A.ToBytes(&pub2) if *pub != pub2 { t.Errorf("FromBytes(%v)->ToBytes does not round-trip, got %x\n", *pub, pub2) } }
// Rederive an Ed25519 public key from a private key. func Ed25519RederivePublic(privateKey *[64]byte) (publicKey *[32]byte) { h := sha512.New() h.Write(privateKey[:32]) digest := h.Sum(nil) digest[0] &= 248 digest[31] &= 127 digest[31] |= 64 var A edwards25519.ExtendedGroupElement var hBytes [32]byte copy(hBytes[:], digest) edwards25519.GeScalarMultBase(&A, &hBytes) publicKey = new([32]byte) A.ToBytes(publicKey) return }
// MakePublicKey makes a publicKey from the first half of privateKey. func MakePublicKey(privateKey *[PrivateKeySize]byte) (publicKey *[PublicKeySize]byte) { publicKey = new([32]byte) h := sha512.New() h.Write(privateKey[:32]) digest := h.Sum(nil) digest[0] &= 248 digest[31] &= 127 digest[31] |= 64 var A edwards25519.ExtendedGroupElement var hBytes [32]byte copy(hBytes[:], digest) edwards25519.GeScalarMultBase(&A, &hBytes) A.ToBytes(publicKey) copy(privateKey[32:], publicKey[:]) return }
// Sign signs the message with privateKey and returns a signature. func Sign(privateKey *[PrivateKeySize]byte, message []byte) *[SignatureSize]byte { h := sha512.New() h.Write(privateKey[:32]) var digest1, messageDigest, hramDigest [64]byte var expandedSecretKey [32]byte h.Sum(digest1[:0]) copy(expandedSecretKey[:], digest1[:]) expandedSecretKey[0] &= 248 expandedSecretKey[31] &= 63 expandedSecretKey[31] |= 64 h.Reset() h.Write(digest1[32:]) h.Write(message) h.Sum(messageDigest[:0]) var messageDigestReduced [32]byte edwards25519.ScReduce(&messageDigestReduced, &messageDigest) var R edwards25519.ExtendedGroupElement edwards25519.GeScalarMultBase(&R, &messageDigestReduced) var encodedR [32]byte R.ToBytes(&encodedR) h.Reset() h.Write(encodedR[:]) h.Write(privateKey[32:]) h.Write(message) h.Sum(hramDigest[:0]) var hramDigestReduced [32]byte edwards25519.ScReduce(&hramDigestReduced, &hramDigest) var s [32]byte edwards25519.ScMulAdd(&s, &hramDigestReduced, &expandedSecretKey, &messageDigestReduced) signature := new([64]byte) copy(signature[:], encodedR[:]) copy(signature[32:], s[:]) return signature }
// Sign signs the message with privateKey and returns a signature. func Sign(privateKey *[32]byte, message []byte, random [64]byte) *[64]byte { // Calculate Ed25519 public key from Curve25519 private key var A edwards25519.ExtendedGroupElement var publicKey [32]byte edwards25519.GeScalarMultBase(&A, privateKey) A.ToBytes(&publicKey) // Calculate r diversifier := [32]byte{ 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF} var r [64]byte h := sha512.New() h.Write(diversifier[:]) h.Write(privateKey[:]) h.Write(message) h.Write(random[:]) h.Sum(r[:0]) // Calculate R var rReduced [32]byte edwards25519.ScReduce(&rReduced, &r) var R edwards25519.ExtendedGroupElement edwards25519.GeScalarMultBase(&R, &rReduced) var encodedR [32]byte R.ToBytes(&encodedR) // Calculate S = r + SHA2-512(R || A_ed || msg) * a (mod L) var hramDigest [64]byte h.Reset() h.Write(encodedR[:]) h.Write(publicKey[:]) h.Write(message) h.Sum(hramDigest[:0]) var hramDigestReduced [32]byte edwards25519.ScReduce(&hramDigestReduced, &hramDigest) var s [32]byte edwards25519.ScMulAdd(&s, &hramDigestReduced, privateKey, &rReduced) signature := new([64]byte) copy(signature[:], encodedR[:]) copy(signature[32:], s[:]) signature[63] |= publicKey[31] & 0x80 return signature }