| Crypt::Ed25519 - bare-bones Ed25519 public key signing/verification system |
Crypt::Ed25519 - bare-bones Ed25519 public key signing/verification system
use Crypt::Ed25519; # no symbols exported
############################################ # Ed25519 API - public/private keypair
# generate a public/private key pair once ($pubkey, $privkey) = Crypt::Ed25519::generate_keypair;
# sign a message $signature = Crypt::Ed25519::sign $message, $pubkey, $privkey;
# verify message $valid = Crypt::Ed25519::verify $message, $pubkey, $signature;
# verify, but croak on failure Crypt::Ed25519::verify_croak $message, $pubkey, $signature;
############################################ # EdDSA API - secret key and derived public key
# generate a secret key $secret = Crypt::EdDSA::eddsa_secret_key;
# derive public key as needed $pubkey = Crypt::EdDSA::eddsa_public_key $secret;
# sign a message $signature = Crypt::Ed25519::eddsa_sign $message, $pubkey, $secret;
# verify message $valid = Crypt::Ed25519::eddsa_verify $message, $pubkey, $signature;
# verify, but croak on failure Crypt::Ed25519:eddsa_verify_croak $message, $pubkey, $signature;
This module implements Ed25519 public key generation, message signing and verification. It is a pretty bare-bones implementation that implements the standard Ed25519 variant with SHA512 hash, as well as a slower API compatible with the upcoming EdDSA RFC.
The security target for Ed25519 is to be equivalent to 3000 bit RSA or AES-128.
The advantages of Ed25519 over most other signing algorithms are: small public/private key and signature sizes (<= 64 octets), good key generation, signing and verification performance, no reliance on random number generators for signing and by-design immunity against branch or memory access pattern side-channel attacks.
More detailed praise and other info can be found at http://ed25519.cr.yp.to/index.html.
A word of caution: don't use this module unless you really know what you are doing - even if this module were completely error-free, that still doesn't mean that every way of using it is correct. When in doubt, it's best not to design your own cryptographic protocol.
Public/private/secret keys, messages and signatures are all opaque and architecture-independent octet strings, and, except for the message, have fixed lengths.
$secret_key (e.g. as returned by Crypt::Ed25519::eddsa_secret_key.
The derivation is deterministic, i.e. a specific $secret_key will
always result in the same keypair.
A secret key is simply a random bit string, so if you have a good source of key material, you can simply generate 32 octets from it and use this as your secret key.
$message, $public_key
and $private_key, i.e. no external source of randomness is required for
signing.
$signature is valid for the $message and $public_ke.
Crypt::Ed25519::verify, but instead of returning a boolean,
simply croaks with an error message when the signature isn't valid, so you
don't have to think about what the return value really means.
The upcoming EdDSA draft RFC uses a slightly different (and slower) API for Ed25519. This API is provided by the following functions:
Crypt::Ed25519::eddsa_public_key and is not the same as the private key
used in the Ed25519 API.
A secret key is simply a random bit string, so if you have a good source of key material, you can simply generate 32 octets from it and use this as your secret key.
Crypt::Ed25519::eddsa_secret_key
and returns the corresponding $public_key. The derivation ios
deterministic, i.e. the $public_key generated for a specific
$secret_key is always the same.
This public key corresponds to the public key in the Ed25519 API above.
$secret_key, this function is identical
to Crypt::Ed25519::sign, so everything said about it is true for this
function as well.
Internally, Crypt::Ed25519::eddsa_sign derives the corresponding
private key first and then calls Crypt::Ed25519::sign, so it is always
slower.
Crypt::Ed25519::verify and
Crypt::Ed25519::verify_croak, i.e. the functions without the eddsa_
prefix. These aliases are provided so it's clear that you are using EdDSA
and not Ed25519 API.
The Ed25519 and EdDSA compatible APIs handle keys slightly differently: The Ed25519 API gives you a public/private key pair, while EdDSA takes a secret and generates a public key from it.
You can convert an EdDSA secret to an Ed25519 private/public key pair
using Crypt::Ed25519::generate_keypair:
($public_key, $private_key) = Crypt::Ed25519::generate_keypair $secret
As such, the EdDSA-style API allows you to store only the secret key and derive the public key as needed. On the other hand, signing using the private key is faster than using the secret key, so converting the secret key to a public/private key pair allows you to sign a small message, or many messages, faster.
This module currently uses ``Nightcracker's Ed25519'' implementation, which is unmodified except for some portability fixes and static delcarations, but the interface is kept implementation-agnostic to allow usage of other implementations in the future.
Marc Lehmann <schmorp@schmorp.de> http://sfotware.schmorp.de/pkg/Crypt-Ed25519.html
| Crypt::Ed25519 - bare-bones Ed25519 public key signing/verification system |