File Coverage

blib/lib/Crypt/Ed25519.pm
Criterion Covered Total %
statement 3 3 100.0
branch n/a
condition n/a
subroutine 1 1 100.0
pod n/a
total 4 4 100.0


line stmt bran cond sub pod time code
1             =head1 NAME
2              
3             Crypt::Ed25519 - bare-bones Ed25519 public key signing/verification system
4              
5             =head1 SYNOPSIS
6              
7             use Crypt::Ed25519; # no symbols exported
8              
9             ############################################
10             # Ed25519 API - public/private keypair
11              
12             # generate a public/private key pair once
13             ($pubkey, $privkey) = Crypt::Ed25519::generate_keypair;
14              
15             # sign a message
16             $signature = Crypt::Ed25519::sign $message, $pubkey, $privkey;
17              
18             # verify message
19             $valid = Crypt::Ed25519::verify $message, $pubkey, $signature;
20              
21             # verify, but croak on failure
22             Crypt::Ed25519::verify_croak $message, $pubkey, $signature;
23              
24             ############################################
25             # EdDSA API - secret key and derived public key
26              
27             # generate a secret key
28             $secret = Crypt::EdDSA::eddsa_secret_key;
29              
30             # derive public key as needed
31             $pubkey = Crypt::EdDSA::eddsa_public_key $secret;
32              
33             # sign a message
34             $signature = Crypt::Ed25519::eddsa_sign $message, $pubkey, $secret;
35              
36             # verify message
37             $valid = Crypt::Ed25519::eddsa_verify $message, $pubkey, $signature;
38              
39             # verify, but croak on failure
40             Crypt::Ed25519:eddsa_verify_croak $message, $pubkey, $signature;
41              
42             ############################################
43             # Key exchange
44              
45             # side A:
46             ($pubkey_a, $privkey_a) = Crypt::Ed25519::generate_keypair;
47             # send $pubkey to side B
48              
49             # side B:
50             ($pubkey_b, $privkey_b) = Crypt::Ed25519::generate_keypair;
51             # send $pubkey to side A
52              
53             # side A then calculates their shared secret:
54             $shared_secret = Crypt::Ed25519::key_exchange $pubkey_b, $privkey_a;
55              
56             # and side B does this:
57             $shared_secret = Crypt::Ed25519::key_exchange $pubkey_a, $privkey_b;
58              
59             # the generated $shared_secret will be the same - you cna now
60             # hash it with hkdf or something else to generate symmetric private keys
61              
62             =head1 DESCRIPTION
63              
64             This module implements Ed25519 public key generation, message signing and
65             verification. It is a pretty bare-bones implementation that implements
66             the standard Ed25519 variant with SHA512 hash, as well as a slower API
67             compatible with the upcoming EdDSA RFC.
68              
69             The security target for Ed25519 is to be equivalent to 3000 bit RSA or
70             AES-128.
71              
72             The advantages of Ed25519 over most other signing algorithms are:
73             small public/private key and signature sizes (<= 64 octets), good key
74             generation, signing and verification performance, no reliance on random
75             number generators for signing and by-design immunity against branch or
76             memory access pattern side-channel attacks.
77              
78             More detailed praise and other info can be found at
79             L.
80              
81             =head1 CRYPTOGRAPHY IS HARD
82              
83             A word of caution: don't use this module unless you really know what you
84             are doing - even if this module were completely error-free, that still
85             doesn't mean that every way of using it is correct. When in doubt, it's
86             best not to design your own cryptographic protocol.
87              
88             =head1 CONVENTIONS
89              
90             Public/private/secret keys, messages and signatures are all opaque and
91             architecture-independent octet strings, and, except for the message, have
92             fixed lengths.
93              
94             =cut
95              
96             package Crypt::Ed25519;
97              
98             BEGIN {
99 3     3   1740 $VERSION = 1.05;
100              
101 3         31 require XSLoader;
102 3         1631 XSLoader::load Crypt::Ed25519::, $VERSION;
103             }
104              
105             =head1 Ed25519 API
106              
107             =over 4
108              
109             =item ($public_key, $private_key) = Crypt::Ed25519::generate_keypair
110              
111             Creates and returns a new random public and private key pair. The public
112             key is always 32 octets, the private key is always 64 octets long.
113              
114             =item ($public_key, $private_key) = Crypt::Ed25519::generate_keypair $secret_key
115              
116             Instead of generating a random keypair, generate them from the given
117             C<$secret_key> (e.g. as returned by C.
118             The derivation is deterministic, i.e. a specific C<$secret_key> will
119             always result in the same keypair.
120              
121             A secret key is simply a random bit string, so if you have a good source
122             of key material, you can simply generate 32 octets from it and use this as
123             your secret key.
124              
125             =item $signature = Crypt::Ed25519::sign $message, $public_key, $private_key
126              
127             Generates a signature for the given message using the public and private
128             keys. The signature is always 64 octets long and deterministic, i.e. it is
129             always the same for a specific combination of C<$message>, C<$public_key>
130             and C<$private_key>, i.e. no external source of randomness is required for
131             signing.
132              
133             =item $valid = Crypt::Ed25519::verify $message, $public_key, $signature
134              
135             Checks whether the C<$signature> is valid for the C<$message> and C<$public_ke>.
136              
137             =item Crypt::Ed25519::verify_croak $message, $public_key, $signature
138              
139             Same as C, but instead of returning a boolean,
140             simply croaks with an error message when the signature isn't valid, so you
141             don't have to think about what the return value really means.
142              
143             =back
144              
145             =head1 EdDSA compatible API
146              
147             The upcoming EdDSA draft RFC uses a slightly different (and slower)
148             API for Ed25519. This API is provided by the following functions:
149              
150             =over 4
151              
152             =item $secret_key = Crypt::Ed25519::eddsa_secret_key
153              
154             Creates and returns a new secret key, which is always 32 octets
155             long. The secret key can be used to generate the public key via
156             C and is not the same as the private key
157             used in the Ed25519 API.
158              
159             A secret key is simply a random bit string, so if you have a good source
160             of key material, you can simply generate 32 octets from it and use this as
161             your secret key.
162              
163             =item $public_key = Crypt::Ed25519::eddsa_public_key $secret_key
164              
165             Takes a secret key generated by C
166             and returns the corresponding C<$public_key>. The derivation is
167             deterministic, i.e. the C<$public_key> generated for a specific
168             C<$secret_key> is always the same.
169              
170             This public key corresponds to the public key in the Ed25519 API above.
171              
172             =item $signature = Crypt::Ed25519::eddsa_sign $message, $public_key, $secret_key
173              
174             Generates a signature for the given message using the public and secret
175             keys. Apart from specifying the C<$secret_key>, this function is identical
176             to C, so everything said about it is true for this
177             function as well.
178              
179             Internally, C derives the corresponding
180             private key first and then calls C, so it is always
181             slower.
182              
183             =item $valid = Crypt::Ed25519::eddsa_verify $message, $public_key, $signature
184              
185             =item Crypt::Ed25519::eddsa_verify_croak $message, $public_key, $signature
186              
187             Really the same as C and
188             C, i.e. the functions without the C
189             prefix. These aliases are provided so it's clear that you are using EdDSA
190             and not Ed25519 API.
191              
192             =back
193              
194             =head1 CONVERTING BETWEEN Ed25519 and EdDSA
195              
196             The Ed25519 and EdDSA compatible APIs handle keys slightly
197             differently: The Ed25519 API gives you a public/private key pair, while
198             EdDSA takes a secret and generates a public key from it.
199              
200             You can convert an EdDSA secret to an Ed25519 private/public key pair
201             using C:
202              
203             ($public_key, $private_key) = Crypt::Ed25519::generate_keypair $secret
204              
205             As such, the EdDSA-style API allows you to store only the secret key and
206             derive the public key as needed. On the other hand, signing using the
207             private key is faster than using the secret key, so converting the secret
208             key to a public/private key pair allows you to sign a small message, or
209             many messages, faster.
210              
211             =head1 Key Exchange
212              
213             As an extension to Ed25519, this module implements a key exchange similar
214             (But not identical) to Curve25519. For this, both sides generate a keypair
215             and send their public key to the other side. Then both sides can generate
216             the same shared secret using this function:
217              
218             =over
219              
220             =item $shared_secret = Crypt::Ed25519::key_exchange $other_public_key, $own_private_key
221              
222             Return the 32 octet shared secret generated from the given public and
223             private key. See SYNOPSIS for an actual example.
224              
225             =back
226              
227             =head1 SUPPORT FOR THE PERL MULTICORE SPECIFICATION
228            
229             This module supports the perl multicore specification
230             (L) for all operations, although it
231             makes most sense to use it when signing or verifying longer messages.
232              
233             =head1 IMPLEMENTATION
234              
235             This module currently uses "Nightcracker's Ed25519" implementation, which
236             is unmodified except for some portability fixes and static delcarations,
237             but the interface is kept implementation-agnostic to allow usage of other
238             implementations in the future.
239              
240             =head1 AUTHOR
241              
242             Marc Lehmann
243             http://software.schmorp.de/pkg/Crypt-Ed25519.html
244              
245             =cut
246              
247             1
248