File Coverage

blib/lib/Crypt/Ed25519.pm

Criterion	Covered	Total	%
statement	3	3	100.0
branch			n/a
condition			n/a
subroutine	1	1	100.0
pod			n/a
total	4	4	100.0

line	stmt	sub	time	code
1				=head1 NAME
2
3				Crypt::Ed25519 - bare-bones Ed25519 public key signing/verification system
4
5				=head1 SYNOPSIS
6
7				use Crypt::Ed25519; # no symbols exported
8
9				############################################
10				# Ed25519 API - public/private keypair
11
12				# generate a public/private key pair once
13				($pubkey, $privkey) = Crypt::Ed25519::generate_keypair;
14
15				# sign a message
16				$signature = Crypt::Ed25519::sign $message, $pubkey, $privkey;
17
18				# verify message
19				$valid = Crypt::Ed25519::verify $message, $pubkey, $signature;
20
21				# verify, but croak on failure
22				Crypt::Ed25519::verify_croak $message, $pubkey, $signature;
23
24				############################################
25				# EdDSA API - secret key and derived public key
26
27				# generate a secret key
28				$secret = Crypt::EdDSA::eddsa_secret_key;
29
30				# derive public key as needed
31				$pubkey = Crypt::EdDSA::eddsa_public_key $secret;
32
33				# sign a message
34				$signature = Crypt::Ed25519::eddsa_sign $message, $pubkey, $secret;
35
36				# verify message
37				$valid = Crypt::Ed25519::eddsa_verify $message, $pubkey, $signature;
38
39				# verify, but croak on failure
40				Crypt::Ed25519:eddsa_verify_croak $message, $pubkey, $signature;
41
42				############################################
43				# Key exchange
44
45				# side A:
46				($pubkey_a, $privkey_a) = Crypt::Ed25519::generate_keypair;
47				# send $pubkey to side B
48
49				# side B:
50				($pubkey_b, $privkey_b) = Crypt::Ed25519::generate_keypair;
51				# send $pubkey to side A
52
53				# side A then calculates their shared secret:
54				$shared_secret = Crypt::Ed25519::key_exchange $pubkey_b, $privkey_a;
55
56				# and side B does this:
57				$shared_secret = Crypt::Ed25519::key_exchange $pubkey_a, $privkey_b;
58
59				# the generated $shared_secret will be the same - you cna now
60				# hash it with hkdf or something else to generate symmetric private keys
61
62				=head1 DESCRIPTION
63
64				This module implements Ed25519 public key generation, message signing and
65				verification. It is a pretty bare-bones implementation that implements
66				the standard Ed25519 variant with SHA512 hash, as well as a slower API
67				compatible with the upcoming EdDSA RFC.
68
69				The security target for Ed25519 is to be equivalent to 3000 bit RSA or
70				AES-128.
71
72				The advantages of Ed25519 over most other signing algorithms are:
73				small public/private key and signature sizes (<= 64 octets), good key
74				generation, signing and verification performance, no reliance on random
75				number generators for signing and by-design immunity against branch or
76				memory access pattern side-channel attacks.
77
78				More detailed praise and other info can be found at
79				L.
80
81				=head1 CRYPTOGRAPHY IS HARD
82
83				A word of caution: don't use this module unless you really know what you
84				are doing - even if this module were completely error-free, that still
85				doesn't mean that every way of using it is correct. When in doubt, it's
86				best not to design your own cryptographic protocol.
87
88				=head1 CONVENTIONS
89
90				Public/private/secret keys, messages and signatures are all opaque and
91				architecture-independent octet strings, and, except for the message, have
92				fixed lengths.
93
94				=cut
95
96				package Crypt::Ed25519;
97
98				BEGIN {
99	3	3	1740	$VERSION = 1.05;
100
101	3		31	require XSLoader;
102	3		1631	XSLoader::load Crypt::Ed25519::, $VERSION;
103				}
104
105				=head1 Ed25519 API
106
107				=over 4
108
109				=item ($public_key, $private_key) = Crypt::Ed25519::generate_keypair
110
111				Creates and returns a new random public and private key pair. The public
112				key is always 32 octets, the private key is always 64 octets long.
113
114				=item ($public_key, $private_key) = Crypt::Ed25519::generate_keypair $secret_key
115
116				Instead of generating a random keypair, generate them from the given
117				C<$secret_key> (e.g. as returned by C.
118				The derivation is deterministic, i.e. a specific C<$secret_key> will
119				always result in the same keypair.
120
121				A secret key is simply a random bit string, so if you have a good source
122				of key material, you can simply generate 32 octets from it and use this as
123				your secret key.
124
125				=item $signature = Crypt::Ed25519::sign $message, $public_key, $private_key
126
127				Generates a signature for the given message using the public and private
128				keys. The signature is always 64 octets long and deterministic, i.e. it is
129				always the same for a specific combination of C<$message>, C<$public_key>
130				and C<$private_key>, i.e. no external source of randomness is required for
131				signing.
132
133				=item $valid = Crypt::Ed25519::verify $message, $public_key, $signature
134
135				Checks whether the C<$signature> is valid for the C<$message> and C<$public_ke>.
136
137				=item Crypt::Ed25519::verify_croak $message, $public_key, $signature
138
139				Same as C, but instead of returning a boolean,
140				simply croaks with an error message when the signature isn't valid, so you
141				don't have to think about what the return value really means.
142
143				=back
144
145				=head1 EdDSA compatible API
146
147				The upcoming EdDSA draft RFC uses a slightly different (and slower)
148				API for Ed25519. This API is provided by the following functions:
149
150				=over 4
151
152				=item $secret_key = Crypt::Ed25519::eddsa_secret_key
153
154				Creates and returns a new secret key, which is always 32 octets
155				long. The secret key can be used to generate the public key via
156				C and is not the same as the private key
157				used in the Ed25519 API.
158
159				A secret key is simply a random bit string, so if you have a good source
160				of key material, you can simply generate 32 octets from it and use this as
161				your secret key.
162
163				=item $public_key = Crypt::Ed25519::eddsa_public_key $secret_key
164
165				Takes a secret key generated by C
166				and returns the corresponding C<$public_key>. The derivation is
167				deterministic, i.e. the C<$public_key> generated for a specific
168				C<$secret_key> is always the same.
169
170				This public key corresponds to the public key in the Ed25519 API above.
171
172				=item $signature = Crypt::Ed25519::eddsa_sign $message, $public_key, $secret_key
173
174				Generates a signature for the given message using the public and secret
175				keys. Apart from specifying the C<$secret_key>, this function is identical
176				to C, so everything said about it is true for this
177				function as well.
178
179				Internally, C derives the corresponding
180				private key first and then calls C, so it is always
181				slower.
182
183				=item $valid = Crypt::Ed25519::eddsa_verify $message, $public_key, $signature
184
185				=item Crypt::Ed25519::eddsa_verify_croak $message, $public_key, $signature
186
187				Really the same as C and
188				C, i.e. the functions without the C
189				prefix. These aliases are provided so it's clear that you are using EdDSA
190				and not Ed25519 API.
191
192				=back
193
194				=head1 CONVERTING BETWEEN Ed25519 and EdDSA
195
196				The Ed25519 and EdDSA compatible APIs handle keys slightly
197				differently: The Ed25519 API gives you a public/private key pair, while
198				EdDSA takes a secret and generates a public key from it.
199
200				You can convert an EdDSA secret to an Ed25519 private/public key pair
201				using C:
202
203				($public_key, $private_key) = Crypt::Ed25519::generate_keypair $secret
204
205				As such, the EdDSA-style API allows you to store only the secret key and
206				derive the public key as needed. On the other hand, signing using the
207				private key is faster than using the secret key, so converting the secret
208				key to a public/private key pair allows you to sign a small message, or
209				many messages, faster.
210
211				=head1 Key Exchange
212
213				As an extension to Ed25519, this module implements a key exchange similar
214				(But not identical) to Curve25519. For this, both sides generate a keypair
215				and send their public key to the other side. Then both sides can generate
216				the same shared secret using this function:
217
218				=over
219
220				=item $shared_secret = Crypt::Ed25519::key_exchange $other_public_key, $own_private_key
221
222				Return the 32 octet shared secret generated from the given public and
223				private key. See SYNOPSIS for an actual example.
224
225				=back
226
227				=head1 SUPPORT FOR THE PERL MULTICORE SPECIFICATION
228
229				This module supports the perl multicore specification
230				(L) for all operations, although it
231				makes most sense to use it when signing or verifying longer messages.
232
233				=head1 IMPLEMENTATION
234
235				This module currently uses "Nightcracker's Ed25519" implementation, which
236				is unmodified except for some portability fixes and static delcarations,
237				but the interface is kept implementation-agnostic to allow usage of other
238				implementations in the future.
239
240				=head1 AUTHOR
241
242				Marc Lehmann
243				http://software.schmorp.de/pkg/Crypt-Ed25519.html
244
245				=cut
246
247				1
248