1*beb45aa6Sschwarze.\" $OpenBSD: X25519.3,v 1.7 2022/12/15 17:20:48 schwarze Exp $ 2b1c872b9Sschwarze.\" contains some text from: BoringSSL curve25519.h, curve25519.c 3b1c872b9Sschwarze.\" content also checked up to: OpenSSL f929439f Mar 15 12:19:16 2018 +0000 4ded909dbSschwarze.\" 5b1c872b9Sschwarze.\" Copyright (c) 2015 Google Inc. 6*beb45aa6Sschwarze.\" Copyright (c) 2018, 2022 Ingo Schwarze <schwarze@openbsd.org> 7ded909dbSschwarze.\" 8b1c872b9Sschwarze.\" Permission to use, copy, modify, and/or distribute this software for any 9b1c872b9Sschwarze.\" purpose with or without fee is hereby granted, provided that the above 10b1c872b9Sschwarze.\" copyright notice and this permission notice appear in all copies. 11ded909dbSschwarze.\" 12b1c872b9Sschwarze.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES 13b1c872b9Sschwarze.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 14b1c872b9Sschwarze.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR 15b1c872b9Sschwarze.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 16b1c872b9Sschwarze.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17b1c872b9Sschwarze.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18b1c872b9Sschwarze.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19ded909dbSschwarze.\" 20*beb45aa6Sschwarze.\" According to the BoringSSL git history, those parts of the text in 21*beb45aa6Sschwarze.\" the present manual page that are Copyrighted by Google were probably 22*beb45aa6Sschwarze.\" written by Adam Langley <agl@google.com> in 2015. 23*beb45aa6Sschwarze.\" I fail to see any such text in the public domain files written 24*beb45aa6Sschwarze.\" by Daniel J. Bernstein and others that are included in SUPERCOP 25*beb45aa6Sschwarze.\" and that Adam Langley's BoringSSL implementation is based on. 
26*beb45aa6Sschwarze.\" 27*beb45aa6Sschwarze.Dd $Mdocdate: December 15 2022 $ 28ded909dbSschwarze.Dt X25519 3 29ded909dbSschwarze.Os 30ded909dbSschwarze.Sh NAME 31b1c872b9Sschwarze.Nm X25519 , 32*beb45aa6Sschwarze.Nm X25519_keypair , 33*beb45aa6Sschwarze.Nm ED25519_keypair , 34*beb45aa6Sschwarze.Nm ED25519_sign , 35*beb45aa6Sschwarze.Nm ED25519_verify 36*beb45aa6Sschwarze.Nd Elliptic Curve Diffie-Hellman and signature primitives based on Curve25519 37b1c872b9Sschwarze.Sh SYNOPSIS 383e933669Sjsing.In openssl/curve25519.h 39b1c872b9Sschwarze.Ft int 40b1c872b9Sschwarze.Fo X25519 41b1c872b9Sschwarze.Fa "uint8_t out_shared_key[X25519_KEY_LENGTH]" 42b1c872b9Sschwarze.Fa "const uint8_t private_key[X25519_KEY_LENGTH]" 43b1c872b9Sschwarze.Fa "const uint8_t peer_public_value[X25519_KEY_LENGTH]" 44b1c872b9Sschwarze.Fc 45b1c872b9Sschwarze.Ft void 46b1c872b9Sschwarze.Fo X25519_keypair 47b1c872b9Sschwarze.Fa "uint8_t out_public_value[X25519_KEY_LENGTH]" 48b1c872b9Sschwarze.Fa "uint8_t out_private_key[X25519_KEY_LENGTH]" 49b1c872b9Sschwarze.Fc 50*beb45aa6Sschwarze.Ft void 51*beb45aa6Sschwarze.Fo ED25519_keypair 52*beb45aa6Sschwarze.Fa "uint8_t out_public_key[ED25519_PUBLIC_KEY_LENGTH]" 53*beb45aa6Sschwarze.Fa "uint8_t out_private_key[ED25519_PRIVATE_KEY_LENGTH]" 54*beb45aa6Sschwarze.Fc 55*beb45aa6Sschwarze.Ft int 56*beb45aa6Sschwarze.Fo ED25519_sign 57*beb45aa6Sschwarze.Fa "uint8_t *out_sig" 58*beb45aa6Sschwarze.Fa "const uint8_t *message" 59*beb45aa6Sschwarze.Fa "size_t message_len" 60*beb45aa6Sschwarze.Fa "const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]" 61*beb45aa6Sschwarze.Fa "const uint8_t private_key_seed[ED25519_PRIVATE_KEY_LENGTH]" 62*beb45aa6Sschwarze.Fc 63*beb45aa6Sschwarze.Ft int 64*beb45aa6Sschwarze.Fo ED25519_verify 65*beb45aa6Sschwarze.Fa "const uint8_t *message" 66*beb45aa6Sschwarze.Fa "size_t message_len" 67*beb45aa6Sschwarze.Fa "const uint8_t signature[ED25519_SIGNATURE_LENGTH]" 68*beb45aa6Sschwarze.Fa "const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]" 
69*beb45aa6Sschwarze.Fc 70ded909dbSschwarze.Sh DESCRIPTION 71*beb45aa6SschwarzeCurve25519 is an elliptic curve over a prime field 72*beb45aa6Sschwarzespecified in RFC 7748 section 4.1. 73b1c872b9SschwarzeThe prime field is defined by the prime number 2^255 - 19. 74ded909dbSschwarze.Pp 75*beb45aa6SschwarzeX25519 76b1c872b9Sschwarzeis the Diffie-Hellman primitive built from Curve25519 as described 77b1c872b9Sschwarzein RFC 7748 section 5. 78b1c872b9SschwarzeSection 6.1 describes the intended use in an Elliptic Curve Diffie-Hellman 79b1c872b9Sschwarze(ECDH) protocol. 80ded909dbSschwarze.Pp 81b1c872b9Sschwarze.Fn X25519 82b1c872b9Sschwarzewrites a shared key to 83b1c872b9Sschwarze.Fa out_shared_key 84b1c872b9Sschwarzethat is calculated from the given 85b1c872b9Sschwarze.Fa private_key 86b1c872b9Sschwarzeand the 87b1c872b9Sschwarze.Fa peer_public_value 88b1c872b9Sschwarzeby scalar multiplication. 89b1c872b9SschwarzeDo not use the shared key directly; instead, pass it through a key derivation 90b1c872b9Sschwarzefunction together with the two public values as additional inputs. 91ded909dbSschwarze.Pp 92b1c872b9Sschwarze.Fn X25519_keypair 93b1c872b9Sschwarzesets 94b1c872b9Sschwarze.Fa out_public_value 95b1c872b9Sschwarzeand 96b1c872b9Sschwarze.Fa out_private_key 97b1c872b9Sschwarzeto a freshly generated public/private key pair. 98b1c872b9SschwarzeFirst, the 99b1c872b9Sschwarze.Fa out_private_key 100b1c872b9Sschwarzeis generated with 101b1c872b9Sschwarze.Xr arc4random_buf 3 . 102b1c872b9SschwarzeThen, the opposite of the masking described in RFC 7748 section 5 103b1c872b9Sschwarzeis applied to it to make sure that the generated private key is never 104b1c872b9Sschwarzecorrectly masked. 105b1c872b9SschwarzeThe purpose is to cause incorrect implementations on the peer side 106b1c872b9Sschwarzeto consistently fail. 107b1c872b9SschwarzeCorrect implementations apply the masking themselves when decoding the key 108b1c872b9Sschwarzeand therefore handle a key that is not correctly masked without problems.
109b1c872b9SschwarzeFinally, the 110b1c872b9Sschwarze.Fa out_public_value 111b1c872b9Sschwarzeis calculated from the 112b1c872b9Sschwarze.Fa out_private_key 113b1c872b9Sschwarzeby multiplying it with the Montgomery base point 114b1c872b9Sschwarze.Vt uint8_t u[32] No = Brq 9 . 115ded909dbSschwarze.Pp 116b1c872b9SschwarzeThe size of a public and private key is 117b1c872b9Sschwarze.Dv X25519_KEY_LENGTH No = 32 118b1c872b9Sschwarzebytes each. 119*beb45aa6Sschwarze.Pp 120*beb45aa6SschwarzeEd25519 is a signature scheme using a twisted Edwards curve 121*beb45aa6Sschwarzethat is birationally equivalent to Curve25519. 122*beb45aa6Sschwarze.Pp 123*beb45aa6Sschwarze.Fn ED25519_keypair 124*beb45aa6Sschwarzesets 125*beb45aa6Sschwarze.Fa out_public_key 126*beb45aa6Sschwarzeand 127*beb45aa6Sschwarze.Fa out_private_key 128*beb45aa6Sschwarzeto a freshly generated public/private key pair. 129*beb45aa6SschwarzeFirst, the 130*beb45aa6Sschwarze.Fa out_private_key 131*beb45aa6Sschwarzeis generated with 132*beb45aa6Sschwarze.Xr arc4random_buf 3 . 133*beb45aa6SschwarzeThen, the 134*beb45aa6Sschwarze.Fa out_public_key 135*beb45aa6Sschwarzeis calculated from the private key. 136*beb45aa6Sschwarze.Pp 137*beb45aa6Sschwarze.Fn ED25519_sign 138*beb45aa6Sschwarzesigns the 139*beb45aa6Sschwarze.Fa message 140*beb45aa6Sschwarzeof 141*beb45aa6Sschwarze.Fa message_len 142*beb45aa6Sschwarzebytes using the 143*beb45aa6Sschwarze.Fa public_key 144*beb45aa6Sschwarzeand the 145*beb45aa6Sschwarze.Fa private_key_seed 146*beb45aa6Sschwarzeand writes the 64-byte signature to 147*beb45aa6Sschwarze.Fa out_sig . 148*beb45aa6Sschwarze.Pp 149*beb45aa6Sschwarze.Fn ED25519_verify 150*beb45aa6Sschwarzeverifies that the 151*beb45aa6Sschwarze.Fa message 152*beb45aa6Sschwarzeof 153*beb45aa6Sschwarze.Fa message_len 154*beb45aa6Sschwarzebytes was signed by the private key corresponding to the 155*beb45aa6Sschwarze.Fa public_key 156*beb45aa6Sschwarzeby checking the given 157*beb45aa6Sschwarze.Fa signature .
158*beb45aa6Sschwarze.Pp 159*beb45aa6SschwarzeThe sizes of a public key and a private key are 160*beb45aa6Sschwarze.Dv ED25519_PUBLIC_KEY_LENGTH 161*beb45aa6Sschwarzeand 162*beb45aa6Sschwarze.Dv ED25519_PRIVATE_KEY_LENGTH , 163*beb45aa6Sschwarzewhich are both 32 bytes, and the size of a signature is 164*beb45aa6Sschwarze.Dv ED25519_SIGNATURE_LENGTH No = 64 165*beb45aa6Sschwarzebytes. 166b1c872b9Sschwarze.Sh RETURN VALUES 167b1c872b9Sschwarze.Fn X25519 168*beb45aa6Sschwarzeand 169*beb45aa6Sschwarze.Fn ED25519_sign 170*beb45aa6Sschwarzereturn 1 on success or 0 on error. 171*beb45aa6Sschwarze.Fn X25519 172*beb45aa6Sschwarzecan fail if the peer's public value is a point of small order; the return value must be checked before the shared key is used. 173*beb45aa6Sschwarze.Fn ED25519_sign 174*beb45aa6Sschwarzealways succeeds in LibreSSL, but the API reserves the return value 0 175*beb45aa6Sschwarzefor memory allocation failure, so callers should still check it. 176*beb45aa6Sschwarze.Pp 177*beb45aa6Sschwarze.Fn ED25519_verify 178*beb45aa6Sschwarzereturns 1 if the 179*beb45aa6Sschwarze.Fa signature 180*beb45aa6Sschwarzeis valid or 0 otherwise. 181ded909dbSschwarze.Sh SEE ALSO 182*beb45aa6Sschwarze.Xr ECDH_compute_key 3 , 183*beb45aa6Sschwarze.Xr EVP_DigestSign 3 , 184*beb45aa6Sschwarze.Xr EVP_DigestVerify 3 , 185*beb45aa6Sschwarze.Xr EVP_PKEY_derive 3 , 186*beb45aa6Sschwarze.Xr EVP_PKEY_keygen 3 187b1c872b9Sschwarze.Rs 188*beb45aa6Sschwarze.%A Daniel J. Bernstein 189b1c872b9Sschwarze.%R A state-of-the-art Diffie-Hellman function:\ 190b1c872b9Sschwarze How do I use Curve25519 in my own software? 191d905fc10Sjsg.%U https://cr.yp.to/ecdh.html 192b1c872b9Sschwarze.Re 193*beb45aa6Sschwarze.Rs 194*beb45aa6Sschwarze.%A Daniel J. Bernstein 195*beb45aa6Sschwarze.%A Niels Duif 196*beb45aa6Sschwarze.%A Tanja Lange 197*beb45aa6Sschwarze.%A Peter Schwabe 198*beb45aa6Sschwarze.%A Bo-Yin Yang 199*beb45aa6Sschwarze.%T High-Speed High-Security Signatures 200*beb45aa6Sschwarze.%B Cryptographic Hardware and Embedded Systems \(em CHES 2011 201*beb45aa6Sschwarze.%I Springer 202*beb45aa6Sschwarze.%J Lecture Notes in Computer Science 203*beb45aa6Sschwarze.%V vol 6917 204*beb45aa6Sschwarze.%U https://doi.org/10.1007/978-3-642-23951-9_9 205*beb45aa6Sschwarze.%C Nara, Japan 206*beb45aa6Sschwarze.%D September 29, 2011 207*beb45aa6Sschwarze.Re 208b1c872b9Sschwarze.Sh STANDARDS 209b1c872b9SschwarzeRFC 7748: Elliptic Curves for Security 210*beb45aa6Sschwarze.Pp 211*beb45aa6SschwarzeRFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA) 212