spot-the-bug/stream-ciphers/monocypher-3.1.1/doc/html/crypto_sign.html

216 lines
10 KiB
HTML

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<style>
table.head, table.foot { width: 100%; }
td.head-rtitle, td.foot-os { text-align: right; }
td.head-vol { text-align: center; }
div.Pp { margin: 1ex 0ex; }
</style>
<link rel="stylesheet" href="style.css" type="text/css" media="all"/>
<title>CRYPTO_SIGN(3MONOCYPHER)</title>
</head>
<body>
<table class="head">
<tr>
<td class="head-ltitle">CRYPTO_SIGN(3MONOCYPHER)</td>
<td class="head-vol">3MONOCYPHER</td>
<td class="head-rtitle">CRYPTO_SIGN(3MONOCYPHER)</td>
</tr>
</table>
<div class="manual-text">
<h1 class="Sh" title="Sh" id="NAME"><a class="selflink" href="#NAME">NAME</a></h1>
<b class="Nm" title="Nm">crypto_sign</b>,
<b class="Nm" title="Nm">crypto_check</b>,
<b class="Nm" title="Nm">crypto_sign_public_key</b> &#x2014;
<span class="Nd" title="Nd">public key signatures</span>
<h1 class="Sh" title="Sh" id="SYNOPSIS"><a class="selflink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<b class="In" title="In">#include
&lt;<a class="In" title="In">monocypher.h</a>&gt;</b>
<div class="Pp"></div>
<var class="Ft" title="Ft">void</var>
<br/>
<b class="Fn" title="Fn">crypto_sign_public_key</b>(<var class="Fa" title="Fa">uint8_t
public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
secret_key[32]</var>);
<div class="Pp"></div>
<var class="Ft" title="Ft">void</var>
<br/>
<b class="Fn" title="Fn">crypto_sign</b>(<var class="Fa" title="Fa">uint8_t
signature[64]</var>, <var class="Fa" title="Fa">const uint8_t
secret_key[32]</var>, <var class="Fa" title="Fa">const uint8_t
public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
<var class="Fa" title="Fa">size_t message_size</var>);
<div class="Pp"></div>
<var class="Ft" title="Ft">int</var>
<br/>
<b class="Fn" title="Fn">crypto_check</b>(<var class="Fa" title="Fa">const
uint8_t signature[64]</var>, <var class="Fa" title="Fa">const uint8_t
public_key[32]</var>, <var class="Fa" title="Fa">const uint8_t *message</var>,
<var class="Fa" title="Fa">size_t message_size</var>);
<h1 class="Sh" title="Sh" id="DESCRIPTION"><a class="selflink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<b class="Fn" title="Fn">crypto_sign</b>() and
<b class="Fn" title="Fn">crypto_check</b>() provide EdDSA public key
signatures and verification.
<div class="Pp"></div>
The arguments are:
<dl class="Bl-tag">
<dt class="It-tag">&#x00A0;</dt>
<dd class="It-tag">&#x00A0;</dd>
<dt class="It-tag"><var class="Fa" title="Fa">signature</var></dt>
<dd class="It-tag">The signature.</dd>
<dt class="It-tag">&#x00A0;</dt>
<dd class="It-tag">&#x00A0;</dd>
<dt class="It-tag"><var class="Fa" title="Fa">secret_key</var></dt>
<dd class="It-tag">A 32-byte random number, known only to you. See
<a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> about
random number generation (use your operating system's random number
generator). Do not use the same private key for both signatures and key
exchanges. The public keys are different, and revealing both may leak
information.</dd>
<dt class="It-tag">&#x00A0;</dt>
<dd class="It-tag">&#x00A0;</dd>
<dt class="It-tag"><var class="Fa" title="Fa">public_key</var></dt>
<dd class="It-tag">The public key, generated from
<var class="Fa" title="Fa">secret_key</var> with
<b class="Fn" title="Fn">crypto_sign_public_key</b>().</dd>
<dt class="It-tag">&#x00A0;</dt>
<dd class="It-tag">&#x00A0;</dd>
<dt class="It-tag"><var class="Fa" title="Fa">message</var></dt>
<dd class="It-tag">Message to sign.</dd>
<dt class="It-tag">&#x00A0;</dt>
<dd class="It-tag">&#x00A0;</dd>
<dt class="It-tag"><var class="Fa" title="Fa">message_size</var></dt>
<dd class="It-tag">Length of <var class="Fa" title="Fa">message</var>, in
bytes.</dd>
</dl>
<div class="Pp"></div>
<var class="Fa" title="Fa">signature</var> and
<var class="Fa" title="Fa">message</var> may overlap.
<div class="Pp"></div>
<b class="Fn" title="Fn">crypto_sign_public_key</b>() computes the public key of
the specified secret key.
<div class="Pp"></div>
<b class="Fn" title="Fn">crypto_sign</b>() signs a message with
<var class="Fa" title="Fa">secret_key</var>. The public key is optional, and
will be recomputed if not provided. This recomputation doubles the execution
time.
<div class="Pp"></div>
<b class="Fn" title="Fn">crypto_check</b>() checks that a given signature is
genuine. Meaning, only someone who had the private key could have signed the
message. <b class="Sy" title="Sy">It does not run in constant time</b>. It
does not have to in most threat models, because nothing is secret: everyone
knows the public key, and the signature and message are rarely secret. If the
message needs to be secret, use
<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>
and
<a class="Xr" title="Xr" href="crypto_lock_aead.html">crypto_lock_aead(3monocypher)</a>
instead.
<div class="Pp"></div>
An incremental interface is available; see
<a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>.
<h1 class="Sh" title="Sh" id="RETURN_VALUES"><a class="selflink" href="#RETURN_VALUES">RETURN
VALUES</a></h1>
<b class="Fn" title="Fn">crypto_sign_public_key</b>() and
<b class="Fn" title="Fn">crypto_sign</b>() return nothing.
<div class="Pp"></div>
<b class="Fn" title="Fn">crypto_check</b>() returns 0 for legitimate messages
and -1 for forgeries.
<h1 class="Sh" title="Sh" id="EXAMPLES"><a class="selflink" href="#EXAMPLES">EXAMPLES</a></h1>
The following examples assume the existence of
<b class="Fn" title="Fn">arc4random_buf</b>(), which fills the given buffer
with cryptographically secure random bytes. If
<b class="Fn" title="Fn">arc4random_buf</b>() does not exist on your system,
see <a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a> for
advice about how to generate cryptographically secure random bytes.
<div class="Pp"></div>
Generate a public key from a random secret key:
<div class="Pp"></div>
<div class="Bd" style="margin-left: 5.00ex;">
<pre class="Li">
uint8_t sk[32]; /* Random secret key */
uint8_t pk[32]; /* Matching public key */
arc4random_buf(sk, 32);
crypto_sign_public_key(pk, sk);
/* Wipe the secret key if it is no longer needed */
crypto_wipe(sk, 32);
</pre>
</div>
<div class="Pp"></div>
Sign a message:
<div class="Pp"></div>
<div class="Bd" style="margin-left: 5.00ex;">
<pre class="Li">
uint8_t sk [32]; /* Secret key from above */
const uint8_t pk [32]; /* Matching public key */
const uint8_t message [11] = &quot;Lorem ipsu&quot;; /* Message to sign */
uint8_t signature[64];
crypto_sign(signature, sk, pk, message, 10);
/* Wipe the secret key if it is no longer needed */
crypto_wipe(sk, 32);
</pre>
</div>
<div class="Pp"></div>
Check the above:
<div class="Pp"></div>
<div class="Bd" style="margin-left: 5.00ex;">
<pre class="Li">
const uint8_t pk [32]; /* Their public key */
const uint8_t message [11] = &quot;Lorem ipsu&quot;; /* Signed message */
const uint8_t signature[64]; /* Signature to check */
if (crypto_check(signature, pk, message, 10)) {
/* Message is corrupted, abort processing */
} else {
/* Message is genuine */
}
</pre>
</div>
<h1 class="Sh" title="Sh" id="SEE_ALSO"><a class="selflink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<a class="Xr" title="Xr" href="crypto_blake2b.html">crypto_blake2b(3monocypher)</a>,
<a class="Xr" title="Xr" href="crypto_key_exchange.html">crypto_key_exchange(3monocypher)</a>,
<a class="Xr" title="Xr" href="crypto_lock.html">crypto_lock(3monocypher)</a>,
<a class="Xr" title="Xr" href="intro.html">intro(3monocypher)</a>
<h1 class="Sh" title="Sh" id="STANDARDS"><a class="selflink" href="#STANDARDS">STANDARDS</a></h1>
These functions implement PureEdDSA with Curve25519 and Blake2b, as described in
RFC 8032. This is the same as Ed25519, with Blake2b instead of SHA-512.
<h1 class="Sh" title="Sh" id="HISTORY"><a class="selflink" href="#HISTORY">HISTORY</a></h1>
The <b class="Fn" title="Fn">crypto_sign</b>(),
<b class="Fn" title="Fn">crypto_check</b>(), and
<b class="Fn" title="Fn">crypto_sign_public_key</b>() functions appeared in
Monocypher 0.2.
<div class="Pp"></div>
<b class="Sy" title="Sy">A critical security vulnerability</b> that caused
all-zero signatures to be accepted was introduced in Monocypher 0.3; it was
fixed in Monocypher 1.1.1 and 2.0.4.
<h1 class="Sh" title="Sh" id="SECURITY_CONSIDERATIONS"><a class="selflink" href="#SECURITY_CONSIDERATIONS">SECURITY
CONSIDERATIONS</a></h1>
<h2 class="Ss" title="Ss" id="Signature_malleability"><a class="selflink" href="#Signature_malleability">Signature
malleability</a></h2>
EdDSA signatures are not unique like cryptographic hashes. For any given public
key and message, there are many possible valid signatures. Some of them
require knowledge of the private key. Others only require knowledge of an
existing signature. Observing a valid signature only proves that someone with
knowledge of the private key signed the message at some point. Do not rely on
any other security property.
<h2 class="Ss" title="Ss" id="Fault_injection_and_power_analysis"><a class="selflink" href="#Fault_injection_and_power_analysis">Fault
injection and power analysis</a></h2>
Fault injection (also known as glitching) and power analysis may be used to
manipulate the resulting signature and recover the secret key in some cases.
This requires hardware access. If attackers are expected to have such access
and have the relevant equipment, you may try use the incremental interface
provided by
<a class="Xr" title="Xr" href="crypto_sign_init_first_pass.html">crypto_sign_init_first_pass(3monocypher)</a>
to mitigate the side channel attacks. Note that there may still be other
power-related side channels (such as if the CPU leaks information when an
operation overflows a register) that must be considered.</div>
<table class="foot">
<tr>
<td class="foot-date">March 31, 2020</td>
<td class="foot-os">Linux 4.15.0-106-generic</td>
</tr>
</table>
</body>
</html>