In curve25519.h rev. 1.4 to 1.7, tb@ and jsing@ provided

ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3). Document them.
author: schwarze <> 2022-12-15 17:20:48 +0000
committer: schwarze <> 2022-12-15 17:20:48 +0000
commit: 4049dbe994284a40aeef67c382535608578d7ee0 (patch)
tree: eaba6e776749a336ee670170eb74f8b948443fcd /src/lib
parent: 7a86fa5aa1ba5371e5599a0597cd218ab91d74c1 (diff)
download: openbsd-4049dbe994284a40aeef67c382535608578d7ee0.tar.gz
openbsd-4049dbe994284a40aeef67c382535608578d7ee0.tar.bz2
openbsd-4049dbe994284a40aeef67c382535608578d7ee0.zip
1 files changed, 121 insertions, 11 deletions
diff --git a/src/lib/libcrypto/man/X25519.3 b/src/lib/libcrypto/man/X25519.3
index 8d8006fe96..a327f8c7b2 100644
--- a/src/lib/libcrypto/man/X25519.3
+++ b/src/lib/libcrypto/man/X25519.3
@@ -1,9 +1,9 @@
-.\" $OpenBSD: X25519.3,v 1.6 2022/02/18 10:24:32 jsg Exp $
+.\" $OpenBSD: X25519.3,v 1.7 2022/12/15 17:20:48 schwarze Exp $
 .\" contains some text from: BoringSSL curve25519.h, curve25519.c
 .\" content also checked up to: OpenSSL f929439f Mar 15 12:19:16 2018 +0000
 .\"
 .\" Copyright (c) 2015 Google Inc.
-.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2018, 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -17,13 +17,23 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 18 2022 $
+.\" According to the BoringSSL git history, those parts of the text in
+.\" the present manual page that are Copyrighted by Google were probably
+.\" written by Adam Langley <agl@google.com> in 2015.
+.\" I fail to see any such text in the public domain files written
+.\" by Daniel J. Bernstein and others that are included in SUPERCOP
+.\" and that Adam Langley's BoringSSL implementation is based on.
+.\"
+.Dd $Mdocdate: December 15 2022 $
 .Dt X25519 3
 .Os
 .Sh NAME
 .Nm X25519 ,
-.Nm X25519_keypair
+.Nm X25519_keypair ,
-.Nd Elliptic Curve Diffie-Hellman primitive based on Curve25519
+.Nm ED25519_keypair ,
+.Nm ED25519_sign ,
+.Nm ED25519_verify
+.Nd Elliptic Curve Diffie-Hellman and signature primitives based on Curve25519
 .Sh SYNOPSIS
 .In openssl/curve25519.h
 .Ft int
@@ -37,11 +47,32 @@
 .Fa "uint8_t out_public_value[X25519_KEY_LENGTH]"
 .Fa "uint8_t out_private_key[X25519_KEY_LENGTH]"
 .Fc
+.Ft void
+.Fo ED25519_keypair
+.Fa "uint8_t out_public_key[ED25519_PUBLIC_KEY_LENGTH]"
+.Fa "uint8_t out_private_key[ED25519_PRIVATE_KEY_LENGTH]"
+.Fc
+.Ft int
+.Fo ED25519_sign
+.Fa "uint8_t *out_sig"
+.Fa "const uint8_t *message"
+.Fa "size_t message_len"
+.Fa "const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]"
+.Fa "const uint8_t private_key_seed[ED25519_PRIVATE_KEY_LENGTH]"
+.Fc
+.Ft int
+.Fo ED25519_verify
+.Fa "const uint8_t *message"
+.Fa "size_t message_len"
+.Fa "const uint8_t signature[ED25519_SIGNATURE_LENGTH]"
+.Fa "const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]"
+.Fc
 .Sh DESCRIPTION
-Curve25519 is an elliptic curve over a prime field specified in RFC 7748.
+Curve25519 is an elliptic curve over a prime field
+specified in RFC 7748 section 4.1.
 The prime field is defined by the prime number 2^255 - 19.
 .Pp
-.Fn X25519
+X25519
 is the Diffie-Hellman primitive built from Curve25519 as described
 in RFC 7748 section 5.
 Section 6.1 describes the intended use in an Elliptic Curve Diffie-Hellman
@@ -85,17 +116,96 @@ by multiplying it with the Montgomery base point
 The size of a public and private key is
 .Dv X25519_KEY_LENGTH No = 32
 bytes each.
+.Pp
+Ed25519 is a signature scheme using a twisted Edwards curve
+that is birationally equivalent to Curve25519.
+.Pp
+.Fn ED25519_keypair
+sets
+.Fa out_public_key
+and
+.Fa out_private_key
+to a freshly generated public/private key pair.
+First, the
+.Fa out_private_key
+is generated with
+.Xr arc4random_buf 3 .
+Then, the
+.Fa out_public_key
+is calculated from the private key.
+.Pp
+.Fn ED25519_sign
+signs the
+.Fa message
+of
+.Fa message_len
+bytes using the
+.Fa public_key
+and the
+.Fa private_key
+and writes the signature to
+.Fa out_sig .
+.Pp
+.Fn ED25519_verify
+checks that signing the
+.Fa message
+of
+.Fa message_len
+bytes using the
+.Fa public_key
+would indeed result in the given
+.Fa signature .
+.Pp
+The sizes of a public and private keys are
+.Dv ED25519_PUBLIC_KEY_LENGTH
+and
+.Dv ED25519_PRIVATE_KEY_LENGTH ,
+which are both 32 bytes, and the size of a signature is
+.Dv ED25519_SIGNATURE_LENGTH No = 64
+bytes.
 .Sh RETURN VALUES
 .Fn X25519
-returns 1 on success or 0 on error.
+and
-Failure can occur when the input is a point of small order.
+.Fn ED25519_sign
+return 1 on success or 0 on error.
+.Fn X25519
+can fail if the input is a point of small order.
+.Fn ED25519_sign
+always succeeds in LibreSSL, but the API reserves the return value 0
+for memory allocation failure.
+.Pp
+.Fn ED25519_verify
+returns 1 if the
+.Fa signature
+is valid or 0 otherwise.
 .Sh SEE ALSO
-.Xr ECDH_compute_key 3
+.Xr ECDH_compute_key 3 ,
+.Xr EVP_DigestSign 3 ,
+.Xr EVP_DigestVerify 3 ,
+.Xr EVP_PKEY_derive 3 ,
+.Xr EVP_PKEY_keygen 3
 .Rs
-.%A D. J. Bernstein
+.%A Daniel J. Bernstein
 .%R A state-of-the-art Diffie-Hellman function:\
    How do I use Curve25519 in my own software?
 .%U https://cr.yp.to/ecdh.html
 .Re
+.Rs
+.%A Daniel J. Bernstein
+.%A Niels Duif
+.%A Tanja Lange
+.%A Peter Schwabe
+.%A Bo-Yin Yang
+.%T High-Speed High-Security Signatures
+.%B Cryptographic Hardware and Embedded Systems \(em CHES 2011
+.%I Springer
+.%J Lecture Notes in Computer Science
+.%V vol 6917
+.%U https://doi.org/10.1007/978-3-642-23951-9_9
+.%C Nara, Japan
+.%D September 29, 2011
+.Re
 .Sh STANDARDS
 RFC 7748: Elliptic Curves for Security
+.Pp
+RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)
author	schwarze <>	2022-12-15 17:20:48 +0000
committer	schwarze <>	2022-12-15 17:20:48 +0000
commit	4049dbe994284a40aeef67c382535608578d7ee0 (patch)
tree	eaba6e776749a336ee670170eb74f8b948443fcd /src/lib
parent	7a86fa5aa1ba5371e5599a0597cd218ab91d74c1 (diff)
download	openbsd-4049dbe994284a40aeef67c382535608578d7ee0.tar.gz openbsd-4049dbe994284a40aeef67c382535608578d7ee0.tar.bz2 openbsd-4049dbe994284a40aeef67c382535608578d7ee0.zip

diff --git a/src/lib/libcrypto/man/X25519.3 b/src/lib/libcrypto/man/X25519.3 index 8d8006fe96..a327f8c7b2 100644 --- a/src/lib/libcrypto/man/X25519.3 +++ b/src/lib/libcrypto/man/X25519.3
@@ -1,9 +1,9 @@
1	.\" $OpenBSD: X25519.3,v 1.6 2022/02/18 10:24:32 jsg Exp $	1	.\" $OpenBSD: X25519.3,v 1.7 2022/12/15 17:20:48 schwarze Exp $
2	.\" contains some text from: BoringSSL curve25519.h, curve25519.c	2	.\" contains some text from: BoringSSL curve25519.h, curve25519.c
3	.\" content also checked up to: OpenSSL f929439f Mar 15 12:19:16 2018 +0000	3	.\" content also checked up to: OpenSSL f929439f Mar 15 12:19:16 2018 +0000
4	.\"	4	.\"
5	.\" Copyright (c) 2015 Google Inc.	5	.\" Copyright (c) 2015 Google Inc.
6	.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>	6	.\" Copyright (c) 2018, 2022 Ingo Schwarze <schwarze@openbsd.org>
7	.\"	7	.\"
8	.\" Permission to use, copy, modify, and/or distribute this software for any	8	.\" Permission to use, copy, modify, and/or distribute this software for any
9	.\" purpose with or without fee is hereby granted, provided that the above	9	.\" purpose with or without fee is hereby granted, provided that the above
@@ -17,13 +17,23 @@
17	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	17	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	18	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19	.\"	19	.\"
20	.Dd $Mdocdate: February 18 2022 $	20	.\" According to the BoringSSL git history, those parts of the text in
		21	.\" the present manual page that are Copyrighted by Google were probably
		22	.\" written by Adam Langley <agl@google.com> in 2015.
		23	.\" I fail to see any such text in the public domain files written
		24	.\" by Daniel J. Bernstein and others that are included in SUPERCOP
		25	.\" and that Adam Langley's BoringSSL implementation is based on.
		26	.\"
		27	.Dd $Mdocdate: December 15 2022 $
21	.Dt X25519 3	28	.Dt X25519 3
22	.Os	29	.Os
23	.Sh NAME	30	.Sh NAME
24	.Nm X25519 ,	31	.Nm X25519 ,
25	.Nm X25519_keypair	32	.Nm X25519_keypair ,
26	.Nd Elliptic Curve Diffie-Hellman primitive based on Curve25519	33	.Nm ED25519_keypair ,
		34	.Nm ED25519_sign ,
		35	.Nm ED25519_verify
		36	.Nd Elliptic Curve Diffie-Hellman and signature primitives based on Curve25519
27	.Sh SYNOPSIS	37	.Sh SYNOPSIS
28	.In openssl/curve25519.h	38	.In openssl/curve25519.h
29	.Ft int	39	.Ft int
@@ -37,11 +47,32 @@
37	.Fa "uint8_t out_public_value[X25519_KEY_LENGTH]"	47	.Fa "uint8_t out_public_value[X25519_KEY_LENGTH]"
38	.Fa "uint8_t out_private_key[X25519_KEY_LENGTH]"	48	.Fa "uint8_t out_private_key[X25519_KEY_LENGTH]"
39	.Fc	49	.Fc
		50	.Ft void
		51	.Fo ED25519_keypair
		52	.Fa "uint8_t out_public_key[ED25519_PUBLIC_KEY_LENGTH]"
		53	.Fa "uint8_t out_private_key[ED25519_PRIVATE_KEY_LENGTH]"
		54	.Fc
		55	.Ft int
		56	.Fo ED25519_sign
		57	.Fa "uint8_t *out_sig"
		58	.Fa "const uint8_t *message"
		59	.Fa "size_t message_len"
		60	.Fa "const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]"
		61	.Fa "const uint8_t private_key_seed[ED25519_PRIVATE_KEY_LENGTH]"
		62	.Fc
		63	.Ft int
		64	.Fo ED25519_verify
		65	.Fa "const uint8_t *message"
		66	.Fa "size_t message_len"
		67	.Fa "const uint8_t signature[ED25519_SIGNATURE_LENGTH]"
		68	.Fa "const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]"
		69	.Fc
40	.Sh DESCRIPTION	70	.Sh DESCRIPTION
41	Curve25519 is an elliptic curve over a prime field specified in RFC 7748.	71	Curve25519 is an elliptic curve over a prime field
		72	specified in RFC 7748 section 4.1.
42	The prime field is defined by the prime number 2^255 - 19.	73	The prime field is defined by the prime number 2^255 - 19.
43	.Pp	74	.Pp
44	.Fn X25519	75	X25519
45	is the Diffie-Hellman primitive built from Curve25519 as described	76	is the Diffie-Hellman primitive built from Curve25519 as described
46	in RFC 7748 section 5.	77	in RFC 7748 section 5.
47	Section 6.1 describes the intended use in an Elliptic Curve Diffie-Hellman	78	Section 6.1 describes the intended use in an Elliptic Curve Diffie-Hellman
@@ -85,17 +116,96 @@ by multiplying it with the Montgomery base point
85	The size of a public and private key is	116	The size of a public and private key is
86	.Dv X25519_KEY_LENGTH No = 32	117	.Dv X25519_KEY_LENGTH No = 32
87	bytes each.	118	bytes each.
		119	.Pp
		120	Ed25519 is a signature scheme using a twisted Edwards curve
		121	that is birationally equivalent to Curve25519.
		122	.Pp
		123	.Fn ED25519_keypair
		124	sets
		125	.Fa out_public_key
		126	and
		127	.Fa out_private_key
		128	to a freshly generated public/private key pair.
		129	First, the
		130	.Fa out_private_key
		131	is generated with
		132	.Xr arc4random_buf 3 .
		133	Then, the
		134	.Fa out_public_key
		135	is calculated from the private key.
		136	.Pp
		137	.Fn ED25519_sign
		138	signs the
		139	.Fa message
		140	of
		141	.Fa message_len
		142	bytes using the
		143	.Fa public_key
		144	and the
		145	.Fa private_key
		146	and writes the signature to
		147	.Fa out_sig .
		148	.Pp
		149	.Fn ED25519_verify
		150	checks that signing the
		151	.Fa message
		152	of
		153	.Fa message_len
		154	bytes using the
		155	.Fa public_key
		156	would indeed result in the given
		157	.Fa signature .
		158	.Pp
		159	The sizes of a public and private keys are
		160	.Dv ED25519_PUBLIC_KEY_LENGTH
		161	and
		162	.Dv ED25519_PRIVATE_KEY_LENGTH ,
		163	which are both 32 bytes, and the size of a signature is
		164	.Dv ED25519_SIGNATURE_LENGTH No = 64
		165	bytes.
88	.Sh RETURN VALUES	166	.Sh RETURN VALUES
89	.Fn X25519	167	.Fn X25519
90	returns 1 on success or 0 on error.	168	and
91	Failure can occur when the input is a point of small order.	169	.Fn ED25519_sign
		170	return 1 on success or 0 on error.
		171	.Fn X25519
		172	can fail if the input is a point of small order.
		173	.Fn ED25519_sign
		174	always succeeds in LibreSSL, but the API reserves the return value 0
		175	for memory allocation failure.
		176	.Pp
		177	.Fn ED25519_verify
		178	returns 1 if the
		179	.Fa signature
		180	is valid or 0 otherwise.
92	.Sh SEE ALSO	181	.Sh SEE ALSO
93	.Xr ECDH_compute_key 3	182	.Xr ECDH_compute_key 3 ,
		183	.Xr EVP_DigestSign 3 ,
		184	.Xr EVP_DigestVerify 3 ,
		185	.Xr EVP_PKEY_derive 3 ,
		186	.Xr EVP_PKEY_keygen 3
94	.Rs	187	.Rs
95	.%A D. J. Bernstein	188	.%A Daniel J. Bernstein
96	.%R A state-of-the-art Diffie-Hellman function:\	189	.%R A state-of-the-art Diffie-Hellman function:\
97	How do I use Curve25519 in my own software?	190	How do I use Curve25519 in my own software?
98	.%U https://cr.yp.to/ecdh.html	191	.%U https://cr.yp.to/ecdh.html
99	.Re	192	.Re
		193	.Rs
		194	.%A Daniel J. Bernstein
		195	.%A Niels Duif
		196	.%A Tanja Lange
		197	.%A Peter Schwabe
		198	.%A Bo-Yin Yang
		199	.%T High-Speed High-Security Signatures
		200	.%B Cryptographic Hardware and Embedded Systems \(em CHES 2011
		201	.%I Springer
		202	.%J Lecture Notes in Computer Science
		203	.%V vol 6917
		204	.%U https://doi.org/10.1007/978-3-642-23951-9_9
		205	.%C Nara, Japan
		206	.%D September 29, 2011
		207	.Re
100	.Sh STANDARDS	208	.Sh STANDARDS
101	RFC 7748: Elliptic Curves for Security	209	RFC 7748: Elliptic Curves for Security
		210	.Pp
		211	RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)