zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
94 Commits
183 Branches
291 MiB
Tree: 1603d6f385
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1603d6f385'
${ noResults }
tendermint/crypto/README.md

183 lines
8.0 KiB
Raw Normal View History

floodberry's ed25519 batch code
11 years ago
 
  1. [ed25519](http://ed25519.cr.yp.to/) is an 
  2. [Elliptic Curve Digital Signature Algortithm](http://en.wikipedia.org/wiki/Elliptic_Curve_DSA), 
  3. developed by [Dan Bernstein](http://cr.yp.to/djb.html), 
  4. [Niels Duif](http://www.nielsduif.nl/), 
  5. [Tanja Lange](http://hyperelliptic.org/tanja), 
  6. [Peter Schwabe](http://www.cryptojedi.org/users/peter/), 
  7. and [Bo-Yin Yang](http://www.iis.sinica.edu.tw/pages/byyang/).
  8. 

  9. This project provides performant, portable 32-bit & 64-bit implementations. All implementations are 
  10. of course constant time in regard to secret data.
  11. 

  12. #### Performance

  13. 

  14. SSE2 code and benches have not been updated yet. I will do those next.
  15. 

  16. Compilers versions are gcc 4.6.3, icc 13.1.1, clang 3.4-1~exp1.
  17. 

  18. Batch verfication time (in parentheses) is the average time per 1 verification in a batch of 64 signatures. Counts are in thousands of cycles.
  19. 

  20. Note that SSE2 performance may be less impressive on AMD & older CPUs with slower SSE ops!
  21. 

  22. Visual Studio performance for `ge25519_scalarmult_base_niels` will lag behind a bit until optimized assembler versions of `ge25519_scalarmult_base_choose_niels`
  23. are made.
  24. 

  25. ##### E5200 @ 2.5ghz, march=core2

  26. 

  27. <table>
  28. <thead><tr><th>Implementation</th><th>Sign</th><th>gcc</th><th>icc</th><th>clang</th><th>Verify</th><th>gcc</th><th>icc</th><th>clang</th></tr></thead>
  29. <tbody>
  30. <tr><td>ed25519-donna 64bit     </td><td></td><td>100k</td><td>110k</td><td>137k</td><td></td><td>327k (144k) </td><td>342k (163k) </td><td>422k (194k) </td></tr>
  31. <tr><td>amd64-64-24k            </td><td></td><td>102k</td><td>    </td><td>    </td><td></td><td>355k (158k) </td><td>            </td><td>            </td></tr>
  32. <tr><td>ed25519-donna-sse2 64bit</td><td></td><td>108k</td><td>111k</td><td>116k</td><td></td><td>353k (155k) </td><td>345k (154k) </td><td>360k (161k) </td></tr>
  33. <tr><td>amd64-51-32k            </td><td></td><td>116k</td><td>    </td><td>    </td><td></td><td>380k (175k) </td><td>            </td><td>            </td></tr>
  34. <tr><td>ed25519-donna-sse2 32bit</td><td></td><td>147k</td><td>147k</td><td>156k</td><td></td><td>380k (178k) </td><td>381k (173k) </td><td>430k (192k) </td></tr>
  35. <tr><td>ed25519-donna 32bit     </td><td></td><td>597k</td><td>335k</td><td>380k</td><td></td><td>1693k (720k)</td><td>1052k (453k)</td><td>1141k (493k)</td></tr>
  36. </tbody>
  37. </table>
  38. 

  39. ##### E3-1270 @ 3.4ghz, march=corei7-avx

  40. 

  41. <table>
  42. <thead><tr><th>Implementation</th><th>Sign</th><th>gcc</th><th>icc</th><th>clang</th><th>Verify</th><th>gcc</th><th>icc</th><th>clang</th></tr></thead>
  43. <tbody>
  44. <tr><td>amd64-64-24k            </td><td></td><td> 68k</td><td>    </td><td>    </td><td></td><td>225k (104k) </td><td>            </td><td>            </td></tr>
  45. <tr><td>ed25519-donna 64bit     </td><td></td><td> 71k</td><td> 75k</td><td> 90k</td><td></td><td>226k (105k) </td><td>226k (112k) </td><td>277k (125k) </td></tr>
  46. <tr><td>amd64-51-32k            </td><td></td><td> 72k</td><td>    </td><td>    </td><td></td><td>218k (107k) </td><td>            </td><td>            </td></tr>
  47. <tr><td>ed25519-donna-sse2 64bit</td><td></td><td> 79k</td><td> 82k</td><td> 92k</td><td></td><td>252k (122k) </td><td>259k (124k) </td><td>282k (131k) </td></tr>
  48. <tr><td>ed25519-donna-sse2 32bit</td><td></td><td> 94k</td><td> 95k</td><td>103k</td><td></td><td>296k (146k) </td><td>294k (137k) </td><td>306k (147k) </td></tr>
  49. <tr><td>ed25519-donna 32bit     </td><td></td><td>525k</td><td>299k</td><td>316k</td><td></td><td>1502k (645k)</td><td>959k (418k) </td><td>954k (416k) </td></tr>
  50. </tbody>
  51. </table>
  52. 

  53. #### Compilation

  54. 

  55. No configuration is needed **if you are compiling against OpenSSL**. 
  56. 

  57. ##### Hash Options

  58. 

  59. If you are not compiling aginst OpenSSL, you will need a hash function.
  60. 

  61. To use a simple/**slow** implementation of SHA-512, use `-DED25519_REFHASH` when compiling `ed25519.c`. 
  62. This should never be used except to verify the code works when OpenSSL is not available.
  63. 

  64. To use a custom hash function, use `-DED25519_CUSTOMHASH` when compiling `ed25519.c` and put your 
  65. custom hash implementation in ed25519-hash-custom.h. The hash must have a 512bit digest and implement
  66. 

  67. 	struct ed25519_hash_context;
  68. 

  69. 	void ed25519_hash_init(ed25519_hash_context *ctx);
  70. 	void ed25519_hash_update(ed25519_hash_context *ctx, const uint8_t *in, size_t inlen);
  71. 	void ed25519_hash_final(ed25519_hash_context *ctx, uint8_t *hash);
  72. 	void ed25519_hash(uint8_t *hash, const uint8_t *in, size_t inlen);
  73. 

  74. ##### Random Options

  75. 

  76. If you are not compiling aginst OpenSSL, you will need a random function for batch verification.
  77. 

  78. To use a custom random function, use `-DED25519_CUSTOMRANDOM` when compiling `ed25519.c` and put your 
  79. custom hash implementation in ed25519-randombytes-custom.h. The random function must implement:
  80. 

  81. 	void ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len);
  82. 

  83. Use `-DED25519_TEST` when compiling `ed25519.c` to use a deterministically seeded, non-thread safe CSPRNG 
  84. variant of Bob Jenkins [ISAAC](http://en.wikipedia.org/wiki/ISAAC_%28cipher%29)
  85. 

  86. ##### Minor options

  87. 

  88. Use `-DED25519_INLINE_ASM` to disable the use of custom assembler routines and instead rely on portable C.
  89. 

  90. Use `-DED25519_FORCE_32BIT` to force the use of 32 bit routines even when compiling for 64 bit.
  91. 

  92. ##### 32-bit

  93. 

  94. 	gcc ed25519.c -m32 -O3 -c
  95. 

  96. ##### 64-bit

  97. 

  98. 	gcc ed25519.c -m64 -O3 -c
  99. 

  100. ##### SSE2

  101. 

  102. 	gcc ed25519.c -m32 -O3 -c -DED25519_SSE2 -msse2
  103. 	gcc ed25519.c -m64 -O3 -c -DED25519_SSE2
  104. 

  105. clang and icc are also supported
  106. 

  107. 

  108. #### Usage

  109. 

  110. To use the code, link against `ed25519.o -mbits` and:
  111. 

  112. 	#include "ed25519.h"
  113. 

  114. Add `-lssl -lcrypto` when using OpenSSL (Some systems don't need -lcrypto? It might be trial and error).
  115. 

  116. To generate a private key, simply generate 32 bytes from a secure
  117. cryptographic source:
  118. 

  119. 	ed25519_secret_key sk;
  120. 	randombytes(sk, sizeof(ed25519_secret_key));
  121. 

  122. To generate a public key:
  123. 

  124. 	ed25519_public_key pk;
  125. 	ed25519_publickey(sk, pk);
  126. 

  127. To sign a message:
  128. 

  129. 	ed25519_signature sig;
  130. 	ed25519_sign(message, message_len, sk, pk, signature);
  131. 

  132. To verify a signature:
  133. 

  134. 	int valid = ed25519_sign_open(message, message_len, pk, signature) == 0;
  135. 

  136. To batch verify signatures:
  137. 

  138. 	const unsigned char *mp[num] = {message1, message2..}
  139. 	size_t ml[num] = {message_len1, message_len2..}
  140. 	const unsigned char *pkp[num] = {pk1, pk2..}
  141. 	const unsigned char *sigp[num] = {signature1, signature2..}
  142. 	int valid[num]
  143. 

  144. 	/* valid[i] will be set to 1 if the individual signature was valid, 0 otherwise */
  145. 	int all_valid = ed25519_sign_open_batch(mp, ml, pkp, sigp, num, valid) == 0;
  146. 

  147. **Note**: Batch verification uses `ed25519_randombytes_unsafe`, implemented in 
  148. `ed25519-randombytes.h`, to generate random scalars for the verification code. 
  149. The default implementation now uses OpenSSLs `RAND_bytes`.
  150. 

  151. Unlike the [SUPERCOP](http://bench.cr.yp.to/supercop.html) version, signatures are
  152. not appended to messages, and there is no need for padding in front of messages. 
  153. Additionally, the secret key does not contain a copy of the public key, so it is 
  154. 32 bytes instead of 64 bytes, and the public key must be provided to the signing
  155. function.
  156. 

  157. ##### Curve25519

  158. 

  159. Curve25519 public keys can be generated thanks to 
  160. [Adam Langley](http://www.imperialviolet.org/2013/05/10/fastercurve25519.html) 
  161. leveraging Ed25519's precomputed basepoint scalar multiplication.
  162. 

  163. 	curved25519_key sk, pk;
  164. 	randombytes(sk, sizeof(curved25519_key));
  165. 	curved25519_scalarmult_basepoint(pk, sk);
  166. 

  167. Note the name is curved25519, a combination of curve and ed25519, to prevent 
  168. name clashes. Performance is slightly faster than short message ed25519
  169. signing due to both using the same code for the scalar multiply.
  170. 

  171. #### Testing

  172. 

  173. Fuzzing against reference implemenations is now available. See [fuzz/README](fuzz/README.md).
  174. 

  175. Building `ed25519.c` with `-DED25519_TEST` and linking with `test.c` will run basic sanity tests
  176. and benchmark each function. `test-batch.c` has been incorporated in to `test.c`.
  177. 

  178. `test-internals.c` is standalone and built the same way as `ed25519.c`. It tests the math primitives
  179. with extreme values to ensure they function correctly. SSE2 is now supported.
  180. 

  181. #### Papers

  182. 

  183. [Available on the Ed25519 website](http://ed25519.cr.yp.to/papers.html)