File: README.md

ruby-ed25519 1.4.0+ds-1
  • area: main
  • in suites: forky, sid, trixie
  • size: 668 kB
  • sloc: ansic: 3,789; java: 3,112; ruby: 103; makefile: 6
EdDSA-Java
==========

[![Build Status](https://travis-ci.org/str4d/ed25519-java.svg?branch=master)](https://travis-ci.org/str4d/ed25519-java)

This is an implementation of EdDSA in Java. Structurally, it is based on the ref10 implementation in SUPERCOP (see https://ed25519.cr.yp.to/software.html).

There are two internal implementations:
* A port of the radix-2^51 operations in ref10 - fast and constant-time, but only useful for Ed25519.
* A generic version using BigIntegers for calculation - a bit slower and not constant-time, but compatible with any EdDSA parameter specification.


To use
------

Download the latest .jar from the releases tab and place it in your classpath.

Gradle users:

```
compile 'net.i2p.crypto:eddsa:0.2.0'
```

The code requires Java 6 (e.g. for the `Arrays.copyOfRange()` calls in `EdDSAEngine.engineVerify()`).

The JUnit4 tests require the Hamcrest library `hamcrest-all.jar`.

This code is released to the public domain and can be used for any purpose. See `LICENSE.txt` for details.

Disclaimer
----------

There are **no** guarantees that this is secure for all cases, and users should
review the code themselves before depending on it. PRs that fix bugs or improve
reviewability are very welcome. Additionally:

- The unit test suite includes tests against
  [the data from the original Python implementation](https://ed25519.cr.yp.to/python/sign.input).
- The code (as of 97cea3f0d910fc627c7b57b1bc4d783cdd0c2a4a) was reviewed by
  [an independent developer](https://github.com/BloodyRookie).
- The code (as of dc9f58f2c874463c15465326efc040d17a627b3a) was audited by an independent third party,
  and the one issue found [was fixed](https://github.com/str4d/ed25519-java/pull/31).

Code comparison
---------------

For ease of following, here are the main methods in ref10 and their equivalents in this codebase:

| EdDSA Operation | ref10 function | Java function |
| --------------- | -------------- | ------------- |
| Generate keypair | `crypto_sign_keypair` | `EdDSAPrivateKeySpec` constructor |
| Sign message | `crypto_sign` | `EdDSAEngine.engineSign` |
| Verify signature | `crypto_sign_open` | `EdDSAEngine.engineVerify` |
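
The three operations in the table above, exercised through the standard `java.security.Signature` interface. This is an added example, not code from the project; the class name `Ed25519RoundTrip`, the helper methods and the sample message are assumptions made for illustration, and the curve name `Ed25519` is the one given in the 0.2.0 note.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.Arrays;
import net.i2p.crypto.eddsa.EdDSAEngine;
import net.i2p.crypto.eddsa.EdDSAPrivateKey;
import net.i2p.crypto.eddsa.EdDSAPublicKey;
import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
import net.i2p.crypto.eddsa.spec.EdDSAParameterSpec;
import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;

// Hypothetical demo class (not part of the library).
public class Ed25519RoundTrip {
    static final EdDSAParameterSpec SPEC = EdDSANamedCurveTable.getByName("Ed25519");

    // A fresh engine per operation avoids relying on state left by an earlier call.
    static Signature newEngine() throws Exception {
        return new EdDSAEngine(MessageDigest.getInstance(SPEC.getHashAlgorithm()));
    }

    static byte[] sign(EdDSAPrivateKey key, byte[] msg) throws Exception {
        Signature s = newEngine();
        s.initSign(key);
        s.update(msg);
        return s.sign();                 // dispatches to EdDSAEngine.engineSign
    }

    static boolean verify(EdDSAPublicKey key, byte[] msg, byte[] sig) throws Exception {
        Signature s = newEngine();
        s.initVerify(key);
        s.update(msg);
        return s.verify(sig);            // dispatches to EdDSAEngine.engineVerify
    }

    public static void main(String[] args) throws Exception {
        byte[] seed = new byte[32];      // Ed25519 private seed, from a CSPRNG
        new SecureRandom().nextBytes(seed);
        // The EdDSAPrivateKeySpec constructor derives the public point A from the seed.
        EdDSAPrivateKeySpec privSpec = new EdDSAPrivateKeySpec(seed, SPEC);
        EdDSAPrivateKey priv = new EdDSAPrivateKey(privSpec);
        EdDSAPublicKey pub = new EdDSAPublicKey(new EdDSAPublicKeySpec(privSpec.getA(), SPEC));
        byte[] msg = "constructed sample message".getBytes("UTF-8");
        byte[] sig = sign(priv, msg);
        byte[] tampered = msg.clone();
        tampered[0] ^= 0x01;             // flip one bit of the message
        System.out.println("valid signature accepted: " + verify(pub, msg, sig));
        System.out.println("tampered message accepted: " + verify(pub, tampered, sig));
        System.out.println("deterministic: " + Arrays.equals(sig, sign(priv, msg)));
    }
}
```

Compile and run it with the library's .jar on the classpath. The last line checks that signing the same message twice with the same key yields identical bytes, since EdDSA derives its nonce from the key and message rather than from a random source.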

| EdDSA point arithmetic | ref10 function | Java function |
| ---------------------- | -------------- | ------------- |
| `R = b * B` | `ge_scalarmult_base` | `GroupElement.scalarMultiply` |
| `R = a*A + b*B` | `ge_double_scalarmult_vartime` | `GroupElement.doubleScalarMultiplyVariableTime` |
| `R = 2 * P` | `ge_p2_dbl` | `GroupElement.dbl` |
| `R = P + Q` | `ge_madd`, `ge_add` | `GroupElement.madd`, `GroupElement.add` |
| `R = P - Q` | `ge_msub`, `ge_sub` | `GroupElement.msub`, `GroupElement.sub` |


Important changes
-----------------

### 0.2.0

- Ed25519 is now named `Ed25519` in `EdDSANamedCurveTable`, and the previous public constant
  (containing the older inaccurate name) has been removed.

Credits
-------

* The Ed25519 class was originally ported by k3d3 from [the Python Ed25519 reference implementation](https://ed25519.cr.yp.to/python/ed25519.py).
* Useful comments and tweaks were found in [the GNUnet implementation of Ed25519](https://gnunet.org/svn/gnunet-java/src/main/java/org/gnunet/util/crypto/) (based on k3d3's class).
* [BloodyRookie](https://github.com/BloodyRookie) reviewed the code, adding many useful comments, unit tests and literature.