 NAME
 SYNOPSIS
 DESCRIPTION
 CRYPTOGRAPHY IS HARD
 CONVENTIONS
 Ed25519 API
 EdDSA compatible API
 CONVERTING BETWEEN Ed25519 and EdDSA
 SUPPORT FOR THE PERL MULTICORE SPECIFICATION
 IMPLEMENTATIOIN
 AUTHOR
NAME
Crypt::Ed25519  barebones Ed25519 public key signing/verification system
SYNOPSIS
use Crypt::Ed25519; # no symbols exported
############################################
# Ed25519 API  public/private keypair
# generate a public/private key pair once
($pubkey, $privkey) = Crypt::Ed25519::generate_keypair;
# sign a message
$signature = Crypt::Ed25519::sign $message, $pubkey, $privkey;
# verify message
$valid = Crypt::Ed25519::verify $message, $pubkey, $signature;
# verify, but croak on failure
Crypt::Ed25519::verify_croak $message, $pubkey, $signature;
############################################
# EdDSA API  secret key and derived public key
# generate a secret key
$secret = Crypt::EdDSA::eddsa_secret_key;
# derive public key as needed
$pubkey = Crypt::EdDSA::eddsa_public_key $secret;
# sign a message
$signature = Crypt::Ed25519::eddsa_sign $message, $pubkey, $secret;
# verify message
$valid = Crypt::Ed25519::eddsa_verify $message, $pubkey, $signature;
# verify, but croak on failure
Crypt::Ed25519:eddsa_verify_croak $message, $pubkey, $signature;
DESCRIPTION
This module implements Ed25519 public key generation, message signing and verification. It is a pretty barebones implementation that implements the standard Ed25519 variant with SHA512 hash, as well as a slower API compatible with the upcoming EdDSA RFC.
The security target for Ed25519 is to be equivalent to 3000 bit RSA or AES128.
The advantages of Ed25519 over most other signing algorithms are: small public/private key and signature sizes (<= 64 octets), good key generation, signing and verification performance, no reliance on random number generators for signing and bydesign immunity against branch or memory access pattern sidechannel attacks.
More detailed praise and other info can be found at http://ed25519.cr.yp.to/index.html.
CRYPTOGRAPHY IS HARD
A word of caution: don't use this module unless you really know what you are doing  even if this module were completely errorfree, that still doesn't mean that every way of using it is correct. When in doubt, it's best not to design your own cryptographic protocol.
CONVENTIONS
Public/private/secret keys, messages and signatures are all opaque and architectureindependent octet strings, and, except for the message, have fixed lengths.
Ed25519 API
 ($public_key, $private_key) = Crypt::Ed25519::generate_keypair

Creates and returns a new random public and private key pair. The public key is always 32 octets, the private key is always 64 octets long.
 ($public_key, $private_key) = Crypt::Ed25519::generate_keypair $secret_key

Instead of generating a random keypair, generate them from the given
$secret_key
(e.g. as returned byCrypt::Ed25519::eddsa_secret_key
. The derivation is deterministic, i.e. a specific$secret_key
will always result in the same keypair.A secret key is simply a random bit string, so if you have a good source of key material, you can simply generate 32 octets from it and use this as your secret key.
 $signature = Crypt::Ed25519::sign $message, $public_key, $private_key

Generates a signature for the given message using the public and private keys. The signature is always 64 octets long and deterministic, i.e. it is always the same for a specific combination of
$message
,$public_key
and$private_key
, i.e. no external source of randomness is required for signing.  $valid = Crypt::Ed25519::verify $message, $public_key, $signature

Checks whether the
$signature
is valid for the$message
and$public_ke
.  Crypt::Ed25519::verify_croak $message, $public_key, $signature

Same as
Crypt::Ed25519::verify
, but instead of returning a boolean, simply croaks with an error message when the signature isn't valid, so you don't have to think about what the return value really means.
EdDSA compatible API
The upcoming EdDSA draft RFC uses a slightly different (and slower) API for Ed25519. This API is provided by the following functions:
 $secret_key = Crypt::Ed25519::eddsa_secret_key

Creates and returns a new secret key, which is always 32 octets long. The secret key can be used to generate the public key via
Crypt::Ed25519::eddsa_public_key
and is not the same as the private key used in the Ed25519 API.A secret key is simply a random bit string, so if you have a good source of key material, you can simply generate 32 octets from it and use this as your secret key.
 $public_key = Crypt::Ed25519::eddsa_public_key $secret_key

Takes a secret key generated by
Crypt::Ed25519::eddsa_secret_key
and returns the corresponding$public_key
. The derivation is deterministic, i.e. the$public_key
generated for a specific$secret_key
is always the same.This public key corresponds to the public key in the Ed25519 API above.
 $signature = Crypt::Ed25519::eddsa_sign $message, $public_key, $secret_key

Generates a signature for the given message using the public and secret keys. Apart from specifying the
$secret_key
, this function is identical toCrypt::Ed25519::sign
, so everything said about it is true for this function as well.Internally,
Crypt::Ed25519::eddsa_sign
derives the corresponding private key first and then callsCrypt::Ed25519::sign
, so it is always slower.  $valid = Crypt::Ed25519::eddsa_verify $message, $public_key, $signature
 Crypt::Ed25519::eddsa_verify_croak $message, $public_key, $signature

Really the same as
Crypt::Ed25519::verify
andCrypt::Ed25519::verify_croak
, i.e. the functions without theeddsa_
prefix. These aliases are provided so it's clear that you are using EdDSA and not Ed25519 API.
CONVERTING BETWEEN Ed25519 and EdDSA
The Ed25519 and EdDSA compatible APIs handle keys slightly differently: The Ed25519 API gives you a public/private key pair, while EdDSA takes a secret and generates a public key from it.
You can convert an EdDSA secret to an Ed25519 private/public key pair using Crypt::Ed25519::generate_keypair
:
($public_key, $private_key) = Crypt::Ed25519::generate_keypair $secret
As such, the EdDSAstyle API allows you to store only the secret key and derive the public key as needed. On the other hand, signing using the private key is faster than using the secret key, so converting the secret key to a public/private key pair allows you to sign a small message, or many messages, faster.
SUPPORT FOR THE PERL MULTICORE SPECIFICATION
This module supports the perl multicore specification (http://perlmulticore.schmorp.de/) for key generation (usually the slowest operation), and all signing and verification functions.
IMPLEMENTATIOIN
This module currently uses "Nightcracker's Ed25519" implementation, which is unmodified except for some portability fixes and static delcarations, but the interface is kept implementationagnostic to allow usage of other implementations in the future.
AUTHOR
Marc Lehmann <schmorp@schmorp.de>
http://sfotware.schmorp.de/pkg/CryptEd25519.html