Internet Research Task Force (IRTF)                         S. Josefsson
Request for Comments: 8032                                        SJD AB
Category: Informational                                     I. Liusvaara
ISSN: 2070-1721                                              Independent
                                                            January 2017
        
Internet Research Task Force (IRTF)                         S. Josefsson
Request for Comments: 8032                                        SJD AB
Category: Informational                                     I. Liusvaara
ISSN: 2070-1721                                              Independent
                                                            January 2017
        

Edwards-Curve Digital Signature Algorithm (EdDSA)

爱德华兹曲线数字签名算法(EdDSA)

Abstract

摘要

This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.

本文描述了椭圆曲线签名方案Edwards曲线数字签名算法(EdDSA)。该算法使用edwards25519和edwards448曲线的推荐参数进行实例化。提供了一个示例实现和测试向量。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This document is a product of the Internet Research Task Force (IRTF). The IRTF publishes the results of Internet-related research and development activities. These results might not be suitable for deployment. This RFC represents the consensus of the Crypto Forum Research Group of the Internet Research Task Force (IRTF). Documents approved for publication by the IRSG are not a candidate for any level of Internet Standard; see Section 2 of RFC 7841.

本文件是互联网研究工作组(IRTF)的产品。IRTF发布互联网相关研究和开发活动的结果。这些结果可能不适合部署。本RFC代表了互联网研究工作组(IRTF)加密论坛研究小组的共识。IRSG批准发布的文件不适用于任何级别的互联网标准;见RFC 7841第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8032.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc8032.

Copyright Notice

版权公告

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2017 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。

Table of Contents

目录

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Notation and Conventions  . . . . . . . . . . . . . . . . . .   4
   3.  EdDSA Algorithm . . . . . . . . . . . . . . . . . . . . . . .   5
     3.1.  Encoding  . . . . . . . . . . . . . . . . . . . . . . . .   7
     3.2.  Keys  . . . . . . . . . . . . . . . . . . . . . . . . . .   7
     3.3.  Sign  . . . . . . . . . . . . . . . . . . . . . . . . . .   8
     3.4.  Verify  . . . . . . . . . . . . . . . . . . . . . . . . .   8
   4.  PureEdDSA, HashEdDSA, and Naming  . . . . . . . . . . . . . .   8
   5.  EdDSA Instances . . . . . . . . . . . . . . . . . . . . . . .   9
     5.1.  Ed25519ph, Ed25519ctx, and Ed25519  . . . . . . . . . . .   9
       5.1.1.  Modular Arithmetic  . . . . . . . . . . . . . . . . .  10
       5.1.2.  Encoding  . . . . . . . . . . . . . . . . . . . . . .  10
       5.1.3.  Decoding  . . . . . . . . . . . . . . . . . . . . . .  11
       5.1.4.  Point Addition  . . . . . . . . . . . . . . . . . . .  11
       5.1.5.  Key Generation  . . . . . . . . . . . . . . . . . . .  13
       5.1.6.  Sign  . . . . . . . . . . . . . . . . . . . . . . . .  13
       5.1.7.  Verify  . . . . . . . . . . . . . . . . . . . . . . .  14
     5.2.  Ed448ph and Ed448 . . . . . . . . . . . . . . . . . . . .  15
       5.2.1.  Modular Arithmetic  . . . . . . . . . . . . . . . . .  16
       5.2.2.  Encoding  . . . . . . . . . . . . . . . . . . . . . .  16
       5.2.3.  Decoding  . . . . . . . . . . . . . . . . . . . . . .  16
       5.2.4.  Point Addition  . . . . . . . . . . . . . . . . . . .  17
       5.2.5.  Key Generation  . . . . . . . . . . . . . . . . . . .  18
       5.2.6.  Sign  . . . . . . . . . . . . . . . . . . . . . . . .  19
       5.2.7.  Verify  . . . . . . . . . . . . . . . . . . . . . . .  19
   6.  Ed25519 Python Illustration . . . . . . . . . . . . . . . . .  20
   7.  Test Vectors  . . . . . . . . . . . . . . . . . . . . . . . .  23
     7.1.  Test Vectors for Ed25519  . . . . . . . . . . . . . . . .  24
     7.2.  Test Vectors for Ed25519ctx . . . . . . . . . . . . . . .  27
     7.3.  Test Vectors for Ed25519ph  . . . . . . . . . . . . . . .  30
     7.4.  Test Vectors for Ed448  . . . . . . . . . . . . . . . . .  30
     7.5.  Test Vectors for Ed448ph  . . . . . . . . . . . . . . . .  38
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  40
     8.1.  Side-Channel Leaks  . . . . . . . . . . . . . . . . . . .  40
     8.2.  Randomness Considerations . . . . . . . . . . . . . . . .  40
     8.3.  Use of Contexts . . . . . . . . . . . . . . . . . . . . .  41
     8.4.  Signature Malleability  . . . . . . . . . . . . . . . . .  41
     8.5.  Choice of Signature Primitive . . . . . . . . . . . . . .  41
     8.6.  Mixing Different Prehashes  . . . . . . . . . . . . . . .  42
     8.7.  Signing Large Amounts of Data at Once . . . . . . . . . .  42
     8.8.  Multiplication by Cofactor in Verification  . . . . . . .  43
     8.9.  Use of SHAKE256 as a Hash Function  . . . . . . . . . . .  43
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  43
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  43
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  44
        
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Notation and Conventions  . . . . . . . . . . . . . . . . . .   4
   3.  EdDSA Algorithm . . . . . . . . . . . . . . . . . . . . . . .   5
     3.1.  Encoding  . . . . . . . . . . . . . . . . . . . . . . . .   7
     3.2.  Keys  . . . . . . . . . . . . . . . . . . . . . . . . . .   7
     3.3.  Sign  . . . . . . . . . . . . . . . . . . . . . . . . . .   8
     3.4.  Verify  . . . . . . . . . . . . . . . . . . . . . . . . .   8
   4.  PureEdDSA, HashEdDSA, and Naming  . . . . . . . . . . . . . .   8
   5.  EdDSA Instances . . . . . . . . . . . . . . . . . . . . . . .   9
     5.1.  Ed25519ph, Ed25519ctx, and Ed25519  . . . . . . . . . . .   9
       5.1.1.  Modular Arithmetic  . . . . . . . . . . . . . . . . .  10
       5.1.2.  Encoding  . . . . . . . . . . . . . . . . . . . . . .  10
       5.1.3.  Decoding  . . . . . . . . . . . . . . . . . . . . . .  11
       5.1.4.  Point Addition  . . . . . . . . . . . . . . . . . . .  11
       5.1.5.  Key Generation  . . . . . . . . . . . . . . . . . . .  13
       5.1.6.  Sign  . . . . . . . . . . . . . . . . . . . . . . . .  13
       5.1.7.  Verify  . . . . . . . . . . . . . . . . . . . . . . .  14
     5.2.  Ed448ph and Ed448 . . . . . . . . . . . . . . . . . . . .  15
       5.2.1.  Modular Arithmetic  . . . . . . . . . . . . . . . . .  16
       5.2.2.  Encoding  . . . . . . . . . . . . . . . . . . . . . .  16
       5.2.3.  Decoding  . . . . . . . . . . . . . . . . . . . . . .  16
       5.2.4.  Point Addition  . . . . . . . . . . . . . . . . . . .  17
       5.2.5.  Key Generation  . . . . . . . . . . . . . . . . . . .  18
       5.2.6.  Sign  . . . . . . . . . . . . . . . . . . . . . . . .  19
       5.2.7.  Verify  . . . . . . . . . . . . . . . . . . . . . . .  19
   6.  Ed25519 Python Illustration . . . . . . . . . . . . . . . . .  20
   7.  Test Vectors  . . . . . . . . . . . . . . . . . . . . . . . .  23
     7.1.  Test Vectors for Ed25519  . . . . . . . . . . . . . . . .  24
     7.2.  Test Vectors for Ed25519ctx . . . . . . . . . . . . . . .  27
     7.3.  Test Vectors for Ed25519ph  . . . . . . . . . . . . . . .  30
     7.4.  Test Vectors for Ed448  . . . . . . . . . . . . . . . . .  30
     7.5.  Test Vectors for Ed448ph  . . . . . . . . . . . . . . . .  38
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  40
     8.1.  Side-Channel Leaks  . . . . . . . . . . . . . . . . . . .  40
     8.2.  Randomness Considerations . . . . . . . . . . . . . . . .  40
     8.3.  Use of Contexts . . . . . . . . . . . . . . . . . . . . .  41
     8.4.  Signature Malleability  . . . . . . . . . . . . . . . . .  41
     8.5.  Choice of Signature Primitive . . . . . . . . . . . . . .  41
     8.6.  Mixing Different Prehashes  . . . . . . . . . . . . . . .  42
     8.7.  Signing Large Amounts of Data at Once . . . . . . . . . .  42
     8.8.  Multiplication by Cofactor in Verification  . . . . . . .  43
     8.9.  Use of SHAKE256 as a Hash Function  . . . . . . . . . . .  43
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  43
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  43
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  44
        
   Appendix A.  Ed25519/Ed448 Python Library . . . . . . . . . . . .  46
   Appendix B.  Library Driver . . . . . . . . . . . . . . . . . . .  58
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  60
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  60
        
   Appendix A.  Ed25519/Ed448 Python Library . . . . . . . . . . . .  46
   Appendix B.  Library Driver . . . . . . . . . . . . . . . . . . .  58
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  60
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  60
        
1. Introduction
1. 介绍

The Edwards-curve Digital Signature Algorithm (EdDSA) is a variant of Schnorr's signature system with (possibly twisted) Edwards curves. EdDSA needs to be instantiated with certain parameters, and this document describes some recommended variants.

Edwards曲线数字签名算法(EdDSA)是Schnorr签名系统的一个变体,具有(可能扭曲的)Edwards曲线。EdDSA需要使用某些参数进行实例化,本文档描述了一些推荐的变体。

To facilitate adoption of EdDSA in the Internet community, this document describes the signature scheme in an implementation-oriented way and provides sample code and test vectors.

为了便于在互联网社区中采用EdDSA,本文档以面向实现的方式描述了签名方案,并提供了示例代码和测试向量。

The advantages with EdDSA are as follows:

EdDSA的优点如下:

1. EdDSA provides high performance on a variety of platforms;

1. EdDSA在各种平台上提供高性能;

2. The use of a unique random number for each signature is not required;

2. 不需要为每个签名使用唯一的随机数;

3. It is more resilient to side-channel attacks;

3. 它对侧通道攻击更具弹性;

4. EdDSA uses small public keys (32 or 57 bytes) and signatures (64 or 114 bytes) for Ed25519 and Ed448, respectively;

4. EdDSA分别对Ed25519和Ed448使用小型公钥(32或57字节)和签名(64或114字节);

5. The formulas are "complete", i.e., they are valid for all points on the curve, with no exceptions. This obviates the need for EdDSA to perform expensive point validation on untrusted public values; and

5. 这些公式是“完整的”,即它们对曲线上的所有点都有效,没有例外。这样就不需要EdDSA对不可信的公共值执行昂贵的点验证;和

6. EdDSA provides collision resilience, meaning that hash-function collisions do not break this system (only holds for PureEdDSA).

6. EdDSA提供冲突恢复能力,这意味着哈希函数冲突不会破坏该系统(仅适用于PureEdDSA)。

The original EdDSA paper [EDDSA] and the generalized version described in "EdDSA for more curves" [EDDSA2] provide further background. RFC 7748 [RFC7748] discusses specific curves, including Curve25519 [CURVE25519] and Ed448-Goldilocks [ED448].

最初的EdDSA论文[EdDSA]和“更多曲线的EdDSA”[EDDSA2]中描述的广义版本提供了进一步的背景。RFC 7748[RFC7748]讨论了特定曲线,包括Curve25519[Curve25519]和Ed448 Goldilocks[Ed448]。

Ed25519 is intended to operate at around the 128-bit security level and Ed448 at around the 224-bit security level. A sufficiently large quantum computer would be able to break both. Reasonable projections of the abilities of classical computers conclude that Ed25519 is perfectly safe. Ed448 is provided for those applications with relaxed performance requirements and where there is a desire to hedge against analytical attacks on elliptic curves.

Ed25519拟在128位安全级别左右运行,Ed448拟在224位安全级别左右运行。一台足够大的量子计算机将能够同时破解这两个问题。对经典计算机能力的合理预测得出结论,Ed25519是完全安全的。Ed448适用于性能要求较宽松的应用程序,并且希望避免对椭圆曲线的分析攻击。

2. Notation and Conventions
2. 符号和约定

The following notation is used throughout the document:

本文件中使用了以下符号:

p Denotes the prime number defining the underlying field

p表示定义基础字段的素数

GF(p) Finite field with p elements

含p元的GF(p)有限域

x^y x multiplied by itself y times

x^y x乘以自身y倍

B Generator of the group or subgroup of interest

B感兴趣的组或子组的生成器

[n]X X added to itself n times

[n] X自身添加了n次

h[i] The i'th octet of octet string

h[i]八位元字符串的第i个八位元

h_i The i'th bit of h

h_i是h的第i位

a || b (bit-)string a concatenated with (bit-)string b

a | | b(位-)字符串a与(位-)字符串b连接

a <= b a is less than or equal to b

a<=b a小于或等于b

a >= b a is greater than or equal to b

a>=b a大于或等于b

i+j Sum of i and j

i+j i和j之和

i*j Multiplication of i and j

i和j的i*j乘法

i-j Subtraction of j from i

i-j从i减去j

i/j Division of i by j

i/j按j划分i/j

i x j Cartesian product of i and j

i和j的笛卡尔积

(u,v) Elliptic curve point with x-coordinate u and y-coordinate v

具有x坐标u和y坐标v的(u,v)椭圆曲线点

SHAKE256(x, y) The y first octets of SHAKE256 [FIPS202] output for input x

SHAKE256(x,y)输入x的SHAKE256[FIPS202]输出的y个前八位字节

OCTET(x) The octet with value x

八位组(x)值为x的八位组

OLEN(x) The number of octets in string x

OLEN(x)字符串x中的八位字节数

dom2(x, y) The blank octet string when signing or verifying Ed25519. Otherwise, the octet string: "SigEd25519 no Ed25519 collisions" || octet(x) || octet(OLEN(y)) || y, where x is in range 0-255 and y is an octet string of at most 255 octets. "SigEd25519 no Ed25519 collisions" is in ASCII (32 octets).

DOM2(x,y)在签名或验证ED25519时的空白八位字节字符串。否则,八进制字符串:“SigEd25519无Ed25519冲突”| | |八进制(x)| | |八进制(OLEN(y))| | | y,其中x在0-255范围内,y是最多255个八进制的八进制字符串。“SigEd25519无Ed25519冲突”是ASCII码(32个八位字节)。

dom4(x, y) The octet string "SigEd448" || octet(x) || octet(OLEN(y)) || y, where x is in range 0-255 and y is an octet string of at most 255 octets. "SigEd448" is in ASCII (8 octets).

dom4(x,y)八位字节字符串“SigEd448”| |八位字节(x)| |八位字节(OLEN(y))| | y,其中x在0-255范围内,y是最多255个八位字节的八位字节字符串。“SigEd448”是ASCII码(8个八位字节)。

Parentheses (i.e., '(' and ')') are used to group expressions, in order to avoid having the description depend on a binding order between operators.

括号(即“(”和“)”)用于对表达式进行分组,以避免描述依赖于运算符之间的绑定顺序。

Bit strings are converted to octet strings by taking bits from left to right, packing those from the least significant bit of each octet to the most significant bit, and moving to the next octet when each octet fills up. The conversion from octet string to bit string is the reverse of this process; for example, the 16-bit bit string

通过从左到右取位,将每个八位字节的最低有效位压缩到最高有效位,并在每个八位字节填满时移动到下一个八位字节,位字符串转换为八位字节字符串。从八进制字符串到位字符串的转换与此过程相反;例如,16位字符串

b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12 b13 b14 b15

b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12 b13 b14 b15

is converted into two octets x0 and x1 (in this order) as

转换为两个八位字节x0和x1(按此顺序),如下所示:

             x0 = b7*128+b6*64+b5*32+b4*16+b3*8+b2*4+b1*2+b0
             x1 = b15*128+b14*64+b13*32+b12*16+b11*8+b10*4+b9*2+b8
        
             x0 = b7*128+b6*64+b5*32+b4*16+b3*8+b2*4+b1*2+b0
             x1 = b15*128+b14*64+b13*32+b12*16+b11*8+b10*4+b9*2+b8
        

Little-endian encoding into bits places bits from left to right and from least significant to most significant. If combined with bit-string-to-octet-string conversion defined above, this results in little-endian encoding into octets (if length is not a multiple of 8, the most significant bits of the last octet remain unused).

位的小端编码将位从左到右,从最低有效位到最高有效位。如果与上面定义的位字符串到八位字节字符串的转换相结合,这将导致小端编码到八位字节(如果长度不是8的倍数,则最后一个八位字节的最高有效位保持未使用)。

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。

3. EdDSA Algorithm
3. EdDSA算法

EdDSA is a digital signature system with 11 parameters.

EdDSA是一个具有11个参数的数字签名系统。

The generic EdDSA digital signature system with its 11 input parameters is not intended to be implemented directly. Choosing parameters is critical for secure and efficient operation. Instead, you would implement a particular parameter choice for EdDSA (such as

具有11个输入参数的通用EdDSA数字签名系统不打算直接实现。选择参数对安全高效运行至关重要。相反,您将为EdDSA实现一个特定的参数选择(例如

Ed25519 or Ed448), sometimes slightly generalized to achieve code reuse to cover Ed25519 and Ed448.

Ed25519或Ed448),有时稍微泛化以实现代码重用,从而涵盖Ed25519和Ed448。

Therefore, a precise explanation of the generic EdDSA is thus not particularly useful for implementers. For background and completeness, a succinct description of the generic EdDSA algorithm is given here.

因此,对通用EdDSA的精确解释对实现者来说并不特别有用。为了背景和完整性,这里给出了通用EdDSA算法的简洁描述。

The definition of some parameters, such as n and c, may help to explain some steps of the algorithm that are not intuitive.

一些参数的定义,如n和c,可能有助于解释算法中一些不直观的步骤。

This description closely follows [EDDSA2].

此描述紧跟[EDDSA2]。

EdDSA has 11 parameters:

EdDSA有11个参数:

1. An odd prime power p. EdDSA uses an elliptic curve over the finite field GF(p).

1. 奇素数幂p。EdDSA使用有限域GF(p)上的椭圆曲线。

2. An integer b with 2^(b-1) > p. EdDSA public keys have exactly b bits, and EdDSA signatures have exactly 2*b bits. b is recommended to be a multiple of 8, so public key and signature lengths are an integral number of octets.

2. 一个2^(b-1)>p的整数b。EdDSA公钥正好有b位,EdDSA签名正好有2*b位。建议b是8的倍数,因此公钥和签名长度是八位字节的整数。

3. A (b-1)-bit encoding of elements of the finite field GF(p).

3. 有限域GF(p)元素的A(b-1)-位编码。

4. A cryptographic hash function H producing 2*b-bit output. Conservative hash functions (i.e., hash functions where it is infeasible to create collisions) are recommended and do not have much impact on the total cost of EdDSA.

4. 产生2*b位输出的加密哈希函数H。建议使用保守的散列函数(即不可能创建冲突的散列函数),并且对EdDSA的总成本没有太大影响。

5. An integer c that is 2 or 3. Secret EdDSA scalars are multiples of 2^c. The integer c is the base-2 logarithm of the so-called cofactor.

5. 2或3的整数c。秘密EdDSA标量是2^c的倍数。整数c是所谓余因子的以2为底的对数。

6. An integer n with c <= n < b. Secret EdDSA scalars have exactly n + 1 bits, with the top bit (the 2^n position) always set and the bottom c bits always cleared.

6. c<=n<b的整数n。秘密EdDSA标量正好有n+1位,顶部位(2^n位置)始终设置,底部c位始终清除。

7. A non-square element d of GF(p). The usual recommendation is to take it as the value nearest to zero that gives an acceptable curve.

7. GF(p)的非平方元d。通常的建议是将其视为最接近零的值,以给出可接受的曲线。

8. A non-zero square element a of GF(p). The usual recommendation for best performance is a = -1 if p mod 4 = 1, and a = 1 if p mod 4 = 3.

8. GF(p)的非零平方元A。对于最佳性能,通常的建议是:如果p mod 4=1,则a=-1;如果p mod 4=3,则a=1。

9. An element B != (0,1) of the set E = { (x,y) is a member of GF(p) x GF(p) such that a * x^2 + y^2 = 1 + d * x^2 * y^2 }.

9. 元素B!=集合E={(x,y)的(0,1)是GF(p)xgf(p)的一个成员,使得a*x^2+y^2=1+d*x^2*y^2}。

10. An odd prime L such that [L]B = 0 and 2^c * L = #E. The number #E (the number of points on the curve) is part of the standard data provided for an elliptic curve E, or it can be computed as cofactor * order.

10. 一种奇数素数L,使得[L]B=0,2^c*L=#E。数#E(曲线上的点数)是为椭圆曲线E提供的标准数据的一部分,或者可以计算为余因子*阶。

11. A "prehash" function PH. PureEdDSA means EdDSA where PH is the identity function, i.e., PH(M) = M. HashEdDSA means EdDSA where PH generates a short output, no matter how long the message is; for example, PH(M) = SHA-512(M).

11. “预灰化”函数PH.PureEdDSA表示EdDSA,其中PH是标识函数,即PH(M)=M。HashEdDSA表示EdDSA,其中PH生成短输出,无论消息有多长;例如,PH(M)=SHA-512(M)。

   Points on the curve form a group under addition, (x3, y3) = (x1, y1)
   + (x2, y2), with the formulas
        
   Points on the curve form a group under addition, (x3, y3) = (x1, y1)
   + (x2, y2), with the formulas
        
             x1 * y2 + x2 * y1                y1 * y2 - a * x1 * x2
   x3 = --------------------------,   y3 = ---------------------------
         1 + d * x1 * x2 * y1 * y2          1 - d * x1 * x2 * y1 * y2
        
             x1 * y2 + x2 * y1                y1 * y2 - a * x1 * x2
   x3 = --------------------------,   y3 = ---------------------------
         1 + d * x1 * x2 * y1 * y2          1 - d * x1 * x2 * y1 * y2
        

The neutral element in the group is (0,1).

组中的中性元素为(0,1)。

Unlike many other curves used for cryptographic applications, these formulas are "complete"; they are valid for all points on the curve, with no exceptions. In particular, the denominators are non-zero for all input points.

与用于加密应用的许多其他曲线不同,这些公式是“完整的”;它们对曲线上的所有点都有效,没有例外。特别是,所有输入点的分母都不是零。

There are more efficient formulas, which are still complete, that use homogeneous coordinates to avoid the expensive modulo p inversions. See [Faster-ECC] and [Edwards-revisited].

还有一些更有效的公式仍然是完整的,它们使用齐次坐标来避免昂贵的模p反演。请参阅[更快的ECC]和[重新访问爱德华兹]。

3.1. Encoding
3.1. 编码

An integer 0 < S < L - 1 is encoded in little-endian form as a b-bit string ENC(S).

整数0<S<L-1以小端形式编码为b位字符串ENC(S)。

An element (x,y) of E is encoded as a b-bit string called ENC(x,y), which is the (b-1)-bit encoding of y concatenated with one bit that is 1 if x is negative and 0 if x is not negative.

E的一个元素(x,y)被编码为一个称为ENC(x,y)的b位字符串,它是y的(b-1)位编码,与一个位连接,如果x为负,则该位为1;如果x为非负,则该位为0。

The encoding of GF(p) is used to define "negative" elements of GF(p): specifically, x is negative if the (b-1)-bit encoding of x is lexicographically larger than the (b-1)-bit encoding of -x.

GF(p)的编码用于定义GF(p)的“负”元素:具体地说,如果x的(b-1)位编码在词典学上大于-x的(b-1)位编码,那么x是负的。

3.2. Keys
3.2. 钥匙
   An EdDSA private key is a b-bit string k.  Let the hash H(k) =
   (h_0, h_1, ..., h_(2b-1)) determine an integer s, which is 2^n plus
   the sum of m = 2^i * h_i for all integer i, c <= i < n.  Let s
   determine the multiple A = [s]B.  The EdDSA public key is ENC(A).
   The bits h_b, ..., h_(2b-1) are used below during signing.
        
   An EdDSA private key is a b-bit string k.  Let the hash H(k) =
   (h_0, h_1, ..., h_(2b-1)) determine an integer s, which is 2^n plus
   the sum of m = 2^i * h_i for all integer i, c <= i < n.  Let s
   determine the multiple A = [s]B.  The EdDSA public key is ENC(A).
   The bits h_b, ..., h_(2b-1) are used below during signing.
        
3.3. Sign
3.3. 签名

The EdDSA signature of a message M under a private key k is defined as the PureEdDSA signature of PH(M). In other words, EdDSA simply uses PureEdDSA to sign PH(M).

私钥k下消息M的EdDSA签名被定义为PH(M)的PureEdDSA签名。换句话说,EdDSA只是使用PureEdDSA来表示PH(M)。

   The PureEdDSA signature of a message M under a private key k is the
   2*b-bit string ENC(R) || ENC(S).  R and S are derived as follows.
   First define r = H(h_b || ... || h_(2b-1) || M) interpreting 2*b-bit
   strings in little-endian form as integers in {0, 1, ..., 2^(2*b) -
   1}.  Let R = [r]B and S = (r + H(ENC(R) || ENC(A) || PH(M)) * s) mod
   L.  The s used here is from the previous section.
        
   The PureEdDSA signature of a message M under a private key k is the
   2*b-bit string ENC(R) || ENC(S).  R and S are derived as follows.
   First define r = H(h_b || ... || h_(2b-1) || M) interpreting 2*b-bit
   strings in little-endian form as integers in {0, 1, ..., 2^(2*b) -
   1}.  Let R = [r]B and S = (r + H(ENC(R) || ENC(A) || PH(M)) * s) mod
   L.  The s used here is from the previous section.
        
3.4. Verify
3.4. 验证

To verify a PureEdDSA signature ENC(R) || ENC(S) on a message M under a public key ENC(A), proceed as follows. Parse the inputs so that A and R are elements of E, and S is a member of the set {0, 1, ..., L-1}. Compute h = H(ENC(R) || ENC(A) || M), and check the group equation [2^c * S] B = 2^c * R + [2^c * h] A in E. The signature is rejected if parsing fails (including S being out of range) or if the group equation does not hold.

要验证公钥ENC(a)下消息M上的PureEdDSA签名ENC(R)| | ENC(S),请执行以下操作。解析输入,使A和R是E的元素,S是集合{0,1,…,L-1}的成员。计算h=h(ENC(R)| | ENC(A)| | | M),并检查E中的组方程[2^c*S]B=2^c*R+[2^c*h]A。如果解析失败(包括S超出范围)或组方程不成立,则拒绝签名。

EdDSA verification for a message M is defined as PureEdDSA verification for PH(M).

消息M的EdDSA验证定义为PH(M)的PureEdDSA验证。

4. PureEdDSA, HashEdDSA, and Naming
4. pureddsa、hashedsa和命名

One of the parameters of the EdDSA algorithm is the "prehash" function. This may be the identity function, resulting in an algorithm called PureEdDSA, or a collision-resistant hash function such as SHA-512, resulting in an algorithm called HashEdDSA.

EdDSA算法的参数之一是“预灰分”函数。这可能是identity函数,生成一个名为pureddsa的算法,或者是抗冲突哈希函数(如SHA-512),生成一个名为HashEdDSA的算法。

Choosing which variant to use depends on which property is deemed to be more important between 1) collision resilience and 2) a single-pass interface for creating signatures. The collision resilience property means EdDSA is secure even if it is feasible to compute collisions for the hash function. The single-pass interface property means that only one pass over the input message is required to create a signature. PureEdDSA requires two passes over the input. Many existing APIs, protocols, and environments assume digital signature algorithms only need one pass over the input and may have API or bandwidth concerns supporting anything else.

选择使用哪种变体取决于在1)冲突恢复能力和2)用于创建签名的单通道接口之间,哪个属性被认为更重要。冲突弹性属性意味着即使可以为哈希函数计算冲突,EdDSA也是安全的。single pass interface属性意味着创建签名只需要对输入消息进行一次传递。PureEdDSA需要对输入进行两次传递。许多现有的API、协议和环境都假设数字签名算法只需要对输入进行一次传递,并且可能需要API或带宽问题来支持其他任何内容。

Note that single-pass verification is not possible with most uses of signatures, no matter which signature algorithm is chosen. This is because most of the time, one can't process the message until the signature is validated, which needs a pass on the entire message.

请注意,无论选择哪种签名算法,在大多数签名使用情况下,单次通过验证都是不可能的。这是因为在大多数情况下,只有验证签名才能处理消息,签名需要传递整个消息。

This document specifies parameters resulting in the HashEdDSA variants Ed25519ph and Ed448ph and the PureEdDSA variants Ed25519 and Ed448.

本文档指定了导致HashEdDSA变体Ed25519ph和Ed448ph以及PureEdDSA变体Ed25519和Ed448的参数。

5. EdDSA Instances
5. EdDSA实例

This section instantiates the general EdDSA algorithm for the edwards25519 and edwards448 curves, each for the PureEdDSA and HashEdDSA variants (plus a contextualized extension of the Ed25519 scheme). Thus, five different parameter sets are described.

This section instantiates the general EdDSA algorithm for the edwards25519 and edwards448 curves, each for the PureEdDSA and HashEdDSA variants (plus a contextualized extension of the Ed25519 scheme). Thus, five different parameter sets are described.translate error, please retry

5.1. Ed25519ph, Ed25519ctx, and Ed25519
5.1. Ed25519ph、Ed25519ctx和Ed25519

Ed25519 is EdDSA instantiated with:

Ed25519是EdDSA的一个实例:

   +-----------+-------------------------------------------------------+
   | Parameter | Value                                                 |
   +-----------+-------------------------------------------------------+
   |     p     | p of edwards25519 in [RFC7748] (i.e., 2^255 - 19)     |
   |     b     | 256                                                   |
   |  encoding | 255-bit little-endian encoding of {0, 1, ..., p-1}    |
   |  of GF(p) |                                                       |
   |    H(x)   | SHA-512(dom2(phflag,context)||x) [RFC6234]            |
   |     c     | base 2 logarithm of cofactor of edwards25519 in       |
   |           | [RFC7748] (i.e., 3)                                   |
   |     n     | 254                                                   |
   |     d     | d of edwards25519 in [RFC7748] (i.e., -121665/121666  |
   |           | = 370957059346694393431380835087545651895421138798432 |
   |           | 19016388785533085940283555)                           |
   |     a     | -1                                                    |
   |     B     | (X(P),Y(P)) of edwards25519 in [RFC7748] (i.e., (1511 |
   |           | 22213495354007725011514095885315114540126930418572060 |
   |           | 46113283949847762202, 4631683569492647816942839400347 |
   |           | 5163141307993866256225615783033603165251855960))      |
   |     L     | order of edwards25519 in [RFC7748] (i.e.,             |
   |           | 2^252+27742317777372353535851937790883648493).        |
   |   PH(x)   | x (i.e., the identity function)                       |
   +-----------+-------------------------------------------------------+
        
   +-----------+-------------------------------------------------------+
   | Parameter | Value                                                 |
   +-----------+-------------------------------------------------------+
   |     p     | p of edwards25519 in [RFC7748] (i.e., 2^255 - 19)     |
   |     b     | 256                                                   |
   |  encoding | 255-bit little-endian encoding of {0, 1, ..., p-1}    |
   |  of GF(p) |                                                       |
   |    H(x)   | SHA-512(dom2(phflag,context)||x) [RFC6234]            |
   |     c     | base 2 logarithm of cofactor of edwards25519 in       |
   |           | [RFC7748] (i.e., 3)                                   |
   |     n     | 254                                                   |
   |     d     | d of edwards25519 in [RFC7748] (i.e., -121665/121666  |
   |           | = 370957059346694393431380835087545651895421138798432 |
   |           | 19016388785533085940283555)                           |
   |     a     | -1                                                    |
   |     B     | (X(P),Y(P)) of edwards25519 in [RFC7748] (i.e., (1511 |
   |           | 22213495354007725011514095885315114540126930418572060 |
   |           | 46113283949847762202, 4631683569492647816942839400347 |
   |           | 5163141307993866256225615783033603165251855960))      |
   |     L     | order of edwards25519 in [RFC7748] (i.e.,             |
   |           | 2^252+27742317777372353535851937790883648493).        |
   |   PH(x)   | x (i.e., the identity function)                       |
   +-----------+-------------------------------------------------------+
        

Table 1: Parameters of Ed25519

表1:Ed25519的参数

For Ed25519, dom2(f,c) is the empty string. The phflag value is irrelevant. The context (if present at all) MUST be empty. This causes the scheme to be one and the same with the Ed25519 scheme published earlier.

对于Ed25519,dom2(f,c)是空字符串。phflag值是不相关的。上下文(如果存在)必须为空。这导致该方案与先前发布的Ed25519方案相同。

For Ed25519ctx, phflag=0. The context input SHOULD NOT be empty.

对于Ed25519ctx,phflag=0。上下文输入不应为空。

For Ed25519ph, phflag=1 and PH is SHA512 instead. That is, the input is hashed using SHA-512 before signing with Ed25519.

对于Ed25519ph,phflag=1,而PH为SHA512。也就是说,在使用Ed25519签名之前,使用SHA-512对输入进行哈希处理。

Value of context is set by the signer and verifier (maximum of 255 octets; the default is empty string, except for Ed25519, which can't have context) and has to match octet by octet for verification to be successful.

上下文的值由签名者和验证者设置(最多255个八位字节;默认值为空字符串,Ed25519除外,它不能有上下文),并且必须逐八位字节匹配才能成功验证。

The curve used is equivalent to Curve25519 [CURVE25519], under a change of coordinates, which means that the difficulty of the discrete logarithm problem is the same as for Curve25519.

在坐标变化的情况下,所使用的曲线相当于曲线25519[曲线25519],这意味着离散对数问题的难度与曲线25519相同。

5.1.1. Modular Arithmetic
5.1.1. 模运算

For advice on how to implement arithmetic modulo p = 2^255 - 19 efficiently and securely, see Curve25519 [CURVE25519]. For inversion modulo p, it is recommended to use the identity x^-1 = x^(p-2) (mod p). Inverting zero should never happen, as it would require invalid input, which would have been detected before, or would be a calculation error.

有关如何高效、安全地实现算术模p=2^255-19的建议,请参见Curve25519[Curve25519]。对于模p的反演,建议使用恒等式x^-1=x^(p-2)(mod p)。倒零不应该发生,因为它需要无效的输入,以前可能会检测到,或者是一个计算错误。

For point decoding or "decompression", square roots modulo p are needed. They can be computed using the Tonelli-Shanks algorithm or the special case for p = 5 (mod 8). To find a square root of a, first compute the candidate root x = a^((p+3)/8) (mod p). Then there are three cases:

对于点解码或“解压缩”,需要平方根模p。可以使用Tonelli-Shanks算法或p=5(mod 8)的特例计算它们。要求a的平方根,首先计算候选根x=a^((p+3)/8)(mod p)。然后有三种情况:

x^2 = a (mod p). Then x is a square root.

x^2=a(模数p)。那么x是平方根。

x^2 = -a (mod p). Then 2^((p-1)/4) * x is a square root.

x^2=-a(mod p)。那么2^((p-1)/4)*x是平方根。

a is not a square modulo p.

a不是p的平方模。

5.1.2. Encoding
5.1.2. 编码

All values are coded as octet strings, and integers are coded using little-endian convention, i.e., a 32-octet string h h[0],...h[31] represents the integer h[0] + 2^8 * h[1] + ... + 2^248 * h[31].

所有值都编码为八位字符串,而整数则使用小尾端约定进行编码,即32位八位字符串h[0],…h[31]表示整数h[0]+2^8*h[1]+…+2^248*h[31]。

A curve point (x,y), with coordinates in the range 0 <= x,y < p, is coded as follows. First, encode the y-coordinate as a little-endian string of 32 octets. The most significant bit of the final octet is always zero. To form the encoding of the point, copy the least significant bit of the x-coordinate to the most significant bit of the final octet.

坐标范围为0<=x,y<p的曲线点(x,y)编码如下。首先,将y坐标编码为32个八位字节的小端字符串。最后八位字节的最高有效位始终为零。要形成点的编码,请将x坐标的最低有效位复制到最后八位字节的最高有效位。

5.1.3. Decoding
5.1.3. 解码

Decoding a point, given as a 32-octet string, is a little more complicated.

解码一个以32个八位组字符串形式给出的点稍微复杂一些。

1. First, interpret the string as an integer in little-endian representation. Bit 255 of this number is the least significant bit of the x-coordinate and denote this value x_0. The y-coordinate is recovered simply by clearing this bit. If the resulting value is >= p, decoding fails.

1. 首先,将字符串解释为小端点表示法中的整数。该数字的第255位是x坐标的最低有效位,表示该值x_0。只需清除该位即可恢复y坐标。如果结果值>=p,则解码失败。

2. To recover the x-coordinate, the curve equation implies x^2 = (y^2 - 1) / (d y^2 + 1) (mod p). The denominator is always non-zero mod p. Let u = y^2 - 1 and v = d y^2 + 1. To compute the square root of (u/v), the first step is to compute the candidate root x = (u/v)^((p+3)/8). This can be done with the following trick, using a single modular powering for both the inversion of v and the square root:

2. 为了恢复x坐标,曲线方程暗示x^2=(y^2-1)/(dy^2+1)(mod p)。分母总是非零mod p。设u=y^2-1,v=dy^2+1。要计算(u/v)的平方根,第一步是计算候选根x=(u/v)^((p+3)/8)。这可以通过以下技巧来实现,使用单个模块供电来反转v和平方根:

                          (p+3)/8      3        (p-5)/8
                 x = (u/v)        = u v  (u v^7)         (mod p)
        
                          (p+3)/8      3        (p-5)/8
                 x = (u/v)        = u v  (u v^7)         (mod p)
        

3. Again, there are three cases:

3. 同样,有三种情况:

1. If v x^2 = u (mod p), x is a square root.

1. 如果vx^2=u(mod p),x是平方根。

2. If v x^2 = -u (mod p), set x <-- x * 2^((p-1)/4), which is a square root.

2. 如果vx^2=-u(mod p),则设置x<--x*2^((p-1)/4),这是一个平方根。

3. Otherwise, no square root exists for modulo p, and decoding fails.

3. 否则,模p不存在平方根,解码失败。

4. Finally, use the x_0 bit to select the right square root. If x = 0, and x_0 = 1, decoding fails. Otherwise, if x_0 != x mod 2, set x <-- p - x. Return the decoded point (x,y).

4. 最后,使用x_0位选择右平方根。如果x=0,且x_0=1,则解码失败。否则,如果x_0!=x模块2,设置x<--p-x。返回解码点(x,y)。

5.1.4. Point Addition
5.1.4. 点加法

For point addition, the following method is recommended. A point (x,y) is represented in extended homogeneous coordinates (X, Y, Z, T), with x = X/Z, y = Y/Z, x * y = T/Z.

对于点添加,建议采用以下方法。点(x,y)用扩展齐次坐标(x,y,Z,T)表示,x=x/Z,y=y/Z,x*y=T/Z。

The neutral point is (0,1), or equivalently in extended homogeneous coordinates (0, Z, Z, 0) for any non-zero Z.

中性点为(0,1),或者对于任何非零Z,中性点在扩展齐次坐标(0,Z,Z,0)中等效。

The following formulas for adding two points, (x3,y3) = (x1,y1)+(x2,y2), on twisted Edwards curves with a=-1, square a, and non-square d are described in Section 3.1 of [Edwards-revisited] and in [EFD-TWISTED-ADD]. They are complete, i.e., they work for any pair of valid input points.

[Edwards再访]第3.1节和[EFD-twisted-ADD]中描述了在a=-1、正方形a和非正方形d的扭曲Edwards曲线上添加两点(x3,y3)=(x1,y1)+(x2,y2)的以下公式。它们是完整的,也就是说,它们适用于任何一对有效的输入点。

                 A = (Y1-X1)*(Y2-X2)
                 B = (Y1+X1)*(Y2+X2)
                 C = T1*2*d*T2
                 D = Z1*2*Z2
                 E = B-A
                 F = D-C
                 G = D+C
                 H = B+A
                 X3 = E*F
                 Y3 = G*H
                 T3 = E*H
                 Z3 = F*G
        
                 A = (Y1-X1)*(Y2-X2)
                 B = (Y1+X1)*(Y2+X2)
                 C = T1*2*d*T2
                 D = Z1*2*Z2
                 E = B-A
                 F = D-C
                 G = D+C
                 H = B+A
                 X3 = E*F
                 Y3 = G*H
                 T3 = E*H
                 Z3 = F*G
        
   For point doubling, (x3,y3) = (x1,y1)+(x1,y1), one could just
   substitute equal points in the above (because of completeness, such
   substitution is valid) and observe that four multiplications turn
   into squares.  However, using the formulas described in Section 3.2
   of [Edwards-revisited] and in [EFD-TWISTED-DBL] saves a few smaller
   operations.
        
   For point doubling, (x3,y3) = (x1,y1)+(x1,y1), one could just
   substitute equal points in the above (because of completeness, such
   substitution is valid) and observe that four multiplications turn
   into squares.  However, using the formulas described in Section 3.2
   of [Edwards-revisited] and in [EFD-TWISTED-DBL] saves a few smaller
   operations.
        
                 A = X1^2
                 B = Y1^2
                 C = 2*Z1^2
                 H = A+B
                 E = H-(X1+Y1)^2
                 G = A-B
                 F = C+G
                 X3 = E*F
                 Y3 = G*H
                 T3 = E*H
                 Z3 = F*G
        
                 A = X1^2
                 B = Y1^2
                 C = 2*Z1^2
                 H = A+B
                 E = H-(X1+Y1)^2
                 G = A-B
                 F = C+G
                 X3 = E*F
                 Y3 = G*H
                 T3 = E*H
                 Z3 = F*G
        
5.1.5. Key Generation
5.1.5. 密钥生成

The private key is 32 octets (256 bits, corresponding to b) of cryptographically secure random data. See [RFC4086] for a discussion about randomness.

私钥是加密安全的随机数据的32个八位字节(256位,对应于b)。有关随机性的讨论,请参见[RFC4086]。

The 32-byte public key is generated by the following steps.

通过以下步骤生成32字节公钥。

1. Hash the 32-byte private key using SHA-512, storing the digest in a 64-octet large buffer, denoted h. Only the lower 32 bytes are used for generating the public key.

1. 使用SHA-512散列32字节私钥,将摘要存储在64个八位字节的大缓冲区中,表示为h。只有较低的32字节用于生成公钥。

2. Prune the buffer: The lowest three bits of the first octet are cleared, the highest bit of the last octet is cleared, and the second highest bit of the last octet is set.

2. 删除缓冲区:清除第一个八位字节的最低三位,清除最后一个八位字节的最高位,并设置最后一个八位字节的第二个最高位。

3. Interpret the buffer as the little-endian integer, forming a secret scalar s. Perform a fixed-base scalar multiplication [s]B.

3. 将缓冲区解释为小端整数,形成一个秘密标量s。执行固定基标量乘法[s]B。

4. The public key A is the encoding of the point [s]B. First, encode the y-coordinate (in the range 0 <= y < p) as a little-endian string of 32 octets. The most significant bit of the final octet is always zero. To form the encoding of the point [s]B, copy the least significant bit of the x coordinate to the most significant bit of the final octet. The result is the public key.

4. 公钥A是点[s]B的编码。首先,将y坐标(范围0<=y<p)编码为32个八位字节的小端字符串。最后八位字节的最高有效位始终为零。要形成点[s]B的编码,请将x坐标的最低有效位复制到最后八位字节的最高有效位。结果是公钥。

5.1.6. Sign
5.1.6. 签名

The inputs to the signing procedure is the private key, a 32-octet string, and a message M of arbitrary size. For Ed25519ctx and Ed25519ph, there is additionally a context C of at most 255 octets and a flag F, 0 for Ed25519ctx and 1 for Ed25519ph.

签名过程的输入是私钥、32个八位字节字符串和任意大小的消息M。对于Ed25519ctx和Ed25519ph,另外还有最多255个八位字节的上下文C和标志F,0表示Ed25519ctx,1表示Ed25519ph。

1. Hash the private key, 32 octets, using SHA-512. Let h denote the resulting digest. Construct the secret scalar s from the first half of the digest, and the corresponding public key A, as described in the previous section. Let prefix denote the second half of the hash digest, h[32],...,h[63].

1. 使用SHA-512散列私钥,32个八位字节。让h表示结果摘要。如前一节所述,从摘要的前半部分构造秘密标量s和相应的公钥A。让前缀表示哈希摘要的后半部分,h[32],…,h[63]。

2. Compute SHA-512(dom2(F, C) || prefix || PH(M)), where M is the message to be signed. Interpret the 64-octet digest as a little-endian integer r.

2. 计算SHA-512(dom2(F,C)|前缀| | PH(M)),其中M是要签名的消息。将64个八位字节摘要解释为一个小的endian整数r。

3. Compute the point [r]B. For efficiency, do this by first reducing r modulo L, the group order of B. Let the string R be the encoding of this point.

3. 计算点[r]B。为了提高效率,首先减少r模L,即B的组顺序。让字符串r为该点的编码。

4. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the 64-octet digest as a little-endian integer k.

4. 计算SHA512(dom2(F,C)| | R | A | | PH(M)),并将64个八位组摘要解释为一个小的端整数k。

5. Compute S = (r + k * s) mod L. For efficiency, again reduce k modulo L first.

5. 计算S=(r+k*S)模L。为了提高效率,再次先降低k模L。

6. Form the signature of the concatenation of R (32 octets) and the little-endian encoding of S (32 octets; the three most significant bits of the final octet are always zero).

6. 形成R(32个八位字节)和S(32个八位字节;最后八位字节的三个最高有效位始终为零)的小端编码的串联签名。

5.1.7. Verify
5.1.7. 验证

1. To verify a signature on a message M using public key A, with F being 0 for Ed25519ctx, 1 for Ed25519ph, and if Ed25519ctx or Ed25519ph is being used, C being the context, first split the signature into two 32-octet halves. Decode the first half as a point R, and the second half as an integer S, in the range 0 <= s < L. Decode the public key A as point A'. If any of the decodings fail (including S being out of range), the signature is invalid.

1. 要使用公钥a验证消息M上的签名,对于Ed25519ctx,F为0;对于Ed25519ph,F为1;如果正在使用Ed25519ctx或Ed25519ph,C为上下文,则首先将签名拆分为两个32八位字节的两半。将前半部分解码为点R,将后半部分解码为整数S,范围为0<=S<L。将公钥a解码为点a'。如果任何解码失败(包括S超出范围),则签名无效。

2. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the 64-octet digest as a little-endian integer k.

2. 计算SHA512(dom2(F,C)| | R | A | | PH(M)),并将64个八位组摘要解释为一个小的端整数k。

3. Check the group equation [8][S]B = [8]R + [8][k]A'. It's sufficient, but not required, to instead check [S]B = R + [k]A'.

3. 检查组方程[8][S]B=[8]R+[8][k]A'。检查[s]B=R+[k]A'就足够了,但不是必需的。

5.2. Ed448ph and Ed448
5.2. Ed448ph和Ed448

Ed448 is EdDSA instantiated with:

Ed448是EdDSA的一个实例:

   +-----------+-------------------------------------------------------+
   | Parameter | Value                                                 |
   +-----------+-------------------------------------------------------+
   |     p     | p of edwards448 in [RFC7748] (i.e., 2^448 - 2^224 -   |
   |           | 1)                                                    |
   |     b     | 456                                                   |
   |  encoding | 455-bit little-endian encoding of {0, 1, ..., p-1}    |
   |  of GF(p) |                                                       |
   |    H(x)   | SHAKE256(dom4(phflag,context)||x, 114)                |
   |   phflag  | 0                                                     |
   |     c     | base 2 logarithm of cofactor of edwards448 in         |
   |           | [RFC7748] (i.e., 2)                                   |
   |     n     | 447                                                   |
   |     d     | d of edwards448 in [RFC7748] (i.e., -39081)           |
   |     a     | 1                                                     |
   |     B     | (X(P),Y(P)) of edwards448 in [RFC7748] (i.e., (224580 |
   |           | 04029592430018760433409989603624678964163256413424612 |
   |           | 54616869504154674060329090291928693579532825780320751 |
   |           | 46446173674602635247710, 2988192100784814926760179304 |
   |           | 43930673437544040154080242095928241372331506189835876 |
   |           | 00353687865541878473398230323350346250053154506283266 |
   |           | 0))                                                   |
   |     L     | order of edwards448 in [RFC7748] (i.e., 2^446 - 13818 |
   |           | 06680989511535200738674851542688033669247488217860989 |
   |           | 4547503885).                                          |
   |   PH(x)   | x (i.e., the identity function)                       |
   +-----------+-------------------------------------------------------+
        
   +-----------+-------------------------------------------------------+
   | Parameter | Value                                                 |
   +-----------+-------------------------------------------------------+
   |     p     | p of edwards448 in [RFC7748] (i.e., 2^448 - 2^224 -   |
   |           | 1)                                                    |
   |     b     | 456                                                   |
   |  encoding | 455-bit little-endian encoding of {0, 1, ..., p-1}    |
   |  of GF(p) |                                                       |
   |    H(x)   | SHAKE256(dom4(phflag,context)||x, 114)                |
   |   phflag  | 0                                                     |
   |     c     | base 2 logarithm of cofactor of edwards448 in         |
   |           | [RFC7748] (i.e., 2)                                   |
   |     n     | 447                                                   |
   |     d     | d of edwards448 in [RFC7748] (i.e., -39081)           |
   |     a     | 1                                                     |
   |     B     | (X(P),Y(P)) of edwards448 in [RFC7748] (i.e., (224580 |
   |           | 04029592430018760433409989603624678964163256413424612 |
   |           | 54616869504154674060329090291928693579532825780320751 |
   |           | 46446173674602635247710, 2988192100784814926760179304 |
   |           | 43930673437544040154080242095928241372331506189835876 |
   |           | 00353687865541878473398230323350346250053154506283266 |
   |           | 0))                                                   |
   |     L     | order of edwards448 in [RFC7748] (i.e., 2^446 - 13818 |
   |           | 06680989511535200738674851542688033669247488217860989 |
   |           | 4547503885).                                          |
   |   PH(x)   | x (i.e., the identity function)                       |
   +-----------+-------------------------------------------------------+
        

Table 2: Parameters of Ed448

表2:Ed448的参数

Ed448ph is the same but with PH being SHAKE256(x, 64) and phflag being 1, i.e., the input is hashed before signing with Ed448 with a hash constant modified.

Ed448ph与之相同,但PH为SHAKE256(x,64),phflag为1,即在使用修改了哈希常数的Ed448签名之前对输入进行哈希处理。

Value of context is set by signer and verifier (maximum of 255 octets; the default is empty string) and has to match octet by octet for verification to be successful.

上下文的值由签名者和验证者设置(最多255个八位字节;默认值为空字符串),并且必须逐个八位字节进行匹配才能成功验证。

The curve is equivalent to Ed448-Goldilocks under change of the basepoint, which preserves difficulty of the discrete logarithm.

在改变基点的情况下,该曲线相当于Ed448 Goldilock,这保留了离散对数的难度。

5.2.1. Modular Arithmetic
5.2.1. 模运算

For advice on how to implement arithmetic modulo p = 2^448 - 2^224 - 1 efficiently and securely, see [ED448]. For inversion modulo p, it is recommended to use the identity x^-1 = x^(p-2) (mod p). Inverting zero should never happen, as it would require invalid input, which would have been detected before, or would be a calculation error.

有关如何高效、安全地实现算术模p=2^448-2^224-1的建议,请参阅[ED448]。对于模p的反演,建议使用恒等式x^-1=x^(p-2)(mod p)。倒零不应该发生,因为它需要无效的输入,以前可能会检测到,或者是一个计算错误。

For point decoding or "decompression", square roots modulo p are needed. They can be computed by first computing candidate root x = a ^ (p+1)/4 (mod p) and then checking if x^2 = a. If it is, then x is the square root of a; if it isn't, then a does not have a square root.

对于点解码或“解压缩”,需要平方根模p。可以通过首先计算候选根x=a^(p+1)/4(mod p),然后检查x^2=a来计算它们。如果是,那么x是a的平方根;如果不是,则a没有平方根。

5.2.2. Encoding
5.2.2. 编码

All values are coded as octet strings, and integers are coded using little-endian convention, i.e., a 57-octet string h h[0],...h[56] represents the integer h[0] + 2^8 * h[1] + ... + 2^448 * h[56].

所有值都编码为八位字符串,而整数则使用小尾端约定进行编码,即57位八位字符串h[0],…h[56]表示整数h[0]+2^8*h[1]+…+2^448*h[56]。

A curve point (x,y), with coordinates in the range 0 <= x,y < p, is coded as follows. First, encode the y-coordinate as a little-endian string of 57 octets. The final octet is always zero. To form the encoding of the point, copy the least significant bit of the x-coordinate to the most significant bit of the final octet.

坐标范围为0<=x,y<p的曲线点(x,y)编码如下。首先,将y坐标编码为57个八位字节的小端字符串。最后一个八位组总是零。要形成点的编码,请将x坐标的最低有效位复制到最后八位字节的最高有效位。

5.2.3. Decoding
5.2.3. 解码

Decoding a point, given as a 57-octet string, is a little more complicated.

解码一个以57个八位字节字符串形式给出的点稍微复杂一些。

1. First, interpret the string as an integer in little-endian representation. Bit 455 of this number is the least significant bit of the x-coordinate, and denote this value x_0. The y-coordinate is recovered simply by clearing this bit. If the resulting value is >= p, decoding fails.

1. 首先,将字符串解释为小端点表示法中的整数。该数字的第455位是x坐标的最低有效位,表示该值x_0。只需清除该位即可恢复y坐标。如果结果值>=p,则解码失败。

2. To recover the x-coordinate, the curve equation implies x^2 = (y^2 - 1) / (d y^2 - 1) (mod p). The denominator is always non-zero mod p. Let u = y^2 - 1 and v = d y^2 - 1. To compute the square root of (u/v), the first step is to compute the candidate root x = (u/v)^((p+1)/4). This can be done using the following trick, to use a single modular powering for both the inversion of v and the square root:

2. 为了恢复x坐标,曲线方程暗示x^2=(y^2-1)/(dy^2-1)(mod p)。分母总是非零mod p。设u=y^2-1,v=dy^2-1。要计算(u/v)的平方根,第一步是计算候选根x=(u/v)^((p+1)/4)。这可以使用以下技巧完成,即使用单个模块供电进行v和平方根的反转:

                          (p+1)/4    3            (p-3)/4
                 x = (u/v)        = u  v (u^5 v^3)         (mod p)
        
                          (p+1)/4    3            (p-3)/4
                 x = (u/v)        = u  v (u^5 v^3)         (mod p)
        

3. If v * x^2 = u, the recovered x-coordinate is x. Otherwise, no square root exists, and the decoding fails.

3. 如果v*x^2=u,则恢复的x坐标为x。否则,不存在平方根,解码失败。

4. Finally, use the x_0 bit to select the right square root. If x = 0, and x_0 = 1, decoding fails. Otherwise, if x_0 != x mod 2, set x <-- p - x. Return the decoded point (x,y).

4. 最后,使用x_0位选择右平方根。如果x=0,且x_0=1,则解码失败。否则,如果x_0!=x模块2,设置x<--p-x。返回解码点(x,y)。

5.2.4. Point Addition
5.2.4. 点加法

For point addition, the following method is recommended. A point (x,y) is represented in projective coordinates (X, Y, Z), with x = X/Z, y = Y/Z.

对于点添加,建议采用以下方法。点(x,y)用射影坐标(x,y,Z)表示,x=x/Z,y=y/Z。

The neutral point is (0,1), or equivalently in projective coordinates (0, Z, Z) for any non-zero Z.

中性点为(0,1),或对于任何非零Z,在投影坐标(0,Z,Z)中等效。

The following formulas for adding two points, (x3,y3) = (x1,y1)+(x2,y2) on untwisted Edwards curve (i.e., a=1) with non-square d, are described in Section 4 of [Faster-ECC] and in [EFD-ADD]. They are complete, i.e., they work for any pair of valid input points.

[Faster ECC]第4节和[EFD-ADD]中描述了在非平方d的无扭曲爱德华兹曲线(即a=1)上添加两点(x3,y3)=(x1,y1)+(x2,y2)的以下公式。它们是完整的,也就是说,它们适用于任何一对有效的输入点。

                 A = Z1*Z2
                 B = A^2
                 C = X1*X2
                 D = Y1*Y2
                 E = d*C*D
                 F = B-E
                 G = B+E
                 H = (X1+Y1)*(X2+Y2)
                 X3 = A*F*(H-C-D)
                 Y3 = A*G*(D-C)
                 Z3 = F*G
        
                 A = Z1*Z2
                 B = A^2
                 C = X1*X2
                 D = Y1*Y2
                 E = d*C*D
                 F = B-E
                 G = B+E
                 H = (X1+Y1)*(X2+Y2)
                 X3 = A*F*(H-C-D)
                 Y3 = A*G*(D-C)
                 Z3 = F*G
        

Again, similar to the other curve, doubling formulas can be obtained by substituting equal points, turning four multiplications into squares. However, this is not even nearly optimal; the following formulas described in Section 4 of [Faster-ECC] and in [EFD-DBL] save multiple multiplications.

同样,与另一条曲线类似,通过替换相等的点,将四次乘法转换为正方形,可以得到倍增公式。然而,这甚至不是最理想的;[Faster ECC]第4节和[EFD-DBL]中描述的以下公式可保存多次乘法。

                 B = (X1+Y1)^2
                 C = X1^2
                 D = Y1^2
                 E = C+D
                 H = Z1^2
                 J = E-2*H
                 X3 = (B-E)*J
                 Y3 = E*(C-D)
                 Z3 = E*J
        
                 B = (X1+Y1)^2
                 C = X1^2
                 D = Y1^2
                 E = C+D
                 H = Z1^2
                 J = E-2*H
                 X3 = (B-E)*J
                 Y3 = E*(C-D)
                 Z3 = E*J
        
5.2.5. Key Generation
5.2.5. 密钥生成

The private key is 57 octets (456 bits, corresponding to b) of cryptographically secure random data. See [RFC4086] for a discussion about randomness.

私钥是加密安全的随机数据的57个八位字节(456位,对应于b)。有关随机性的讨论,请参见[RFC4086]。

The 57-byte public key is generated by the following steps:

通过以下步骤生成57字节的公钥:

1. Hash the 57-byte private key using SHAKE256(x, 114), storing the digest in a 114-octet large buffer, denoted h. Only the lower 57 bytes are used for generating the public key.

1. 使用SHAKE256(x,114)散列57字节的私钥,将摘要存储在114个八位字节的大缓冲区中,表示为h。只有较低的57字节用于生成公钥。

2. Prune the buffer: The two least significant bits of the first octet are cleared, all eight bits the last octet are cleared, and the highest bit of the second to last octet is set.

2. 删减缓冲区:清除第一个八位字节的两个最低有效位,清除最后一个八位字节的所有八位,并设置第二个到最后一个八位字节的最高位。

3. Interpret the buffer as the little-endian integer, forming a secret scalar s. Perform a known-base-point scalar multiplication [s]B.

3. 将缓冲区解释为小端整数,形成一个秘密标量s。执行已知的基点标量乘法[s]B。

4. The public key A is the encoding of the point [s]B. First encode the y-coordinate (in the range 0 <= y < p) as a little-endian string of 57 octets. The most significant bit of the final octet is always zero. To form the encoding of the point [s]B, copy the least significant bit of the x coordinate to the most significant bit of the final octet. The result is the public key.

4. 公钥A是点[s]B的编码。首先将y坐标(范围0<=y<p)编码为57个八位字节的小端字符串。最后八位字节的最高有效位始终为零。要形成点[s]B的编码,请将x坐标的最低有效位复制到最后八位字节的最高有效位。结果是公钥。

5.2.6. Sign
5.2.6. 签名

The inputs to the signing procedure is the private key, a 57-octet string, a flag F, which is 0 for Ed448, 1 for Ed448ph, context C of at most 255 octets, and a message M of arbitrary size.

签名过程的输入为私钥、57个八位字节字符串、标志F(对于Ed448为0)、1(对于Ed448ph)、最多255个八位字节的上下文C以及任意大小的消息M。

1. Hash the private key, 57 octets, using SHAKE256(x, 114). Let h denote the resulting digest. Construct the secret scalar s from the first half of the digest, and the corresponding public key A, as described in the previous section. Let prefix denote the second half of the hash digest, h[57],...,h[113].

1. 使用SHAKE256(x,114)散列私钥57个八位字节。让h表示结果摘要。如前一节所述,从摘要的前半部分构造秘密标量s和相应的公钥A。让前缀表示哈希摘要的后半部分,h[57],…,h[113]。

2. Compute SHAKE256(dom4(F, C) || prefix || PH(M), 114), where M is the message to be signed, F is 1 for Ed448ph, 0 for Ed448, and C is the context to use. Interpret the 114-octet digest as a little-endian integer r.

2. 计算SHAKE256(dom4(F,C)|前缀| PH(M),114),其中M是要签名的消息,F是1表示Ed448ph,0表示Ed448,C是要使用的上下文。将114个八位字节摘要解释为一个小的endian整数r。

3. Compute the point [r]B. For efficiency, do this by first reducing r modulo L, the group order of B. Let the string R be the encoding of this point.

3. 计算点[r]B。为了提高效率,首先减少r模L,即B的组顺序。让字符串r为该点的编码。

4. Compute SHAKE256(dom4(F, C) || R || A || PH(M), 114), and interpret the 114-octet digest as a little-endian integer k.

4. 计算SHAKE256(dom4(F,C)| | R | | A | | PH(M),114),并将114个八位组摘要解释为一个小的endian整数k。

5. Compute S = (r + k * s) mod L. For efficiency, again reduce k modulo L first.

5. 计算S=(r+k*S)模L。为了提高效率,再次先降低k模L。

6. Form the signature of the concatenation of R (57 octets) and the little-endian encoding of S (57 octets; the ten most significant bits of the final octets are always zero).

6. 形成R(57个八位字节)和S(57个八位字节;最后八位字节的十个最高有效位始终为零)的级联签名。

5.2.7. Verify
5.2.7. 验证

1. To verify a signature on a message M using context C and public key A, with F being 0 for Ed448 and 1 for Ed448ph, first split the signature into two 57-octet halves. Decode the first half as a point R, and the second half as an integer S, in the range 0 <= s < L. Decode the public key A as point A'. If any of the decodings fail (including S being out of range), the signature is invalid.

1. 要使用上下文C和公钥a验证消息M上的签名,对于Ed448,F为0,对于Ed448ph,F为1,首先将签名拆分为两个57个八位组的两半。将前半部分解码为点R,将后半部分解码为整数S,范围为0<=S<L。将公钥a解码为点a'。如果任何解码失败(包括S超出范围),则签名无效。

2. Compute SHAKE256(dom4(F, C) || R || A || PH(M), 114), and interpret the 114-octet digest as a little-endian integer k.

2. 计算SHAKE256(dom4(F,C)| | R | | A | | PH(M),114),并将114个八位组摘要解释为一个小的endian整数k。

3. Check the group equation [4][S]B = [4]R + [4][k]A'. It's sufficient, but not required, to instead check [S]B = R + [k]A'.

3. 检查组方程[4][S]B=[4]R+[4][k]A'。检查[s]B=R+[k]A'就足够了,但不是必需的。

6. Ed25519 Python Illustration
6. Ed25519 Python插图

The rest of this section describes how Ed25519 can be implemented in Python (version 3.2 or later) for illustration. See Appendix A for the complete implementation and Appendix B for a test-driver to run it through some test vectors.

本节其余部分将介绍如何在Python(3.2版或更高版本)中实现Ed25519,以供说明。完整的实现见附录A,通过一些测试向量运行测试驱动程序见附录B。

Note that this code is not intended for production as it is not proven to be correct for all inputs, nor does it protect against side-channel attacks. The purpose is to illustrate the algorithm to help implementers with their own implementation.

请注意,此代码不适用于生产,因为它不能证明对所有输入都正确,也不能防止侧通道攻击。目的是说明该算法,以帮助实现者自己实现。

## First, some preliminaries that will be needed.

##首先,需要做一些准备工作。

import hashlib

导入hashlib

def sha512(s):
    return hashlib.sha512(s).digest()
        
def sha512(s):
    return hashlib.sha512(s).digest()
        
# Base field Z_p
p = 2**255 - 19
        
# Base field Z_p
p = 2**255 - 19
        

def modp_inv(x): return pow(x, p-2, p)

def modp_inv(x):返回功率(x,p-2,p)

# Curve constant
d = -121665 * modp_inv(121666) % p
        
# Curve constant
d = -121665 * modp_inv(121666) % p
        
# Group order
q = 2**252 + 27742317777372353535851937790883648493
        
# Group order
q = 2**252 + 27742317777372353535851937790883648493
        
def sha512_modq(s):
    return int.from_bytes(sha512(s), "little") % q
        
def sha512_modq(s):
    return int.from_bytes(sha512(s), "little") % q
        

## Then follows functions to perform point operations.

##然后按照函数执行点操作。

# Points are represented as tuples (X, Y, Z, T) of extended
# coordinates, with x = X/Z, y = Y/Z, x*y = T/Z
        
# Points are represented as tuples (X, Y, Z, T) of extended
# coordinates, with x = X/Z, y = Y/Z, x*y = T/Z
        
def point_add(P, Q):
    A, B = (P[1]-P[0]) * (Q[1]-Q[0]) % p, (P[1]+P[0]) * (Q[1]+Q[0]) % p;
    C, D = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p;
    E, F, G, H = B-A, D-C, D+C, B+A;
    return (E*F, G*H, F*G, E*H);
        
def point_add(P, Q):
    A, B = (P[1]-P[0]) * (Q[1]-Q[0]) % p, (P[1]+P[0]) * (Q[1]+Q[0]) % p;
    C, D = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p;
    E, F, G, H = B-A, D-C, D+C, B+A;
    return (E*F, G*H, F*G, E*H);
        
# Computes Q = s * Q
def point_mul(s, P):
    Q = (0, 1, 1, 0)  # Neutral element
    while s > 0:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q
        
# Computes Q = s * Q
def point_mul(s, P):
    Q = (0, 1, 1, 0)  # Neutral element
    while s > 0:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q
        
def point_equal(P, Q):
    # x1 / z1 == x2 / z2  <==>  x1 * z2 == x2 * z1
    if (P[0] * Q[2] - Q[0] * P[2]) % p != 0:
        return False
    if (P[1] * Q[2] - Q[1] * P[2]) % p != 0:
        return False
    return True
        
def point_equal(P, Q):
    # x1 / z1 == x2 / z2  <==>  x1 * z2 == x2 * z1
    if (P[0] * Q[2] - Q[0] * P[2]) % p != 0:
        return False
    if (P[1] * Q[2] - Q[1] * P[2]) % p != 0:
        return False
    return True
        

## Now follows functions for point compression.

##下面介绍点压缩的函数。

# Square root of -1
modp_sqrt_m1 = pow(2, (p-1) // 4, p)
        
# Square root of -1
modp_sqrt_m1 = pow(2, (p-1) // 4, p)
        
# Compute corresponding x-coordinate, with low bit corresponding to
# sign, or return None on failure
def recover_x(y, sign):
    if y >= p:
        return None
    x2 = (y*y-1) * modp_inv(d*y*y+1)
    if x2 == 0:
        if sign:
            return None
        else:
            return 0
        
# Compute corresponding x-coordinate, with low bit corresponding to
# sign, or return None on failure
def recover_x(y, sign):
    if y >= p:
        return None
    x2 = (y*y-1) * modp_inv(d*y*y+1)
    if x2 == 0:
        if sign:
            return None
        else:
            return 0
        
    # Compute square root of x2
    x = pow(x2, (p+3) // 8, p)
    if (x*x - x2) % p != 0:
        x = x * modp_sqrt_m1 % p
    if (x*x - x2) % p != 0:
        return None
        
    # Compute square root of x2
    x = pow(x2, (p+3) // 8, p)
    if (x*x - x2) % p != 0:
        x = x * modp_sqrt_m1 % p
    if (x*x - x2) % p != 0:
        return None
        
    if (x & 1) != sign:
        x = p - x
    return x
        
    if (x & 1) != sign:
        x = p - x
    return x
        
# Base point
g_y = 4 * modp_inv(5) % p
g_x = recover_x(g_y, 0)
G = (g_x, g_y, 1, g_x * g_y % p)
        
# Base point
g_y = 4 * modp_inv(5) % p
g_x = recover_x(g_y, 0)
G = (g_x, g_y, 1, g_x * g_y % p)
        
def point_compress(P):
    zinv = modp_inv(P[2])
    x = P[0] * zinv % p
    y = P[1] * zinv % p
    return int.to_bytes(y | ((x & 1) << 255), 32, "little")
        
def point_compress(P):
    zinv = modp_inv(P[2])
    x = P[0] * zinv % p
    y = P[1] * zinv % p
    return int.to_bytes(y | ((x & 1) << 255), 32, "little")
        
def point_decompress(s):
    if len(s) != 32:
        raise Exception("Invalid input length for decompression")
    y = int.from_bytes(s, "little")
    sign = y >> 255
    y &= (1 << 255) - 1
        
def point_decompress(s):
    if len(s) != 32:
        raise Exception("Invalid input length for decompression")
    y = int.from_bytes(s, "little")
    sign = y >> 255
    y &= (1 << 255) - 1
        

x = recover_x(y, sign) if x is None: return None else: return (x, y, 1, x*y % p)

x=如果x为无,则恢复x(y,符号):返回其他:返回(x,y,1,x*y%p)

## These are functions for manipulating the private key.

##这些函数用于操作私钥。

def secret_expand(secret):
    if len(secret) != 32:
        raise Exception("Bad size of private key")
    h = sha512(secret)
    a = int.from_bytes(h[:32], "little")
    a &= (1 << 254) - 8
    a |= (1 << 254)
    return (a, h[32:])
        
def secret_expand(secret):
    if len(secret) != 32:
        raise Exception("Bad size of private key")
    h = sha512(secret)
    a = int.from_bytes(h[:32], "little")
    a &= (1 << 254) - 8
    a |= (1 << 254)
    return (a, h[32:])
        
def secret_to_public(secret):
    (a, dummy) = secret_expand(secret)
    return point_compress(point_mul(a, G))
        
def secret_to_public(secret):
    (a, dummy) = secret_expand(secret)
    return point_compress(point_mul(a, G))
        

## The signature function works as below.

##签名功能的工作原理如下。

def sign(secret, msg):
    a, prefix = secret_expand(secret)
    A = point_compress(point_mul(a, G))
    r = sha512_modq(prefix + msg)
    R = point_mul(r, G)
    Rs = point_compress(R)
    h = sha512_modq(Rs + A + msg)
    s = (r + h * a) % q
    return Rs + int.to_bytes(s, 32, "little")
        
def sign(secret, msg):
    a, prefix = secret_expand(secret)
    A = point_compress(point_mul(a, G))
    r = sha512_modq(prefix + msg)
    R = point_mul(r, G)
    Rs = point_compress(R)
    h = sha512_modq(Rs + A + msg)
    s = (r + h * a) % q
    return Rs + int.to_bytes(s, 32, "little")
        

## And finally the verification function.

##最后是验证功能。

def verify(public, msg, signature):
    if len(public) != 32:
        raise Exception("Bad public key length")
    if len(signature) != 64:
        Exception("Bad signature length")
    A = point_decompress(public)
    if not A:
        return False
    Rs = signature[:32]
    R = point_decompress(Rs)
    if not R:
        return False
    s = int.from_bytes(signature[32:], "little")
    if s >= q: return False
    h = sha512_modq(Rs + public + msg)
    sB = point_mul(s, G)
    hA = point_mul(h, A)
    return point_equal(sB, point_add(R, hA))
        
def verify(public, msg, signature):
    if len(public) != 32:
        raise Exception("Bad public key length")
    if len(signature) != 64:
        Exception("Bad signature length")
    A = point_decompress(public)
    if not A:
        return False
    Rs = signature[:32]
    R = point_decompress(Rs)
    if not R:
        return False
    s = int.from_bytes(signature[32:], "little")
    if s >= q: return False
    h = sha512_modq(Rs + public + msg)
    sB = point_mul(s, G)
    hA = point_mul(h, A)
    return point_equal(sB, point_add(R, hA))
        
7. Test Vectors
7. 测试向量

This section contains test vectors for Ed25519ph, Ed25519ctx, Ed448ph, Ed25519, and Ed448.

本节包含Ed25519ph、Ed25519ctx、Ed448ph、Ed25519和Ed448的测试向量。

Each section contains a sequence of test vectors. The octets are hex encoded, and whitespace is inserted for readability. Ed25519, Ed25519ctx, and Ed25519ph private and public keys are 32 octets; signatures are 64 octets. Ed448 and Ed448ph private and public keys are 57 octets; signatures are 114 octets. Messages are of arbitrary length. If the context is non-empty, it is given as 1-255 octets.

每个部分包含一系列测试向量。八位字节是十六进制编码的,为了可读性插入了空格。Ed25519、Ed25519ctx和Ed25519ph私钥和公钥为32个八位字节;签名是64个八位字节。Ed448和Ed448ph私钥和公钥为57个八位字节;签名是114个八位字节。消息的长度是任意的。如果上下文为非空,则表示为1-255个八位字节。

7.1. Test Vectors for Ed25519
7.1. Ed25519的测试向量

These test vectors are taken from [ED25519-TEST-VECTORS] (but we removed the public key as a suffix of the private key and removed the message from the signature) and [ED25519-LIBGCRYPT-TEST-VECTORS].

这些测试向量取自[ED25519-test-vectors](但我们删除了作为私钥后缀的公钥,并从签名中删除了消息)和[ED25519-LIBGCRYPT-test-vectors]。

   -----TEST 1
        
   -----TEST 1
        

ALGORITHM: Ed25519

算法:Ed25519

   SECRET KEY:
   9d61b19deffd5a60ba844af492ec2cc4
   4449c5697b326919703bac031cae7f60
        
   SECRET KEY:
   9d61b19deffd5a60ba844af492ec2cc4
   4449c5697b326919703bac031cae7f60
        
   PUBLIC KEY:
   d75a980182b10ab7d54bfed3c964073a
   0ee172f3daa62325af021a68f707511a
        
   PUBLIC KEY:
   d75a980182b10ab7d54bfed3c964073a
   0ee172f3daa62325af021a68f707511a
        

MESSAGE (length 0 bytes):

消息(长度为0字节):

   SIGNATURE:
   e5564300c360ac729086e2cc806e828a
   84877f1eb8e5d974d873e06522490155
   5fb8821590a33bacc61e39701cf9b46b
   d25bf5f0595bbe24655141438e7a100b
        
   SIGNATURE:
   e5564300c360ac729086e2cc806e828a
   84877f1eb8e5d974d873e06522490155
   5fb8821590a33bacc61e39701cf9b46b
   d25bf5f0595bbe24655141438e7a100b
        
   -----TEST 2
        
   -----TEST 2
        

ALGORITHM: Ed25519

算法:Ed25519

   SECRET KEY:
   4ccd089b28ff96da9db6c346ec114e0f
   5b8a319f35aba624da8cf6ed4fb8a6fb
        
   SECRET KEY:
   4ccd089b28ff96da9db6c346ec114e0f
   5b8a319f35aba624da8cf6ed4fb8a6fb
        
   PUBLIC KEY:
   3d4017c3e843895a92b70aa74d1b7ebc
   9c982ccf2ec4968cc0cd55f12af4660c
        
   PUBLIC KEY:
   3d4017c3e843895a92b70aa74d1b7ebc
   9c982ccf2ec4968cc0cd55f12af4660c
        

MESSAGE (length 1 byte): 72

消息(长度1字节):72

   SIGNATURE:
   92a009a9f0d4cab8720e820b5f642540
   a2b27b5416503f8fb3762223ebdb69da
   085ac1e43e15996e458f3613d0f11d8c
   387b2eaeb4302aeeb00d291612bb0c00
        
   SIGNATURE:
   92a009a9f0d4cab8720e820b5f642540
   a2b27b5416503f8fb3762223ebdb69da
   085ac1e43e15996e458f3613d0f11d8c
   387b2eaeb4302aeeb00d291612bb0c00
        
   -----TEST 3
        
   -----TEST 3
        

ALGORITHM: Ed25519

算法:Ed25519

   SECRET KEY:
   c5aa8df43f9f837bedb7442f31dcb7b1
   66d38535076f094b85ce3a2e0b4458f7
        
   SECRET KEY:
   c5aa8df43f9f837bedb7442f31dcb7b1
   66d38535076f094b85ce3a2e0b4458f7
        
   PUBLIC KEY:
   fc51cd8e6218a1a38da47ed00230f058
   0816ed13ba3303ac5deb911548908025
        
   PUBLIC KEY:
   fc51cd8e6218a1a38da47ed00230f058
   0816ed13ba3303ac5deb911548908025
        

MESSAGE (length 2 bytes): af82

消息(长度为2字节):af82

   SIGNATURE:
   6291d657deec24024827e69c3abe01a3
   0ce548a284743a445e3680d7db5ac3ac
   18ff9b538d16f290ae67f760984dc659
   4a7c15e9716ed28dc027beceea1ec40a
        
   SIGNATURE:
   6291d657deec24024827e69c3abe01a3
   0ce548a284743a445e3680d7db5ac3ac
   18ff9b538d16f290ae67f760984dc659
   4a7c15e9716ed28dc027beceea1ec40a
        
   -----TEST 1024
        
   -----TEST 1024
        

ALGORITHM: Ed25519

算法:Ed25519

   SECRET KEY:
   f5e5767cf153319517630f226876b86c
   8160cc583bc013744c6bf255f5cc0ee5
        
   SECRET KEY:
   f5e5767cf153319517630f226876b86c
   8160cc583bc013744c6bf255f5cc0ee5
        
   PUBLIC KEY:
   278117fc144c72340f67d0f2316e8386
   ceffbf2b2428c9c51fef7c597f1d426e
        
   PUBLIC KEY:
   278117fc144c72340f67d0f2316e8386
   ceffbf2b2428c9c51fef7c597f1d426e
        
   MESSAGE (length 1023 bytes):
   08b8b2b733424243760fe426a4b54908
   632110a66c2f6591eabd3345e3e4eb98
   fa6e264bf09efe12ee50f8f54e9f77b1
   e355f6c50544e23fb1433ddf73be84d8
   79de7c0046dc4996d9e773f4bc9efe57
   38829adb26c81b37c93a1b270b20329d
   658675fc6ea534e0810a4432826bf58c
   941efb65d57a338bbd2e26640f89ffbc
   1a858efcb8550ee3a5e1998bd177e93a
   7363c344fe6b199ee5d02e82d522c4fe
   ba15452f80288a821a579116ec6dad2b
   3b310da903401aa62100ab5d1a36553e
        
   MESSAGE (length 1023 bytes):
   08b8b2b733424243760fe426a4b54908
   632110a66c2f6591eabd3345e3e4eb98
   fa6e264bf09efe12ee50f8f54e9f77b1
   e355f6c50544e23fb1433ddf73be84d8
   79de7c0046dc4996d9e773f4bc9efe57
   38829adb26c81b37c93a1b270b20329d
   658675fc6ea534e0810a4432826bf58c
   941efb65d57a338bbd2e26640f89ffbc
   1a858efcb8550ee3a5e1998bd177e93a
   7363c344fe6b199ee5d02e82d522c4fe
   ba15452f80288a821a579116ec6dad2b
   3b310da903401aa62100ab5d1a36553e
        
   06203b33890cc9b832f79ef80560ccb9
   a39ce767967ed628c6ad573cb116dbef
   efd75499da96bd68a8a97b928a8bbc10
   3b6621fcde2beca1231d206be6cd9ec7
   aff6f6c94fcd7204ed3455c68c83f4a4
   1da4af2b74ef5c53f1d8ac70bdcb7ed1
   85ce81bd84359d44254d95629e9855a9
   4a7c1958d1f8ada5d0532ed8a5aa3fb2
   d17ba70eb6248e594e1a2297acbbb39d
   502f1a8c6eb6f1ce22b3de1a1f40cc24
   554119a831a9aad6079cad88425de6bd
   e1a9187ebb6092cf67bf2b13fd65f270
   88d78b7e883c8759d2c4f5c65adb7553
   878ad575f9fad878e80a0c9ba63bcbcc
   2732e69485bbc9c90bfbd62481d9089b
   eccf80cfe2df16a2cf65bd92dd597b07
   07e0917af48bbb75fed413d238f5555a
   7a569d80c3414a8d0859dc65a46128ba
   b27af87a71314f318c782b23ebfe808b
   82b0ce26401d2e22f04d83d1255dc51a
   ddd3b75a2b1ae0784504df543af8969b
   e3ea7082ff7fc9888c144da2af58429e
   c96031dbcad3dad9af0dcbaaaf268cb8
   fcffead94f3c7ca495e056a9b47acdb7
   51fb73e666c6c655ade8297297d07ad1
   ba5e43f1bca32301651339e22904cc8c
   42f58c30c04aafdb038dda0847dd988d
   cda6f3bfd15c4b4c4525004aa06eeff8
   ca61783aacec57fb3d1f92b0fe2fd1a8
   5f6724517b65e614ad6808d6f6ee34df
   f7310fdc82aebfd904b01e1dc54b2927
   094b2db68d6f903b68401adebf5a7e08
   d78ff4ef5d63653a65040cf9bfd4aca7
   984a74d37145986780fc0b16ac451649
   de6188a7dbdf191f64b5fc5e2ab47b57
   f7f7276cd419c17a3ca8e1b939ae49e4
   88acba6b965610b5480109c8b17b80e1
   b7b750dfc7598d5d5011fd2dcc5600a3
   2ef5b52a1ecc820e308aa342721aac09
   43bf6686b64b2579376504ccc493d97e
   6aed3fb0f9cd71a43dd497f01f17c0e2
   cb3797aa2a2f256656168e6c496afc5f
   b93246f6b1116398a346f1a641f3b041
   e989f7914f90cc2c7fff357876e506b5
   0d334ba77c225bc307ba537152f3f161
   0e4eafe595f6d9d90d11faa933a15ef1
   369546868a7f3a45a96768d40fd9d034
   12c091c6315cf4fde7cb68606937380d
        
   06203b33890cc9b832f79ef80560ccb9
   a39ce767967ed628c6ad573cb116dbef
   efd75499da96bd68a8a97b928a8bbc10
   3b6621fcde2beca1231d206be6cd9ec7
   aff6f6c94fcd7204ed3455c68c83f4a4
   1da4af2b74ef5c53f1d8ac70bdcb7ed1
   85ce81bd84359d44254d95629e9855a9
   4a7c1958d1f8ada5d0532ed8a5aa3fb2
   d17ba70eb6248e594e1a2297acbbb39d
   502f1a8c6eb6f1ce22b3de1a1f40cc24
   554119a831a9aad6079cad88425de6bd
   e1a9187ebb6092cf67bf2b13fd65f270
   88d78b7e883c8759d2c4f5c65adb7553
   878ad575f9fad878e80a0c9ba63bcbcc
   2732e69485bbc9c90bfbd62481d9089b
   eccf80cfe2df16a2cf65bd92dd597b07
   07e0917af48bbb75fed413d238f5555a
   7a569d80c3414a8d0859dc65a46128ba
   b27af87a71314f318c782b23ebfe808b
   82b0ce26401d2e22f04d83d1255dc51a
   ddd3b75a2b1ae0784504df543af8969b
   e3ea7082ff7fc9888c144da2af58429e
   c96031dbcad3dad9af0dcbaaaf268cb8
   fcffead94f3c7ca495e056a9b47acdb7
   51fb73e666c6c655ade8297297d07ad1
   ba5e43f1bca32301651339e22904cc8c
   42f58c30c04aafdb038dda0847dd988d
   cda6f3bfd15c4b4c4525004aa06eeff8
   ca61783aacec57fb3d1f92b0fe2fd1a8
   5f6724517b65e614ad6808d6f6ee34df
   f7310fdc82aebfd904b01e1dc54b2927
   094b2db68d6f903b68401adebf5a7e08
   d78ff4ef5d63653a65040cf9bfd4aca7
   984a74d37145986780fc0b16ac451649
   de6188a7dbdf191f64b5fc5e2ab47b57
   f7f7276cd419c17a3ca8e1b939ae49e4
   88acba6b965610b5480109c8b17b80e1
   b7b750dfc7598d5d5011fd2dcc5600a3
   2ef5b52a1ecc820e308aa342721aac09
   43bf6686b64b2579376504ccc493d97e
   6aed3fb0f9cd71a43dd497f01f17c0e2
   cb3797aa2a2f256656168e6c496afc5f
   b93246f6b1116398a346f1a641f3b041
   e989f7914f90cc2c7fff357876e506b5
   0d334ba77c225bc307ba537152f3f161
   0e4eafe595f6d9d90d11faa933a15ef1
   369546868a7f3a45a96768d40fd9d034
   12c091c6315cf4fde7cb68606937380d
        

b2eaaa707b4c4185c32eddcdd306705e 4dc1ffc872eeee475a64dfac86aba41c 0618983f8741c5ef68d3a101e8a3b8ca c60c905c15fc910840b94c00a0b9d0

b2eaaa707b4c4185c32eddcdd306705e 4DC1FFC872EEE475A64DFAC86ABA41C 0618983f8741c5ef68d3a101e8a3b8ca c60c905c15fc910840b94c00a0b9d0

   SIGNATURE:
   0aab4c900501b3e24d7cdf4663326a3a
   87df5e4843b2cbdb67cbf6e460fec350
   aa5371b1508f9f4528ecea23c436d94b
   5e8fcd4f681e30a6ac00a9704a188a03
        
   SIGNATURE:
   0aab4c900501b3e24d7cdf4663326a3a
   87df5e4843b2cbdb67cbf6e460fec350
   aa5371b1508f9f4528ecea23c436d94b
   5e8fcd4f681e30a6ac00a9704a188a03
        
   -----TEST SHA(abc)
        
   -----TEST SHA(abc)
        

ALGORITHM: Ed25519

算法:Ed25519

   SECRET KEY:
   833fe62409237b9d62ec77587520911e
   9a759cec1d19755b7da901b96dca3d42
        
   SECRET KEY:
   833fe62409237b9d62ec77587520911e
   9a759cec1d19755b7da901b96dca3d42
        
   PUBLIC KEY:
   ec172b93ad5e563bf4932c70e1245034
   c35467ef2efd4d64ebf819683467e2bf
        
   PUBLIC KEY:
   ec172b93ad5e563bf4932c70e1245034
   c35467ef2efd4d64ebf819683467e2bf
        
   MESSAGE (length 64 bytes):
   ddaf35a193617abacc417349ae204131
   12e6fa4e89a97ea20a9eeee64b55d39a
   2192992a274fc1a836ba3c23a3feebbd
   454d4423643ce80e2a9ac94fa54ca49f
        
   MESSAGE (length 64 bytes):
   ddaf35a193617abacc417349ae204131
   12e6fa4e89a97ea20a9eeee64b55d39a
   2192992a274fc1a836ba3c23a3feebbd
   454d4423643ce80e2a9ac94fa54ca49f
        
   SIGNATURE:
   dc2a4459e7369633a52b1bf277839a00
   201009a3efbf3ecb69bea2186c26b589
   09351fc9ac90b3ecfdfbc7c66431e030
   3dca179c138ac17ad9bef1177331a704
   -----
        
   SIGNATURE:
   dc2a4459e7369633a52b1bf277839a00
   201009a3efbf3ecb69bea2186c26b589
   09351fc9ac90b3ecfdfbc7c66431e030
   3dca179c138ac17ad9bef1177331a704
   -----
        
7.2. Test Vectors for Ed25519ctx
7.2. Ed25519ctx的测试向量
   -----foo
        
   -----foo
        

ALGORITHM: Ed25519ctx

算法:Ed25519ctx

   SECRET KEY:
   0305334e381af78f141cb666f6199f57
   bc3495335a256a95bd2a55bf546663f6
        
   SECRET KEY:
   0305334e381af78f141cb666f6199f57
   bc3495335a256a95bd2a55bf546663f6
        
   PUBLIC KEY:
   dfc9425e4f968f7f0c29f0259cf5f9ae
   d6851c2bb4ad8bfb860cfee0ab248292
        
   PUBLIC KEY:
   dfc9425e4f968f7f0c29f0259cf5f9ae
   d6851c2bb4ad8bfb860cfee0ab248292
        
   MESSAGE (length 16 bytes):
   f726936d19c800494e3fdaff20b276a8
        
   MESSAGE (length 16 bytes):
   f726936d19c800494e3fdaff20b276a8
        

CONTEXT: 666f6f

上下文:666f6f

   SIGNATURE:
   55a4cc2f70a54e04288c5f4cd1e45a7b
   b520b36292911876cada7323198dd87a
   8b36950b95130022907a7fb7c4e9b2d5
   f6cca685a587b4b21f4b888e4e7edb0d
        
   SIGNATURE:
   55a4cc2f70a54e04288c5f4cd1e45a7b
   b520b36292911876cada7323198dd87a
   8b36950b95130022907a7fb7c4e9b2d5
   f6cca685a587b4b21f4b888e4e7edb0d
        
   -----bar
        
   -----bar
        

ALGORITHM: Ed25519ctx

算法:Ed25519ctx

   SECRET KEY:
   0305334e381af78f141cb666f6199f57
   bc3495335a256a95bd2a55bf546663f6
        
   SECRET KEY:
   0305334e381af78f141cb666f6199f57
   bc3495335a256a95bd2a55bf546663f6
        
   PUBLIC KEY:
   dfc9425e4f968f7f0c29f0259cf5f9ae
   d6851c2bb4ad8bfb860cfee0ab248292
        
   PUBLIC KEY:
   dfc9425e4f968f7f0c29f0259cf5f9ae
   d6851c2bb4ad8bfb860cfee0ab248292
        
   MESSAGE (length 16 bytes):
   f726936d19c800494e3fdaff20b276a8
        
   MESSAGE (length 16 bytes):
   f726936d19c800494e3fdaff20b276a8
        

CONTEXT: 626172

上下文:626172

   SIGNATURE:
   fc60d5872fc46b3aa69f8b5b4351d580
   8f92bcc044606db097abab6dbcb1aee3
   216c48e8b3b66431b5b186d1d28f8ee1
   5a5ca2df6668346291c2043d4eb3e90d
        
   SIGNATURE:
   fc60d5872fc46b3aa69f8b5b4351d580
   8f92bcc044606db097abab6dbcb1aee3
   216c48e8b3b66431b5b186d1d28f8ee1
   5a5ca2df6668346291c2043d4eb3e90d
        
   -----foo2
        
   -----foo2
        

ALGORITHM: Ed25519ctx

算法:Ed25519ctx

   SECRET KEY:
   0305334e381af78f141cb666f6199f57
   bc3495335a256a95bd2a55bf546663f6
        
   SECRET KEY:
   0305334e381af78f141cb666f6199f57
   bc3495335a256a95bd2a55bf546663f6
        
   PUBLIC KEY:
   dfc9425e4f968f7f0c29f0259cf5f9ae
   d6851c2bb4ad8bfb860cfee0ab248292
        
   PUBLIC KEY:
   dfc9425e4f968f7f0c29f0259cf5f9ae
   d6851c2bb4ad8bfb860cfee0ab248292
        
   MESSAGE (length 16 bytes):
   508e9e6882b979fea900f62adceaca35
        
   MESSAGE (length 16 bytes):
   508e9e6882b979fea900f62adceaca35
        

CONTEXT: 666f6f

上下文:666f6f

   SIGNATURE:
   8b70c1cc8310e1de20ac53ce28ae6e72
   07f33c3295e03bb5c0732a1d20dc6490
   8922a8b052cf99b7c4fe107a5abb5b2c
   4085ae75890d02df26269d8945f84b0b
        
   SIGNATURE:
   8b70c1cc8310e1de20ac53ce28ae6e72
   07f33c3295e03bb5c0732a1d20dc6490
   8922a8b052cf99b7c4fe107a5abb5b2c
   4085ae75890d02df26269d8945f84b0b
        
   -----foo3
        
   -----foo3
        

ALGORITHM: Ed25519ctx

算法:Ed25519ctx

   SECRET KEY:
   ab9c2853ce297ddab85c993b3ae14bca
   d39b2c682beabc27d6d4eb20711d6560
        
   SECRET KEY:
   ab9c2853ce297ddab85c993b3ae14bca
   d39b2c682beabc27d6d4eb20711d6560
        
   PUBLIC KEY:
   0f1d1274943b91415889152e893d80e9
   3275a1fc0b65fd71b4b0dda10ad7d772
        
   PUBLIC KEY:
   0f1d1274943b91415889152e893d80e9
   3275a1fc0b65fd71b4b0dda10ad7d772
        
   MESSAGE (length 16 bytes):
   f726936d19c800494e3fdaff20b276a8
        
   MESSAGE (length 16 bytes):
   f726936d19c800494e3fdaff20b276a8
        

CONTEXT: 666f6f

上下文:666f6f

   SIGNATURE:
   21655b5f1aa965996b3f97b3c849eafb
   a922a0a62992f73b3d1b73106a84ad85
   e9b86a7b6005ea868337ff2d20a7f5fb
   d4cd10b0be49a68da2b2e0dc0ad8960f
   -----
        
   SIGNATURE:
   21655b5f1aa965996b3f97b3c849eafb
   a922a0a62992f73b3d1b73106a84ad85
   e9b86a7b6005ea868337ff2d20a7f5fb
   d4cd10b0be49a68da2b2e0dc0ad8960f
   -----
        
7.3. Test Vectors for Ed25519ph
7.3. Ed25519ph的测试载体
   -----TEST abc
        
   -----TEST abc
        

ALGORITHM: Ed25519ph

算法:Ed25519ph

   SECRET KEY:
   833fe62409237b9d62ec77587520911e
   9a759cec1d19755b7da901b96dca3d42
        
   SECRET KEY:
   833fe62409237b9d62ec77587520911e
   9a759cec1d19755b7da901b96dca3d42
        
   PUBLIC KEY:
   ec172b93ad5e563bf4932c70e1245034
   c35467ef2efd4d64ebf819683467e2bf
        
   PUBLIC KEY:
   ec172b93ad5e563bf4932c70e1245034
   c35467ef2efd4d64ebf819683467e2bf
        

MESSAGE (length 3 bytes): 616263

消息(长度3字节):616263

   SIGNATURE:
   98a70222f0b8121aa9d30f813d683f80
   9e462b469c7ff87639499bb94e6dae41
   31f85042463c2a355a2003d062adf5aa
   a10b8c61e636062aaad11c2a26083406
   -----
        
   SIGNATURE:
   98a70222f0b8121aa9d30f813d683f80
   9e462b469c7ff87639499bb94e6dae41
   31f85042463c2a355a2003d062adf5aa
   a10b8c61e636062aaad11c2a26083406
   -----
        
7.4. Test Vectors for Ed448
7.4. Ed448的测试向量
   -----Blank
        
   -----Blank
        

ALGORITHM: Ed448

算法:Ed448

SECRET KEY: 6c82a562cb808d10d632be89c8513ebf 6c929f34ddfa8c9f63c9960ef6e348a3 528c8a3fcc2f044e39a3fc5b94492f8f 032e7549a20098f95b

密钥:6c82a562cb808d10d632be89c8513ebf 6c929f34ddfa8c9f63c9960ef6e348a3 528c8a3fcc2f044e39a3fc5b94492f8f 032e7549a20098f95b

PUBLIC KEY: 5fd7449b59b461fd2ce787ec616ad46a 1da1342485a70e1f8a0ea75d80e96778 edf124769b46c7061bd6783df1e50f6c d1fa1abeafe8256180

公钥:5fd7449b59b461fd2ce787ec616ad46a 1da1342485a70e1f8a0ea75d80e96778 edf124769b46c7061bd6783df1e50f6c d1fa1abeafe8256180

MESSAGE (length 0 bytes):

消息(长度为0字节):

SIGNATURE: 533a37f6bbe457251f023c0d88f976ae 2dfb504a843e34d2074fd823d41a591f 2b233f034f628281f2fd7a22ddd47d78 28c59bd0a21bfd3980ff0d2028d4b18a 9df63e006c5d1c2d345b925d8dc00b41 04852db99ac5c7cdda8530a113a0f4db b61149f05a7363268c71d95808ff2e65 2600

签字:533a37f6bbe457251f023c0d88f976ae 2dfb504a843e34d2074fd823d41a591f 2B233F034F628281F2FD7A22DD47D78 28C59BD0A21BFD380FF0D2028D4B18A 9df63e006c5d1c2d345b925d8dc00b41 04852db99ac5c7cdda8530a113a0f4db B61149F05A73268C71D9580FF2E2600

   -----1 octet
        
   -----1 octet
        

ALGORITHM: Ed448

算法:Ed448

SECRET KEY: c4eab05d357007c632f3dbb48489924d 552b08fe0c353a0d4a1f00acda2c463a fbea67c5e8d2877c5e3bc397a659949e f8021e954e0a12274e

密钥:c4eab05d357007c632f3dbb48489924d 552b08fe0c353a0d4a1f00acda2c463a fbea67c5e8d2877c5e3bc397a659949e f8021e954e0a12274e

PUBLIC KEY: 43ba28f430cdff456ae531545f7ecd0a c834a55d9358c0372bfa0c6c6798c086 6aea01eb00742802b8438ea4cb82169c 235160627b4c3a9480

公钥:43BA28F430CDFF456AE53154F7ECD0A C834A55D9358C0372BFA0C6798C086 6aea01eb00742802b8438ea4cb82169c 235160627B4C3A 9480

MESSAGE (length 1 byte): 03

消息(长度1字节):03

SIGNATURE: 26b8f91727bd62897af15e41eb43c377 efb9c610d48f2335cb0bd0087810f435 2541b143c4b981b7e18f62de8ccdf633 fc1bf037ab7cd779805e0dbcc0aae1cb cee1afb2e027df36bc04dcecbf154336 c19f0af7e0a6472905e799f1953d2a0f f3348ab21aa4adafd1d234441cf807c0 3a00

签字:26b8f91727bd62897af15e41eb43c377 efb9c610d48f2335cb0bd0087810f435 2541B1B3C4B981B7E18F62DE8CCDF633 fc1bf037ab7cd779805e0dbcc0aae1cb cee1afb2e027df36bc04dcecbf154336 C19F0AF7E0A6472905E799F1952A0F F3348AB21AA4ADAFD123441CF807C03A000

   -----1 octet (with context)
        
   -----1 octet (with context)
        

ALGORITHM: Ed448

算法:Ed448

SECRET KEY: c4eab05d357007c632f3dbb48489924d 552b08fe0c353a0d4a1f00acda2c463a fbea67c5e8d2877c5e3bc397a659949e f8021e954e0a12274e

密钥:c4eab05d357007c632f3dbb48489924d 552b08fe0c353a0d4a1f00acda2c463a fbea67c5e8d2877c5e3bc397a659949e f8021e954e0a12274e

PUBLIC KEY: 43ba28f430cdff456ae531545f7ecd0a c834a55d9358c0372bfa0c6c6798c086 6aea01eb00742802b8438ea4cb82169c 235160627b4c3a9480

公钥:43BA28F430CDFF456AE53154F7ECD0A C834A55D9358C0372BFA0C6798C086 6aea01eb00742802b8438ea4cb82169c 235160627B4C3A 9480

MESSAGE (length 1 byte): 03

消息(长度1字节):03

CONTEXT: 666f6f

上下文:666f6f

SIGNATURE: d4f8f6131770dd46f40867d6fd5d5055 de43541f8c5e35abbcd001b32a89f7d2 151f7647f11d8ca2ae279fb842d60721 7fce6e042f6815ea000c85741de5c8da 1144a6a1aba7f96de42505d7a7298524 fda538fccbbb754f578c1cad10d54d0d 5428407e85dcbc98a49155c13764e66c 3c00

签名:d4f8f6131770dd46f40867d6fd5d5055 DE43541F8C5E35ABBCD001B32A89F7D2151F7647F11D8CA2AE279FB842D60721 7fce6e042f6815ea000c85741de5c8da 1144A6A1ABA7F96DE42505D7A729824 FDA538FCCB754F578C1CAD10D5428407E85BC98A49C13764E66C 3c00

   -----11 octets
        
   -----11 octets
        

ALGORITHM: Ed448

算法:Ed448

SECRET KEY: cd23d24f714274e744343237b93290f5 11f6425f98e64459ff203e8985083ffd f60500553abc0e05cd02184bdb89c4cc d67e187951267eb328

密钥:CD23D24F714274E7443237B93290F5 11f6425f98e64459ff203e8985083ffd f60500553abc0e05cd02184bdb89c4cc d67e187951267eb328

PUBLIC KEY: dcea9e78f35a1bf3499a831b10b86c90 aac01cd84b67a0109b55a36e9328b1e3 65fce161d71ce7131a543ea4cb5f7e9f 1d8b00696447001400

公钥:dcea9e78f35a1bf3499a831b10b86c90 aac01cd84b67a0109b55a36e9328b1e3 65fce161d71ce7131a543ea4cb5f7e9f 1d8b00696447001400

MESSAGE (length 11 bytes): 0c3e544074ec63b0265e0c

消息(长度11字节):0c3e544074ec63b0265e0c

SIGNATURE: 1f0a8888ce25e8d458a21130879b840a 9089d999aaba039eaf3e3afa090a09d3 89dba82c4ff2ae8ac5cdfb7c55e94d5d 961a29fe0109941e00b8dbdeea6d3b05 1068df7254c0cdc129cbe62db2dc957d bb47b51fd3f213fb8698f064774250a5 028961c9bf8ffd973fe5d5c206492b14 0e00

签名:1f0a8888ce25e8d458a21130879b840a 9089d999aaba039eaf3e3afa090a09d3 89dba82c4ff2ae8ac5cdfb7c55e94d5d 961a29fe0109941e00b8dbdeea6d3b05 1068DF7254C0CDC129CBE62DB2957D BB47B51FD31FB8698F064774250A5028961C9BF8FFD973FE5CD2064B14 0e00

   -----12 octets
        
   -----12 octets
        

ALGORITHM: Ed448

算法:Ed448

SECRET KEY: 258cdd4ada32ed9c9ff54e63756ae582 fb8fab2ac721f2c8e676a72768513d93 9f63dddb55609133f29adf86ec9929dc cb52c1c5fd2ff7e21b

密钥:258cdd4ada32ed9c9ff54e63756ae582 FB8FAB2AC721F2C8E676A7268513D93 9f63dddb55609133f29adf86ec9929dc CB52C1C5FD2F7E21B

PUBLIC KEY: 3ba16da0c6f2cc1f30187740756f5e79 8d6bc5fc015d7c63cc9510ee3fd44adc 24d8e968b6e46e6f94d19b945361726b d75e149ef09817f580

公钥:3ba16da0c6f2cc1f30187740756f5e79 8d6bc5fc015d7c63cc9510ee3fd44adc 24d8e968b6e46e6f94d19b945361726b d75e149ef09817f580

MESSAGE (length 12 bytes): 64a65f3cdedcdd66811e2915

消息(长度12字节):64A65F3CDEDCDD6681E2915

SIGNATURE: 7eeeab7c4e50fb799b418ee5e3197ff6 bf15d43a14c34389b59dd1a7b1b85b4a e90438aca634bea45e3a2695f1270f07 fdcdf7c62b8efeaf00b45c2c96ba457e b1a8bf075a3db28e5c24f6b923ed4ad7 47c3c9e03c7079efb87cb110d3a99861 e72003cbae6d6b8b827e4e6c143064ff 3c00

签名:7eeeab7c4e50fb799b418ee5e3197ff6 bf15d43a14c34389b59dd1a7b1b85b4a E90438ACA6344BEA45E3A2695F1270F07 fdcdf7c62b8efeaf00b45c2c96ba457e B1A8BF075A328E5C24F6B923ED4AD7 C3C9E03C7079EFB87CB110D3A99861 E72003CBAE6B6827E6B43064FF 3c00

   -----13 octets
        
   -----13 octets
        

ALGORITHM: Ed448

算法:Ed448

SECRET KEY: 7ef4e84544236752fbb56b8f31a23a10 e42814f5f55ca037cdcc11c64c9a3b29 49c1bb60700314611732a6c2fea98eeb c0266a11a93970100e

密钥:7ef4e84544236752fbb56b8f31a23a10 E42814F5C5CA037CDCC11C64C9A3B29 49c1bb60700314611732a6c2fea98eeb c0266a11a93970100e

PUBLIC KEY: b3da079b0aa493a5772029f0467baebe e5a8112d9d3a22532361da294f7bb381 5c5dc59e176b4d9f381ca0938e13c6c0 7b174be65dfa578e80

公钥:B3DA079B0AA493A577029F0467BAEBE E5A8112D9D3A2253361DA294B381 5c5dc59e176b4d9f381ca0938e13c6c0 7B174 BE65DFA578E80

MESSAGE (length 13 bytes): 64a65f3cdedcdd66811e2915e7

消息(长度13字节):64A65F3CDEDCDD6681E2915E7

SIGNATURE: 6a12066f55331b6c22acd5d5bfc5d712 28fbda80ae8dec26bdd306743c5027cb 4890810c162c027468675ecf645a8317 6c0d7323a2ccde2d80efe5a1268e8aca 1d6fbc194d3f77c44986eb4ab4177919 ad8bec33eb47bbb5fc6e28196fd1caf5 6b4e7e0ba5519234d047155ac727a105 3100

签名:6a12066f55331b6c22acd5d5bfc5d712 28fbda80ae8dec26bdd306743c5027cb 4890810c162c027468675ecf645a8317 6c0d7323a2ccde2d80efe5a1268e8aca 1d6fbc194d3f77c44986eb4ab4177919 AD8BE33EB47BBB5FC6E28196FD1CAF5 6b4e7e0ba5519234d047155ac727a105 3100

   -----64 octets
        
   -----64 octets
        

ALGORITHM: Ed448

算法:Ed448

SECRET KEY: d65df341ad13e008567688baedda8e9d cdc17dc024974ea5b4227b6530e339bf f21f99e68ca6968f3cca6dfe0fb9f4fa b4fa135d5542ea3f01

密钥:d65df341ad13e008567688baedda8e9d cdc17dc024974ea5b4227b6530e339bf f21f99e68ca6968f3cca6dfe0fb9f4fa b4fa135d5542ea3f01

PUBLIC KEY: df9705f58edbab802c7f8363cfe5560a b1c6132c20a9f1dd163483a26f8ac53a 39d6808bf4a1dfbd261b099bb03b3fb5 0906cb28bd8a081f00

公钥:df9705f58edbab802c7f8363cfe5560a B1C6132C20A9F1DD16348A26F8AC53A 39d6808bf4a1dfbd261b099bb03b3fb5 0906cb28bd8a081f00

   MESSAGE (length 64 bytes):
   bd0f6a3747cd561bdddf4640a332461a
   4a30a12a434cd0bf40d766d9c6d458e5
   512204a30c17d1f50b5079631f64eb31
   12182da3005835461113718d1a5ef944
        
   MESSAGE (length 64 bytes):
   bd0f6a3747cd561bdddf4640a332461a
   4a30a12a434cd0bf40d766d9c6d458e5
   512204a30c17d1f50b5079631f64eb31
   12182da3005835461113718d1a5ef944
        

SIGNATURE: 554bc2480860b49eab8532d2a533b7d5 78ef473eeb58c98bb2d0e1ce488a98b1 8dfde9b9b90775e67f47d4a1c3482058 efc9f40d2ca033a0801b63d45b3b722e f552bad3b4ccb667da350192b61c508c f7b6b5adadc2c8d9a446ef003fb05cba 5f30e88e36ec2703b349ca229c267083 3900

签名:554BC248060B49EAB8532D2A533B7D5 78ef473eeb58c98bb2d0e1ce488a98b1 8DFDE9B90775E67F47D4A1C3482058 EFC9F40D2CA033A081B63D45B3B722E F552BAD3B46B667DA350192B61C508C F7B5ADDC8D9A446EF003FB05CBA 5f30e88e36ec2703b349ca229c267083 3900

   -----256 octets
        
   -----256 octets
        

ALGORITHM: Ed448

算法:Ed448

SECRET KEY: 2ec5fe3c17045abdb136a5e6a913e32a b75ae68b53d2fc149b77e504132d3756 9b7e766ba74a19bd6162343a21c8590a a9cebca9014c636df5

密钥:2ec5fe3c17045abdb136a5e6a913e32a b75ae68b53d2fc149b77e504132d3756 9b7e766ba74a19bd6162343a21c8590a a9cebca9014c636df5

PUBLIC KEY: 79756f014dcfe2079f5dd9e718be4171 e2ef2486a08f25186f6bff43a9936b9b fe12402b08ae65798a3d81e22e9ec80e 7690862ef3d4ed3a00

公钥:79756f014dcfe2079f5dd9e718be4171 E2EF2486A08F25186F6BF43A9936B9B fe12402b08ae65798a3d81e22e9ec80e 7690862ef3d4ed3a00

   MESSAGE (length 256 bytes):
   15777532b0bdd0d1389f636c5f6b9ba7
   34c90af572877e2d272dd078aa1e567c
   fa80e12928bb542330e8409f31745041
   07ecd5efac61ae7504dabe2a602ede89
   e5cca6257a7c77e27a702b3ae39fc769
   fc54f2395ae6a1178cab4738e543072f
   c1c177fe71e92e25bf03e4ecb72f47b6
   4d0465aaea4c7fad372536c8ba516a60
   39c3c2a39f0e4d832be432dfa9a706a6
   e5c7e19f397964ca4258002f7c0541b5
   90316dbc5622b6b2a6fe7a4abffd9610
   5eca76ea7b98816af0748c10df048ce0
   12d901015a51f189f3888145c03650aa
   23ce894c3bd889e030d565071c59f409
   a9981b51878fd6fc110624dcbcde0bf7
   a69ccce38fabdf86f3bef6044819de11
        
   MESSAGE (length 256 bytes):
   15777532b0bdd0d1389f636c5f6b9ba7
   34c90af572877e2d272dd078aa1e567c
   fa80e12928bb542330e8409f31745041
   07ecd5efac61ae7504dabe2a602ede89
   e5cca6257a7c77e27a702b3ae39fc769
   fc54f2395ae6a1178cab4738e543072f
   c1c177fe71e92e25bf03e4ecb72f47b6
   4d0465aaea4c7fad372536c8ba516a60
   39c3c2a39f0e4d832be432dfa9a706a6
   e5c7e19f397964ca4258002f7c0541b5
   90316dbc5622b6b2a6fe7a4abffd9610
   5eca76ea7b98816af0748c10df048ce0
   12d901015a51f189f3888145c03650aa
   23ce894c3bd889e030d565071c59f409
   a9981b51878fd6fc110624dcbcde0bf7
   a69ccce38fabdf86f3bef6044819de11
        

SIGNATURE: c650ddbb0601c19ca11439e1640dd931 f43c518ea5bea70d3dcde5f4191fe53f 00cf966546b72bcc7d58be2b9badef28 743954e3a44a23f880e8d4f1cfce2d7a 61452d26da05896f0a50da66a239a8a1 88b6d825b3305ad77b73fbac0836ecc6 0987fd08527c1a8e80d5823e65cafe2a 3d00

签名:c650ddbb0601c19ca11439e1640dd931 f43c518ea5bea70d3dcde5f4191fe53f 00cf966546b72bcc7d58be2b9badef28 743954e3a44a23f880e8d4f1cfce2d7a 61452d26da05896f0a50da66a239a8a1 88B6D825B3305AD77B73FBAC0836ECC60987FD08527C1A8E80D5823E65CAFE2A 3d00

   -----1023 octets
        
   -----1023 octets
        

ALGORITHM: Ed448

算法:Ed448

SECRET KEY: 872d093780f5d3730df7c212664b37b8 a0f24f56810daa8382cd4fa3f77634ec 44dc54f1c2ed9bea86fafb7632d8be19 9ea165f5ad55dd9ce8

密钥:872d093780f5d3730df7c212664b37b8 A0F24F56810DAA8382CD4FA3F776344EC 44dc54f1c2ed9bea86fafb7632d8be19 9ea165f5ad55dd9ce8

PUBLIC KEY: a81b2e8a70a5ac94ffdbcc9badfc3feb 0801f258578bb114ad44ece1ec0e799d a08effb81c5d685c0c56f64eecaef8cd f11cc38737838cf400

公开密钥:a81b2e8a70a5ac94ffdbcc9badfc3feb 0801F258578BB114 AD44ECE0E799D a08effb81c5d685c0c56f64eecaef8cd f11cc38737838cf400

   MESSAGE (length 1023 bytes):
   6ddf802e1aae4986935f7f981ba3f035
   1d6273c0a0c22c9c0e8339168e675412
   a3debfaf435ed651558007db4384b650
   fcc07e3b586a27a4f7a00ac8a6fec2cd
   86ae4bf1570c41e6a40c931db27b2faa
   15a8cedd52cff7362c4e6e23daec0fbc
   3a79b6806e316efcc7b68119bf46bc76
   a26067a53f296dafdbdc11c77f7777e9
   72660cf4b6a9b369a6665f02e0cc9b6e
   dfad136b4fabe723d2813db3136cfde9
   b6d044322fee2947952e031b73ab5c60
   3349b307bdc27bc6cb8b8bbd7bd32321
   9b8033a581b59eadebb09b3c4f3d2277
   d4f0343624acc817804728b25ab79717
   2b4c5c21a22f9c7839d64300232eb66e
   53f31c723fa37fe387c7d3e50bdf9813
   a30e5bb12cf4cd930c40cfb4e1fc6225
   92a49588794494d56d24ea4b40c89fc0
   596cc9ebb961c8cb10adde976a5d602b
   1c3f85b9b9a001ed3c6a4d3b1437f520
        
   MESSAGE (length 1023 bytes):
   6ddf802e1aae4986935f7f981ba3f035
   1d6273c0a0c22c9c0e8339168e675412
   a3debfaf435ed651558007db4384b650
   fcc07e3b586a27a4f7a00ac8a6fec2cd
   86ae4bf1570c41e6a40c931db27b2faa
   15a8cedd52cff7362c4e6e23daec0fbc
   3a79b6806e316efcc7b68119bf46bc76
   a26067a53f296dafdbdc11c77f7777e9
   72660cf4b6a9b369a6665f02e0cc9b6e
   dfad136b4fabe723d2813db3136cfde9
   b6d044322fee2947952e031b73ab5c60
   3349b307bdc27bc6cb8b8bbd7bd32321
   9b8033a581b59eadebb09b3c4f3d2277
   d4f0343624acc817804728b25ab79717
   2b4c5c21a22f9c7839d64300232eb66e
   53f31c723fa37fe387c7d3e50bdf9813
   a30e5bb12cf4cd930c40cfb4e1fc6225
   92a49588794494d56d24ea4b40c89fc0
   596cc9ebb961c8cb10adde976a5d602b
   1c3f85b9b9a001ed3c6a4d3b1437f520
        

96cd1956d042a597d561a596ecd3d173 5a8d570ea0ec27225a2c4aaff26306d1 526c1af3ca6d9cf5a2c98f47e1c46db9 a33234cfd4d81f2c98538a09ebe76998 d0d8fd25997c7d255c6d66ece6fa56f1 1144950f027795e653008f4bd7ca2dee 85d8e90f3dc315130ce2a00375a318c7 c3d97be2c8ce5b6db41a6254ff264fa6 155baee3b0773c0f497c573f19bb4f42 40281f0b1f4f7be857a4e59d416c06b4 c50fa09e1810ddc6b1467baeac5a3668 d11b6ecaa901440016f389f80acc4db9 77025e7f5924388c7e340a732e554440 e76570f8dd71b7d640b3450d1fd5f041 0a18f9a3494f707c717b79b4bf75c984 00b096b21653b5d217cf3565c9597456 f70703497a078763829bc01bb1cbc8fa 04eadc9a6e3f6699587a9e75c94e5bab 0036e0b2e711392cff0047d0d6b05bd2 a588bc109718954259f1d86678a579a3 120f19cfb2963f177aeb70f2d4844826 262e51b80271272068ef5b3856fa8535 aa2a88b2d41f2a0e2fda7624c2850272 ac4a2f561f8f2f7a318bfd5caf969614 9e4ac824ad3460538fdc25421beec2cc 6818162d06bbed0c40a387192349db67 a118bada6cd5ab0140ee273204f628aa d1c135f770279a651e24d8c14d75a605 9d76b96a6fd857def5e0b354b27ab937 a5815d16b5fae407ff18222c6d1ed263 be68c95f32d908bd895cd76207ae7264 87567f9a67dad79abec316f683b17f2d 02bf07e0ac8b5bc6162cf94697b3c27c d1fea49b27f23ba2901871962506520c 392da8b6ad0d99f7013fbc06c2c17a56 9500c8a7696481c1cd33e9b14e40b82e 79a5f5db82571ba97bae3ad3e0479515 bb0e2b0f3bfcd1fd33034efc6245eddd 7ee2086ddae2600d8ca73e214e8c2b0b db2b047c6a464a562ed77b73d2d841c4 b34973551257713b753632efba348169 abc90a68f42611a40126d7cb21b58695 568186f7e569d2ff0f9e745d0487dd2e b997cafc5abf9dd102e62ff66cba87

96cd1956d042a597d561a596ecd3d173 5A8D570EC27225A2C4AAFF26306D1 526c1af3ca6d9cf5a2c98f47e1c46db9 a33234cfd4d81f2c98538a09ebe76998 D0D8FD25997C7D255C66ECE56F1 1144950F027795E65308F4BD7CA2DEE 85D8E90F3DC315130CE2A00375A318C7C3D98538A09EBE5B6F467B4F497B9F497B7B7B9F40B7B9F47F4B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7B7c50fa09e1810ddc6b1467baeac5a3668 d11b6ecaa901440016f389f80acc4db9 77025E7F5924388C7E340A732E55440 e76570f8dd71b7d640b3450d1fd5f041 0A18F9A3494F707C717B47B75C984 00B096B21653B5D217CF3565C9597456F703497349778787638BC01BB1CB8FA 04EADC6E3F66997A75B7E75B7B75B75B75B7B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75B75120F19CFB22963F177AEB70F2D4844826 262e51b80271272068ef5b3856fa8535 AA2A88B2D41F20E2FDA762C2850272 AC4A2F561F8F2F7A318BFD5CAF9614 9E4AC824AD3460538FDC25421 BeeC6818162D06B0C4087192349DB67 A118 BAD6CD5AB0140EE273204F628AA D1C135F770A651E24D8C14D75A605 9D76B857FDD857DFC2827AD625DFB1625B1627B1627B1826B1827CFB1626B1827CFB1627be68c95f32d908bd895cd76207ae7264 87567f9a67dad79abec316f683b17f2d 02bf07e0ac8b5bc6162cf94697b3c27c D1FEA49B27F23BA2901871966520C 392DA8B6AD099F7013FBC06C2C17A56 9500C8A766481C1CD33E9B14E40B82E 79A5F5AC82577BA97BAE3AD3E04715 BB0E2B0BFCD1FD3034EFC62457EDD EE20ED20E86D600D8C2C2C67B8C2737B17B7B7B7B7B7B7B7B7B7B7B7B7D7B7D7B7D7D7B7D8D7D7D7D7D7D7B7B7D7D7D7D7b34973551257713b753632efba348169 ABC90A68F4261A40126D7CB21B58695 568186f7e569d2ff0f9e745d0487dd2e b997cafc5abf9dd102e62ff66cba87

   SIGNATURE:
   e301345a41a39a4d72fff8df69c98075
   a0cc082b802fc9b2b6bc503f926b65bd
   df7f4c8f1cb49f6396afc8a70abe6d8a
   ef0db478d4c6b2970076c6a0484fe76d
   76b3a97625d79f1ce240e7c576750d29
   5528286f719b413de9ada3e8eb78ed57
   3603ce30d8bb761785dc30dbc320869e
   1a00
   -----
        
   SIGNATURE:
   e301345a41a39a4d72fff8df69c98075
   a0cc082b802fc9b2b6bc503f926b65bd
   df7f4c8f1cb49f6396afc8a70abe6d8a
   ef0db478d4c6b2970076c6a0484fe76d
   76b3a97625d79f1ce240e7c576750d29
   5528286f719b413de9ada3e8eb78ed57
   3603ce30d8bb761785dc30dbc320869e
   1a00
   -----
        
7.5. Test Vectors for Ed448ph
7.5. Ed448ph的测试载体
   -----TEST abc
        
   -----TEST abc
        

ALGORITHM: Ed448ph

算法:Ed448ph

SECRET KEY: 833fe62409237b9d62ec77587520911e 9a759cec1d19755b7da901b96dca3d42 ef7822e0d5104127dc05d6dbefde69e3 ab2cec7c867c6e2c49

密钥:833fe62409237b9d62ec77587520911e 9a759cec1d19755b7da901b96dca3d42 ef7822e0d5104127dc05d6dbefde69e3 ab2cec7c867c6e2c49

PUBLIC KEY: 259b71c19f83ef77a7abd26524cbdb31 61b590a48f7d17de3ee0ba9c52beb743 c09428a131d6b1b57303d90d8132c276 d5ed3d5d01c0f53880

公钥:259b71c19f83ef77a7abd26524cbdb31 61b590a48f7d17de3ee0ba9c52beb743 C09428A131D6B1B5703D90D8132C276 d5ed3d5d01c0f53880

MESSAGE (length 3 bytes): 616263

消息(长度3字节):616263

SIGNATURE: 822f6901f7480f3d5f562c592994d969 3602875614483256505600bbc281ae38 1f54d6bce2ea911574932f52a4e6cadd 78769375ec3ffd1b801a0d9b3f4030cd 433964b6457ea39476511214f97469b5 7dd32dbc560a9a94d00bff07620464a3 ad203df7dc7ce360c3cd3696d9d9fab9 0f00

签字:822F6901F7480F3D5F562C5929994D969 360287561448325650560BBC281AE38 1F54D6BCE291157432F52A4 E6CADD 78769375ec3ffd1b801a0d9b3f4030cd 433964b6457ea39476511214f97469b5 7DD32DBC560A9A94D00BFF076204A3 AD203DF7DC7CE360C3CD3696D9FAB9 0f00

   -----TEST abc (with context)
        
   -----TEST abc (with context)
        

ALGORITHM: Ed448ph

算法:Ed448ph

SECRET KEY: 833fe62409237b9d62ec77587520911e 9a759cec1d19755b7da901b96dca3d42 ef7822e0d5104127dc05d6dbefde69e3 ab2cec7c867c6e2c49

密钥:833fe62409237b9d62ec77587520911e 9a759cec1d19755b7da901b96dca3d42 ef7822e0d5104127dc05d6dbefde69e3 ab2cec7c867c6e2c49

PUBLIC KEY: 259b71c19f83ef77a7abd26524cbdb31 61b590a48f7d17de3ee0ba9c52beb743 c09428a131d6b1b57303d90d8132c276 d5ed3d5d01c0f53880

公钥:259b71c19f83ef77a7abd26524cbdb31 61b590a48f7d17de3ee0ba9c52beb743 C09428A131D6B1B5703D90D8132C276 d5ed3d5d01c0f53880

MESSAGE (length 3 bytes): 616263

消息(长度3字节):616263

CONTEXT: 666f6f

上下文:666f6f

   SIGNATURE:
   c32299d46ec8ff02b54540982814dce9
   a05812f81962b649d528095916a2aa48
   1065b1580423ef927ecf0af5888f90da
   0f6a9a85ad5dc3f280d91224ba9911a3
   653d00e484e2ce232521481c8658df30
   4bb7745a73514cdb9bf3e15784ab7128
   4f8d0704a608c54a6b62d97beb511d13
   2100
   -----
        
   SIGNATURE:
   c32299d46ec8ff02b54540982814dce9
   a05812f81962b649d528095916a2aa48
   1065b1580423ef927ecf0af5888f90da
   0f6a9a85ad5dc3f280d91224ba9911a3
   653d00e484e2ce232521481c8658df30
   4bb7745a73514cdb9bf3e15784ab7128
   4f8d0704a608c54a6b62d97beb511d13
   2100
   -----
        
8. Security Considerations
8. 安全考虑
8.1. Side-Channel Leaks
8.1. 侧通道泄漏

For implementations performing signatures, secrecy of the private key is fundamental. It is possible to protect against some side-channel attacks by ensuring that the implementation executes exactly the same sequence of instructions and performs exactly the same memory accesses, for any value of the private key.

对于执行签名的实现,私钥的保密性是最基本的。通过确保实现对私钥的任何值执行完全相同的指令序列并执行完全相同的内存访问,可以防止某些旁道攻击。

To make an implementation side-channel silent in this way, the modulo p arithmetic must not use any data-dependent branches, e.g., related to carry propagation. Side-channel silent point addition is straightforward, thanks to the unified formulas.

为了以这种方式使实现侧信道静音,模p算法不得使用任何依赖于数据的分支,例如,与进位传播相关的分支。由于统一的公式,侧通道静默点的添加非常简单。

Scalar multiplication, multiplying a point by an integer, needs some additional effort to implement in a side-channel silent manner. One simple approach is to implement a side-channel silent conditional assignment, and use it together with the binary algorithm to examine one bit of the integer at a time.

将一个点乘以一个整数的标量乘法需要额外的努力才能以旁道静默方式实现。一种简单的方法是实现侧通道静默条件分配,并将其与二进制算法一起使用,一次检查整数的一位。

Compared to other signature schemes, avoiding data-dependent branches is easier due to side-channel silent modulo p arithmetic being easier (with recommended curves) and having complete addition formulas instead of having a number of special cases.

与其他签名方案相比,避免数据相关分支更容易,因为侧通道静默模p算法更容易(使用推荐的曲线),并且具有完整的加法公式,而不是有许多特殊情况。

Note that the example implementations in this document do not attempt to be side-channel silent.

请注意,本文档中的示例实现并不试图保持侧通道静默。

8.2. Randomness Considerations
8.2. 随机性考虑

EdDSA signatures are deterministic. This protects against attacks arising from signing with bad randomness; the effects of which can, depending on the algorithm, range up to full private key compromise. It can be surprisingly hard to ensure good-quality random numbers, and there have been numerous security failures relating to this.

EdDSA签名是确定性的。这可以防止由于随机性差的签名而引起的攻击;根据算法的不同,其影响范围可以达到完全私钥泄露。要确保高质量的随机数可能会出人意料地困难,与此相关的安全性故障也很多。

Obviously, private key generation requires randomness, but due to the fact that the private key is hashed before use, a few missing bits of entropy doesn't constitute a disaster.

显然,私钥生成需要随机性,但由于私钥在使用前会被散列,因此丢失的一些熵不会构成灾难。

The basic signature verification is also deterministic. However, some speedups by verifying multiple signatures at once do require random numbers.

基本的签名验证也是确定性的。但是,通过一次验证多个签名而实现的某些加速确实需要随机数。

8.3. Use of Contexts
8.3. 语境的使用

Contexts can be used to separate uses of the protocol between different protocols (which is very hard to reliably do otherwise) and between different uses within the same protocol. However, the following SHOULD be kept in mind when using this facility:

上下文可用于区分不同协议之间的协议使用(否则很难可靠地做到),以及同一协议内不同使用之间的协议使用。但是,在使用本设施时,应牢记以下几点:

The context SHOULD be a constant string specified by the protocol using it. It SHOULD NOT incorporate variable elements from the message itself.

上下文应该是使用它的协议指定的常量字符串。它不应该包含来自消息本身的变量元素。

Contexts SHOULD NOT be used opportunistically, as that kind of use is very error prone. If contexts are used, one SHOULD require all signature schemes available for use in that purpose support contexts.

不应该机会主义地使用上下文,因为这种使用非常容易出错。如果使用上下文,则应要求所有可用于该目的的签名方案支持上下文。

Contexts are an extra input, which percolate out of APIs; as such, even if the signature scheme supports contexts, those may not be available for use. This problem is compounded by the fact that many times the application is not invoking the signing and verification functions directly but via some other protocol.

上下文是一个额外的输入,从API中渗透出来;因此,即使签名方案支持上下文,也可能无法使用这些上下文。很多时候,应用程序不是直接调用签名和验证函数,而是通过其他协议来调用,这使得这个问题更加复杂。

8.4. Signature Malleability
8.4. 特征延展性

Some systems assume signatures are not malleable: that is, given a valid signature for some message under some key, the attacker can't produce another valid signature for the same message and key.

有些系统假定签名是不可延展的:即,给定某个密钥下某个消息的有效签名,攻击者无法为同一个消息和密钥生成另一个有效签名。

Ed25519 and Ed448 signatures are not malleable due to the verification check that decoded S is smaller than l. Without this check, one can add a multiple of l into a scalar part and still pass signature verification, resulting in malleable signatures.

Ed25519和Ed448签名不可延展,因为验证检查表明解码的S小于l。如果不进行此检查,可以将l的倍数添加到标量部分中,并且仍然通过签名验证,从而产生可延展的签名。

8.5. Choice of Signature Primitive
8.5. 签名原语的选择

Ed25519 and Ed25519ph have a nominal strength of 128 bits, whereas Ed448 and Ed448ph have the strength of 224. While the lower strength is sufficient for the foreseeable future, the higher level brings some defense against possible future cryptographic advances. Both are demolished by quantum computers just about the same.

Ed25519和Ed25519ph的标称强度为128位,而Ed448和Ed448ph的标称强度为224位。虽然较低的强度在可预见的未来是足够的,但较高的强度会对未来可能的加密进展带来一些防御。两者都被量子计算机摧毁了。

The Ed25519ph and Ed448ph variants are prehashed. This is mainly useful for interoperation with legacy APIs, since in most of the cases, either the amount of data signed is not large or the protocol is in the position to do digesting in ways better than just prehashing (e.g., tree hashing or splitting the data). The

Ed25519ph和Ed448ph变体已预灰化。这主要用于与遗留API的互操作,因为在大多数情况下,签名的数据量不是很大,或者协议能够以比预灰化更好的方式进行消化(例如,树哈希或分割数据)。这个

prehashing also makes the functions greatly more vulnerable to weaknesses in hash functions used. These variants SHOULD NOT be used.

预灰化还使函数更容易受到所用哈希函数弱点的影响。不应使用这些变体。

Ed25519ctx and Ed448 have contexts. However, this is balanced by the problems noted in Section 8.3 about contexts.

Ed25519ctx和Ed448具有上下文。然而,第8.3节关于上下文的问题平衡了这一点。

On the implementation front, Ed25519 is widely implemented and has many high-quality implementations. The others have much worse support.

在实现方面,Ed25519得到了广泛的实现,并且有许多高质量的实现。其他人的支持率要差得多。

In summary, if a high 128-bit security level is enough, use of Ed25519 is RECOMMENDED; otherwise, Ed448 is RECOMMENDED.

总之,如果高128位安全级别足够,建议使用Ed25519;否则,建议使用Ed448。

8.6. Mixing Different Prehashes
8.6. 混合不同的灰烬

The schemes described in this document are designed to be resistant to mixing prehashes. That is, it is infeasible to find a message that verifies using the same signature under another scheme, even if the original signed message was chosen. Thus, one can use the same key pair for Ed25519, Ed25519ctx, and Ed25519ph and correspondingly with Ed448 and Ed448ph.

本文件中描述的方案旨在防止混合预灰烬。也就是说,即使选择了原始签名的消息,也无法找到在另一个方案下使用相同签名进行验证的消息。因此,可以对Ed25519、Ed25519ctx和Ed25519ph以及相应的Ed448和Ed448ph使用相同的密钥对。

The "SigEd25519 no Ed25519 collisions" constant is chosen to be a textual string such that it does not decode as a point. Because the inner hash input in the Ed25519 signature always starts with a valid point, there is no way trivial collision can be constructed. In the case of seed hash, trivial collisions are so unlikely, even with an attacker choosing all inputs, that it is much more probable that something else goes catastrophically wrong.

“SigEd25519无Ed25519冲突”常量被选择为文本字符串,这样它就不会作为点进行解码。由于Ed25519签名中的内部哈希输入始终以有效点开始,因此无法构造普通冲突。在种子散列的情况下,即使攻击者选择了所有输入,琐碎的冲突也不太可能发生,因此更有可能发生其他灾难性错误。

8.7. Signing Large Amounts of Data at Once
8.7. 一次对大量数据进行签名

Avoid signing large amounts of data at once (where "large" depends on the expected verifier). In particular, unless the underlying protocol does not require it, the receiver MUST buffer the entire message (or enough information to reconstruct it, e.g., compressed or encrypted version) to be verified.

避免一次对大量数据进行签名(其中“大”取决于预期的验证器)。特别是,除非底层协议不需要它,否则接收方必须缓冲整个消息(或足够的信息来重建它,例如,压缩或加密版本)以进行验证。

This is needed because most of the time, it is unsafe to process unverified data, and verifying the signature makes a pass through the whole message, causing ultimately at least two passes through.

这是必要的,因为在大多数情况下,处理未经验证的数据是不安全的,验证签名会使整个消息传递一次,最终导致至少两次传递。

As an API consideration, this means that any Initialize Update Finalize (IFU) verification interface is prone to misuse.

作为API考虑因素,这意味着任何初始化更新最终确定(IFU)验证接口都容易被误用。

It is a bad idea to modify Ed25519 or Ed448 signing to be able to create valid Ed25519/Ed448 signatures using an IUF interface with only constant buffering. Pretty much any error in such would cause catastrophic security failure.

修改Ed25519或Ed448签名以使用仅具有常量缓冲的IUF接口创建有效的Ed25519/Ed448签名是一个坏主意。在这种情况下,几乎任何错误都会导致灾难性的安全故障。

8.8. Multiplication by Cofactor in Verification
8.8. 验证中的余因子乘法

The given verification formulas for both Ed25519 and Ed448 multiply points by the cofactor. While this is not strictly necessary for security (in fact, any signature that meets the non-multiplied equation will satisfy the multiplied one), in some applications it is undesirable for implementations to disagree about the exact set of valid signatures. Such disagreements could open up, e.g., fingerprinting attacks.

Ed25519和Ed448的给定验证公式将点乘以余因子。虽然这对于安全性不是严格必需的(事实上,满足非乘法等式的任何签名都将满足乘法等式),但在某些应用程序中,实现不希望对有效签名的确切集合存在分歧。这类分歧可能会爆发,例如指纹攻击。

8.9. Use of SHAKE256 as a Hash Function
8.9. 使用SHAKE256作为散列函数

Ed448 uses SHAKE256 as a hash function, even if SHAKE256 is specifically defined not to be a hash function.

Ed448使用SHAKE256作为散列函数,即使SHAKE256被明确定义为非散列函数。

The first potentially troublesome property is that shorter outputs are prefixes of longer ones. This is acceptable because output lengths are fixed.

第一个潜在的麻烦特性是,较短的输出是较长输出的前缀。这是可以接受的,因为输出长度是固定的。

The second potentially troublesome property is failing to meet standard hash security notions (especially with preimages). However, the estimated 256-bit security level against collisions and preimages is sufficient to pair with a 224-bit level elliptic curve.

第二个潜在的麻烦属性是无法满足标准哈希安全概念(尤其是前映像)。然而,针对冲突和预映像的估计256位安全级别足以与224位级别的椭圆曲线配对。

9. References
9. 工具书类
9.1. Normative References
9.1. 规范性引用文件

[FIPS202] National Institute of Standards and Technology, "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions", FIPS PUB 202, August 2015, <http://dx.doi.org/10.6028/NIST.FIPS.202>.

[FIPS202]国家标准与技术研究所,“SHA-3标准:基于排列的散列和可扩展输出函数”,FIPS PUB 202,2015年8月<http://dx.doi.org/10.6028/NIST.FIPS.202>.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.

[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)", RFC 6234, DOI 10.17487/RFC6234, May 2011, <http://www.rfc-editor.org/info/rfc6234>.

[RFC6234]Eastlake 3rd,D.和T.Hansen,“美国安全哈希算法(基于SHA和SHA的HMAC和HKDF)”,RFC 6234,DOI 10.17487/RFC6234,2011年5月<http://www.rfc-editor.org/info/rfc6234>.

[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016, <http://www.rfc-editor.org/info/rfc7748>.

[RFC7748]兰利,A.,汉堡,M.和S.特纳,“安全的椭圆曲线”,RFC 7748,DOI 10.17487/RFC7748,2016年1月<http://www.rfc-editor.org/info/rfc7748>.

9.2. Informative References
9.2. 资料性引用

[CURVE25519] Bernstein, D., "Curve25519: new Diffie-Hellman speed records", DOI 10.1007/11745853_14, February 2006, <http://cr.yp.to/ecdh.html>.

[CURVE25519]Bernstein,D.,“CURVE25519:新的Diffie-Hellman速度记录”,DOI 10.1007/11745853_14,2006年2月<http://cr.yp.to/ecdh.html>.

[ED25519-LIBGCRYPT-TEST-VECTORS] Koch, W., "Ed25519 Libgcrypt test vectors", July 2014, <http://git.gnupg.org/cgi-bin/ gitweb.cgi?p=libgcrypt.git;a=blob;f=tests/t-ed25519.inp; h=e13566f826321eece65e02c593bc7d885b3dbe23;hb=refs/ heads/master>.

[ED25519-LIBGCRYPT-TEST-VECTORS]科赫,W.,“ED25519-LIBGCRYPT测试向量”,2014年7月<http://git.gnupg.org/cgi-bin/ gitweb.cgi?p=libgcrypt.git;a=水滴;f=试验/t-ed25519.inp;h=e13566f826321eece65e02c593bc7d885b3dbe23;hb=refs/heads/master>。

[ED25519-TEST-VECTORS] Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B. Yang, "Ed25519 test vectors", July 2011, <http://ed25519.cr.yp.to/python/sign.input>.

[ED25519-测试向量]Bernstein,D.,Duif,N.,Lange,T.,Schwabe,P.,和B.Yang,“ED25519测试向量”,2011年7月<http://ed25519.cr.yp.to/python/sign.input>.

[ED448] Hamburg, M., "Ed448-Goldilocks, a new elliptic curve", June 2015, <http://eprint.iacr.org/2015/625>.

[ED448]汉堡,M.,“ED448金发姑娘,一条新的椭圆曲线”,2015年6月<http://eprint.iacr.org/2015/625>.

[EDDSA] Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B. Yang, "High-speed high-security signatures", DOI 10.1007/978-3-642-23951-9_9, September 2011, <http://ed25519.cr.yp.to/ed25519-20110926.pdf>.

[EDDSA]Bernstein,D.,Duif,N.,Lange,T.,Schwabe,P.,和B.Yang,“高速高安全签名”,DOI 10.1007/978-3-642-23951-9,2011年9月<http://ed25519.cr.yp.to/ed25519-20110926.pdf>.

[EDDSA2] Bernstein, D., Josefsson, S., Lange, T., Schwabe, P., and B. Yang, "EdDSA for more curves", July 2015, <http://ed25519.cr.yp.to/eddsa-20150704.pdf>.

[EDDSA2]Bernstein,D.,Josefsson,S.,Lange,T.,Schwabe,P.,和B.Yang,“更多曲线的EdDSA”,2015年7月<http://ed25519.cr.yp.to/eddsa-20150704.pdf>.

[Edwards-revisited] Hisil, H., Wong, K., Carter, G., and E. Dawson, "Twisted Edwards Curves Revisited", DOI 10.1007/978-3-540-89255-7_20, December 2008, <http://eprint.iacr.org/2008/522>.

[爱德华兹重访]Hisil,H.,Wong,K.,Carter,G.,和E.Dawson,“重访扭曲的爱德华兹曲线”,内政部10.1007/978-3-540-89255-7僈,2008年12月<http://eprint.iacr.org/2008/522>.

[EFD-ADD] Bernstein, D. and T. Lange, "Projective coordinates for Edwards curves", The 'add-2007-bl' addition formulas, 2007, <http://www.hyperelliptic.org/EFD/g1p/ auto-edwards-projective.html#addition-add-2007-bl>.

[EFD-ADD]Bernstein,D.和T.Lange,“Edwards曲线的投影坐标”,'ADD-2007-bl'加法公式,2007<http://www.hyperelliptic.org/EFD/g1p/ auto-edwards projective.html#addition-add-2007-bl>。

[EFD-DBL] Bernstein, D. and T. Lange, "Projective coordinates for Edwards curves", The 'dbl-2007-bl' doubling formulas, 2007, <http://www.hyperelliptic.org/EFD/g1p/ auto-edwards-projective.html#doubling-dbl-2007-bl>.

[EFD-DBL]Bernstein,D.和T.Lange,“爱德华兹曲线的投影坐标”,'DBL-2007-bl'倍增公式,2007<http://www.hyperelliptic.org/EFD/g1p/ auto-edwards projective.html#double-dbl-2007-bl>。

[EFD-TWISTED-ADD] Hisil, H., Wong, K., Carter, G., and E. Dawson, "Extended coordinates with a=-1 for twisted Edwards curves", The 'add-2008-hwcd-3' addition formulas, December 2008, <http://www.hyperelliptic.org/EFD/g1p/ auto-twisted-extended-1.html#addition-add-2008-hwcd-3>.

[EFD-TWISTED-ADD]Hisil,H.,Wong,K.,Carter,G.,和E.Dawson,“扭曲爱德华兹曲线a=-1的扩展坐标”,'ADD-2008-hwcd-3'加法公式,2008年12月<http://www.hyperelliptic.org/EFD/g1p/ auto-twisted-extended-1.html#addition-add-2008-hwcd-3>。

[EFD-TWISTED-DBL] Hisil, H., Wong, K., Carter, G., and E. Dawson, "Extended coordinates with a=-1 for twisted Edwards curves", The 'dbl-2008-hwcd' doubling formulas, December 2008, <http://www.hyperelliptic.org/EFD/g1p/ auto-twisted-extended-1.html#doubling-dbl-2008-hwcd>.

[EFD-TWISTED-DBL]Hisil,H.,Wong,K.,Carter,G.,和E.Dawson,“扭曲爱德华兹曲线a=-1的扩展坐标”,DBL-2008-hwcd倍增公式,2008年12月<http://www.hyperelliptic.org/EFD/g1p/ auto-twisted-extended-1.html#double-dbl-2008-hwcd>。

[Faster-ECC] Bernstein, D. and T. Lange, "Faster addition and doubling on elliptic curves", DOI 10.1007/978-3-540-76900-2_3, July 2007, <http://eprint.iacr.org/2007/286>.

[Faster ECC]Bernstein,D.和T.Lange,“椭圆曲线上的快速加法和倍增”,DOI 10.1007/978-3-540-76900-2!3,2007年7月<http://eprint.iacr.org/2007/286>.

[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, DOI 10.17487/RFC4086, June 2005, <http://www.rfc-editor.org/info/rfc4086>.

[RFC4086]Eastlake 3rd,D.,Schiller,J.,和S.Crocker,“安全的随机性要求”,BCP 106,RFC 4086,DOI 10.17487/RFC4086,2005年6月<http://www.rfc-editor.org/info/rfc4086>.

Appendix A. Ed25519/Ed448 Python Library

附录A.Ed25519/Ed448 Python库

Below is an example implementation of Ed25519/Ed448 written in Python; version 3.2 or higher is required.

下面是用Python编写的Ed25519/Ed448的示例实现;需要3.2版或更高版本。

Note: This code is not intended for production. Although it should produce correct results for every input, it is slow and makes no attempt to avoid side-channel attacks.

注:此代码不适用于生产。虽然它应该为每个输入生成正确的结果,但速度很慢,并且不会试图避免侧通道攻击。

import hashlib;
import os;
        
import hashlib;
import os;
        
#Compute candidate square root of x modulo p, with p = 3 (mod 4).
def sqrt4k3(x,p): return pow(x,(p + 1)//4,p)
        
#Compute candidate square root of x modulo p, with p = 3 (mod 4).
def sqrt4k3(x,p): return pow(x,(p + 1)//4,p)
        
#Compute candidate square root of x modulo p, with p = 5 (mod 8).
def sqrt8k5(x,p):
    y = pow(x,(p+3)//8,p)
    #If the square root exists, it is either y or y*2^(p-1)/4.
    if (y * y) % p == x % p: return y
    else:
        z = pow(2,(p - 1)//4,p)
        return (y * z) % p
        
#Compute candidate square root of x modulo p, with p = 5 (mod 8).
def sqrt8k5(x,p):
    y = pow(x,(p+3)//8,p)
    #If the square root exists, it is either y or y*2^(p-1)/4.
    if (y * y) % p == x % p: return y
    else:
        z = pow(2,(p - 1)//4,p)
        return (y * z) % p
        
#Decode a hexadecimal string representation of the integer.
def hexi(s): return int.from_bytes(bytes.fromhex(s),byteorder="big")
        
#Decode a hexadecimal string representation of the integer.
def hexi(s): return int.from_bytes(bytes.fromhex(s),byteorder="big")
        
#Rotate a word x by b places to the left.
def rol(x,b): return ((x << b) | (x >> (64 - b))) & (2**64-1)
        
#Rotate a word x by b places to the left.
def rol(x,b): return ((x << b) | (x >> (64 - b))) & (2**64-1)
        
#From little endian.
def from_le(s): return int.from_bytes(s, byteorder="little")
        
#From little endian.
def from_le(s): return int.from_bytes(s, byteorder="little")
        
#Do the SHA-3 state transform on state s.
def sha3_transform(s):
    ROTATIONS = [0,1,62,28,27,36,44,6,55,20,3,10,43,25,39,41,45,15,\
                 21,8,18,2,61,56,14]
    PERMUTATION = [1,6,9,22,14,20,2,12,13,19,23,15,4,24,21,8,16,5,3,\
                   18,17,11,7,10]
    RC = [0x0000000000000001,0x0000000000008082,0x800000000000808a,\
          0x8000000080008000,0x000000000000808b,0x0000000080000001,\
          0x8000000080008081,0x8000000000008009,0x000000000000008a,\
          0x0000000000000088,0x0000000080008009,0x000000008000000a,\
          0x000000008000808b,0x800000000000008b,0x8000000000008089,\
          0x8000000000008003,0x8000000000008002,0x8000000000000080,\
          0x000000000000800a,0x800000008000000a,0x8000000080008081,\
          0x8000000000008080,0x0000000080000001,0x8000000080008008]
        
#Do the SHA-3 state transform on state s.
def sha3_transform(s):
    ROTATIONS = [0,1,62,28,27,36,44,6,55,20,3,10,43,25,39,41,45,15,\
                 21,8,18,2,61,56,14]
    PERMUTATION = [1,6,9,22,14,20,2,12,13,19,23,15,4,24,21,8,16,5,3,\
                   18,17,11,7,10]
    RC = [0x0000000000000001,0x0000000000008082,0x800000000000808a,\
          0x8000000080008000,0x000000000000808b,0x0000000080000001,\
          0x8000000080008081,0x8000000000008009,0x000000000000008a,\
          0x0000000000000088,0x0000000080008009,0x000000008000000a,\
          0x000000008000808b,0x800000000000008b,0x8000000000008089,\
          0x8000000000008003,0x8000000000008002,0x8000000000000080,\
          0x000000000000800a,0x800000008000000a,0x8000000080008081,\
          0x8000000000008080,0x0000000080000001,0x8000000080008008]
        
    for rnd in range(0,24):
        #AddColumnParity (Theta)
        c = [0]*5;
        d = [0]*5;
        for i in range(0,25): c[i%5]^=s[i]
        for i in range(0,5): d[i]=c[(i+4)%5]^rol(c[(i+1)%5],1)
        for i in range(0,25): s[i]^=d[i%5]
        #RotateWords (Rho)
        for i in range(0,25): s[i]=rol(s[i],ROTATIONS[i])
        #PermuteWords (Pi)
        t = s[PERMUTATION[0]]
        for i in range(0,len(PERMUTATION)-1):
            s[PERMUTATION[i]]=s[PERMUTATION[i+1]]
        s[PERMUTATION[-1]]=t;
        #NonlinearMixRows (Chi)
        for i in range(0,25,5):
            t=[s[i],s[i+1],s[i+2],s[i+3],s[i+4],s[i],s[i+1]]
            for j in range(0,5): s[i+j]=t[j]^((~t[j+1])&(t[j+2]))
        #AddRoundConstant (Iota)
        s[0]^=RC[rnd]
        
    for rnd in range(0,24):
        #AddColumnParity (Theta)
        c = [0]*5;
        d = [0]*5;
        for i in range(0,25): c[i%5]^=s[i]
        for i in range(0,5): d[i]=c[(i+4)%5]^rol(c[(i+1)%5],1)
        for i in range(0,25): s[i]^=d[i%5]
        #RotateWords (Rho)
        for i in range(0,25): s[i]=rol(s[i],ROTATIONS[i])
        #PermuteWords (Pi)
        t = s[PERMUTATION[0]]
        for i in range(0,len(PERMUTATION)-1):
            s[PERMUTATION[i]]=s[PERMUTATION[i+1]]
        s[PERMUTATION[-1]]=t;
        #NonlinearMixRows (Chi)
        for i in range(0,25,5):
            t=[s[i],s[i+1],s[i+2],s[i+3],s[i+4],s[i],s[i+1]]
            for j in range(0,5): s[i+j]=t[j]^((~t[j+1])&(t[j+2]))
        #AddRoundConstant (Iota)
        s[0]^=RC[rnd]
        
#Reinterpret octet array b to word array and XOR it to state s.
def reinterpret_to_words_and_xor(s,b):
    for j in range(0,len(b)//8):
        s[j]^=from_le(b[8*j:][:8])
        
#Reinterpret octet array b to word array and XOR it to state s.
def reinterpret_to_words_and_xor(s,b):
    for j in range(0,len(b)//8):
        s[j]^=from_le(b[8*j:][:8])
        
#Reinterpret word array w to octet array and return it.
def reinterpret_to_octets(w):
    mp=bytearray()
    for j in range(0,len(w)):
        mp+=w[j].to_bytes(8,byteorder="little")
    return mp
        
#Reinterpret word array w to octet array and return it.
def reinterpret_to_octets(w):
    mp=bytearray()
    for j in range(0,len(w)):
        mp+=w[j].to_bytes(8,byteorder="little")
    return mp
        
#(semi-)generic SHA-3 implementation
def sha3_raw(msg,r_w,o_p,e_b):
    r_b=8*r_w
    s=[0]*25
    #Handle whole blocks.
    idx=0
    blocks=len(msg)//r_b
    for i in range(0,blocks):
        reinterpret_to_words_and_xor(s,msg[idx:][:r_b])
        idx+=r_b
        sha3_transform(s)
    #Handle last block padding.
    m=bytearray(msg[idx:])
    m.append(o_p)
    while len(m) < r_b: m.append(0)
    m[len(m)-1]|=128
    #Handle padded last block.
    reinterpret_to_words_and_xor(s,m)
    sha3_transform(s)
    #Output.
    out = bytearray()
    while len(out)<e_b:
        out+=reinterpret_to_octets(s[:r_w])
        sha3_transform(s)
    return out[:e_b]
        
#(semi-)generic SHA-3 implementation
def sha3_raw(msg,r_w,o_p,e_b):
    r_b=8*r_w
    s=[0]*25
    #Handle whole blocks.
    idx=0
    blocks=len(msg)//r_b
    for i in range(0,blocks):
        reinterpret_to_words_and_xor(s,msg[idx:][:r_b])
        idx+=r_b
        sha3_transform(s)
    #Handle last block padding.
    m=bytearray(msg[idx:])
    m.append(o_p)
    while len(m) < r_b: m.append(0)
    m[len(m)-1]|=128
    #Handle padded last block.
    reinterpret_to_words_and_xor(s,m)
    sha3_transform(s)
    #Output.
    out = bytearray()
    while len(out)<e_b:
        out+=reinterpret_to_octets(s[:r_w])
        sha3_transform(s)
    return out[:e_b]
        
#Implementation of SHAKE256 functions.
def shake256(msg,olen): return sha3_raw(msg,17,31,olen)
        
#Implementation of SHAKE256 functions.
def shake256(msg,olen): return sha3_raw(msg,17,31,olen)
        
#A (prime) field element.
class Field:
    #Construct number x (mod p).
    def __init__(self,x,p):
        self.__x=x%p
        self.__p=p
    #Check that fields of self and y are the same.
    def __check_fields(self,y):
        if type(y) is not Field or self.__p!=y.__p:
            raise ValueError("Fields don't match")
    #Field addition.  The fields must match.
    def __add__(self,y):
        self.__check_fields(y)
        return Field(self.__x+y.__x,self.__p)
    #Field subtraction.  The fields must match.
    def __sub__(self,y):
        self.__check_fields(y)
        return Field(self.__p+self.__x-y.__x,self.__p)
    #Field negation.
    def __neg__(self):
        return Field(self.__p-self.__x,self.__p)
    #Field multiplication.  The fields must match.
    def __mul__(self,y):
        self.__check_fields(y)
        return Field(self.__x*y.__x,self.__p)
    #Field division.  The fields must match.
    def __truediv__(self,y):
        return self*y.inv()
    #Field inverse (inverse of 0 is 0).
    def inv(self):
        return Field(pow(self.__x,self.__p-2,self.__p),self.__p)
    #Field square root.  Returns none if square root does not exist.
    #Note: not presently implemented for p mod 8 = 1 case.
    def sqrt(self):
        #Compute candidate square root.
        if self.__p%4==3: y=sqrt4k3(self.__x,self.__p)
        elif self.__p%8==5: y=sqrt8k5(self.__x,self.__p)
        else: raise NotImplementedError("sqrt(_,8k+1)")
        _y=Field(y,self.__p);
        #Check square root candidate valid.
        return _y if _y*_y==self else None
    #Make the field element with the same field as this, but
    #with a different value.
    def make(self,ival): return Field(ival,self.__p)
    #Is the field element the additive identity?
    def iszero(self): return self.__x==0
    #Are field elements equal?
    def __eq__(self,y): return self.__x==y.__x and self.__p==y.__p
        
#A (prime) field element.
class Field:
    #Construct number x (mod p).
    def __init__(self,x,p):
        self.__x=x%p
        self.__p=p
    #Check that fields of self and y are the same.
    def __check_fields(self,y):
        if type(y) is not Field or self.__p!=y.__p:
            raise ValueError("Fields don't match")
    #Field addition.  The fields must match.
    def __add__(self,y):
        self.__check_fields(y)
        return Field(self.__x+y.__x,self.__p)
    #Field subtraction.  The fields must match.
    def __sub__(self,y):
        self.__check_fields(y)
        return Field(self.__p+self.__x-y.__x,self.__p)
    #Field negation.
    def __neg__(self):
        return Field(self.__p-self.__x,self.__p)
    #Field multiplication.  The fields must match.
    def __mul__(self,y):
        self.__check_fields(y)
        return Field(self.__x*y.__x,self.__p)
    #Field division.  The fields must match.
    def __truediv__(self,y):
        return self*y.inv()
    #Field inverse (inverse of 0 is 0).
    def inv(self):
        return Field(pow(self.__x,self.__p-2,self.__p),self.__p)
    #Field square root.  Returns none if square root does not exist.
    #Note: not presently implemented for p mod 8 = 1 case.
    def sqrt(self):
        #Compute candidate square root.
        if self.__p%4==3: y=sqrt4k3(self.__x,self.__p)
        elif self.__p%8==5: y=sqrt8k5(self.__x,self.__p)
        else: raise NotImplementedError("sqrt(_,8k+1)")
        _y=Field(y,self.__p);
        #Check square root candidate valid.
        return _y if _y*_y==self else None
    #Make the field element with the same field as this, but
    #with a different value.
    def make(self,ival): return Field(ival,self.__p)
    #Is the field element the additive identity?
    def iszero(self): return self.__x==0
    #Are field elements equal?
    def __eq__(self,y): return self.__x==y.__x and self.__p==y.__p
        
    #Are field elements not equal?
    def __ne__(self,y): return not (self==y)
    #Serialize number to b-1 bits.
    def tobytes(self,b):
        return self.__x.to_bytes(b//8,byteorder="little")
    #Unserialize number from bits.
    def frombytes(self,x,b):
        rv=from_le(x)%(2**(b-1))
        return Field(rv,self.__p) if rv<self.__p else None
    #Compute sign of number, 0 or 1.  The sign function
    #has the following property:
    #sign(x) = 1 - sign(-x) if x != 0.
    def sign(self): return self.__x%2
        
    #Are field elements not equal?
    def __ne__(self,y): return not (self==y)
    #Serialize number to b-1 bits.
    def tobytes(self,b):
        return self.__x.to_bytes(b//8,byteorder="little")
    #Unserialize number from bits.
    def frombytes(self,x,b):
        rv=from_le(x)%(2**(b-1))
        return Field(rv,self.__p) if rv<self.__p else None
    #Compute sign of number, 0 or 1.  The sign function
    #has the following property:
    #sign(x) = 1 - sign(-x) if x != 0.
    def sign(self): return self.__x%2
        
#A point on (twisted) Edwards curve.
class EdwardsPoint:
    #base_field = None
    #x = None
    #y = None
    #z = None
    def initpoint(self, x, y):
        self.x=x
        self.y=y
        self.z=self.base_field.make(1)
    def decode_base(self,s,b):
        #Check that point encoding is the correct length.
        if len(s)!=b//8: return (None,None)
        #Extract signbit.
        xs=s[(b-1)//8]>>((b-1)&7)
        #Decode y.  If this fails, fail.
        y = self.base_field.frombytes(s,b)
        if y is None: return (None,None)
        #Try to recover x.  If it does not exist, or if zero and xs
        #are wrong, fail.
        x=self.solve_x2(y).sqrt()
        if x is None or (x.iszero() and xs!=x.sign()):
            return (None,None)
        #If sign of x isn't correct, flip it.
        if x.sign()!=xs: x=-x
        # Return the constructed point.
        return (x,y)
    def encode_base(self,b):
        xp,yp=self.x/self.z,self.y/self.z
        #Encode y.
        s=bytearray(yp.tobytes(b))
        #Add sign bit of x to encoding.
        if xp.sign()!=0: s[(b-1)//8]|=1<<(b-1)%8
        return s
        
#A point on (twisted) Edwards curve.
class EdwardsPoint:
    #base_field = None
    #x = None
    #y = None
    #z = None
    def initpoint(self, x, y):
        self.x=x
        self.y=y
        self.z=self.base_field.make(1)
    def decode_base(self,s,b):
        #Check that point encoding is the correct length.
        if len(s)!=b//8: return (None,None)
        #Extract signbit.
        xs=s[(b-1)//8]>>((b-1)&7)
        #Decode y.  If this fails, fail.
        y = self.base_field.frombytes(s,b)
        if y is None: return (None,None)
        #Try to recover x.  If it does not exist, or if zero and xs
        #are wrong, fail.
        x=self.solve_x2(y).sqrt()
        if x is None or (x.iszero() and xs!=x.sign()):
            return (None,None)
        #If sign of x isn't correct, flip it.
        if x.sign()!=xs: x=-x
        # Return the constructed point.
        return (x,y)
    def encode_base(self,b):
        xp,yp=self.x/self.z,self.y/self.z
        #Encode y.
        s=bytearray(yp.tobytes(b))
        #Add sign bit of x to encoding.
        if xp.sign()!=0: s[(b-1)//8]|=1<<(b-1)%8
        return s
        
    def __mul__(self,x):
        r=self.zero_elem()
        s=self
        while x > 0:
            if (x%2)>0:
                r=r+s
            s=s.double()
            x=x//2
        return r
    #Check that two points are equal.
    def __eq__(self,y):
        #Need to check x1/z1 == x2/z2 and similarly for y, so cross
        #multiply to eliminate divisions.
        xn1=self.x*y.z
        xn2=y.x*self.z
        yn1=self.y*y.z
        yn2=y.y*self.z
        return xn1==xn2 and yn1==yn2
    #Check if two points are not equal.
    def __ne__(self,y): return not (self==y)
        
    def __mul__(self,x):
        r=self.zero_elem()
        s=self
        while x > 0:
            if (x%2)>0:
                r=r+s
            s=s.double()
            x=x//2
        return r
    #Check that two points are equal.
    def __eq__(self,y):
        #Need to check x1/z1 == x2/z2 and similarly for y, so cross
        #multiply to eliminate divisions.
        xn1=self.x*y.z
        xn2=y.x*self.z
        yn1=self.y*y.z
        yn2=y.y*self.z
        return xn1==xn2 and yn1==yn2
    #Check if two points are not equal.
    def __ne__(self,y): return not (self==y)
        
#A point on Edwards25519.
class Edwards25519Point(EdwardsPoint):
    #Create a new point on the curve.
    base_field=Field(1,2**255-19)
    d=-base_field.make(121665)/base_field.make(121666)
    f0=base_field.make(0)
    f1=base_field.make(1)
    xb=base_field.make(hexi("216936D3CD6E53FEC0A4E231FDD6DC5C692CC76"+\
        "09525A7B2C9562D608F25D51A"))
    yb=base_field.make(hexi("666666666666666666666666666666666666666"+\
        "6666666666666666666666658"))
    #The standard base point.
    @staticmethod
    def stdbase():
        return Edwards25519Point(Edwards25519Point.xb,\
            Edwards25519Point.yb)
    def __init__(self,x,y):
        #Check the point is actually on the curve.
        if y*y-x*x!=self.f1+self.d*x*x*y*y:
            raise ValueError("Invalid point")
        self.initpoint(x, y)
        self.t=x*y
    #Decode a point representation.
    def decode(self,s):
        x,y=self.decode_base(s,256);
        return Edwards25519Point(x, y) if x is not None else None
        
#A point on Edwards25519.
class Edwards25519Point(EdwardsPoint):
    #Create a new point on the curve.
    base_field=Field(1,2**255-19)
    d=-base_field.make(121665)/base_field.make(121666)
    f0=base_field.make(0)
    f1=base_field.make(1)
    xb=base_field.make(hexi("216936D3CD6E53FEC0A4E231FDD6DC5C692CC76"+\
        "09525A7B2C9562D608F25D51A"))
    yb=base_field.make(hexi("666666666666666666666666666666666666666"+\
        "6666666666666666666666658"))
    #The standard base point.
    @staticmethod
    def stdbase():
        return Edwards25519Point(Edwards25519Point.xb,\
            Edwards25519Point.yb)
    def __init__(self,x,y):
        #Check the point is actually on the curve.
        if y*y-x*x!=self.f1+self.d*x*x*y*y:
            raise ValueError("Invalid point")
        self.initpoint(x, y)
        self.t=x*y
    #Decode a point representation.
    def decode(self,s):
        x,y=self.decode_base(s,256);
        return Edwards25519Point(x, y) if x is not None else None
        
    #Encode a point representation.
    def encode(self):
        return self.encode_base(256)
    #Construct a neutral point on this curve.
    def zero_elem(self):
        return Edwards25519Point(self.f0,self.f1)
    #Solve for x^2.
    def solve_x2(self,y):
        return ((y*y-self.f1)/(self.d*y*y+self.f1))
    #Point addition.
    def __add__(self,y):
        #The formulas are from EFD.
        tmp=self.zero_elem()
        zcp=self.z*y.z
        A=(self.y-self.x)*(y.y-y.x)
        B=(self.y+self.x)*(y.y+y.x)
        C=(self.d+self.d)*self.t*y.t
        D=zcp+zcp
        E,H=B-A,B+A
        F,G=D-C,D+C
        tmp.x,tmp.y,tmp.z,tmp.t=E*F,G*H,F*G,E*H
        return tmp
    #Point doubling.
    def double(self):
        #The formulas are from EFD (with assumption a=-1 propagated).
        tmp=self.zero_elem()
        A=self.x*self.x
        B=self.y*self.y
        Ch=self.z*self.z
        C=Ch+Ch
        H=A+B
        xys=self.x+self.y
        E=H-xys*xys
        G=A-B
        F=C+G
        tmp.x,tmp.y,tmp.z,tmp.t=E*F,G*H,F*G,E*H
        return tmp
    #Order of basepoint.
    def l(self):
        return hexi("1000000000000000000000000000000014def9dea2f79cd"+\
            "65812631a5cf5d3ed")
    #The logarithm of cofactor.
    def c(self): return 3
    #The highest set bit
    def n(self): return 254
    #The coding length
    def b(self): return 256
        
    #Encode a point representation.
    def encode(self):
        return self.encode_base(256)
    #Construct a neutral point on this curve.
    def zero_elem(self):
        return Edwards25519Point(self.f0,self.f1)
    #Solve for x^2.
    def solve_x2(self,y):
        return ((y*y-self.f1)/(self.d*y*y+self.f1))
    #Point addition.
    def __add__(self,y):
        #The formulas are from EFD.
        tmp=self.zero_elem()
        zcp=self.z*y.z
        A=(self.y-self.x)*(y.y-y.x)
        B=(self.y+self.x)*(y.y+y.x)
        C=(self.d+self.d)*self.t*y.t
        D=zcp+zcp
        E,H=B-A,B+A
        F,G=D-C,D+C
        tmp.x,tmp.y,tmp.z,tmp.t=E*F,G*H,F*G,E*H
        return tmp
    #Point doubling.
    def double(self):
        #The formulas are from EFD (with assumption a=-1 propagated).
        tmp=self.zero_elem()
        A=self.x*self.x
        B=self.y*self.y
        Ch=self.z*self.z
        C=Ch+Ch
        H=A+B
        xys=self.x+self.y
        E=H-xys*xys
        G=A-B
        F=C+G
        tmp.x,tmp.y,tmp.z,tmp.t=E*F,G*H,F*G,E*H
        return tmp
    #Order of basepoint.
    def l(self):
        return hexi("1000000000000000000000000000000014def9dea2f79cd"+\
            "65812631a5cf5d3ed")
    #The logarithm of cofactor.
    def c(self): return 3
    #The highest set bit
    def n(self): return 254
    #The coding length
    def b(self): return 256
        
    #Validity check (for debugging)
    def is_valid_point(self):
        x,y,z,t=self.x,self.y,self.z,self.t
        x2=x*x
        y2=y*y
        z2=z*z
        lhs=(y2-x2)*z2
        rhs=z2*z2+self.d*x2*y2
        assert(lhs == rhs)
        assert(t*z == x*y)
        
    #Validity check (for debugging)
    def is_valid_point(self):
        x,y,z,t=self.x,self.y,self.z,self.t
        x2=x*x
        y2=y*y
        z2=z*z
        lhs=(y2-x2)*z2
        rhs=z2*z2+self.d*x2*y2
        assert(lhs == rhs)
        assert(t*z == x*y)
        
#A point on Edwards448.
class Edwards448Point(EdwardsPoint):
    #Create a new point on the curve.
    base_field=Field(1,2**448-2**224-1)
    d=base_field.make(-39081)
    f0=base_field.make(0)
    f1=base_field.make(1)
    xb=base_field.make(hexi("4F1970C66BED0DED221D15A622BF36DA9E14657"+\
        "0470F1767EA6DE324A3D3A46412AE1AF72AB66511433B80E18B00938E26"+\
        "26A82BC70CC05E"))
    yb=base_field.make(hexi("693F46716EB6BC248876203756C9C7624BEA737"+\
        "36CA3984087789C1E05A0C2D73AD3FF1CE67C39C4FDBD132C4ED7C8AD98"+\
        "08795BF230FA14"))
    #The standard base point.
    @staticmethod
    def stdbase():
        return Edwards448Point(Edwards448Point.xb,Edwards448Point.yb)
    def __init__(self,x,y):
        #Check that the point is actually on the curve.
        if y*y+x*x!=self.f1+self.d*x*x*y*y:
            raise ValueError("Invalid point")
        self.initpoint(x, y)
    #Decode a point representation.
    def decode(self,s):
        x,y=self.decode_base(s,456);
        return Edwards448Point(x, y) if x is not None else None
    #Encode a point representation.
    def encode(self):
        return self.encode_base(456)
    #Construct a neutral point on this curve.
    def zero_elem(self):
        return Edwards448Point(self.f0,self.f1)
    #Solve for x^2.
    def solve_x2(self,y):
        return ((y*y-self.f1)/(self.d*y*y-self.f1))
        
#A point on Edwards448.
class Edwards448Point(EdwardsPoint):
    #Create a new point on the curve.
    base_field=Field(1,2**448-2**224-1)
    d=base_field.make(-39081)
    f0=base_field.make(0)
    f1=base_field.make(1)
    xb=base_field.make(hexi("4F1970C66BED0DED221D15A622BF36DA9E14657"+\
        "0470F1767EA6DE324A3D3A46412AE1AF72AB66511433B80E18B00938E26"+\
        "26A82BC70CC05E"))
    yb=base_field.make(hexi("693F46716EB6BC248876203756C9C7624BEA737"+\
        "36CA3984087789C1E05A0C2D73AD3FF1CE67C39C4FDBD132C4ED7C8AD98"+\
        "08795BF230FA14"))
    #The standard base point.
    @staticmethod
    def stdbase():
        return Edwards448Point(Edwards448Point.xb,Edwards448Point.yb)
    def __init__(self,x,y):
        #Check that the point is actually on the curve.
        if y*y+x*x!=self.f1+self.d*x*x*y*y:
            raise ValueError("Invalid point")
        self.initpoint(x, y)
    #Decode a point representation.
    def decode(self,s):
        x,y=self.decode_base(s,456);
        return Edwards448Point(x, y) if x is not None else None
    #Encode a point representation.
    def encode(self):
        return self.encode_base(456)
    #Construct a neutral point on this curve.
    def zero_elem(self):
        return Edwards448Point(self.f0,self.f1)
    #Solve for x^2.
    def solve_x2(self,y):
        return ((y*y-self.f1)/(self.d*y*y-self.f1))
        
    #Point addition.
    def __add__(self,y):
        #The formulas are from EFD.
        tmp=self.zero_elem()
        xcp,ycp,zcp=self.x*y.x,self.y*y.y,self.z*y.z
        B=zcp*zcp
        E=self.d*xcp*ycp
        F,G=B-E,B+E
        tmp.x=zcp*F*((self.x+self.y)*(y.x+y.y)-xcp-ycp)
        tmp.y,tmp.z=zcp*G*(ycp-xcp),F*G
        return tmp
    #Point doubling.
    def double(self):
        #The formulas are from EFD.
        tmp=self.zero_elem()
        x1s,y1s,z1s=self.x*self.x,self.y*self.y,self.z*self.z
        xys=self.x+self.y
        F=x1s+y1s
        J=F-(z1s+z1s)
        tmp.x,tmp.y,tmp.z=(xys*xys-x1s-y1s)*J,F*(x1s-y1s),F*J
        return tmp
    #Order of basepoint.
    def l(self):
        return hexi("3ffffffffffffffffffffffffffffffffffffffffffffff"+\
            "fffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c2"+\
            "92ab5844f3")
    #The logarithm of cofactor.
    def c(self): return 2
    #The highest set bit.
    def n(self): return 447
    #The coding length.
    def b(self): return 456
    #Validity check (for debugging).
    def is_valid_point(self):
        x,y,z=self.x,self.y,self.z
        x2=x*x
        y2=y*y
        z2=z*z
        lhs=(x2+y2)*z2
        rhs=z2*z2+self.d*x2*y2
        assert(lhs == rhs)
        
    #Point addition.
    def __add__(self,y):
        #The formulas are from EFD.
        tmp=self.zero_elem()
        xcp,ycp,zcp=self.x*y.x,self.y*y.y,self.z*y.z
        B=zcp*zcp
        E=self.d*xcp*ycp
        F,G=B-E,B+E
        tmp.x=zcp*F*((self.x+self.y)*(y.x+y.y)-xcp-ycp)
        tmp.y,tmp.z=zcp*G*(ycp-xcp),F*G
        return tmp
    #Point doubling.
    def double(self):
        #The formulas are from EFD.
        tmp=self.zero_elem()
        x1s,y1s,z1s=self.x*self.x,self.y*self.y,self.z*self.z
        xys=self.x+self.y
        F=x1s+y1s
        J=F-(z1s+z1s)
        tmp.x,tmp.y,tmp.z=(xys*xys-x1s-y1s)*J,F*(x1s-y1s),F*J
        return tmp
    #Order of basepoint.
    def l(self):
        return hexi("3ffffffffffffffffffffffffffffffffffffffffffffff"+\
            "fffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c2"+\
            "92ab5844f3")
    #The logarithm of cofactor.
    def c(self): return 2
    #The highest set bit.
    def n(self): return 447
    #The coding length.
    def b(self): return 456
    #Validity check (for debugging).
    def is_valid_point(self):
        x,y,z=self.x,self.y,self.z
        x2=x*x
        y2=y*y
        z2=z*z
        lhs=(x2+y2)*z2
        rhs=z2*z2+self.d*x2*y2
        assert(lhs == rhs)
        
#Simple self-check.
def curve_self_check(point):
    p=point
    q=point.zero_elem()
    z=q
    l=p.l()+1
    p.is_valid_point()
    q.is_valid_point()
    for i in range(0,point.b()):
        if (l>>i)&1 != 0:
            q=q+p
            q.is_valid_point()
        p=p.double()
        p.is_valid_point()
    assert q.encode() == point.encode()
    assert q.encode() != p.encode()
    assert q.encode() != z.encode()
        
#Simple self-check.
def curve_self_check(point):
    p=point
    q=point.zero_elem()
    z=q
    l=p.l()+1
    p.is_valid_point()
    q.is_valid_point()
    for i in range(0,point.b()):
        if (l>>i)&1 != 0:
            q=q+p
            q.is_valid_point()
        p=p.double()
        p.is_valid_point()
    assert q.encode() == point.encode()
    assert q.encode() != p.encode()
    assert q.encode() != z.encode()
        
#Simple self-check.
def self_check_curves():
    curve_self_check(Edwards25519Point.stdbase())
    curve_self_check(Edwards448Point.stdbase())
        
#Simple self-check.
def self_check_curves():
    curve_self_check(Edwards25519Point.stdbase())
    curve_self_check(Edwards448Point.stdbase())
        
#PureEdDSA scheme.
#Limitation: only b mod 8 = 0 is handled.
class PureEdDSA:
    #Create a new object.
    def __init__(self,properties):
        self.B=properties["B"]
        self.H=properties["H"]
        self.l=self.B.l()
        self.n=self.B.n()
        self.b=self.B.b()
        self.c=self.B.c()
    #Clamp a private scalar.
    def __clamp(self,a):
        _a = bytearray(a)
        for i in range(0,self.c): _a[i//8]&=~(1<<(i%8))
        _a[self.n//8]|=1<<(self.n%8)
        for i in range(self.n+1,self.b): _a[i//8]&=~(1<<(i%8))
        return _a
    #Generate a key.  If privkey is None, a random one is generated.
    #In any case, the (privkey, pubkey) pair is returned.
    def keygen(self,privkey):
        #If no private key data is given, generate random.
        if privkey is None: privkey=os.urandom(self.b//8)
        
#PureEdDSA scheme.
#Limitation: only b mod 8 = 0 is handled.
class PureEdDSA:
    #Create a new object.
    def __init__(self,properties):
        self.B=properties["B"]
        self.H=properties["H"]
        self.l=self.B.l()
        self.n=self.B.n()
        self.b=self.B.b()
        self.c=self.B.c()
    #Clamp a private scalar.
    def __clamp(self,a):
        _a = bytearray(a)
        for i in range(0,self.c): _a[i//8]&=~(1<<(i%8))
        _a[self.n//8]|=1<<(self.n%8)
        for i in range(self.n+1,self.b): _a[i//8]&=~(1<<(i%8))
        return _a
    #Generate a key.  If privkey is None, a random one is generated.
    #In any case, the (privkey, pubkey) pair is returned.
    def keygen(self,privkey):
        #If no private key data is given, generate random.
        if privkey is None: privkey=os.urandom(self.b//8)
        
        #Expand key.
        khash=self.H(privkey,None,None)
        a=from_le(self.__clamp(khash[:self.b//8]))
        #Return the key pair (public key is A=Enc(aB).
        return privkey,(self.B*a).encode()
    #Sign with key pair.
    def sign(self,privkey,pubkey,msg,ctx,hflag):
        #Expand key.
        khash=self.H(privkey,None,None)
        a=from_le(self.__clamp(khash[:self.b//8]))
        seed=khash[self.b//8:]
        #Calculate r and R (R only used in encoded form).
        r=from_le(self.H(seed+msg,ctx,hflag))%self.l
        R=(self.B*r).encode()
        #Calculate h.
        h=from_le(self.H(R+pubkey+msg,ctx,hflag))%self.l
        #Calculate s.
        S=((r+h*a)%self.l).to_bytes(self.b//8,byteorder="little")
        #The final signature is a concatenation of R and S.
        return R+S
    #Verify signature with public key.
    def verify(self,pubkey,msg,sig,ctx,hflag):
        #Sanity-check sizes.
        if len(sig)!=self.b//4: return False
        if len(pubkey)!=self.b//8: return False
        #Split signature into R and S, and parse.
        Rraw,Sraw=sig[:self.b//8],sig[self.b//8:]
        R,S=self.B.decode(Rraw),from_le(Sraw)
        #Parse public key.
        A=self.B.decode(pubkey)
        #Check parse results.
        if (R is None) or (A is None) or S>=self.l: return False
        #Calculate h.
        h=from_le(self.H(Rraw+pubkey+msg,ctx,hflag))%self.l
        #Calculate left and right sides of check eq.
        rhs=R+(A*h)
        lhs=self.B*S
        for i in range(0, self.c):
            lhs = lhs.double()
            rhs = rhs.double()
        #Check eq. holds?
        return lhs==rhs
        
        #Expand key.
        khash=self.H(privkey,None,None)
        a=from_le(self.__clamp(khash[:self.b//8]))
        #Return the key pair (public key is A=Enc(aB).
        return privkey,(self.B*a).encode()
    #Sign with key pair.
    def sign(self,privkey,pubkey,msg,ctx,hflag):
        #Expand key.
        khash=self.H(privkey,None,None)
        a=from_le(self.__clamp(khash[:self.b//8]))
        seed=khash[self.b//8:]
        #Calculate r and R (R only used in encoded form).
        r=from_le(self.H(seed+msg,ctx,hflag))%self.l
        R=(self.B*r).encode()
        #Calculate h.
        h=from_le(self.H(R+pubkey+msg,ctx,hflag))%self.l
        #Calculate s.
        S=((r+h*a)%self.l).to_bytes(self.b//8,byteorder="little")
        #The final signature is a concatenation of R and S.
        return R+S
    #Verify signature with public key.
    def verify(self,pubkey,msg,sig,ctx,hflag):
        #Sanity-check sizes.
        if len(sig)!=self.b//4: return False
        if len(pubkey)!=self.b//8: return False
        #Split signature into R and S, and parse.
        Rraw,Sraw=sig[:self.b//8],sig[self.b//8:]
        R,S=self.B.decode(Rraw),from_le(Sraw)
        #Parse public key.
        A=self.B.decode(pubkey)
        #Check parse results.
        if (R is None) or (A is None) or S>=self.l: return False
        #Calculate h.
        h=from_le(self.H(Rraw+pubkey+msg,ctx,hflag))%self.l
        #Calculate left and right sides of check eq.
        rhs=R+(A*h)
        lhs=self.B*S
        for i in range(0, self.c):
            lhs = lhs.double()
            rhs = rhs.double()
        #Check eq. holds?
        return lhs==rhs
        
def Ed25519_inthash(data,ctx,hflag):
    if (ctx is not None and len(ctx) > 0) or hflag:
        raise ValueError("Contexts/hashes not supported")
    return hashlib.sha512(data).digest()
        
def Ed25519_inthash(data,ctx,hflag):
    if (ctx is not None and len(ctx) > 0) or hflag:
        raise ValueError("Contexts/hashes not supported")
    return hashlib.sha512(data).digest()
        
#The base PureEdDSA schemes.
pEd25519=PureEdDSA({\
    "B":Edwards25519Point.stdbase(),\
    "H":Ed25519_inthash\
})
        
#The base PureEdDSA schemes.
pEd25519=PureEdDSA({\
    "B":Edwards25519Point.stdbase(),\
    "H":Ed25519_inthash\
})
        
def Ed25519ctx_inthash(data,ctx,hflag):
    dompfx = b""
    PREFIX=b"SigEd25519 no Ed25519 collisions"
    if ctx is not None:
        if len(ctx) > 255: raise ValueError("Context too big")
        dompfx=PREFIX+bytes([1 if hflag else 0,len(ctx)])+ctx
    return hashlib.sha512(dompfx+data).digest()
        
def Ed25519ctx_inthash(data,ctx,hflag):
    dompfx = b""
    PREFIX=b"SigEd25519 no Ed25519 collisions"
    if ctx is not None:
        if len(ctx) > 255: raise ValueError("Context too big")
        dompfx=PREFIX+bytes([1 if hflag else 0,len(ctx)])+ctx
    return hashlib.sha512(dompfx+data).digest()
        
pEd25519ctx=PureEdDSA({\
    "B":Edwards25519Point.stdbase(),\
    "H":Ed25519ctx_inthash\
})
        
pEd25519ctx=PureEdDSA({\
    "B":Edwards25519Point.stdbase(),\
    "H":Ed25519ctx_inthash\
})
        
def Ed448_inthash(data,ctx,hflag):
    dompfx = b""
    if ctx is not None:
        if len(ctx) > 255: raise ValueError("Context too big")
        dompfx=b"SigEd448"+bytes([1 if hflag else 0,len(ctx)])+ctx
    return shake256(dompfx+data,114)
        
def Ed448_inthash(data,ctx,hflag):
    dompfx = b""
    if ctx is not None:
        if len(ctx) > 255: raise ValueError("Context too big")
        dompfx=b"SigEd448"+bytes([1 if hflag else 0,len(ctx)])+ctx
    return shake256(dompfx+data,114)
        
pEd448 = PureEdDSA({\
    "B":Edwards448Point.stdbase(),\
    "H":Ed448_inthash\
})
        
pEd448 = PureEdDSA({\
    "B":Edwards448Point.stdbase(),\
    "H":Ed448_inthash\
})
        
#EdDSA scheme.
class EdDSA:
    #Create a new scheme object, with the specified PureEdDSA base
    #scheme and specified prehash.
    def __init__(self,pure_scheme,prehash):
        self.__pflag = True
        self.__pure=pure_scheme
        self.__prehash=prehash
        if self.__prehash is None:
            self.__prehash = lambda x,y:x
            self.__pflag = False
    # Generate a key.  If privkey is none, it generates a random
    # privkey key, otherwise it uses a specified private key.
    # Returns pair (privkey, pubkey).
    def keygen(self,privkey): return self.__pure.keygen(privkey)
        
#EdDSA scheme.
class EdDSA:
    #Create a new scheme object, with the specified PureEdDSA base
    #scheme and specified prehash.
    def __init__(self,pure_scheme,prehash):
        self.__pflag = True
        self.__pure=pure_scheme
        self.__prehash=prehash
        if self.__prehash is None:
            self.__prehash = lambda x,y:x
            self.__pflag = False
    # Generate a key.  If privkey is none, it generates a random
    # privkey key, otherwise it uses a specified private key.
    # Returns pair (privkey, pubkey).
    def keygen(self,privkey): return self.__pure.keygen(privkey)
        
    # Sign message msg using specified key pair.
    def sign(self,privkey,pubkey,msg,ctx=None):
        if ctx is None: ctx=b"";
        return self.__pure.sign(privkey,pubkey,self.__prehash(msg,ctx),\
            ctx,self.__pflag)
    # Verify signature sig on message msg using public key pubkey.
    def verify(self,pubkey,msg,sig,ctx=None):
        if ctx is None: ctx=b"";
        return self.__pure.verify(pubkey,self.__prehash(msg,ctx),sig,\
            ctx,self.__pflag)
        
    # Sign message msg using specified key pair.
    def sign(self,privkey,pubkey,msg,ctx=None):
        if ctx is None: ctx=b"";
        return self.__pure.sign(privkey,pubkey,self.__prehash(msg,ctx),\
            ctx,self.__pflag)
    # Verify signature sig on message msg using public key pubkey.
    def verify(self,pubkey,msg,sig,ctx=None):
        if ctx is None: ctx=b"";
        return self.__pure.verify(pubkey,self.__prehash(msg,ctx),sig,\
            ctx,self.__pflag)
        

def Ed448ph_prehash(data,ctx): return shake256(data,64)

def Ed448ph_预灰分(数据,ctx):返回数据256(数据,64)

#Our signature schemes.
Ed25519 = EdDSA(pEd25519,None)
Ed25519ctx = EdDSA(pEd25519ctx,None)
Ed25519ph = EdDSA(pEd25519ctx,lambda x,y:hashlib.sha512(x).digest())
Ed448 = EdDSA(pEd448,None)
Ed448ph = EdDSA(pEd448,Ed448ph_prehash)
        
#Our signature schemes.
Ed25519 = EdDSA(pEd25519,None)
Ed25519ctx = EdDSA(pEd25519ctx,None)
Ed25519ph = EdDSA(pEd25519ctx,lambda x,y:hashlib.sha512(x).digest())
Ed448 = EdDSA(pEd448,None)
Ed448ph = EdDSA(pEd448,Ed448ph_prehash)
        
def eddsa_obj(name):
    if name == "Ed25519": return Ed25519
    if name == "Ed25519ctx": return Ed25519ctx
    if name == "Ed25519ph": return Ed25519ph
    if name == "Ed448": return Ed448
    if name == "Ed448ph": return Ed448ph
    raise NotImplementedError("Algorithm not implemented")
        
def eddsa_obj(name):
    if name == "Ed25519": return Ed25519
    if name == "Ed25519ctx": return Ed25519ctx
    if name == "Ed25519ph": return Ed25519ph
    if name == "Ed448": return Ed448
    if name == "Ed448ph": return Ed448ph
    raise NotImplementedError("Algorithm not implemented")
        
Appendix B. Library Driver
附录B.库驱动程序

Below is a command-line tool that uses the library above to perform computations for interactive use or for self-checking.

下面是一个命令行工具,它使用上面的库来执行交互使用或自检的计算。

import sys import binascii

导入系统导入binascii

from eddsa2 import Ed25519

从eddsa2导入Ed25519

def munge_string(s, pos, change):
    return (s[:pos] +
            int.to_bytes(s[pos] ^ change, 1, "little") +
            s[pos+1:])
        
def munge_string(s, pos, change):
    return (s[:pos] +
            int.to_bytes(s[pos] ^ change, 1, "little") +
            s[pos+1:])
        
# Read a file in the format of
# http://ed25519.cr.yp.to/python/sign.input
lineno = 0
while True:
    line = sys.stdin.readline()
    if not line:
        break
    lineno = lineno + 1
    print(lineno)
    fields = line.split(":")
    secret = (binascii.unhexlify(fields[0]))[:32]
    public = binascii.unhexlify(fields[1])
    msg = binascii.unhexlify(fields[2])
    signature = binascii.unhexlify(fields[3])[:64]
        
# Read a file in the format of
# http://ed25519.cr.yp.to/python/sign.input
lineno = 0
while True:
    line = sys.stdin.readline()
    if not line:
        break
    lineno = lineno + 1
    print(lineno)
    fields = line.split(":")
    secret = (binascii.unhexlify(fields[0]))[:32]
    public = binascii.unhexlify(fields[1])
    msg = binascii.unhexlify(fields[2])
    signature = binascii.unhexlify(fields[3])[:64]
        
    privkey,pubkey = Ed25519.keygen(secret)
    assert public == pubkey
    assert signature == Ed25519.sign(privkey, pubkey, msg)
    assert Ed25519.verify(public, msg, signature)
    if len(msg) == 0:
        bad_msg = b"x"
    else:
        bad_msg = munge_string(msg, len(msg) // 3, 4)
    assert not Ed25519.verify(public,bad_msg,signature)
    assert not Ed25519.verify(public, msg, munge_string(signature,20,8))
    assert not Ed25519.verify(public,msg,munge_string(signature,40,16))
        
    privkey,pubkey = Ed25519.keygen(secret)
    assert public == pubkey
    assert signature == Ed25519.sign(privkey, pubkey, msg)
    assert Ed25519.verify(public, msg, signature)
    if len(msg) == 0:
        bad_msg = b"x"
    else:
        bad_msg = munge_string(msg, len(msg) // 3, 4)
    assert not Ed25519.verify(public,bad_msg,signature)
    assert not Ed25519.verify(public, msg, munge_string(signature,20,8))
    assert not Ed25519.verify(public,msg,munge_string(signature,40,16))
        

Acknowledgements

致谢

EdDSA and Ed25519 were initially described in a paper due to Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. The Ed448 curve is due to Mike Hamburg.

EdDSA和Ed25519最初是由Daniel J.Bernstein、Niels Duif、Tanja Lange、Peter Schwabe和Bo Yin Yang撰写的一篇论文中描述的。Ed448曲线是由Mike Hamburg造成的。

An earlier draft version of this document was coauthored by Niels Moeller.

本文件的早期草稿由Niels Moeller共同撰写。

Feedback on this document was received from Werner Koch, Damien Miller, Bob Bradley, Franck Rondepierre, Alexey Melnikov, Kenny Paterson, and Robert Edmonds.

沃纳·科赫、达米恩·米勒、鲍勃·布拉德利、弗朗克·隆德皮尔、亚历克赛·梅尔尼科夫、肯尼·帕特森和罗伯特·埃德蒙兹对本文件提出了反馈意见。

The Ed25519 test vectors were double checked by Bob Bradley using three separate implementations (one based on TweetNaCl and two different implementations based on code from SUPERCOP).

Bob Bradley使用三种不同的实现(一种基于TweetNaCl,两种基于SUPERCOP代码的不同实现)对Ed25519测试向量进行了双重检查。

Authors' Addresses

作者地址

Simon Josefsson SJD AB

西蒙·约瑟夫森SJD AB

   Email: simon@josefsson.org
   URI:   http://josefsson.org/
        
   Email: simon@josefsson.org
   URI:   http://josefsson.org/
        

Ilari Liusvaara Independent

Ilari Liusvaara独立报

   Email: ilariliusvaara@welho.com
        
   Email: ilariliusvaara@welho.com