# Signatures: Ed25519

HACL* implements the Edwards-Curve Digital Signature Algorithm (EdDSA)
construction for the Ed25519 elliptic curve as specified in IETF RFC 8032.
The API for this signature algorithm is in `Hacl_Ed25519.h`.

## Key Generation

Any 32-byte array can be used as an Ed25519 private key. In practice, private keys should be generated using a cryptographically strong pseudo-random number generator (CSPRNG). In some cases, the private key may be derived as the result of a key derivation function such as HKDF.
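As an added example (not part of the HACL* documentation or code base), the following shows one way to fill the 32-byte private key from the kernel CSPRNG while handling short reads and failures. It assumes Linux with `getrandom()` available; the helper names `ed25519_generate_private_key` and `wipe` are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/random.h>   /* getrandom(): assumed platform is Linux/glibc */
#include <sys/types.h>

#define ED25519_PRIV_LEN 32u  /* private key size stated on this page */

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(uint8_t *buf, size_t len) {
    volatile uint8_t *p = buf;
    while (len--) *p++ = 0;
}

/* Hypothetical helper: fill priv with 32 bytes from the kernel CSPRNG.
 * Returns 0 on success, -1 on failure (priv is zeroed on failure). */
int ed25519_generate_private_key(uint8_t priv[ED25519_PRIV_LEN]) {
    size_t got = 0;
    while (got < ED25519_PRIV_LEN) {
        ssize_t n = getrandom(priv + got, ED25519_PRIV_LEN - got, 0);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted: retry */
            wipe(priv, ED25519_PRIV_LEN);   /* never return a partial key */
            return -1;
        }
        got += (size_t)n;                   /* accumulate short reads */
    }
    return 0;
}

int main(void) {
    uint8_t priv[ED25519_PRIV_LEN];
    if (ed25519_generate_private_key(priv) != 0) {
        fprintf(stderr, "CSPRNG failure, no key generated\n");
        return 1;
    }
    /* priv can now be passed to Hacl_Ed25519_secret_to_public(pub, priv). */
    wipe(priv, sizeof priv);                /* clear the secret when done */
    puts("private key generated");
    return 0;
}
```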

Given a private key, the corresponding public key can be computed
using the `secret_to_public` function:

```
void Hacl_Ed25519_secret_to_public(uint8_t *pub, uint8_t *priv);
```

The first argument is a pointer to the output public key `pub` (64 bytes);
the second argument is a pointer to the input private key `priv` (32 bytes).

## EdDSA Signing

The signature operation is implemented by the following function:

```
void Hacl_Ed25519_sign(uint8_t *signature, uint8_t *priv, uint32_t len, uint8_t *msg);
```

The first argument is a pointer to the output signature `signature`;
the second argument is the private key of the signer `priv`;
the third argument is the length `len` of the message to be signed `msg`.
The size of `signature` must be (at least) 64 bytes; the size of the private
key is 32 bytes.

## EdDSA Verify

To verify an Ed25519 signature, one may call the following function:

```
bool Hacl_Ed25519_verify(uint8_t *pub, uint32_t len, uint8_t *msg, uint8_t *signature);
```

The first argument is a pointer to the public key `pub` (64 bytes);
the second argument is the length `len` of the signed message `msg`;
the last argument is the input signature `signature`.
If the signature verification succeeds, the function returns the boolean `true`;
otherwise it returns `false`.

## EdDSA Sign Expanded

In situations where a signer needs to sign many times with the same
signing key, a part of the signature computation can be shared
between these invocations for efficiency. The caller first calls
`Hacl_Ed25519_expand_keys` to compute an expanded signing key `ks`,
and can then use `ks` to call `Hacl_Ed25519_sign_expanded` multiple
times with different arguments.

```
void Hacl_Ed25519_expand_keys(uint8_t *ks, uint8_t *priv);
```

```
void Hacl_Ed25519_sign_expanded(uint8_t *signature, uint8_t *ks, uint32_t len, uint8_t *msg);
```

## Other Signature Algorithms: ECDSA with P-256

A development branch includes a verified implementation of ECDSA signatures with the P-256 elliptic curve, which has not yet been merged to master. Contact the HACL* maintainers if you wish to use this code.