On Wed, 2015-03-11 at 21:08 +0100, Niels Möller wrote:
void ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv);
void ed25519_sha512_sign (const uint8_t *priv, const uint8_t *pub, size_t length, const uint8_t *msg, uint8_t *signature);
int ed25519_sha512_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature);
That the public key is an input to ed25519_sha512_sign means that it needs only a single scalar multiplication, and it's up to the caller to compute and possibly cache the needed public key. One could even allow pub to be NULL, and in that case recompute it (which makes the signing take twice the time).
Any comments or opinions on the eddsa interface? I'd like to come to some conclusion fairly soon.
None from me. As it is now this algorithm has no real world usage (non standardized), so I cannot say whether this API is good or not. It looks reasonable, but unless we have any standard using it's purely theoretical. I'd say go for it, and if needed later we add another API.
regards, Nikos