nisse@lysator.liu.se (Niels Möller) writes:
It's not obvious how much to cache in struct ed25519_public_key.
[...]
So maybe one could have the following simpler ed25519 interface, representing all keys as strings of ED25519_KEY_SIZE octets:
void ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv);
void ed25519_sha512_sign (const uint8_t *priv, const uint8_t *pub, size_t length, const uint8_t *msg, uint8_t *signature);
int ed25519_sha512_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature);
That the public key is an input to ed25519_sha512_sign means that it needs only a single scalar multiplication, and it's up to the caller to compute and possibly cache the needed public key. One could even allow pub to be NULL, and in that case recompute it (which makes the signing take twice the time).
Any comments or opinions on the eddsa interface? I'd like to come to some conclusion fairly soon.
Regards, /Niels