Module eddsa

EdDSA digital signatures (RFC 8032).

§Algorithms

  • Ed25519 — Edwards curve over GF(2^255 - 19) (pure + Ed25519ctx + Ed25519ph).
  • Ed448 — planned (RFC 8032 Appendix A port pending).

This module implements Fe25519 field arithmetic, extended-coordinate point operations on the twisted Edwards form, and the full sign / verify protocol for Ed25519.

§Side-channel posture

Per arcana/doc/sca/countermeasures/eddsa.rst:

| Threat | Status | Roadmap item |
|---|---|---|
| SPA on scalar mul | partial | T1-F — audit pass mirroring Weierstrass commit 76191c1 |
| DPA on scalar mul | vulnerable | T2-A (Z-rerandomization, shared with Weierstrass plan) |
| Single-fault on RFC 8032 deterministic | vulnerable | T1-D — hedged Ed25519 (CFRG det-sigs-with-noise, Romailler 2017) |
| Template attacks (Samwel et al. 2018) | vulnerable | T2-A + T2-B (Z-rerand + scalar blinding) |
| DPA on intermediate SHA-512 keyed digest | partial | T2-D — masked SHA-512, shared with HMAC consumer |

§Romailler-Pelissier 2017 — single-fault key recovery

RFC 8032 derives the per-signature nonce r deterministically from (seed, message). Two signatures of the same message therefore use the same r, which is fine cryptographically but fragile under fault injection (FDTC 2017, romailler2017eddsa_fault): a fault anywhere after r has been derived (in the scalar multiplication producing R, or in the SHA-512 that computes the challenge) changes the challenge k but not r:

  Sign M  →  (R, s)         (normal)
  Sign M  →  (R', s')       (one fault after r is derived → k' ≠ k, same r)

  k  = H(R  ‖ A ‖ M),   s  = r + k  * a mod ℓ
  k' = H(R' ‖ A ‖ M),   s' = r + k' * a mod ℓ

  →  s - s' = (k - k') * a,   so   a = (s - s') / (k - k') mod ℓ

One well-placed fault recovers the whole secret scalar a. The standard fix is hedged signing: derive r from H(prefix ‖ ρ ‖ M) with ρ 32 bytes of fresh randomness; deterministic mode (ρ = 0^32) stays available for KAT determinism. Roadmap item T1-D.
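The hedged nonce derivation described above, written out as an added Python example (not this module's Rust code): the arithmetic follows the RFC 8032 reference, ρ is the single extra input to the nonce hash, and nothing in the signature format changes, so a verifier that knows nothing about the hedge accepts the result. The convention that `rho=b""` reproduces plain RFC 8032 signing is this example's assumption, kept so the RFC 8032 test vector can check the arithmetic; `point_mul` is a plain double-and-add and not constant time.

```python
import hashlib, secrets

p = 2**255 - 19                                       # field prime
q = 2**252 + 27742317777372353535851937790883648493  # group order (the l of the text)
d = -121665 * pow(121666, -1, p) % p                 # twisted Edwards constant
SQRT_M1 = pow(2, (p - 1) // 4, p)                    # sqrt(-1) mod p

def h_modq(*parts):  # SHA-512 of the concatenation, read little-endian, reduced mod l
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % q

def point_add(P, Q):  # extended coordinates (X, Y, Z, T), RFC 8032 section 5.1.4
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    B = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C, D = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p
    E, F, G_, H = B - A, D - C, D + C, B + A
    return (E * F % p, G_ * H % p, F * G_ % p, E * H % p)

def point_mul(s, P):  # double-and-add; NOT constant time, illustration only
    Q = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1: Q = point_add(Q, P)
        P, s = point_add(P, P), s >> 1
    return Q

def recover_x(y, sign):  # x from y and its sign bit, RFC 8032 section 5.1.3
    x2 = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p: x = x * SQRT_M1 % p
    return p - x if (x & 1) != sign else x

def compress(P):  # 32-byte point encoding: y with the sign of x in the top bit
    zi = pow(P[2], -1, p)
    x, y = P[0] * zi % p, P[1] * zi % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

GY = 4 * pow(5, -1, p) % p
G = (recover_x(GY, 0), GY, 1, recover_x(GY, 0) * GY % p)  # base point B

def expand(seed):  # (clamped scalar a, 32-byte prefix) from the 32-byte seed
    h = hashlib.sha512(seed).digest()
    return int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254), h[32:]

def sign_hedged(seed, msg, rho=None):
    # rho: None = 32 fresh random bytes (hedged); bytes(32) = deterministic mode; b"" = plain RFC 8032 (example convention)
    rho = secrets.token_bytes(32) if rho is None else rho
    a, prefix = expand(seed)
    A = compress(point_mul(a, G))
    r = h_modq(prefix, rho, msg)  # the hedge: rho enters the nonce hash, nothing else changes
    R = compress(point_mul(r, G))
    return R + ((r + h_modq(R, A, msg) * a) % q).to_bytes(32, "little")
```

With fresh ρ, two signatures of the same message under the same key carry different R, so the s - s' relation above no longer has a shared r to cancel; with ρ = 0^32 the output is byte-for-byte reproducible for KATs.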

§Zeroize-on-Drop

Ed25519SecretKey currently does not implement Drop with silentops::ct_zeroize. Roadmap item T2-E.

Structs§

Ed25519PublicKey
Ed25519 public key (32 bytes, compressed point encoding).
Ed25519SecretKey
Ed25519 secret key (the original 32-byte seed).
Ed25519Signature
Ed25519 signature (64 bytes: R || S).

Functions§

ed25519_keygen
Generate an Ed25519 key pair from a 32-byte secret seed.
ed25519_sign
Sign a message with Ed25519 (pure mode, no prehashing).
ed25519_verify
Verify an Ed25519 signature (pure mode).
ed25519ctx_sign
Sign a message with Ed25519ctx (RFC 8032 §5.1.6).
ed25519ctx_verify
Verify an Ed25519ctx signature.
ed25519ph_sign
Sign a message with Ed25519ph (RFC 8032 §5.1.7, pre-hashed mode).
ed25519ph_sign_prehashed
Variant of ed25519ph_sign that takes a precomputed SHA-512 digest of the message instead of the message itself. Useful when the caller already has the digest from a streaming hash (e.g. a file scanner that produced the digest as it read the file).
ed25519ph_verify
Verify an Ed25519ph signature.
ed25519ph_verify_prehashed
Verify a precomputed-digest Ed25519ph signature. Counterpart to ed25519ph_sign_prehashed.