Add Ed25519 signing support #206

Closed
briansmith opened this issue May 30, 2016 · 6 comments

@briansmith
Owner

briansmith commented May 30, 2016

This should be relatively easy because there's good code in crypto/curve25519/curve25519.c that can be used. Actually, in src/ec/eddsa.rs, there is already a function named ed25519_sign that implements the signing. So, the bulk of this work is just implementing the ring::signature::SigningKey API that is consistent with the rest of ring, and then adding ring::signature::ED25519_SIGNING.

The tricky part is that there's no code to load a serialized private key, and there's no way to serialize a private key, which would be important to many uses. Deserialization and serialization could be done as a follow-on.

See also any general notes about signing APIs in #205.

@djc
Contributor

djc commented Jun 2, 2016

So without ser/de, what does the SigningKey instantiation look like? Just a 64-element u8 slice?

@briansmith
Owner Author

Should it be a 64-element u8 slice, or two 32-element u8 slices, one for the private part and one for the public part?

Anyway, yes, at least until we have deserialization and serialization support, setting the key via a slice or slices is fine.

@briansmith
Owner Author

If you're interested in working on this, I suggest that you just try to implement SigningKey in the most simple way possible, hard-coding Ed25519 (and SHA-512). Then we can evolve the API from there.

For example, instead of trying to define a generic SigningKey type and a generic sign function, we can have an Ed25519KeyPair struct with methods like this:

// A wrapper around an array of bytes, very much like digest::Digest.
struct Signature {
    ...
}

impl Ed25519KeyPair<'a> {
    fn generate(rng: &SecureRandom) -> Result<Ed25519KeyPair, ()>,
    fn from_bytes(private_key: &[u8], public_key: &[u8]) -> Result<Ed25519KeyPair, ()>,
    fn private_key_bytes() -> &'a [u8],
    fn public_key_bytes() -> &'a [u8],
    fn sign(&self, msg: Input) -> Signature,
}
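
The key-pair shape sketched above, as an added example that is not ring's code and not part of the original thread: a from-scratch Python model of Ed25519 signing that follows RFC 8032, with the constructor standing in for `from_bytes` and taking two 32-byte slices. Rejecting a public key that does not match the private key is an assumption added here, the helper names are hypothetical, and Python integer arithmetic is not constant time, so this is a model for study only.

```python
import hashlib

P = 2**255 - 19  # field prime; curve constants as given in RFC 8032, section 5.1
L = 2**252 + 27742317777372353535851937790883648493  # group order
D = -121665 * pow(121666, P - 2, P) % P
GX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
GY = 4 * pow(5, P - 2, P) % P
G = (GX, GY, 1, GX * GY % P)  # base point in extended coordinates (X, Y, Z, T)

def _add(a, b):  # point addition on the twisted Edwards curve
    A, B = (a[1] - a[0]) * (b[1] - b[0]) % P, (a[1] + a[0]) * (b[1] + b[0]) % P
    C, Z = 2 * a[3] * b[3] * D % P, 2 * a[2] * b[2] % P
    E, F, H, K = B - A, Z - C, Z + C, B + A
    return (E * F % P, H * K % P, F * H % P, E * K % P)

def _mul(s, pt):  # double-and-add; NOT constant time, illustration only
    q = (0, 1, 1, 0)  # neutral element
    while s:
        q = _add(q, pt) if s & 1 else q
        pt, s = _add(pt, pt), s >> 1
    return q

def _compress(pt):  # 32-byte encoding: y with the sign of x in the top bit
    zinv = pow(pt[2], P - 2, P)
    x, y = pt[0] * zinv % P, pt[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def _expand(seed):  # 32-byte seed -> (clamped scalar, nonce prefix)
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]

class Ed25519KeyPair:
    def __init__(self, private_key, public_key):  # plays the role of from_bytes
        if len(private_key) != 32 or len(public_key) != 32:
            raise ValueError("expected two 32-byte slices")
        self._a, self._prefix = _expand(private_key)
        if _compress(_mul(self._a, G)) != public_key:  # added check (assumption)
            raise ValueError("public key does not match private key")
        self._public = public_key

    def sign(self, msg):  # deterministic signature R || S, 64 bytes
        r = int.from_bytes(hashlib.sha512(self._prefix + msg).digest(), "little") % L
        R = _compress(_mul(r, G))
        h = int.from_bytes(hashlib.sha512(R + self._public + msg).digest(), "little") % L
        return R + ((r + h * self._a) % L).to_bytes(32, "little")

SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")  # RFC 8032 7.1 TEST 1
PUBLIC = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
```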

@briansmith
Owner Author

briansmith commented Jun 4, 2016

Note: Ed25519KeyPair and all the code should be in ring::ec::eddsa. Then, ring::signature should pub use ec::eddsa::Ed25519KeyPair to expose it in the public API.

[Edit: s/agreement/signature/]

@briansmith
Owner Author

briansmith commented Jun 4, 2016

Rough Steps:

  • Implement Ed25519KeyPair
  • Tests (I think there are already tests existing, using the private ed25519_sign function; they may just need to be adapted.)
  • Add documentation, including a full example. (Note: the example should use signature::Ed25519SKeyPair, not ec::eddsa::Ed25519KeyPair. Also, you need to temporarily flip the doctests on in Cargo.toml; they are disabled because they break cross-compiling.)
  • Benchmarks in crypto-bench.

[Edit: s/agreement/signature/]

@briansmith briansmith changed the title Add EdDSA signing support Add Ed25519 signing support Jun 5, 2016
djc added a commit to djc/ring that referenced this issue Jun 5, 2016
I agree to license my contributions to each file under the terms given
at the top of each file I changed.
@briansmith
Owner Author

I'm going to close this, since the only thing left on the checklist is the benchmarks, and crypto-bench already is keeping track of what needs to be done. Thanks again @djc.
