[curves] Ed25519 "clamping" and its effect on hierarchical key derivation

Oleg Andreev oleganza at gmail.com
Fri Apr 7 17:02:08 PDT 2017


> On 7 Apr 2017, at 16:57, Ron Garret <ron at flownet.com> wrote:
> 
> 
> On Apr 7, 2017, at 2:17 PM, Oleg Andreev <oleganza at gmail.com> wrote:
> 
>> For instance, NaCl API accepts 64-byte secret
> 
> Not really.  What appears to be a 64 byte secret key is actually a 32-byte secret key concatenated with the corresponding 32-byte public key.

I noticed that for the Go ed25519 library, but in my copy of NaCl from 2011, 64-byte string is the scalar concatenated with "prefix" (term from EdDSA). See: https://gist.github.com/oleganza/78c9e30f8e292aa8b3aff849a1c28f2c#file-sign-c-L30-L70

PS. I was initially confused to learn that Go library uses 64-byte string to attach pubkey to a 32-byte scalar preimage. That's unfortunate, but I expect everyone else to be confused about this too for a long time to come.





More information about the Curves mailing list