[curves] Ed25519 "clamping" and its effect on hierarchical key derivation

Tony Arcieri bascule at gmail.com
Fri Apr 7 17:06:47 PDT 2017


On Fri, Apr 7, 2017 at 4:57 PM, Ron Garret <ron at flownet.com> wrote:

> Not really.  What appears to be a 64 byte secret key is actually a 32-byte
> secret key concatenated with the corresponding 32-byte public key.


Oleg is describing the original NaCl API (as in https://nacl.cr.yp.to/),
not the API provided by the ref10 implementation (which has proliferated
from SUPERCOP). My understanding is this version has various
incompatibilities and security issues versus ref10.

This version uses a 64-bit secret key (sk) alongside a 32-bit public key.
See Brian Warner's writeup which Oleg linked for more information.

Here is the original key generation code from NaCl (2011), which fills a
64-byte secret key buffer with 32-bytes of randomness before expanding it
into 64-bytes using SHA-512. Note it also "pre-clamps" the secret scalar:

int crypto_sign_keypair(
    unsigned char *pk,
    unsigned char *sk
    )
{
  sc25519 scsk;
  ge25519 gepk;

  randombytes(sk, 32);
  crypto_hash_sha512(sk, sk, 32);
  sk[0] &= 248;
  sk[31] &= 127;
  sk[31] |= 64;

  sc25519_from32bytes(&scsk,sk);

  ge25519_scalarmult_base(&gepk, &scsk);
  ge25519_pack(pk, &gepk);
  return 0;
}


-- 
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20170407/5a1bcddd/attachment.html>


More information about the Curves mailing list