[curves] Ed25519 "clamping" and its effect on hierarchical key derivation

Oleg Andreev oleganza at gmail.com
Fri Apr 7 14:17:42 PDT 2017

> On 29 Mar 2017, at 15:32, Taylor R Campbell <campbell+moderncrypto-curves at mumble.net> wrote:
> (a) that it would be nice to reuse existing code for EdDSA that
> already does bit-twiddling clamping for the private-key-to-public-key
> map, especially now that it has been formalized in an RFC;

Doesn't bit-twiddling only happen immediately after expanding 32-byte random string into a 64-byte "expanded secret key" where first half is a scalar where clamping is applied, and the second half is the "prefix" that later is hashed with the message to generate a nonce?

For instance, NaCl API accepts 64-byte secret and does not modify its bits - that's assumed to be done in the separate "generate keypair" function. EdDSA does not even have a name or interface for 64-byte secret key, and a Go lib for ed25519 also assumes privkey is a raw 32-byte buffer to be hashed.

I mean, is there really a piece of software accepts a 64-byte (already expanded) secret key and tweaks its bits? Because if there isn't, then bit-twiddling that happens in the interfaces accepting 32-byte strings is irrelevant to HKD schemes - they won't be able to derive a child pubkey from a parent pubkey if there's non-linear hashing involved.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20170407/958f2ff6/attachment.html>

More information about the Curves mailing list