[curves] Ed25519 "clamping" and its effect on hierarchical key derivation

Tony Arcieri bascule at gmail.com
Fri Apr 7 17:06:47 PDT 2017

On Fri, Apr 7, 2017 at 4:57 PM, Ron Garret <ron at flownet.com> wrote:

> Not really.  What appears to be a 64 byte secret key is actually a 32-byte
> secret key concatenated with the corresponding 32-byte public key.

Oleg is describing the original NaCl API (as in https://nacl.cr.yp.to/),
not the API provided by the ref10 implementation (which has proliferated
from SUPERCOP). My understanding is this version has various
incompatibilities and security issues versus ref10.

This version uses a 64-bit secret key (sk) alongside a 32-bit public key.
See Brian Warner's writeup which Oleg linked for more information.

Here is the original key generation code from NaCl (2011), which fills a
64-byte secret key buffer with 32-bytes of randomness before expanding it
into 64-bytes using SHA-512. Note it also "pre-clamps" the secret scalar:

int crypto_sign_keypair(
    unsigned char *pk,
    unsigned char *sk
    )
{
  sc25519 scsk;
  ge25519 gepk;

  randombytes(sk, 32);              /* 32 bytes of randomness */
  crypto_hash_sha512(sk, sk, 32);   /* expanded in place to 64 bytes */
  sk[0] &= 248;                     /* clear the low 3 bits: scalar is a multiple of 8 */
  sk[31] &= 127;                    /* clear bit 255 */
  sk[31] |= 64;                     /* set bit 254 */

  sc25519_from32bytes(&scsk, sk);   /* load the clamped first 32 bytes as the scalar
                                       (this call is dropped in the quoted copy) */

  ge25519_scalarmult_base(&gepk, &scsk);
  ge25519_pack(pk, &gepk);
  return 0;
}

Tony Arcieri
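The key-generation path quoted above, as an added pure-Python example (not code from the post, from NaCl, or from ref10): the 32-byte seed is expanded with SHA-512, the same three byte operations clamp the first half, and the resulting scalar multiplies the base point. The curve arithmetic and constants follow RFC 8032, and the result is checked against RFC 8032's first test vector; `is_clamped` is a helper added here to make the two properties clamping enforces explicit.

```python
# Added example: Ed25519 key generation laid out the way the original NaCl
# crypto_sign_keypair does it (64-byte sk = clamped SHA-512 expansion of the
# seed). Field/curve arithmetic follows RFC 8032; no library Ed25519 is used,
# so the clamping step is visible. Constructed check value: RFC 8032 vector 1.
import hashlib

p = 2**255 - 19                                 # field prime
d = (-121665 * pow(121666, p - 2, p)) % p       # twisted-Edwards constant


def modp_inv(x):
    return pow(x, p - 2, p)


# Points in extended coordinates (X, Y, Z, T); unified add/double from RFC 8032.
def point_add(P, Q):
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    B = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C = 2 * P[3] * Q[3] * d % p
    D = 2 * P[2] * Q[2] % p
    E, F, G, H = B - A, D - C, D + C, B + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)


def point_mul(s, P):
    Q = (0, 1, 1, 0)                            # neutral element
    while s > 0:
        if s & 1:
            Q = point_add(Q, P)
        P = point_add(P, P)
        s >>= 1
    return Q


def point_compress(P):
    zinv = modp_inv(P[2])
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def recover_x(y, sign):
    x2 = (y * y - 1) * modp_inv(d * y * y + 1) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p != 0:
        x = x * pow(2, (p - 1) // 4, p) % p     # multiply by sqrt(-1)
    assert (x * x - x2) % p == 0
    return p - x if (x & 1) != sign else x


G_y = 4 * modp_inv(5) % p                       # base point: y = 4/5, x even
G_x = recover_x(G_y, 0)
G = (G_x, G_y, 1, G_x * G_y % p)


def clamp(sk64):
    """NaCl's three byte operations on the 64-byte expanded key."""
    sk = bytearray(sk64)
    sk[0] &= 248        # low 3 bits cleared: scalar is a multiple of 8
    sk[31] &= 127       # bit 255 cleared
    sk[31] |= 64        # bit 254 set
    return bytes(sk)


def is_clamped(scalar):
    """True iff the scalar has the shape clamping produces."""
    return scalar % 8 == 0 and (scalar >> 254) == 1


def keypair(seed32):
    """Return (pk, sk) with sk in the original NaCl layout: the clamped
    64-byte SHA-512 expansion of the seed, not seed||pk as in ref10."""
    sk = clamp(hashlib.sha512(seed32).digest())
    a = int.from_bytes(sk[:32], "little")       # what sc25519_from32bytes loads
    pk = point_compress(point_mul(a, G))
    return pk, sk


if __name__ == "__main__":
    # RFC 8032 test vector 1 seed (32 bytes)
    seed = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
    pk, sk = keypair(seed)
    print(pk.hex())
    print("scalar clamped:", is_clamped(int.from_bytes(sk[:32], "little")))
```

Running it prints the RFC 8032 public key `d75a9801...7511a` for that seed, which confirms the byte-level clamping here matches what the quoted C does. `is_clamped` is the check worth keeping around when scalars are produced by any path other than this one, since arithmetic on a clamped scalar does not in general preserve the shape it tests for.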