Please review EdDSA API
Michael StJohns
mstjohns at comcast.net
Wed Jul 25 15:24:07 UTC 2018
On 7/25/2018 10:29 AM, Adam Petcher wrote:
> 2) Similar to X25519/X448, private keys are byte arrays, and public
> keys coordinates. Though we can't get by with a single BigInteger
> coordinate for EdDSA, so I am using the new EdPoint class to hold the
> coordinates.
*sigh* Private keys are big integers. There's an associated parameter
used in signing that the implementation described in the RFC (*not a
standard please note*) generates from a common random byte array - that
byte array is NOT a (or the) private key.
E.g. Private key ::= OctetToInteger(Adjust(Left (HASH(random),
length))) and SigningValue ::= Right(HASH(random),length).
Instead, you can get the exact same result (deterministic signatures) -
and store a bog standard EC private key - by
PrivateKey ::= OctetToInteger(Adjust(random));
SigningValue ::= HASH (IntegerToOctet(PrivateKey)); // signing value may
be regenerated at any time and need not be stored in the ECPrivateKey class.
Adjust twiddles the bits in the byte array to make the byte array a
valid little-endian private key before encoding for this set of curves.
OctetToInteger turns that byte array into a BigInteger.
At this point in time, you've got the correct values to do your point
math using common libraries if you don't happen to have implemented
exactly what's in the RFC.
I know the above is a losing argument, but seriously, do we really need
two new groups of EC classes simply because someone wrote an RFC that
didn't consider existing representational structures?
Or will it be three or more?
Later, Mike
More information about the security-dev
mailing list