Please review EdDSA API

Adam Petcher adam.petcher at
Wed Jul 25 18:05:25 UTC 2018

On 7/25/2018 11:24 AM, Michael StJohns wrote:

> *sigh* Private keys are big integers.  There's an associated parameter 
> used in signing that the implementation described in the RFC (*not a 
> standard please note*) generates from a common random byte array - 
> that byte array is NOT a (or the) private key.
> E.g.       Private key ::= OctetToInteger(Adjust(Left (HASH(random), 
> length))) and SigningValue ::= Right(HASH(random),length).
> Instead, you can get the exact same result (deterministic signatures) 
> - and store a bog standard EC private key - by
> PrivateKey ::= OctetToInteger(Adjust(random));

Did you mean PrivateKey ::= OctetToInteger(random)? Setting/clearing 
bits here destroys information. If we don't prune here, then we can 
reverse this operation later to get the byte array back to give to the 

> SigningValue ::= HASH (IntegerToOctet(PrivateKey)); // signing value 
> may be regenerated at any time and need not be stored in the 
> ECPrivateKey class.

With the modification above, I agree that this would give the value that 
can be split in half to produce the scalar value (after pruning and 
interpreting as an integer) and the prefix that is used in signing.

I think there may be some issues with this approach, but we need to 
start by agreeing on what you are proposing. Can you confirm that my 
understanding of your proposal is correct, or else clarify it for me?

More information about the security-dev mailing list