Please review EdDSA API
Adam Petcher
adam.petcher at oracle.com
Wed Jul 25 18:05:25 UTC 2018

On 7/25/2018 11:24 AM, Michael StJohns wrote:
>
> *sigh* Private keys are big integers. There's an associated parameter
> used in signing that the implementation described in the RFC (*not a
> standard please note*) generates from a common random byte array -
> that byte array is NOT a (or the) private key.
>
> E.g. Private key ::= OctetToInteger(Adjust(Left (HASH(random),
> length))) and SigningValue ::= Right(HASH(random),length).
>
> Instead, you can get the exact same result (deterministic signatures)
> - and store a bog standard EC private key - by
>
> PrivateKey ::= OctetToInteger(Adjust(random));

Did you mean PrivateKey ::= OctetToInteger(random)? Setting/clearing
bits here destroys information. If we don't prune here, then we can
reverse this operation later to get the byte array back to give to the
hash.

>
> SigningValue ::= HASH (IntegerToOctet(PrivateKey)); // signing value
> may be regenerated at any time and need not be stored in the
> ECPrivateKey class.

With the modification above, I agree that this would give the value that
can be split in half to produce the scalar value (after pruning and
interpreting as an integer) and the prefix that is used in signing.

I think there may be some issues with this approach, but we need to
start by agreeing on what you are proposing. Can you confirm that my
understanding of your proposal is correct, or else clarify it for me?
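
Added example, not part of the original message or of the OpenJDK code: a Python sketch of the two derivations discussed above, showing that storing OctetToInteger(random) round-trips to the same scalar and prefix while storing OctetToInteger(Adjust(random)) does not. It assumes Ed25519 parameters from RFC 8032 (SHA-512, 32-byte little-endian encoding, the RFC's pruning as "Adjust"); the function names and the sample seed are constructed for illustration.

```python
import hashlib

def prune(b: bytes) -> bytes:
    # "Adjust" in the thread: RFC 8032 pruning for Ed25519 (assumed here).
    a = bytearray(b)
    a[0] &= 248            # clear the three low bits
    a[31] &= 127           # clear the top bit
    a[31] |= 64            # set the second-highest bit
    return bytes(a)

def octet_to_integer(b: bytes) -> int:
    return int.from_bytes(b, "little")

def integer_to_octet(n: int, length: int = 32) -> bytes:
    return n.to_bytes(length, "little")

def rfc8032_expand(seed: bytes):
    # RFC 8032: hash the byte array, prune the left half into the scalar,
    # keep the right half as the signing prefix.
    h = hashlib.sha512(seed).digest()
    return octet_to_integer(prune(h[:32])), h[32:]

def expand_from_stored_integer(private_key: int):
    # Variant from the reply: SigningValue = HASH(IntegerToOctet(PrivateKey)),
    # then split and prune as above.
    return rfc8032_expand(integer_to_octet(private_key))

def compare(seed: bytes):
    # Returns (unpruned storage matches RFC values, pruned storage matches).
    reference = rfc8032_expand(seed)
    unpruned = expand_from_stored_integer(octet_to_integer(seed))
    pruned = expand_from_stored_integer(octet_to_integer(prune(seed)))
    return reference == unpruned, reference == pruned

SEED = bytes(range(1, 33))  # constructed 32-byte sample, not a real key

if __name__ == "__main__":
    same_unpruned, same_pruned = compare(SEED)
    print("stored OctetToInteger(random) reproduces RFC values:", same_unpruned)
    print("stored OctetToInteger(Adjust(random)) reproduces RFC values:", same_pruned)
```
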