[tor-commits] [tor/master] Another ed25519 tweak: store secret keys in expanded format

nickm at torproject.org nickm at torproject.org
Thu Sep 25 19:12:40 UTC 2014


commit 006e6d3b6f52e193b14dc17db4502e14f9ffeb82
Author: Nick Mathewson <nickm at torproject.org>
Date:   Tue Aug 26 21:35:25 2014 -0400

    Another ed25519 tweak: store secret keys in expanded format
    
    This will be needed/helpful for the key blinding of prop224, I
    believe.
---
 src/common/crypto_ed25519.c           |    9 +++++++++
 src/common/crypto_ed25519.h           |    6 +++++-
 src/ext/ed25519/ref10/crypto_sign.h   |    1 +
 src/ext/ed25519/ref10/ed25519_ref10.h |    1 +
 src/ext/ed25519/ref10/keypair.c       |   26 ++++++++++++++++++--------
 src/ext/ed25519/ref10/sign.c          |   10 ++--------
 src/test/test_crypto.c                |    4 +++-
 7 files changed, 39 insertions(+), 18 deletions(-)

diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c
index 5486c89..44c9e5e 100644
--- a/src/common/crypto_ed25519.c
+++ b/src/common/crypto_ed25519.c
@@ -28,6 +28,15 @@ ed25519_secret_key_generate(ed25519_secret_key_t *seckey_out,
 }
 
 int
+ed25519_secret_key_from_seed(ed25519_secret_key_t *seckey_out,
+                             const uint8_t *seed)
+{
+  if (ed25519_ref10_seckey_expand(seckey_out->seckey, seed) < 0)
+    return -1;
+  return 0;
+}
+
+int
 ed25519_public_key_generate(ed25519_public_key_t *pubkey_out,
                         const ed25519_secret_key_t *seckey)
 {
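Review bot: `ed25519_secret_key_from_seed` takes a bare `const uint8_t *seed` with neither a length parameter nor a comment saying how many bytes it reads, yet the ref10 expansion it calls hashes exactly 32 bytes of it (`crypto_hash_sha512(sk,skseed,32)` in keypair.c), so a caller handing over a shorter buffer over-reads silently. I would put a doc comment above the definition in the file's `/** ... */` style: "Expand the ED25519_SECKEY_SEED_LEN-byte <b>seed</b> into the 64-byte expanded secret key in <b>seckey_out</b> (clamped scalar in bytes 0..31, nonce prefix in bytes 32..63), which is the only form ed25519_public_key_generate() and the signing code accept; return 0 on success, -1 on failure." It is also worth noting there that `ed25519_ref10_seckey_expand` as introduced in this commit only ever returns 0, so the `< 0` branch is defensive rather than reachable today.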
diff --git a/src/common/crypto_ed25519.h b/src/common/crypto_ed25519.h
index 6b00c3d..a68f2ec 100644
--- a/src/common/crypto_ed25519.h
+++ b/src/common/crypto_ed25519.h
@@ -8,7 +8,8 @@
 #include "torint.h"
 
 #define ED25519_PUBKEY_LEN 32
-#define ED25519_SECKEY_LEN 32
+#define ED25519_SECKEY_LEN 64
+#define ED25519_SECKEY_SEED_LEN 32
 #define ED25519_SIG_LEN 64
 
 /** An Ed25519 signature. */
@@ -35,6 +36,9 @@ typedef struct {
 #ifdef CURVE25519_ENABLED
 int ed25519_secret_key_generate(ed25519_secret_key_t *seckey_out,
                             int extra_strong);
+int ed25519_secret_key_from_seed(ed25519_secret_key_t *seckey_out,
+                                 const uint8_t *seed);
+
 int ed25519_public_key_generate(ed25519_public_key_t *pubkey_out,
                             const ed25519_secret_key_t *seckey);
 int ed25519_keypair_generate(ed25519_keypair_t *keypair_out, int extra_strong);
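Review bot: The new prototype for `ed25519_secret_key_from_seed` has no doc comment, and the earlier hunk in this file doubles `ED25519_SECKEY_LEN` from 32 to 64 with nothing explaining that `ed25519_secret_key_t` now holds the expanded form rather than the seed. Since any code that persisted or compared a 32-byte seckey has a different type size after this commit, the header is where a reader would look for that. I would add above the prototype: `/** Derive the expanded (ED25519_SECKEY_LEN-byte) secret key in <b>seckey_out</b> from an ED25519_SECKEY_SEED_LEN-byte <b>seed</b>. Returns 0 on success, -1 on failure. */`, and next to the define: `/* Expanded form: clamped scalar || nonce prefix; the 32-byte seed is ED25519_SECKEY_SEED_LEN. */`.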
diff --git a/src/ext/ed25519/ref10/crypto_sign.h b/src/ext/ed25519/ref10/crypto_sign.h
index 4a13fb3..5496267 100644
--- a/src/ext/ed25519/ref10/crypto_sign.h
+++ b/src/ext/ed25519/ref10/crypto_sign.h
@@ -2,6 +2,7 @@
 #define crypto_sign ed25519_ref10_sign
 #define crypto_sign_keypair ed25519_ref10_keygen
 #define crypto_sign_seckey ed25519_ref10_seckey
+#define crypto_sign_seckey_expand ed25519_ref10_seckey_expand
 #define crypto_sign_pubkey ed25519_ref10_pubkey
 #define crypto_sign_open ed25519_ref10_open
 
diff --git a/src/ext/ed25519/ref10/ed25519_ref10.h b/src/ext/ed25519/ref10/ed25519_ref10.h
index bd1e461..cd0244f 100644
--- a/src/ext/ed25519/ref10/ed25519_ref10.h
+++ b/src/ext/ed25519/ref10/ed25519_ref10.h
@@ -4,6 +4,7 @@
 #include <torint.h>
 
 int ed25519_ref10_seckey(unsigned char *sk);
+int ed25519_ref10_seckey_expand(unsigned char *sk, const unsigned char *sk_seed);
 int ed25519_ref10_pubkey(unsigned char *pk,const unsigned char *sk);
 int ed25519_ref10_keygen(unsigned char *pk,unsigned char *sk);
 int ed25519_ref10_open(
diff --git a/src/ext/ed25519/ref10/keypair.c b/src/ext/ed25519/ref10/keypair.c
index 26a1727..e861998 100644
--- a/src/ext/ed25519/ref10/keypair.c
+++ b/src/ext/ed25519/ref10/keypair.c
@@ -8,22 +8,32 @@
 int
 crypto_sign_seckey(unsigned char *sk)
 {
-  randombytes(sk,32);
+  unsigned char seed[32];
+
+  randombytes(seed,32);
+
+  crypto_sign_seckey_expand(sk, seed);
+
+  memwipe(seed, 0, 32);
+
+  return 0;
+}
+
+int crypto_sign_seckey_expand(unsigned char *sk, const unsigned char *skseed)
+{
+  crypto_hash_sha512(sk,skseed,32);
+  sk[0] &= 248;
+  sk[31] &= 63;
+  sk[31] |= 64;
 
   return 0;
 }
 
 int crypto_sign_pubkey(unsigned char *pk,const unsigned char *sk)
 {
-  unsigned char az[64];
   ge_p3 A;
 
-  crypto_hash_sha512(az,sk,32);
-  az[0] &= 248;
-  az[31] &= 63;
-  az[31] |= 64;
-
-  ge_scalarmult_base(&A,az);
+  ge_scalarmult_base(&A,sk);
   ge_p3_tobytes(pk,&A);
 
   return 0;
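Review bot: `crypto_sign_seckey` discards the result of `crypto_sign_seckey_expand(sk, seed)` and then unconditionally returns 0, while the tor-side wrapper `ed25519_secret_key_from_seed` treats a negative return from the same function as failure; the two layers should agree on whether expansion can fail. Keeping the seed wipe on every path, the change is `int r = crypto_sign_seckey_expand(sk, seed);` in place of the bare call and `return r;` at the end. `crypto_sign_seckey_expand` also needs a comment stating its buffer contract, since nothing in the signature conveys it: `/* sk must have room for 64 bytes: bytes 0..31 become the clamped scalar, 32..63 the nonce prefix; skseed is read for exactly 32 bytes. */`. The closing brace of `crypto_sign_pubkey` lies outside this hunk.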
diff --git a/src/ext/ed25519/ref10/sign.c b/src/ext/ed25519/ref10/sign.c
index 7eb23c6..c11fca9 100644
--- a/src/ext/ed25519/ref10/sign.c
+++ b/src/ext/ed25519/ref10/sign.c
@@ -10,17 +10,11 @@ int crypto_sign(
   const unsigned char *sk,const unsigned char *pk
 )
 {
-  unsigned char az[64];
   unsigned char nonce[64];
   unsigned char hram[64];
   ge_p3 R;
 
-  crypto_hash_sha512(az,sk,32);
-  az[0] &= 248;
-  az[31] &= 63;
-  az[31] |= 64;
-
-  crypto_hash_sha512_2(nonce, az+32, 32, m, mlen);
+  crypto_hash_sha512_2(nonce, sk+32, 32, m, mlen);
 
   sc_reduce(nonce);
   ge_scalarmult_base(&R,nonce);
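Review bot: `crypto_sign` now reads `sk+32` for the nonce prefix here and passes `sk` straight into `sc_muladd` in the following hunk, so it silently requires the 64-byte expanded key; a caller still holding a 32-byte seed, which was `ED25519_SECKEY_LEN` before this commit, would read 32 bytes past its buffer and sign with an unclamped scalar, and nothing in the code or its comments guards against that. Since the clamping that used to happen locally has moved to `crypto_sign_seckey_expand`, I would add a comment at the top of the function body: `/* sk is the 64-byte expanded secret key produced by crypto_sign_seckey_expand(): bytes 0..31 are the clamped scalar, 32..63 the nonce prefix. Never pass a raw 32-byte seed here. */`. The function's signature begins before this hunk, and the same contract applies to the `sc_muladd` change in the second hunk of this file.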
@@ -28,7 +22,7 @@ int crypto_sign(
 
   crypto_hash_sha512_3(hram, sig, 32, pk, 32, m, mlen);
   sc_reduce(hram);
-  sc_muladd(sig + 32,hram,az,nonce);
+  sc_muladd(sig + 32,hram,sk,nonce);
 
   return 0;
 }
diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c
index 8b04bc8..a4ca609 100644
--- a/src/test/test_crypto.c
+++ b/src/test/test_crypto.c
@@ -1318,10 +1318,12 @@ test_crypto_ed25519_test_vectors(void *arg)
   for (i = 0; items[i].pk; ++i) {
     ed25519_keypair_t kp;
     ed25519_signature_t sig;
+    uint8_t sk_seed[32];
     uint8_t *msg;
     size_t msg_len;
-    base16_decode((char*)kp.seckey.seckey, sizeof(kp.seckey.seckey),
+    base16_decode((char*)sk_seed, sizeof(sk_seed),
                   items[i].sk, 64);
+    ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
     tt_int_op(0, ==, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
     test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
 




