commit 006e6d3b6f52e193b14dc17db4502e14f9ffeb82 Author: Nick Mathewson nickm@torproject.org Date: Tue Aug 26 21:35:25 2014 -0400
Another ed25519 tweak: store secret keys in expanded format
This will be needed/helpful for the key blinding of prop224, I believe. --- src/common/crypto_ed25519.c | 9 +++++++++ src/common/crypto_ed25519.h | 6 +++++- src/ext/ed25519/ref10/crypto_sign.h | 1 + src/ext/ed25519/ref10/ed25519_ref10.h | 1 + src/ext/ed25519/ref10/keypair.c | 26 ++++++++++++++++++-------- src/ext/ed25519/ref10/sign.c | 10 ++-------- src/test/test_crypto.c | 4 +++- 7 files changed, 39 insertions(+), 18 deletions(-)
diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c
index 5486c89..44c9e5e 100644
--- a/src/common/crypto_ed25519.c
+++ b/src/common/crypto_ed25519.c
@@ -28,6 +28,15 @@ ed25519_secret_key_generate(ed25519_secret_key_t *seckey_out,
 }
 int
+ed25519_secret_key_from_seed(ed25519_secret_key_t *seckey_out,
+ const uint8_t *seed)
+{
+ if (ed25519_ref10_seckey_expand(seckey_out->seckey, seed) < 0)
+ return -1;
+ return 0;
+}
+
+int
 ed25519_public_key_generate(ed25519_public_key_t *pubkey_out,
 const ed25519_secret_key_t *seckey)
 {
diff --git a/src/common/crypto_ed25519.h b/src/common/crypto_ed25519.h
index 6b00c3d..a68f2ec 100644
--- a/src/common/crypto_ed25519.h
+++ b/src/common/crypto_ed25519.h
@@ -8,7 +8,8 @@
 #include "torint.h"
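Review bot: The new public function `ed25519_secret_key_from_seed` has no doc comment, so its contract (seed length, output length, return codes, who owns the seed) is only discoverable by reading the vendored ref10 source, while the header hunk of this same commit uses `/** */` documentation for its other declarations. Suggested header: `/** Given a 32-byte seed in <b>seed</b>, expand it into the 64-byte secret key stored in <b>seckey_out</b>. Return 0 on success, -1 on failure. The seed is not wiped; the caller owns it. */`. The `< 0` check is a reasonable defensive guard, although the `crypto_sign_seckey_expand` body added in this commit's keypair.c hunk only ever returns 0, so the `-1` path is currently unreachable.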
 #define ED25519_PUBKEY_LEN 32
-#define ED25519_SECKEY_LEN 32
+#define ED25519_SECKEY_LEN 64
+#define ED25519_SECKEY_SEED_LEN 32
 #define ED25519_SIG_LEN 64
 /** An Ed25519 signature. */
@@ -35,6 +36,9 @@ typedef struct {
 #ifdef CURVE25519_ENABLED
 int ed25519_secret_key_generate(ed25519_secret_key_t *seckey_out,
 int extra_strong);
+int ed25519_secret_key_from_seed(ed25519_secret_key_t *seckey_out,
+ const uint8_t *seed);
+
 int ed25519_public_key_generate(ed25519_public_key_t *pubkey_out,
 const ed25519_secret_key_t *seckey);
 int ed25519_keypair_generate(ed25519_keypair_t *keypair_out, int extra_strong);
diff --git a/src/ext/ed25519/ref10/crypto_sign.h b/src/ext/ed25519/ref10/crypto_sign.h
index 4a13fb3..5496267 100644
--- a/src/ext/ed25519/ref10/crypto_sign.h
+++ b/src/ext/ed25519/ref10/crypto_sign.h
@@ -2,6 +2,7 @@
 #define crypto_sign ed25519_ref10_sign
 #define crypto_sign_keypair ed25519_ref10_keygen
 #define crypto_sign_seckey ed25519_ref10_seckey
+#define crypto_sign_seckey_expand ed25519_ref10_seckey_expand
 #define crypto_sign_pubkey ed25519_ref10_pubkey
 #define crypto_sign_open ed25519_ref10_open
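Review bot: Changing `ED25519_SECKEY_LEN` from 32 to 64 redefines what `ed25519_secret_key_t` holds without saying so; a reader of this header cannot tell that the 64 bytes are the SHA-512 expansion of a seed (clamped scalar in the first 32 bytes, nonce prefix in the last 32, as the keypair.c and sign.c hunks of this commit show) rather than raw key material. Suggest annotating the constants: `#define ED25519_SECKEY_LEN 64 /* expanded key: clamped scalar || nonce prefix */` and `#define ED25519_SECKEY_SEED_LEN 32 /* input to ed25519_secret_key_from_seed() */`. The `ed25519_secret_key_from_seed` prototype added in the second hunk should likewise get a `/** */` comment stating that `seed` is `ED25519_SECKEY_SEED_LEN` bytes and `seckey_out` receives `ED25519_SECKEY_LEN` bytes. Any code that already stores or copies a secret key as 32 bytes would now need to go through the seed path instead of a plain copy; I cannot see such callers from this hunk.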
diff --git a/src/ext/ed25519/ref10/ed25519_ref10.h b/src/ext/ed25519/ref10/ed25519_ref10.h
index bd1e461..cd0244f 100644
--- a/src/ext/ed25519/ref10/ed25519_ref10.h
+++ b/src/ext/ed25519/ref10/ed25519_ref10.h
@@ -4,6 +4,7 @@
 #include <torint.h>
 int ed25519_ref10_seckey(unsigned char *sk);
+int ed25519_ref10_seckey_expand(unsigned char *sk, const unsigned char *sk_seed);
 int ed25519_ref10_pubkey(unsigned char *pk,const unsigned char *sk);
 int ed25519_ref10_keygen(unsigned char *pk,unsigned char *sk);
 int ed25519_ref10_open(
diff --git a/src/ext/ed25519/ref10/keypair.c b/src/ext/ed25519/ref10/keypair.c
index 26a1727..e861998 100644
--- a/src/ext/ed25519/ref10/keypair.c
+++ b/src/ext/ed25519/ref10/keypair.c
@@ -8,22 +8,32 @@
 int crypto_sign_seckey(unsigned char *sk)
 {
- randombytes(sk,32);
+ unsigned char seed[32];
+
+ randombytes(seed,32);
+
+ crypto_sign_seckey_expand(sk, seed);
+
+ memwipe(seed, 0, 32);
+
+ return 0;
+}
+
+int crypto_sign_seckey_expand(unsigned char *sk, const unsigned char *skseed)
+{
+ crypto_hash_sha512(sk,skseed,32);
+ sk[0] &= 248;
+ sk[31] &= 63;
+ sk[31] |= 64;
 return 0;
 }
 int crypto_sign_pubkey(unsigned char *pk,const unsigned char *sk)
 {
- unsigned char az[64];
 ge_p3 A;
- crypto_hash_sha512(az,sk,32);
- az[0] &= 248;
- az[31] &= 63;
- az[31] |= 64;
-
- ge_scalarmult_base(&A,az);
+ ge_scalarmult_base(&A,sk);
 ge_p3_tobytes(pk,&A);
 return 0;
diff --git a/src/ext/ed25519/ref10/sign.c b/src/ext/ed25519/ref10/sign.c
index 7eb23c6..c11fca9 100644
--- a/src/ext/ed25519/ref10/sign.c
+++ b/src/ext/ed25519/ref10/sign.c
@@ -10,17 +10,11 @@ int crypto_sign(
 const unsigned char *sk,const unsigned char *pk
 )
 {
- unsigned char az[64];
 unsigned char nonce[64];
 unsigned char hram[64];
 ge_p3 R;
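Review bot: `crypto_sign_seckey` discards the return value of `crypto_sign_seckey_expand`, and neither new function documents that `sk` must now be 64 bytes while `skseed` is 32; the old `crypto_sign_seckey` contract was a 32-byte `sk`, so every existing caller's buffer size is affected by this hunk. Suggest a comment above the expand function: `/* Expand the 32-byte seed into the 64-byte secret key: SHA-512(seed), with bytes 0..31 clamped into the scalar and bytes 32..63 kept as the nonce prefix for signing. */`. `crypto_sign_pubkey` now multiplies the base point by `sk` directly without re-applying the clamping, so it silently trusts that the caller produced `sk` through the expand routine; a one-line precondition comment there would make that explicit. `memwipe` is a Tor helper being called from vendored ref10 code, so it is worth confirming keypair.c includes whatever declares it, since the include block is outside this hunk.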
- crypto_hash_sha512(az,sk,32);
- az[0] &= 248;
- az[31] &= 63;
- az[31] |= 64;
-
- crypto_hash_sha512_2(nonce, az+32, 32, m, mlen);
+ crypto_hash_sha512_2(nonce, sk+32, 32, m, mlen);
 sc_reduce(nonce);
 ge_scalarmult_base(&R,nonce);
@@ -28,7 +22,7 @@ int crypto_sign(
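Review bot: `crypto_sign` now reads `sk+32` as the nonce prefix here and, in the second hunk, passes `sk` straight to `sc_muladd`, so its `sk` argument has silently changed from a 32-byte seed to a 64-byte expanded key; a caller that still hands it a 32-byte buffer would read 32 bytes past the end and sign with whatever follows in memory. The prototype gives no hint of this, so I would add above the function: `/* sk: 64-byte expanded secret key from crypto_sign_seckey_expand(); bytes 0..31 are the clamped scalar, bytes 32..63 the nonce prefix. Do not pass a 32-byte seed. */`. The function's opening lines and its prototype are outside this hunk.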
 crypto_hash_sha512_3(hram, sig, 32, pk, 32, m, mlen);
 sc_reduce(hram);
- sc_muladd(sig + 32,hram,az,nonce);
+ sc_muladd(sig + 32,hram,sk,nonce);
 return 0;
 }
diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c
index 8b04bc8..a4ca609 100644
--- a/src/test/test_crypto.c
+++ b/src/test/test_crypto.c
@@ -1318,10 +1318,12 @@ test_crypto_ed25519_test_vectors(void *arg)
 for (i = 0; items[i].pk; ++i) {
 ed25519_keypair_t kp;
 ed25519_signature_t sig;
+ uint8_t sk_seed[32];
 uint8_t *msg;
 size_t msg_len;
- base16_decode((char*)kp.seckey.seckey, sizeof(kp.seckey.seckey),
+ base16_decode((char*)sk_seed, sizeof(sk_seed),
 items[i].sk, 64);
+ ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
 tt_int_op(0, ==, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
 test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
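Review bot: The new `ed25519_secret_key_from_seed(&kp.seckey, sk_seed)` call is not checked, whereas the `ed25519_public_key_generate` call on the next line is wrapped in `tt_int_op`; if expansion ever failed, `kp.seckey` would be left uninitialised and the test would fail later with a confusing public-key mismatch instead of at the real cause. Use `tt_int_op(0, ==, ed25519_secret_key_from_seed(&kp.seckey, sk_seed));`. The `base16_decode` return value is likewise unchecked, but that predates this commit.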