author | Florian Dold <florian@dold.me> | 2021-10-19 13:20:03 +0200 |
---|---|---|
committer | Florian Dold <florian@dold.me> | 2021-10-19 13:20:03 +0200 |
commit | f9b3f95b133dd98289ccd165966896fc0af5860d (patch) | |
tree | fa45353a1d3a0eb0f69fa709febae635706b079f | |
parent | 3a9e7d47e8c0d8b5cc172d48c44afdeed6414429 (diff) | |
Fix account key derivation.
In Ed25519, the secret key is just a seed and not a scalar. It is used
both when hashing the message and to derive the scalar "d" via
hashing. Only the scalar "d" needs bit-twiddling. Bit-twiddling the
seed doesn't make sense.
-rw-r--r-- | doc/sphinx/cryptography.rst | 10 | ||||
-rw-r--r-- | doc/system-documentation/design.tex | 9 | ||||
-rw-r--r-- | src/util/anastasis_crypto.c | 5 |
3 files changed, 2 insertions, 22 deletions
diff --git a/doc/sphinx/cryptography.rst b/doc/sphinx/cryptography.rst
index 194b311..6c25fc0 100644
--- a/doc/sphinx/cryptography.rst
+++ b/doc/sphinx/cryptography.rst
@@ -116,7 +116,7 @@ HKDF to ensure that the result differs from other cases where we hash
 .. code-block:: none
 ver_secret := HKDF(kdf_id, "ver", keysize)
- eddsa_priv := eddsa_d_to_a(ver_secret)
+ eddsa_priv := ver_secret
 eddsa_pub := get_EdDSA_Pub(eddsa_priv)
@@ -128,14 +128,6 @@ HKDF to ensure that the result differs from other cases where we hash
 **ver_secret**: Derived key from the ``kdf_id``, serves as intermediate step for the generation of the private key.
-**eddsa_d_to_a()**: Function which converts the ver_key to a valid EdDSA private key. Specifically, assuming the value ``eddsa_priv`` is in a 32-byte array "digest", the function clears and sets certain bits as follows:
-
-.. code-block:: c
-
- digest[0] &= 0xf8;
- digest[31] &= 0x7f;
- digest[31] |= 0x40;
-
 **eddsa_priv**: The generated EdDSA private key.
 **eddsa_pub**: The generated EdDSA public key.
diff --git a/doc/system-documentation/design.tex b/doc/system-documentation/design.tex
index 0883e7a..1fe9134 100644
--- a/doc/system-documentation/design.tex
+++ b/doc/system-documentation/design.tex
@@ -357,7 +357,7 @@ that the result differs from other cases where we hash {\em kdf id}:
 eddsa_keys_create (kdf_id, salt, keysize)
 {
 ver_secret = HKDF(kdf_id, salt, keysize)
- eddsa_priv = eddsa_d_to_a(ver_secret)
+ eddsa_priv = ver_secret
 eddsa_pub = get_eddsa_pub(eddsa_priv)
 return eddsa_priv, eddsa_pub
 }
@@ -369,15 +369,8 @@ eddsa_keys_create (kdf_id, salt, keysize)
 \item[salt] {Is used that different keys are generated, the salt here is "ver".}
 \item[key\_size] {Size of the output, here 32 bytes.}
 \item[ver\_secret] {Derived key from the kdf\_id, serves as intermediate step for the generation of the private key.}
- \item[eddsa\_d\_to\_a()] {Function which converts the ver\_key to a valid EdDSA private key. Specifically, assuming the value eddsa\_priv is in a 32-byte array “digest”, the function clears and sets certain bits as follows:}
 \end{description}
-\begin{lstlisting}
-digest[0] &= 0xf8;
-digest[31] &= 0x7f;
-digest[31] |= 0x40;
-\end{lstlisting}
-
 \begin{description}
 \item[eddsa\_priv] {The generated EdDSA private key.}
 \item[eddsa\_pub] {The generated EdDSA public key.}
diff --git a/src/util/anastasis_crypto.c b/src/util/anastasis_crypto.c
index 9231fc1..e122c07 100644
--- a/src/util/anastasis_crypto.c
+++ b/src/util/anastasis_crypto.c
@@ -240,11 +240,6 @@ ANASTASIS_CRYPTO_account_private_key_derive (
 GNUNET_break (0);
 return;
 }
- /* go from ver_secret to proper private key (eddsa_d_to_a() in spec) */
-
- priv_key->priv.d[0] &= 0xf8;
- priv_key->priv.d[31] &= 0x7f;
- priv_key->priv.d[31] |= 0x40;
 } |
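Review bot: Dropping the clamping at the end of ANASTASIS_CRYPTO_account_private_key_derive changes the derived key pair for existing users: the removed lines forced five bits of `priv.d`, so the same `kdf_id` now yields a different seed, and therefore a different account public key, unless those bits already had the forced values. Nothing visible in this hunk versions the derivation or handles accounts created with the old keys, so if any were deployed they would presumably no longer match; that is worth stating in the commit message or release notes. I would also leave a comment where the lines were, `/* priv.d is the raw Ed25519 seed; clamping applies only to the scalar derived by hashing it, so it must not be done here */`, and pin the derivation with a known-answer test. The function body starts outside the hunk.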