Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ed25519_sign() is significantly different from current libsodium/SUPERCOP ref10 implementations (and generates incompatible output) #10

Closed
rdeker opened this issue Aug 29, 2015 · 5 comments
Closed

ed25519_sign() is significantly different from current libsodium/SUPERCOP ref10 implementations (and generates incompatible output) #10

rdeker opened this issue Aug 29, 2015 · 5 comments

Comments

@rdeker
Copy link

rdeker commented Aug 29, 2015

In working with your implementation, I was doing some testing against other code I have that uses libsodium, and noted that the ed25519 signatures produced by each were entirely different. After some digging, I noted that the implementation of ed25519_sign() you provide does not match the current libsodium/SUPERCOP ref10 (20141124) implementations.

I have an updated version that is interoperable that I'd be happy to submit if you'd like.
@19h
Copy link

19h commented Sep 15, 2015

@rdeker Please share any ideas and work. That will help everyone involved :-)

@rdeker
Copy link
Author

rdeker commented Sep 15, 2015

I've forked this project and have one with a couple of fixes available at https://github.com/rdeker/ed25519 . To date I haven't heard anything in response to my pull request.

@orlp
Copy link
Owner

orlp commented Aug 26, 2016
edited
Loading

Sorry for the late response. I finally got around to checking this. ed25519_sign is not significantly different from SUPERCOP's ref10, I simply have a different representation of the private key.

ref10 stores the private key by storing the seed (32 bytes) and public key (32 bytes) as the 'private key'.

I instead straight up store the hashed seed (64 bytes) as the private key to not have to re-hash the seed on every sign operation.

So if you simply use the 64 bytes from the ref10 'private key' as the private key in this library you will end up with incorrect results.

If you wish to convert a ref10 private key to a private key for this library you can use:

void ref10_to_lib(unsigned char *private_key, const unsigned char *ref10_private_key) {
    sha512(ref10_private_key, 32, private_key);
    private_key[0] &= 248;
    private_key[31] &= 63;
    private_key[31] |= 64;
}

@orlp orlp closed this as completed Aug 26, 2016
@orlp
Copy link
Owner

orlp commented Aug 26, 2016

See also this previous question about this exact topic: #1 (comment)

@dmjones
Copy link

dmjones commented Sep 12, 2017

@orlp Is it worth putting some info about this prominently on the main README.md? This tripped me up for quite a while, until I dug into closed issues. I imagine a lot of people will expect this to play nicely with other implementations.

(Note: I completely understand why you do what you do, but it may be missed by many).

GlitchedPolygons added a commit to GlitchedPolygons/GlitchEd25519 that referenced this issue Oct 9, 2020
@GlitchedPolygons
Added key conversion function ref10->orlp-ed25519.
11ccdd0 
Related to issue [orlp#10](orlp#10) from the orlp/ed25519 repository.
@johndbritton johndbritton mentioned this issue Dec 28, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@orlp @19h @dmjones @rdeker