Last active
January 18, 2023 01:08
Ed25519-based semi-private keys
Attempting a little "mathematical prose" here ;)

I'm trying to implement semiprivate keys. These expand the normal idea
of symmetric keys, which have a public/private keypair, to N keys which
can each represent a different capability level.

For the purposes of getting started, I'd like to have 3 capability levels:
one for creating new ciphertexts, one for decrypting and verifying them,
and one which can only verify or not decrypt. So the goal here is to
produce keys with 3 capability levels (the degenerate form of semi-private
keys, as anything lower would be a typical keypair)

I'm trying to implement semi-private keys as defined in the Tahoe paper:

http://eprint.iacr.org/2012/524.pdf

The problem is Tahoe's description of semi-private keys is intended
for DSA, however I would like to implement semi-private keys for
use with NaCl. NaCl uses elliptic curve cryptography, so the
implementation is slightly different.

This is, as best I understand it, how to implement it in terms of NaCl:

    P = NaCl base point (standard group element)
    O = Order(P)
    x = original private scalar (i.e. random number + some bitflipping)
    s = x*P (semiprivate key)
    y = H(s) mod O
    a = x*y mod O (computed Ed25519 private scalar)
    A = y*s (Ed25519 public key)
    assert(A == a*P)
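
The derivation above, checked with pure-Python arithmetic on the Ed25519 (twisted Edwards) curve. This is an added example, not the gist author's code and not a NaCl or libsodium API; the helper names, the choice of SHA-512 over the standard point encoding for H, and the clamping used for the "bitflipping" are assumptions.

```python
import hashlib

# Ed25519: twisted Edwards curve -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p)
p = 2**255 - 19
O = 2**252 + 27742317777372353535851937790883648493  # Order(P)

def inv(z):
    return pow(z, p - 2, p)  # modular inverse via Fermat's little theorem

d = -121665 * inv(121666) % p
P = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     4 * inv(5) % p)  # standard base point

def add(Q, R):
    """Affine Edwards addition; the formula is complete, so it also doubles."""
    (x1, y1), (x2, y2) = Q, R
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % p,
            (y1 * y2 + x1 * x2) * inv(1 - t) % p)

def mul(k, Q):
    """Double-and-add scalar multiplication (not constant time)."""
    R = (0, 1)  # neutral element
    while k:
        if k & 1:
            R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def encode(Q):
    """32-byte Ed25519 point encoding: y, with the low bit of x in bit 255."""
    return (Q[1] | ((Q[0] & 1) << 255)).to_bytes(32, "little")

def clamp(seed32):
    """Assumed 'bitflipping': clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(seed32)
    k[0] &= 248; k[31] &= 127; k[31] |= 64
    return int.from_bytes(k, "little")

def derive(x):
    """Return (s, a, A) from private scalar x using the equations above."""
    s = mul(x, P)  # semiprivate key
    # Assumption: H is SHA-512 over the encoded point, read little-endian
    y = int.from_bytes(hashlib.sha512(encode(s)).digest(), "little") % O
    return s, x * y % O, mul(y, s)  # a = x*y mod O, A = y*s

x = clamp(hashlib.sha256(b"constructed demo seed").digest())  # constructed input
s, a, A = derive(x)
assert A == mul(a, P)  # holder of s alone reaches the same A as holder of x
```

The arithmetic here is variable-time and intended only to confirm the algebra; a holder of `s` can compute `y` and `A` but not `a`, which requires `x`.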
Author
Unfortunately neither NaCl nor libsodium provide Ed25519 scalar multiplication APIs at the moment (also the above SAGE is using Montgomery)
Author
libsodium issue here: jedisct1/libsodium#236 (comment)
As mentioned, the Sage code seems to be the x25519 (Montgomery) curve, not the ed25519 curve. Has anyone managed to represent the ed25519 curve in Sage? Sage seems to mandate curve creation in the long Weierstrass equation. So how to represent ed25519 (Edwards curve) is certainly not obvious to me.
Do you think you could provide an example using NaCl primitives?