Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Endian issue in handling eddsa private key scalar #199

Closed
gzelda opened this issue May 27, 2022 · 2 comments · Fixed by #202 or #237
Closed

Endian issue in handling eddsa private key scalar #199

gzelda opened this issue May 27, 2022 · 2 comments · Fixed by #202 or #237
Assignees
@gbotrel

Comments

@gzelda
Copy link
Contributor

gzelda commented May 27, 2022

https://github.com/ConsenSys/gnark-crypto/blob/master/ecc/bn254/twistededwards/eddsa/eddsa.go#L89

code reference

	h := blake2b.Sum512(seed[:])
	for i := 0; i < 32; i++ {
		priv.randSrc[i] = h[i+32]
	}

	// prune the key
	// https://tools.ietf.org/html/rfc8032#section-5.1.5, key generation

	h[0] &= 0xF8
	h[31] &= 0x7F
	h[31] |= 0x40

	// reverse first bytes because setBytes interpret stream as big endian
	// but in eddsa specs s is the first 32 bytes in little endian
	for i, j := 0, sizeFr; i < j; i, j = i+1, j-1 {
		h[i], h[j] = h[j], h[i]
	}

explanation

h is [64]byte, and in eddsa h[:32] is scalar and h[32:] is random source.
As the annotation describes, if reverse first bytes because setBytes interpret stream as big endian.
We should swap h[0] with h[31] but not h[sizeFr] = h[32].

Please correct me if I understand wrongly. I can create a pr for this issue later.
@gzelda gzelda mentioned this issue May 27, 2022
Merged
@gzelda
Copy link
Contributor Author

gzelda commented May 30, 2022

@gbotrel
@ThomasPiellard
Need confirmation

@gbotrel
Copy link
Collaborator

gbotrel commented May 31, 2022

@tyGavinZJU you are correct, j should be initialized with sizeFr - 1 ; thanks for raising this issue 👍

@gbotrel gbotrel self-assigned this May 31, 2022
gbotrel added a commit that referenced this issue May 31, 2022
@gbotrel
fix: closes #199. Correct bound in eddsa key gen template
f65f313
@gbotrel gbotrel mentioned this issue May 31, 2022
Merged
@gbotrel gbotrel linked a pull request May 31, 2022 that will close this issue
fix: closes #199 correct bound in eddsa key gen template #202
Merged
gbotrel added a commit that referenced this issue May 31, 2022
@gbotrel
Merge pull request #202 from ConsenSys/gbotrel/issue199
914fc69 
fix: closes #199 correct bound in eddsa key gen template
@gbotrel gbotrel closed this as completed May 31, 2022
@gbotrel gbotrel mentioned this issue Aug 3, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gbotrel gbotrel

Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@gbotrel @gzelda