Niels Möller nisse@lysator.liu.se writes:
Simon Josefsson simon@josefsson.org writes:
I'd leave it at documenting the last part of your suggestion here: when you generate an EdDSA key pair, you should store the public key alongside the private key, and use that copy whenever it is needed. Don't throw away the public key (or be ready to re-generate it), and don't trust someone else's version of your public key.
Suggested doc update:
...
+One subtle detail is that the public key is prepended to the message in +the signature process, but the public key is @emph{not} included in the +nonce generation. For this reason, it is essential that the @var{pub} +argument to @code{ed25519_sha512_sign} and @code{ed448_shake256_sign} is +always the same as the output of +@code{ed25519_sha512_public_key}/@code{ed448_shake256_public_key}. If +one ever signs the same message twice using the same private key but +with two different values for the @var{pub} input, enough private +information is leaked to let an attacker forge signatures.
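Review bot: the requirement "always the same as the output of @code{ed25519_sha512_public_key}/@code{ed448_shake256_public_key}" is stated in terms of Nettle's own functions, which raises the question of key pairs generated elsewhere; since RFC 8032 public-key derivation is deterministic, any conforming implementation produces the same value, so consider wording it as "the public key derived from @var{priv}" and noting that an imported pair can be verified by recomputing the public key with those functions and comparing.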
But doesn't that assume the private key was generated with Nettle, or something compatible with Nettle? Is that a reasonable assumption?
My concern was if someone generated an Ed25519 public/private key-pair using some other software. Applications using Nettle should use the (trusted) public key in all cases, rather than the output from ed25519_sha512_public_key(), or? Even if those should be identical in normal situations.
It would be interesting to understand the real-world applications where this scenario happens.
/Simon
+For best performance, it is preferable to compute the public key only +once, when the keypair is generated. It should then be stored together +with the private key so that it cannot be tampered with, to ensure that +the same, correct, value is available for every signing operation.
@defvr Constant ED25519_KEY_SIZE The size of a private or public Ed25519 key, 32 octets. @end defvr
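Review bot: "stored together with the private key so that it cannot be tampered with" reads as if co-location alone prevents tampering; the point is that the stored public key needs the same integrity protection as the private key. It would also help to say that an application loading a stored pair (including one produced by other software, per the question above) can check it by recomputing the public key with @code{ed25519_sha512_public_key} and comparing before using it as the @var{pub} argument.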
Does that sound right?
Regards, /Niels
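As an added example, not code from this thread or from Nettle, here is the check Niels describes in pure Python: RFC 8032 Ed25519 public-key derivation plus a guard that compares a stored public key with the one recomputed from the private key before it is handed to a signing call. The base point and the key pair are the RFC 8032 constants and test vector 1; the tampered key is constructed.

```python
import hashlib

P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
# RFC 8032 base point B in affine coordinates.
BX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
BY = 46316835694926478169428394003475163141307993866256225615783033603165251855960

def edwards_add(p1, p2):
    """Affine addition on the twisted Edwards curve -x^2 + y^2 = 1 + d x^2 y^2."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P
    return x3, y3

def scalar_mult(s, pt):
    """Double-and-add; adequate for a one-off check, not constant time."""
    acc = (0, 1)  # neutral element
    while s:
        if s & 1:
            acc = edwards_add(acc, pt)
        pt = edwards_add(pt, pt)
        s >>= 1
    return acc

def ed25519_public_key(priv: bytes) -> bytes:
    """Derive the 32-byte public key from a 32-byte private key (RFC 8032, 5.1.5)."""
    if len(priv) != 32:
        raise ValueError("Ed25519 private key must be 32 octets")
    a = bytearray(hashlib.sha512(priv).digest()[:32])
    a[0] &= 248          # clamp the scalar as RFC 8032 prescribes
    a[31] &= 127
    a[31] |= 64
    x, y = scalar_mult(int.from_bytes(a, "little"), (BX, BY))
    enc = bytearray(y.to_bytes(32, "little"))
    enc[31] |= (x & 1) << 7   # encode the sign of x in the top bit
    return bytes(enc)

def check_keypair(priv: bytes, stored_pub: bytes) -> bool:
    """True iff stored_pub is the key derived from priv; a signer should refuse
    to pass any other value as the pub argument of the sign function."""
    return stored_pub == ed25519_public_key(priv)

# RFC 8032 test vector 1, used here as the stored key pair.
PRIV = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
PUB = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
TAMPERED_PUB = bytes([PUB[0] ^ 1]) + PUB[1:]   # constructed: one bit flipped
```

The same comparison can be done against Nettle with ed25519_sha512_public_key() when a key pair is loaded, so that a wrong pub value is caught before any signature is produced.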