Feature Request: crypto_sign_sk_is_valid()

[paragonie-security]

Background information

• https://old.reddit.com/r/crypto/comments/vfl2se/initial_impact_report_about_this_weeks_eddsa/
• https://github.com/MystenLabs/ed25519-unsafe-libs

In a lot of Ed25519 implementations, if you sign a message twice using the same Ed25519 secret seed (the first 32 bytes of the secret key) but a different public key (the remaining 32 bytes), you can create a condition like #170.

It also turns out to be possible to trigger the same misuse through libsodium; albeit, you have to go out of your way to do so.

<?php

$good1 = mb_substr(sodium_crypto_sign_keypair(), 0, 64, '8bit');
$good2 = mb_substr(sodium_crypto_sign_keypair(), 0, 64, '8bit');
$bad = mb_substr($good1, 0, 32, '8bit') . mb_substr($good2, 32, 32, '8bit');

$plaintext = 'This is just a test message';
$sig1 = sodium_crypto_sign_detached($plaintext, $good1);
$sig2 = sodium_crypto_sign_detached($plaintext, $good2);
$sig3 = sodium_crypto_sign_detached($plaintext, $bad);
var_dump(
    sodium_bin2hex($sig1),
    sodium_bin2hex($sig2),
    sodium_bin2hex($sig3)
);

Demo here: https://3v4l.org/VoREq

---

Given the above, I posit that it would be useful to have a feature to validate that a given secret key is valid (i.e. the public key portion does correspond to the given secret seed). This would mostly be helpful in wrapper libraries that want to assert that the Ed25519 secret key is valid, but only wants to assert it once at runtime (rather than updating the signing algorithm to check before every signing attempt).

Request

A new API (tentatively named crypto_sign_sk_is_valid()) which looks like this (except written by a more talented C programmer than me):

int crypto_sign_sk_is_valid(const char* sk, size_t sk_len) {
    unsigned char seed[crypto_sign_SEED_BYTES];
    unsigned char calc_sk[crypto_sign_SECRETKEYBYTES];
    unsigned char calc_pk[crypto_sign_PUBLICKEYBYTES];

    if (sk_len < crypto_sign_SECRETKEYBYTES) {
        return -1;
    }
    // Extract the seed from the secret key
    if (crypto_sign_ed25519_sk_to_seed(seed, sk) < 0) {
        return -1;
    }
    // Recalculate the keypair
    if (crypto_sign_seed_keypair(calc_pk, calc_sk, seed) < 0) {
        return -1;
    }
    // Compare the two in constant-time
    return sodium_memcmp(calc_sk, sk);
}

[jedisct1]

What is documented as the secret key in libsodium is actually the secret key followed by the public key. The seed is never documented as being the secret key. It's a seed, from which you get the 64 byte secret key.

I don't know of any bindings that does things differently. The secret key always includes a copy of the corresponding public key.

Who would be using an API that does the additional scalar multiplication?

• People not familiar with EdDSA internals - But these are people who wouldn't start truncating an internal representation to start with.

Who would not be using that API?

• Everybody else, due to the performance cost.