Invalid ed25519_pk generated by crypto_scalarmult_ed25519_base / crypto_sign_ed25519_sk_to_pk ?

[JinYi-Tsinghua]

The issue is that the ed25519_pk generated by crypto_sign_keypair / crypto_sign_ed25519_keypair is valid and can be used for verifying signatures, but a _pk seperately generated from the same _sk with crypto_scalarmult_ed25519_base or crypto_sign_ed25519_sk_to_pk is different and not able to verify signatures created by the secret key that created it.

Basically, it seems like to generate a proper _pk, the following primitives should be used, however they are not available in the library:
ge25519_p3 A;
ge25519_scalarmult_base(&A, sk);
ge25519_p3_tobytes(pk, &A);

The code is self explanatory. Compile and run, you will understand.

`
#include <string.h>
#include <sodium.h>

void test(const unsigned char ed25519_pk[32],const unsigned char ed25519_sk[32])
{
unsigned char message[] = "hello peoples of earth and the sun";
size_t message_len = strlen((char*)message);

unsigned char *message_signed = malloc(message_len + 1 + crypto_sign_BYTES);
unsigned long long message_signed_len;

int success = crypto_sign(message_signed,&message_signed_len,message,message_len,ed25519_sk);
printf("Signing return: %d\n",success);
success = crypto_sign_verify_detached(message_signed,message,message_len,ed25519_pk);
printf("Verification return: %d\n\n",success);

}

int main(void)
{
if (sodium_init() < 0)
exit(-1);

int ret;
unsigned char ed25519_pk[32];
unsigned char ed25519_sk[32];

ret = crypto_sign_ed25519_keypair(ed25519_pk,ed25519_sk); // alt: crypto_sign_keypair (same)
printf("crypto_sign_ed25519_keypair return: %d\n", ret);
test(ed25519_pk,ed25519_sk);

ret = crypto_scalarmult_ed25519_base(ed25519_pk,ed25519_sk);
printf("crypto_scalarmult_ed25519_base return: %d\n", ret);
test(ed25519_pk,ed25519_sk);

ret = crypto_sign_ed25519_sk_to_pk(ed25519_pk,ed25519_sk);
printf("crypto_sign_ed25519_sk_to_pk return: %d\n", ret);
test(ed25519_pk,ed25519_sk);

ret = crypto_scalarmult_ed25519_base_noclamp(ed25519_pk,ed25519_sk);
printf("crypto_scalarmult_ed25519_base_noclamp return: %d\n", ret);
test(ed25519_pk,ed25519_sk);

}

`

[JinYi-Tsinghua]

What I am really looking for, in the context of my project, is a way to verify the signatures with the ed25519_pk created by crypto_scalarmult_ed25519_base / crypto_sign_ed25519_sk_to_pk.

Essentially, a crypto_sign_verify_detached() that will work with the _pk created by crypto_scalarmult_ed25519_base / crypto_sign_ed25519_sk_to_pk.

[jedisct1]

The documentation on signatures say that the secret keys for signatures are crypto_sign_SECRETKEYBYTES bytes long.

That's 64 bytes, not the same as scalars for multiplications over Edwards25519 (crypto_scalarmult_ed25519_SCALARBYTES : 32 bytes), so these are different things.

The same documentation page mentions that secret keys contain a seed and a copy of the public key. Looking at the references on EdDSA given below, an EdDSA public key is computed as A^TRUNCATE(SHA512(seed), 256).

So, if you really want to use the crypto_scalarmult_ed25519_base function, you should create a seed, use crypto_hash_sha512(seed), truncate the result to the first 256 bits, and that's the scalar to use with crypto_scalarmult_ed25519_base() to get the public key.

But, then, you just rewrote the crypto_sign_seed_keypair() function.

[jedisct1]

unsigned char ed25519_pk[32];
unsigned char ed25519_sk[32];

Use the provided constants for sizes. In that example, crypto_sign_PUBLICBYTES and crypto_sign_SECRETBYTES.

That prevents vulnerabilities, such as here, giving a 32 bytes array to a function that is going to write 64 bytes.