Closed bgrieder closed 1 year ago
I had no time to go through the ECIES implementations in detail.
About the traits, I am a bit bothered by the confusion between being bytes and being serializable. What about:
```rust
/// Cryptographic bytes are bytes that are erased from memory on drop.
trait CBytes: ZeroizeOnDrop {
    /// Cryptographic bytes should be easy to dereference.
    fn as_bytes(&self) -> &[u8];
    /// Cryptographic bytes should be convertible from a slice.
    fn try_from_slice(bytes: &[u8]) -> Result<Self, _>;
}

trait FixedLengthCBytes: CBytes {
    const LENGTH: usize;
    fn to_bytes(&self) -> [u8; Self::LENGTH];
    fn into_bytes(self) -> [u8; Self::LENGTH];
    fn try_from_bytes(bytes: [u8; Self::LENGTH]) -> Result<Self, _>;
}

trait RandomBytes {
    fn random(rng: &mut impl CryptoRngCore) -> Self;
}

trait Serializable {
    fn write(&self, ...);
    fn read(...) -> Self;
}
```
Then:
CBytes
or FixedLengthCBytes
and RandomBytes
and Serializable
Serializable
I have checked that in the https://github.com/dalek-cryptography/x25519-dalek crate the private key Scalar is constructed from a clamped integer:
This method creates the Public key by first "clamping" the random bytes of the Ephemeral Key: https://github.com/dalek-cryptography/x25519-dalek/blob/f683cf4d501549bbfc7b24a2af7ebafb6dc0267b/src/x25519.rs#L108
The EdwardsPoint::mul_base_clamped() method is implemented here: https://github.com/dalek-cryptography/curve25519-dalek/blob/e111b5d913e8c857acf7589303f655f1fab2d64a/src/edwards.rs#L741
I have also confirmed that libsodium does the same thing, so I reverted all changes to clamping
AFAIC - This is ready for merging
Okay, I just found the mention of the clamping procedure (without naming it) on DJB's website about generating a random Curve25519 Scalar:
Computing secret keys. Inside your program, to generate a 32-byte Curve25519 secret key,
start by generating 32 secret random bytes from a cryptographically safe source:
mysecret[0], mysecret[1], ..., mysecret[31]. Then do
```c
mysecret[0] &= 248;
mysecret[31] &= 127;
mysecret[31] |= 64;
```
to create a 32-byte Curve25519 secret key mysecret[0], mysecret[1], ..., mysecret[31].
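As an added, dependency-free example (not code from this PR, x25519-dalek, curve25519-dalek or libsodium), here is the DJB clamping recipe quoted above written out in Rust, together with the three invariants it is meant to guarantee and a generation seam shaped like the `RandomBytes::random(rng)` trait proposed earlier in the thread. The function names `clamp_scalar`, `is_clamped`, `bit_length` and `secret_key_from` are our own, the closure passed to `secret_key_from` is a stand-in for `CryptoRngCore::fill_bytes`, and the byte pattern in `main` is a constructed sample, not CSPRNG output.

```rust
/// Clamp 32 random bytes into a Curve25519 secret scalar, exactly as in the
/// DJB recipe: mysecret[0] &= 248; mysecret[31] &= 127; mysecret[31] |= 64.
/// Added example for this page; not the dalek or libsodium implementation.
pub fn clamp_scalar(mut bytes: [u8; 32]) -> [u8; 32] {
    // Clear the three low bits: the scalar becomes a multiple of 8, the curve
    // cofactor, so a small-subgroup component of any input point is killed.
    bytes[0] &= 248;
    // Clear bit 255 so the little-endian integer is strictly below 2^255.
    bytes[31] &= 127;
    // Set bit 254 so every secret scalar has the same bit length (255 bits),
    // which keeps a constant-time Montgomery ladder's loop count data-independent.
    bytes[31] |= 64;
    bytes
}

/// The three invariants a clamped scalar must satisfy. Clamping is idempotent,
/// so checking this on an already-clamped key is cheap and harmless.
pub fn is_clamped(bytes: &[u8; 32]) -> bool {
    bytes[0] & 0b0000_0111 == 0     // multiple of 8
        && bytes[31] & 0x80 == 0    // bit 255 clear
        && bytes[31] & 0x40 != 0    // bit 254 set
}

/// Bit length of the little-endian integer encoded by `bytes`, without a
/// bignum library. For any clamped scalar this is exactly 255.
pub fn bit_length(bytes: &[u8; 32]) -> u32 {
    for i in (0..32).rev() {
        if bytes[i] != 0 {
            return i as u32 * 8 + (8 - bytes[i].leading_zeros());
        }
    }
    0
}

/// Generate a secret key from a byte source and clamp it, mirroring the shape
/// of `RandomBytes::random(rng)`. Assumption: `fill` stands in for
/// `CryptoRngCore::fill_bytes`; real code must pass a CSPRNG here.
pub fn secret_key_from<F: FnMut(&mut [u8])>(mut fill: F) -> [u8; 32] {
    let mut bytes = [0u8; 32];
    fill(&mut bytes);
    clamp_scalar(bytes)
}

fn main() {
    // Constructed sample standing in for 32 CSPRNG bytes (NOT secure randomness).
    let sample: [u8; 32] =
        core::array::from_fn(|i| (i as u8).wrapping_mul(37).wrapping_add(0x9d));
    let key = secret_key_from(|buf| buf.copy_from_slice(&sample));
    println!("raw[0]  = {:#010b}  clamped[0]  = {:#010b}", sample[0], key[0]);
    println!("raw[31] = {:#010b}  clamped[31] = {:#010b}", sample[31], key[31]);
    println!("raw clamped? {}  key clamped? {}  bit length {}",
             is_clamped(&sample), is_clamped(&key), bit_length(&key));
}
```

Because clamping is idempotent, a library may clamp at construction (as the thread describes for x25519-dalek) and again inside `mul_base_clamped()` without changing the key; the invariants checked by `is_clamped` are what the reverted "changes to clamping" must preserve, and a unit test asserting them on every generated key is the cheapest regression guard for this PR.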