fscoto
commented
4 years ago The actual secret key from which the public key is derived is 32 bytes in length. However, the signing algorithm requires that the public key is also be available in addition to the secret key.
NaCl and almost everything following it made it so that their “secret key” is the actual secret key (32 bytes) followed by the public key (32 bytes) for a total of 64 bytes in length. Monocypher strictly divides between the secret key and the public key, recreating the public key from the secret key at signing time.
If you need to interoperate secret keys between Monocypher and another library with 64-byte “secret keys”, the conversion is trivial:
- Monocypher secret key -> 64 byte secret key: Store 32 bytes of secret key followed by 32 bytes of public key;
- 64 byte secret key -> Monocypher: Take the first 32 bytes as secret key and the second 32 bytes as public key (or discard the second 32 bytes; Monocypher's
crypto_sign()and its Ed25519 equivalent will re-compute the necessary public key from the 32-byte secret key alone, though that's a speed penalty)
The reason behind all this is to (a) be pedantically correct, and (b) to allow a speed–memory trade-off: You can either store only the 32 byte actual secret key and take the speed penalty that every signign operation needs to compute the public key again, or you can store both the secret key and the public key and thus skip the recomputation of the public key at the cost of having to store an additional 32 bytes. This is mainly interesting for some embedded applications (think: secret key burnt into expensive fuses).
I hope that helps, feel free to ask for additional clarification.
kingsleyh
Hi
Another question about key lengths and javascript libs:
It seems that both the secret_key and the public_key are 32
The js library for TweetNacl generates a key_pair of private: 64 and public: 32 https://github.com/dchest/tweetnacl-js/blob/master/README.md#signatures
Am I looking at the correct keypair there that matches: crypto_ed25519_public_key ??
(The elliptic library also seems to have the same behaviour as tweetnacl)
So I'm wondering if I'm doing some wrong or if this is a genuine difference that means I will have to go with emscripten rather than existing js libraries?