dchest / tweetnacl-js

Port of TweetNaCl cryptographic library to JavaScript
https://tweetnacl.js.org
The Unlicense

Use post-hash 64-bytes signing key with Ed25519? #212

Closed Esya closed 2 years ago

Esya commented 3 years ago

Hi,

We want to implement BIP32-Ed25519 for hierarchical deterministic keys using Ed25519 - and will need to sign using the post-hash signing key (64 bytes, the left and right half, with the bits already cleared) without knowing the 32-byte seed.

It seems from the current API that this is not possible, yet the paper mentioned that in the original NaCl library it is.

Using the naming conventions from this article, we specifically need to sign using a and RH (the private scalar and the right half of the hash).

This Java implementation, for instance, exposes a way to instantiate a keypair from the h hash (left half and right half) directly.

Is there a way of doing this with tweetnacl as it is that I missed, and if not, what would be the recommended course of action?

Thanks

dchest commented 3 years ago

I had a quick look at the paper. It says:

We work with the extended private key (64-byte) k in Ed25519, instead of the original 32-byte key k. All extended keys have the bits set and cleared exactly as specified in [5]. Signing and verifying procedures remain the same as in Section III-B. However, some Ed25519 libraries have a signing function that takes the 32-byte k and expands it for every signing, while other libraries sign using the extended 64-bit k. Due to the way child Ed25519 keys are derived, they will not have the 32-byte master secret key. We note that the NaCl library [3] provides the necessary interface to the extended private key.

TweetNaCl.js indeed can use the extended 64-byte private key (nacl.sign.keyPair.fromSecretKey).
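
The signing operation asked about in this thread, as an added example that is not part of the thread and is not TweetNaCl.js code: RFC 8032 Ed25519 signing from the post-hash key (clamped scalar a followed by RH) with no access to the seed. The function names are hypothetical, the sample seed and message are constructed, and the BigInt arithmetic is not constant-time.

```javascript
// Added example: Ed25519 (RFC 8032) signing from the extended key a || RH.
// BigInt arithmetic is NOT constant-time; this shows the math, not a production signer.
const { createHash } = require('node:crypto');

const P = 2n ** 255n - 19n;
const L = 2n ** 252n + 27742317777372353535851937790883648493n; // group order
const mod = (x, m = P) => ((x % m) + m) % m;
const pow = (b, e, m) => {
  let r = 1n;
  for (b = mod(b, m); e > 0n; e >>= 1n, b = (b * b) % m) if (e & 1n) r = (r * b) % m;
  return r;
};
const inv = (x) => pow(x, P - 2n, P);
const D = mod(-121665n * inv(121666n));
const B = [0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51an, mod(4n * inv(5n))];

// Complete affine addition on -x^2 + y^2 = 1 + d*x^2*y^2 (also valid for doubling).
const add = ([x1, y1], [x2, y2]) => {
  const t = mod(((D * x1 * x2) % P) * y1 * y2);
  return [mod((x1 * y2 + x2 * y1) * inv(1n + t)), mod((y1 * y2 + x1 * x2) * inv(1n - t))];
};
const mul = (k, pt) => {
  let r = [0n, 1n]; // neutral element
  for (; k > 0n; k >>= 1n, pt = add(pt, pt)) if (k & 1n) r = add(r, pt);
  return r;
};
const toLE = (n) => Buffer.from(n.toString(16).padStart(64, '0'), 'hex').reverse();
const fromLE = (b) => BigInt('0x' + Buffer.from(b).reverse().toString('hex'));
const enc = ([x, y]) => toLE(y | ((x & 1n) << 255n)); // y with the sign bit of x on top
const H = (...parts) => fromLE(createHash('sha512').update(Buffer.concat(parts)).digest());

// What a seed-based library does internally: SHA-512, then clear/set the bits.
function expandSeed(seed) {
  const h = createHash('sha512').update(seed).digest();
  h[0] &= 248; h[31] &= 127; h[31] |= 64;
  return h; // bytes 0..31 = scalar a (little-endian), bytes 32..63 = RH
}
const publicFromExtended = (ext) => enc(mul(fromLE(ext.subarray(0, 32)), B));

// Sign with a || RH only; the 32-byte seed is never needed.
function signExtended(ext, msg) {
  const a = fromLE(ext.subarray(0, 32)), RH = ext.subarray(32, 64);
  const A = publicFromExtended(ext);
  const r = mod(H(RH, msg), L);          // nonce derived from RH and the message
  const R = enc(mul(r, B));
  const S = mod(r + mod(H(R, A, msg), L) * a, L);
  return Buffer.concat([R, toLE(S)]);    // 64-byte signature R || S
}

const SAMPLE_SEED = Buffer.alloc(32, 7);             // constructed sample input
const SAMPLE_MSG = Buffer.from('constructed message');
```

For a key that came from a seed, the output is byte-identical to a standard seed-based Ed25519 signature; a BIP32-Ed25519 child key has no seed, so a || RH is the only input available.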