paulmillr / noble-curves

Audited & minimal JS implementation of elliptic curve cryptography.
https://paulmillr.com/noble
MIT License

Feature: Allow more than 32 bytes to be passed as private key (seed) to Edwards curves #53

Closed mahnunchik closed 1 year ago

mahnunchik commented 1 year ago

Allow more than 32 bytes to be passed as private key (seed) to Edwards curves.

For the compatibility with elliptic implementation it would be helpful to be able to pass more than 32 bytes (64 bytes in my case) as a secret.

Edwards curves use a hash of the secret, so more bytes don't reduce security.

https://github.com/paulmillr/noble-curves/blob/62e806cfaf961f58161382351f4def4c0345fbd9/src/abstract/edwards.ts#L421

Proposed solution:

function getExtendedPublicKey(key: Hex, noCheck: boolean = false) {
    const len = nByteLength;
    if (!noCheck) {
      key = ensureBytes('private key', key, len);
    }

paulmillr commented 1 year ago

https://github.com/paulmillr/noble-curves/discussions/33

> For the compatibility with elliptic implementation

key.slice(0, 32)

mahnunchik commented 1 year ago

But sha512(secret) !== sha512(secret.slice(0, 32)) if secret has more than 32 bytes

paulmillr commented 1 year ago

Elliptic is wrong here. It's not standard. Other libraries who have 64-byte private keys split it into 32-byte secret and 32-byte public. If elliptic implements it like you've said, it has behavior which radically differs from everyone else.

Moreover, as you may know, elliptic eddsa implementation is broken, produces invalid results, and is not secure.
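
The two points made in this thread, as an added example that is not code from noble-curves, elliptic, or any participant: hashing a 64-byte secret gives a different expanded key than hashing its first 32 bytes, and a 64-byte input can only be safely reduced to a seed when it is the seed followed by the matching public key. It uses only Node.js built-in `crypto`; the function names and the sample byte strings are constructed for illustration.

```javascript
// Added example: Node.js built-in crypto only; all names here are illustrative.
const { createHash, createPrivateKey, createPublicKey, timingSafeEqual } = require('node:crypto');

// Fixed PKCS#8 DER header for an Ed25519 private key (RFC 8410); the 32-byte seed follows it.
const PKCS8_ED25519_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');

// Derive the raw 32-byte public key from a 32-byte seed.
function publicKeyFromSeed(seed) {
  const priv = createPrivateKey({
    key: Buffer.concat([PKCS8_ED25519_PREFIX, seed]),
    format: 'der',
    type: 'pkcs8',
  });
  const spki = createPublicKey(priv).export({ format: 'der', type: 'spki' });
  return spki.subarray(spki.length - 32); // raw key is the last 32 bytes of the SPKI
}

// Accept a 32-byte seed or a 64-byte seed||publicKey encoding; return the 32-byte seed.
// Any other 64-byte value is rejected instead of being silently truncated.
function normalizeEd25519Secret(key) {
  const bytes = Buffer.from(key);
  if (bytes.length === 32) return bytes;
  if (bytes.length !== 64) throw new Error(`expected 32 or 64 bytes, got ${bytes.length}`);
  const seed = bytes.subarray(0, 32);
  if (!timingSafeEqual(bytes.subarray(32), publicKeyFromSeed(seed))) {
    throw new Error('64-byte input is not seed||publicKey; refusing to truncate');
  }
  return seed;
}

// Does hashing the full secret give the same expanded key as hashing its first 32 bytes?
function sameExpandedKey(secret) {
  const full = createHash('sha512').update(secret).digest();
  const truncated = createHash('sha512').update(secret.subarray(0, 32)).digest();
  return full.equals(truncated);
}

// Constructed sample inputs (not real keys).
const sampleSeed = Buffer.alloc(32, 0x11);
const standard64 = Buffer.concat([sampleSeed, publicKeyFromSeed(sampleSeed)]);
const opaque64 = Buffer.alloc(64, 0x22);
```
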