Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ed: Change SigningKey::to_scalar back to SigningKey::to_scalar_bytes #599

Merged
merged 5 commits into from
Nov 14, 2023
Merged

ed: Change SigningKey::to_scalar back to SigningKey::to_scalar_bytes #599

merged 5 commits into from
Nov 14, 2023

Conversation

rozbb
Copy link
Contributor

@rozbb rozbb commented Nov 14, 2023

As mentioned in the conversation in #565, it is currently not clear how you would use a clamped and reduced scalar from SigningKey::to_scalar() to build an x25519 keypair. In fact, the test code in that thread shows that x25519_dalek::PublicKey::from(StaticScalar::from(sk.to_scalar().to_bytes())) does not match the ed25519 public key. This is because the second public key computation does clamping again, so it's clamp -> reduce -> clamp, which is not a no-op.

This PR replaces SigningKey::to_scalar() with SigningKey::to_scalar_bytes(), which returns the unreduced scalar bytes determined by the ed25519 secret key. This is actually how things used to be before #545, and what the docs (currently erroneously) reflect.

I've also added a regression test to the ed25519 tests.

@rozbb rozbb requested a review from tarcieri November 14, 2023 07:01
@tarcieri
Copy link
Contributor

This is a breaking change that would break running code, namely @dignifiedquire is using these conversions to instantiate a crypto_box using a Scalar originally computed as an Ed25519 key, via these APIs:

dalek-cryptography/ed25519-dalek#296

That's all working just fine and the existing API is useful.

If you really want to go through with this, you either need to deprecate to_scalar instead of just outright deleting it, or bump ed25519-dalek's major version to 3.

@tarcieri
Copy link
Contributor

To be clear: I'm fine with adding to_scalar_bytes, but I think it should be a purely additive change.

@rozbb
Copy link
Contributor Author

rozbb commented Nov 14, 2023

Ok agreed. I think simply adding it would be fine. And updating the docs on to_scalar

@rozbb
Copy link
Contributor Author

rozbb commented Nov 14, 2023

Alright, ready to review again

@rozbb rozbb merged commit 04f811a into main Nov 14, 2023
28 checks passed
@rozbb rozbb deleted the ed-privkey-to-scalar-fix branch November 14, 2023 18:23
This was referenced Nov 14, 2023
Closed
Merged
@rozbb rozbb restored the ed-privkey-to-scalar-fix branch February 7, 2024 01:10
@rozbb rozbb deleted the ed-privkey-to-scalar-fix branch February 7, 2024 01:11
mikelodder7 pushed a commit to mikelodder7/curve25519-dalek-ml that referenced this pull request Feb 17, 2024
@rozbb @mikelodder7
ed: Add back SigningKey::to_scalar_bytes (dalek-cryptography#599)
ea05b85 
* Brought back SigningKey::to_scalar_bytes; added regression test

* Updated SigningKey::to_scalar docs and tests
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tarcieri tarcieri tarcieri approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rozbb @tarcieri