Simon Josefsson <simon@josefsson.org> writes:
> I'd leave it at documenting the last part of your suggestion here: when you generate an EdDSA key pair, you should store the public key alongside the private key, and use that copy whenever it is needed. Don't throw away the public key (or be ready to re-generate it), and don't trust someone else's version of your public key.
Suggested doc update:
--- a/nettle.texinfo +++ b/nettle.texinfo @@ -5732,6 +5732,21 @@ the message first and pass the short message digest as input to the sign and verify functions, however, the resilience to hash collision is then lost.
+One subtle detail is that the public key is prepended to the message in +the signature process, but the public key is @emph{not} included in the +nonce generation. For this reason, it is essential that the @var{pub} +argument to @code{ed25519_sha512_sign} and @code{ed448_shake256_sign} is +always the same as the output of +@code{ed25519_sha512_public_key}/@code{ed448_shake256_public_key}. If +one ever signs the same message twice using the same private key but +with two different values for the @var{pub} input, enough private +information is leaked to let an attacker forge signatures. + +For best performance, it is preferable to compute the public key only +once, when the keypair is generated. It should then be stored together +with the private key so that it cannot be tampered with, to ensure that +the same, correct, value is available for every signing operation. + @defvr Constant ED25519_KEY_SIZE The size of a private or public Ed25519 key, 32 octets. @end defvr
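Review bot: In the second added paragraph, "stored together with the private key so that it cannot be tampered with" reads as if co-location alone prevents tampering, which only holds when the stored public key gets the same integrity protection as the private key. Suggest saying so explicitly, for example "stored together with the private key, and protected against modification in the same way". The paragraph also opens with "For best performance" although the preceding paragraph makes a matching @var{pub} a security requirement, so consider leading with the security reason and mentioning performance second. In the first paragraph, "@code{ed25519_sha512_public_key}/@code{ed448_shake256_public_key}" would read more clearly with "respectively", so each sign function is tied to its own key derivation function.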
Does that sound right?
Regards, /Niels
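The behaviour the suggested paragraph documents, as an added example that is not part of the original message or of nettle's code: a toy pure-Python Ed25519 following RFC 8032 (not constant time), with `sign` taking its arguments in the same order as nettle's sign function. `checked_sign` is a hypothetical guard that re-derives the public key and refuses a mismatched `pub`.

```python
import hashlib, hmac
# Added illustration: toy Ed25519 per RFC 8032, not constant time, not nettle's code.
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, -1, p) % p
Bx = 15112221349535400772501151409588531511454012693041857206046113283949847762202
By = 4 * pow(5, -1, p) % p
B = (Bx, By, 1, Bx * By % p)          # base point as (X, Y, Z, T)

def add(P, Q):                         # complete addition, extended coordinates
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    Bq = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C, D = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p
    E, F, G, Hh = Bq - A, D - C, D + C, Bq + A
    return (E * F % p, G * Hh % p, F * G % p, E * Hh % p)

def mul(s, P):                         # double-and-add scalar multiplication
    Q = (0, 1, 1, 0)
    while s:
        Q = add(Q, P) if s & 1 else Q
        P, s = add(P, P), s >> 1
    return Q

def enc(P):                            # 32-byte point encoding
    x, y = (c * pow(P[2], -1, p) % p for c in P[:2])
    return (y | (x & 1) << 255).to_bytes(32, "little")

def sha(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def expand(priv):                      # clamped scalar and nonce prefix
    h = hashlib.sha512(priv).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:]

def public_key(priv):
    return enc(mul(expand(priv)[0], B))

def sign(pub, priv, msg):
    a, prefix = expand(priv)
    r = sha(prefix, msg) % L           # nonce: pub is not an input
    R = enc(mul(r, B))
    h = sha(R, pub, msg) % L           # challenge: pub is an input
    return R + ((r + h * a) % L).to_bytes(32, "little")

def checked_sign(pub, priv, msg):      # hypothetical guard, not a nettle function
    if not hmac.compare_digest(pub, public_key(priv)):
        raise ValueError("pub does not match the private key")
    return sign(pub, priv, msg)
```

Signing the same message with a mismatched `pub` gives the same first 32 bytes (R) but a different second half (S), which is the condition the documentation warns about; the guard costs one extra scalar multiplication per signature.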