32bit seed required for crypto sign keypair instead of optional or enforced 64bit like crypto box
tomwoods opened this issue · 4 comments
I need to use Sha256 to generate the seed for a crypto sign keypair,
nacl.crypto_sign_keypair_from_seed(Uint8Array)
but I'm getting an error message saying that it's expecting a 32bit seed, instead of the 64bit from the Sha function. Is there any particular reason why we are requiring 32 instead of 64bit seeds?
Hi Tom,
The reason is that the Ed25519 signature scheme requires a 32-byte seed. (Incidentally, sha256 returns 32-byte values; nacl.crypto_hash is sha512, not sha256.) The reason crypto_sign_keypair_from_seed() is the way it is is to make it compatible with other nacl/libsodium bindings. Upon reflection, I think crypto_box_keypair_from_seed() should change to be more like the signing variant...
Here's an explanation of the key-generation process from Brian Warner's post on the topic:
Ed25519 keys start life as a 32-byte (256-bit) uniformly random binary seed (e.g. the output of SHA256 on some random input). The seed is then hashed using SHA512, which gets you 64 bytes (512 bits), which is then split into a “left half” (the first 32 bytes) and a “right half”. The left half is massaged into a curve25519 private scalar “a” by setting and clearing a few high/low-order bits. The pubkey is generated by multiplying this secret scalar by “B” (the generator), which yields a 32-byte/256-bit group element “A”.
As an aside: are you sure you need sha256 to construct your key seed? Such a simple hash function might not be a good idea. It might be better to use a pure random value (nacl.random_bytes(32)) or to use a proper PBKDF like scrypt.
Thanks, I'm probably doing something wrong, then. Maybe when I'm calling toString(), it's converting the output of SHA256 to hex that is causing the trouble.
Thanks for the suggestion. I'm using HMACSHA256, but since I get the same result when using SHA256, I decided to simplify the question.
I know there is something I'm not grasping. If I go to http://www.xorbin.com/tools/sha256-hash-calculator and create any hash, then copy it and paste it into http://mothereff.in/byte-counter, I'll get the same report that it's 64 bytes long. I assume because it's represented as hex and parsed as utf8. Maybe I should try and parse the hex from my HMACSHA256 into utf8, and then feed that into nacl.
Thanks again for your response!
Hi, just wanted to let you know that that was the issue. I converted the output of the SHA256 to latin1 then converted from latin1 and fed that into crypto sign keypair.
Thanks for a great library!
Cool. I'm glad you got it working!