Getting public key from private key via libnacl\libsodium (Python)

Hi all!

I wonder how to get the public key from a private key via libnacl\libsodium (Python).
There is already an amazing implementation by Gimre in pure Python.
I just want to try to develop this part by myself, so I have a few questions.

This is how I try to do this on my own:

Convert private key from hex into byte string.
Reverse this string.
Make Keccak (512 bits) hash from this byte string.
Perform call of crypto_sign_ed25519_sk_to_pk function from nacl\libsodium with this binary hash as parameter.

And here is the main problem: the hash is different from what is expected.

I also tried to call crypto_scalarmult_base with the hash as the parameter.
Shifting bytes (e.g. myhash[0] &= 0xF8) did not help either.
I suppose there is a difference in the scalar_multiplication function between pure Python and nacl\sodium.

Can you point out what I am missing?

Thank you a lot!

You should not use crypto_sign_ed25519_sk_to_pk; it probably uses a different hash inside…

maybe this will help you

more specifically:

P.S. you can find vectors in https://github.com/NemProject/nem-test-vectors

Thank you, Gimre! I appreciate your answer. This is the part I am afraid of: why the heck it uses its own hash part. I suppose that there is already some SHA hashing inside.
I will look at code, thanks again.

actually, looking at the docs, you’re probably misusing crypto_sign_ed25519_sk_to_pk, you probably should call in order:

  • crypto_sign_ed25519_sk_to_seed
  • crypto_sign_seed_keypair
  • crypto_sign_ed25519_sk_to_pk

BUT, as I’ve mentioned, crypto_sign_seed_keypair inside uses sha512, take a look:

If you look at the actual ed25519 paper, it does not define a hashing function (section 2: The signature system, EdDSA parameters), but existing implementations usually use sha512, because it’s easier than passing a hash into many of the functions used.

P.S. note that (besides hash and some memmoves) crypto_sign_ed25519_seed_keypair is almost exactly == KeyGenerator::derivePublicKey from vanitygen

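The point made in the reply above, as an added example that is not part of the original posts or of any NEM or libsodium code: an Ed25519 public-key derivation in pure Python with the hash passed in as a parameter, showing that the public key depends on which 512-bit hash expands the seed. The names `derive_public_key`, `hash_fn` and `reverse_seed` are hypothetical, and `hashlib.sha3_512` is only a stand-in for Keccak-512 (original Keccak pads differently from SHA-3, so it will not reproduce the NEM test vectors).

```python
import hashlib

P = 2**255 - 19                                  # field prime
D = -121665 * pow(121666, P - 2, P) % P          # curve constant d
BX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
BY = 4 * pow(5, P - 2, P) % P
B = (BX, BY, 1, BX * BY % P)                     # base point, extended coords

def point_add(p, q):
    """Unified addition on edwards25519 (also valid for doubling)."""
    a = (p[1] - p[0]) * (q[1] - q[0]) % P
    b = (p[1] + p[0]) * (q[1] + q[0]) % P
    c = 2 * p[3] * q[3] * D % P
    d = 2 * p[2] * q[2] % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def scalar_mult(s, p):
    """Double-and-add; not constant time, for study only."""
    q = (0, 1, 1, 0)                             # neutral element
    while s:
        if s & 1:
            q = point_add(q, p)
        p = point_add(p, p)
        s >>= 1
    return q

def encode_point(p):
    """Compress to 32 bytes: little-endian y with the sign of x in bit 255."""
    zinv = pow(p[2], P - 2, P)
    x, y = p[0] * zinv % P, p[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def derive_public_key(seed, hash_fn=hashlib.sha512, reverse_seed=False):
    """hash_fn and reverse_seed are hypothetical knobs for this example."""
    if reverse_seed:                             # step 2 of the first post
        seed = seed[::-1]
    h = bytearray(hash_fn(seed).digest()[:32])   # low half of the 512-bit hash
    h[0] &= 0xF8                                 # clamp, as in myhash[0] &= 0xF8
    h[31] = (h[31] & 0x7F) | 0x40
    return encode_point(scalar_mult(int.from_bytes(h, "little"), B))

# RFC 8032 test vector 1 (SHA-512, the hash the thread says libsodium uses)
SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
PK_SHA512 = derive_public_key(SEED)
# Same seed, different hash: hashlib.sha3_512 is a stand-in, NOT Keccak-512
PK_OTHER = derive_public_key(SEED, hashlib.sha3_512, reverse_seed=True)
```

To check a derivation against the vectors linked earlier in the thread, pass a real Keccak-512 constructor as `hash_fn` in place of the stand-in.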

Is there no way to use some patched library? So the only way is to use pure Python?