Search code examples
libsodiumed25519

Basic group arithmetic in libsodium

I am trying to implement a simple cryptographic primitive.

Under the following code: given sa, sk, hn, I want to compute sb: such that sg*G = (sb + sk . hn)*G.

However, after finding sb, the following equality does not hold: sb*G + (sk.hn)G = saG.

My understand stand is that in the exponent is arithmetic modulo the order of group instead of L.

However, I have a few questions relating to their implementation:

  1. why the scalar has to be chosen from [0,L] where L is the order of the subgroup?

  2. is there a "helper" function that multiplies two large scalar without performing modulo L?

int main(void)
{
    if (sodium_init() < 0) {
        /* panic! the library couldn't be initialized, it is not safe to use */
        return -1;
    }
    uint8_t sb[crypto_core_ed25519_SCALARBYTES];
    uint8_t sa[crypto_core_ed25519_SCALARBYTES];
    uint8_t hn[crypto_core_ed25519_SCALARBYTES];
    uint8_t sk[crypto_core_ed25519_SCALARBYTES];
    crypto_core_ed25519_scalar_random(sa); // s_a <- [0,l]
    crypto_core_ed25519_scalar_random(sk);  // sk  <- [0,l]
    crypto_core_ed25519_scalar_random(hn);  // hn  <- [0,l]

    uint8_t product[crypto_core_ed25519_SCALARBYTES];
    crypto_core_ed25519_scalar_mul(product, sk,hn);  // sk*hn
    crypto_core_ed25519_scalar_sub(sb, sa, product); // sb = sa-hn*sk

    uint8_t point1[crypto_core_ed25519_BYTES];
    crypto_scalarmult_ed25519_base(point1, sa);

    uint8_t point2[crypto_core_ed25519_BYTES];
    uint8_t sum[crypto_core_ed25519_BYTES];

    // equal
    // crypto_core_ed25519_scalar_add(sum, sb, product);
    // crypto_scalarmult_ed25519_base(point2, sum);

    // is not equal
    uint8_t temp1[crypto_core_ed25519_BYTES];
    uint8_t temp2[crypto_core_ed25519_BYTES];
    crypto_scalarmult_ed25519_base(temp1, sb);      // sb*G
    crypto_scalarmult_ed25519_base(temp2, product); //
    crypto_core_ed25519_add(point2, temp1, temp2);
    if(memcmp(point1, point2, 32) != 0)
    {
        printf("[-] Not equal ");
        return -1;
    }
    printf("[+] equal");

    return 0;
}
Solution

  • I got the answer from jedisct1 , the author of libsodium and I will post it here:

    crypto_scalarmult_ed25519_base() clamps the scalar (clears the 3 lower bits, set the high bit) before performing the multiplication.

    Use crypto_scalarmult_ed25519_base_noclamp() to prevent this.

    Or, even better, use the Ristretto group instead.