Add SecretToPublicKey function for ed25519

Also remove IsClamped. Clamping occurs with ed25519, but it happens inside the Donna code. It is not needed elsewhere for ed25519.

donna_32.cpp

@@ -1739,7 +1739,7 @@ int curve25519_mult_CXX(byte sharedKey[32], const byte secretKey[32], const byte
     using namespace CryptoPP::Donna::X25519;
 
     FixedSizeSecBlock<byte, 32> e;
-    for (size_t i = 0;i < 32;++i)
+    for (size_t i = 0; i < 32; ++i)
         e[i] = secretKey[i];
     e[0] &= 0xf8; e[31] &= 0x7f; e[31] |= 0x40;
 

xed25519.cpp

@@ -365,18 +365,12 @@ bool x25519::Agree(byte *agreedValue, const byte *privateKey, const byte *otherP
 
 // ******************** ed25519 Signer ************************* //
 
-void ed25519PrivateKey::ClampKeys(byte y[PUBLIC_KEYLENGTH], byte x[SECRET_KEYLENGTH]) const
+void ed25519PrivateKey::SecretToPublicKey(byte y[PUBLIC_KEYLENGTH], const byte x[SECRET_KEYLENGTH]) const
 {
-    x[0] &= 248; x[31] &= 127; x[31] |= 64;
     int ret = Donna::ed25519_publickey(y, x);
     CRYPTOPP_ASSERT(ret == 0); CRYPTOPP_UNUSED(ret);
 }
 
-bool ed25519PrivateKey::IsClamped(const byte x[SECRET_KEYLENGTH]) const
-{
-    return (x[0] & 248) == x[0] && (x[31] & 127) == x[31] && (x[31] | 64) == x[31];
-}
-
 bool ed25519PrivateKey::IsSmallOrder(const byte y[PUBLIC_KEYLENGTH]) const
 {
     return HasSmallOrder(y);
@@ -385,17 +379,14 @@ bool ed25519PrivateKey::IsSmallOrder(const byte y[PUBLIC_KEYLENGTH]) const
 bool ed25519PrivateKey::Validate(RandomNumberGenerator &rng, unsigned int level) const
 {
     CRYPTOPP_UNUSED(rng);
-    CRYPTOPP_ASSERT(IsClamped(m_sk) == true);
     CRYPTOPP_ASSERT(IsSmallOrder(m_pk) == false);
 
-    if (level >= 1 && IsClamped(m_sk) == false)
-        return false;
-    if (level >= 2 && IsSmallOrder(m_pk) == true)
+    if (level >= 1 && IsSmallOrder(m_pk) == true)
         return false;
     if (level >= 3)
     {
         SecByteBlock sk(m_sk, SECRET_KEYLENGTH), pk(PUBLIC_KEYLENGTH);
-        ClampKeys(pk, sk);
+        SecretToPublicKey(pk, sk);
 
         // Secret key is already clamped, bufs are equal
         if (VerifyBufsEqual(pk, m_pk, PUBLIC_KEYLENGTH) == false)
@@ -454,11 +445,10 @@ void ed25519PrivateKey::AssignFrom(const NameValuePairs &source)
         m_oid = oid;
     }
 
-    bool clamp = false;
-    if (source.GetValue("Clamp", clamp) && clamp == true)
-        ClampKeys(m_pk, m_sk);
+    bool derive = false;
+    if (source.GetValue("DerivePublicKey", derive) && derive == true)
+        SecretToPublicKey(m_pk, m_sk);
 
-    CRYPTOPP_ASSERT(IsClamped(m_sk) == true);
     CRYPTOPP_ASSERT(IsSmallOrder(m_pk) == false);
 }
 
@@ -469,7 +459,6 @@ void ed25519PrivateKey::GenerateRandom(RandomNumberGenerator &rng, const NameVal
         rng.IncorporateEntropy(seed.begin(), seed.size());
 
     rng.GenerateBlock(m_sk, SECRET_KEYLENGTH);
-    m_sk[0] &= 248; m_sk[31] &= 127; m_sk[31] |= 64;
     int ret = Donna::ed25519_publickey(m_pk, m_sk);
     CRYPTOPP_ASSERT(ret == 0); CRYPTOPP_UNUSED(ret);
 }
@@ -537,7 +526,6 @@ void ed25519PrivateKey::BERDecode(BufferedTransformation &bt)
     if (generatePublicKey)
         Donna::ed25519_publickey(m_pk, m_sk);
 
-    CRYPTOPP_ASSERT(IsClamped(m_sk) == true);
     CRYPTOPP_ASSERT(IsSmallOrder(m_pk) == false);
 }
 
@@ -601,7 +589,7 @@ void ed25519PrivateKey::SetPrivateExponent (const byte x[SECRET_KEYLENGTH])
 {
     AssignFrom(MakeParameters
         (Name::PrivateExponent(), ConstByteArrayParameter(x, SECRET_KEYLENGTH))
-        ("Clamp", true));
+        ("DerivePublicKey", true));
 }
 
 void ed25519PrivateKey::SetPrivateExponent (const Integer &x)
@@ -613,7 +601,7 @@ void ed25519PrivateKey::SetPrivateExponent (const Integer &x)
 
     AssignFrom(MakeParameters
         (Name::PrivateExponent(), ConstByteArrayParameter(bx, SECRET_KEYLENGTH, false))
-        ("Clamp", true));
+        ("DerivePublicKey", true));
 }
 
 const Integer& ed25519PrivateKey::GetPrivateExponent() const
@@ -635,7 +623,7 @@ ed25519Signer::ed25519Signer(const byte x[SECRET_KEYLENGTH])
 {
     AccessPrivateKey().AssignFrom(MakeParameters
         (Name::PrivateExponent(), ConstByteArrayParameter(x, SECRET_KEYLENGTH, false))
-        ("Clamp", true));
+        ("DerivePublicKey", true));
 }
 
 ed25519Signer::ed25519Signer(const Integer &y, const Integer &x)
@@ -661,7 +649,7 @@ ed25519Signer::ed25519Signer(const Integer &x)
 
     AccessPrivateKey().AssignFrom(MakeParameters
         (Name::PrivateExponent(), ConstByteArrayParameter(bx, SECRET_KEYLENGTH, false))
-        ("Clamp", true));
+        ("DerivePublicKey", true));
 }
 
 ed25519Signer::ed25519Signer(RandomNumberGenerator &rng)

xed25519.h

@@ -452,17 +452,6 @@ struct ed25519PrivateKey : public PKCS8PrivateKey
     void SetPrivateExponent(const Integer &x);
     const Integer& GetPrivateExponent() const;
 
-    /// \brief Clamp a private key
-    /// \param y public key
-    /// \param x private key
-    /// \details ClampKeys() clamps a private key and then regenerates the
-    ///   public key from the private key.
-    void ClampKeys(byte y[PUBLIC_KEYLENGTH], byte x[SECRET_KEYLENGTH]) const;
-
-    /// \brief Determine if private key is clamped
-    /// \param x private key
-    bool IsClamped(const byte x[SECRET_KEYLENGTH]) const;
-
     /// \brief Test if a key has small order
     /// \param y public key
     bool IsSmallOrder(const byte y[PUBLIC_KEYLENGTH]) const;
@@ -481,6 +470,10 @@ struct ed25519PrivateKey : public PKCS8PrivateKey
         return m_pk.begin();
     }
 
+protected:
+    // Create a public key from a private key
+    void SecretToPublicKey(byte y[PUBLIC_KEYLENGTH], const byte x[SECRET_KEYLENGTH]) const;
+
 protected:
     FixedSizeSecBlock<byte, SECRET_KEYLENGTH> m_sk;
     FixedSizeSecBlock<byte, PUBLIC_KEYLENGTH> m_pk;