Another ed25519 tweak: store secret keys in expanded format

This will be needed/helpful for the key blinding of prop224, I
believe.

src/common/crypto_ed25519.c

@@ -27,6 +27,15 @@ ed25519_secret_key_generate(ed25519_secret_key_t *seckey_out,
   return 0;
 }
 
+int
+ed25519_secret_key_from_seed(ed25519_secret_key_t *seckey_out,
+                             const uint8_t *seed)
+{
+  if (ed25519_ref10_seckey_expand(seckey_out->seckey, seed) < 0)
+    return -1;
+  return 0;
+}
+
 int
 ed25519_public_key_generate(ed25519_public_key_t *pubkey_out,
                         const ed25519_secret_key_t *seckey)

src/common/crypto_ed25519.h

@@ -8,7 +8,8 @@
 #include "torint.h"
 
 #define ED25519_PUBKEY_LEN 32
-#define ED25519_SECKEY_LEN 32
+#define ED25519_SECKEY_LEN 64
+#define ED25519_SECKEY_SEED_LEN 32
 #define ED25519_SIG_LEN 64
 
 /** An Ed25519 signature. */
@@ -35,6 +36,9 @@ typedef struct {
 #ifdef CURVE25519_ENABLED
 int ed25519_secret_key_generate(ed25519_secret_key_t *seckey_out,
                             int extra_strong);
+int ed25519_secret_key_from_seed(ed25519_secret_key_t *seckey_out,
+                                 const uint8_t *seed);
+
 int ed25519_public_key_generate(ed25519_public_key_t *pubkey_out,
                             const ed25519_secret_key_t *seckey);
 int ed25519_keypair_generate(ed25519_keypair_t *keypair_out, int extra_strong);

src/ext/ed25519/ref10/crypto_sign.h

@@ -2,6 +2,7 @@
 #define crypto_sign ed25519_ref10_sign
 #define crypto_sign_keypair ed25519_ref10_keygen
 #define crypto_sign_seckey ed25519_ref10_seckey
+#define crypto_sign_seckey_expand ed25519_ref10_seckey_expand
 #define crypto_sign_pubkey ed25519_ref10_pubkey
 #define crypto_sign_open ed25519_ref10_open
 

src/ext/ed25519/ref10/ed25519_ref10.h

@@ -4,6 +4,7 @@
 #include <torint.h>
 
 int ed25519_ref10_seckey(unsigned char *sk);
+int ed25519_ref10_seckey_expand(unsigned char *sk, const unsigned char *sk_seed);
 int ed25519_ref10_pubkey(unsigned char *pk,const unsigned char *sk);
 int ed25519_ref10_keygen(unsigned char *pk,unsigned char *sk);
 int ed25519_ref10_open(

src/ext/ed25519/ref10/keypair.c

@@ -8,22 +8,32 @@
 int
 crypto_sign_seckey(unsigned char *sk)
 {
-  randombytes(sk,32);
+  unsigned char seed[32];
+
+  randombytes(seed,32);
+
+  crypto_sign_seckey_expand(sk, seed);
+
+  memwipe(seed, 0, 32);
+
+  return 0;
+}
+
+int crypto_sign_seckey_expand(unsigned char *sk, const unsigned char *skseed)
+{
+  crypto_hash_sha512(sk,skseed,32);
+  sk[0] &= 248;
+  sk[31] &= 63;
+  sk[31] |= 64;
 
   return 0;
 }
 
 int crypto_sign_pubkey(unsigned char *pk,const unsigned char *sk)
 {
-  unsigned char az[64];
   ge_p3 A;
 
-  crypto_hash_sha512(az,sk,32);
-  az[0] &= 248;
-  az[31] &= 63;
-  az[31] |= 64;
-
-  ge_scalarmult_base(&A,az);
+  ge_scalarmult_base(&A,sk);
   ge_p3_tobytes(pk,&A);
 
   return 0;

src/ext/ed25519/ref10/sign.c

@@ -10,17 +10,11 @@ int crypto_sign(
   const unsigned char *sk,const unsigned char *pk
 )
 {
-  unsigned char az[64];
   unsigned char nonce[64];
   unsigned char hram[64];
   ge_p3 R;
 
-  crypto_hash_sha512(az,sk,32);
-  az[0] &= 248;
-  az[31] &= 63;
-  az[31] |= 64;
-
-  crypto_hash_sha512_2(nonce, az+32, 32, m, mlen);
+  crypto_hash_sha512_2(nonce, sk+32, 32, m, mlen);
 
   sc_reduce(nonce);
   ge_scalarmult_base(&R,nonce);
@@ -28,7 +22,7 @@ int crypto_sign(
 
   crypto_hash_sha512_3(hram, sig, 32, pk, 32, m, mlen);
   sc_reduce(hram);
-  sc_muladd(sig + 32,hram,az,nonce);
+  sc_muladd(sig + 32,hram,sk,nonce);
 
   return 0;
 }

src/test/test_crypto.c

@@ -1318,10 +1318,12 @@ test_crypto_ed25519_test_vectors(void *arg)
   for (i = 0; items[i].pk; ++i) {
     ed25519_keypair_t kp;
     ed25519_signature_t sig;
+    uint8_t sk_seed[32];
     uint8_t *msg;
     size_t msg_len;
-    base16_decode((char*)kp.seckey.seckey, sizeof(kp.seckey.seckey),
+    base16_decode((char*)sk_seed, sizeof(sk_seed),
                   items[i].sk, 64);
+    ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
     tt_int_op(0, ==, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
     test_memeq_hex(kp.pubkey.pubkey, items[i].pk);