[Cryptography] Question about crypto_sign_open (in tweetnacl.c)

Patrick Chkoreff pc at fexl.com
Sat Oct 27 10:45:33 EDT 2018

I noticed an intriguing technique used in crypto_sign_open in
tweetnacl.c.  On line 790 we have:

  FOR(i,n) m[i] = sm[i];

That's straightforward.  After that loop, m consists of the 64 byte
signature followed by the (64-n) byte message that was signed.  But then
watch this on line 791:

  FOR(i,32) m[i+32] = pk[i];

That loop overwrites the last 16 bytes of the signature with the first
16 bytes of the public key, and overwrites the first 16 bytes of the
message with the last 16 bytes of the public key.

I'm thinking that the overwriting on line 791 is done simply for the
purpose of "mixing it up" a bit prior to the call to crypto_hash on line
792, which computes the SHA-512 hash of m.  But knowing DJB's mindset as
I do, it's probably not arbitrary, and most likely protects against some
known possible weakness.  Can anyone elaborate on that?

Note of course that it obviously has to be done because of the gyrations
which occur in crypto_sign, otherwise the signature wouldn't verify.
But I'm wondering what sort of weakness is being guarded against here.

-- Patrick

More information about the cryptography mailing list