[Cryptography] Question about crypto_sign_open (in tweetnacl.c)

Patrick Chkoreff pc at fexl.com
Sat Oct 27 10:55:33 EDT 2018

I wrote:

> I noticed an intriguing technique used in crypto_sign_open in
> tweetnacl.c.  On line 790 we have:
>   FOR(i,n) m[i] = sm[i];
> That's straightforward.  After that loop, m consists of the 64 byte
> signature followed by the (64-n) byte message that was signed.  But then
> watch this on line 791:
>   FOR(i,32) m[i+32] = pk[i];
> That loop overwrites the last 16 bytes of the signature with the first
> 16 bytes of the public key, and overwrites the first 16 bytes of the
> message with the last 16 bytes of the public key.

Sorry, I misinterpreted that loop.  It overwrites the last 32 bytes of
the 64-byte signature with the contents of the 32-byte public key,
period.  It does not overwrite the message at all.

-- Patrick
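
Added example, not part of the original post and not code from tweetnacl.c beyond the two quoted loops: it runs those loops on a constructed 84-byte signed message and reports which offsets of `m` end up differing from `sm`. The helper names `build_hash_input`, `changed_span` and `demo`, and all sample byte values, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned char u8;
#define FOR(i,n) for (i = 0; i < n; ++i)

/* The two loops quoted in the post. m needs room for n bytes, and n >= 64. */
static void build_hash_input(u8 *m, const u8 *sm, size_t n, const u8 *pk)
{
  size_t i;
  FOR(i,n) m[i] = sm[i];        /* m = signature (64 bytes) || message */
  FOR(i,32) m[i+32] = pk[i];    /* bytes 32..63 of m now hold pk */
}

/* Count the bytes where m differs from sm and report the first and last offset. */
static size_t changed_span(const u8 *m, const u8 *sm, size_t n,
                           size_t *first, size_t *last)
{
  size_t i, count = 0;
  FOR(i,n) if (m[i] != sm[i]) {
    if (count == 0) *first = i;
    *last = i;
    ++count;
  }
  return count;
}

/* Constructed sample: signature halves 0x11 and 0x22, a 20-byte message of
   0x33, and a public key of 0xAA. None of these are real key material. */
static size_t demo(size_t *first, size_t *last, int *msg_intact)
{
  u8 sm[64 + 20], m[64 + 20], pk[32];
  memset(sm, 0x11, 32);
  memset(sm + 32, 0x22, 32);
  memset(sm + 64, 0x33, 20);
  memset(pk, 0xAA, 32);
  build_hash_input(m, sm, sizeof sm, pk);
  *msg_intact = (memcmp(m + 64, sm + 64, 20) == 0);
  return changed_span(m, sm, sizeof sm, first, last);
}

int main(void)
{
  size_t first = 0, last = 0;
  int intact = 0;
  size_t changed = demo(&first, &last, &intact);
  printf("changed=%zu first=%zu last=%zu message_intact=%d\n",
         changed, first, last, intact);
  return 0;
}
```

The changed span covers only the second half of the signature, so the buffer passed on for hashing is the first 32 signature bytes, then the public key, then the unmodified message.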

