Ed25519 keys have low entropy due to nettle-rs
I have opened a ticket on nettle-rs with more detail on nettle-rs#28 (closed), but in short I do not think Sequoia should be clamping Ed25519 keys. The code affected is here. By calling ed25519::private_key the keys end up being clamped twice, first by nettle-rs and second in the actual EdDSA scheme. The two fixes possible are:
- Don't call ed25519::private_key, and just generate 32 random bytes prefixed with 0x40;
- Call ed25519::private_key, but remove clamping and rename to "seed" or something similar for clarity.
```rust
(Curve::Ed25519, true) => {
    let mut public = [0u8; ED25519_KEY_SIZE + 1];
    let private: Protected =
        ed25519::private_key(&mut rng).into(); // <- Offender
```
Edited by Reisen
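An added example, not part of the original issue and not Sequoia or nettle-rs code: a std-only audit that counts how many bits clamping pins and flags stored Ed25519 seeds that were clamped before the EdDSA hash step. It assumes "clamping" means the standard Curve25519 clamp (clear the 3 low bits, clear bit 255, set bit 254); all function names and the sample seeds are constructed for illustration.

```rust
// Added example: not Sequoia or nettle-rs code; all names are hypothetical.
const SEED_LEN: usize = 32;

/// Standard Curve25519 clamp (assumed to be the clamping the issue refers to):
/// clear the 3 low bits, clear bit 255, set bit 254.
fn clamp(mut k: [u8; SEED_LEN]) -> [u8; SEED_LEN] {
    k[0] &= 0b1111_1000;
    k[31] &= 0b0111_1111;
    k[31] |= 0b0100_0000;
    k
}

/// Count the bits clamping forces to a constant. Clamping acts on each bit
/// independently, so a bit is forced exactly when all-zero and all-one
/// inputs give the same output bit.
fn bits_fixed_by_clamp() -> u32 {
    let (lo, hi) = (clamp([0x00; SEED_LEN]), clamp([0xff; SEED_LEN]));
    lo.iter().zip(hi.iter()).map(|(a, b)| (!(a ^ b)).count_ones()).sum()
}

/// A seed "looks clamped" when clamping leaves it unchanged. A uniformly
/// random 32-byte seed passes with probability 2^-5 (1 in 32).
fn looks_clamped(seed: &[u8; SEED_LEN]) -> bool {
    clamp(*seed) == *seed
}

/// Audit stored seeds: returns (seeds that look clamped, total seeds).
/// If every seed from one generator looks clamped, that generator is
/// almost certainly clamping before the EdDSA hash step.
fn audit(seeds: &[[u8; SEED_LEN]]) -> (usize, usize) {
    (seeds.iter().filter(|s| looks_clamped(s)).count(), seeds.len())
}

fn main() {
    // Constructed sample seeds (not real key material).
    let raw = [[0xff; SEED_LEN], [0x00; SEED_LEN], [0xa7; SEED_LEN]];
    let pre_clamped = raw.map(clamp);
    println!("bits fixed by clamp: {}", bits_fixed_by_clamp());
    println!("raw seeds:         {:?}", audit(&raw));
    println!("pre-clamped seeds: {:?}", audit(&pre_clamped));
    println!("seed entropy if pre-clamped: {} bits", 256 - bits_fixed_by_clamp());
}
```

Run over seeds produced by a single generator, a result of N out of N clamped seeds would occur by chance with probability 32^-N, so even a handful of keys separates a pre-clamping generator from one that emits raw random bytes.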