9

Looking at a reference implementation it shows that the key pair generation simply does: read X bytes from RNG and then derive another value from these X bytes thus producing private key with derived public key.

However nowhere in documentation I see mention of what qualifies as a “good” private key (or in this case RNG). Does it mean that any [random] N between 0 and up to 64 byte max value is a “good” private key? Or did I miss any description of how the good quality keys should be generated?

Asking this because this is rather different from for example how RSA keys are generated.

Alexey Kamenskiy
  • 237
  • 1
  • 6

1 Answers1

11

Yes.

In order to understand why, you need to understand how the public key is computed.

The secret key is a scalar. A fixed base point is multiplied by that scalar, and no matter what that scalar value is, you will always end up with a point in the same group as the base point.

You may want to avoid an all-zero secret key but the key space is so large that if the scalar comes from a PRG, this is not something you have to worry about.

The order of the group is 2^252 + 27742317777372353535851937790883648493. The secret should be considered modulo that value. Any secret key between 0 and that value will produce a unique public key.

The secret key can be a uniform value in that range but applications usually just generate a 256 bit key, which doesn't make any practical difference.

Note that most Ed25519 implementations mask the lower 3 bits ("clamping"). So 1 will produce the same public key as 2 or 3. This is a simple way to prevent small-subgroup attacks. But once again, most applications usually just generate 256 random bits, and don't really have to care about this.

Frank Denis
  • 3,073
  • 19
  • 19