Mismatch in ssh-ed25519's shared secret in the Go code and in the spec. #343
Replies: 1 comment 1 reply
-
Hello! Always glad to get additional implementations, whether public or not. A rewrite of the spec is really overdue to make it more clear, sorry about that. Please do open threads for anything that is not clear, even if you do figure it out. In the spec, the tweaked key is then used like a X25519 recipient, so the final secret is X25519(ephemeral, X25519(tweak, converted key)), which is the same as X25519(tweak, X25519(ephemeral, converted key)), because X25519 is commutative. (I regret the tweak in ssh-ed25519, I now can pretty clearly see it doesn't add any security, but it also doesn't cause any harm, so changing it is not worth the additional complexity, at least for now.)
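The equality the reply relies on can be checked directly. The following is an added example, not code from age or from either participant: it computes the shared secret in the spec's order, X25519(ephemeral, X25519(tweak, converted key)), in the order the Go code was read to use, X25519(tweak, X25519(ephemeral, converted key)), and on the identity side, X25519(tweak, X25519(recipient secret, ephemeral public key)), and confirms all three match while X25519(tweak, converted key) alone (the left-hand side of the inequality in the question) does not. The inputs are constructed constants: `recipientSecret` stands in for the X25519 form of the Ed25519 private key, and `tweak` stands in for the HKDF-derived tweak age uses; only Go's standard-library `crypto/ecdh` is needed.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"fmt"
)

// x25519 is the X25519 function: scalar multiplication of the Montgomery
// u-coordinate `point` by `scalar`. crypto/ecdh clamps the scalar as RFC 7748
// requires and rejects an all-zero result (low-order input point).
func x25519(scalar, point []byte) ([]byte, error) {
	curve := ecdh.X25519()
	priv, err := curve.NewPrivateKey(scalar)
	if err != nil {
		return nil, err
	}
	pub, err := curve.NewPublicKey(point)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// basePointMul returns X25519(scalar, basepoint), i.e. the public key for scalar.
func basePointMul(scalar []byte) ([]byte, error) {
	priv, err := ecdh.X25519().NewPrivateKey(scalar)
	if err != nil {
		return nil, err
	}
	return priv.PublicKey().Bytes(), nil
}

// Secrets holds the same shared secret computed in the three orders discussed
// in the thread, plus the intermediate value from the question's inequality.
type Secrets struct {
	SpecOrder     []byte // X25519(ephemeral, X25519(tweak, convertedKey))
	GoOrder       []byte // X25519(tweak, X25519(ephemeral, convertedKey))
	IdentityOrder []byte // X25519(tweak, X25519(recipientSecret, ephemeralPub))
	TweakedKey    []byte // X25519(tweak, convertedKey) on its own
}

// DeriveSecrets takes three 32-byte scalars (all constructed stand-ins here,
// not real age or SSH key material) and derives the secrets each way.
func DeriveSecrets(recipientSecret, tweak, ephemeral []byte) (*Secrets, error) {
	convertedKey, err := basePointMul(recipientSecret) // plays the converted Ed25519 key
	if err != nil {
		return nil, err
	}
	ephemeralPub, err := basePointMul(ephemeral) // what the recipient sees in the stanza
	if err != nil {
		return nil, err
	}
	tweakedKey, err := x25519(tweak, convertedKey) // spec: tweak the key first
	if err != nil {
		return nil, err
	}
	spec, err := x25519(ephemeral, tweakedKey) // spec: then use it like a X25519 recipient
	if err != nil {
		return nil, err
	}
	ephShared, err := x25519(ephemeral, convertedKey) // Go reading: ephemeral first
	if err != nil {
		return nil, err
	}
	goOrder, err := x25519(tweak, ephShared) // then the tweak
	if err != nil {
		return nil, err
	}
	idShared, err := x25519(recipientSecret, ephemeralPub) // identity side: own secret first
	if err != nil {
		return nil, err
	}
	identity, err := x25519(tweak, idShared) // then the tweak
	if err != nil {
		return nil, err
	}
	return &Secrets{SpecOrder: spec, GoOrder: goOrder, IdentityOrder: identity, TweakedKey: tweakedKey}, nil
}

// Agree reports whether all three orders produced the same 32-byte secret.
func (s *Secrets) Agree() bool {
	return bytes.Equal(s.SpecOrder, s.GoOrder) && bytes.Equal(s.SpecOrder, s.IdentityOrder)
}

func main() {
	// Constructed fixed scalars so the run is reproducible; any 32 bytes work.
	recipientSecret := bytes.Repeat([]byte{0x11}, 32)
	tweak := bytes.Repeat([]byte{0x22}, 32)
	ephemeral := bytes.Repeat([]byte{0x33}, 32)

	s, err := DeriveSecrets(recipientSecret, tweak, ephemeral)
	if err != nil {
		panic(err)
	}
	fmt.Printf("spec order:     %x\n", s.SpecOrder)
	fmt.Printf("go order:       %x\n", s.GoOrder)
	fmt.Printf("identity order: %x\n", s.IdentityOrder)
	fmt.Println("all three agree:", s.Agree())
	fmt.Println("tweaked key alone equals the final secret:", bytes.Equal(s.TweakedKey, s.SpecOrder))
}
```

The three orders agree because each is the clamped product of the same three scalars applied to the basepoint, and scalar multiplication commutes; the tweaked key on its own is missing the ephemeral scalar, which is why comparing it to the final secret shows a mismatch. A Java port only has to make sure its identity side applies the tweak to X25519(secret, ephemeral public key), in either order, and it will interoperate.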
-
Hi,
I am reimplementing (for private reasons) age in Java. There is something strange between the spec and the implementation.
In the spec:
In the go code:
The problem is that:
X25519(tweak, converted key) != X25519(tweak, X25519(ephemeral, converted key))
I might have misunderstood the Go code, or the spec, or both. Let me know if something is wrong here.
Regards