[curves] Generating nonces for Schnorr signatures

Watson Ladd watsonbladd at gmail.com
Wed Jun 25 21:57:04 PDT 2014


On Wed, Jun 25, 2014 at 4:37 PM, Trevor Perrin <trevp at trevp.net> wrote:
> So Ed25519 and Goldilocks are similar in generating the private scalar
> and signing nonce from a "master key":
>
> Ed25519
> --------
> private_scalar[32], nonce_key[32] = SHA512(master_key[32])
> sig_nonce[32] = SHA512(nonce_key[32] || message) % q
>
> Goldilocks
> --------
> private_scalar[56] = SHA512("derivepk" || masterkey[32])
> sig_nonce[56] = SHA512("signonce" || masterkey[32] || message ||
> masterkey[32]) % q
>
>
> Qs
> * Is it weird that the range for Goldilocks private scalar and nonce
> is size 2^256, rather than the size of the main subgroup (~2^446)?

I can't think of a way to break it. Bernstein mentions something similar
for curve25519, with s, md5(s) as the secret key.

Sincerely,
Watson Ladd

>
> Trevor
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves

-- 
"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
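
The Ed25519 derivation quoted above, as an added example that is not part of the original thread or of any Ed25519 implementation. The function names and the sample master key are made up for illustration; the clamping and little-endian decoding follow standard Ed25519 and do not appear in the quoted pseudocode.

```python
import hashlib

# Order of the Ed25519 prime-order subgroup (the "q" in the quoted pseudocode).
Q = 2**252 + 27742317777372353535851937790883648493


def derive_keys(master_key: bytes):
    """private_scalar[32], nonce_key[32] = SHA512(master_key[32])"""
    if len(master_key) != 32:
        raise ValueError("master_key must be exactly 32 bytes")
    h = hashlib.sha512(master_key).digest()
    a = bytearray(h[:32])
    # Standard Ed25519 clamping (assumption: omitted from the quoted pseudocode).
    a[0] &= 248    # clear the low 3 bits so the scalar is a multiple of the cofactor 8
    a[31] &= 127   # clear bit 255
    a[31] |= 64    # set bit 254
    return int.from_bytes(a, "little"), h[32:]


def sig_nonce(nonce_key: bytes, message: bytes) -> int:
    """sig_nonce[32] = SHA512(nonce_key[32] || message) % q"""
    digest = hashlib.sha512(nonce_key + message).digest()
    # The 512-bit digest is reduced mod q, so the bias of the result is negligible.
    return int.from_bytes(digest, "little") % Q


# Constructed sample input, not a real key.
SAMPLE_MASTER_KEY = bytes(range(32))

if __name__ == "__main__":
    scalar, nonce_key = derive_keys(SAMPLE_MASTER_KEY)
    r1 = sig_nonce(nonce_key, b"message one")
    r2 = sig_nonce(nonce_key, b"message two")
    # No RNG is consulted at signing time: the same (key, message) pair
    # always yields the same nonce, and distinct messages yield distinct nonces.
    print("same message, same nonce:", r1 == sig_nonce(nonce_key, b"message one"))
    print("different message, different nonce:", r1 != r2)
    print("nonce in [0, q):", 0 <= r1 < Q and 0 <= r2 < Q)
```
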