[curves] Generating nonces for Schnorr signatures

Mike Hamburg mike at shiftleft.org
Wed Jun 25 22:21:13 PDT 2014


On 6/25/2014 9:57 PM, Watson Ladd wrote:
>
> On Wed, Jun 25, 2014 at 4:37 PM, Trevor Perrin <trevp at trevp.net 
> <mailto:trevp at trevp.net>> wrote:
> > So Ed25519 and Goldilocks are similar in generating the private scalar
> > and signing nonce from a "master key":
> >
> > Ed25519
> > --------
> > private_scalar[32], nonce_key[32] = SHA512(master_key[32])
> > sig_nonce[32] = SHA512(nonce_key[32] || message) % q
> >
> > Goldilocks
> > --------
> > private_scalar[56] = SHA512("derivepk" || masterkey[32])
> > sig_nonce[56] = SHA512("signonce" || masterkey[32] || message ||
> > masterkey[32]) % q
> >
> >
> > Qs
> > * Is it weird that the range for Goldilocks private scalar and nonce
> > is size 2^256, rather than the size of the main subgroup (~2^446)?
>
> I can't think of a way to break it. Bernstein mentions something
> similar for curve25519, with s, md5(s) as the secret key.
>
The curve is designed to be ~2^223 secure.  If the scalar and nonce are 
chosen by a pseudorandom generator and function, respectively, with 
~2^256 security, then they are indistinguishable from random for an 
attacker acting within the security estimate.

-- Mike
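The two derivations summarized in the quoted message, written out as an added Python example (this is illustration added to the archive page, not code from the thread, from Ed25519, or from the Goldilocks library). The Ed25519 side follows the summary plus the scalar clamping that RFC 8032 specifies (the summary omits it); the group orders L and q, the little-endian byte order, and the decision to reduce the Goldilocks scalar modulo q are assumptions taken from RFC 8032 rather than from the page. The point of the reply is visible in the numbers: every nonce is reduced modulo a ~2^446 or ~2^252 order, but all of them are a function of a 32-byte master key, so the reachable set is at most 2^256, which is fine as long as SHA-512 behaves as a PRF.

```python
import hashlib
from typing import Tuple

# Group orders, assumed from RFC 8032 (the mail does not state them).
L_ED25519 = 2**252 + 27742317777372353535851937790883648493
Q_ED448 = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885


def ed25519_derive(master_key: bytes) -> Tuple[int, bytes]:
    """private_scalar[32], nonce_key[32] = SHA512(master_key[32]).

    Returns (private_scalar as int, nonce_key bytes).  The scalar is
    clamped as in RFC 8032 section 5.1.5, which the quoted summary omits.
    """
    if len(master_key) != 32:
        raise ValueError("Ed25519 master key must be 32 bytes")
    h = hashlib.sha512(master_key).digest()
    scalar_bytes = bytearray(h[:32])
    scalar_bytes[0] &= 248      # clear the low 3 bits (cofactor)
    scalar_bytes[31] &= 127     # clear bit 255
    scalar_bytes[31] |= 64      # set bit 254 (fixed top bit)
    private_scalar = int.from_bytes(scalar_bytes, "little")
    nonce_key = h[32:]
    return private_scalar, nonce_key


def ed25519_nonce(nonce_key: bytes, message: bytes) -> int:
    """sig_nonce = SHA512(nonce_key[32] || message) % q (little-endian)."""
    r = hashlib.sha512(nonce_key + message).digest()
    return int.from_bytes(r, "little") % L_ED25519


def goldilocks_derive(master_key: bytes) -> int:
    """private_scalar = SHA512("derivepk" || masterkey[32]).

    The summary writes a 56-byte scalar; here the 64-byte digest is read
    little-endian and reduced mod q (an assumption, not the library's code).
    """
    if len(master_key) != 32:
        raise ValueError("Goldilocks master key must be 32 bytes")
    h = hashlib.sha512(b"derivepk" + master_key).digest()
    return int.from_bytes(h, "little") % Q_ED448


def goldilocks_nonce(master_key: bytes, message: bytes) -> int:
    """sig_nonce = SHA512("signonce" || masterkey || message || masterkey) % q.

    Domain separation ("signonce" vs "derivepk") keeps the nonce hash and the
    scalar hash from ever sharing an input, and wrapping the message between
    two copies of the master key means the attacker-chosen message never sits
    at the end of the hashed input.
    """
    h = hashlib.sha512(b"signonce" + master_key + message + master_key).digest()
    return int.from_bytes(h, "little") % Q_ED448


def nonce_entropy_bits(master_key: bytes) -> int:
    """Upper bound on the entropy of any value derived from master_key:
    it cannot exceed the key length, whatever the group order is."""
    return 8 * len(master_key)


if __name__ == "__main__":
    mk = bytes(range(32))                      # constructed sample master key
    s, nk = ed25519_derive(mk)
    print("ed25519 scalar bits:", s.bit_length())
    print("ed25519 nonce for 'hello':", ed25519_nonce(nk, b"hello"))
    print("goldilocks nonce for 'hello':", goldilocks_nonce(mk, b"hello"))
    print("reachable nonce entropy (bits):", nonce_entropy_bits(mk))
    print("ed25519 order bits:", L_ED25519.bit_length(),
          "ed448 order bits:", Q_ED448.bit_length())
```

Running it shows deterministic, per-message nonces in both schemes and that the nonce ranges (252 and 446 bits) are both wider than the 256 bits of entropy that can actually reach them from the master key.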