[curves] EdDSA specification
Ron Garret
ron at flownet.com
Thu Oct 20 19:52:19 PDT 2016
You derive DSA keys from DH keys using the bilateral equivalence relation and setting the sign bit to zero. Why not instead go the other way and derive DH keys from DSA keys? That way you get to keep the sign bit. One bit is not a big deal, but was there a reason for going DH->DSA instead of the other way?
On Oct 20, 2016, at 4:41 PM, Trevor Perrin <trevp at trevp.net> wrote:
> Hi curves,
>
> I'm happy to announce that a spec for the "XEd25519" signature
> algorithm used in Signal is available at [1].
>
> Based on ideas this list has discussed a few times, this allows
> signing and verifying Ed25519 signatures with X25519 key pairs, which
> gives a single format for key pairs, and may even allow a single key
> pair for DH and signatures in some cases.
>
> The document also generalizes this signature algorithm to the 448
> curve, and extends it to include VRF functionality, which Signal might
> use in the future. These extensions are somewhat new, and should
> probably get more public review before people rush to implement.
>
> Feedback is welcome!
>
> If we get editorial or design feedback that is too detailed for this
> list, we may create a more specific list for feedback.
>
> Code implementing XEd25519 and VXEd25519 (the VRF extension) can be
> found in [1].
>
> Trevor
>
> [1]
> https://whispersystems.org/docs/
> https://whispersystems.org/docs/specifications/xeddsa/
>
> [2]
> https://github.com/WhisperSystems/curve25519-java/
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves
More information about the Curves
mailing list