[curves] XEdDSA specification
Mike Hamburg
mike at shiftleft.org
Fri Oct 21 11:08:18 PDT 2016
> On Oct 20, 2016, at 11:51 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> (Changing title)
>
> On Thu, Oct 20, 2016 at 10:52 PM, Ron Garret <ron at flownet.com> wrote:
>> You derive DSA keys from DH keys using the bilateral equivalence relation and setting the sign bit to zero. Why not instead go the other way and derive DH keys from DSA keys? That way you get to keep the sign bit. One bit is not a big deal, but was there a reason for going DH->DSA instead of the other way?
>
> Sure, it allows the Montgomery ladder for DH, see discussion at
> beginning of 2.3.
>
> Trevor
Of course, you can use the Montgomery ladder with Edwards y coordinates too. It’s pretty much the same formulas and the same loop. It just requires an extra multiply per bit.
The reason to use XEdDSA is to retrofit signatures on an existing PKI that distributes X25519 keys.
— Mike
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3693 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20161021/3cfeed9e/attachment.bin>
More information about the Curves
mailing list