[curves] XEdDSA specification
mike at shiftleft.org
Fri Oct 21 11:08:18 PDT 2016
> On Oct 20, 2016, at 11:51 PM, Trevor Perrin <trevp at trevp.net> wrote:
> (Changing title)
> On Thu, Oct 20, 2016 at 10:52 PM, Ron Garret <ron at flownet.com> wrote:
>> You derive DSA keys from DH keys using the bilateral equivalence relation and setting the sign bit to zero. Why not instead go the other way and derive DH keys from DSA keys? That way you get to keep the sign bit. One bit is not a big deal, but was there a reason for going DH->DSA instead of the other way?
> Sure, it allows the Montgomery ladder for DH, see discussion at
> beginning of 2.3.
Of course, you can use the Montgomery ladder with Edwards y coordinates too. It’s pretty much the same formulas and the same loop. It just requires an extra multiply per bit.
The reason to use XEdDSA is to retrofit signatures on an existing PKI that distributes X25519 keys.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3693 bytes
Desc: not available
More information about the Curves