[curves] EdDSA specification
brian at briansmith.org
Wed Oct 26 23:08:28 PDT 2016
Trevor Perrin <trevp at trevp.net> wrote:
> The document also generalizes this signature algorithm to the 448
> curve, and extends it to include VRF functionality, which Signal might
> use in the future. These extensions are somewhat new, and should
> probably get more public review before people rush to implement.
In the motivation for the randomized scheme, the document says "However, if
the same message is signed repeatedly, a glitch that affects the
calculation of h could cause this to happen (an observation due to Benedikt
Schmidt)." Could you provide a reference to a paper/message that explains
what is being referred to here, and/or add a description of the issue to
In xeddsa_sign, why set:
r = hash1(a || M || Z)
instead of one of:
r = hash1(Z || a || m)
r = hash1(a || Z || M)?
It seems like it would be better to incorporate the randomness into the
state of the hash function as early as possible to reduce risk of some
(non-timing) differential side-channel attacks on the hashing step.
Why is Z fixed at 64 bytes? That is, why is its length not a function of
the size of the key and/or the digest function output length?
Do you have any suggestions for how one would mark a key as to whether it
is intended to be used for X25519 and/or EdDSA and/or XEdDSA and/or VXEdDSA?
The security considerations say that the caller "must pass in a new secret
and random 64 byte value each time the signing function is called." I
suggest s/64 byte value/**Z**/. Also, it would be nice to clarify the
extent of the badness if a Z value were to be reused.
Would you be open to using a different name than `q` for the order of the
base point? `q` is commonly used in code and specifications to refer to
what this paper calls `p`. Another name would be less confusing. The EdDSA
RFC uses `L`, IIRC.
Section 2.5 says "since the first |p| bits encode an integer greater than
p." I think it would be useful to add a clarification such as "(This is why
it is required 2**|p| - 1 - i > p.)" or otherwise clarify the motivation
for that precondition.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Curves