[curves] Finalizing XEdDSA
Trevor Perrin
trevp at trevp.net
Wed Nov 2 17:23:14 PDT 2016
On Wed, Nov 2, 2016 at 4:53 PM, Brian Smith <brian at briansmith.org> wrote:
>
> Yes, I found (and find) it confusing that XEd448 is different than Ed448 in
> obvious ways, but yet a of XEdDSA is to be co,[compatible with EdDSA in some
> way. More on the equivalence of Ed25519 and XEd25119 below.
Yeah, I'd prefer Ed448 to be the equivalent of Ed25519 for the X448
curve (equivalent curve; same input encoding; same hash). But that's
up to the IETF.
> Assuming I didn't make a huge mistake, here's another factoring of the logic
> that shows that XEd22519 signing can be used with either XEd25519 keys or
> Ed25519 keys. In particular, the randomization of the nonce and the
> derivation of an Ed25519 key from an X25519 key are orthogonal
Sure, agreed that handling of nonce, and public key, are orthogonal.
Trevor
More information about the Curves
mailing list