<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 6/25/2014 9:57 PM, Watson Ladd
wrote:<br>
</div>
<blockquote
cite="mid:CACsn0cmZ4rY8WjnBgpQhwLn1hB4S++fsoPmHStwUPR-7ZgA4kQ@mail.gmail.com"
type="cite">
<p dir="ltr">On Wed, Jun 25, 2014 at 4:37 PM, Trevor Perrin &lt;<a
moz-do-not-send="true" href="mailto:trevp@trevp.net">trevp@trevp.net</a>&gt;
wrote:<br>
> So Ed25519 and Goldilocks are similar in generating the
private scalar<br>
> and signing nonce from a "master key":<br>
><br>
> Ed25519<br>
> --------<br>
> private_scalar[32], nonce_key[32] = SHA512(master_key[32])<br>
> sig_nonce[32] = SHA512(nonce_key[32] || message) % q<br>
><br>
> Goldilocks<br>
> --------<br>
> private_scalar[56] = SHA512("derivepk" || masterkey[32])<br>
> sig_nonce[56] = SHA512("signonce" || masterkey[32] ||
message ||<br>
> masterkey[32]) % q<br>
><br>
><br>
> Qs<br>
> * Is it weird that the range for Goldilocks private scalar
and nonce<br>
> is size 2^256, rather than the size of the main subgroup
(~2^446)?</p>
<p dir="ltr">I can't think of a way to break it. Bernstein
mentions something similar for curve25519, with s, md5 (s) as
the secret key.<br>
</p>
</blockquote>
The curve is designed to be ~2^223 secure. If the scalar and nonce
are chosen by a pseudorandom generator and function, respectively,
with ~2^256 security, then they are indistinguishable from random
for an attacker acting within the security estimate.<br>
<br>
-- Mike<br>
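<p>The two derivations Trevor sketches above, written out in Python as an added example; this is not code from the thread or from either library. The byte order used to turn a SHA-512 digest into an integer, the constructed master key, and the helper names are assumptions, and the Ed25519 branch follows the mail's sketch rather than the full standard (which also clamps the scalar). The group orders are the ones RFC 8032 gives for Ed25519 and Ed448. The last function collects the properties a deterministic-nonce scheme is meant to guarantee: the nonce is reduced into the group order, it is repeatable for the same key and message, and it changes with the message, which is what rules out nonce reuse across signatures.</p>

```python
import hashlib

# Group orders from RFC 8032 (Ed25519 section 5.1, Ed448 section 5.2).
Q_25519 = 2**252 + 27742317777372353535851937790883648493
Q_448 = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885


def _to_int(digest: bytes) -> int:
    # Assumption: little-endian, as Ed25519 does; the mail does not state it.
    return int.from_bytes(digest, "little")


def ed25519_derive(master_key: bytes, message: bytes):
    """private_scalar[32], nonce_key[32] = SHA512(master_key[32])
    sig_nonce = SHA512(nonce_key || message) % q  (mail's sketch; no clamping)."""
    assert len(master_key) == 32
    h = hashlib.sha512(master_key).digest()
    private_scalar, nonce_key = h[:32], h[32:]
    sig_nonce = _to_int(hashlib.sha512(nonce_key + message).digest()) % Q_25519
    return private_scalar, nonce_key, sig_nonce


def goldilocks_derive(master_key: bytes, message: bytes):
    """private_scalar[56] = SHA512("derivepk" || masterkey[32])
    sig_nonce[56] = SHA512("signonce" || masterkey || message || masterkey) % q.
    SHA-512 yields 64 bytes; the mail's [56] is taken here as truncation."""
    assert len(master_key) == 32
    private_scalar = hashlib.sha512(b"derivepk" + master_key).digest()[:56]
    sig_nonce = _to_int(
        hashlib.sha512(b"signonce" + master_key + message + master_key).digest()
    ) % Q_448
    return private_scalar, sig_nonce


def nonce_properties(derive, q: int, master_key: bytes, msg_a: bytes, msg_b: bytes):
    """Sanity checks for a deterministic-nonce scheme (helper name is ours):
    in range for the group, repeatable, and bound to the message."""
    n_a1 = derive(master_key, msg_a)[-1]
    n_a2 = derive(master_key, msg_a)[-1]
    n_b = derive(master_key, msg_b)[-1]
    return {
        "in_range": 0 <= n_a1 < q,
        "deterministic": n_a1 == n_a2,
        "message_bound": n_a1 != n_b,
    }


if __name__ == "__main__":
    # Constructed master key for illustration only; never use a fixed key.
    mk = bytes(range(32))
    print(nonce_properties(ed25519_derive, Q_25519, mk, b"msg one", b"msg two"))
    print(nonce_properties(goldilocks_derive, Q_448, mk, b"msg one", b"msg two"))
```

<p>Note that in the Goldilocks branch the scalar and nonce are 448-bit strings but carry at most the 256 bits of entropy in the master key, which is the point of Trevor's question and of Mike's answer: a ~2^256 pseudorandom derivation is indistinguishable from random to an attacker bounded by the curve's ~2^223 security level.</p>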
</body>
</html>