[curves] XEdDSA specification

Ron Garret ron at flownet.com
Fri Oct 21 13:27:38 PDT 2016

On Oct 21, 2016, at 11:08 AM, Mike Hamburg <mike at shiftleft.org> wrote:

>> On Oct 20, 2016, at 11:51 PM, Trevor Perrin <trevp at trevp.net> wrote:
>> (Changing title)
>> On Thu, Oct 20, 2016 at 10:52 PM, Ron Garret <ron at flownet.com> wrote:
>>> You derive DSA keys from DH keys using the bilateral equivalence relation and setting the sign bit to zero.  Why not instead go the other way and derive DH keys from DSA keys?  That way you get to keep the sign bit.  One bit is not a big deal, but was there a reason for going DH->DSA instead of the other way?
>> Sure, it allows the Montgomery ladder for DH, see discussion at
>> beginning of 2.3.
>> Trevor
> Of course, you can use the Montgomery ladder with Edwards y coordinates too.  It’s pretty much the same formulas and the same loop.  It just requires an extra multiply per bit.

I think both of you misinterpreted my question.  I understand why you would want to use one form for DH and the other for DSA.  What I didn’t understand was why you would want to make the DH form primary and derive the DSA from from it rather than the other way around.  (I was particularly interested in this because I do it the other way around in SC4 and I wanted to make sure there was not some cryptographic reason to prefer DH->DSA that I was not aware of.)

> The reason to use XEdDSA is to retrofit signatures on an existing PKI that distributes X25519 keys.

That is the answer I was looking for.  Thanks!


More information about the Curves mailing list