[curves] Finalizing XEdDSA

Trevor Perrin trevp at trevp.net
Tue Nov 1 10:07:16 PDT 2016


On Tue, Nov 1, 2016 at 7:14 AM, Peter Schwabe <peter at cryptojedi.org> wrote:
> Trevor Perrin <trevp at trevp.net> wrote:
>> One last tweak to consider is clearing the cofactor in verification.
>> Currently XEdDSA does "cofactorless verification", i.e. it takes a
>> signature (R, s) and checks R == sB - hA.  We could change it to cR ==
>> c(sB - hA).  VXEdDSA would be unchanged.
[...]
>
> The Ed25519 paper says
>
>   "The verifier is /permitted/ to check this stronger equation and
>   to reject alleged signatures where the stronger equation does not
>   hold. However, this is not /required/; checking that
>   8SB=8R+8H(\encode{R},\encode{A},M)A is enough for security."
>
>
> You could decide to do the same; allowing both for verification in the
> specification and leaving the choice to the implementation.

Hi Peter,

That's an option. But I think we'd rather specify rigid behavior, in
case this gets used in an anonymity context where different
implementation choices leak info.

So while this is an annoying and slightly arbitrary decision, I think
we should just commit to one approach.

Trevor
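
The two verification rules quoted in this message, as an added example (not code from the post or from the XEdDSA specification): it builds one constructed signature on which the cofactorless check R == sB - hA and the cofactored check cR == c(sB - hA) disagree, which is the kind of implementation difference a rigid specification removes. It assumes the Ed25519 group parameters from RFC 8032 and a SHA-512 challenge h = H(R || A || M) mod L; the scalars, message and function names are made up for illustration.

```python
import hashlib

# Ed25519 group parameters (RFC 8032); XEdDSA signatures live in the same group.
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493   # order of B
d = -121665 * pow(121666, p - 2, p) % p
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     4 * pow(5, p - 2, p) % p)
IDENTITY, T2 = (0, 1), (0, p - 1)   # neutral element; the point of order 2

def add(P, Q):   # complete twisted Edwards addition (a = -1), affine coordinates
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p) % p)

def mul(k, P):   # double-and-add; not constant time, for illustration only
    Q = IDENTITY
    while k:
        if k & 1:
            Q = add(Q, P)
        P, k = add(P, P), k >> 1
    return Q

def enc(P):   # 32 bytes: y little-endian, low bit of x in the top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def challenge(R, A, M):   # h = SHA-512(R || A || M) mod L
    return int.from_bytes(hashlib.sha512(enc(R) + enc(A) + M).digest(), "little") % L

def verify(A, M, R, s, c):
    """c=1: R == sB - hA (cofactorless); c=8: cR == c(sB - hA) (cofactored)."""
    hA = mul(challenge(R, A, M), A)
    rhs = add(mul(s, B), (-hA[0] % p, hA[1]))   # sB - hA
    return mul(c, R) == mul(c, rhs)

def sign(a, r, M, T=IDENTITY):
    """Constructed signer: R = rB + T; T = IDENTITY gives an ordinary signature."""
    A, R = mul(a, B), add(mul(r, B), T)
    return A, R, (r + challenge(R, A, M) * a) % L

a, r, M = 0x1234567, 0x89abcdef, b"constructed message"   # constructed test values

def verdicts(T):   # (cofactorless, cofactored) results for a signature with offset T
    A, R, s = sign(a, r, M, T)
    return verify(A, M, R, s, 1), verify(A, M, R, s, 8)

print("R = rB     :", verdicts(IDENTITY))   # both rules accept
print("R = rB + T2:", verdicts(T2))         # only the cofactored rule accepts
```

Because c·T2 is the neutral element for c = 8, the small-order component vanishes from the cofactored equation but not from the cofactorless one, so two verifiers following different rules return different answers for the same bytes.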

