[curves] Finalizing XEdDSA

Brian Smith brian at briansmith.org
Fri Nov 4 00:36:22 PDT 2016

Trevor Perrin <trevp at trevp.net> wrote:

> On Wed, Nov 2, 2016 at 4:53 PM, Brian Smith <brian at briansmith.org> wrote:
> > Assuming I didn't make a huge mistake, here's another factoring of the
> logic
> > that shows that XEd22519 signing can be used with either XEd25519 keys or
> > Ed25519 keys. In particular, the randomization of the nonce and the
> > derivation of an Ed25519 key from an X25519 key are orthogonal
> Sure, agreed that handling of nonce, and public key, are orthogonal.

Just to be clear: hash_1(x) is used whenever randomized nonces are use,
regardless of whether compute_key_pair is used to derive an EdDSA key from
an X25519/X448 key, right? And conversely, if one derives an EdDSA keypair
from an X25519 keypair, but doesn't use a randomized nonce, then just
regular EdDSA should be used, instead of XEdDSA?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20161103/447f0970/attachment.html>

More information about the Curves mailing list