[curves] Finalizing XEdDSA
Brian Smith
brian at briansmith.org
Fri Nov 4 00:36:22 PDT 2016
Trevor Perrin <trevp at trevp.net> wrote:
> On Wed, Nov 2, 2016 at 4:53 PM, Brian Smith <brian at briansmith.org> wrote:
> > Assuming I didn't make a huge mistake, here's another factoring of the
> logic
> > that shows that XEd22519 signing can be used with either XEd25519 keys or
> > Ed25519 keys. In particular, the randomization of the nonce and the
> > derivation of an Ed25519 key from an X25519 key are orthogonal
>
> Sure, agreed that handling of nonce, and public key, are orthogonal.
>
Just to be clear: hash_1(x) is used whenever randomized nonces are use,
regardless of whether compute_key_pair is used to derive an EdDSA key from
an X25519/X448 key, right? And conversely, if one derives an EdDSA keypair
from an X25519 keypair, but doesn't use a randomized nonce, then just
regular EdDSA should be used, instead of XEdDSA?
Cheers,
Brian
--
https://briansmith.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20161103/447f0970/attachment.html>
More information about the Curves
mailing list