[curves] Ed25519 "clamping" and its effect on hierarchical key derivation
bascule at gmail.com
Wed Mar 29 11:49:57 PDT 2017
On Tue, Mar 28, 2017 at 5:25 PM, Trevor Perrin <trevp at trevp.net> wrote:
> So maybe the question is how much you care about spending a little
> extra effort in key derivation to make the keys a little safer with
> existing DH software? I.e., do you multiply by the scalar as part of
> derivation, or leave that for a future DH operation?
This is what has always confused me: the clamping procedure used by Ed25519
seems "inherited" from X25519, ostensibly for some case where you may
want to take an Ed25519 key, convert it to an X25519 key, and use it for
D-H. Aside from libsodium providing an API for doing so, I haven't actually
seen anyone do this.
It seems like if you want to support a scheme which works for both
signatures and D-H, maybe it would be better to define the scheme in terms
of Montgomery, so it can be used directly with X25519, and then use
XEd25519 for signatures.
I think most people interested in an "Ed25519-BIP32"-style construction are
interested exclusively in signatures.
 See ("Computing secret keys") https://cr.yp.to/ecdh.html
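The clamping step from "Computing secret keys", and what a plain additive derivation step does to it, as an added example that is not part of the original message or of any library it mentions. The `add_tweak` step is an assumed stand-in for a BIP32-style derivation, and the seed and tweak values are constructed.

```python
import hashlib

def clamp(k: bytes) -> bytes:
    """Clamp a 32-byte little-endian scalar (X25519 / Ed25519 style)."""
    if len(k) != 32:
        raise ValueError("scalar must be 32 bytes")
    b = bytearray(k)
    b[0] &= 248    # clear the low 3 bits: scalar is a multiple of the cofactor 8
    b[31] &= 127   # clear bit 255
    b[31] |= 64    # set bit 254
    return bytes(b)

def is_clamped(k: bytes) -> bool:
    """True if clamping would leave the scalar unchanged."""
    return len(k) == 32 and clamp(k) == k

def ed25519_scalar(seed: bytes) -> bytes:
    """Ed25519 secret scalar: clamped first half of SHA-512(seed)."""
    return clamp(hashlib.sha512(seed).digest()[:32])

def add_tweak(parent: bytes, tweak: int) -> bytes:
    """Assumed BIP32-style step: child = parent + tweak as integers mod 2^256."""
    s = (int.from_bytes(parent, "little") + tweak) % (1 << 256)
    return s.to_bytes(32, "little")

if __name__ == "__main__":
    parent = ed25519_scalar(b"constructed parent seed")  # constructed input
    # Constructed tweaks: odd, multiple of 8, and one that touches bit 254.
    for name, tweak in [("odd", 1), ("multiple of 8", 8), ("bit 254", 1 << 254)]:
        child = add_tweak(parent, tweak)
        print(f"tweak {name:14} clamped form kept: {is_clamped(child)}, "
              f"re-clamp changes scalar: {clamp(child) != child}")
    # Re-clamping an odd-tweaked child discards the tweak entirely, so the
    # scalar no longer matches a public key derived as parent_pub + tweak*B.
    print("re-clamped child equals parent:",
          clamp(add_tweak(parent, 1)) == parent)
```
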