[curves] Ed25519 "clamping" and its effect on hierarchical key derivation

Tony Arcieri bascule at gmail.com
Wed Mar 29 11:49:57 PDT 2017

On Tue, Mar 28, 2017 at 5:25 PM, Trevor Perrin <trevp at trevp.net> wrote:

> So maybe the question is how much you care about spending a little
> extra effort in key derivation to make the keys a little safer with
> existing DH software?  I.e., do you multiply by the scalar as part of
> derivation, or leave that for a future DH operation?

This is what has always confused me: the clamping procedure used by Ed25519
seems "inherited" from X25519[1], ostensibly for some case where you may
want to take an Ed25519 key, convert it to an X25519 key, and use it for
D-H. Aside from libsodium providing an API for doing so, I haven't actually
seen anyone do this.

It seems like if you want to support a scheme which works for both
signatures and D-H, maybe it would be better to define the scheme in terms
of Montgomery, so it can be used directly with X25519, and then use
XEd25519 for signatures.

I think most people interested in an "Ed25519-BIP32"-style construction are
interested exclusively in signatures.

[1] See ("Computing secret keys") https://cr.yp.to/ecdh.html

Tony Arcieri
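Added worked example (mine, not code from this thread, from libsodium, or from any Ed25519-BIP32 proposal) showing the tension the reply above is about: the curve's group law is linear, so an additive scalar tweak gives a child public key derivable from the parent public key, but the child scalar is in general no longer in the "clamped" form that X25519 and Ed25519 implementations expect, and software that clamps its input before the scalar multiplication silently uses a different scalar. The clamp is the one from the linked cr.yp.to page (also RFC 7748 and RFC 8032). The two derivation variants, the seed and the tweak are constructed for illustration; the pure-Python affine curve arithmetic follows the original Ed25519 reference implementation and is slow by design.

```python
"""Ed25519 clamping versus additive scalar derivation.

Added illustration; not code from the mailing-list post, from libsodium, or
from any Ed25519-BIP32 proposal. Pure Python, deliberately slow; the affine
curve arithmetic follows the original ed25519.py reference implementation.
"""
import hashlib

Q = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of the base point
D = (-121665 * pow(121666, Q - 2, Q)) % Q              # twisted Edwards constant
I = pow(2, (Q - 1) // 4, Q)                            # a square root of -1

def inv(x):
    return pow(x, Q - 2, Q)

def xrecover(y):
    """Even x for the given y, as in the Ed25519 reference implementation."""
    xx = (y * y - 1) * inv(D * y * y + 1)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q != 0:
        x = (x * I) % Q
    if x % 2 != 0:
        x = Q - x
    return x

BY = (4 * inv(5)) % Q
BASE = (xrecover(BY), BY)
NEUTRAL = (0, 1)

def edwards_add(P1, P2):
    x1, y1 = P1
    x2, y2 = P2
    x3 = (x1 * y2 + x2 * y1) * inv(1 + D * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * inv(1 - D * x1 * x2 * y1 * y2)
    return (x3 % Q, y3 % Q)

def scalarmult(P, e):
    """Right-to-left double-and-add; e may exceed L, the group order absorbs it."""
    result, addend = NEUTRAL, P
    while e:
        if e & 1:
            result = edwards_add(result, addend)
        addend = edwards_add(addend, addend)
        e >>= 1
    return result

def clamp(k: bytes) -> bytes:
    """The clamp from cr.yp.to/ecdh.html (also RFC 7748 / RFC 8032): clear the
    three low bits so the scalar is a multiple of the cofactor 8, clear bit 255,
    set bit 254. Little-endian, so byte 0 holds the low bits."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)

def is_clamped(scalar: int) -> bool:
    """True iff the integer has the shape clamp() produces."""
    return scalar % 8 == 0 and (scalar >> 254) == 1

def to_int(k: bytes) -> int:
    return int.from_bytes(k, "little")

def to_bytes(scalar: int) -> bytes:
    return scalar.to_bytes(32, "little")

# Constructed sample inputs (a real scheme would derive both from a KDF over
# the parent key and a child index).
PARENT_SEED = hashlib.sha512(b"constructed parent seed").digest()[:32]
CHILD_TWEAK = hashlib.sha512(b"constructed child tweak").digest()[:32]

def analyze_additive_derivation(parent_seed=PARENT_SEED, tweak=CHILD_TWEAK):
    a = to_int(clamp(parent_seed))          # parent secret scalar, clamped form
    A = scalarmult(BASE, a)                 # parent public key

    # Variant 1 (hypothetical): child = a + t mod L. The group law is linear, so
    # the child public key is A + t*B and can be computed from A alone.
    t = to_int(tweak) % L
    child1 = (a + t) % L
    child1_pub = edwards_add(A, scalarmult(BASE, t))
    reclamped1 = to_int(clamp(to_bytes(child1)))   # what clamp-on-input DH code uses
    mod_L = {
        "homomorphism": scalarmult(BASE, child1) == child1_pub,
        # child1 < L < 2^253, so bit 254 is never set: never in clamp form.
        "clamped": is_clamped(child1),
        # Clamping adds 2^254 and drops the low bits: a different scalar mod L.
        "reclamp_preserves_pubkey": scalarmult(BASE, reclamped1) == child1_pub,
    }

    # Variant 2 (hypothetical): child = a + 8*t' with a 224-bit t', not reduced.
    # Both terms are multiples of 8, so the low bits stay clear; bit 254 survives
    # unless the sum carries into bit 255.
    t2 = 8 * to_int(tweak[:28])
    child2 = a + t2
    child2_pub = edwards_add(A, scalarmult(BASE, t2))
    reclamped2 = to_int(clamp(to_bytes(child2)))
    cofactor = {
        "homomorphism": scalarmult(BASE, child2) == child2_pub,
        "low_bits_clear": child2 % 8 == 0,
        "clamped": is_clamped(child2),
        "reclamp_preserves_pubkey": scalarmult(BASE, reclamped2) == child2_pub,
    }
    return {"mod_L": mod_L, "cofactor": cofactor}

if __name__ == "__main__":
    for variant, findings in analyze_additive_derivation().items():
        print(variant, findings)
```

The mod-L variant always fails the clamp-form check, because a reduced scalar is below 2^253 and so can never have bit 254 set; the cofactor variant keeps clamp form exactly as long as the addition does not carry into bit 255, which is why such schemes either bound the tweak and check the carry or do the scalar multiplication themselves instead of handing the child scalar to DH code that clamps.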