[curves] Ed25519 "clamping" and its effect on hierarchical key derivation

Tony Arcieri bascule at gmail.com
Fri Apr 7 17:54:16 PDT 2017


On Fri, Apr 7, 2017 at 5:07 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:

> I think that people should really consider curves with cofactor 1.
> Outside of the DH context


I think e.g. secp256k1 has some very nice properties for signatures, but it
seems fairly common to want to use the same curve for signatures and D-H,
such as the Lightning Network adapting Trevor's Noise protocol to use
secp256k1 for D-H. I think it's probably worth considering both the
signatures and D-H use cases.

In regard to hierarchical key derivation which addresses both signatures
and D-H cases using Curve25519, the torsion safe representatives scheme
from the Tor developers seems to do this relatively elegantly.

-- 
Tony Arcieri