[curves] XEdDSA specification

Trevor Perrin trevp at trevp.net
Mon Apr 17 20:45:26 PDT 2017

Thanks for feedback,

This is timely because I'd like to update this spec in the next couple
weeks with feedback from Brian Smith and others, and some extensions.

On Sun, Apr 16, 2017 at 11:33 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> Having two different values named A makes the document excessively confusing
> to the non-expert.

It's hard because "A" is widely used for the Montgomery curve, but is
also the public key in most descriptions of Ed25519/EdDSA signatures.

Most other letters are taken, but with a little shuffling we could
probably use (K, k) for (public key, private key).  And perhaps
subscripts like k_mont and k_ed could distinguish the original vs
converted values.

> I'd be more comfortable if the pseudocode explicitly called out the
> bytes-to-integer and integer-to-bytes conversion that's defined in 2.4; as
> it stands, the document can only be read sequentially starting at the
> beginning, every time I need to refer to it, because the implicit
> conversions are critical to understanding section 3 and xeddsa_verify.

I thought boldface to indicate byte strings nicely avoided the clutter
of byte-conversion functions.  Sounds like it's not working for you?

> There aren't any test vectors in the spec, and only one in
> curve25519-java/android/jni/ed25519/tests/tests.c that I've found so far.  A
> few more wouldn't hurt.
> It'd also be nice to have fully worked examples, but that definitely doesn't
> belong in the spec; I'll see if I can generate an appropriate document as
> part of my current project.

Sure, good ideas.  Giving test vectors for intermediate values would
make sense in an appendix, I think, if you feel like generating that
(and sending to me, there's no github for this at the moment).

