[curves] XEdDSA specification

Andy Isaacson adi at hexapodia.org
Tue Apr 18 12:40:23 PDT 2017

On Tue, Apr 18, 2017 at 03:45:26AM +0000, Trevor Perrin wrote:
>> I'd be more comfortable if the pseudocode explicitly called out the
>> bytes-to-integer and integer-to-bytes conversion that's defined in 2.4; as
>> it stands, the document can only be read sequentially starting at the
>> beginning, every time I need to refer to it, because the implicit
>> conversions are critical to understanding section 3 and xeddsa_verify.
>I thought boldface to indicate byte strings nicely avoided the clutter
>of byte-conversion functions.  Sounds like it's not working for you?

Agreed, explicit byte conversion routines will add some clutter.

I'd missed that the bold was semantically significant -- the bold isn't 
strongly visually different on my browser setup (firefox, debian testing, 
hi-dpi monitor), it's more visually distinctive in the PDF version.

My use case for the document here is that I've read the spec carefully 
several months ago and am now returning to it with implementation in 
mind, so I just skimmed the preamble and dug into the pseudocode and 
textual specification, then stumbled several times on these issues.

Re-reading with the bold in mind, I immediately stumble on 
<bold>M</bold> which is just a byte sequence (the message) rather than 
the byte-representation-of-a-point.

I think my conclusion is that I'm way out of practice reading math. :)

>> There aren't any test vectors in the spec, and only one in
>> curve25519-java/android/jni/ed25519/tests/tests.c that I've found so far.  A
>> few more wouldn't hurt.
>> It'd also be nice to have fully worked examples, but that definitely doesn't
>> belong in the spec; I'll see if I can generate an appropriate document as
>> part of my current project.
>Sure, good ideas.  Giving test vectors for intermediate values would
>make sense in an appendix, I think, if you feel like generating that
>(and sending to me, there's no github for this at the moment).

I'll try to squeeze this in, but I can't make a solid commitment due to 
some resource competition on my end.

