[messaging] XEdDSA specification
trevp at trevp.net
Sat Oct 22 07:03:10 PDT 2016
On Thu, Oct 20, 2016 at 7:44 PM, Martin Thomson
<martin.thomson at gmail.com> wrote:
> On 21 October 2016 at 10:37, Trevor Perrin <trevp at trevp.net> wrote:
>> I'm happy to announce that a spec for the "XEd25519" signature
>> algorithm used in Signal is available at .
> One comment: the document doesn't really explain why you might want to
> use X- or VX-prefixed variants over the deterministic base algorithms
> (the benefits of which have many words spilled over).
There are some rationales sprinkled throughout, though I guess it's
light on that. We'll probably discuss design and rationales more on
As far as deterministic vs randomized algorithms, that's discussed in Section 8.
Determinism is somewhat of a red herring. To protect the private key
it's important that different hash "challenges" (h) get different
nonces (r). Hashing the message into the computation of h and r helps
However, it's not important that the same h gets the same r. Adding
randomization on top of hashing adds some resilience against glitching
and side-channel attacks.
If it's important that the same (message, public key) can only give
one output, then you want a VRF.
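Added illustration of the nonce rule above (not part of this message or of the Signal spec): a toy Schnorr scheme over a small constructed group that derives the nonce XEdDSA-style from the private key, the message and an optional random Z, next to a deliberately broken derivation that ignores the message. The group parameters and the names `sign`, `bad_sign`, `verify` and `recover_key` are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy Schnorr group (NOT secure): safe prime p = 2q + 1 and a generator g
# of the order-q subgroup. XEdDSA uses Curve25519; the nonce rule illustrated is the same.
P, Q, G = 2879, 1439, 4

def H(*parts):
    """Length-prefix and hash byte strings to an integer mod q."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def enc(x):
    return x.to_bytes(2, "big")

def keygen():
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)

def _finish(a, r, msg):
    R = pow(G, r, P)
    h = H(enc(R), enc(pow(G, a, P)), msg)   # challenge h commits to R, A and M
    return R, (r + h * a) % Q

def sign(a, msg, Z=None):
    """Nonce derived as in XEdDSA: r = hash(a || M || Z).  Z=None is the deterministic
    variant (same message -> same r); a fresh random Z is the randomized variant."""
    return _finish(a, H(enc(a), msg, Z if Z is not None else b""), msg)

def bad_sign(a, msg):
    """Broken derivation: the nonce ignores the message, so every message reuses r."""
    return _finish(a, H(enc(a)), msg)

def verify(A, msg, sig):
    R, s = sig
    h = H(enc(R), enc(A), msg)
    return pow(G, s, P) == (R * pow(A, h, P)) % P

def recover_key(A, m1, sig1, m2, sig2):
    """Two signatures sharing R under different challenges reveal the private key,
    a = (s1 - s2) / (h1 - h2) mod q: this is why different h must get different r."""
    if sig1[0] != sig2[0]:
        return None
    h1, h2 = H(enc(sig1[0]), enc(A), m1), H(enc(sig2[0]), enc(A), m2)
    if h1 == h2:
        return None
    return ((sig1[1] - sig2[1]) * pow(h1 - h2, -1, Q)) % Q
```

With `sign`, the same message gives identical signatures when Z is omitted and distinct, still-valid signatures when Z varies; with `bad_sign`, any two messages share R and `recover_key` returns the private key.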