[noise] XEdDSA and Noise

Trevor Perrin trevp at trevp.net
Tue Oct 25 19:39:49 PDT 2016

On Tue, Oct 25, 2016 at 6:50 PM, Rhys Weatherley
<rhys.weatherley at gmail.com> wrote:
> On Wed, Oct 26, 2016 at 6:50 AM, Trevor Perrin <trevp at trevp.net> wrote:
>> Also, XEdDSA is defined for 512-bit hash functions, so
>> we'd have to decide if/how it works if someone chooses a Noise 256-bit
>> hash.
> I see the 512-bit hash that is used in XEdDSA as an internal implementation
> detail of the signature algorithm.  It is used to hash the message (the
> short "h" in our case) and to safely generate the random nonce r used during
> signing.  It doesn't need to be the same hash as the one used to generate
> the message "h".  IMHO.

Makes sense, but you could argue the other way too, e.g. using one hash
for everything minimizes code size and security assumptions.

> It isn't clear to me on a casual read of the linked specification as to why
> plain Ed25519 isn't suitable.  Problems with sharing static keys with
> Diffie-Hellman?  Deterministic signatures?

Noise uses Montgomery-format public keys suitable for X25519.  Ed25519
specifies Edwards-format public keys.

Also, Ed25519 specifies that the private scalar is derived from a
secret key, so it's not obvious how to use an X25519 or X448 private
key directly for Ed25519, even after you convert the public key.

So XEdDSA just specifies how to convert the X25519 key pair for use
with Ed25519.  (I guess that spec could be clearer about motivation).
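
Added example, not part of the original message and not code from the Noise or XEdDSA authors: a sketch of the conversion described above for Curve25519. The function names follow the XEdDSA specification's calculate_key_pair and convert_mont; the slow affine arithmetic and the helpers (recover_x, add, mul, clamp) are assumptions made here for illustration and are not constant time.

```python
# Added illustration: X25519 key pair -> Ed25519-style key pair (study use only).
P = 2**255 - 19                                        # field prime
Q = 2**252 + 27742317777372353535851937790883648493    # order of the base point
inv = lambda v: pow(v % P, P - 2, P)                   # modular inverse (Fermat)
D = -121665 * inv(121666) % P                          # Edwards curve constant d

def recover_x(y, sign):
    # Edwards x-coordinate for y, choosing the root whose low bit equals sign.
    x2 = (y * y - 1) * inv(D * y * y + 1) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    if (x * x - x2) % P:
        raise ValueError("y is not on the curve")
    return x if (x & 1) == sign else (P - x) % P

BY = 4 * inv(5) % P
B = (recover_x(BY, 0), BY)                             # Ed25519 base point

def add(p1, p2):
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * inv(1 - t) % P)

def mul(k, pt):
    acc = (0, 1)                                       # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def clamp(raw):
    # X25519 private-key bytes -> scalar (RFC 7748 clamping).
    return (int.from_bytes(raw, "little") & ((1 << 254) - 8)) | (1 << 254)

def convert_mont(raw_u):
    # Verifier side: Montgomery u -> Edwards point with sign bit forced to 0.
    u = int.from_bytes(raw_u, "little") % 2**255
    y = (u - 1) * inv(u + 1) % P
    return (recover_x(y, 0), y)

def calculate_key_pair(k):
    # Signer side: use a = k or a = -k so that the public point a*B has sign 0.
    E = mul(k, B)
    if E[0] & 1:
        return (Q - k) % Q, ((P - E[0]) % P, E[1])
    return k % Q, E
```

The signer never changes the X25519 key itself: it only negates the scalar when needed, so that the Edwards point the verifier reconstructs from the Montgomery public key is the one the signature was made under.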

