[Cryptography] Schnorr multisignatures based on ED22519

jamesd at echeque.com jamesd at echeque.com
Tue May 7 03:06:28 EDT 2019

> On Sun, May 5, 2019 at 9:07 PM Dominik Pantůček 
> >     the cofactor for Ed25519 is l=8. The problem of "hitting" small subgroup
> >     is easily mitigated if you clear the 3 least-significant bits of your
> >     keys. As long as you are working with points on the curve which are
> >     eight times multiply of the generator point (i.e. 8G, 16G, 24G ...) you
> >     are safe.

On 06/05/2019 22:16, Phillip Hallam-Baker wrote:
> I think the Schnorr signatures are really useful and important. But I 
> would need to see a CFRG RFC and peer review before making use of them 
> in a spec.

My ignorant opinion is that you would be fine using a well known 
algorithm, such as Schnorr signatures, in a prime group such as 
ristretto255, but in a non prime group such as Ed25519, likely to shoot 
yourself in the foot, and if you roll your own algorithm, likely to 
shoot yourself in the foot even with a prime group.

More information about the cryptography mailing list