[Cryptography] Schnorr multisignatures based on ED22519
jamesd at echeque.com
jamesd at echeque.com
Tue May 7 03:06:28 EDT 2019
> On Sun, May 5, 2019 at 9:07 PM Dominik Pantůček
> > the cofactor for Ed25519 is l=8. The problem of "hitting" small subgroup
> > is easily mitigated if you clear the 3 least-significant bits of your
> > keys. As long as you are working with points on the curve which are
> > eight times multiply of the generator point (i.e. 8G, 16G, 24G ...) you
> > are safe.
On 06/05/2019 22:16, Phillip Hallam-Baker wrote:
> I think the Schnorr signatures are really useful and important. But I
> would need to see a CFRG RFC and peer review before making use of them
> in a spec.
My ignorant opinion is that you would be fine using a well known
algorithm, such as Schnorr signatures, in a prime group such as
ristretto255, but in a non prime group such as Ed25519, likely to shoot
yourself in the foot, and if you roll your own algorithm, likely to
shoot yourself in the foot even with a prime group.
More information about the cryptography
mailing list