[Cryptography] Ed25519 key generation

cherry cherry at cpal.pw
Thu Apr 28 08:58:41 EDT 2022



On 20/1/22 03:58, James Muir wrote:
> In EdDSA, can someone tell me why the three-lowest bits of the scalar s 
> are cleared when generating an Ed25519 public key, A = s*B?

All the algorithms for doing public/private key stuff assume a prime 
order group.

Well, it is a lot faster and more convenient to use a group that is not 
prime order, whose order has three factors of two times a large prime.

Whereupon all your algorithms have flaws that are extremely difficult to 
describe and understand.

For each algorithm there is an ad hoc fix, and why these fixes work is even 
harder to understand than what goes wrong if you do not use the fix.

The fix that I actually do understand is to use an actual prime order 
group:  Ristretto25519.
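
The bit clearing asked about in the quoted question, as an added example that is not part of the original post or of any Ed25519 library: the scalar derivation follows RFC 8032 key generation, and the code shows that a clamped s is a multiple of the cofactor 8, so a small-order component added to a point has no effect on s times that point. Function names, the sample seed and the search range for the order-8 point are assumptions made for illustration.

```python
import hashlib

P = 2**255 - 19  # field prime
L = 2**252 + 27742317777372353535851937790883648493  # prime factor of the group order 8*L
D = -121665 * pow(121666, P - 2, P) % P  # curve constant d
IDENTITY = (0, 1)

def add(p1, p2):  # affine addition on -x^2 + y^2 = 1 + d*x^2*y^2
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P
    return (x3, y3)

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x(y):  # point (x, y) on the curve, or None if y has no matching x
    u = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(u, (P + 3) // 8, P)
    if (x * x - u) % P:
        x = x * pow(2, (P - 1) // 4, P) % P  # multiply by sqrt(-1)
    return (x, y) if (x * x - u) % P == 0 else None

_x, _y = lift_x(4 * pow(5, P - 2, P) % P)
B = (_x if _x % 2 == 0 else P - _x, _y)  # standard base point, order L

def clamp(seed):  # RFC 8032 key generation: hash the seed, then fix bits
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0] &= 248  # clear the three lowest bits: s is a multiple of 8
    h[31] = (h[31] & 127) | 64  # clear bit 255, set bit 254
    return int.from_bytes(h, "little")

def order8_point():
    # L*pt removes the prime-order part, leaving a point of order 1, 2, 4 or 8
    cands = (mul(L, pt) for pt in map(lift_x, range(2, 100)) if pt)
    return next(t for t in cands if mul(4, t) != IDENTITY)

def demo(seed=b"\x01" * 32):  # constructed sample seed, not a real key
    s, t = clamp(seed), order8_point()
    mixed = add(B, t)  # base point plus a small-order component
    bad = s | 1  # hypothetical scalar whose low bits were not cleared
    return (s % 8, mul(s, t) == IDENTITY, mul(s, mixed) == mul(s, B),
            mul(bad, mixed) == mul(bad, B))
```

demo() returns, in order: s mod 8, whether s sends the order-8 point to the identity, whether the small-order component vanished under the clamped scalar, and whether it vanished under the unclamped one.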

