[Cryptography] Ed25519 key generation
cherry
cherry at cpal.pw
Thu Apr 28 08:58:41 EDT 2022
On 20/1/22 03:58, James Muir wrote:
> In EdDSA, can someone tell me why the three-lowest bits of the scalar s
> are cleared when generating an Ed25519 public key, A = s*B?
All the algorithms for doing public/private key stuff assume a prime
order group.
Well, it is a lot faster and more convenient to use a group that is not
prime order, whose order has three factors of two times a large prime.
Whereupon all your algorithms have flaws that are extremely difficult to
describe and understand.
For each algorithm there is an ad hoc fix, and why these fixes work is even
harder to understand than what goes wrong if you do not use the fix.
The fix that I actually do understand is to use an actual prime order
group: Ristretto25519.
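
What clearing the three low bits does on a group whose order is 8 times a large prime, as an added example that is not part of the original message: a clamped scalar is a multiple of 8, so a small-order component mixed into a point is multiplied away, while a scalar with the low bit set lets it through. The affine arithmetic, the helper names and the all-zero seed are assumptions chosen for illustration; the curve constants are the standard edwards25519 ones.

```python
import hashlib

p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime order of B
d = -121665 * pow(121666, -1, p) % p
IDENTITY = (0, 1)

def add(P, Q):  # complete twisted Edwards addition (a = -1), affine
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % p, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow((1 - t) % p, -1, p) % p)

def mul(k, P):  # double-and-add; not constant time, illustration only
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def lift_x(y):  # an x with (x, y) on the curve, or None
    u = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(u, (p + 3) // 8, p)
    if (x * x - u) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    return x if (x * x - u) % p == 0 else None

By = 4 * pow(5, -1, p) % p
Bx = lift_x(By)
B = (Bx if Bx % 2 == 0 else p - Bx, By)  # standard base point

def clamp(seed):  # RFC 8032 scalar derivation: low 3 bits cleared, bit 254 set
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0] &= 248; h[31] &= 127; h[31] |= 64
    return int.from_bytes(h, "little")

def order8_point():  # multiply curve points by L until one of order 8 appears
    for y in range(2, 1000):
        x = lift_x(y)
        T = mul(L, (x, y)) if x is not None else IDENTITY
        if mul(4, T) != IDENTITY:
            return T

def demo(seed=bytes(32)):  # constructed all-zero seed, not a real key
    s, T = clamp(seed), order8_point()
    mixed = add(B, T)  # base point plus a small-order component
    return (mul(s, mixed) == mul(s, B),          # clamped: component vanishes
            mul(s | 1, mixed) == mul(s | 1, B))  # low bit set: it survives
```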