[Cryptography] Ed25519 key generation

cherry cherry at cpal.pw
Thu Apr 28 08:58:41 EDT 2022

On 20/1/22 03:58, James Muir wrote:
> In EdDSA, can someone tell me why the three-lowest bits of the scalar s 
> are cleared when generating an Ed25519 public key, A = s*B?

All the algorithms for doing public/private key stuff, assume a prime 
order group

Well, it is a lot faster and more convenient to use a group that is not 
prime order, whose order has three factors of two times a large prime.

Whereupon all your algorithms have flaws that are extremely difficult to 
describe and understand.

For each algorithm there is ad hoc fix, and why these fixes work is even 
harder to understand than what goes wrong if you do not use the fix.

The fix that I actually do understand is to use an actual prime order 
groups:  Ristretto25519.

More information about the cryptography mailing list