[Cryptography] Ed25519 key generation
James Muir
muir.james.a at gmail.com
Wed Jan 19 14:58:41 EST 2022
In EdDSA, can someone tell me why the three lowest bits of the scalar s
are cleared when generating an Ed25519 public key, A = s*B?
I have seen this question asked on stack-exchange, but the answers talk
about small-subgroup attacks in the context of ECDH. As far as I can
tell, small-subgroup attacks are not relevant for EdDSA.
Note that the number of points on Ed25519 is 8*L, where L is a large
prime (253 bits). The point B generates a subgroup of size L.
For reference, Ed25519 keypair generation is described here:
https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.5
The original Ed25519 paper is here:
http://ed25519.cr.yp.to/ed25519-20110926.pdf
I suspect that this way of generating Ed25519 keys was proposed to be
consistent with Curve25519 (Ed25519 and Curve25519 are isomorphic).
Curve25519 is used for ECDH and small-subgroup attacks are a concern in
that context. It seems desirable to have one consistent procedure for
key generation for both curves, but I want to be sure I am not
overlooking a security concern. In particular, I do not think it is
true that publishing, say, R = r*B somehow leaks the three lowest bits of r.
-James M
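A worked example, added here and not part of James's post, RFC 8032 or the Ed25519 paper: a pure-Python implementation of Ed25519 key generation (affine twisted-Edwards arithmetic, not constant time, for illustration only) that makes the clamping step concrete. It derives the base point from y = 4/5, constructs a point T of order 8 from the curve equation, and then compares what a clamped scalar and a scalar with only two bits cleared do to points that carry an order-8 component. The function names keygen, clamp, order8_point and clamp_demo, the constructed point P = B + T, and the check against the first RFC 8032 test vector are my own choices.

```python
import hashlib

# Ed25519 parameters (RFC 8032, section 5.1): -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p)
p = 2**255 - 19
d = (-121665 * pow(121666, p - 2, p)) % p
L = 2**252 + 27742317777372353535851937790883648493   # prime order of B; #E = 8*L
I = pow(2, (p - 1) // 4, p)                            # sqrt(-1) mod p
O = (0, 1)                                             # neutral element

def inv(v):
    return pow(v % p, p - 2, p)

def sqrt_mod(v):
    """Square root of v mod p (p = 5 mod 8), or None if v is a non-residue."""
    v %= p
    r = pow(v, (p + 3) // 8, p)
    if (r * r - v) % p:
        r = (r * I) % p
    return r if (r * r - v) % p == 0 else None

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(P, Q):
    """Affine twisted-Edwards addition (complete formula, so it also doubles)."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % p,
            (y1 * y2 + x1 * x2) * inv(1 - t) % p)

def mul(k, P):
    """Double-and-add scalar multiplication k*P (not constant time)."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

# Base point B = (x, 4/5), taking the even root for x as RFC 8032 does.
By = 4 * inv(5) % p
Bx = sqrt_mod((By * By - 1) * inv(d * By * By + 1))
if Bx & 1:
    Bx = p - Bx
B = (Bx, By)

def encode(P):
    """Point compression: y little-endian, parity of x in the top bit."""
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def clamp(a):
    """RFC 8032 section 5.1.5 step 2: clear bits 0-2 and bit 255, set bit 254."""
    return (a & ((1 << 254) - 8)) | (1 << 254)

def keygen(seed):
    """Ed25519 public key from a 32-byte seed: s = clamp(SHA-512(seed)[:32]), A = s*B."""
    h = hashlib.sha512(seed).digest()
    s = clamp(int.from_bytes(h[:32], "little"))
    return s, mul(s, B)

def order8_point():
    """Construct a point T of order 8 (the cofactor part of the group).
    2T must be (+-I, 0); the doubling formula then forces y = I*x and
    d*x^4 - 2*x^2 - 1 = 0, i.e. x^2 = (1 +- sqrt(1+d))/d."""
    e = sqrt_mod(1 + d)
    for sign in (1, -1):
        x = sqrt_mod((1 + sign * e) * inv(d))
        if x is not None:
            T = (x, I * x % p)
            assert on_curve(T) and mul(8, T) == O and mul(4, T) != O
            return T
    raise RuntimeError("no order-8 point found")   # cannot happen: #E = 8*L

def clamp_demo(seed):
    """What clearing the three low bits does, and on which points it matters."""
    s, A = keygen(seed)
    T = order8_point()
    P = add(B, T)                   # valid curve point, but outside the order-L subgroup
    return {
        "A has order L":             mul(L, A) == O,
        "P does not":                mul(L, P) != O,
        "8 | s kills the torsion":   mul(s, T) == O and mul(s, P) == A,
        "clearing 2 bits would not": mul(s | 4, T) != O,
        "on B only s mod L matters": mul(s % L, B) == A,
    }
```

Running clamp_demo on the seed from the first RFC 8032 test vector gives True for every entry. The clamped s is a multiple of 8, so s*P lands in the order-L subgroup for any P, even one with an order-8 component (the small-subgroup setting from ECDH); a scalar with only two low bits cleared leaves a nonzero multiple of T behind. For the signature key A = s*B itself, B already has order L, so A is determined by s mod L alone.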