> On Oct 20, 2016, at 11:51 PM, Trevor Perrin <tr...@trevp.net> wrote:
> 
> (Changing title)
> 
> On Thu, Oct 20, 2016 at 10:52 PM, Ron Garret <r...@flownet.com> wrote:
>> You derive DSA keys from DH keys using the bilateral equivalence relation 
>> and setting the sign bit to zero.  Why not instead go the other way and 
>> derive DH keys from DSA keys?  That way you get to keep the sign bit.  One 
>> bit is not a big deal, but was there a reason for going DH->DSA instead of 
>> the other way?
> 
> Sure, it allows the Montgomery ladder for DH, see discussion at
> beginning of 2.3.
> 
> Trevor

Of course, you can use the Montgomery ladder with Edwards y coordinates too.  
It’s pretty much the same formulas and the same loop.  It just requires an 
extra multiply per bit.

The reason to use XEdDSA is to retrofit signatures on an existing PKI that 
distributes X25519 keys.

— Mike
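The DH -> DSA conversion discussed in this thread, as an added example that is not part of the original messages or of the XEdDSA specification's own code: it maps between the Curve25519 u-coordinate and the Ed25519 y-coordinate and shows that a point and its negation share one u, so the sign bit has to be fixed by convention (here, zero). All function names and the scalar are constructed for illustration, and the arithmetic is variable-time.

```python
# Added illustration; variable-time affine arithmetic, not for production use.
P = 2**255 - 19                                        # field prime
Q = 2**252 + 27742317777372353535851937790883648493    # prime subgroup order
def inv(a): return pow(a, P - 2, P)                    # Fermat inverse; inv(0) == 0
D = -121665 * inv(121666) % P                          # Edwards curve constant d

def recover_x(y, sign):
    """Solve -x^2 + y^2 = 1 + d x^2 y^2 for the x whose low bit equals sign."""
    xx = (y * y - 1) * inv(D * y * y + 1) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * pow(2, (P - 1) // 4, P) % P            # multiply by sqrt(-1)
    if (x * x - xx) % P:
        raise ValueError("y is not on the curve")
    return P - x if (x & 1) != sign else x

def add(p1, p2):                                       # complete Edwards addition
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * inv(1 - t) % P)

def mul(k, pt):                                        # double-and-add
    acc = (0, 1)
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

BY = 4 * inv(5) % P
B = (recover_x(BY, 0), BY)                             # Ed25519 base point

def ed_to_mont(y): return (1 + y) * inv(1 - y) % P     # u = (1+y)/(1-y)
def mont_to_ed(u): return (u - 1) * inv(u + 1) % P     # y = (u-1)/(u+1)

def encode(pt):                                        # y little-endian, sign(x) in bit 255
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def dh_to_dsa(u):                                      # DH -> DSA: sign bit forced to 0
    return mont_to_ed(u).to_bytes(32, "little")

def demo(k):
    A, negA = mul(k, B), mul(Q - k, B)                 # A and -A share y, differ in x
    return ed_to_mont(A[1]), ed_to_mont(negA[1]), encode(A), encode(negA)

if __name__ == "__main__":
    u1, u2, eA, eNegA = demo(0x1234567 << 200)         # constructed scalar, not a real key
    print(u1 == u2, eA[:31] == eNegA[:31], eA[31] ^ eNegA[31] == 0x80)
    print(dh_to_dsa(u1) in (eA, eNegA), dh_to_dsa(u1)[31] >> 7 == 0)
```

Going the other way (DSA -> DH) is just `ed_to_mont` on the y-coordinate, which discards the sign bit of x.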
