Trevor Perrin <tr...@trevp.net> wrote: > On Wed, Nov 2, 2016 at 4:53 PM, Brian Smith <br...@briansmith.org> wrote: > > Assuming I didn't make a huge mistake, here's another factoring of the > logic > > that shows that XEd22519 signing can be used with either XEd25519 keys or > > Ed25519 keys. In particular, the randomization of the nonce and the > > derivation of an Ed25519 key from an X25519 key are orthogonal > > Sure, agreed that handling of nonce, and public key, are orthogonal. >
Just to be clear: hash_1(x) is used whenever randomized nonces are use, regardless of whether compute_key_pair is used to derive an EdDSA key from an X25519/X448 key, right? And conversely, if one derives an EdDSA keypair from an X25519 keypair, but doesn't use a randomized nonce, then just regular EdDSA should be used, instead of XEdDSA? Cheers, Brian -- https://briansmith.org/
_______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves