On Fri, Nov 4, 2016 at 12:36 AM, Brian Smith <br...@briansmith.org> wrote: > Trevor Perrin <tr...@trevp.net> wrote: >> Sure, agreed that handling of nonce, and public key, are orthogonal. > > > Just to be clear: hash_1(x) is used whenever randomized nonces are use, > regardless of whether compute_key_pair is used to derive an EdDSA key from > an X25519/X448 key, right? And conversely, if one derives an EdDSA keypair > from an X25519 keypair, but doesn't use a randomized nonce, then just > regular EdDSA should be used, instead of XEdDSA?
Hmm, maybe this isn't as orthogonal as I thought. I think the term XEdDSA should refer to the whole package of (X->Ed, randomized). I'm not sure why you'd want (X->Ed, deterministic). As far as (Ed, randomized), I'm not sure exactly what its best design there. Trevor _______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves