On Tue, Mar 28, 2017 at 5:25 PM, Trevor Perrin <tr...@trevp.net> wrote:

> So maybe the question is how much you care about spending a little
> extra effort in key derivation to make the keys a little safer with
> existing DH software?  I.e., do you multiply by the scalar as part of
> derivation, or leave that for a future DH operation?


This is what has always confused me: the clamping procedure used by Ed25519
seems "inherited" from X25519[1], ostensibly for some case where you may
want to take an Ed25519 key, convert it to an X25519 key, and use it for
D-H. Aside from libsodium providing an API for doing so, I haven't actually
seen anyone do this.

It seems like if you want to support a scheme which works for both
signatures and D-H, maybe it would be better to define the scheme in terms
of Montgomery, so it can be used directly with X25519, and then use
XEd25519 for signatures.

I think most people interested in an "Ed25519-BIP32"-style construction are
interested exclusively in signatures.

[1] See ("Computing secret keys") https://cr.yp.to/ecdh.html

-- 
Tony Arcieri
_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
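
The overlap described in the message above, as an added example (not part of the original post and not any library's code): the Ed25519 secret scalar from RFC 8032 key expansion is already in X25519's clamped form, so it can be fed to an X25519 D-H unchanged. The seeds are constructed, the function names are hypothetical, and the ladder is a plain RFC 7748 implementation that is not constant time.

```python
import hashlib

P = 2**255 - 19
A24 = 121665                      # (486662 - 2) / 4, from RFC 7748
BASE_U = (9).to_bytes(32, "little")

def clamp(b: bytes) -> bytes:
    """X25519 clamping: clear bits 0-2 and 255, set bit 254."""
    k = bytearray(b)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return bytes(k)

def ed25519_secret_scalar(seed: bytes) -> bytes:
    """RFC 8032 key expansion: clamped low half of SHA-512(seed)."""
    return clamp(hashlib.sha512(seed).digest()[:32])

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant time; illustration only."""
    n = int.from_bytes(clamp(k), "little")
    x1 = int.from_bytes(u, "little") % 2**255   # mask the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def dh_from_ed25519_seeds(seed_a: bytes, seed_b: bytes):
    """Both parties reuse their Ed25519 scalar as an X25519 secret."""
    a, b = ed25519_secret_scalar(seed_a), ed25519_secret_scalar(seed_b)
    pub_a, pub_b = x25519(a, BASE_U), x25519(b, BASE_U)
    return a, b, x25519(a, pub_b), x25519(b, pub_a)

if __name__ == "__main__":
    # Constructed seeds, not real keys.
    a, b, shared_a, shared_b = dh_from_ed25519_seeds(b"\x01" * 32, b"\x02" * 32)
    print("clamp is a no-op on the Ed25519 scalar:", clamp(a) == a)
    print("shared secrets match:", shared_a == shared_b)
```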