On Tue, Mar 28, 2017 at 5:25 PM, Trevor Perrin <tr...@trevp.net> wrote:
> So maybe the question is how much you care about spending a little
> extra effort in key derivation to make the keys a little safer with
> existing DH software? I.e., do you multiply by the scalar as part of
> derivation, or leave that for a future DH operation?

This is what has always confused me: the clamping procedure used by Ed25519 seems "inherited" from X25519[1], ostensibly for some case where you may want to take an Ed25519 key, convert it to an X25519 key, and use it for D-H. Aside from libsodium providing an API for doing so, I haven't actually seen anyone do this.

It seems like if you want to support a scheme which works for both signatures and D-H, maybe it would be better to define the scheme in terms of Montgomery, so it can be used directly with X25519, and then use XEd25519 for signatures.

I think most people interested in an "Ed25519-BIP32"-style construction are interested exclusively in signatures.

[1] See ("Computing secret keys") https://cr.yp.to/ecdh.html

-- 
Tony Arcieri
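Added example, not code from the post or from any project it mentions: the X25519 clamping referenced above, with a check of which of its properties a BIP32-style additive child derivation keeps. The two derivation rules, the seed and the tweak are assumptions made for illustration.

```python
# Added example: X25519 "computing secret keys" clamping (https://cr.yp.to/ecdh.html)
# and which of its invariants survive an additive child derivation.
# Both derivation rules below are assumptions for illustration, not any standard's.

L = 2**252 + 27742317777372353535851937790883648493  # order of the Ed25519 base point


def clamp(sk32: bytes) -> bytes:
    """Clamp a 32-byte little-endian scalar exactly as X25519 does."""
    if len(sk32) != 32:
        raise ValueError("expected 32 bytes")
    s = bytearray(sk32)
    s[0] &= 248    # clear bits 0..2: scalar becomes a multiple of the cofactor 8
    s[31] &= 127   # clear bit 255: scalar < 2**255
    s[31] |= 64    # set bit 254: fixed top bit, so ladders do not leak the length
    return bytes(s)


def scalar_props(a: int) -> dict:
    """The three invariants a clamped scalar satisfies."""
    return {
        "multiple_of_8": a % 8 == 0,
        "bit254_set": (a >> 254) & 1 == 1,
        "below_2_255": a < 2**255,
    }


def child_reduced(parent: int, tweak: int) -> int:
    """Assumed rule A: add the tweak and reduce mod L (loses both clamping bits)."""
    return (parent + tweak) % L


def child_cofactor(parent: int, tweak: int) -> int:
    """Assumed rule B: add 8*tweak as integers, no reduction, tweak < 2**224."""
    if not 0 <= tweak < 2**224:
        raise ValueError("tweak must be below 2**224")
    # Multiplying by 8 keeps the low bits clear; the sum can still carry into
    # bit 255 for some parents, which a real scheme must detect and handle.
    return parent + 8 * tweak


if __name__ == "__main__":
    parent = int.from_bytes(clamp(bytes(range(32))), "little")  # constructed seed
    tweak = 0x1234567                                           # constructed tweak
    print("parent ", scalar_props(parent))
    print("rule A ", scalar_props(child_reduced(parent, tweak)))
    print("rule B ", scalar_props(child_cofactor(parent, tweak)))
```

Rule A shows why reducing mod L is at odds with clamping: the result is below L, so bit 254 is never set and the multiple-of-8 property is lost in general.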
_______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves