On Sat, Oct 04, 2025 at 09:53:22AM +0100, Neil Madden wrote:
> (Also, re EdDSA - I thought some of the double-spend issues were using
> Ed25519?)

Seems like it was not Ed25519, but some group signature thingy that got
confused with Ed25519 due to incorrectly calling the underlying curve
"Ed25519".

According to RFC7748, the actual name of the curve is "edwards25519".
(Similarly RFC7748 calls the curve underlying Ed448 as "edwards448" or
"Goldilocks". And Safecurves calls it "Ed448-Goldilocks".)

However, the RFC8032 EdDSA still has some rough edges caused by low-order
points. Rejecting those adds things like signature binding the message
signed.

There is a trick for quickly checking for low-order points on Edwards25519
and Edwards448. Point is low-order iff:

1) X^2 == 0 or
2) Y^2 == 0 or
3) X^2+Y^2 == 0 (trivially impossible with Edwards448).

(The given point decompression algorithm computes both X^2 and Y^2 as
intermediate values.)

-Ilari
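The low-order test described in the message above, written out for edwards25519 as an added example (not part of the original message or of any RFC text). It decodes a point as in RFC 8032, applies the three conditions to X^2 and Y^2, and cross-checks against multiplying by the cofactor 8; the function names and the sample table are assumptions made for the illustration.

```python
# Added example: low-order check on edwards25519 from X^2 and Y^2 alone.
P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P           # curve constant d (RFC 8032)
SQRT_M1 = pow(2, (P - 1) // 4, P)              # a square root of -1 mod p

def decompress(enc: bytes):
    """RFC 8032 point decoding; returns (x, y, x2, y2) or None if invalid."""
    if len(enc) != 32:
        return None
    n = int.from_bytes(enc, "little")
    sign, y = n >> 255, n & ((1 << 255) - 1)
    if y >= P:
        return None                             # non-canonical y
    y2 = y * y % P
    x2 = (y2 - 1) * pow(D * y2 + 1, -1, P) % P  # x^2 = (y^2 - 1) / (d*y^2 + 1)
    x = pow(x2, (P + 3) // 8, P)                # candidate square root
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P or (x == 0 and sign):
        return None                             # not on the curve, or "-0"
    if x & 1 != sign:
        x = P - x
    return x, y, x2, y2

def is_low_order(enc: bytes) -> bool:
    """The three conditions from the message, using only X^2 and Y^2."""
    pt = decompress(enc)
    if pt is None:
        raise ValueError("invalid point encoding")
    _, _, x2, y2 = pt
    return x2 == 0 or y2 == 0 or (x2 + y2) % P == 0

def times8_is_identity(enc: bytes) -> bool:
    """Reference check: three doublings with the complete addition law."""
    x, y, _, _ = decompress(enc)
    for _ in range(3):
        t = D * x * x * y * y % P
        x, y = (2 * x * y * pow(1 + t, -1, P) % P,
                (y * y + x * x) * pow(1 - t, -1, P) % P)
    return (x, y) == (0, 1)

# Sample encodings built for this example: orders 1, 2, 4, a known order-8
# encoding, and the base point (y = 4/5), which has prime order.
SAMPLES = {
    "identity": (1).to_bytes(32, "little"),
    "order 2": (P - 1).to_bytes(32, "little"),
    "order 4": bytes(32),
    "order 8": bytes.fromhex(
        "26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05"),
    "base point": (4 * pow(5, -1, P) % P).to_bytes(32, "little"),
}
```

A verifier that wants to reject low-order public keys or R values can call `is_low_order` right after decoding, since both squares are already available at that point.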
