why did Ed25519 used Edward25519 instead of Curve25519 directly?
-
-
Replying to @cryptodavidw
Because fixed base scalar multiplication is faster on Edwards curves.
2 replies 0 retweets 9 likes -
Replying to @jedisct1 @cryptodavidw
AIUI Curve25519 doesn't have point addition formulas, just a point multiplication algorithm that throws away the sign; that works for DH but not for Schnorr.
1 reply 0 retweets 2 likes -
Replying to @ciphergoth @cryptodavidw
You’re referring to a specific algorithm (Montgomery ladder) for a specific operation (X25519). Regarding the curve itself, point addition is not a problem if you have both coordinates.
1 reply 0 retweets 0 likes -
Replying to @jedisct1 @cryptodavidw
Is Curve25519 point addition constant-time and exception-free though? ISTR it has to treat the two points being equal as a special case.
1 reply 0 retweets 0 likes -
Replying to @ciphergoth @cryptodavidw
Not something we usually care about for Schnorr signature verification.
1 reply 0 retweets 0 likes -
Replying to @jedisct1 @cryptodavidw
There's at least one point addition in EdDSA signature validation though, right? And more if batch verification is used.
1 reply 0 retweets 0 likes
For EdDSA specifically, yes, even though once again it’s okay if it runs in variable time. But see STROBE signatures, or qDSA instantiated with Curve25519.
-
-
Replying to @jedisct1 @cryptodavidw
qDSA is super neat, thanks for the pointer! What should I be reading re STROBE? Section 5.3 of https://eprint.iacr.org/2017/003.pdf seems pretty vanilla, while https://eprint.iacr.org/2012/309.pdf is exciting but doesn't mention STROBE.
0 replies 0 retweets 0 likesThanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.