why did Ed25519 used Edward25519 instead of Curve25519 directly?
-
-
Replying to @cryptodavidw
The question should rather be why use Curve25519 instead of Edwards25519 for DH? And that’s mainly because X25519 predates Edwards curves.
2 replies 0 retweets 3 likes -
Replying to @jedisct1 @cryptodavidw
The reasons the CFRG stood by it are: - simple point decoding - Montgomery ladder favors small code size and constant time implementations That said, every time I see someone convert from Edwards to Montgomery form to do D-H I
3 replies 0 retweets 3 likes -
Replying to @bascule @cryptodavidw
Great in theory if you only need DH, but in the real world, most applications need both DH and signatures. So long for the small code size. Plus, yes, conversions, that are neither cheap nor required.
1 reply 0 retweets 3 likes -
As a protocol designer I've always followed my instinct that if I use the same (or same up to birational equivalence) key for signing and DH that I'll be setting myself up for sadness of some kind. Is this in fact safe?
2 replies 0 retweets 2 likes
If the secret key is compromised due to an issue in your DH code, you’ll be sad because the attacker also gets a signature key, which is often a long-term key. But having the same curve for both operations doesn’t mean that you need to use the same key.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.