On Wed, Jun 25, 2014 at 4:37 PM, Trevor Perrin <[email protected]> wrote:
> So Ed25519 and Goldilocks are similar in generating the private scalar
> and signing nonce from a "master key":
>
> Ed25519
> --------
> private_scalar[32], nonce_key[32] = SHA512(master_key[32])
> sig_nonce[32] = SHA512(nonce_key[32] || message) % q
>
> Goldilocks
> --------
> private_scalar[56] = SHA512("derivepk" || masterkey[32])
> sig_nonce[56] = SHA512("signonce" || masterkey[32] || message ||
> masterkey[32]) % q
>
>
> Qs
> * Is it weird that the range for Goldilocks private scalar and nonce
> is size 2^256, rather than the size of the main subgroup (~2^446)?

I can't think of a way to break it. Bernstein mentions something
similar for curve25519, with s, md5 (s) as the secret key.

Sincerely,
Watson Ladd

>
> Trevor
> _______________________________________________
> Curves mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/curves

--
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
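The derivations quoted in the message above, as an added Python example that is not part of the original thread: it shows that the scalar and both nonces are deterministic functions of the 32-byte master key. The Ed25519 clamping step, the published Ed25519 and Ed448-Goldilocks group orders, the little-endian reading of the digests and the sample key are not in the post and are assumptions here; the Goldilocks private-scalar line is left out because the post does not say how the 64-byte digest maps to 56 bytes.

```python
import hashlib

# Group orders: Ed25519 and the Goldilocks main subgroup (~2^446), as published
# for Ed25519 / Ed448-Goldilocks. Not stated in the post.
Q_25519 = 2**252 + 27742317777372353535851937790883648493
Q_448 = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885


def ed25519_expand(master_key: bytes):
    """private_scalar[32], nonce_key[32] = SHA512(master_key[32])"""
    h = hashlib.sha512(master_key).digest()
    a = bytearray(h[:32])
    # Ed25519 clamping (omitted from the post's summary): clear the low
    # 3 bits, clear bit 255, set bit 254.
    a[0] &= 248
    a[31] &= 127
    a[31] |= 64
    return int.from_bytes(a, "little"), h[32:]


def ed25519_nonce(nonce_key: bytes, message: bytes) -> int:
    """sig_nonce = SHA512(nonce_key || message) % q"""
    d = hashlib.sha512(nonce_key + message).digest()
    return int.from_bytes(d, "little") % Q_25519


def goldilocks_nonce(master_key: bytes, message: bytes) -> int:
    """sig_nonce = SHA512("signonce" || masterkey || message || masterkey) % q

    Assumption: the digest is read as a little-endian integer.
    """
    d = hashlib.sha512(b"signonce" + master_key + message + master_key).digest()
    return int.from_bytes(d, "little") % Q_448


if __name__ == "__main__":
    mk = bytes(range(32))  # constructed master key, for illustration only
    scalar, nk = ed25519_expand(mk)
    print("ed25519 scalar bits:", scalar.bit_length())
    for msg in (b"hello", b"hello", b"world"):
        # Same key and message give the same nonce; a new message gives a new one.
        print(msg, hex(ed25519_nonce(nk, msg))[:18], hex(goldilocks_nonce(mk, msg))[:18])
```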
