On 6/25/2014 9:57 PM, Watson Ladd wrote:
On Wed, Jun 25, 2014 at 4:37 PM, Trevor Perrin <[email protected]
<mailto:[email protected]>> wrote:
> So Ed25519 and Goldilocks are similar in generating the private scalar
> and signing nonce from a "master key":
>
> Ed25519
> --------
> private_scalar[32], nonce_key[32] = SHA512(master_key[32])
> sig_nonce[32] = SHA512(nonce_key[32] || message) % q
>
> Goldilocks
> --------
> private_scalar[56] = SHA512("derivepk" || masterkey[32])
> sig_nonce[56] = SHA512("signonce" || masterkey[32] || message ||
> masterkey[32]) % q
>
>
> Qs
> * Is it weird that the range for Goldilocks private scalar and nonce
> is size 2^256, rather than the size of the main subgroup (~2^446)?
I can't think of a way to break it. Bernstein mentions something
similar for curve25519, with s, md5 (s) as the secret key.
The curve is designed to be ~2^223 secure. If the scalar and nonce are
chosen by a pseudorandom generator and function, respectively, with
~2^256 security, then they are indistinguishable from random for an
attacker acting within the security estimate.
-- Mike
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
