Typo, Ed25519 R is not just a field element, it includes the sign bit, so...
On Wed, Aug 6, 2014 at 3:10 PM, Trevor Perrin <[email protected]> wrote: > > Ed25519 > ======== > > R > -- > * Implementations MUST encode R as a value < 2^255-19 > * Implementations MAY reject a signature if its R is >= 2^255-19 > Otherwise, an invalid R MUST be handled as follows: [XXX] > * Implementations MUST decode R as a value < 2^255 (by ignoring the high bit) [XXX] > * Implementations MUST process R with value >= 2^255-19 as if R was > reduced by 2^255-19 Change to: R -- * Implementations MUST encode the R.y coordinate as a value < 2^255-19 * Implementations MAY reject a signature if its R.y is >= 2^255-19 Otherwise, an invalid R.y MUST be handled as follows: * Implementations MUST process R.y with value >= 2^255-19 as if R.y was reduced by 2^255-19 * However, the bytes that are hashed for signature verification contain R as it was received ? Trevor _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
