On 7/18/20 1:36 PM, Jeff Burdges wrote:
> I do think GNS should ideally switch to Tor’s HDKD solution using
> Ed25519 instead of doing ECDSA over Ed25519 of course.

The signature computation as described in the Tor document is slightly *different* from the EdDSA standard. EdDSA signing requires the private key not to be the private scalar ('a' in Tor lingo), but the 'seed' s from which the private key (as well as the constant 'r' in the signature calculation) is derived from a hash of the seed.

I also think that the clamping of 'h' is not required; if the public key is A=[a]B (assuming 'a' is clamped according to the EdDSA spec), then the derived public key A'=[ha]B has a "non-clamped" scalar even if 'h' is clamped first - the mod multiplication removes that property for sure...

Compared to the current GNS implementation this all boils down to replacing ECDSA with a non-standard EdDSA - is it worth the trouble?

Cheers, Bernd.