diff --git a/docs/cryptography/asymmetric/ed25519.md b/docs/cryptography/asymmetric/edwards25519.md similarity index 78% rename from docs/cryptography/asymmetric/ed25519.md rename to docs/cryptography/asymmetric/edwards25519.md index 7d048ab..3ad4efd 100644 --- a/docs/cryptography/asymmetric/ed25519.md +++ b/docs/cryptography/asymmetric/edwards25519.md @@ -1,4 +1,4 @@ -# Ed25519 curve +# Edwards25519 elliptic curve !!! note Author is nowhere close to being a cryptographer. Be sceptical on accuracy. @@ -6,13 +6,15 @@ !!! note This article is only about the underlying curve. Public key derivation and signing algorithm will be treated separately. -Monero employs Ed25519 elliptic curve as a basis for its key pair generation. - -However, Monero does not exactly follow EdDSA reference signature scheme. +Monero employs edwards25519 elliptic curve as a basis for its key pair generation. + +The curve comes from the Ed25519 signature scheme. While Monero takes the curve unchanged, it does not exactly follow rest of the Ed25519. + +The edwards25519 curve is [birationally equivalent to Curve25519](https://tools.ietf.org/html/rfc7748#section-4.1). ## Definition -This is the standard Ed25519 curve definition, no Monero specific stuff here, +This is the standard edwards25519 curve definition, no Monero specific stuff here, except the naming convention. The convention comes from the CryptoNote whitepaper and is widely used in Monero literature. @@ -25,8 +27,7 @@ Note: * curve is in two dimensions (nothing fancy, like all the curves is high school) * curve is mirrored below y axis due to `y^2` part of the equation (not a polynomial) - -### Base point `G` +### Base point: `G` The base point is a specific point on the curve. It is used as a basis for further calculations. It is an arbitrary choice 
@@ -40,7 +41,7 @@ That's because the specific x can be calculated from the curve equation. # The hex representation of the base point 5866666666666666666666666666666666666666666666666666666666666666 -### Prime order of the base point `l` +### Prime order of the base point: `l` In layment terms, the "canvas" where the curve is drawn is assumed to have a finite "resolution", so point coordinates must "wrap around" @@ -48,6 +49,7 @@ at some point. This is achieved by modulo the `l` value (lowercase L). In other words, the `l` defines the maximum scalar we can use. l = 2^252 + 27742317777372353535851937790883648493 + # => 7237005577332262213973186563042994240857116359379907606001950938285454250989 The `l` is a prime number specified by the curve authors. 
@@ -67,9 +69,10 @@ Monero uses (apparently modified) Ref10 implementation by Daniel J. Bernstein. ## Reference +* [A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography](https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/) +* [RFC 8032 defining EdDSA](https://tools.ietf.org/html/rfc8032) * [Understanding Monero Cryptography](https://steemit.com/monero/@luigi1111/understanding-monero-cryptography-privacy-introduction) - excellent writeup by Luigi * [StackOverflow answer](https://monero.stackexchange.com/questions/2290/why-how-does-monero-generate-public-ed25519-keys-without-using-the-standard-publ) * [Python implementation](https://github.com/monero-project/mininero/blob/master/ed25519.py) - not the reference one but easier to understand * [Encoding point to hex](https://monero.stackexchange.com/questions/6050/what-is-the-base-point-g-from-the-whitepaper-and-how-is-it-represented-as-a) -* [Ed25519 on Wikipedia](https://en.wikipedia.org/wiki/EdDSA#Ed25519) -* [A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography](https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/) +* [EdDSA on Wikipedia](https://en.wikipedia.org/wiki/EdDSA) diff --git a/docs/cryptography/asymmetric/introduction.md b/docs/cryptography/asymmetric/introduction.md index 8f8a734..c172e0f 100644 --- a/docs/cryptography/asymmetric/introduction.md +++ b/docs/cryptography/asymmetric/introduction.md @@ -15,4 +15,4 @@ Historically, asymmetric cryptography was based on the problem of factorization back into prime numbers (which is practically impossible for large enough integers). Recently, asymmetric cryptography is based on a mathematical notion of elliptic curves. -Ed25519 is a specific, well researched and standardized elliptic curve used in Monero. +Edwards25519 is a specific, well researched and standardized elliptic curve used in Monero. 
diff --git a/docs/cryptography/asymmetric/key-image.md b/docs/cryptography/asymmetric/key-image.md index 825594f..8d52010 100644 --- a/docs/cryptography/asymmetric/key-image.md +++ b/docs/cryptography/asymmetric/key-image.md @@ -31,8 +31,8 @@ Where: The `P` comes from this: P = xG - -Where `G` is the [Ed25519](/cryptography/asymmetric/ed25519) base point. + +Where `G` is the [edwards25519](/cryptography/asymmetric/edwards25519) base point. Substitute `P` with `xG` and we get: diff --git a/docs/cryptography/asymmetric/private-key.md b/docs/cryptography/asymmetric/private-key.md index 39cc734..98bbca0 100644 --- a/docs/cryptography/asymmetric/private-key.md +++ b/docs/cryptography/asymmetric/private-key.md @@ -27,8 +27,8 @@ See this [this guide](https://blog.cloudflare.com/a-relatively-easy-to-understan ### Key strength -Before deriving Ed25519 public key, the private key is subject to modulo `l`, -where `l` is the maximum scalar allowed by the [Ed25519 scheme](/cryptography/asymmetric/ed25519). +Before deriving the public key, private key is subject to modulo `l`, +where `l` is the maximum scalar allowed by the [edwards25519 curve](/cryptography/asymmetric/edwards25519). The `l` is on the order of 2^252, so the effective key strength is technically 252 bits, not 256 bits. This is standard for EC cryptography and is more of a cosmetic nuance than any concern. diff --git a/docs/cryptography/asymmetric/public-key.md b/docs/cryptography/asymmetric/public-key.md index 7065b3e..b0b28d8 100644 --- a/docs/cryptography/asymmetric/public-key.md +++ b/docs/cryptography/asymmetric/public-key.md 
@@ -3,7 +3,7 @@ !!! note Author is nowhere close to being a cryptographer. Be sceptical on accuracy. -Public key is deterministically derived from private key based on [Ed25519 curve](/cryptography/asymmetric/ed25519) with a little Monero-specific twist. +Public key is deterministically derived from private key based on [edwards25519 curve](/cryptography/asymmetric/edwards25519) with a little Monero-specific twist. Public key is meant to be shared. Assuming correct implementation, it is not practically possible to recover private key from public key. @@ -20,7 +20,7 @@ Say: * P is a public key * x is a private key -* G is a "base point"; this is simply a constant specific to [Ed25519](/cryptography/asymmetric/ed25519); this point lies on the elliptic curve +* G is a "base point"; this is simply a constant specific to [edwards25519](/cryptography/asymmetric/edwards25519); this point lies on the elliptic curve Then: diff --git a/docs/public-address/subaddress.md b/docs/public-address/subaddress.md index 6f66b64..92a9662 100644 --- a/docs/public-address/subaddress.md +++ b/docs/public-address/subaddress.md 
@@ -45,20 +45,22 @@ Index | Size in bytes | Description Otherwise the data structure is the same as for [standard address](/public-address/standard-address/). Each subaddress conceptually has an index (with 0 being the base standard address). -The index is not directly included in subaddress structure but is used as input to create the private spend key. +The index is not directly included in subaddress structure but is used as input to create the private view key. ## Generating -The private key `m` related to a subaddress is derived as follows: +The private view key `m` for a subaddress is derived as follows: m = Hs(a || i) Where: -* `Hs` is a Keccak-256 hash function interpreted as integer and modulo `l` (maximum Ed25519 scalar) -* `a` is a private view key +* `Hs` is a Keccak-256 hash function interpreted as integer and modulo `l` (maximum edwards25519 scalar) +* `a` is a private view key of the base address * `i` is a subaddress index +Deriving "sub view keys" from the "base view key" allows for creating a view only wallet that monitors entire wallet including subaddresses. + TODO: describe rest of the procedure. ## Caveates diff --git a/mkdocs.yml b/mkdocs.yml index b5eacd4..7a63b97 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -16,7 +16,7 @@ nav: - Introduction: 'cryptography/asymmetric/introduction.md' - Private keys: 'cryptography/asymmetric/private-key.md' - Public keys: 'cryptography/asymmetric/public-key.md' - - Ed25519 curve: 'cryptography/asymmetric/ed25519.md' + - Edwards25519 curve: 'cryptography/asymmetric/edwards25519.md' - Key image: 'cryptography/asymmetric/key-image.md' # - CryptoNight PoW: 'cryptography/cryptonight.md' - Base58: 'cryptography/base58.md'
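Review bot: two articles are missing in the rewritten intro of edwards25519.md: "Monero employs edwards25519 elliptic curve" should read "Monero employs the edwards25519 elliptic curve", and "does not exactly follow rest of the Ed25519" should read "does not exactly follow the rest of the Ed25519 signature scheme" so the sentence distinguishes the curve (kept unchanged) from the scheme (not followed). The new RFC 7748 sentence is correct as stated; consider also adding RFC 7748 to the Reference list, since the same hunk set adds RFC 8032 there.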
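Review bot: the expanded value `# => 7237005577332262213973186563042994240857116359379907606001950938285454250989` is correct for 2^252 + 27742317777372353535851937790883648493, but the surrounding context in the renamed "Prime order of the base point: `l`" section still says that point coordinates "wrap around" modulo `l`. That describes the field prime (2^255 - 19), not `l`; `l` is the order of the base point `G` and therefore bounds scalars, which is what the next sentence ("the `l` defines the maximum scalar we can use") actually says. Suggest rewording the "canvas resolution" sentence so it refers to scalars, or naming the field prime separately, so the heading and the explanation agree.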
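Review bot: in private-key.md, "Before deriving the public key, private key is subject to modulo `l`" drops an article; suggest "the private key is reduced modulo `l`". Removing "Ed25519" from that sentence is the right call, since the reduction mod `l` is the Monero-specific step the public-key.md hunk refers to as the "little Monero-specific twist", but the link text "maximum scalar allowed by the edwards25519 curve" should match the heading it points to ("Prime order of the base point: `l`"), e.g. "the order of the base point of the edwards25519 curve".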
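Review bot: relabelling `m` from "private key" to "private view key `m` for a subaddress" (and changing the sentence above to "used as input to create the private view key") misstates what `m` is. In Monero's subaddress scheme `m` is a scalar derived from the base private view key `a`, as the hunk's own formula `m = Hs(a || i)` shows, but it is added to the spend key to form the subaddress spend public key (D = B + m*G); the subaddress view public key is then C = a*D. The view-only-wallet sentence added here is true precisely because `m` and C can both be computed from `a`, not because `m` is itself a view key. Suggest keeping the neutral "the private key `m`" wording, or spelling out D and C in place of the remaining "TODO: describe rest of the procedure." Two smaller points in the same hunk: the hash input in Monero also includes a domain-separation prefix and a major/minor index pair rather than a single `i`, and "Caveates" in the trailing context line is a typo for "Caveats".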
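Review bot: renaming `docs/cryptography/asymmetric/ed25519.md` to `edwards25519.md` changes the published URL from `/cryptography/asymmetric/ed25519` to `/cryptography/asymmetric/edwards25519`. The hunks in key-image.md, private-key.md, public-key.md and mkdocs.yml update every internal link, but any external link or bookmark to the old path will 404 after deploy; suggest adding a redirect from the old path (for example via a redirects plugin in mkdocs.yml) in the same change.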