mirror of
https://github.com/monero-project/monero-docs.git
synced 2024-12-23 03:59:23 +00:00
The curve should be called "edwards25519" while "Ed25519" is the name for the whole signature scheme
This commit is contained in:
parent
ac45a89136
commit
1af811a4fa
7 changed files with 27 additions and 22 deletions
|
@ -1,4 +1,4 @@
|
||||||
# Ed25519 curve
|
# Edwards25519 elliptic curve
|
||||||
|
|
||||||
!!! note
|
!!! note
|
||||||
Author is nowhere close to being a cryptographer. Be sceptical on accuracy.
|
Author is nowhere close to being a cryptographer. Be sceptical on accuracy.
|
||||||
|
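Review bot: the new heading "# Edwards25519 elliptic curve" capitalizes the name while the body lines changed in this same commit use the lowercase "edwards25519" that RFC 7748 and RFC 8032 use, and the nav entry is changed to yet another form, "Edwards25519 curve". Pick one spelling and one wording for the page title, and make the nav label match the heading so the sidebar and the page agree.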
@ -6,13 +6,15 @@
|
||||||
!!! note
|
!!! note
|
||||||
This article is only about the underlying curve. Public key derivation and signing algorithm will be treated separately.
|
This article is only about the underlying curve. Public key derivation and signing algorithm will be treated separately.
|
||||||
|
|
||||||
Monero employs Ed25519 elliptic curve as a basis for its key pair generation.
|
Monero employs edwards25519 elliptic curve as a basis for its key pair generation.
|
||||||
|
|
||||||
However, Monero does not exactly follow EdDSA reference signature scheme.
|
The curve comes from the Ed25519 signature scheme. While Monero takes the curve unchanged, it does not exactly follow rest of the Ed25519.
|
||||||
|
|
||||||
|
The edwards25519 curve is [birationally equivalent to Curve25519](https://tools.ietf.org/html/rfc7748#section-4.1).
|
||||||
|
|
||||||
## Definition
|
## Definition
|
||||||
|
|
||||||
This is the standard Ed25519 curve definition, no Monero specific stuff here,
|
This is the standard edwards25519 curve definition, no Monero specific stuff here,
|
||||||
except the naming convention. The convention comes from the CryptoNote
|
except the naming convention. The convention comes from the CryptoNote
|
||||||
whitepaper and is widely used in Monero literature.
|
whitepaper and is widely used in Monero literature.
|
||||||
|
|
||||||
|
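Review bot: the rewritten sentence "it does not exactly follow rest of the Ed25519" is missing articles and a noun; suggest "it does not exactly follow the rest of the Ed25519 scheme". It would also help to say what "takes the curve unchanged" means concretely: the same field prime p = 2^255 - 19, the same curve constant d and the same base point as RFC 8032 section 5.1, so only the key derivation and signing on top differ. The added pointer to RFC 7748 section 4.1 for the birational equivalence with Curve25519 is the right reference.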
@ -25,8 +27,7 @@ Note:
|
||||||
* curve is in two dimensions (nothing fancy, like all the curves is high school)
|
* curve is in two dimensions (nothing fancy, like all the curves is high school)
|
||||||
* curve is mirrored below y axis due to `y^2` part of the equation (not a polynomial)
|
* curve is mirrored below y axis due to `y^2` part of the equation (not a polynomial)
|
||||||
|
|
||||||
|
### Base point: `G`
|
||||||
### Base point `G`
|
|
||||||
|
|
||||||
The base point is a specific point on the curve. It is used
|
The base point is a specific point on the curve. It is used
|
||||||
as a basis for further calculations. It is an arbitrary choice
|
as a basis for further calculations. It is an arbitrary choice
|
||||||
|
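Review bot: this hunk removes the colon from "### Base point: `G`" while the next hunk adds one to "### Prime order of the base point: `l`", so the two sibling headings end up inconsistent; apply the same style to both. In the unchanged context, "like all the curves is high school" should read "in high school", and "curve is mirrored below y axis due to `y^2`" has the axis wrong: a `y^2` term gives symmetry under y -> -y, i.e. mirroring across the x axis, and since x also appears only squared in the twisted Edwards equation the curve is symmetric about both axes.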
@ -40,7 +41,7 @@ That's because the specific x can be calculated from the curve equation.
|
||||||
# The hex representation of the base point
|
# The hex representation of the base point
|
||||||
5866666666666666666666666666666666666666666666666666666666666666
|
5866666666666666666666666666666666666666666666666666666666666666
|
||||||
|
|
||||||
### Prime order of the base point `l`
|
### Prime order of the base point: `l`
|
||||||
|
|
||||||
In layment terms, the "canvas" where the curve is drawn is assumed
|
In layment terms, the "canvas" where the curve is drawn is assumed
|
||||||
to have a finite "resolution", so point coordinates must "wrap around"
|
to have a finite "resolution", so point coordinates must "wrap around"
|
||||||
|
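Review bot: "In layment terms" should be "In layman's terms". More importantly, the explanation in these context lines conflates two different moduli: point coordinates x and y live in the field modulo p = 2^255 - 19, whereas `l` is the order of the base point `G` and bounds scalars, not coordinates. Since the heading is being edited anyway, the sentence "point coordinates must wrap around ... modulo the `l` value" should be corrected to say that scalars are reduced modulo `l` and coordinates modulo p.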
@ -48,6 +49,7 @@ at some point. This is achieved by modulo the `l` value (lowercase L).
|
||||||
In other words, the `l` defines the maximum scalar we can use.
|
In other words, the `l` defines the maximum scalar we can use.
|
||||||
|
|
||||||
l = 2^252 + 27742317777372353535851937790883648493
|
l = 2^252 + 27742317777372353535851937790883648493
|
||||||
|
# => 7237005577332262213973186563042994240857116359379907606001950938285454250989
|
||||||
|
|
||||||
The `l` is a prime number specified by the curve authors.
|
The `l` is a prime number specified by the curve authors.
|
||||||
|
|
||||||
|
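Review bot: the added decimal expansion is correct (2^252 + 27742317777372353535851937790883648493 = 7237005577332262213973186563042994240857116359379907606001950938285454250989). The surrounding sentence "the `l` defines the maximum scalar we can use" is slightly off, because `l` itself reduces to zero; suggest "scalars are reduced modulo `l`, so valid scalars are 0 .. l - 1". It is also worth stating that `l` is the order of the subgroup generated by `G`, and that the full curve has 8 * l points (cofactor 8), since that cofactor is why Monero has to check key images lie in the prime-order subgroup.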
@ -67,9 +69,10 @@ Monero uses (apparently modified) Ref10 implementation by Daniel J. Bernstein.
|
||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
|
* [A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography](https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)
|
||||||
|
* [RFC 8032 defining EdDSA](https://tools.ietf.org/html/rfc8032)
|
||||||
* [Understanding Monero Cryptography](https://steemit.com/monero/@luigi1111/understanding-monero-cryptography-privacy-introduction) - excellent writeup by Luigi
|
* [Understanding Monero Cryptography](https://steemit.com/monero/@luigi1111/understanding-monero-cryptography-privacy-introduction) - excellent writeup by Luigi
|
||||||
* [StackOverflow answer](https://monero.stackexchange.com/questions/2290/why-how-does-monero-generate-public-ed25519-keys-without-using-the-standard-publ)
|
* [StackOverflow answer](https://monero.stackexchange.com/questions/2290/why-how-does-monero-generate-public-ed25519-keys-without-using-the-standard-publ)
|
||||||
* [Python implementation](https://github.com/monero-project/mininero/blob/master/ed25519.py) - not the reference one but easier to understand
|
* [Python implementation](https://github.com/monero-project/mininero/blob/master/ed25519.py) - not the reference one but easier to understand
|
||||||
* [Encoding point to hex](https://monero.stackexchange.com/questions/6050/what-is-the-base-point-g-from-the-whitepaper-and-how-is-it-represented-as-a)
|
* [Encoding point to hex](https://monero.stackexchange.com/questions/6050/what-is-the-base-point-g-from-the-whitepaper-and-how-is-it-represented-as-a)
|
||||||
* [Ed25519 on Wikipedia](https://en.wikipedia.org/wiki/EdDSA#Ed25519)
|
* [EdDSA on Wikipedia](https://en.wikipedia.org/wiki/EdDSA)
|
||||||
* [A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography](https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)
|
|
|
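Review bot: adding RFC 8032 is the right move since section 5.1 of it is where the edwards25519 parameters are specified, and it is the citation the "standardized" claims elsewhere in this commit rely on; RFC 7748, linked in the body for the Curve25519 equivalence, should be listed here as well. Two smaller points: the "StackOverflow answer" entry actually points at monero.stackexchange.com, so label it "Monero Stack Exchange answer"; and changing the Wikipedia link from `EdDSA#Ed25519` to `EdDSA` drops the anchor that jumped straight to the Ed25519 section, which is the part a reader of this page wants.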
@ -15,4 +15,4 @@ Historically, asymmetric cryptography was based on the problem of factorization
|
||||||
back into prime numbers (which is practically impossible for large enough integers).
|
back into prime numbers (which is practically impossible for large enough integers).
|
||||||
|
|
||||||
Recently, asymmetric cryptography is based on a mathematical notion of elliptic curves.
|
Recently, asymmetric cryptography is based on a mathematical notion of elliptic curves.
|
||||||
Ed25519 is a specific, well researched and standardized elliptic curve used in Monero.
|
Edwards25519 is a specific, well researched and standardized elliptic curve used in Monero.
|
||||||
|
|
|
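Review bot: the unchanged context line "Recently, asymmetric cryptography is based on a mathematical notion of elliptic curves" reads as though all asymmetric cryptography now were; suggest "More recently, asymmetric cryptography has increasingly been based on elliptic curves". The rewritten line calls Edwards25519 "standardized"; RFC 7748 and RFC 8032 are the documents that back that word, so link one of them from this sentence.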
@ -32,7 +32,7 @@ The `P` comes from this:
|
||||||
|
|
||||||
P = xG
|
P = xG
|
||||||
|
|
||||||
Where `G` is the [Ed25519](/cryptography/asymmetric/ed25519) base point.
|
Where `G` is the [edwards25519](/cryptography/asymmetric/edwards25519) base point.
|
||||||
|
|
||||||
Substitute `P` with `xG` and we get:
|
Substitute `P` with `xG` and we get:
|
||||||
|
|
||||||
|
|
|
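Review bot: changing the link target from `/cryptography/asymmetric/ed25519` to `/cryptography/asymmetric/edwards25519` breaks every existing inbound link and bookmark to the old URL. Keep a redirect (or a stub at the old path) so external references keep resolving, and grep the whole repository for `asymmetric/ed25519` to confirm none of the seven touched files, nor any untouched one, still points at the old path.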
@ -27,8 +27,8 @@ See this [this guide](https://blog.cloudflare.com/a-relatively-easy-to-understan
|
||||||
|
|
||||||
### Key strength
|
### Key strength
|
||||||
|
|
||||||
Before deriving Ed25519 public key, the private key is subject to modulo `l`,
|
Before deriving the public key, private key is subject to modulo `l`,
|
||||||
where `l` is the maximum scalar allowed by the [Ed25519 scheme](/cryptography/asymmetric/ed25519).
|
where `l` is the maximum scalar allowed by the [edwards25519 curve](/cryptography/asymmetric/edwards25519).
|
||||||
|
|
||||||
The `l` is on the order of 2^252, so the effective key strength is technically 252 bits, not 256 bits.
|
The `l` is on the order of 2^252, so the effective key strength is technically 252 bits, not 256 bits.
|
||||||
This is standard for EC cryptography and is more of a cosmetic nuance than any concern.
|
This is standard for EC cryptography and is more of a cosmetic nuance than any concern.
|
||||||
|
|
|
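Review bot: the rewrite introduces a grammar regression, "private key is subject to modulo `l`"; suggest "the private key is reduced modulo `l`". The context line "See this [this guide]" has a duplicated "this". The unchanged claim "the effective key strength is technically 252 bits, not 256 bits" conflates key-space size with security level: a group of order about 2^252 gives roughly 126 bits of security against generic discrete-log attacks such as Pollard rho, which is the usual ~128-bit figure quoted for the Curve25519 family. The 252-versus-256 comparison is about scalar entropy, and the sentence should say so rather than call it "key strength".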
@ -3,7 +3,7 @@
|
||||||
!!! note
|
!!! note
|
||||||
Author is nowhere close to being a cryptographer. Be sceptical on accuracy.
|
Author is nowhere close to being a cryptographer. Be sceptical on accuracy.
|
||||||
|
|
||||||
Public key is deterministically derived from private key based on [Ed25519 curve](/cryptography/asymmetric/ed25519) with a little Monero-specific twist.
|
Public key is deterministically derived from private key based on [edwards25519 curve](/cryptography/asymmetric/edwards25519) with a little Monero-specific twist.
|
||||||
|
|
||||||
Public key is meant to be shared. Assuming correct implementation, it is not practically possible to recover private key from public key.
|
Public key is meant to be shared. Assuming correct implementation, it is not practically possible to recover private key from public key.
|
||||||
|
|
||||||
|
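Review bot: style only, since the link rename is fine: "Public key is deterministically derived from private key" needs articles ("The public key ... from the private key"), and "a little Monero-specific twist" should name the twist right here, namely that Monero uses the reduced private scalar directly as the multiplier of `G` and skips the SHA-512 expansion and clamping step that RFC 8032 applies to the seed; that is the difference the linked Stack Exchange answer in the references is about.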
@ -20,7 +20,7 @@ Say:
|
||||||
|
|
||||||
* P is a public key
|
* P is a public key
|
||||||
* x is a private key
|
* x is a private key
|
||||||
* G is a "base point"; this is simply a constant specific to [Ed25519](/cryptography/asymmetric/ed25519); this point lies on the elliptic curve
|
* G is a "base point"; this is simply a constant specific to [edwards25519](/cryptography/asymmetric/edwards25519); this point lies on the elliptic curve
|
||||||
|
|
||||||
Then:
|
Then:
|
||||||
|
|
||||||
|
|
|
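Review bot: the bullet describes `G` as "simply a constant specific to edwards25519", but the curve page this link now points to calls `l` the "prime order of the base point"; tie the two together by saying `G` is the fixed generator of the order-`l` subgroup rather than just a constant on the curve, otherwise a reader has no reason to connect `l` with `G`.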
@ -45,20 +45,22 @@ Index | Size in bytes | Description
|
||||||
Otherwise the data structure is the same as for [standard address](/public-address/standard-address/).
|
Otherwise the data structure is the same as for [standard address](/public-address/standard-address/).
|
||||||
|
|
||||||
Each subaddress conceptually has an index (with 0 being the base standard address).
|
Each subaddress conceptually has an index (with 0 being the base standard address).
|
||||||
The index is not directly included in subaddress structure but is used as input to create the private spend key.
|
The index is not directly included in subaddress structure but is used as input to create the private view key.
|
||||||
|
|
||||||
## Generating
|
## Generating
|
||||||
|
|
||||||
The private key `m` related to a subaddress is derived as follows:
|
The private view key `m` for a subaddress is derived as follows:
|
||||||
|
|
||||||
m = Hs(a || i)
|
m = Hs(a || i)
|
||||||
|
|
||||||
Where:
|
Where:
|
||||||
|
|
||||||
* `Hs` is a Keccak-256 hash function interpreted as integer and modulo `l` (maximum Ed25519 scalar)
|
* `Hs` is a Keccak-256 hash function interpreted as integer and modulo `l` (maximum edwards25519 scalar)
|
||||||
* `a` is a private view key
|
* `a` is a private view key of the base address
|
||||||
* `i` is a subaddress index
|
* `i` is a subaddress index
|
||||||
|
|
||||||
|
Deriving "sub view keys" from the "base view key" allows for creating a view only wallet that monitors entire wallet including subaddresses.
|
||||||
|
|
||||||
TODO: describe rest of the procedure.
|
TODO: describe rest of the procedure.
|
||||||
|
|
||||||
## Caveates
|
## Caveates
|
||||||
|
|
|
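Review bot: relabelling `m` from "private spend key" to "private view key" replaces one inaccuracy with another. In Monero's subaddress scheme the scalar is a spend-key offset, not a key of either kind: the subaddress public spend key is D = B + m*G and its public view key is C = a*D, and there is no per-subaddress private view key; the base private view key `a` together with D is what a view-only wallet scans with, which is the property the added sentence about view-only wallets is describing. The formula `m = Hs(a || i)` is also incomplete as written: the real derivation includes a domain-separation prefix ("SubAddr" with its terminating null byte) and the index is a (major, minor) pair of 32-bit little-endian integers, not a single `i`; either show the full input or say explicitly that this is a simplification, and resolve the "TODO: describe rest of the procedure" line with the D and C formulas above. Minor: "## Caveates" in the context should be "## Caveats".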
@ -16,7 +16,7 @@ nav:
|
||||||
- Introduction: 'cryptography/asymmetric/introduction.md'
|
- Introduction: 'cryptography/asymmetric/introduction.md'
|
||||||
- Private keys: 'cryptography/asymmetric/private-key.md'
|
- Private keys: 'cryptography/asymmetric/private-key.md'
|
||||||
- Public keys: 'cryptography/asymmetric/public-key.md'
|
- Public keys: 'cryptography/asymmetric/public-key.md'
|
||||||
- Ed25519 curve: 'cryptography/asymmetric/ed25519.md'
|
- Edwards25519 curve: 'cryptography/asymmetric/edwards25519.md'
|
||||||
- Key image: 'cryptography/asymmetric/key-image.md'
|
- Key image: 'cryptography/asymmetric/key-image.md'
|
||||||
# - CryptoNight PoW: 'cryptography/cryptonight.md'
|
# - CryptoNight PoW: 'cryptography/cryptonight.md'
|
||||||
- Base58: 'cryptography/base58.md'
|
- Base58: 'cryptography/base58.md'
|
||||||
|
|
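Review bot: the nav label becomes "Edwards25519 curve" while the page heading changed in this commit is "Edwards25519 elliptic curve" and the body text uses lowercase "edwards25519"; make the label match the heading. Since the nav now points at `edwards25519.md`, confirm the file was actually renamed (git mv) rather than copied, so the old `ed25519.md` does not linger as an orphan page that still carries the old title.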