The curve should be called "edwards25519" while "Ed25519" is name for the whole signature scheme

This commit is contained in:
Piotr Włodarek 2018-08-20 17:17:45 +02:00
parent ac45a89136
commit 1af811a4fa
7 changed files with 27 additions and 22 deletions

View file

@ -1,4 +1,4 @@
# Ed25519 curve # Edwards25519 elliptic curve
!!! note !!! note
Author is nowhere close to being a cryptographer. Be sceptical on accuracy. Author is nowhere close to being a cryptographer. Be sceptical on accuracy.
@ -6,13 +6,15 @@
!!! note !!! note
This article is only about the underlying curve. Public key derivation and signing algorithm will be treated separately. This article is only about the underlying curve. Public key derivation and signing algorithm will be treated separately.
Monero employs Ed25519 elliptic curve as a basis for its key pair generation. Monero employs edwards25519 elliptic curve as a basis for its key pair generation.
However, Monero does not exactly follow EdDSA reference signature scheme. The curve comes from the Ed25519 signature scheme. While Monero takes the curve unchanged, it does not exactly follow rest of the Ed25519.
The edwards25519 curve is [birationally equivalent to Curve25519](https://tools.ietf.org/html/rfc7748#section-4.1).
## Definition ## Definition
This is the standard Ed25519 curve definition, no Monero specific stuff here, This is the standard edwards25519 curve definition, no Monero specific stuff here,
except the naming convention. The convention comes from the CryptoNote except the naming convention. The convention comes from the CryptoNote
whitepaper and is widely used in Monero literature. whitepaper and is widely used in Monero literature.
@ -25,8 +27,7 @@ Note:
* curve is in two dimensions (nothing fancy, like all the curves is high school) * curve is in two dimensions (nothing fancy, like all the curves is high school)
* curve is mirrored below y axis due to `y^2` part of the equation (not a polynomial) * curve is mirrored below y axis due to `y^2` part of the equation (not a polynomial)
### Base point: `G`
### Base point `G`
The base point is a specific point on the curve. It is used The base point is a specific point on the curve. It is used
as a basis for further calculations. It is an arbitrary choice as a basis for further calculations. It is an arbitrary choice
@ -40,7 +41,7 @@ That's because the specific x can be calculated from the curve equation.
# The hex representation of the base point # The hex representation of the base point
5866666666666666666666666666666666666666666666666666666666666666 5866666666666666666666666666666666666666666666666666666666666666
### Prime order of the base point `l` ### Prime order of the base point: `l`
In layment terms, the "canvas" where the curve is drawn is assumed In layment terms, the "canvas" where the curve is drawn is assumed
to have a finite "resolution", so point coordinates must "wrap around" to have a finite "resolution", so point coordinates must "wrap around"
@ -48,6 +49,7 @@ at some point. This is achieved by modulo the `l` value (lowercase L).
In other words, the `l` defines the maximum scalar we can use. In other words, the `l` defines the maximum scalar we can use.
l = 2^252 + 27742317777372353535851937790883648493 l = 2^252 + 27742317777372353535851937790883648493
# => 7237005577332262213973186563042994240857116359379907606001950938285454250989
The `l` is a prime number specified by the curve authors. The `l` is a prime number specified by the curve authors.
@ -67,9 +69,10 @@ Monero uses (apparently modified) Ref10 implementation by Daniel J. Bernstein.
## Reference ## Reference
* [A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography](https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)
* [RFC 8032 defining EdDSA](https://tools.ietf.org/html/rfc8032)
* [Understanding Monero Cryptography](https://steemit.com/monero/@luigi1111/understanding-monero-cryptography-privacy-introduction) - excellent writeup by Luigi * [Understanding Monero Cryptography](https://steemit.com/monero/@luigi1111/understanding-monero-cryptography-privacy-introduction) - excellent writeup by Luigi
* [StackOverflow answer](https://monero.stackexchange.com/questions/2290/why-how-does-monero-generate-public-ed25519-keys-without-using-the-standard-publ) * [StackOverflow answer](https://monero.stackexchange.com/questions/2290/why-how-does-monero-generate-public-ed25519-keys-without-using-the-standard-publ)
* [Python implementation](https://github.com/monero-project/mininero/blob/master/ed25519.py) - not the reference one but easier to understand * [Python implementation](https://github.com/monero-project/mininero/blob/master/ed25519.py) - not the reference one but easier to understand
* [Encoding point to hex](https://monero.stackexchange.com/questions/6050/what-is-the-base-point-g-from-the-whitepaper-and-how-is-it-represented-as-a) * [Encoding point to hex](https://monero.stackexchange.com/questions/6050/what-is-the-base-point-g-from-the-whitepaper-and-how-is-it-represented-as-a)
* [Ed25519 on Wikipedia](https://en.wikipedia.org/wiki/EdDSA#Ed25519) * [EdDSA on Wikipedia](https://en.wikipedia.org/wiki/EdDSA)
* [A (Relatively Easy To Understand) Primer on Elliptic Curve Cryptography](https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)

View file

@ -15,4 +15,4 @@ Historically, asymmetric cryptography was based on the problem of factorization
back into prime numbers (which is practically impossible for large enough integers). back into prime numbers (which is practically impossible for large enough integers).
Recently, asymmetric cryptography is based on a mathematical notion of elliptic curves. Recently, asymmetric cryptography is based on a mathematical notion of elliptic curves.
Ed25519 is a specific, well researched and standardized elliptic curve used in Monero. Edwards25519 is a specific, well researched and standardized elliptic curve used in Monero.

View file

@ -31,8 +31,8 @@ Where:
The `P` comes from this: The `P` comes from this:
P = xG P = xG
Where `G` is the [Ed25519](/cryptography/asymmetric/ed25519) base point. Where `G` is the [edwards25519](/cryptography/asymmetric/edwards25519) base point.
Substitute `P` with `xG` and we get: Substitute `P` with `xG` and we get:

View file

@ -27,8 +27,8 @@ See this [this guide](https://blog.cloudflare.com/a-relatively-easy-to-understan
### Key strength ### Key strength
Before deriving Ed25519 public key, the private key is subject to modulo `l`, Before deriving the public key, private key is subject to modulo `l`,
where `l` is the maximum scalar allowed by the [Ed25519 scheme](/cryptography/asymmetric/ed25519). where `l` is the maximum scalar allowed by the [edwards25519 curve](/cryptography/asymmetric/edwards25519).
The `l` is on the order of 2^252, so the effective key strength is technically 252 bits, not 256 bits. The `l` is on the order of 2^252, so the effective key strength is technically 252 bits, not 256 bits.
This is standard for EC cryptography and is more of a cosmetic nuance than any concern. This is standard for EC cryptography and is more of a cosmetic nuance than any concern.

View file

@ -3,7 +3,7 @@
!!! note !!! note
Author is nowhere close to being a cryptographer. Be sceptical on accuracy. Author is nowhere close to being a cryptographer. Be sceptical on accuracy.
Public key is deterministically derived from private key based on [Ed25519 curve](/cryptography/asymmetric/ed25519) with a little Monero-specific twist. Public key is deterministically derived from private key based on [edwards25519 curve](/cryptography/asymmetric/edwards25519) with a little Monero-specific twist.
Public key is meant to be shared. Assuming correct implementation, it is not practically possible to recover private key from public key. Public key is meant to be shared. Assuming correct implementation, it is not practically possible to recover private key from public key.
@ -20,7 +20,7 @@ Say:
* P is a public key * P is a public key
* x is a private key * x is a private key
* G is a "base point"; this is simply a constant specific to [Ed25519](/cryptography/asymmetric/ed25519); this point lies on the elliptic curve * G is a "base point"; this is simply a constant specific to [edwards25519](/cryptography/asymmetric/edwards25519); this point lies on the elliptic curve
Then: Then:

View file

@ -45,20 +45,22 @@ Index | Size in bytes | Description
Otherwise the data structure is the same as for [standard address](/public-address/standard-address/). Otherwise the data structure is the same as for [standard address](/public-address/standard-address/).
Each subaddress conceptually has an index (with 0 being the base standard address). Each subaddress conceptually has an index (with 0 being the base standard address).
The index is not directly included in subaddress structure but is used as input to create the private spend key. The index is not directly included in subaddress structure but is used as input to create the private view key.
## Generating ## Generating
The private key `m` related to a subaddress is derived as follows: The private view key `m` for a subaddress is derived as follows:
m = Hs(a || i) m = Hs(a || i)
Where: Where:
* `Hs` is a Keccak-256 hash function interpreted as integer and modulo `l` (maximum Ed25519 scalar) * `Hs` is a Keccak-256 hash function interpreted as integer and modulo `l` (maximum edwards25519 scalar)
* `a` is a private view key * `a` is a private view key of the base address
* `i` is a subaddress index * `i` is a subaddress index
Deriving "sub view keys" from the "base view key" allows for creating a view only wallet that monitors entire wallet including subaddresses.
TODO: describe rest of the procedure. TODO: describe rest of the procedure.
## Caveates ## Caveates

View file

@ -16,7 +16,7 @@ nav:
- Introduction: 'cryptography/asymmetric/introduction.md' - Introduction: 'cryptography/asymmetric/introduction.md'
- Private keys: 'cryptography/asymmetric/private-key.md' - Private keys: 'cryptography/asymmetric/private-key.md'
- Public keys: 'cryptography/asymmetric/public-key.md' - Public keys: 'cryptography/asymmetric/public-key.md'
- Ed25519 curve: 'cryptography/asymmetric/ed25519.md' - Edwards25519 curve: 'cryptography/asymmetric/edwards25519.md'
- Key image: 'cryptography/asymmetric/key-image.md' - Key image: 'cryptography/asymmetric/key-image.md'
# - CryptoNight PoW: 'cryptography/cryptonight.md' # - CryptoNight PoW: 'cryptography/cryptonight.md'
- Base58: 'cryptography/base58.md' - Base58: 'cryptography/base58.md'