mirror of
https://github.com/monero-project/monero-docs.git
synced 2024-12-23 03:59:23 +00:00
Update ed25519 (requires review)
parent
e848e0ff24
commit
8fa6bfc585
1 changed files with 33 additions and 15 deletions
|
@ -12,37 +12,55 @@ However, Monero does not exactly follow EdDSA reference signature scheme.
|
||||||
|
|
||||||
## Definition
|
## Definition
|
||||||
|
|
||||||
This is the standard Ed25519 curve definition, no Monero specific stuff here.
|
This is the standard Ed25519 curve definition, no Monero specific stuff here,
|
||||||
|
except the naming convention. The convention comes from the CryptoNote
|
||||||
|
whitepaper and is widely used in Monero literature.
|
||||||
|
|
||||||
Curve equation:
|
### Curve equation
|
||||||
|
|
||||||
−x^2 + y^2 = 1 − (121665/121666) * x^2 * y^2
|
−x^2 + y^2 = 1 − (121665/121666) * x^2 * y^2
|
||||||
|
|
||||||
Base point:
|
Note:
|
||||||
|
|
||||||
|
* curve is in two dimensions (nothing fancy, like all the curves is high school)
|
||||||
|
* curve is mirrored below y axis due to `y^2` part of the equation (not a polynomial)
|
||||||
|
|
||||||
|
|
||||||
|
### Base point `G`
|
||||||
|
|
||||||
|
The base point is a specific point on the curve. It is used
|
||||||
|
as a basis for further calculations. It is an arbitrary choice
|
||||||
|
by the curve authors, just to standardize the scheme.
|
||||||
|
|
||||||
|
Note that it is enough to specify the y value and the sign of the x value.
|
||||||
|
That's because the specific x can be calculated from the curve equation.
|
||||||
|
|
||||||
# The base point is the specific point on the curve. It is used
|
|
||||||
# as a basis for further calculations. It is an arbitrary choice
|
|
||||||
# by the curve authors, just to standarize the scheme.
|
|
||||||
#
|
|
||||||
# Note that it is enough to specify the y value and the sign of the x value.
|
|
||||||
# That's because the specific x can be calculated from the curve equation.
|
|
||||||
G = (x, 4/5) # take the point with the positive x
|
G = (x, 4/5) # take the point with the positive x
|
||||||
|
|
||||||
# The hex representation of the base point
|
# The hex representation of the base point
|
||||||
5866666666666666666666666666666666666666666666666666666666666666
|
5866666666666666666666666666666666666666666666666666666666666666
|
||||||
|
|
||||||
Prime order of the base point:
|
### Prime order of the base point `l`
|
||||||
|
|
||||||
|
In layment terms, the "canvas" where the curve is drawn is assumed
|
||||||
|
to have a finite "resolution", so point coordinates must "wrap around"
|
||||||
|
at some point. This is achieved by modulo the `l` value (lowercase L).
|
||||||
|
In other words, the `l` defines the maximum scalar we can use.
|
||||||
|
|
||||||
# In layment terms, the "canvas" where the curve is drawn is assumed
|
|
||||||
# to have a finite "resolution", so point coordinates must "wrap around"
|
|
||||||
# at some point. This is achieved by modulo the "l" value.
|
|
||||||
# In other words, the "l" defines the maximum scalar we can use.
|
|
||||||
l = 2^252 + 27742317777372353535851937790883648493
|
l = 2^252 + 27742317777372353535851937790883648493
|
||||||
|
|
||||||
The total number of points on the curve, a prime number:
|
The `l` is a prime number specified by the curve authors.
|
||||||
|
|
||||||
|
In practice this is the private key's strength.
|
||||||
|
|
||||||
|
### Total number of points on the curve
|
||||||
|
|
||||||
|
The total number of points on the curve is also a prime number:
|
||||||
|
|
||||||
q = 2^255 - 19
|
q = 2^255 - 19
|
||||||
|
|
||||||
|
In practice not all points are "useful" and so the private key strength is limited to `l` describe above.
|
||||||
|
|
||||||
## Implementation
|
## Implementation
|
||||||
|
|
||||||
Monero uses (apparently modified) Ref10 implementation by Daniel J. Bernstein.
|
Monero uses (apparently modified) Ref10 implementation by Daniel J. Bernstein.
|
||||||
|
|
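Review bot: The added section "Total number of points on the curve" presents `q = 2^255 - 19` as the point count, but that value is the prime of the underlying field, i.e. the modulus for point coordinates; the curve itself has 8 * l points (cofactor 8). The new `l` paragraph carries the same mix-up: coordinates wrap around modulo `q`, while `l` is the modulus for scalars, so "point coordinates must wrap around ... by modulo the `l` value" should be split into those two statements. I would retitle the last section along the lines of "Prime of the field `q`" and reword "In practice not all points are useful" in terms of the cofactor, since `l` is the order of the subgroup generated by `G`. Smaller fixes in the added lines: "layment" should be "layman's", "describe above" should be "described above", and "like all the curves is high school" should read "in high school".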