Update ed25519 (requires review)

This commit is contained in:
Piotr Włodarek 2018-03-27 13:40:54 +02:00
parent e848e0ff24
commit 8fa6bfc585

View file

@ -12,37 +12,55 @@ However, Monero does not exactly follow EdDSA reference signature scheme.
## Definition ## Definition
This is the standard Ed25519 curve definition, no Monero specific stuff here. This is the standard Ed25519 curve definition, no Monero specific stuff here,
except the naming convention. The convention comes from the CryptoNote
whitepaper and is widely used in Monero literature.
Curve equation: ### Curve equation
x^2 + y^2 = 1 (121665/121666) * x^2 * y^2 x^2 + y^2 = 1 (121665/121666) * x^2 * y^2
Base point: Note:
* curve is in two dimensions (nothing fancy, like all the curves is high school)
* curve is mirrored below y axis due to `y^2` part of the equation (not a polynomial)
### Base point `G`
The base point is a specific point on the curve. It is used
as a basis for further calculations. It is an arbitrary choice
by the curve authors, just to standardize the scheme.
Note that it is enough to specify the y value and the sign of the x value.
That's because the specific x can be calculated from the curve equation.
# The base point is the specific point on the curve. It is used
# as a basis for further calculations. It is an arbitrary choice
# by the curve authors, just to standarize the scheme.
#
# Note that it is enough to specify the y value and the sign of the x value.
# That's because the specific x can be calculated from the curve equation.
G = (x, 4/5) # take the point with the positive x G = (x, 4/5) # take the point with the positive x
# The hex representation of the base point # The hex representation of the base point
5866666666666666666666666666666666666666666666666666666666666666 5866666666666666666666666666666666666666666666666666666666666666
Prime order of the base point: ### Prime order of the base point `l`
In layment terms, the "canvas" where the curve is drawn is assumed
to have a finite "resolution", so point coordinates must "wrap around"
at some point. This is achieved by modulo the `l` value (lowercase L).
In other words, the `l` defines the maximum scalar we can use.
# In layment terms, the "canvas" where the curve is drawn is assumed
# to have a finite "resolution", so point coordinates must "wrap around"
# at some point. This is achieved by modulo the "l" value.
# In other words, the "l" defines the maximum scalar we can use.
l = 2^252 + 27742317777372353535851937790883648493 l = 2^252 + 27742317777372353535851937790883648493
The total number of points on the curve, a prime number: The `l` is a prime number specified by the curve authors.
In practice this is the private key's strength.
### Total number of points on the curve
The total number of points on the curve is also a prime number:
q = 2^255 - 19 q = 2^255 - 19
In practice not all points are "useful" and so the private key strength is limited to `l` describe above.
## Implementation ## Implementation
Monero uses (apparently modified) Ref10 implementation by Daniel J. Bernstein. Monero uses (apparently modified) Ref10 implementation by Daniel J. Bernstein.