mirror of
https://github.com/monero-project/monero-docs.git
synced 2025-01-08 20:09:31 +00:00
Update ed25519 (requires review)
parent
e848e0ff24
commit
8fa6bfc585
1 changed files with 33 additions and 15 deletions
|
@ -12,37 +12,55 @@ However, Monero does not exactly follow EdDSA reference signature scheme.
|
|||
|
||||
## Definition
|
||||
|
||||
This is the standard Ed25519 curve definition, no Monero specific stuff here.
|
||||
This is the standard Ed25519 curve definition, no Monero specific stuff here,
|
||||
except the naming convention. The convention comes from the CryptoNote
|
||||
whitepaper and is widely used in Monero literature.
|
||||
|
||||
Curve equation:
|
||||
### Curve equation
|
||||
|
||||
−x^2 + y^2 = 1 − (121665/121666) * x^2 * y^2
|
||||
|
||||
Base point:
|
||||
Note:
|
||||
|
||||
* curve is in two dimensions (nothing fancy, like all the curves is high school)
|
||||
* curve is mirrored below y axis due to `y^2` part of the equation (not a polynomial)
|
||||
|
||||
|
||||
### Base point `G`
|
||||
|
||||
The base point is a specific point on the curve. It is used
|
||||
as a basis for further calculations. It is an arbitrary choice
|
||||
by the curve authors, just to standardize the scheme.
|
||||
|
||||
Note that it is enough to specify the y value and the sign of the x value.
|
||||
That's because the specific x can be calculated from the curve equation.
|
||||
|
||||
# The base point is the specific point on the curve. It is used
|
||||
# as a basis for further calculations. It is an arbitrary choice
|
||||
# by the curve authors, just to standarize the scheme.
|
||||
#
|
||||
# Note that it is enough to specify the y value and the sign of the x value.
|
||||
# That's because the specific x can be calculated from the curve equation.
|
||||
G = (x, 4/5) # take the point with the positive x
|
||||
|
||||
# The hex representation of the base point
|
||||
5866666666666666666666666666666666666666666666666666666666666666
|
||||
|
||||
Prime order of the base point:
|
||||
### Prime order of the base point `l`
|
||||
|
||||
In layment terms, the "canvas" where the curve is drawn is assumed
|
||||
to have a finite "resolution", so point coordinates must "wrap around"
|
||||
at some point. This is achieved by modulo the `l` value (lowercase L).
|
||||
In other words, the `l` defines the maximum scalar we can use.
|
||||
|
||||
# In layment terms, the "canvas" where the curve is drawn is assumed
|
||||
# to have a finite "resolution", so point coordinates must "wrap around"
|
||||
# at some point. This is achieved by modulo the "l" value.
|
||||
# In other words, the "l" defines the maximum scalar we can use.
|
||||
l = 2^252 + 27742317777372353535851937790883648493
|
||||
|
||||
The total number of points on the curve, a prime number:
|
||||
The `l` is a prime number specified by the curve authors.
|
||||
|
||||
In practice this is the private key's strength.
|
||||
|
||||
### Total number of points on the curve
|
||||
|
||||
The total number of points on the curve is also a prime number:
|
||||
|
||||
q = 2^255 - 19
|
||||
|
||||
In practice not all points are "useful" and so the private key strength is limited to `l` describe above.
|
||||
|
||||
## Implementation
|
||||
|
||||
Monero uses (apparently modified) Ref10 implementation by Daniel J. Bernstein.
|
||||
|
|
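Review bot: The new "Prime order of the base point `l`" and "Total number of points on the curve" sections mix up the roles of `l` and `q`. In Ed25519, `q = 2^255 - 19` is the prime of the field the point coordinates live in, so coordinates wrap around modulo `q`, not modulo `l`. `l` is the order of the base point `G`, so it is the scalars (private keys) that are reduced modulo `l`. The number of points on the curve is `8 * l`, which is not prime. The sentence "The total number of points on the curve is also a prime number" should therefore introduce `q` as the field prime, and the heading should be renamed to match. The "canvas resolution" paragraph should either move under `q` or be reworded to talk about scalars. Smaller points in the same hunk: "layment" should be "layman's", "describe above" should be "described above", and "like all the curves is high school" should read "in high school".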