This article is rated C-class on Wikipedia's content assessment scale.
There is some mess. The formula for Ed25519 curve is
With two minuses indeed (see DJB paper, page 6, first equation and page 8, line 1). It is canonical Twisted Edwards curve form. The same formulas can be found in the authors' simplified source code (look at d = -121665 * inv(121666) and xx = (y*y-1) * inv(d*y*y+1) (xx is a square of x))
This curve is birationally equivalent to Curve25519, which is a Montgomery curve (DJB paper, page 7, subsection Choice of curve). Curve25519 itself "is birationally equivalent to an Edwards curve, specifically " (DJB paper, page 8, line 5). Not Twisted Edwards, therefore different formula -- with no minuses. But it is not canonical EdDSA.
Then, the formulas for coord transformation. From Curve25519 to Edwards form (mentioned above): "the equivalence is x =√486664u/v and y =(u − 1)/(u + 1)" (DJB paper, page 8, line 6). From Edwards to Twisted Edwards you just need to replace x^2 with -x^2, or x with (√-1)x (sorry, no link, but this is obvious). Therefore, x =(√-486664)u/v (this edit was correct) — Preceding unsigned comment added by Hannasnow (talk • contribs)
I have another question which has been bugging me for quite some time. The DJB paper and this article say that for verification you should check:
There appears to be an error in the above description. There should be two secrets the signer has, their private key associated with their public key and a random number used only once for this signing. I only see the number k which is hashed to produce s.
I think the original paper mentions that this is OK, but I have no clue why the first form (with the ) is mentioned at all.
Looking at that, to me it seems the two equations are checking exactly the same, so why is the mentioned at all ?
Lundril (talk) 12:55, 10 July 2019 (UTC)
By multiplying by the cofactor 2^c we are guaranteeing that the result is either in the subgroup of order or the identity. This is a cheap way of preventing someone trying to do something funny and get us into the subgroup of size 2^c.
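The cofactor-clearing effect described in the reply above, worked through for Ed25519 (an added example, not part of the original discussion or of any library). It assumes c = 3 and uses the base point and group order from RFC 8032; the function names are hypothetical.

```python
# Added illustration: why multiplying by the cofactor 2^c (c = 3 for Ed25519)
# lands every curve point in the prime-order subgroup (or on the identity).
p = 2**255 - 19
d = -121665 * pow(121666, p - 2, p) % p                # curve constant quoted in the thread
L = 2**252 + 27742317777372353535851937790883648493    # prime subgroup order (RFC 8032)
IDENTITY = (0, 1)
# Base point B from RFC 8032: y = 4/5, x "positive" (even).
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     4 * pow(5, p - 2, p) % p)
# (sqrt(-1), 0) satisfies -x^2 + y^2 = 1 + d*x^2*y^2 and has order 4.
T4 = (pow(2, (p - 1) // 4, p), 0)

def add(P, Q):
    """Complete affine addition on -x^2 + y^2 = 1 + d*x^2*y^2."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % p, p - 2, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % p, p - 2, p) % p
    return (x3, y3)

def mul(k, P):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def in_prime_subgroup(P):
    return mul(L, P) == IDENTITY

def clear_cofactor(P):
    return mul(8, P)   # 8 = 2^c with c = 3

if __name__ == "__main__":
    mixed = add(B, T4)                                  # B plus a small-order component
    print(in_prime_subgroup(mixed))                     # component survives
    print(in_prime_subgroup(clear_cofactor(mixed)))     # component removed
    print(clear_cofactor(T4) == IDENTITY)               # small-order point collapses
```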
quote the article "but does not completely eliminate it, since high quality random numbers are still needed for key generation.". this does not seem to belong here. key generation is not part of the signing procedure, a key can be generated on another computer, can be generated without a computer (coins), or can be derived from another secret. also it is not specific to the DSA algorithm used. i would delete this sentence from here being not related and not meaningful. 178.21.48.33 ( talk) 12:17, 28 August 2015 (UTC)
Are there still too many primary sources and not enough secondary sources in this article? Everything about the signature scheme, and its instantiation for Ed25519, is supported both by the two original papers describing EdDSA and extending it to more curves, and by the IETF RFC 8032. Is that enough to remove the primary sources warning, or is it also necessary to cite some tertiary Vox-style explainer?
I'm not really clear on why we even need secondary sources for an ‘analysis, evaluation, interpretation, or synthesis of the facts, evidence, concepts, and ideas’ by an author ‘at least one step removed from an event’ for the statement of a mathematical algorithm. None of this is original research—the papers cited are the original research. Other mathematical articles cite primary sources; e.g., the article on Hasse's theorem on elliptic curves cites the original thesis by Artin in which the theorem was first conjectured, and the original paper by Hasse in which the theorem was proven. -- 128.30.60.184 ( talk) 20:03, 31 July 2017 (UTC)
Isn't the pubkey size 64byte (512bit)? Secret keys are 32byte (256bit) — Preceding unsigned comment added by 141.45.12.204 ( talk) 12:49, 6 December 2018 (UTC)
No: The public key is a point on the elliptic curve (Edwards curve for Ed25519). Bernstein stores a point into a byte array by storing the Y-coordinate of the point. A coordinate on this curve has 255 bits (ALMOST 32 byte). Additionally there are two solutions for the X-coordinate: One ODD (least significant bit set) solution and one EVEN (least significant bit cleared) solution. Bernstein calls ODD solutions "negative" and EVEN solutions "positive". To be able to fully decode a binary array into a point on the elliptic curve, you additionally need to know if the X-coordinate is ODD or EVEN; so you need one extra bit. Fortunately the Y-coordinate only uses 255 bits, so you have one extra bit left. This extra bit is used to store if the X-coordinate is ODD (bit set) or EVEN (bit cleared). The result is: You need exactly 32-bytes to store a point which is on the elliptic curve.
The private key encodes: A number (stored as 256 bit number; even if the number is smaller) and a private never revealed secret string, which has also 32-bytes (this secret string is used to generate "random" numbers out of the message to be signed via hashing). So the private key has 64 byte (32 byte number, 32 byte private secret string).
194.25.174.98 (talk) 12:44, 10 July 2019 (UTC)
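The 32-byte point encoding described in the reply above, as an added example (not part of the original discussion and not the reference implementation). It reuses the `d` and `xx` formulas quoted earlier in the thread; the function names are hypothetical, and the sample input is the Ed25519 base point with y = 4/5.

```python
# Added illustration: 255 bits of y plus one parity bit of x in 32 bytes.
p = 2**255 - 19
d = -121665 * pow(121666, p - 2, p) % p      # d = -121665 * inv(121666)
SQRT_M1 = pow(2, (p - 1) // 4, p)            # a square root of -1 mod p

def recover_x(y, sign):
    """Solve -x^2 + y^2 = 1 + d*x^2*y^2 for the x whose low bit equals sign."""
    xx = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p   # xx is x squared
    x = pow(xx, (p + 3) // 8, p)             # candidate root, valid since p = 5 mod 8
    if (x * x - xx) % p != 0:
        x = x * SQRT_M1 % p                  # try the other candidate
    if (x * x - xx) % p != 0:
        raise ValueError("y does not belong to a curve point")
    if x == 0 and sign == 1:
        raise ValueError("x = 0 has no odd ('negative') form")
    return x if x & 1 == sign else p - x

def encode_point(x, y):
    """Little-endian y with the parity of x stored in the top bit."""
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def decode_point(buf):
    if len(buf) != 32:
        raise ValueError("encoded points are exactly 32 bytes")
    n = int.from_bytes(buf, "little")
    sign, y = n >> 255, n & ((1 << 255) - 1)
    if y >= p:
        raise ValueError("non-canonical y coordinate")
    return recover_x(y, sign), y

def on_curve(x, y):
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

if __name__ == "__main__":
    base_y = 4 * pow(5, p - 2, p) % p        # constructed sample input: y = 4/5
    base_x = recover_x(base_y, 0)            # base point uses the even x
    enc = encode_point(base_x, base_y)
    print(enc.hex(), on_curve(*decode_point(enc)))
    # Same y with the odd x: only the top bit of the last byte changes.
    print(encode_point(p - base_x, base_y).hex())
```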
Why are you trying so desperately to confuse end users?????
Like.... https://blog.trailofbits.com/2019/07/08/fuck-rsa/ rsa is not equivalent stop fucking around.
jrabbit05 ( talk) 03:22, 28 September 2019 (UTC)
https://csrc.nist.gov/publications/detail/fips/186/5/final 2A04:4540:6A2C:DE01:E6A0:D55E:6254:DF9F ( talk) 04:53, 4 March 2023 (UTC)