
In EdDSA with Ed25519, the algorithm for computing the public key is the following:

h = hash (privateKey)
h[0] &= 0xF8
h[31] &= 0x7F
h[31] |= 0x40
publicKey = h * B

The questions are

  1. Why is hashing in Ed25519 key generation needed?
  2. Why are the actions on the bits of h needed?
  3. How does the clearing relate to the 31st bit?
kelalaka

1 Answer

  1. Hashing in EdDSA key generation

    This is addressed in the original paper as

    Legitimate users choose $A = [a]B$, where $a$ is a random secret; the derivation of $a$ from $H(k)$ ensures adequate randomness.

    If you don't apply the hashing, there is no problem with the verification of the signatures of such public keys.

  2. What are the actions on the bits of h needed for?

    This clearly clears the lower bits so that it is a multiple of 8, and this removes the small groups on the curve, where this information, although small, can leak in a small-subgroup attack. See more in this answer.

  3. The clearing relates to the 0th bit, and what about the 31st?

    This is mainly due to a possible timing attack (on this site).

Stick to the advice and standards; see RFC 8709.

Glorfindel
kelalaka
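The question's steps carried through in plain Python, as an added example that is not code from the question, the answer or any library. It assumes, as in RFC 8032, that the hash is SHA-512 and that only its first 32 bytes form the scalar; it reproduces RFC 8032 test vector 1 and lets you check that a clamped scalar cancels an order-4 component added to B. The helper names (`clamp`, `mul`, `T4` and so on) are chosen here.

```python
import hashlib

P = 2**255 - 19                                 # field prime
D = -121665 * pow(121666, -1, P) % P            # curve constant d
BY = 4 * pow(5, -1, P) % P                      # y-coordinate of base point B
SQRT_M1 = pow(2, (P - 1) // 4, P)               # a square root of -1 mod P

def recover_x(y, sign):
    """x for a given y on -x^2 + y^2 = 1 + d*x^2*y^2 (RFC 8032 method)."""
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    return x if x & 1 == sign else P - x

B = (recover_x(BY, 0), BY)
T4 = (SQRT_M1, 0)                               # a curve point of order 4

def add(p, q):
    """Complete twisted Edwards addition in affine coordinates."""
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P)

def mul(k, pt):
    """Double-and-add; NOT constant time, for illustration only."""
    acc = (0, 1)                                # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def clamp(seed):
    """Hash the seed, then clear bits 0-2 and 255 and set bit 254."""
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0] &= 0xF8
    h[31] &= 0x7F
    h[31] |= 0x40
    return int.from_bytes(h, "little")

def public_key(seed):
    """Encode [a]B as y (little-endian) with the sign of x in the top bit."""
    x, y = mul(clamp(seed), B)
    return (y | (x & 1) << 255).to_bytes(32, "little")

SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc4"
                     "4449c5697b326919703bac031cae7f60")  # RFC 8032 test 1
```

With `a = clamp(SEED)`, `mul(a, add(B, T4))` equals `mul(a, B)` because `a` is a multiple of 8, while the unclamped scalar `a + 1` gives two different points.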