ed25519: Scalar multiplication guaranteed to land in prime order subgroup?

Question

ed25519 is defined over curve edwards25519 which has a large prime order subgroup and a small subgroup of order 8.

During key generation, bit clamping is used to derive the private key scalar. In https://eprint.iacr.org/2020/823.pdf, Section 4.2.3, the authors describe the effect of clamping the lower order bits as follows:

Clearing the low bits ensures that the scalar is a multiple of the cofactor. This ensures that the result of applying the scalar to any group element results in an element in the prime order subgroup.

Question: If I read the above correctly, the authors state that for any scalar r and curve point P, the result of P * clamp(r) is guaranteed to be in the prime order subgroup. Why is that?

We have a dupe for this. Let me find it for you. By the way, it is written on the Curve25519 paper. one is here Ed25519 and hierarchical deterministic wallet — kelalaka, Jan 22 '24 at 15:40
This didn't answer it for me, but the following kind of does (albeit not in a very high detail): https://crypto.stackexchange.com/questions/101729/why-such-a-complicated-way-of-cofactor-clearing — mti, Jan 22 '24 at 16:26
The question correctly interprets the quote. Hint: clamp(r) is by construction a multiple of $8$. The full group has order $8\ell$ where $\ell$ is prime. — fgrieu, Jan 22 '24 at 17:35
@fgrieu My question is about understanding why that is the case. Why do we always end up with points in the prime order subgroup when we multiple by the cofactor? How can I see this mathematically? (My group theory foundations aren't the best...) — mti, Jan 23 '24 at 10:56
Why are the lower 3 bits of curve25519/ed25519 secret keys cleared during creation? if you have a multiple of 8 then any low-order element maps to zero. — kelalaka, Jan 23 '24 at 11:54

ed25519: Scalar multiplication guaranteed to land in prime order subgroup?

0 Answers0

Linked