2

In RFC 8032, section 5.1.7, it is prescribed that an Ed25519 signature is verified if

$[8][S]B = [8]R + [8][k]A'.$

The text then says

It's sufficient, but not required, to instead check $[S]B = R + [k]A'.$

What is the point of the first criterion, if the second one also works and is arguably simpler and less computationally expensive, in general?

Community
  • 1
Jay Smith
  • 71
  • 1

1 Answers1

1

If you look at the key generation

  1. Prune the buffer: The lowest three bits of the first octet are cleared, the highest bit of the last octet is cleared, and the second highest bit of the last octet is set.

This used to make sure that the key is not in the small groups, those have order 2,4, and 8.

If you use

$[8][S]B = [8]R + [8][k]A'$.

then if the public key is in a small order, sides will get the identity $\mathcal{O} = [8][S]B$ and you can detect with this. This is key validation.

But, it is not your problem right? Maybe the other side chooses the key deliberately instead of using the recommendation. Then just use $[S]B = R + [k]A'$. but not required. Better check it.

kelalaka
  • 48,443
  • 11
  • 116
  • 196
  • 1
    Thanks. So it would make sense, when importing a public key from some external party, to validate it as described in the link that you provide. After doing so, any verification operations that use a validated public key may use the simpler equality. – Jay Smith Feb 16 '21 at 19:20
  • Yes, if you once validated it then use it. It is more important of the DHKE. In signatures, only someone can try to fool you. – kelalaka Feb 16 '21 at 19:23