
The standardization document for Ed25519, RFC 8032, says the following method should be used for verifying Ed25519 signatures:

  1. Check the group equation $[8][S]B = [8]R + [8][k]A'$. It's sufficient, but not required, to instead check $[S]B = R + [k]A'$.

Does that mean that code doing verification should point-multiply both sides by $8 = 2^c$ for cofactor $c$, or should it not? The document and various questions here on CryptoExchange don't really answer whether I, as an implementer, should multiply both sides by $8$ when implementing the standard.

I understand what the number $8$ is; the order of the Ed25519 cyclic group is $8\ell$ for a 253-bit prime $\ell$, and $|B| = \ell$. So $B$ is pre-multiplied by $8$ to make it part of the $\ell$-order subgroup.

Myria
  • Do we assume the signer as an illegitimate user? What would happen if you see that they use small order? You can control, but not necessary. – kelalaka Nov 15 '21 at 23:12
  • The public key is trusted, so this would matter only for bad signatures against that public key. Also, signatures wouldn't be unique (add some $Q$ of order $\{2,4,8\}$ to $R$ and you get another distinct signature for the same data, without needing to be the original signer). @kelalaka – Myria Nov 15 '21 at 23:18
  • Yes. 5.1.5 mentions legitimate users. In any case, it is not computing-intensive; you can still check for a possible malicious user. – kelalaka Nov 15 '21 at 23:22
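The following is an added worked example, not part of the question or its comments, that makes the difference between the two checks in RFC 8032 section 5.1.7 concrete. It is a from-scratch Ed25519 in the layout of the RFC 8032 section 6 reference code (point arithmetic, compression, signing, and a `verify` that takes a `cofactored` flag), plus two constructed helpers: `torsion_point_of_order_8` finds a point $T$ of order $8$ by computing $[\ell]P$ for some curve point $P$, and `cofactor_disagreement` signs constructed messages under a public key $A' = [a]B + T$ whose encoding carries a torsion component and counts which verifier accepts them. The RFC test vector used in checking this code is the one from section 7.1 (TEST 1); the optional `public` parameter of `sign`, the message texts and the helper names are this example's own assumptions.

```python
import hashlib

# edwards25519 parameters (RFC 8032, section 5.1)
p = 2**255 - 19
d = (-121665 * pow(121666, p - 2, p)) % p              # d = -121665/121666 mod p
ell = 2**252 + 27742317777372353535851937790883648493  # prime order of the base point B
sqrt_m1 = pow(2, (p - 1) // 4, p)                      # sqrt(-1) mod p, used by recover_x
O = (0, 1, 1, 0)                                       # neutral element
def sha512(b):
    return hashlib.sha512(b).digest()

# Points use extended coordinates (X, Y, Z, T): x = X/Z, y = Y/Z, x*y = T/Z.
def point_add(P, Q):
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    Bv = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C, D = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p
    E, F, G, H = Bv - A, D - C, D + C, Bv + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)
def point_mul(s, P):  # plain double-and-add; constant time is not a goal here
    Q = O
    while s > 0:
        if s & 1:
            Q = point_add(Q, P)
        P, s = point_add(P, P), s >> 1
    return Q
def point_equal(P, Q):  # x1/z1 == x2/z2 and y1/z1 == y2/z2, without inversions
    return (P[0] * Q[2] - Q[0] * P[2]) % p == 0 and (P[1] * Q[2] - Q[1] * P[2]) % p == 0
def recover_x(y, sign):  # x from y and the sign bit; None if no such point exists
    if y >= p:
        return None
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    if x2 == 0:
        return None if sign else 0
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p != 0:
        x = x * sqrt_m1 % p
    if (x * x - x2) % p != 0:
        return None
    return p - x if (x & 1) != sign else x
def point_compress(P):
    zinv = pow(P[2], p - 2, p)
    x, y = P[0] * zinv % p, P[1] * zinv % p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")
def point_decompress(s):
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = recover_x(y, sign)
    return None if x is None else (x, y, 1, x * y % p)
B_y = 4 * pow(5, p - 2, p) % p
B_x = recover_x(B_y, 0)
B = (B_x, B_y, 1, B_x * B_y % p)
def secret_expand(secret):  # clamped scalar a and the nonce prefix
    h = sha512(secret)
    return (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254), h[32:]
def secret_to_public(secret):
    return point_compress(point_mul(secret_expand(secret)[0], B))

def sign(secret, msg, public=None):
    # `public` defaults to the honest encoding of [a]B; another encoding models a signer whose
    # published key carries a torsion component (constructed scenario used further down).
    a, prefix = secret_expand(secret)
    A = public if public is not None else point_compress(point_mul(a, B))
    r = int.from_bytes(sha512(prefix + msg), "little") % ell
    Rs = point_compress(point_mul(r, B))
    k = int.from_bytes(sha512(Rs + A + msg), "little") % ell
    return Rs + ((r + k * a) % ell).to_bytes(32, "little")

def verify(public, msg, sig, cofactored):
    # cofactored=True checks [8][S]B == [8]R + [8][k]A', False checks [S]B == R + [k]A'.
    # k is reduced mod ell as in the RFC 8032 section 6 reference code; an implementation that
    # does not reduce k gets a different [k]A' whenever A' has a torsion component.
    A, R = point_decompress(public), point_decompress(sig[:32])
    S = int.from_bytes(sig[32:], "little")
    if A is None or R is None or S >= ell:
        return False
    k = int.from_bytes(sha512(sig[:32] + public + msg), "little") % ell
    lhs, rhs = point_mul(S, B), point_add(R, point_mul(k, A))
    if cofactored:
        lhs, rhs = point_mul(8, lhs), point_mul(8, rhs)
    return point_equal(lhs, rhs)

def torsion_point_of_order_8():
    # Constructed helper: [ell]P strips the prime-order part of any curve point P; keep the
    # first result of exact order 8, i.e. [4]T != O.
    for y in range(2, 200):
        P = point_decompress(y.to_bytes(32, "little"))
        if P is not None:
            T = point_mul(ell, P)
            if not point_equal(point_mul(4, T), O):
                return T

def cofactor_disagreement(secret, n):
    # Sign n constructed messages under A' = [a]B + T with T of order 8 and count acceptances.
    # Cofactored accepts all; cofactorless accepts only when [k]T == O, i.e. when k % 8 == 0.
    T = torsion_point_of_order_8()
    A_mixed = point_compress(point_add(point_mul(secret_expand(secret)[0], B), T))
    cof = nocof = k_div8 = 0
    for i in range(n):
        msg = b"constructed message %d" % i
        sig = sign(secret, msg, A_mixed)
        k = int.from_bytes(sha512(sig[:32] + A_mixed + msg), "little") % ell
        k_div8 += k % 8 == 0
        cof += verify(A_mixed, msg, sig, True)
        nocof += verify(A_mixed, msg, sig, False)
    return cof, nocof, k_div8
```

For honestly generated keys and signatures both checks agree, because $A$ and $R$ then lie in the prime-order subgroup and the factor $8$ changes nothing. They diverge exactly when a torsion component is present: multiplying by $8$ kills it, so the cofactored check accepts every signature produced under $A' = [a]B + T$, while the cofactorless check accepts only the roughly one in eight for which $8 \mid k$. Either choice is permitted by RFC 8032, so the practical point for an implementer is consistency: all verifiers in one system should apply the same equation, and the same reduction of $k$, or they will accept different sets of signatures.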
