Andy Isaacson
2017-04-16 23:33:14 UTC
I'm happy to announce that a spec for the "XEd25519" signature
algorithm used in Signal is available at [1].
Feedback is welcome, ...
Thanks for all your work on this, Trevor.
Is the source markup for this document in git somewhere? I'd put up
pull requests for these suggestions if it were.
Having two different values named A makes the document excessively
confusing to the non-expert. We can avoid some confusion if we rename
one of them, for example keep $A$ for the curve constant and use `Ak`
for the twisted Edwards point representation of the public key. (This
will be somewhat confusing with the `kB` notation used for
multiplication in `calculate_key_pair` so perhaps this also demands
writing multiplication `k * B`, which is unfortunate but perhaps not a
blocker.)
I'd be more comfortable if the pseudocode explicitly called out the
bytes-to-integer and integer-to-bytes conversion that's defined in 2.4;
as it stands, the document can only be read sequentially starting at the
beginning, every time I need to refer to it, because the implicit
conversions are critical to understanding section 3 and xeddsa_verify.
Having one spec defining four different functions (XEd25519, VXEd25519,
XEd448, VXEd448) makes some of the definitions general enough to be hard
for the non-specialist reader to make concrete. I'd have an easier time
understanding XEd25519 in a standalone spec. But there's a tradeoff,
the symmetry in the specs is worth preserving, so maybe this spec should
remain general and once the standards are finalized, a more concrete
implementor's guide can be written.
There aren't any test vectors in the spec, and only one in
curve25519-java/android/jni/ed25519/tests/tests.c that I've found so
far. A few more wouldn't hurt.
It'd also be nice to have fully worked examples, but that definitely
doesn't belong in the spec; I'll see if I can generate an appropriate
document as part of my current project.
-andy
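
The explicit conversions requested above, written out for the Montgomery-to-Edwards public key mapping that XEd25519 verification relies on. This is an added example, not part of the original message or the spec's own pseudocode; `convert_mont` and `u_to_y` follow the spec's definitions, while `bytes_to_int`, `int_to_bytes` and `is_canonical_u` are names chosen here.

```python
# Added example: every bytes<->integer step is spelled out instead of implied.
P = 2**255 - 19      # Curve25519 field prime p
P_BITS = 255         # |p|, the bit length of p


def bytes_to_int(b: bytes) -> int:
    """Little-endian byte string to integer."""
    return int.from_bytes(b, "little")


def int_to_bytes(n: int, length: int = 32) -> bytes:
    """Integer to fixed-length little-endian byte string."""
    return n.to_bytes(length, "little")


def is_canonical_u(u_bytes: bytes) -> bool:
    """Verification rejects a Montgomery u-coordinate that is >= p."""
    return len(u_bytes) == 32 and bytes_to_int(u_bytes) < P


def u_to_y(u: int) -> int:
    """y = (u - 1) / (u + 1) mod p, inverse via Fermat (maps 0 to 0)."""
    return (u - 1) * pow(u + 1, P - 2, P) % P


def convert_mont(u_bytes: bytes) -> bytes:
    """Montgomery u (bytes) to the encoded twisted Edwards public key."""
    if len(u_bytes) != 32:
        raise ValueError("expected a 32-byte u-coordinate")
    u = bytes_to_int(u_bytes)        # explicit bytes -> integer
    u_masked = u % 2**P_BITS         # drop the unused top bit
    y = u_to_y(u_masked)
    # The sign bit is forced to 0. Since y < p < 2^255, the top bit of
    # the last byte is already clear after encoding.
    return int_to_bytes(y)           # explicit integer -> bytes


if __name__ == "__main__":
    # Constructed input: the Curve25519 base point, u = 9.
    print(convert_mont(int_to_bytes(9)).hex())
```

With u = 9 the result is the standard Ed25519 base point encoding, which makes it a convenient first check for an implementation.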