Commit 44b3aa8a authored by Niels Möller's avatar Niels Möller

New Background section

parent 372f2348
......@@ -86,6 +86,39 @@
</section>
<section title="Background">
<t>EdDSA is defined using an elliptic curve over GF(q) of the
form</t>
<t>-x^2 + y^2 = 1 + d x^2 y^2</t>
<t> It is required that q = 1 modulo 4 (which implies that -1
is a square modulo q) and that d is a non-square modulo q. For
Ed25519, the curve used is equivalent to curve25519, under a
change of coordinates, which means that the difficulty of the
discrete logarithm problem is the same as for curve25519.</t>
<t>Points on this curve form a group under addition, (x3, y3) =
(x1, y1) + (x2, y2), with the formulas</t>
<figure>
<artwork>
x1 y2 + x2 y1 y1 y2 + x1 x2
x3 = -------------------, y3 = -------------------
1 + d x1 x2 y1 y2 1 - d x1 x2 y1 y2
</artwork>
</figure>
<t>Unlike may other curves used for cryptographic applications,
these formulas are "strongly unified": they are valid for all
points on the curve, with no exceptions. In particular, the
denominators are non-zero for all input points.
</t>
<t> There are more efficient formulas, which are still strongly
unified, which use homogeneous coordinates to avoid the
expensive modulo q inversions. See <xref
target="Faster-ECC"/> and <xref target="Edwards-revisited"/>.
</t>
</section>
<section anchor="eddsa"
title="EdDSA">
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment