Commit ca70220f authored by Simon Josefsson's avatar Simon Josefsson

fix

parent deab3f68
This diff is collapsed.
......@@ -67,12 +67,15 @@
<t>Does not require the use of a unique random number for each
signature.</t>
<t>Collision resilience, meaning that hash-function collisions
do not break this system.</t>
<t>More resilient to side-channel attacks.</t>
<t>Small public keys (32 bytes) and signatures (64 bytes).</t>
<t>The formulas are "strongly unified", i.e., they are valid
for all points on the curve, with no exceptions.</t>
<t>Collision resilience, meaning that hash-function collisions
do not break this system.</t>
</list></t>
<t>For further background, see the original <xref
......@@ -88,7 +91,7 @@
<t>x^y x multiplied by itself y times</t>
<t>h_i the i'th byte of h</t>
<t>h_i the i'th bit of h</t>
<t>a || b (bit-)string a concatenated with (bit-)string b</t>
......@@ -100,8 +103,8 @@
<t>-x^2 + y^2 = 1 + d x^2 y^2</t>
<t> It is required that q = 1 modulo 4 (which implies that -1
is a square modulo q) and that d is a non-square modulo q. For
<t>It is required that q = 1 modulo 4 (which implies that -1 is
a square modulo q) and that d is a non-square modulo q. For
Ed25519, the curve used is equivalent to curve25519, under a
change of coordinates, which means that the difficulty of the
discrete logarithm problem is the same as for curve25519.</t>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment