Why does EdDSA use the (SHA-512) hash of the secret key as the exponent for the public key rather than using the secret key value directly? This seems inefficient, and I can't see how it adds any extra security.
Asked
Active
Viewed 869 times
1 Answers
3
Ed25519 needs two secret values:
- The private scalar (~256 bits)
- A hash prefix used derive a secret nonce from the message (256 bits)
Using the same value for these is bad style, as is deriving one of them from the other. You could also use their concatenation as private key, but that'd double its size to 512 bits. So Ed25519 chose the clean solution of deriving both from a 256 bit master secret.
CodesInChaos
- 25,121
- 2
- 90
- 129