Should Ed25519 verification multiply by the cofactor?

Myria

3/15/23, 10:58 PM

The standardization document for Ed25519, RFC 8032, says the following method should be used for verifying Ed25519 signatures:

Check the group equation $[8][S]B = [8]R + [8][k]A'$. It's sufficient, but not required, to instead check $[S]B = R + [k]A'$.

Does that mean that code doing verification should point-multiply both sides by $8 = 2^c$ for cofactor $c$ or should they not? The document and various questions here on CryptoExchange don't really answer whether I as implementer should multiply both sides by $8$ when implementing the standard.

I understand what the number $8$ is; the order of the Ed25519 cyclic group is $8\ell$ for a 253-bit prime $\ell$, and $|B| = \ell$. So $B$ is pre-multiplied by $8$ to make it part of the $\ell$-order subgroup.

0 + 0

signature

ed25519

kelalaka

3/15/23, 11:03 PM

The key point is the [legimate user don't choose such points](https://crypto.stackexchange.com/a/55643/18298)..

kelalaka

3/15/23, 11:12 PM

Do we assume the signer as an illegitimate user? What would happen if you see that they use small order? You can control, but not necessary.

Myria

3/15/23, 11:18 PM

The public key is trusted, so this would matter only for bad signatures against that public key. Also, that signatures wouldn't be unique (add some $Q$ of order ${2,4,8}$ to $R$ and you get another distinct signature for the same data, without needing to be the original signer. @kelalaka

kelalaka

3/15/23, 11:22 PM

yes. 5.1.5 mentions legitimate users. In any case, it is not computing-intensive, you can still check for a possible malicious user.