Score:1

Should Ed25519 verification multiply by the cofactor?

in flag

The standardization document for Ed25519, RFC 8032, says the following method should be used for verifying Ed25519 signatures:

  1. Check the group equation $[8][S]B = [8]R + [8][k]A'$. It's sufficient, but not required, to instead check $[S]B = R + [k]A'$.

Does that mean that code doing verification should point-multiply both sides by $8 = 2^c$ for cofactor $c$ or should they not? The document and various questions here on CryptoExchange don't really answer whether I as implementer should multiply both sides by $8$ when implementing the standard.

I understand what the number $8$ is; the order of the Ed25519 cyclic group is $8\ell$ for a 253-bit prime $\ell$, and $|B| = \ell$. So $B$ is pre-multiplied by $8$ to make it part of the $\ell$-order subgroup.

kelalaka avatar
in flag
The key point is the [legimate user don't choose such points](https://crypto.stackexchange.com/a/55643/18298)..
kelalaka avatar
in flag
Do we assume the signer as an illegitimate user? What would happen if you see that they use small order? You can control, but not necessary.
Myria avatar
in flag
The public key is trusted, so this would matter only for bad signatures against that public key. Also, that signatures wouldn't be unique (add some $Q$ of order ${2,4,8}$ to $R$ and you get another distinct signature for the same data, without needing to be the original signer. @kelalaka
kelalaka avatar
in flag
yes. 5.1.5 mentions legitimate users. In any case, it is not computing-intensive, you can still check for a possible malicious user.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.