Why are hashing private key in Ed22519 key generation and later the modifications required?

ph flag

In EdDSA with Ed25519 the algorithm of public key computing is following:

h = hash (privateKey)
h[0] &= 0xF8
h[31] &= 0x7F
h[31] |= 0x40
publicKey = h * B

The questions are

  1. Why is Hashing in Ed25519 key generation needed?
  2. Why are the actions on h bits are needed?
  3. What does the clearing relate to the 31st bit?
Кирилл Волков avatar
ph flag
@kelalaka got it, thanks a lot
kelalaka avatar
in flag
Converted those comments into an aswer since the hash part was missing from any answer during my searhes..
in flag
  1. Hashing in EdDSA key generation

    This is addressed in the original paper as

    Legitimate users choose $A = [a]B$, where $a$ is a random secret; the derivation of a from $H(k)$ ensures adequate randomness.

    If you don't apply the hashing, there is no problem on the verification of the signatures of such public keys.

  2. The question is what actions on h bits are needed for?

    This clearly clears the lower bits so that it is a multiple of 8, and this removes the small groups on the curve that this information, although small, can leak in a small-subgroup attack. See more in this answer

  3. The clearing relates to 0th bit and what about 31th?

    This is mainly due to a possible timing attack (in this site)

Stick to the advises and standards; see RFC 8709.


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.