Closed diamondduck closed 4 years ago
crypto_scalarmult_ed25519_base() clamps the scalar (clears the 3 lower bits, sets the high bit) before performing the multiplication.
Use crypto_scalarmult_ed25519_base_noclamp() to prevent this.
Or, even better, use the Ristretto group instead.
Hello, I am trying to implement a simple cryptographic primitive in C++.
With the following code: given sa, sk, hn, I want to compute sb such that sgG = (sb + sk . hn)G.
However, after finding sb, the following equality does not hold: sb*G + (sk.hn)G = saG.
My understanding is that arithmetic in the exponent is modulo 2^255-19 instead of L.
However, I have a few questions relating to the implementation:
Why does the scalar have to be chosen from [0, L], where L is the order of the subgroup?
Is there a "helper" function that multiplies two large scalars without reducing modulo L?
I posted my question on StackOverflow along with simple code.
https://stackoverflow.com/questions/60156577/basic-group-arithmetic-in-libsodium
Can someone help me with this simple calculation?
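To make the maintainer's point concrete for the equation in the question, here is an added pure-Python example (not libsodium's code and not from the original thread). It implements Ed25519 point arithmetic in affine coordinates, reproduces the clamping that crypto_scalarmult_ed25519_base() applies, and shows that sb*G + (sk*hn)*G = sa*G holds when scalars are reduced mod L and left unclamped, but fails once each scalar is clamped. The sample scalar values are constructed.

```python
# Added example: Ed25519 in affine coordinates (slow, but easy to read) to show
# why clamping breaks the linear relation sb*G + (sk*hn)*G = sa*G.
p = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of the prime-order subgroup
d = (-121665 * pow(121666, p - 2, p)) % p              # curve constant: -121665/121666
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
IDENTITY = (0, 1)

def add(P, Q):
    """Twisted Edwards addition with a = -1 (x, y affine)."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p) % p
    return (x3, y3)

def mul(k, P):
    """Double-and-add scalar multiplication k*P (no clamping, no reduction)."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def clamp(s):
    """What crypto_scalarmult_ed25519_base() does to its 32-byte little-endian scalar:
    clear the 3 lowest bits, clear bit 255, set bit 254."""
    b = bytearray(s.to_bytes(32, "little"))
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")

def relation_holds(sa, sk, hn, clamped):
    """Pick sb so that sa = sb + sk*hn (mod L), then check sb*G + (sk*hn)*G == sa*G.
    With clamped=True every scalar is clamped first, as the libsodium API does."""
    sb = (sa - sk * hn) % L                 # solve for sb in the scalar group Z_L
    f = clamp if clamped else (lambda s: s)
    lhs = add(mul(f(sb), G), mul(f(sk * hn % L), G))
    rhs = mul(f(sa), G)
    return lhs == rhs

if __name__ == "__main__":
    sa, sk, hn = 123456789, 987654321, 42   # constructed sample scalars
    print("noclamp:", relation_holds(sa, sk, hn, clamped=False))   # True
    print("clamped:", relation_holds(sa, sk, hn, clamped=True))    # False
```

The unclamped branch corresponds to crypto_scalarmult_ed25519_base_noclamp() with scalars kept in [0, L); the clamped branch shows why the original equality check fails.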