Assuming you are talking about the Renes–Costello–Batina formulas, they're complete, but not necessarily efficient. According to , optimized short Weierstrass with the complete formulas is still 1.5 to 3 times slower than Curve25519. I imagine the numbers won't be much better for Edwards25519, either. There's definitely a ton of potential for a better complete addition formula on Weierstrass still left.
> Ristretto is nice but so terribly complex
Ristretto is nice, terribly complex, and you don't actually need to care about the conceptual complexity. As an implementer, your only job is to execute the explicit formulas in section 5 of the Ristretto website. You do not have to be able to follow the hard math (just how you do not have to be able to follow the hard math involved in making the explicit formulas). Plus the entire thing can be trivially constant-time given a constant-time selection primitive and constant-time field arithmetic. It's not that much more difficult than doing regular point compression on your own.
 Peter Schwabe, Daan Sprenkels. The complete cost of cofactor h=1 (published in INDOCRYPT19), https://eprint.iacr.org/2019/1166.pdf
I don't think one should blindly follow an instruction without understanding why in any fields, let alone in crypto where a small, subtle difference can make or break it. Also, understanding crypto requires less math than inventing (and attacking) crypto, so it takes some effort, but it's doable even for hobbyists. If the math makes one uncomfortable, maybe one shouldn't try to roll their own crypto for production use in the first place.
Case in point: the author of this article that we're commenting on made a deadly mistake because they did not understand the math behind point conversion between Ed25519 and Curve25519 .
Below I also point out a mistake in their claim about malleability in EdDSA.
By the way, since you seem to work on Wycheproof: would you take a look at my pull request? The EdDSA test vectors would have saved me (and my users), but the front page didn't mention them, so I didn't know they even existed for over a year. I initially believed you were concentrating on other, even more error prone, primitives.
Others might be in my position: letting bugs through because they think Whycheproof is not relevant to their project. A pity, considering how amazing Whycheproof is (I'm now systematically integrating any new test vector I learn about).
But many smart people made many such mistakes in the past. If we gatekeep it to much then we won't have anyone left to implement crypto.
I said if one isn't comfortable with the math, maybe don't try to roll one's own crypto and advertise or use it as production-grade crypto.
Crypto is deep. You can get involved at the levels you feel comfortable with.
First, some Maverick is going to ignore what everyone says and implement crypto for serious applications. Like yours truly.
Second, I've seen it go a bit too far when I implemented Argon2i: there was a discrepancy between the specs and the reference implementations, and the authors haven't corrected the specs. I figured this was because not enough independent implementers bugged them about that. (Now, 3 years later, the specs still aren't fixed, so maybe the authors are really really busy. At least but the issue is still open: https://github.com/P-H-C/phc-winner-argon2/issues/183 )
There were always more efficient formats (binary curves, extension fields) but they never caught on, so efficiency isn't everything.
From a cursory reading, shouldn't that paper compare timings with a Ristretto implementation? The overhead may be small but must be measured for a fair comparison.
It's good to know that implementing Ristretto is much easier than understanding it - that website is very intimidating ;) I need to study it more.
Wish ristretto folks added the library to their website though.
This is not the only motivating factor for curve25519. There is also: that montgomery curves work well with the montgomery ladder, which is easy to use in constant time, and that any 32-byte string is a valid public key for ECDH.
> Now we are stuck with all these cofactor issues.
They are not a major problem for ECDH. If you are doing only ECDH and don't care about group structure, you can simply use the existing clamping mitigations.
The point of ristretto, and its precursor/similar project decaf, is to preserve group structure while using these curves, and also eliminating small subgroups.
You can also have Montgomery ladder an a 32-byte encoding with Weierstrass curve, even though it would be slower.
> The point of ristretto, and its precursor/similar project decaf, is to preserve group structure while using these curves, and also eliminating small subgroups.
Exactly. Because we are stuck with all these cofactor issues. Not to mention how clamping also "contaminated" EdDSA.
I kind of hope they'll also add ristretto448 since RFC 7748 and 8032 include X448/Ed448, so that the draft has feature parity (and covers the h = 4 case properly).
> 1 = 12 + 33 = 4.3 + 11.3
> 1 = 12 + 33 = 1.3 + 11.3
Neat read :) learned a bit!
>There are several ways to sign a document with EdDSA, and produce a valid signature. The three sources of malleability are:
>We can add a multiple of L (the order of the prime subgroup) to s. Recall that B has order L as well, so it will absorb any cofactor. Basically everything happens modulo L, so adding L won't change a thing.
This is prevented in RFC 8032 by checking that 0 <= s < L. Tink  does this check, and therefore is malleability free.
>We can sign the same message with a different nonce r. This requires knowledge of the secret key a.
This proves that the signature of a message is not unique -- that is the signer can product multiple signatures -- but I haven't seen anyone calling this a malleability issue. Malleability is about taking a triple (public key, signature message) and tweaking bits to produce another valid triple.
>We can add a low order point to A, and subtract it from R. That way we produce a valid signature, but from a public key nobody vouches for. If the verifier checks the weaker equation, we can add a low order point to just R, and produce a "valid" signature with the same public key.
This is the second time I saw this claim. When I first saw it , I thought, wait, this test is missing in Wycheproof , but Bleichenbacher does NOT miss anything. That's when I knew it's wrong.
Modifying A or R instantly makes the signature invalid. Using the article's notation, the signature is validated by checking that
B.s.8 == R.8 + A.h.8, where h = SHA-512(R, A, M) and M is the message
Multiplying the cofactor or not doesn't matter, doesn't introduce any weakness, as implied by the article. If R or A is changed, h will change.
 https://github.com/google/wycheproof. Wycheproof has tests for EdDSA malleability, but it only tests if s is not properly range checked.
This is like claiming Weierstrass curves don't have any problems if you follow the NIST/SECG standards. The whole point of the "SafeCurves" it to be easier to get them right, but you can still get them wrong.
You seem to think they should have. May I ask why?
It is, but some libraries do not perform this check. Including TweetNaCl if I recall correctly.
> Modifying A or R instantly makes the signature invalid.
I was talking about modifying them together. Here's what I claim:
B.s = R + A.h
B.s = R + A.h + P - P
B.s =(R + P) + (A.h - P)
> Multiplying the cofactor or not doesn't matter
Perhaps I went over this a bit to fast. Recall that for any low order point P, P.8 = zero. Once you accept this fact, the rest follows pretty smoothly:
B.s = R + A.h
B.s.8 = (R + A.h).8
B.s.8 = R.8 + A.h.8
B.s.8 = R.8 + A.h.8 + zero
B.s.8 = R.8 + A.h.8 + P.8
B.s.8 = (R+P).8 + A.h.8
I'll add this explanation in the article, thanks for the feedback.
I'm not sure why TweetNaCl is even considered a serious crypto library. I guess that it can fit in tweets, but this is an optimization that is at best irrelevant at worst a bad software engineering practice.
Re malleability: instead of just thinking about this issue in an abstract way, I recommend writing an exploit. For example, Tink doesn't check R or A at all, try to see if you can produce a new signature from an existing one by modifying R or A as you said.
Challenge accepted! Hmm, doesn't work. Let me think a bit more abou— <facepalm>
Of course: I totally forgot that h is a hash of R and A, not just the message. So if I change them in any way, h's main factor will change unpredictably, and the signature will fail. Looks like the only malleability left is `s`, and that has nothing to do with the cofactor. Let's take the whole section down.
Lesson learned: I should test my writings like I test my code.
If I may, you should have lead with "If R or A is changed, h will change." I let myself get worked up by your first comment¹, and failed to notice the single most important sentence near the bottom. I ended up having to reach the same conclusion independently. I almost missed my error.
: You didn't address me directly, and you didn't start with my error. Regardless of your intentions, that felt mildly confrontational. Being nicer would have been more effective.
Probably because its authors are all big-name people and their paper says:
> We have placed TweetNaCl into the public domain, and we encourage applications to make use of it.