rrent design and do end up
shipping it before a draft standard undergoes the requisite bikeshedding,
the "running code" aspect of Tor using it in the wild will probably help
the standard converge around whatever you ship. Worked out for Ed25519
itself, anyway.
--
Tony Ar
crypto.org/mail-archive/curves/2017/000862.html
tl;dr: clamp the third highest bit of the root scalar to zero (in addition
to the bits normally clamped in the non-canonical Ed25519 private scalar),
and use 224-bit child scalars.
--
Tony Arcieri
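
An added example, not part of the original message and not the project's code, showing the clamping from the tl;dr and the headroom it leaves for repeatedly adding 224-bit child scalars. Assumptions: the function names, the SHA-512 stand-in for the child derivation, and the multiplication of each child scalar by 8 (so the low three bits stay clear) are not stated in the message.

```python
import hashlib

TOP = 31  # index of the most significant byte of a little-endian scalar

def clamp_root(k: bytes) -> bytes:
    """Standard Ed25519 clamping plus clearing the third-highest bit."""
    if len(k) != 32:
        raise ValueError("expected a 32-byte scalar")
    b = bytearray(k)
    b[0] &= 0b11111000    # clear the low 3 bits (cofactor 8)
    b[TOP] &= 0b01111111  # clear the highest bit (bit 255)
    b[TOP] |= 0b01000000  # set the second-highest bit (bit 254)
    b[TOP] &= 0b11011111  # extra step from the tl;dr: clear bit 253
    return bytes(b)

def is_clamped(scalar: int) -> bool:
    """True if the normally clamped bits still hold their Ed25519 values."""
    return scalar % 8 == 0 and scalar >> 254 == 1

def derive_child(parent: int, seed: bytes) -> int:
    """Add a 224-bit child scalar to the parent (times 8: an assumption)."""
    z = int.from_bytes(hashlib.sha512(seed).digest()[:28], "little")  # 224 bits
    return parent + 8 * z

def max_safe_depth(third_bit_cleared: bool = True) -> int:
    """Worst-case derivation depth before the sum can reach bit 255."""
    root_max = (2**254 + 2**253 - 8) if third_bit_cleared else (2**255 - 8)
    step_max = 8 * (2**224 - 1)  # largest increment per level
    return (2**255 - 1 - root_max) // step_max

def demo():
    # Constructed worst-case input: every bit set before clamping.
    root = int.from_bytes(clamp_root(b"\xff" * 32), "little")
    k = root
    for i in range(1000):
        k = derive_child(k, i.to_bytes(4, "little"))
    return root, k

if __name__ == "__main__":
    root, k = demo()
    print("root clamped:", is_clamped(root), "after 1000 levels:", is_clamped(k))
    print("safe depth with bit 253 cleared:", max_safe_depth(True))
    print("safe depth without it:", max_safe_depth(False))
```
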