5.2.5 Key Generation
5.2.5 Key Generation
The private key is 57 octets (456 bits, corresponding to b) of cryptographically secure random data. See [RFC4086] for a discussion about randomness.
The 57-byte public key is generated by the following steps:
-
Hash the 57-byte private key using SHAKE256(x, 114), storing the digest in a 114-octet large buffer, denoted h. Only the lower 57 bytes are used for generating the public key.
-
Prune the buffer: The two least significant bits of the first octet are cleared, all eight bits the last octet are cleared, and the highest bit of the second to last octet is set.
-
Interpret the buffer as the little-endian integer, forming a secret scalar s. Perform a known-base-point scalar multiplication [s]B.
-
The public key A is the encoding of the point [s]B. First encode the y-coordinate (in the range 0 <= y < p) as a little-endian string of 57 octets. The most significant bit of the final octet is always zero. To form the encoding of the point [s]B, copy the least significant bit of the x coordinate to the most significant bit of the final octet. The result is the public key.