# RFC Errata

### RFC 8032, "Edwards-Curve Digital Signature Algorithm (EdDSA)", January 2017

Source of RFC: IRTF
Errata ID: 6306

**Status: Reported
Type: Technical
Publication Format(s) : TEXT**

Reported By: Dmitry Khovratovich

Date Reported: 2020-10-15

Section 5.1.7 says:

Decode the first half as a point R, and the second half as an integer S, in the range 0 <= s < L. Decode the public key A as point A'. If any of the decodings fail (including S being out of range), the signature is invalid. 2. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the 64-octet digest as a little-endian integer k. 3. Check the group equation [8][S]B = [8]R + [8][k]A'. It's sufficient, but not required, to instead check [S]B = R + [k]A'.

It should say:

Decode the first half R as a point R', and the second half as an integer S, in the range 0 <= S < L. Decode the public key A as point A'. If any of the decodings fail (including S being out of range), the signature is invalid. 2. Compute SHA512(dom2(F, C) || R || A || PH(M)), and interpret the 64-octet digest as a little-endian integer k. 3. Check the group equation [8][S]B = [8]R' + [8][k]A'. It's sufficient, but not required, to instead check [S]B = R' + [k]A'.

Notes:

1) public key R' and its encoding R are confused

2) s changed to S (this errata has been reported already)