2022.02.22 11:42:12 (1496072828134772737) from Daniel J. Bernstein, replying to "Elichai Turkel (@Elichai2)" (1495480098622951434):
Within the three important types of implementations listed in Section 4.3 of https://cr.yp.to/newelliptic/nistecc-20160106.pdf, the third type is simplified by the synchronization of various details across X25519 and Ed25519, including scalar choices. Last bit 0 also eliminates a swap line in common code.
2022.02.20 20:26:54 (1495480098622951434) from "Elichai Turkel (@Elichai2)":
#cryptography Twitter, why does ed25519 turns off the 3 least significant bits? Unlike x25519 it doesn't seem to do anything as it's multiplied by the base point which has order L(the prime sub group), not by a potentially malicious point. And the signature arithmetic done mod L.