[curves] Another try at point compression

Michael Hamburg mike at shiftleft.org
Mon Dec 22 17:40:57 PST 2014

> On Dec 22, 2014, at 5:07 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> No, this is the same sort of ‘hazard elimination’ that Dr. Bernstein
> has been advocating (and implementing), e.g. with Curve25519 ECDH.

That’s the idea, though obviously the added complexity hurts.

> It's too bad that this point format will require cofactor 4 (although
> there are good mathematical reasons for that) -- that either makes key
> generation more complicated or decreases the secret key length by an
> extra bit (regardless of the field).

I don’t understand this point.  Why does cofactor 4 make key generation more complicated?

> Any implementation of signing
> would already need to reduce scalars modulo the group order (in order
> to compute s), so that bit of extra complexity won't hurt signature
> software, but it sucks for ECDH.  Curve25519 remains better for ECDH.

I also don’t understand this statement.  Is this assuming that the fancy point format is only odd-ladderable with the Montgomery ladder?  (Which it might be…)

— Mike