[curves] Unifying public key formats

Robert Ransom rransom.8774 at gmail.com
Mon Jan 19 17:49:53 PST 2015


On 1/19/15, Trevor Perrin <trevp at trevp.net> wrote:

>  - Full-format keys decode to Edwards coordinates in about the same
> efficiency as compressed Edwards format.
>
> I'll try a quick writeup of the last point, based on equations Mike
> showed me.  Robert Ransom also explained this in [3]; below will be a
> more simplified explanation.

Actually, the formulas that I posted in that message are for unpacking
to projective coordinates in Edwards form.  You're decoding to affine,
like Andrey Jivsov did in
<http://www.ietf.org/mail-archive/web/cfrg/current/msg05113.html>
(also with help from Mike Hamburg).

I'm reluctant to use the formulas that convert directly to affine
Edwards form because those (as far as I can tell) have exceptional
cases.  I verified that my formulas for unpacking to projective form
do not produce the invalid point.


(This is also the reason to use the sign bit of the Edwards-form x
coordinate, not the Montgomery-form y coordinate -- see
<http://www.ietf.org/mail-archive/web/tls/current/msg11189.html>.  I'm
no longer convinced that all implementations which use the sign bit
internally will use Edwards form, but I don't expect the exceptional
case to be as serious a problem for implementations which convert to
Montgomery-form y, and there may be a way to recover Edwards-form x
after the Montgomery ladder without going through Montgomery-form y as
well.)


Robert Ransom


More information about the Curves mailing list