[curves] Unifying public key formats

Trevor Perrin trevp at trevp.net
Wed Jan 21 12:56:56 PST 2015


On Wed, Jan 21, 2015 at 10:29 AM, Trevor Perrin <trevp at trevp.net> wrote:
>
> D) DH-type keys everywhere
> All public keys omit the sign bit (Montgomery x public keys are used
> for everything).  For signatures, the sign bit is included as part of
> the signature (Robert Ransom suggested this, and TextSecure is using
> it).  This means a very slight reduction in security, as each party
> essentially has two signature keys, rather than one, so an attacker
> could try to forge a signature against either of these keys.

Another way to do this - instead of "Ransom's trick" there's "Jivsov's
trick" where the private key is adjusted - if necessary - to always
make the sign bit 0:

https://datatracker.ietf.org/doc/draft-jivsov-ecc-compact

Trevor


More information about the Curves mailing list