[curves] Unifying public key formats

Trevor Perrin trevp at trevp.net
Wed Jan 21 18:02:25 PST 2015


On Wed, Jan 21, 2015 at 3:07 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> On 1/21/15, Trevor Perrin <trevp at trevp.net> wrote:
>
>> C) Full-format keys everywhere
>> All public keys include the sign bit, so this is a true "unified
>> format".  [...] Montgomery-ladder-only implementation will require
>> an extra inversion, so key generation would be slowed by ~10%.
>
> It's not an extra inversion -- remember that inversions can easily be
> batched using 'Montgomery's trick'.

Good point, and Jivsov also described this [1].

So the Montgomery ladder function could be modified to recover the
Edwards x sign bit at very low cost.

Would you prefer this for a unified format, instead of using a
single-coordinate format with the sign bit implied as zero (Jivsov) or
encoded into signatures (your idea)?

Trevor


[1] http://www.ietf.org/mail-archive/web/cfrg/current/msg05113.html


More information about the Curves mailing list