[curves] whitenning optional curve25519 keys
watsonbladd at gmail.com
Mon Sep 14 11:52:47 PDT 2015
On Sep 14, 2015 2:31 PM, "Jeff Burdges" <burdges at gnunet.org> wrote:
> I noticed a minor traffic whitenning issue in the HORNET paper : HORNET
> uses Sphinx packets to build circuits through the mixnet, but the actual
> HORNET packets that travel on those circuits use a different header.
> This begs the question : How should I quickly generate a random curve
> 25519 group element such that an observer cannot tell that I'm not
> actually doing a scalar multiplication?
> We want a hash function f that yields a curve25519 group element such
> that :
> (a) if X,Y have uniform distributions, then the resulting distribution
> f(X) is (sufficiently?) indistinguishable from g(Y) * G where g is some
> reasonable hash function that yield curve25519 scalars and G is a base
> (b) f(x) can be computed an order of magnitude faster than g(x) * G. I
> hear a curve25519 DH operation takes about 40x longer than a typical
> sha512 based KDF.
What about Elligator encoding everything?
> Also, is it possible to do this is such a way that f(x) is a safe
> basepoint for future DH operations?
> Curves mailing list
> Curves at moderncrypto.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Curves