[curves] whitenning optional curve25519 keys

Watson Ladd watsonbladd at gmail.com
Mon Sep 14 11:52:47 PDT 2015


On Sep 14, 2015 2:31 PM, "Jeff Burdges" <burdges at gnunet.org> wrote:
>
>
> I noticed a minor traffic whitenning issue in the HORNET paper :  HORNET
> uses Sphinx packets to build circuits through the mixnet, but the actual
> HORNET packets that travel on those circuits use a different header.
>
> This begs the question : How should I quickly generate a random curve
> 25519 group element such that an observer cannot tell that I'm not
> actually doing a scalar multiplication?
>
> We want a hash function f that yields a curve25519 group element such
> that :
> (a) if X,Y have uniform distributions, then the resulting distribution
> f(X) is (sufficiently?) indistinguishable from g(Y) * G where g is some
> reasonable hash function that yield curve25519 scalars and G is a base
> point.
> (b) f(x) can be computed an order of magnitude faster than g(x) * G.  I
> hear a curve25519 DH operation takes about 40x longer than a typical
> sha512 based KDF.

What about Elligator encoding everything?
>
> Also, is it possible to do this is such a way that f(x) is a safe
> basepoint for future DH operations?
>
> Jeff
>
>
>
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20150914/837448dc/attachment.html>


More information about the Curves mailing list