[curves] Torsion-safe representatives (was: Ed25519 "clamping" and its effect on hierarchical key derivation)

Taylor R Campbell campbell+moderncrypto-curves at mumble.net
Mon Mar 27 12:32:54 PDT 2017


> Date: Mon, 27 Mar 2017 11:04:40 -0700
> From: Oleg Andreev <oleganza at gmail.com>
> 
> I have a lame question, though. You mention that `a*B = a'*B` holds
> for the base point. But is it also true for any point in the B's
> subgroup? The reason I ask is that I need to have not just regular
> EdDSA signatures, but also DLEQs (discrete log equality proofs) with
> random generator points.

Yes.  Proof: If P is a point in B's subgroup, then P = p*B for some
scalar p.  Thus

   a*P = a*p*B = p*a*B = p*a'*B = a'*p*B = a'*P,

since multiplication of scalars is associative with multiplication of
curve points, and multiplication of scalars is commutative.


More information about the Curves mailing list