[curves] Ed25519 "clamping" and its effect on hierarchical key derivation
Henry de Valence
hdevalence at hdevalence.ca
Wed Mar 29 14:30:55 PDT 2017
On Tue, Mar 28, 2017 at 05:25:00PM -0700, Trevor Perrin wrote:
> Anyways, Henry suggested another way of dealing with the
> small-subgroup risk: Convert the scalar to a representative equivalent
> to the original scalar (mod subgroup order), but zero (mod cofactor).
> I could imagine that being useful in some protocols. But for
> hierarchical key derivation, where you're deriving a new scalar
> anyways, I'm not sure this has advantages versus multiplying by the
> cofactor?
My understanding is that in the HKD context, people want to view scalars as
elements of Z/lZ so that they can do arithmetic on them. The point of a safe
representative is that you're not really "converting" anything, you're just
choosing a different representative of the same equivalence class. From the
point of view of the basepoint and the subgroup, it's exactly the same scalar.
So the advantage is that you can view scalars as elements of Z/lZ, and
then just choose a safe representative whenever you want to use one.
This seems simpler than multiplying by the cofactor, which has to be done in Z,
not Z/lZ, and therefore requires thinking about which operations are done
modulo l and which aren't.
Henry
P.S.: To be clear, the idea wasn't just mine, it came from a discussion with
Ian, Isis, and George -- although I can be held solely responsible for breaking
the Reply headers (sorry!)
More information about the Curves
mailing list