[curves] CryptoNote and equivalent points
Trevor Perrin
trevp at trevp.net
Sun May 21 19:47:22 PDT 2017
On Fri, May 19, 2017 at 7:00 PM, Mike Hamburg <mike at shiftleft.org> wrote:
>
> Right. This is a signature verification, probably Schnorr, so hashing to an odd number might have fixed it.
Maybe. I think I was wrong that hashing the "key image" into the
Schnorr challenge is a fix.
Multiplying the "key image" by cofactor before checking for
double-spending might work (similar to VXEdDSA producing its "VRF"
output).
If anyone understands this algorithm in depth feel free to explain more.
> Decaf does work for Curve25519. It’s in the paper, and Henry+Isis and I have independently implemented it.
>
> In fact, it turns out there are multiple ways to do it for Curve25519 based on the paper, and Henry+Isis and I probably picked different ones (but we haven’t cross-tested yet, so we aren’t sure).
It would be great to see a writeup + performance analysis of the exact
Curve25519 formulas, including conversions from X25519 and Ed25519
public keys into Decaf.
People with complex protocols designed for prime-order groups will
have to weigh Decaf against just tweaking things for the cofactor, or
choosing a different curve, and the relative costs aren't that easy to
figure out.
Trevor
[CryptoNote] https://cryptonote.org/whitepaper.pdf
[Decaf] https://eprint.iacr.org/2015/673.pdf
More information about the Curves
mailing list