[curves] Prime order curves vs Decaf
trevp at trevp.net
Wed May 31 20:41:36 PDT 2017
On Thu, Jun 1, 2017 at 3:27 AM, Tony Arcieri <bascule at gmail.com> wrote:
> It seems like Decaf provides a strategic mitigation for these sorts of
> attacks, as opposed for the
> always-multiply-by-the-cofactor-and-check-for-identity tactical response
> suggested by Monero's developers:
A small point: that link doesn't suggest to
It suggests to multiply by *SUBGROUP ORDER* and reject if *NOT*
identity, which is different.
(Multiplying the key image by cofactor might be a different fix).
Otherwise good questions, I'm curious about people's thoughts too.
More information about the Curves