[curves] Another try at point compression
Trevor Perrin
trevp at trevp.net
Sun Dec 14 14:14:39 PST 2014
On Mon, Dec 8, 2014 at 2:07 PM, Mike Hamburg <mike at shiftleft.org> wrote:
> Hi curves,
>
> Here is another try at a unified point compression system.
So why is this better than just using the Montgomery x-coordinate,
plus the Edwards sign bit, for a "unified format"?
People have a lot of experience and code for dealing with Montgomery x
in the case of Curve25519, so it would make sense to leverage that.
This format can be decompressed into Edwards form with very small
efficiency loss (a few percent). So these public keys could be used
with Ed25519 or similar signature algorithms easily. And for ECDH you
can ignore the bit and just do the Montgomery ladder, so this is of
course very efficient there.
I'm biased because TextSecure essentially does this, but I'm not sold
on the merits of your more complicated encodings yet.
Trevor
More information about the Curves
mailing list