[curves] Another try at point compression
Trevor Perrin
trevp at trevp.net
Mon Dec 15 15:36:01 PST 2014
On Sun, Dec 14, 2014 at 3:36 PM, Michael Hamburg <mike at shiftleft.org> wrote:
>
>> On Dec 14, 2014, at 2:14 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> So why is this better than just using the Montgomery x-coordinate,
>> plus the Edwards sign bit, for a "unified format"?
[...]
>
> The main advantage vs Montgomery x + Edwards x sign is that the encoding I’m working on eliminates the cofactor for most practical purposes.
[...]
> Of course, there are significant downsides to the new design, the most important being that it doesn’t work for Curve25519.
So that's cool theoretically, by all means keep discussing.
But practically, I'm not seeing much point. The cofactor is a minor
inconvenience which 25519 adopters are already living with. Your
encoding doesn't work for 25519, and even if it did, I doubt this is
worth breaking compatibility for.
A new "extra strength" curve will probably end up co-existing with
25519 as a pair of "regular strength" / "extra strength" options. In
that case, the system already has to account for the cofactor, so
providing extra or different features in the encoding isn't helpful.
I'd be more interested in seeing you align the Goldilocks encoding
with 25519, as far as possible, so it would be easy to provide both
curves as options.
Trevor
More information about the Curves
mailing list