[curves] Another try at point compression
Michael Hamburg
mike at shiftleft.org
Mon Dec 22 17:40:57 PST 2014
> On Dec 22, 2014, at 5:07 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
>
> No, this is the same sort of ‘hazard elimination’ that Dr. Bernstein
> has been advocating (and implementing), e.g. with Curve25519 ECDH.
That’s the idea, though obviously the added complexity hurts.
> It's too bad that this point format will require cofactor 4 (although
> there are good mathematical reasons for that) -- that either makes key
> generation more complicated or decreases the secret key length by an
> extra bit (regardless of the field).
I don’t understand this point. Why does cofactor 4 make key generation more complicated?
> Any implementation of signing
> would already need to reduce scalars modulo the group order (in order
> to compute s), so that bit of extra complexity won't hurt signature
> software, but it sucks for ECDH. Curve25519 remains better for ECDH.
I also don’t understand this statement. Is this assuming that the fancy point format is only odd-ladderable with the Montgomery ladder? (Which it might be…)
Cheers,
— Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20141222/78959e52/attachment.html>
More information about the Curves
mailing list