[curves] Unifying public key formats
Robert Ransom
rransom.8774 at gmail.com
Mon Jan 19 17:49:53 PST 2015
On 1/19/15, Trevor Perrin <trevp at trevp.net> wrote:
> - Full-format keys decode to Edwards coordinates in about the same
> efficiency as compressed Edwards format.
>
> I'll try a quick writeup of the last point, based on equations Mike
> showed me. Robert Ransom also explained this in [3]; below will be a
> more simplified explanation.
Actually, the formulas that I posted in that message are for unpacking
to projective coordinates in Edwards form. You're decoding to affine,
like Andrey Jivsov did in
<http://www.ietf.org/mail-archive/web/cfrg/current/msg05113.html>
(also with help from Mike Hamburg).
I'm reluctant to use the formulas that convert directly to affine
Edwards form because those (as far as I can tell) have exceptional
cases. I verified that my formulas for unpacking to projective form
do not produce the invalid point.
(This is also the reason to use the sign bit of the Edwards-form x
coordinate, not the Montgomery-form y coordinate -- see
<http://www.ietf.org/mail-archive/web/tls/current/msg11189.html>. I'm
no longer convinced that all implementations which use the sign bit
internally will use Edwards form, but I don't expect the exceptional
case to be as serious a problem for implementations which convert to
Montgomery-form y, and there may be a way to recover Edwards-form x
after the Montgomery ladder without going through Montgomery-form y as
well.)
Robert Ransom
More information about the Curves
mailing list