[curves] Unifying public key formats
Trevor Perrin
trevp at trevp.net
Wed Jan 21 12:56:56 PST 2015
On Wed, Jan 21, 2015 at 10:29 AM, Trevor Perrin <trevp at trevp.net> wrote:
>
> D) DH-type keys everywhere
> All public keys omit the sign bit (Montgomery x public keys are used
> for everything). For signatures, the sign bit is included as part of
> the signature (Robert Ransom suggested this, and TextSecure is using
> it). This means a very slight reduction in security, as each party
> essentially has two signature keys, rather than one, so an attacker
> could try to forge a signature against either of these keys.
Another way to do this - instead of "Ransom's trick" there's "Jivsov's
trick" where the private key is adjusted - if necessary - to always
make the sign bit 0:
https://datatracker.ietf.org/doc/draft-jivsov-ecc-compact
Trevor
More information about the Curves
mailing list