[curves] Unifying public key formats

Paul Lambert paul at marvell.com
Wed Jan 21 18:09:57 PST 2015



On 1/21/15, 6:02 PM, "Trevor Perrin" <trevp at trevp.net> wrote:

>On Wed, Jan 21, 2015 at 3:07 PM, Robert Ransom <rransom.8774 at gmail.com>
>wrote:
>> On 1/21/15, Trevor Perrin <trevp at trevp.net> wrote:
>>
>>> C) Full-format keys everywhere
>>> All public keys include the sign bit, so this is a true "unified
>>> format".  [...] Montgomery-ladder-only implementation will require
>>> an extra inversion, so key generation would be slowed by ~10%.
>>
>> It's not an extra inversion -- remember that inversions can easily be
>> batched using 'Montgomery's trick'.
>
>Good point, and Jivsov also described this [1].
>
>So the Montgomery ladder function could be modified to recover the
>Edwards x sign bit at very low cost.
>
>Would you prefer this for a unified format, instead of using a
>single-coordinate format with the sign bit implied as zero (Jivsov)

 Š no extra bits, no leaks, shorter, etc., sounds like a good idea.
So how is the bit implied?

>or
>encoded into signatures (your idea)?
Also a cute trick .. But makes you modify the signature algorithm based on
the received point format (not everyone would be Œuniversal¹)

Paul


>
>Trevor
>
>
>[1] http://www.ietf.org/mail-archive/web/cfrg/current/msg05113.html



More information about the Curves mailing list