[curves] Unifying public key formats
trevp at trevp.net
Wed Jan 21 18:44:32 PST 2015
On Wed, Jan 21, 2015 at 4:09 PM, Paul Lambert <paul at marvell.com> wrote:
> On 1/21/15, 6:02 PM, "Trevor Perrin" <trevp at trevp.net> wrote:
>>So the Montgomery ladder function could be modified to recover the
>>Edwards x sign bit at very low cost.
>>Would you prefer this for a unified format, instead of using a
>>single-coordinate format with the sign bit implied as zero (Jivsov)
> Š no extra bits, no leaks, shorter, etc., sounds like a good idea.
> So how is the bit implied?
Generate a keypair and calculate the sign bit, e.g. as explained
above. If the sign bit is one instead of zero, negate the private
scalar. Now the sign bit is always zero.
>>encoded into signatures (your idea)?
> Also a cute trick .. But makes you modify the signature algorithm based on
> the received point format (not everyone would be Œuniversal¹)
That's easy, though: if your public-key format doesn't include the
sign bit, just copy it from the signature, then run existing
signature-verify code. For example, in Ed25519:
Anyways, I like the Jivsov and Ransom approaches to single-coordinate
public keys for signatures, but I'm not sure they'll work for all
More information about the Curves