[curves] Scalar blinding on elliptic curves with special structure

Trevor Perrin trevp at trevp.net
Mon Aug 10 21:52:11 PDT 2015


A new paper by Fluhrer is relevant to the discussion about scalar
blinding with special-prime vs random-prime curves:

http://eprint.iacr.org/2015/801


My earlier impression [1] was that scalar-blinding on 25519 might use
a 128-bit blinding factor, whereas a similar-but-random-prime curve
would use a 64-bit blinding factor, resulting in a slowdown for 25519
of around (256+128)/(256+64) = 1.2.

Fluhrer's paper argues for using the same size blinding factor, but
recoding the digits of the scalar used for windowing into a form where
the group's order "would, at first glance, appear random".  He gives
an example of base-48 digits instead of base-32, and estimates a
slowdown for 25519 of around 1.1.

I don't think this helps implementations that use the Montgomery ladder
(instead of windowing).  Beyond that, I don't have a good sense of how
well this would work, how awkward the encoding would be, or how it
would interact with other scalar encoding methods.

Anyone have a more informed opinion?

Trevor

[1] https://moderncrypto.org/mail-archive/curves/2015/000563.html
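The two things compared above, as an added worked example that is not part of the original post or of Fluhrer's paper: additive scalar blinding k' = k + r*L on Curve25519, run through an x-only Montgomery ladder whose cost is exactly the scalar width (256 bits unblinded, 256+128 with a 128-bit r), and a plain base-b recoding of a scalar that makes the zero run in the base-32 digits of the group order L visible and shows it disappearing in base 48. Function names, the constructed test scalar, the branch-based swap and the use of an unsigned base-b expansion (rather than whatever digit set Fluhrer's scheme uses) are my assumptions.

```python
# Added example (not from the original post or Fluhrer's paper): scalar
# blinding on Curve25519 via an x-only Montgomery ladder, plus base-b
# recoding of the group order. Function names are assumptions.
import secrets

P = 2**255 - 19                      # field prime
A24 = 121665                         # (486662 - 2) / 4 for the ladder step
L = 2**252 + 27742317777372353535851937790883648493   # order of the base point
BASE_U = 9                           # u-coordinate of the Curve25519 base point


def ladder(k, u, nbits=None):
    """x-only Montgomery ladder (RFC 7748 structure), no clamping.

    Walks exactly `nbits` bits, so the work is set by the scalar width the
    caller chooses, not by the scalar's value; blinding adds bits, hence steps.
    """
    if nbits is None:
        nbits = k.bit_length()
    assert k < 1 << nbits
    x1 = u % P
    x2, z2 = 1, 0                    # (X:Z) of the point at infinity
    x3, z3 = x1, 1                   # (X:Z) of the input point
    swap = 0
    for t in range(nbits - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                     # real code uses a constant-time cswap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P      # differential addition
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P             # doubling
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P   # 0 when z2 == 0 (point at infinity)


def x25519(scalar_bytes, u_bytes):
    """X25519 as in RFC 7748: clamp, then a fixed 255-bit ladder."""
    k = bytearray(scalar_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    return ladder(int.from_bytes(k, "little"), u, nbits=255).to_bytes(32, "little")


def blind_scalar(k, blind_bits, rng=secrets.randbits):
    """k' = k + r*L with a fresh r of `blind_bits` bits; k'*B == k*B since L*B = O.

    k' is about 253 + blind_bits wide, and the ladder pays one step per bit.
    """
    return k + rng(blind_bits) * L


def recode(k, base):
    """Unsigned base-`base` digits of k, least significant first."""
    digits = []
    while k:
        k, d = divmod(k, base)
        digits.append(d)
    return digits or [0]


def decode(digits, base):
    k = 0
    for d in reversed(digits):
        k = k * base + d
    return k


def zero_run(digits):
    """Longest run of zero digits: the visible structure of 2^252 + c in base 32."""
    best = cur = 0
    for d in digits:
        cur = cur + 1 if d == 0 else 0
        best = max(best, cur)
    return best


if __name__ == "__main__":
    k = 0x0F2E3D4C5B6A79880123456789ABCDEF0FEDCBA987654321AABBCCDDEEFF0011  # constructed
    print("blinded == plain:", ladder(blind_scalar(k, 128), BASE_U, 384) == ladder(k, BASE_U, 256))
    print("zero run of L, base 32:", zero_run(recode(L, 32)))
    print("zero run of L, base 48:", zero_run(recode(L, 48)))
```

Running it shows the blinded and unblinded ladders agreeing on the same u-coordinate while the blinded one takes 384 steps instead of 256, which is the (256+128)/256 cost the post computes. The base-32 digits of L carry a run of 25 zero digits between the 125-bit constant and the 2^252 term; the base-48 digits of the same number carry no such run, which is the property Fluhrer's recoding relies on. The swap is a Python branch here only to keep the algebra readable; a real implementation swaps in constant time and draws a fresh r for every scalar multiplication.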

