[curves] whitening optional curve25519 keys

Jeff Burdges burdges at gnunet.org
Mon Sep 14 11:31:33 PDT 2015

I noticed a minor traffic whitening issue in the HORNET paper: HORNET
uses Sphinx packets to build circuits through the mixnet, but the actual
HORNET packets that travel on those circuits use a different header.  

This begs the question: How should I quickly generate a random
curve25519 group element such that an observer cannot tell that I'm not
actually doing a scalar multiplication?

We want a hash function f that yields a curve25519 group element such
that:
(a) if X,Y have uniform distributions, then the resulting distribution
f(X) is (sufficiently?) indistinguishable from g(Y) * G where g is some
reasonable hash function that yields curve25519 scalars and G is a base
(b) f(x) can be computed an order of magnitude faster than g(x) * G.  I
hear a curve25519 DH operation takes about 40x longer than a typical
sha512 based KDF.

Also, is it possible to do this in such a way that f(x) is a safe
basepoint for future DH operations? 


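The check that property (a) has to survive, as an added example that is not part of the original message: g(Y) * G is always the u-coordinate of a point on curve25519, while raw random bits used as f(X) land on the curve only about half the time (the rest are on the twist). The function names and the seeded sample inputs are constructed for illustration.

```python
import random

P = 2**255 - 19      # field prime
A = 486662           # curve25519: v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4   # ladder constant 121665 (RFC 7748)

def x25519_base(k):
    """u-coordinate of clamp(k)*G, G = base point u=9 (RFC 7748 ladder).
    Demonstration only: not constant time."""
    k = (k & ((1 << 255) - 8)) | (1 << 254)   # RFC 7748 scalar clamping
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def on_curve(u):
    """True if u is the u-coordinate of a curve point (else it is on the twist)."""
    rhs = (u * u * u + A * u * u + u) % P
    return pow(rhs, (P - 1) // 2, P) in (0, 1)   # Euler's criterion

def fraction_on_curve(us):
    return sum(on_curve(u) for u in us) / len(us)

def sample(n, seed=1):
    """Constructed inputs from a seeded PRNG (reproducible, not for real keys)."""
    rng = random.Random(seed)
    real = [x25519_base(rng.getrandbits(256)) for _ in range(n)]   # g(Y) * G
    naive = [rng.getrandbits(255) for _ in range(n)]               # raw random bits
    return real, naive

if __name__ == "__main__":
    real, naive = sample(200)
    print("scalar multiples on curve:", fraction_on_curve(real))
    print("raw random bits on curve: ", fraction_on_curve(naive))
```

Each observed value fails this test with probability about 1/2 when it is raw random bits, so any candidate f has to output an on-curve u-coordinate every time before the finer distribution question in (a) even arises.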