[curves] Climbing the elliptic learning curve (was: Re: Finalizing XEdDSA)
    Trevor Perrin 
    trevp at trevp.net
       
    Tue Nov  1 14:40:07 PDT 2016
    
    
  
Nothing wrong with asking about complex topics.  Whether people have
time to answer is another question.  With respect to cofactor, it's a
concept that's explained in typical elliptic curve crypto texts and
standards.
It would be be great if there were better surveys on modern ECC and
engineering issues.  If someone wanted to suggest a reading list /
bibliography that would be a nice contribution (but also a bunch of
work).
Trevor
On Tue, Nov 1, 2016 at 2:09 PM, Ron Garret <ron at flownet.com> wrote:
> Thanks Trevor, but I think I may not have made myself clear.  I’m not really asking about cofactors per se here.  I’m just using them as an illustrative example.  What I’m really asking about is whether I’m asking questions that are appropriate for the Curves list, or if I need to go back and do some more homework and if so, what that homework is.  The fact that you originally answered me off-list seemed to indicate that the latter might be the case.  A lot of the discussion here is still over my head, and I really don’t want to wear out my welcome by asking too many stupid questions.
>
> Notwithstanding the above, thanks for these pointers!  They look like very interesting reading.
>
> On Nov 1, 2016, at 1:35 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
>> Hi Ron,
>>
>> Here's a few references that discuss cofactors in signature verification:
>>
>> https://ed25519.cr.yp.to/eddsa-20150704.pdf (cofactor = 2^c)
>> https://cr.yp.to/badbatch/badbatch-20120919.pdf
>>
>> "Costs of cofactor > 1"
>> https://moderncrypto.org/mail-archive/curves/2014/
>>
>> Trevor
>>
>>
>> On Tue, Nov 1, 2016 at 12:20 PM, Ron Garret <ron at flownet.com> wrote:
>>>
>>> So let me hard-fork this thread and ask a followup meta-question:  The fact that 8 was the cofactor of the curve is apparently something most (if not all) people on this list already knew.  But how?  Neither the Ed25519 paper nor the Curve25519 paper mentions it (AFAICT).
>>
>>
>> Trevor
>
    
    
More information about the Curves
mailing list