[curves] Scalar decomposition for FourQ

Watson Ladd watsonbladd at gmail.com
Sat Mar 25 12:54:30 PDT 2017

On Sat, Mar 25, 2017 at 12:49 PM, Chiraag Juvekar
<chiraag.juvekar at gmail.com> wrote:
> Hi all,
> I had a question about the scalar decompositions in FourQ and I was not sure
> on who to ask. I hope that it is not out of place for this mailing list. I
> wanted to avoid implementing the scalar decomposition logic for a
> low-resource implementation. I was wondering if it is secure to directly
> select the decomposed scalar as 4 random 64-bit numbers when running DH on
> FourQ? I know for example that this is true in the context of \tau-adic
> expansions for Koblitz curves where we can pick a random \tau-NAF directly
> instead of implementing a converter.

For DH this should be fine. It isn't for signatures.

> --
> Chiraag
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves

"Man is born free, but everywhere he is in chains".

More information about the Curves mailing list