[curves] Torsion-safe representatives (was: Ed25519 "clamping" and its effect on hierarchical key derivation)
Oleg Andreev
oleganza at gmail.com
Mon Mar 27 13:00:49 PDT 2017
>> I have a lame question, though. You mention that `a*B = a'*B` holds
>> for the base point. But is it also true for any point in the B's
>> subgroup? The reason I ask is that I need to have not just regular
>> EdDSA signatures, but also DLEQs (discrete log equality proofs) with
>> random generator points.
>
> Yes. Proof: If P is a point in B's subgroup, then P = p*B for some
> scalar p. Thus
>
> a*P = a*p*B = p*a*B = p*a'*B = a'*p*B = a'*P,
>
> since multiplication of scalars is associative with multiplication of
> curve points, and multiplication of scalars is commutative.
Oh, thanks for pointing this out to me! That was a lame question indeed :)
More information about the Curves
mailing list