[curves] CryptoNote and equivalent points

Trevor Perrin trevp at trevp.net
Sun May 21 19:47:22 PDT 2017


On Fri, May 19, 2017 at 7:00 PM, Mike Hamburg <mike at shiftleft.org> wrote:
>
> Right.  This is a signature verification, probably Schnorr, so hashing to an odd number might have fixed it.

Maybe.  I think I was wrong that hashing the "key image" into the
Schnorr challenge is a fix.

Multiplying the "key image" by cofactor before checking for
double-spending might work (similar to VXEdDSA producing its "VRF"
output).

If anyone understands this algorithm in depth feel free to explain more.


> Decaf does work for Curve25519.  It’s in the paper, and Henry+Isis and I have independently implemented it.
>
> In fact, it turns out there are multiple ways to do it for Curve25519 based on the paper, and Henry+Isis and I probably picked different ones (but we haven’t cross-tested yet, so we aren’t sure).

It would be great to see a writeup + performance analysis of the exact
Curve25519 formulas, including conversions from X25519 and Ed25519
public keys into Decaf.

People with complex protocols designed for prime-order groups will
have to weigh Decaf against just tweaking things for the cofactor, or
choosing a different curve, and the relative costs aren't that easy to
figure out.

Trevor

[CryptoNote] https://cryptonote.org/whitepaper.pdf
[Decaf] https://eprint.iacr.org/2015/673.pdf


More information about the Curves mailing list