[curves] Computing an inverse scalar for Curve25519

Max Skibinsky max at skibinsky.com
Tue May 30 17:27:38 PDT 2017


My understanding of sphinx is that the user is constructing
*hash(password, hash(password)^device_key)* in such a way that the user never
sees *device_key* and the device never sees *hash(password)*. That is achieved
by sending *hash(password)^p* with random *p* to the device/server, which
responds with *hash(password)^(p*device_key)*, and then the user calculates
*hash(password)^(p*device_key)^1/p = hash(password)^device_key* to get the
final randomized password.

Expanding on Alexey's question: which curves/libs currently support
calculation of the inverse (1/p) so that it is possible to restore
*hash(password)^device_key*? We ran into exactly this issue while considering
adding sphinx to our crypto relays (which are completely on curve25519).

-
max
vault12 <https://vault12.com/>
blog <http://skibinsky.com/>
linkedin <http://bit.ly/max-li>

On Tue, May 30, 2017 at 3:37 PM, Mike Hamburg <mike at shiftleft.org> wrote:

> Is it enough to use 8*r and 8*(r^-1 mod q) for this protocol?
>
> If not, or if you can’t prove it, you could always use my library at
>
> https://sourceforge.net/projects/ed448goldilocks/
>
> It gives a prime-order quotient group of Ed448 and Curve25519, and it
> implements Elligator and division mod q.
>
> — Mike
>
>
> On May 30, 2017, at 3:31 PM, Alexey Ermishkin <scratch.net at gmail.com>
> wrote:
>
> Thanks for pointing out my mistakes and for the very good explanation. I will
> continue to dig deeper.
>
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves
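
The blind / respond / unblind exchange described in the message above, run on Curve25519 with the 8*r and 8*(r^-1 mod q) scalars from the quoted reply, as an added Python example (not code from the thread or from any library named in it). The try-and-increment `hash_to_curve`, the function names and the final SHA-256 step are assumptions for illustration; the ladder is not constant time, and the code shows only that the arithmetic round-trips to [64*device_key]H(password), not that the construction is secure.

```python
import hashlib, secrets

P = 2**255 - 19                                        # Curve25519 field prime
Q = 2**252 + 27742317777372353535851937790883648493   # order q of the prime subgroup
A24 = 121665                                           # (486662 - 2) / 4, as in RFC 7748

def ladder(k, u):
    """u-coordinate of [k]P by Montgomery ladder; k is used as-is (no clamping)."""
    x1, x2, z2, x3, z3 = u % P, 1, 0, u % P, 1
    for i in reversed(range(k.bit_length())):
        bit = (k >> i) & 1
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
    return x2 * pow(z2, P - 2, P) % P                  # 0 encodes the point at infinity

def hash_to_curve(pw):
    """Constructed try-and-increment map (assumption; not Elligator, not constant time)."""
    ctr = 0
    while True:
        u = int.from_bytes(hashlib.sha512(pw + bytes([ctr])).digest(), "little") % P
        rhs = (u * u * u + 486662 * u * u + u) % P
        if pow(rhs, (P - 1) // 2, P) == 1:             # square: u is on the curve, not the twist
            return u
        ctr += 1

def blind(pw):
    r = 1 + secrets.randbelow(Q - 1)                   # random blinding scalar (p in the post)
    return r, ladder(8 * r, hash_to_curve(pw))         # value sent to the device

def device_respond(device_key, blinded_u):
    return ladder(device_key, blinded_u)               # device never sees hash(password)

def unblind(r, response_u):
    r_inv = pow(r, Q - 2, Q)                           # 1/r mod q by Fermat, since q is prime
    return ladder(8 * r_inv, response_u)               # u of [64*device_key]H(password)

def derive(pw, device_key):
    r, alpha = blind(pw)
    beta = device_respond(device_key, alpha)
    return hashlib.sha256(pw + unblind(r, beta).to_bytes(32, "little")).hexdigest()
```

The inverse is taken mod q (the subgroup order), not mod the field prime, and the factor of 8 on each side clears any small-order component; the map rejects twist points because their order is not a multiple of q, so unblinding with 1/r mod q would not round-trip there.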