[curves] Computing an inverse scalar for Curve25519

Michael Scott mike.scott at miracl.com
Wed May 31 01:21:37 PDT 2017


You might consider using Version 3 of our AMCL library:

https://github.com/miracl/amcl

It includes a standard API for ECDSA, which requires the inverse calculation,
so it should be easy to re-use that code.

It supports multiple elliptic curves (all those mentioned here), and it's
simple to switch from one curve to another.

Also, it's available in Go if that is what you like (and C, Rust, Java,
Javascript and Swift).


Mike Scott



On Wed, May 31, 2017 at 1:27 AM, Max Skibinsky <max at skibinsky.com> wrote:

> My understanding of sphinx is that the user is constructing hash(password,
> hash(password)^device_key) in such a way that the user never sees device_key and
> the device never sees hash(password). That is achieved by sending
> hash(password)^p with random p to the device/server, which responds with
> hash(password)^(p*device_key), and then the user calculates
> hash(password)^(p*device_key)^(1/p) = hash(password)^device_key to get the
> final randomized password.
>
> Expanding on Alexey's question: which curves/libs currently support
> calculation of the inverse (1/p) so that it is possible to restore hash(password)^device_key?
> We ran into this issue exactly while considering adding sphinx to our
> crypto relays (which are completely on curve25519).
>
> -
> max
> vault12 <https://vault12.com/>
> blog <http://skibinsky.com/>
> linkedin <http://bit.ly/max-li>
>
> On Tue, May 30, 2017 at 3:37 PM, Mike Hamburg <mike at shiftleft.org> wrote:
>
>> Is it enough to use 8*r and 8*(r^-1 mod q) for this protocol?
>>
>> If not, or if you can’t prove it, you could always use my library at
>>
>> https://sourceforge.net/projects/ed448goldilocks/
>>
>> It gives a prime-order quotient group of Ed448 and Curve25519, and it
>> implements Elligator and division mod q.
>>
>> — Mike
>>
>>
>> On May 30, 2017, at 3:31 PM, Alexey Ermishkin <scratch.net at gmail.com>
>> wrote:
>>
>> Thanks for pointing out my mistakes and for a very good explanation. I will
>> continue to dig deeper.
>>
>> _______________________________________________
>> Curves mailing list
>> Curves at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/curves
>>
>>
>
>
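Added example (my own code, not from the thread or from AMCL/Goldilocks): the blinded exchange Max describes, run over Curve25519 with Mike Hamburg's 8*r and 8*(r^-1 mod q) scalars on the RFC 7748 u-coordinate ladder, to show what the unblinded value actually is. Assumptions: h stands in for hash(password) and [h]G replaces the hash-to-point step (real SPHINX needs a proper map such as Elligator); the function names are mine.

```python
# Curve25519 field prime, (A-2)/4 for the ladder, and q = order of the base point u = 9.
p25519 = 2**255 - 19
A24 = 121665
q = 2**252 + 27742317777372353535851937790883648493

def x25519_ladder(k, u):
    """RFC 7748 Montgomery ladder over an UNclamped integer scalar k; walks 256 bits
    so that 8*r and 8*(r^-1 mod q) fit.  Returns the u-coordinate of [k]P.
    Illustrative only: Python big ints are not constant time."""
    x1 = u % p25519
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(256)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % p25519, (x2 - z2) % p25519
        aa, bb = a * a % p25519, b * b % p25519
        e = (aa - bb) % p25519
        c, d = (x3 + z3) % p25519, (x3 - z3) % p25519
        da, cb = d * a % p25519, c * b % p25519
        x3, z3 = (da + cb) ** 2 % p25519, x1 * (da - cb) ** 2 % p25519
        x2, z2 = aa * bb % p25519, e * (aa + A24 * e) % p25519
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, p25519 - 2, p25519) % p25519   # 0 for the point at infinity

def inv_mod_q(r):
    """Inverse scalar r^-1 mod q; q is prime, so Fermat's little theorem suffices."""
    return pow(r, q - 2, q)

def sphinx_round(h, k, r):
    """One blinded exchange: the user blinds with 8*r, the device multiplies by its key k,
    the user strips the blind with 8*(r^-1 mod q).  h stands in for hash(password) and
    [h]G for the hash-to-point step (assumption; real SPHINX needs e.g. Elligator).
    Returns (what the device saw, what the user ends up with)."""
    pw_point = x25519_ladder(h, 9)
    blinded = x25519_ladder(8 * r, pw_point)            # user -> device: hash(pw)^p, p = 8r
    response = x25519_ladder(k, blinded)                # device -> user: hash(pw)^(p*device_key)
    output = x25519_ladder(8 * inv_mod_q(r), response)  # user: ^(8/r) removes the blind
    return blinded, output

def expected_output(h, k):
    """Every round lands on [64*k]P, not [k]P: the cofactor 8 is applied twice."""
    return x25519_ladder(64 * k, x25519_ladder(h, 9))
```

The unblinded value is [64k]P rather than [k]P, which is harmless for a deterministic password hash as long as every client applies the same scalars.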