[curves] Computing an inverse scalar for Curve25519

Max Skibinsky max at skibinsky.com
Wed May 31 08:13:42 PDT 2017


Thank you for sharing this, Mike. Looks like a great lib; quite a delight to
find both Swift and Rust implementations.

-
max
vault12
<https://vault12.com/>
blog <http://skibinsky.com/>

linkedin <http://bit.ly/max-li>

On Wed, May 31, 2017 at 1:21 AM, Michael Scott <mike.scott at miracl.com>
wrote:

> You might consider using Version 3 of our AMCL library
>
> https://github.com/miracl/amcl
>
> Includes a standard API for ECDSA, which requires the inverse calculation,
> so it should be easy to re-use that code.
>
> It supports multiple elliptic curves (all those mentioned here), and it's
> simple to switch from one curve to another.
>
> Also it's available in Go if that is what you like (and C, Rust, Java,
> Javascript and Swift).
>
>
> Mike Scott
>
>
>
> On Wed, May 31, 2017 at 1:27 AM, Max Skibinsky <max at skibinsky.com> wrote:
>
>> My understanding of SPHINX is that the user is constructing hash(password,
>> hash(password)^device_key) in such a way that the user never sees device_key and
>> the device never sees hash(password). That is achieved by sending
>> hash(password)^p with random p to the device/server, which responds with
>> hash(password)^(p*device_key), and then the user calculates
>> hash(password)^(p*device_key)^(1/p) = hash(password)^device_key to get the
>> final randomized password.
>>
>> Expanding on Alexey's question: which curves/libs currently support
>> calculation of the inverse (1/p) so that it is possible to restore
>> hash(password)^device_key? We ran into this issue exactly while considering
>> adding SPHINX to our crypto relays (which are completely on curve25519).
>>
>> -
>> max
>> vault12
>> <https://vault12.com/>
>> blog <http://skibinsky.com/>
>>
>> linkedin <http://bit.ly/max-li>
>>
>> On Tue, May 30, 2017 at 3:37 PM, Mike Hamburg <mike at shiftleft.org> wrote:
>>
>>> Is it enough to use 8*r and 8*(r^-1 mod q) for this protocol?
>>>
>>> If not, or if you can’t prove it, you could always use my library at
>>>
>>> https://sourceforge.net/projects/ed448goldilocks/
>>>
>>> It gives a prime-order quotient group of Ed448 and Curve25519, and it
>>> implements Elligator and division mod q.
>>>
>>> — Mike
>>>
>>>
>>> On May 30, 2017, at 3:31 PM, Alexey Ermishkin <scratch.net at gmail.com>
>>> wrote:
>>>
>>> Thanks for pointing out my mistakes and a very good explanation. I will
>>> continue to dig deeper.
>>>
>>> _______________________________________________
>>> Curves mailing list
>>> Curves at moderncrypto.org
>>> https://moderncrypto.org/mailman/listinfo/curves
>>>
>>>
>>>
>>>
>>
>>
>
>
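The blinded exchange described in the quoted message (user sends hash(password)^p, device answers hash(password)^(p*device_key), user strips p with 1/p mod q), as an added worked example that is not from any post in this thread and not from the AMCL or Goldilocks libraries mentioned in it. It is pure Python on Ed25519, which shares the order-q prime-order subgroup with Curve25519, so the inverse is taken modulo that q. The point arithmetic, the try-and-increment hash-to-curve, the function names and the sample password and key are all assumptions made for the illustration.

```python
"""Blinded OPRF round trip on Ed25519 in pure Python, showing where the
inverse scalar (1/r mod q) is needed.  Added example, not from the mailing
list or from any library named there.  The scalar multiplication is
variable-time and the hash-to-curve is try-and-increment, so this is for
illustration only, not production use."""
import hashlib
import secrets

# Ed25519 parameters (RFC 8032): field prime, subgroup order q, curve constant d.
P = 2**255 - 19
Q = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, -1, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)

IDENTITY = (0, 1, 1, 0)  # extended coordinates (X, Y, Z, T)


def point_add(p1, p2):
    """Complete addition law for a=-1 twisted Edwards curves (RFC 8032 5.1.4).
    Complete means it also works for doubling and for the identity."""
    x1, y1, z1, t1 = p1
    x2, y2, z2, t2 = p2
    a = (y1 - x1) * (y2 - x2) % P
    b = (y1 + x1) * (y2 + x2) % P
    c = 2 * D * t1 * t2 % P
    dd = 2 * z1 * z2 % P
    e, f, g, h = b - a, dd - c, dd + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)


def scalar_mult(n, pt):
    """Variable-time double-and-add; fine for a demo, not for real passwords."""
    acc = IDENTITY
    while n:
        if n & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        n >>= 1
    return acc


def point_eq(p1, p2):
    x1, y1, z1, _ = p1
    x2, y2, z2, _ = p2
    return (x1 * z2 - x2 * z1) % P == 0 and (y1 * z2 - y2 * z1) % P == 0


def decompress(y, sign):
    """Recover x from y (RFC 8032 5.1.3); returns None if y is not on the curve."""
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        return None
    if x == 0 and sign:
        return None
    if x & 1 != sign:
        x = P - x
    return (x, y, 1, x * y % P)


def hash_to_curve(password):
    """Try-and-increment: hash to a y-coordinate, decompress, clear the cofactor.
    Constructed for the demo; a real SPHINX/OPRF deployment would use a
    constant-time map such as Elligator.  Nobody learns the discrete log of the
    result, which is what makes the device's answer useful as an OPRF."""
    for counter in range(256):
        h = hashlib.sha512(password + bytes([counter])).digest()[:32]
        sign = h[31] >> 7
        y = int.from_bytes(h, "little") & ((1 << 255) - 1)
        if y >= P:
            continue
        pt = decompress(y, sign)
        if pt is None:
            continue
        pt = scalar_mult(8, pt)  # cofactor clearing: land in the order-q subgroup
        if not point_eq(pt, IDENTITY):
            return pt
    raise ValueError("no curve point found")


# The exchange from the thread, in additive notation: hash(password)^p is p*H.

def client_blind(password):
    """User: send r*H(pw) with random r, keep r."""
    r = 1 + secrets.randbelow(Q - 1)
    return r, scalar_mult(r, hash_to_curve(password))


def device_evaluate(device_key, blinded):
    """Device: multiply the blinded point by its key; it never sees H(pw)."""
    return scalar_mult(device_key, blinded)


def client_unblind(r, response):
    """User: remove r with the inverse scalar 1/r mod q, leaving device_key*H(pw)."""
    r_inv = pow(r, -1, Q)  # inverse modulo the subgroup order, not the field prime
    return scalar_mult(r_inv, response)


def oprf(password, device_key):
    r, blinded = client_blind(password)
    return client_unblind(r, device_evaluate(device_key, blinded))


def check_round_trip(password, device_key):
    """True if the blinded exchange yields exactly device_key*H(pw)."""
    expected = scalar_mult(device_key, hash_to_curve(password))
    return point_eq(oprf(password, device_key), expected)
```

The line that answers the question in the thread is `pow(r, -1, Q)`: the inverse is computed modulo the subgroup order q, and it only cancels the blinding because the hashed point was first multiplied by the cofactor 8 and so lies in the order-q subgroup; on a point with a small-order component, r and 1/r mod q would not cancel there. Both loops here are variable-time, which is why a constant-time ladder and a map such as Elligator, as provided by the Goldilocks library mentioned above, are what a real deployment wants.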