[curves] Prime order curves vs Decaf

Trevor Perrin trevp at trevp.net
Wed May 31 20:41:36 PDT 2017


On Thu, Jun 1, 2017 at 3:27 AM, Tony Arcieri <bascule at gmail.com> wrote:
>
> It seems like Decaf provides a strategic mitigation for these sorts of
> attacks, as opposed to the
> always-multiply-by-the-cofactor-and-check-for-identity tactical response
> suggested by Monero's developers:
>
> https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html

A small point: that link doesn't suggest to
multiply-by-cofactor-and-check-for-identity.

It suggests multiplying by the *SUBGROUP ORDER* and rejecting if *NOT*
identity, which is different.

(Multiplying the key image by cofactor might be a different fix).

Otherwise good questions, I'm curious about people's thoughts too.


Trevor
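The distinction Trevor draws, as an added Python example that is not part of the thread: a plain affine Ed25519 implementation (constructed here, not Monero's or any library's code) with the two checks side by side, applied to the base point B, a small-order point T, and their sum, the kind of torsion-contaminated point that the subgroup-order check rejects and the cofactor check lets through.

```python
p = 2**255 - 19
d = (-121665 * pow(121666, -1, p)) % p
SUBGROUP_ORDER = 2**252 + 27742317777372353535851937790883648493  # prime order l
COFACTOR = 8
IDENTITY = (0, 1)

def add(P, Q):
    # Complete twisted-Edwards addition for a = -1; denominators never vanish on Ed25519.
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)

def mul(k, P):
    # Double-and-add; not constant-time, which is fine for validating public values.
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def sqrt_mod_p(a):
    # p = 5 (mod 8): a^((p+3)/8) is a root of a or of -a; fix up with sqrt(-1) = 2^((p-1)/4).
    r = pow(a, (p + 3) // 8, p)
    if (r * r - a) % p:
        r = r * pow(2, (p - 1) // 4, p) % p
    return r

# Standard base point B (y = 4/5, even x) generates the prime-order subgroup.
By = 4 * pow(5, -1, p) % p
Bx = sqrt_mod_p((By * By - 1) * pow(d * By * By + 1, -1, p) % p)
B = (p - Bx if Bx % 2 else Bx, By)
# (sqrt(-1), 0) is an order-4 point outside that subgroup: 2T = (0, -1), 4T = identity.
T = (pow(2, (p - 1) // 4, p), 0)

def cofactor_check(P):
    # "Multiply by the cofactor and reject if identity": only catches pure small-order points.
    return mul(COFACTOR, P) != IDENTITY

def subgroup_check(P):
    # The advisory's check: multiply by the subgroup order and reject if NOT the identity.
    return mul(SUBGROUP_ORDER, P) == IDENTITY

def clear_torsion(P):
    # The other fix Trevor alludes to: multiplying the key image by the cofactor removes torsion.
    return mul(COFACTOR, P)
```

Run the three points through both checks: B passes both, T fails both, and B + T passes cofactor_check but fails subgroup_check, while clear_torsion(B + T) equals 8B and passes again.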

