[curves] Prime order curves vs Decaf
Trevor Perrin
trevp at trevp.net
Wed May 31 20:41:36 PDT 2017
On Thu, Jun 1, 2017 at 3:27 AM, Tony Arcieri <bascule at gmail.com> wrote:
>
> It seems like Decaf provides a strategic mitigation for these sorts of
> attacks, as opposed for the
> always-multiply-by-the-cofactor-and-check-for-identity tactical response
> suggested by Monero's developers:
>
> https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html
A small point: that link doesn't suggest to
multiply-by-cofactor-and-check-for-identity.
It suggests to multiply by *SUBGROUP ORDER* and reject if *NOT*
identity, which is different.
(Multiplying the key image by cofactor might be a different fix).
Otherwise good questions, I'm curious about people's thoughts too.
Trevor
More information about the Curves
mailing list