[curves] Prime order curves vs Decaf

Trevor Perrin trevp at trevp.net
Wed May 31 20:41:36 PDT 2017

On Thu, Jun 1, 2017 at 3:27 AM, Tony Arcieri <bascule at gmail.com> wrote:
> It seems like Decaf provides a strategic mitigation for these sorts of
> attacks, as opposed to the
> always-multiply-by-the-cofactor-and-check-for-identity tactical response
> suggested by Monero's developers:
> https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html

A small point: that link doesn't suggest to

It suggests to multiply by *SUBGROUP ORDER* and reject if *NOT*
identity, which is different.

(Multiplying the key image by cofactor might be a different fix).

Otherwise good questions, I'm curious about people's thoughts too.
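As an added illustration (not part of Trevor's message, the Monero code, or any Decaf library), the following pure-Python Ed25519 arithmetic contrasts the two checks: multiplying a key image by the subgroup order l and rejecting unless the result is the identity detects a point with a torsion component, while multiplying by the cofactor 8 merely clears that component and only flags points lying entirely in the small subgroup. The torsion point T = (0, -1) and the "mixed" key image B + T are constructed here for the demonstration.

```python
# Added illustration: Ed25519 in affine twisted Edwards coordinates (a = -1), per RFC 8032.
p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493   # order of the prime-order subgroup
d = (-121665 * pow(121666, -1, p)) % p                 # curve constant
IDENTITY = (0, 1)

def edwards_add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    x3 = (x1*y2 + x2*y1) * pow(1 + d*x1*x2*y1*y2, -1, p) % p
    y3 = (y1*y2 + x1*x2) * pow(1 - d*x1*x2*y1*y2, -1, p) % p
    return (x3, y3)

def scalar_mult(k, P):
    # Plain double-and-add; timing is irrelevant here, we only inspect point properties.
    R = IDENTITY
    while k:
        if k & 1:
            R = edwards_add(R, P)
        P = edwards_add(P, P)
        k >>= 1
    return R

def on_curve(P):
    x, y = P
    return (-x*x + y*y - 1 - d*x*x*y*y) % p == 0

def recover_x(y, sign=0):
    # x-coordinate recovery as in RFC 8032 section 5.1.3
    x2 = (y*y - 1) * pow(d*y*y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x*x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p   # multiply by sqrt(-1)
    return p - x if (x & 1) != sign else x

BASE_Y = 4 * pow(5, -1, p) % p
B = (recover_x(BASE_Y), BASE_Y)           # standard base point, order l
T = (0, p - 1)                            # constructed torsion point of order 2

def order_check_rejects(I):
    # The check the Monero post describes: multiply the key image by the
    # subgroup order l and reject unless the result is the identity.
    return scalar_mult(l, I) != IDENTITY

def cofactor_check_rejects(I):
    # "Multiply by the cofactor and check for identity" catches only points that
    # lie entirely in the small subgroup; for a mixed point, 8*I is a valid
    # prime-order point, so the torsion is cleared rather than detected.
    return scalar_mult(8, I) == IDENTITY
```

For the mixed key image B + T, `order_check_rejects` returns True while `cofactor_check_rejects` returns False, and 8*(B + T) equals 8*B.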
