[curves] encoding points -> bitstrings: indistinguishability, PAKE?
Trevor Perrin
trevp at trevp.net
Tue Jun 22 11:04:47 PDT 2021
Hi,
Does anyone know the state-of-the-art for encoding/decoding an
elliptic curve point into a random-looking bit string, such that the
mapping covers all points and bit strings? Is it Elligator-squared?
https://eprint.iacr.org/2014/043.pdf
I'm interested in this partly as a way of making handshake protocols
(e.g. Noise) indistinguishable from random (e.g. censorship
resistance).
Also if such a protocol was encoding its ephemeral DH public keys in
this form, I believe (?) this would enable a PAKE almost for free:
simply XOR the encoded DH ephemeral public values (or even just one of
them) with the password or hash(password), per Bellovin and Merrit's
1992 EKE paper:
https://www.cs.columbia.edu/~smb/papers/neke.pdf
?
Trevor
More information about the Curves
mailing list