[messaging] Issues in Schnorr DLEQ proofs
Ian Goldberg
iang at cs.uwaterloo.ca
Wed Jan 8 15:39:39 PST 2020
On Wed, Jan 08, 2020 at 04:51:55PM -0500, Jeff Burdges wrote:
>
> Appears Privacy Pass only uses prime order curves, but this only turns up in their code.
I'm not sure what you mean by "this only turns up in their code". The
paper[1] is clear (Sections 3.2, 5.1) that the group G has to have prime
order q.
[1] https://cs.uwaterloo.ca/~iang/pubs/privacypass-popets18.pdf
You're right that cofactors can be annoying, which is why prime-order
curves are often preferable, though there are sometimes extenuating
circumstances that suggest something else.
--
Ian Goldberg
Canada Research Chair in Privacy Enhancing Technologies
Professor, Cheriton School of Computer Science
University of Waterloo
More information about the Messaging
mailing list