[messaging] Issues in Schnorr DLEQ proofs

Ian Goldberg iang at cs.uwaterloo.ca
Wed Jan 8 15:39:39 PST 2020

On Wed, Jan 08, 2020 at 04:51:55PM -0500, Jeff Burdges wrote:
> Appears Privacy Pass only uses prime order curves, but this only turns up in their code.

I'm not sure what you mean by "this only turns up in their code".  The
paper[1] is clear (Sections 3.2, 5.1) that the group G has to have prime
order q.

[1] https://cs.uwaterloo.ca/~iang/pubs/privacypass-popets18.pdf

You're right that cofactors can be annoying, which is why prime-order
curves are often preferable, though there are sometimes extenuating
circumstances that suggest something else.
Ian Goldberg
Canada Research Chair in Privacy Enhancing Technologies
Professor, Cheriton School of Computer Science
University of Waterloo

More information about the Messaging mailing list