On Sun, Dec 14, 2014 at 3:36 PM, Michael Hamburg <[email protected]> wrote: > >> On Dec 14, 2014, at 2:14 PM, Trevor Perrin <[email protected]> wrote: >> >> So why is this better than just using the Montgomery x-coordinate, >> plus the Edwards sign bit, for a "unified format"? [...] > > The main advantage vs Montgomery x + Edwards x sign is that the encoding I’m > working on eliminates the cofactor for most practical purposes. [...] > Of course, there are significant downsides to the new design, the most > important being that it doesn’t work for Curve25519.
So that's cool theoretically, by all means keep discussing. But practically, I'm not seeing much point. The cofactor is a minor inconvenience which 25519 adopters are already living with. Your encoding doesn't work for 25519, and even if it did, I doubt this is worth breaking compatibility for. A new "extra strength" curve will probably end up co-existing with 25519 as a pair of "regular strength" / "extra strength" options. In that case, the system already has to account for the cofactor, so providing extra or different features in the encoding isn't helpful. I'd be more interested in seeing you align the Goldilocks encoding with 25519, as far as possible, so it would be easy to provide both curves as options. Trevor _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
