> On Dec 22, 2014, at 5:07 PM, Robert Ransom <[email protected]> wrote:
>
> No, this is the same sort of ‘hazard elimination’ that Dr. Bernstein
> has been advocating (and implementing), e.g. with Curve25519 ECDH.
That’s the idea, though obviously the added complexity hurts.
> It's too bad that this point format will require cofactor 4 (although
> there are good mathematical reasons for that) -- that either makes key
> generation more complicated or decreases the secret key length by an
> extra bit (regardless of the field).
I don’t understand this point. Why does cofactor 4 make key generation more
complicated?
> Any implementation of signing
> would already need to reduce scalars modulo the group order (in order
> to compute s), so that bit of extra complexity won't hurt signature
> software, but it sucks for ECDH. Curve25519 remains better for ECDH.
I also don’t understand this statement. Is this assuming that the fancy point
format is only odd-ladderable with the Montgomery ladder? (Which it might be…)
Cheers,
— Mike
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
