On 1/19/15, Trevor Perrin <[email protected]> wrote: > - Full-format keys decode to Edwards coordinates in about the same > efficiency as compressed Edwards format. > > I'll try a quick writeup of the last point, based on equations Mike > showed me. Robert Ransom also explained this in [3]; below will be a > more simplified explanation.
Actually, the formulas that I posted in that message are for unpacking to projective coordinates in Edwards form. You're decoding to affine, like Andrey Jivsov did in <http://www.ietf.org/mail-archive/web/cfrg/current/msg05113.html> (also with help from Mike Hamburg). I'm reluctant to use the formulas that convert directly to affine Edwards form because those (as far as I can tell) have exceptional cases. I verified that my formulas for unpacking to projective form do not produce the invalid point. (This is also the reason to use the sign bit of the Edwards-form x coordinate, not the Montgomery-form y coordinate -- see <http://www.ietf.org/mail-archive/web/tls/current/msg11189.html>. I'm no longer convinced that all implementations which use the sign bit internally will use Edwards form, but I don't expect the exceptional case to be as serious a problem for implementations which convert to Montgomery-form y, and there may be a way to recover Edwards-form x after the Montgomery ladder without going through Montgomery-form y as well.) Robert Ransom _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
