On Wed, Jan 21, 2015 at 10:29 AM, Trevor Perrin <[email protected]> wrote:
>
> D) DH-type keys everywhere
> All public keys omit the sign bit (Montgomery x public keys are used
> for everything). For signatures, the sign bit is included as part of
> the signature (Robert Ransom suggested this, and TextSecure is using
> it). This means a very slight reduction in security, as each party
> essentially has two signature keys, rather than one, so an attacker
> could try to forge a signature against either of these keys.

Another way to do this - instead of "Ransom's trick" there's "Jivsov's
trick" where the private key is adjusted - if necessary - to always make
the sign bit 0:

https://datatracker.ietf.org/doc/draft-jivsov-ecc-compact

Trevor
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
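
The key adjustment described in the message above, as an added example that is not part of the original post or of the linked draft. It assumes edwards25519, takes the sign bit to be the low bit of x as in the Ed25519 point encoding, and treats the private key as an unclamped nonzero scalar modulo the group order; all function names are illustrative.

```python
# Added example: edwards25519 in affine coordinates (slow, not constant time).
P = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # order of the base point
D = -121665 * pow(121666, P - 2, P) % P                # curve constant d

def inv(z):
    return pow(z, P - 2, P)

def add(p1, p2):
    """Twisted Edwards addition on -x^2 + y^2 = 1 + d*x^2*y^2."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * inv(1 - t) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = (0, 1)                                       # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def recover_x(y):
    """Even square root x for a given y (the base point has even x)."""
    xx = (y * y - 1) * inv(D * y * y + 1) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return x if x % 2 == 0 else P - x

BY = 4 * inv(5) % P
B = (recover_x(BY), BY)                                # base point, y = 4/5

def sign_bit(pt):
    return pt[0] & 1                                   # low bit of x

def montgomery_u(pt):
    return (1 + pt[1]) * inv(1 - pt[1]) % P            # u = (1 + y) / (1 - y)

def adjust_private_key(a):
    """Return a or L - a, whichever yields a public point with sign bit 0."""
    a %= L
    return a if sign_bit(mul(a, B)) == 0 else L - a

if __name__ == "__main__":
    for a in (1, L - 1, 0x1234567890ABCDEF):           # constructed sample scalars
        a2 = adjust_private_key(a)
        same_u = montgomery_u(mul(a, B)) == montgomery_u(mul(a2, B))
        print(a == a2, sign_bit(mul(a2, B)), same_u)
```

Negating the scalar maps (x, y) to (-x, y), so the Montgomery public key is unchanged while the sign bit becomes 0, which is why the bit no longer has to travel with the key or the signature.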
