On Wed, Jan 21, 2015 at 3:07 PM, Robert Ransom <[email protected]> wrote:
> On 1/21/15, Trevor Perrin <[email protected]> wrote:
>
>> C) Full-format keys everywhere
>> All public keys include the sign bit, so this is a true "unified
>> format". [...] Montgomery-ladder-only implementation will require
>> an extra inversion, so key generation would be slowed by ~10%.
>
> It's not an extra inversion -- remember that inversions can easily be
> batched using 'Montgomery's trick'.

Good point, and Jivsov also described this [1].

So the Montgomery ladder function could be modified to recover the Edwards x sign bit at very low cost.

Would you prefer this for a unified format, instead of using a single-coordinate format with the sign bit implied as zero (Jivsov) or encoded into signatures (your idea)?

Trevor

[1] http://www.ietf.org/mail-archive/web/cfrg/current/msg05113.html
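Added example (not part of the original message, nor code from any of the people in the thread): Montgomery's trick over GF(2^255 - 19), inverting several field elements at the cost of one inversion, which is why the second denominator mentioned above need not cost a second inversion. The names `inv`, `batch_inv`, `COUNT` and the sample values are assumptions made for illustration.

```python
P = 2**255 - 19          # field prime of Curve25519 / Ed25519
COUNT = {"inv": 0}       # number of full field inversions performed


def inv(a):
    """One field inversion via Fermat's little theorem: a^(P-2) mod P."""
    COUNT["inv"] += 1
    return pow(a, P - 2, P)


def batch_inv(values):
    """Invert every element of `values` mod P using a single inversion.

    Zero has no inverse and would zero the running product, so zeros are
    left out of the product and returned as 0 (what a^(P-2) gives for 0).
    """
    prefix = []          # prefix[i] = product of non-zero values before i
    acc = 1
    for v in values:
        prefix.append(acc)
        if v % P:
            acc = acc * v % P
    acc_inv = inv(acc)   # the only inversion: 1 / (product of all non-zero)
    out = [0] * len(values)
    for i in range(len(values) - 1, -1, -1):
        v = values[i] % P
        if v:
            out[i] = acc_inv * prefix[i] % P   # equals 1 / values[i]
            acc_inv = acc_inv * v % P          # remove values[i] from product
    return out


if __name__ == "__main__":
    # Constructed sample denominators, standing in for the ladder's Z and
    # further values a coordinate-recovery step would divide by.
    zs = [9, 121666, 0, 2**200 + 5]
    for z, zi in zip(zs, batch_inv(zs)):
        print(z, "->", (z * zi) % P)           # 1 for non-zero z, 0 for z = 0
    print("inversions used:", COUNT["inv"])
```

Each extra element costs three multiplications instead of a full exponentiation.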
