On 1/21/15, 6:02 PM, "Trevor Perrin" <[email protected]> wrote:
>On Wed, Jan 21, 2015 at 3:07 PM, Robert Ransom <[email protected]> >wrote: >> On 1/21/15, Trevor Perrin <[email protected]> wrote: >> >>> C) Full-format keys everywhere >>> All public keys include the sign bit, so this is a true "unified >>> format". [...] Montgomery-ladder-only implementation will require >>> an extra inversion, so key generation would be slowed by ~10%. >> >> It's not an extra inversion -- remember that inversions can easily be >> batched using 'Montgomery's trick'. > >Good point, and Jivsov also described this [1]. > >So the Montgomery ladder function could be modified to recover the >Edwards x sign bit at very low cost. > >Would you prefer this for a unified format, instead of using a >single-coordinate format with the sign bit implied as zero (Jivsov) Š no extra bits, no leaks, shorter, etc., sounds like a good idea. So how is the bit implied? >or >encoded into signatures (your idea)? Also a cute trick .. But makes you modify the signature algorithm based on the received point format (not everyone would be Œuniversal¹) Paul > >Trevor > > >[1] http://www.ietf.org/mail-archive/web/cfrg/current/msg05113.html _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
