On 1/21/15, 6:44 PM, "Trevor Perrin" <[email protected]> wrote:
>On Wed, Jan 21, 2015 at 4:09 PM, Paul Lambert <[email protected]> wrote:
>>
>>
>> On 1/21/15, 6:02 PM, "Trevor Perrin" <[email protected]> wrote:
>>>
>>>So the Montgomery ladder function could be modified to recover the
>>>Edwards x sign bit at very low cost.
>>>
>>>Would you prefer this for a unified format, instead of using a
>>>single-coordinate format with the sign bit implied as zero (Jivsov)
>>
>> … no extra bits, no leaks, shorter, etc., sounds like a good idea.
>> So how is the bit implied?
>
>Generate a keypair and calculate the sign bit, e.g. as explained
>above. If the sign bit is one instead of zero, negate the private
>scalar. Now the sign bit is always zero.
>
>https://datatracker.ietf.org/doc/draft-jivsov-ecc-compact

Thanks!

>
>
>>>or
>>>encoded into signatures (your idea)?
>> Also a cute trick .. But makes you modify the signature algorithm based on
>> the received point format (not everyone would be ‘universal’)
>
>That's easy, though: if your public-key format doesn't include the
>sign bit, just copy it from the signature, then run existing
>signature-verify code. For example, in Ed25519:
>
>https://github.com/trevp/ref10_extract/blob/master/ed25519/additions/curve_sigs.c
>
>Anyways, I like the Jivsov and Ransom approaches to single-coordinate
>public keys for signatures, but I'm not sure they'll work for all
>protocols (?)

Likewise - single coordinate has benefits.
… are we talking here about public key format or generic point format …

It’s hard to predict and analyze multiple unknown protocols. However, I’m
not sure it’s necessary.

Paul

>
>Trevor
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
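The implied-zero sign bit described in the quoted reply (negate the private scalar when the sign bit is one), as an added example that is not part of the original message or of the code it links to. It assumes Ed25519 parameters, takes the sign bit to be the low bit of the Edwards x coordinate, and treats private scalars as integers modulo the group order L; all function names are hypothetical.

```python
# Added illustration; variable-time arithmetic, Ed25519 parameters (RFC 8032).
P = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # base point order
D = -121665 * pow(121666, P - 2, P) % P              # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                    # sqrt(-1) mod P

def inv(z):
    return pow(z, P - 2, P)

def recover_x(y, sign):
    """Solve -x^2 + y^2 = 1 + d*x^2*y^2 for the x with the given low bit."""
    x2 = (y * y - 1) * inv(D * y * y + 1) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        raise ValueError("y is not the coordinate of a curve point")
    return x if (x & 1) == sign else P - x

def add(p1, p2):
    """Complete twisted Edwards addition in affine coordinates."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * inv(1 - t) % P)

def scalar_mult(k, pt):
    acc = (0, 1)                                     # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

BY = 4 * inv(5) % P
B = (recover_x(BY, 0), BY)                           # base point

def normalize_keypair(a):
    """Return (a', y) with a'*B = (x, y) and the sign bit of x equal to 0."""
    a %= L
    x, y = scalar_mult(a, B)
    if x & 1:         # sign bit is one: negate the private scalar
        a = L - a     # (L - a)*B = -(a*B) = (P - x, y); y is unchanged
    return a, y

def decode_public(y):
    """Expand a single-coordinate public key; the sign bit is implied zero."""
    return (recover_x(y, 0), y)
```

Because a scalar and its negation normalize to the same keypair, the receiver can always expand the y-only public key with sign bit zero and get the point that matches the stored private scalar.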
