I noticed a minor traffic whitening issue in the HORNET paper: HORNET uses Sphinx packets to build circuits through the mixnet, but the actual HORNET packets that travel on those circuits use a different header.

This begs the question: How should I quickly generate a random curve25519 group element such that an observer cannot tell that I'm not actually doing a scalar multiplication?

We want a hash function f that yields a curve25519 group element such that:

(a) if X, Y have uniform distributions, then the resulting distribution f(X) is (sufficiently?) indistinguishable from g(Y) * G, where g is some reasonable hash function that yields curve25519 scalars and G is a base point.

(b) f(x) can be computed an order of magnitude faster than g(x) * G. I hear a curve25519 DH operation takes about 40x longer than a typical sha512 based KDF.

Also, is it possible to do this in such a way that f(x) is a safe basepoint for future DH operations?

Jeff
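Condition (a) can be checked from the observer's side. The following is an added example, not part of the original message: it shows that a naive f that uses hash output directly as a u-coordinate lands on the curve only about half the time, while g(Y) * G always does. The sample inputs are constructed and all helper names are assumptions.

```python
import hashlib

P = 2**255 - 19          # field prime of curve25519
A = 486662               # Montgomery coefficient: v^2 = u^3 + A*u^2 + u

def on_curve(u: int) -> bool:
    """True if u is the u-coordinate of a point on the curve (not its twist)."""
    rhs = (u * u * u + A * u * u + u) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1   # Euler's criterion

def x25519(k: int, u: int) -> int:
    """RFC 7748 Montgomery ladder on integers (not constant time; demo only)."""
    x1, x2, z2, x3, z3, swap = u % P, 1, 0, u % P, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def sample(i: int) -> int:
    """Constructed test input: 255 pseudo-random bits derived from a counter."""
    digest = hashlib.sha512(b"constructed-sample-%d" % i).digest()[:32]
    return int.from_bytes(digest, "little") & ((1 << 255) - 1)

def clamp(k: int) -> int:
    """Scalar clamping as in X25519: clear low 3 bits, set bit 254."""
    return (k & ((1 << 254) - 8)) | (1 << 254)

def pass_rate(values) -> float:
    values = list(values)
    return sum(on_curve(v) for v in values) / len(values)

def naive_rate(n: int = 2000) -> float:
    """Naive f: hash output used directly as a u-coordinate."""
    return pass_rate(sample(i) for i in range(n))

def real_rate(n: int = 100) -> float:
    """Real keys: g(Y) * G with G the base point u = 9."""
    return pass_rate(x25519(clamp(sample(i)), 9) for i in range(n))

if __name__ == "__main__":
    print("naive f:", naive_rate(), " g(Y)*G:", real_rate())
```

A candidate f has to pass this membership check on every output before the finer distributional question in (a) even arises.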
