On Sep 14, 2015 2:31 PM, "Jeff Burdges" <[email protected]> wrote:
>
> I noticed a minor traffic whitening issue in the HORNET paper: HORNET
> uses Sphinx packets to build circuits through the mixnet, but the actual
> HORNET packets that travel on those circuits use a different header.
>
> This begs the question: How should I quickly generate a random curve
> 25519 group element such that an observer cannot tell that I'm not
> actually doing a scalar multiplication?
>
> We want a hash function f that yields a curve25519 group element such
> that:
> (a) if X,Y have uniform distributions, then the resulting distribution
> f(X) is (sufficiently?) indistinguishable from g(Y) * G where g is some
> reasonable hash function that yields curve25519 scalars and G is a base
> point.
> (b) f(x) can be computed an order of magnitude faster than g(x) * G. I
> hear a curve25519 DH operation takes about 40x longer than a typical
> sha512 based KDF.

What about Elligator encoding everything?

> Also, is it possible to do this in such a way that f(x) is a safe
> basepoint for future DH operations?
>
> Jeff
>
> _______________________________________________
> Curves mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/curves
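
An added example, not part of the thread: the Elligator 2 direct map onto Curve25519 in Python, as one candidate for the f asked about above. The SHA-512 input hashing and the names `hash_to_u`, `elligator2_map` and `on_curve` are assumptions made for illustration.

```python
import hashlib

P = 2**255 - 19   # Curve25519 field prime
A = 486662        # Montgomery coefficient: v^2 = u^3 + A*u^2 + u
Z = 2             # fixed non-square mod P used by Elligator 2


def is_square(x):
    """Euler's criterion mod P; 0 counts as a square."""
    return pow(x % P, (P - 1) // 2, P) != P - 1


def curve_rhs(u):
    """Right-hand side of the Montgomery curve equation."""
    return (u * u * u + A * u * u + u) % P


def elligator2_map(r):
    """Map a field element r to the u-coordinate of a point on Curve25519."""
    denom = (1 + Z * r * r) % P            # never 0: -1/Z is a non-square mod P
    v = (-A * pow(denom, P - 2, P)) % P    # one field inversion
    # For r != 0 exactly one of v and -v - A has a square right-hand side.
    return v if is_square(curve_rhs(v)) else (-v - A) % P


def hash_to_u(seed: bytes) -> bytes:
    """Hypothetical f(x): SHA-512 -> field element -> 32-byte little-endian u."""
    r = int.from_bytes(hashlib.sha512(seed).digest(), "little") % P
    return elligator2_map(r).to_bytes(32, "little")


def on_curve(u_bytes: bytes) -> bool:
    """True if u is the u-coordinate of a curve point rather than a twist point."""
    return is_square(curve_rhs(int.from_bytes(u_bytes, "little")))


if __name__ == "__main__":
    # Constructed sample input, not taken from the thread.
    u = hash_to_u(b"constructed sample seed")
    print(u.hex(), on_curve(u))
```

The map costs one field inversion and one square test rather than a Montgomery ladder. Its outputs lie on the full curve, which has cofactor 8, so they are not confined to the prime-order subgroup that g(Y) * G always falls in; the example does not clear the cofactor.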
