On Fri, May 19, 2017 at 7:00 PM, Mike Hamburg <m...@shiftleft.org> wrote:
>
> Right. This is a signature verification, probably Schnorr, so hashing to an
> odd number might have fixed it.

Maybe. I think I was wrong that hashing the "key image" into the Schnorr challenge is a fix. Multiplying the "key image" by cofactor before checking for double-spending might work (similar to VXEdDSA producing its "VRF" output). If anyone understands this algorithm in depth feel free to explain more.

> Decaf does work for Curve25519. It’s in the paper, and Henry+Isis and I have
> independently implemented it.
>
> In fact, it turns out there are multiple ways to do it for Curve25519 based
> on the paper, and Henry+Isis and I probably picked different ones (but we
> haven’t cross-tested yet, so we aren’t sure).

It would be great to see a writeup + performance analysis of the exact Curve25519 formulas, including conversions from X25519 and Ed25519 public keys into Decaf. People with complex protocols designed for prime-order groups will have to weigh Decaf against just tweaking things for the cofactor, or choosing a different curve, and the relative costs aren't that easy to figure out.

Trevor

[CryptoNote] https://cryptonote.org/whitepaper.pdf
[Decaf] https://eprint.iacr.org/2015/673.pdf