>> I guess this is because X-only for Weierstrass is expensive,
>> thus either uncompressed points are transmitted, in which
>> case checking the validity of the point is cheap, or points
>> are uncompressed, which implicitly verifies the validity.
>
> Yes, X-only for Weierstrass is expensive.
And for this reason, you typically de-compress points on Weierstrass curves before further processing.

> And the point was: Even with point compression, in general you
> need to check if the square root actually exists (which has cost
> of 1 square mod p).

When decompressing, you _compute_ the square root. Thus, you get the check (if the square root actually exists) for free.

> Yes, there are special cases where you don't have to check, e.g., all of:
> - Weierstrass.
> - p=4k+3, and using the usual a^(p+1)/4 mod p square root.
> - The curve is twist-secure.
>
> And breaking any of those can lead into trouble:
> - With non-Weierstrass forms, invalid points can lead to who knows what.
> - One of the p=8k+5 square roots yields 0 on blind application to QNR
>   about half of the time.
> - One can solve ecdlog in twist of Brainpool256t1 pretty easily.

All of this is irrelevant as long as you do one of the following:
- You transmit compressed points but decompress them before further processing (using arithmetic with both coordinates).
- You transmit uncompressed points and check the curve equation, which is very cheap.

Twist security is only important if you do one of the following:
- You transmit compressed points and use X-coordinate arithmetic. This is not very efficient for Weierstrass curves.
- You transmit uncompressed points and fail to verify the curve equation. Since this check is so simple and cheap, this would be careless.

I consider the emphasis on twist security more as marketing for certain curves than as a serious argument.

-- 
Johannes

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
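Editor's added example (not from the mailing-list thread or any of its participants): the two checks the message above argues are cheap, written out for a Weierstrass curve over a p = 4k+3 prime. It uses secp256k1 (y^2 = x^3 + 7, p = 2^256 - 2^32 - 977, p ≡ 3 mod 4) because its parameters are public and the (p+1)/4 root trick applies; the function names and the search for an off-curve x are my own choices, and the decompression routine deliberately keeps the y*y == rhs(x) comparison so that an x whose right-hand side is a non-residue (i.e. an x that lies on the quadratic twist) is rejected instead of being handed a garbage y.

```python
# Added example: point decompression with the "free" square-root check,
# and the curve-equation check for uncompressed points, on secp256k1.
# Curve: y^2 = x^3 + A*x + B over GF(P). Constants are the standard ones.

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8

# The v^((p+1)/4) root formula below is only valid for p = 4k+3.
assert P % 4 == 3


def rhs(x):
    """Right-hand side x^3 + A*x + B of the curve equation, mod P."""
    return (pow(x, 3, P) + A * x + B) % P


def sqrt_candidate(v):
    """v^((P+1)/4) mod P. A square root of v when v is a quadratic residue;
    when v is a non-residue this is just some value that is NOT a root,
    which is what 'blind application' of the formula returns."""
    return pow(v, (P + 1) // 4, P)


def is_residue(v):
    """Euler's criterion (one exponentiation). 0 is treated as a residue."""
    return v % P == 0 or pow(v, (P - 1) // 2, P) == 1


def on_curve(x, y):
    """Curve-equation check for an uncompressed point: range check plus
    one squaring, one cube, a couple of additions. This is the 'very
    cheap' check the message refers to."""
    return 0 <= x < P and 0 <= y < P and (y * y) % P == rhs(x)


def decompress(prefix, x):
    """(prefix, x) -> (x, y); prefix 0x02 = even y, 0x03 = odd y.
    The root has just been computed, so checking that it really is a
    root costs one extra multiplication: the check comes 'for free'."""
    if prefix not in (0x02, 0x03):
        raise ValueError("bad prefix")
    if not 0 <= x < P:
        raise ValueError("x out of range")
    v = rhs(x)
    y = sqrt_candidate(v)
    if (y * y) % P != v:
        # x^3 + A*x + B is a non-residue: no point on the curve has this
        # x-coordinate; it belongs to the quadratic twist instead.
        raise ValueError("no square root: x is not on the curve")
    if (y & 1) != (prefix & 1):
        y = P - y
    return (x, y)


def decompress_or_none(prefix, x):
    """Same as decompress() but returns None on rejection."""
    try:
        return decompress(prefix, x)
    except ValueError:
        return None


def first_twist_x(start=1):
    """Smallest x >= start whose right-hand side is a non-residue, i.e. an
    x-only encoding that would land on the twist if nobody checked.
    Roughly half of all x values qualify, so the loop is short."""
    x = start
    while is_residue(rhs(x)):
        x += 1
    return x


if __name__ == "__main__":
    print("G decompresses correctly:", decompress(0x02, GX) == (GX, GY))
    xt = first_twist_x()
    blind = sqrt_candidate(rhs(xt))
    print("twist x =", xt)
    print("blind root squared equals rhs?", (blind * blind) % P == rhs(xt))
    print("decompress rejects it?", decompress_or_none(0x02, xt) is None)
```

The comparison in decompress() is the whole point: with it, a compressed x that does not correspond to a curve point is rejected before any scalar multiplication; without it, the same x would silently become a point on the twist, and twist security would suddenly matter.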
