[cryptography] Point compression prior art?

Paul Crowley paul at ciphergoth.org
Fri May 20 19:12:47 EDT 2011


On 20/05/11 23:49, Nico Williams wrote:
> What about using Shcnorr's signature scheme with ECDH?  Here's DJB
> talking about it in the context of his Curve25519, which uses the
> discard-y point compression technique:
>
> http://www.derkeiler.com/Newsgroups/sci.crypt/2006-08/msg01621.html
>
> This would seem adequate to me, and should result in small signatures.

I don't see how "discard y" works here. It works for DH because x(±yB) = 
±xyB = y(±xB).  But for Schnorr the verifier needs sB-rnB and sB-rnB != 
sB-r(-nB).  I guess it wouldn't be too expensive to try both - any 
opinions on the patent status of that?
-- 
   __
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/



More information about the cryptography mailing list