[cryptography] Point compression prior art?
paul at ciphergoth.org
Fri May 20 19:12:47 EDT 2011
On 20/05/11 23:49, Nico Williams wrote:
> What about using Shcnorr's signature scheme with ECDH? Here's DJB
> talking about it in the context of his Curve25519, which uses the
> discard-y point compression technique:
> This would seem adequate to me, and should result in small signatures.
I don't see how "discard y" works here. It works for DH because x(±yB) =
±xyB = y(±xB). But for Schnorr the verifier needs sB-rnB and sB-rnB !=
sB-r(-nB). I guess it wouldn't be too expensive to try both - any
opinions on the patent status of that?
\/ o\ Paul Crowley, paul at ciphergoth.org
More information about the cryptography