[cryptography] Point compression prior art?

Nico Williams nico at cryptonector.com
Fri May 20 19:36:32 EDT 2011

On Fri, May 20, 2011 at 6:12 PM, Paul Crowley <paul at ciphergoth.org> wrote:
> On 20/05/11 23:49, Nico Williams wrote:
>> What about using Schnorr's signature scheme with ECDH?  Here's DJB
>> talking about it in the context of his Curve25519, which uses the
>> discard-y point compression technique:
>> http://www.derkeiler.com/Newsgroups/sci.crypt/2006-08/msg01621.html
>> This would seem adequate to me, and should result in small signatures.
> I don't see how "discard y" works here. It works for DH because x(±yB) =
> ±xyB = y(±xB).  But for Schnorr the verifier needs sB-rnB and sB-rnB !=
> sB-r(-nB).  I guess it wouldn't be too expensive to try both - any opinions
> on the patent status of that?

Ah yes, I see that now.  I wouldn't know if there exist any patents
covering that.
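
Added illustration, not part of the original message or of either poster's code: the sign ambiguity discussed above, on a constructed toy curve (y^2 = x^3 + 2x + 2 over F_17, base point (5, 1), group order 19). All function names are hypothetical, and the nonce k is passed in explicitly only so the run is deterministic. It shows that the x-coordinate of a DH result is unaffected by the sign of the peer's point, that sB - r(nB) is not, and a verifier that tries both lifts of an x-only public key.

```python
import hashlib

# Toy curve y^2 = x^3 + 2x + 2 over F_17; B = (5, 1) generates a group of prime order 19.
# Constructed parameters for illustration only; far too small for real use.
P, A, C, Q, B = 17, 2, 2, 19, (5, 1)

def neg(pt):
    return None if pt is None else (pt[0], -pt[1] % P)

def add(p1, p2):
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    acc, k = None, k % Q
    while k:                                          # double-and-add
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lifts(x):
    # Both points sharing this x: all a verifier holding only x can reconstruct.
    rhs = (x**3 + A * x + C) % P
    return [(x, y) for y in range(P) if y * y % P == rhs]

def challenge(R, msg):
    h = hashlib.sha256(bytes([R[0]]) + msg).digest()  # hash of x(R) and the message
    return int.from_bytes(h, "big") % Q

def sign(n, k, msg):                                  # n: private key, k: nonce (nonzero)
    r = challenge(mul(k, B), msg)
    return r, (k + r * n) % Q

def recover_R(r, s, pub):
    return add(mul(s, B), neg(mul(r, pub)))           # sB - r(nB)

def verify_x_only(pub_x, msg, r, s):
    # Try both sign choices for the compressed public key; accept if either matches.
    cands = (recover_R(r, s, c) for c in lifts(pub_x))
    return any(R is not None and challenge(R, msg) == r for R in cands)
```
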
