[cryptography] Point compression prior art?

Sebastien Martini seb at dbzteam.org
Fri May 20 20:04:06 EDT 2011


Hi,

On Sat, May 21, 2011 at 00:49, Nico Williams <nico at cryptonector.com> wrote:
> On Fri, May 20, 2011 at 5:40 PM, Paul Crowley <paul at ciphergoth.org> wrote:
>> On 20/05/11 23:14, Zooko O'Whielacronx wrote:
>>> How about the "Compact Representation", section 4.2, of RFC 6090:
>>>
>>> http://www.rfc-editor.org/rfc/rfc6090.txt
>>>
>>> Is that the same "point compression" that you were looking for?
>>
>> Sadly not; this is the "discard y, transmit only x" scheme described in the
>> original CRYPTO 85 paper introducing elliptic curve cryptography. This
>>  works for ECDH, but for protocols such as ECDSA it's harder to see how to
>> make do with only one of the coordinates.  Thanks for the reference though!
>
> What about using Shcnorr's signature scheme with ECDH?  Here's DJB
> talking about it in the context of his Curve25519, which uses the
> discard-y point compression technique:
>
> http://www.derkeiler.com/Newsgroups/sci.crypt/2006-08/msg01621.html
>
> This would seem adequate to me, and should result in small signatures.

>From a practical point of view there is however something not really
handy with Schnorr's signature scheme, that is you can't call the sign
function with a hash of the message  because the ephemeral public key
must be concataned to the message before being hashed.

seb



More information about the cryptography mailing list