[cryptography] Point compression prior art?
seb at dbzteam.org
Fri May 20 20:04:06 EDT 2011
On Sat, May 21, 2011 at 00:49, Nico Williams <nico at cryptonector.com> wrote:
> On Fri, May 20, 2011 at 5:40 PM, Paul Crowley <paul at ciphergoth.org> wrote:
>> On 20/05/11 23:14, Zooko O'Whielacronx wrote:
>>> How about the "Compact Representation", section 4.2, of RFC 6090:
>>> Is that the same "point compression" that you were looking for?
>> Sadly not; this is the "discard y, transmit only x" scheme described in the
>> original CRYPTO 85 paper introducing elliptic curve cryptography. This
>> works for ECDH, but for protocols such as ECDSA it's harder to see how to
>> make do with only one of the coordinates. Thanks for the reference though!
> What about using Shcnorr's signature scheme with ECDH? Here's DJB
> talking about it in the context of his Curve25519, which uses the
> discard-y point compression technique:
> This would seem adequate to me, and should result in small signatures.
>From a practical point of view there is however something not really
handy with Schnorr's signature scheme, that is you can't call the sign
function with a hash of the message because the ephemeral public key
must be concataned to the message before being hashed.
More information about the cryptography