[cryptography] Point compression prior art?

James A. Donald jamesd at echeque.com
Sat May 21 07:17:12 EDT 2011


On 2011-05-21 9:12 AM, Paul Crowley wrote:
> On 20/05/11 23:49, Nico Williams wrote:
>> What about using Shcnorr's signature scheme with ECDH? Here's DJB
>> talking about it in the context of his Curve25519, which uses the
>> discard-y point compression technique:
>>
>> http://www.derkeiler.com/Newsgroups/sci.crypt/2006-08/msg01621.html
>>
>> This would seem adequate to me, and should result in small signatures.
>
> I don't see how "discard y" works here. It works for DH because x(±yB) =
> ±xyB = y(±xB). But for Schnorr the verifier needs sB-rnB and sB-rnB !=
> sB-r(-nB). I guess it wouldn't be too expensive to try both - any
> opinions on the patent status of that?

I believe that the wheel is patented, as is the idea of trying to get 
around the patent by using something other than a wheel for the sort of 
purposes a wheel might be used for.  Should someone ever figure how to 
make something other than a wheel roll, the idea of rolling non wheels 
is also patented.




More information about the cryptography mailing list