Re: Convenient x-coordinate-only EC signing
- From: "xmath" <xmath.news@xxxxxxxxx>
- Date: 16 Sep 2006 02:27:21 -0700
D. J. Bernstein wrote:
On 2006-09-14, xmath <xmath.news@xxxxxxxxx> wrote:
This equation also holds if you use -R instead of R, so it doesn't
matter which one you recover.
You can just as easily pin down one to recover: R S(R), which is the
same as -R S(-R).
Yes, of course. The equation works for R or -R so you can just always
pick the one for which S(R) = 1 if that simplifies matter for you.
There's no reason for S to be hard to evaluate: for
example, protocols often take the square root below p/2.
I prefer the one which is 0 mod 2, easier to determine.
At first glance I prefer the sB = Q + H(Q,m) P form. Either way the
verifier has to recover one y-coordinate; the virtue of having this
be the y-coordinate of P is that it can be reused for other
signatures under the same public key. Is there an advantage the
other way?
Unless special care has been taken to make sure S(P) has a known value,
you won't know which of P and -P is right, and Q + h P will give really
different answers in the two cases.
This avoids mucking with the keygen, keeping it the same as for DH.
Making sure S(P) == 1 during keygen means it'll have to recover its
y-coordinate there, which is significant extra work, and means it'll
have to negate the private key correspondingly, which is an interface
change for the function.
My way keeps the mess confined inside sign.
- xmath
.
- References:
- Convenient x-coordinate-only EC signing
- From: xmath
- Re: Convenient x-coordinate-only EC signing
- From: D. J. Bernstein
- Convenient x-coordinate-only EC signing
- Prev by Date: Re: Question about bit strength
- Next by Date: Chaffinch Implementations?
- Previous by thread: Re: Convenient x-coordinate-only EC signing
- Next by thread: Re: Convenient x-coordinate-only EC signing
- Index(es):
Relevant Pages
|
