Cofactor clearing #25
Comments
|
This is interesting. One thing that can be done for curve448 is move it to the twisted edwards, apply the decaf functionality there, and then convert it back to montgomery. |
|
Yeah that would potentially be a good solution! Do you think the overheads of doing those transformation will be favourable compared to incorporating more scalar multiplications? |
That could work, we can evaluate this approach; otherwise, we can shift the suite to Edwards448. |
|
So the best approach here sounds like using Edwards and handling the cofactor as in RFC8032? |
|
What we can do is the following: I can create the interfaces for:
And then we can see which one might be easier to use.. what do you think? |
|
Now that ed448 have been merged to master in circl, I was thinking to start moving this library to use that one as well, prior to using it as well for decaf later. Sounds good? @alxdavids |
Yeah I think that's a great idea 👍 I've not been keeping that up-to-date with the ed448 change, do you think it will be a big change to adapt the VOPRF implementation to use this? |
|
@alxdavids .. not that of a big change.. as the functions should probably be called the same. I'll review it tomorrow just to be sure ;) |
|
@alxdavids decaf is probably going to be added to circl soon! I'll wait for the merge and then send the PR over here (then if all works over here we can also update the document) ;) |
|
Great, thanks @claucece! |
We should adopt the advice in https://eprint.iacr.org/2017/212.pdf to make all scalar multiplication values a multiple of the curve cofactor. This ensures that we have a prime-order group interface even when using curve448, and also reduces the number of necessary scalar multiplications.
cc @armfazh
The text was updated successfully, but these errors were encountered: