Re: [Cfrg] Curve selection revisited

[Ilari Liusvaara <ilari.liusvaara@elisanet.fi>]

On Fri, Jul 25, 2014 at 07:25:54PM -0700, Robert Ransom wrote:
> On 7/25/14, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> Affine Montgomery-form points can be unpacked to and packed from
> projective (optionally twisted) Edwards-form points at a trivial extra
> cost over unpacking from or packing to a compressed affine
> Edwards-form point. 

Do you mean Montgomery_x-only, or that (Montgomery_x, Edwards_x_sign)
representation?

If the latter, it is not at all obvious how to get both in just
one inversion (either can obviously be gotten in just one inversion,
as can full edwards affine form).

Also, looks like the representation hits special case if Edwards-x is
0 (both points map into Montgomery_x=0, and sign bit needs to tell
apart Edwards_y values, instead of Edwards_x values as usual).

So yes, easy conversion to Montgomery form is useful for DH, but
is it useful for when the other side will do things like additions?

> Variable-base scalar-multiplication operations
> which use Edwards form internally are not slowed significantly by
> having a projective rather than affine input (if any operations rely
> on their input being affine, they must occur during table setup), and
> they are not slowed at all if they double and/or apply isogenies to
> clear the cofactor group before operating on an ‘incomplete’ curve
> (e.g. a=-1 in a field in which -1 is a non-square).

At least some protocols that do seem to cope with h>1 (as in having
checks for low-order points and no direct coupling between subgroups)
don't clear cofactors in points sent by the peer, but proceed to
directly calculate with those.


-Ilari