2017-06-01 03:27:55 UTC
"exotic" protocols on top of what are effectively signature mechanisms,
e.g. Schnorr/Ring signatures.
The Bitcoin ecosystem (by which I really mean Blockstream) made a Schnorr
signature algorithm on top of secp256k1 and have implemented many of the
sort of exotic constructions I have been referring to earlier.
Others (including my employer) have attempted to implement similarly exotic
constructions on top of Edwards curves, namely the cofactor 8
"edwards25519" curve. Sometimes this hasn't gone so well, see CryptoNote
and the recent "CryptoNote and equivalent points" thread.
It seems like Decaf provides a strategic mitigation for these sorts of
attacks, as opposed for the
always-multiply-by-the-cofactor-and-check-for-identity tactical response
suggested by Monero's developers:
During the recent standardization effort for next-gen TLS curves (i.e.
through the CFRG), there was a big push for Edwards curves. But around the
same time there were several papers on complete formulas for Weierstrass
My rough understanding is these formulas are still less efficient than the
Edwards equivalents, and implementing them requires (non-constant time?)
inversions which can be completely avoided on Edwards curves. And all that
said, I believe libsecp256k1 uses a number of the techniques described in
these papers and is roughly 2X faster than Ed25519 at signature
verification. I also believe I've heard Decaf decompression of Ed25519
points can actually be faster than the regular Edwards decompression.
Seems like a complicated topic. Curious about people's thoughts.