Well, thanks for the reply :) The key exchange does not rely on using two different points.

I will try to explain a little more generally:

I generate my l-torsion subgroup by two points:
<P, Q> = E[l]

During key exchange I define my kernel using a linear combination of random values m, n:
kernel = [m] * P + [n] * Q

So I wondered why I need two points.

To generate the torsion subgroup it would suffice to use one point:
<P> = E[l]

And to generate the kernel, the linear combination of one point would suffice too:
kernel = [m] * P

So why is the protocol using two points for each? Is that purely a security issue to ensure that the torsion subgroup is not cyclic anymore?

regards,

On 07/09/2015 10:24 AM, coderman wrote:
> On 7/8/15, Marcel <tiep...@dev-nu11.de> wrote:
>> ...
>> So my question is, why do I need two random values m_A and n_A to compute
>> the torsion group E[l_A] and respectively the kernel K_A?
>>
>> Why does it not suffice to use only 1 point to generate E[l_A] and
>> kernel K_A?
> it is late, and i may misunderstand,
>
> yet the two are requisite for peers arriving at a shared secret by way
> of these constructed isogenies; and the random values necessary to not
> give too much (confirm secret values, without exposing secret values)
>
> i found this paper a helpful expansion on the subject:
> http://cacr.uwaterloo.ca/techreports/2014/cacr2014-20.pdf
> "In this paper, we mainly explore the efficiency of implementing recently
> proposed isogeny-based post-quantum public key cryptography..."
>
> specifically the graph on page 5. note that the key exchange relies on
> finding a path connecting vertices in a graph of supersingular
> isogenies - thus a pair on both ends, not just a pair arrived at among
> both participants.
>
> if this is clear as mud, i will try tomorrow on a fresh brain :)
>
>
> best regards,

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
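Added example, not part of the original message or of any code from the thread: a brute-force check of the quantities the question turns on, namely the size of E[l], the size of the subgroup generated by one point versus two, and the number of distinct order-l kernels. The toy curve E: y^2 = x^3 + x over F_{11^2}, the choice l = 3, and all function names are assumptions made for illustration.

```python
# Toy parameters (assumptions for illustration, not taken from the thread):
# E: y^2 = x^3 + x over F_{p^2} = F_p[i]/(i^2 + 1), with p = 11 and l = 3.
P_MOD, ELL = 11, 3
ZERO, ONE = (0, 0), (1, 0)
FIELD = [(a, b) for a in range(P_MOD) for b in range(P_MOD)]   # a + b*i

def fadd(u, v): return ((u[0] + v[0]) % P_MOD, (u[1] + v[1]) % P_MOD)
def fsub(u, v): return ((u[0] - v[0]) % P_MOD, (u[1] - v[1]) % P_MOD)
def fmul(u, v):
    return ((u[0]*v[0] - u[1]*v[1]) % P_MOD, (u[0]*v[1] + u[1]*v[0]) % P_MOD)
def finv(u):
    n = pow(u[0]*u[0] + u[1]*u[1], P_MOD - 2, P_MOD)  # inverse of norm a^2 + b^2
    return (u[0]*n % P_MOD, -u[1]*n % P_MOD)

def add(P, Q):
    """Affine point addition on E; None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if fadd(y1, y2) == ZERO:
            return None                                # Q = -P
        lam = fmul(fadd(fmul((3, 0), fmul(x1, x1)), ONE), finv(fadd(y1, y1)))
    else:
        lam = fmul(fsub(y2, y1), finv(fsub(x2, x1)))
    x3 = fsub(fsub(fmul(lam, lam), x1), x2)
    return (x3, fsub(fmul(lam, fsub(x1, x3)), y1))

def mul(k, P):
    """[k]P by repeated addition (k is tiny here)."""
    R = None
    for _ in range(k):
        R = add(R, P)
    return R

def curve_points():
    """Every point of E(F_{p^2}), found by exhaustive search."""
    pts = [None]
    for x in FIELD:
        rhs = fadd(fmul(fmul(x, x), x), x)
        pts += [(x, y) for y in FIELD if fmul(y, y) == rhs]
    return pts

def span(*gens):
    """All sums of multiples [k]G, k in 0..l-1, of the given generators."""
    out = {None}
    for G in gens:
        out = {add(S, mul(k, G)) for S in out for k in range(ELL)}
    return out

POINTS = curve_points()
TORSION = [T for T in POINTS if mul(ELL, T) is None]            # E[l]
P = next(T for T in TORSION if T is not None)                   # first basis point
Q = next(T for T in TORSION if T not in span(P))                # independent of P
KERNELS = {frozenset(span(T)) for T in TORSION if T is not None}
if __name__ == "__main__":
    print(len(TORSION), len(span(P)), len(span(P, Q)), len(KERNELS))
```

On this toy curve the script prints `9 3 9 4`: E[l] has l^2 points, `span(P)` has l, `span(P, Q)` recovers all of E[l], and there are l + 1 distinct order-l subgroups available as kernels.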