Hi, I am currently helping with the design of a draft for OTRv4, and we are considering using Decaf point compression with Ed448 for Schnorr signatures and a deniable, authenticated key exchange.
I like Decaf because it allows us to omit information about the cofactor in the protocol and thus in the implementation as well. We have received feedback that multiplying by the cofactor is trivial in comparison to incorporating Decaf. I wanted to ask, when is using Decaf a better choice? And alternatively, when is using the cofactor preferred?

Much appreciated,
Rosalie

--
Rosalie Tolentino
Pure Energy
She/Her They/Them
Fingerprint: 55A0 392B C270 DEBD 6842 A1A7 682A BA98 875D 87B9
_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves