On Tue, Mar 28, 2017 at 05:25:00PM -0700, Trevor Perrin wrote:
> Anyways, Henry suggested another way of dealing with the
> small-subgroup risk: Convert the scalar to a representative equivalent
> to the original scalar (mod subgroup order), but zero (mod cofactor).
> I could imagine that being useful in some protocols. But for
> hierarchical key derivation, where you're deriving a new scalar
> anyways, I'm not sure this has advantages versus multiplying by the
> cofactor?

My understanding is that in the HKD context, people want to view scalars as elements of Z/lZ so that they can do arithmetic on them. The point of a safe representative is that you're not really "converting" anything, you're just choosing a different representative of the same equivalence class. From the point of view of the basepoint and the subgroup, it's exactly the same scalar.

So the advantage is that you can view scalars as elements of Z/lZ, and then just choose a safe representative whenever you want to use one. This seems simpler than multiplying by the cofactor, which has to be done in Z, not Z/lZ, and therefore requires thinking about which operations are done modulo l and which aren't.

Henry

P.S.: To be clear, the idea wasn't just mine, it came from a discussion with Ian, Isis, and George -- although I can be held solely responsible for breaking the Reply headers (sorry!)

_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
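The following is an added worked example, not code from the thread or from any of its participants. It makes the "safe representative" idea concrete: for a scalar s viewed as an element of Z/lZ, pick the representative s' with s' ≡ s (mod l) and s' ≡ 0 (mod h) via the Chinese remainder theorem, then check on the curve that s' and s give the same point on the prime-order subgroup while s' annihilates every torsion point. The thread names no specific curve; the example assumes Ed25519 (subgroup order l, cofactor h = 8, parameters from RFC 8032) and uses a plain affine Edwards implementation plus a constructed sample scalar, both of which are assumptions of this example only.

```python
# Added example: CRT "safe representative" of a scalar, demonstrated on Ed25519.
# Curve parameters are the RFC 8032 Ed25519 constants (assumption: the thread
# does not name a curve). Affine arithmetic only; not constant-time, for teaching.

p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493   # prime subgroup order
h = 8                                                 # cofactor
d = (-121665 * pow(121666, p - 2, p)) % p             # twisted Edwards d, a = -1
I = pow(2, (p - 1) // 4, p)                           # sqrt(-1) mod p
IDENTITY = (0, 1)


def inv(x):
    return pow(x, p - 2, p)


def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0


def add(P, Q):
    """Twisted Edwards addition for a = -1 (unified formula, affine coords)."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * inv(1 + t) % p
    y3 = (y1 * y2 + x1 * x2) * inv(1 - t) % p
    return (x3, y3)


def mul(k, P):
    """Scalar multiplication k*P by double-and-add (k >= 0, as an integer)."""
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


def recover_x(y):
    """Return an x with (x, y) on the curve, or None if no such x exists."""
    x2 = (y * y - 1) * inv(d * y * y + 1) % p
    x = pow(x2, (p + 3) // 8, p)          # candidate root, p = 5 (mod 8)
    if (x * x - x2) % p != 0:
        x = x * I % p
    if (x * x - x2) % p != 0:
        return None
    return x


# Standard basepoint: y = 4/5, x the even root (RFC 8032 convention).
By = 4 * inv(5) % p
Bx = recover_x(By)
if Bx & 1:
    Bx = p - Bx
B = (Bx, By)


def safe_representative(s):
    """Return s' with s' = s (mod l) and s' = 0 (mod h), 0 <= s' < h*l.

    Because gcd(l, h) = 1, s' = s + k*l with k = -s * l^{-1} (mod h) is the
    unique such representative below h*l. It is the *same* element of Z/lZ,
    so every point of the prime-order subgroup sees the same scalar.
    """
    s %= l
    k = (-s * pow(l, -1, h)) % h
    return s + k * l


def find_torsion_point():
    """Find a non-identity point of order dividing h: T = l*P for a curve point P.

    The full group has order h*l, so l*P always lies in the torsion subgroup;
    walk small y values until one gives a curve point with non-trivial torsion.
    """
    for y in range(2, 1000):
        x = recover_x(y)
        if x is None:
            continue
        T = mul(l, (x, y))
        if T != IDENTITY:
            return T
    raise RuntimeError("no torsion point found")  # should never happen


def demo(s=123456789):
    """Compare a raw scalar, its safe representative, and cofactor multiplication.

    s is a constructed sample scalar for this example (odd, non-zero mod l).
    """
    s_safe = safe_representative(s)
    T = find_torsion_point()
    return {
        # Same element of Z/lZ, so identical action on the basepoint subgroup.
        "same_on_subgroup": mul(s, B) == mul(s_safe, B),
        # s' is a multiple of h, so it maps every torsion point to the identity.
        "kills_torsion": mul(s_safe, T) == IDENTITY,
        # The raw odd scalar does not: a torsion point leaks through.
        "raw_scalar_leaks": mul(s, T) != IDENTITY,
        # Multiplying by the cofactor (in Z) clears torsion too, but changes
        # the point on the subgroup, so it is no longer "the same scalar".
        "cofactor_changes_point": mul(h * s, B) != mul(s, B),
    }


if __name__ == "__main__":
    print(demo())
```

The contrast in `demo` is the point of Henry's argument: `safe_representative(s)` leaves the Z/lZ arithmetic untouched (any representative of the class gives the same subgroup point), whereas `h * s` is a different class mod l, so code using cofactor multiplication has to remember which values live in Z and which in Z/lZ.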