On Thu, Jun 1, 2017 at 3:27 AM, Tony Arcieri <basc...@gmail.com> wrote:
>
> It seems like Decaf provides a strategic mitigation for these sorts of
> attacks, as opposed to the
> always-multiply-by-the-cofactor-and-check-for-identity tactical response
> suggested by Monero's developers:
>
> https://getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html

A small point: that link doesn't suggest to
multiply-by-cofactor-and-check-for-identity.

It suggests multiplying by *SUBGROUP ORDER* and rejecting if *NOT*
identity, which is different.

(Multiplying the key image by cofactor might be a different fix).

Otherwise good questions, I'm curious about people's thoughts too.


Trevor
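An added illustration of the check Trevor describes (this code is not from the thread or from Monero): a minimal pure-Python Ed25519 model in affine coordinates, where a key image is accepted only if multiplying it by the subgroup order l gives the identity. The "honest" and "tampered" key images are constructed sample values; the tampered one passes an on-curve check but fails the subgroup-order check.

```python
# Minimal Ed25519 model (affine, not constant-time, for illustration only).
p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493  # order of the prime-order subgroup
d = (-121665 * pow(121666, p - 2, p)) % p
IDENTITY = (0, 1)  # neutral element of -x^2 + y^2 = 1 + d*x^2*y^2

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

def add(P, Q):
    # Complete twisted Edwards addition (a = -1); also used for doubling.
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p)
    return (x3 % p, y3 % p)

def mul(k, P):
    # Double-and-add scalar multiplication.
    R = IDENTITY
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def recover_x(y):
    # x^2 = (y^2 - 1) / (d*y^2 + 1); square root as in RFC 8032, even x chosen.
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    return p - x if x & 1 else x

Gy = 4 * pow(5, p - 2, p) % p
G = (recover_x(Gy), Gy)                 # standard base point, order l
T4 = (pow(2, (p - 1) // 4, p), 0)       # small-subgroup point of order 4 (x = sqrt(-1), y = 0)

def key_image_is_valid(I):
    # The disclosure's check: reject I unless l*I is the identity.
    return on_curve(I) and mul(l, I) == IDENTITY

# Constructed samples: an honest key image lies in the prime-order subgroup;
# the tampered one is the same point with a small-subgroup component added.
honest = mul(123456789, G)
tampered = add(honest, T4)
```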
_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves