On Mon, May 26, 2014 at 04:34:55PM +0200, Johannes Merkle wrote:
> I guess this is because X-only for Weierstrass is expensive,
> thus either uncompressed points are transmitted, in which
> case checking the validity of the point is cheap, or points
> are uncompressed, which implicitly verifies the validity.
Yes, X-only for Weierstrass is expensive. And the point was: even with point compression, in general you need to check if the square root actually exists (which has a cost of 1 squaring mod p).

Yes, there are special cases where you don't have to check, e.g., all of:

- Weierstrass.
- p=4k+3, and using the usual a^((p+1)/4) mod p square root.
- The curve is twist-secure.

And breaking any of those can lead into trouble:

- With non-Weierstrass forms, invalid points can lead to who knows what.
- One of the p=8k+5 square roots yields 0 on blind application to a QNR about half of the time.
- One can solve ECDLOG in the twist of Brainpool256t1 pretty easily.

-Ilari

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
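The two failure modes Ilari lists (the p=4k+3 root landing off-curve and the p=8k+5 root returning 0 on a non-residue) can be seen directly by enumerating every x on a small curve. The example below is added here and is not code from the thread or from any library; the primes 23 (4k+3) and 13 (8k+5) and the toy curve y^2 = x^3 + x + 1 over each are assumptions chosen so that every x can be tried, and no real curve parameters are claimed. It also shows the point that ties the conditions together: for p=4k+3, the unchecked root of a non-residue f(x) satisfies y^2 = -f(x), and since -1 is a non-residue for such p, that is a point on the quadratic twist, which is why twist security is required when the check is skipped.

```python
# Added example (not from the original thread): why decompressing a point
# needs the "does the square root exist" check, on toy short-Weierstrass
# curves y^2 = x^3 + A*x + B over F_p.  The primes and curves below are
# assumptions chosen small enough to enumerate every x; no real curve
# parameters are claimed.

def sqrt_3mod4(a, p):
    """Candidate square root for p = 4k+3: a^((p+1)/4) mod p.
    Correct only when a is a quadratic residue (or 0); on a non-residue
    it returns r with r^2 = -a instead."""
    assert p % 4 == 3
    return pow(a % p, (p + 1) // 4, p)


def sqrt_5mod8(a, p):
    """Candidate square root for p = 8k+5 (Atkin's method).
    Correct for residues; on a non-residue it returns 0 for exactly half
    of them and a wrong non-zero value for the other half."""
    assert p % 8 == 5
    a %= p
    v = pow(2 * a, (p - 5) // 8, p)
    i = (2 * a * v * v) % p
    return (a * v * (i - 1)) % p


def candidate_sqrt(a, p):
    if p % 4 == 3:
        return sqrt_3mod4(a, p)
    if p % 8 == 5:
        return sqrt_5mod8(a, p)
    raise ValueError("only p = 4k+3 and p = 8k+5 are handled here")


def rhs(x, curve):
    p, A, B = curve
    return (x * x * x + A * x + B) % p


def decompress(x, y_parity, curve, check=True):
    """Recover (x, y) from x and the parity of y.  With check=True the
    single extra squaring rejects x values that are not on the curve;
    with check=False (the blind variant) garbage is returned instead."""
    p, _, _ = curve
    f = rhs(x, curve)
    y = candidate_sqrt(f, p)
    if check and (y * y) % p != f:
        return None                      # no such point on this curve
    if (y & 1) != y_parity:
        y = (p - y) % p
    return (x, y)


def on_curve(point, curve):
    p, _, _ = curve
    x, y = point
    return (y * y) % p == rhs(x, curve)


def count_off_curve(curve, check):
    """How many (x, parity) inputs decompress to a point that is not on
    the curve.  Must be 0 when check=True."""
    p, _, _ = curve
    bad = 0
    for x in range(p):
        for parity in (0, 1):
            pt = decompress(x, parity, curve, check=check)
            if pt is not None and not on_curve(pt, curve):
                bad += 1
    return bad


def unchecked_lands_on_twist(curve):
    """For p = 4k+3, every blind decompression of an invalid x satisfies
    y^2 = -f(x).  Since -1 is a non-residue for such p, that is a point
    on the quadratic twist, which is exactly why the twist must be secure."""
    p, _, _ = curve
    assert p % 4 == 3
    for x in range(p):
        f = rhs(x, curve)
        if decompress(x, 0, curve, check=True) is None:
            _, y = decompress(x, 0, curve, check=False)
            if (y * y) % p != (-f) % p:
                return False
    return True


def zero_roots_on_nonresidues(p):
    """(zeros, non_residues): how often sqrt_5mod8 returns 0 on a QNR."""
    assert p % 8 == 5
    zeros = total = 0
    for a in range(1, p):
        if pow(a, (p - 1) // 2, p) != 1:   # Euler criterion: a is a QNR
            total += 1
            if sqrt_5mod8(a, p) == 0:
                zeros += 1
    return zeros, total


# Toy curves (constructed for the example): y^2 = x^3 + x + 1 over F_23
# (23 = 4*5+3) and over F_13 (13 = 8*1+5).  Both are non-singular.
CURVE_23 = (23, 1, 1)
CURVE_13 = (13, 1, 1)

if __name__ == "__main__":
    for c in (CURVE_23, CURVE_13):
        print(c, "checked off-curve:", count_off_curve(c, True),
              "blind off-curve:", count_off_curve(c, False))
    print("blind results on twist (p=23):", unchecked_lands_on_twist(CURVE_23))
    print("zero roots on QNRs (p=13):", zero_roots_on_nonresidues(13))
```

The check is one squaring and one comparison, exactly the cost Ilari quotes; dropping it turns an x that is on no point of the curve into a point on the twist (p=4k+3) or into (x, 0) or another off-curve value (p=8k+5), and whatever scalar multiplication happens next runs on that object instead of on the intended group.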