The point is that cofactors are an issue. You can choose to rely on people to use a complicated protection, or else adopt a simpler setting.
But Decaf is a wire format. Unlike validation of uncompressed points, there's no need to rely on people to opt in: they're just protected.
Replying to @hdevalence @zmanian
You mean like Monero was "just protected"?
But... Decaf would've actually protected Monero from those attacks
So would a prime-order curve.
So the answer to "You mean like Monero was just protected?" is... no, Decaf provides the same protections as a prime-order curve
(correction to my tweet:) ... except that prime order is conceptually simpler and easier to use properly.
It's curious that the same arguments for using SafeCurves are now being applied for using "old curves" ;)
Replying to @conradoplg @bascule and
Only "old" in the sense of having prime order. Rigidity and transfers are new; efficient complete arithmetic is even newer than SafeCurves.
Replying to @pbarreto @conradoplg and
I saw the Microsoft NUMS work on complete and efficient Weierstrass formulas. Do you have a more recent citation?
The complete addition formulas cited in the NUMS work aren't specific to the NUMS curves. Also I've stumbled across newer work recently.