-
Hi Mario and others,
Congrats on the great ECVRF implementation!
I made an implementation in C using the secp256k1 curve as you can check [here](https://github.com/aergoio/secp256k1-vrf)
As …
-
Wanted to put out final thoughts on this (many from https://github.com/filecoin-project/specs/pull/390) ahead of making a PR (meta-note: I should have opened this issue back when these conversations w…
-
change prove to this:
```rust
// Step 5: nonce
let mut k = self.generate_nonce(&secret_key, &h_string)?;
// Deliberately offset the nonce by 3 to produce a different proof for the test
let mut k = &k + &BigNum::from_u32(3).unwrap();
```
gives the following tes…
nkbai updated 5 years ago
-
I want to implement a Pedersen Commitment based on curve25519. For Ristretto I can use `from_uniform_bytes` for the blinding factor base point (like you do in bulletproof) but I can't find such optio…
-
Are you tied to curve25519 for an RFC or could you switch to use the prime-order group based on curve25519, also implemented in curve25519-dalek, Ristretto255?
If yes: [you may want to use schnorrk…
-
Here is my proposal for adapting @trevp's "synthetic nonce" idea to our draft. This is based on @trevp's email here: https://moderncrypto.org/mail-archive/curves/2017/000925.html
I am simplifying the…
-
If we want to get rid of "trusted" in the "trusted uniqueness" for EC VRF, we can add some optional steps for the verifier, so that uniqueness can be assured even when key generation is not trusted.
…
-
Verifying says to fail "If gamma is not a valid EC point in G" but doesn't specify how to check if gamma in G (ECVRF_decode_proof will only check if gamma is on the curve, which is a superset of G if …
-
The curve may have more points than q, in which case G is not the whole curve, but only a subgroup of it. This is not the case for the NIST prime-field curves, but is for some other curves (e.g., 2551…
-
The draft says "this algorithm MUST NOT be used in applications where the VRF input alpha must be kept secret" because of possible timing attacks. However, timing attacks may not be possible in some s…