Closed: skaunov closed this issue 3 months ago
Can you help me understand what information it leaks?
Generally implementations offer no guarantees that $z$ doesn't carry information about the scalar after multiplication, so we usually avoid bringing it over the boundary. Hence it's really not even expected by a downstream developer.
@skaunov @Divide-By-0 I'm curious to know more about this:

> Generally implementations offer no guarantees that $z$ doesn't carry information about the scalar after multiplication, so we usually avoid bringing it over the boundary. Hence it's really not even expected by a downstream developer.
How does using a projective point make it possible to carry information about the scalar?
@0xbok, it's like $z$ depends on the number of group operations the point has undergone. I can find a link for you for more details.
@skaunov isn't the projective point format just another way to write an (x,y) coordinate? It just avoids the introduction of a new notation for the point at infinity. IIUC there is a 1:1 invertible mapping between these two formats.
OK, found this: https://www.iacr.org/archive/eurocrypt2004/30270258/projective.pdf. Will go through this at some point.
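Added worked example (my own code, not from this issue thread, the project, or the linked paper). It runs a Jacobian-coordinate double-and-add on the textbook curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) of prime order 19 (constructed toy parameters) and makes two points from the discussion concrete. First, the affine-to-projective direction is indeed injective, but the way back is many-to-one: `rescale` produces a different (X : Y : Z) for the same (x, y), so Z is extra state that the affine point does not determine. Second, with the standard Z updates (Z3 = 2*Y1*Z1 for doubling, Z3 = Z1*H for mixed addition) the final Z of [k]P is a deterministic function of the bit sequence of k, and someone who receives Z can test hypotheses about the last scalar bit with a residuosity check. That check (`consistent_last_bits`) is my construction from those two formulas, meant to illustrate the kind of leak the linked Eurocrypt 2004 paper analyses, not a reproduction of its attack; the names `jac_mul`, `consistent_last_bits`, `survey` and so on are assumptions of this example.

```python
from math import gcd

# Constructed toy setting: the textbook curve y^2 = x^3 + 2x + 2 over F_17 with
# base point (5, 1) of prime order 19 (no 2-torsion, so every point has exactly
# one "half"); ORDER is public knowledge, as it would be for a real curve.
P_MOD, A, BASE, ORDER = 17, 2, (5, 1), 19

def inv(v):
    return pow(v % P_MOD, -1, P_MOD)

# Affine reference arithmetic; None is the point at infinity.
def aff_add(p, q):
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                      # P + (-P)
    lam = (3 * x1 * x1 + A) * inv(2 * y1) if p == q else (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def aff_mul(k, p):
    r = None
    for bit in bin(k)[2:]:
        r = aff_add(r, r)
        if bit == "1":
            r = aff_add(r, p)
    return r

# Jacobian arithmetic: (X : Y : Z) stands for the affine point (X/Z^2, Y/Z^3).
def jac_double(pt):
    X1, Y1, Z1 = pt
    S = 4 * X1 * Y1 * Y1 % P_MOD
    M = (3 * X1 * X1 + A * pow(Z1, 4, P_MOD)) % P_MOD
    X3 = (M * M - 2 * S) % P_MOD
    Y3 = (M * (S - X3) - 8 * pow(Y1, 4, P_MOD)) % P_MOD
    Z3 = 2 * Y1 * Z1 % P_MOD                 # equals 2 * y1 * Z1^4
    return (X3, Y3, Z3)

def jac_add_affine(pt, q):
    """Mixed addition of an affine point q (Z = 1) to a Jacobian point."""
    X1, Y1, Z1 = pt
    U2, S2 = q[0] * Z1 * Z1 % P_MOD, q[1] * pow(Z1, 3, P_MOD) % P_MOD
    H, r = (U2 - X1) % P_MOD, (S2 - Y1) % P_MOD
    if H == 0:                                # same x: doubling or infinity
        return jac_double(pt) if r == 0 else (1, 1, 0)
    H2, H3 = H * H % P_MOD, pow(H, 3, P_MOD)
    X3 = (r * r - H3 - 2 * X1 * H2) % P_MOD
    Y3 = (r * (X1 * H2 - X3) - Y1 * H3) % P_MOD
    Z3 = Z1 * H % P_MOD                      # equals Z1^3 * (x2 - x1)
    return (X3, Y3, Z3)

def jac_mul(k, p):
    """Left-to-right double-and-add, 1 <= k < ORDER. p enters with Z = 1, so
    the final Z is a fixed function of the bit pattern of k."""
    r = (p[0], p[1], 1)
    for bit in bin(k)[3:]:                    # skip '0b' and the leading 1
        r = jac_double(r)
        if bit == "1":
            r = jac_add_affine(r, p)
    return r

def to_affine(pt):
    X, Y, Z = pt
    if Z == 0:
        return None
    zi = inv(Z)
    return (X * zi * zi % P_MOD, Y * pow(zi, 3, P_MOD) % P_MOD)

def rescale(pt, lam):
    """A different representative of the same affine point (many-to-one map)."""
    X, Y, Z = pt
    return (X * lam * lam % P_MOD, Y * pow(lam, 3, P_MOD) % P_MOD, Z * lam % P_MOD)

def is_nth_power(v, m):
    """v != 0 is an m-th power in F_p^* iff v^((p-1)/gcd(m, p-1)) == 1."""
    return pow(v % P_MOD, (P_MOD - 1) // gcd(m, P_MOD - 1), P_MOD) == 1

def consistent_last_bits(q_jac, p=BASE):
    """Last-bit hypotheses consistent with the leaked Z; the checker sees only
    the projective output plus the public base point and group order."""
    q, Z, ok = to_affine(q_jac), q_jac[2], set()
    # Bit 0: last step doubled R with 2R = Q, so Z = 2*y_R*Z_R^4, i.e.
    # Z/(2*y_R) is a fourth power. R = [1/2 mod ORDER]Q is computable in affine.
    R = aff_mul(pow(2, -1, ORDER), q)
    if R is not None and R[1] != 0 and is_nth_power(Z * inv(2 * R[1]), 4):
        ok.add(0)
    # Bit 1: last step added P to R = Q - P, so Z = Z_R^3*(x_P - x_R), i.e.
    # Z/(x_P - x_R) is a cube (vacuous over F_17, where every element is a cube).
    R = aff_add(q, (p[0], -p[1] % P_MOD))
    if R is not None and R[0] != p[0] and is_nth_power(Z * inv(p[0] - R[0]), 3):
        ok.add(1)
    return ok

def survey():
    """k -> (true last bit, consistent bits). The true bit is always present;
    the wrong one is refuted for some k, and that difference is the leak."""
    return {k: (k & 1, consistent_last_bits(jac_mul(k, BASE))) for k in range(2, ORDER)}
```

Running `survey()` shows the asymmetry: the true last bit is never refuted, while the wrong one is refuted for a fraction of the scalars (over F_17, where 17 = 1 mod 4, a non-fourth-power Z/(2*y_R) rules out "last bit 0" as it does for k = 3). Over a prime with p = 1 mod 3 the cube test on the addition hypothesis becomes informative as well, and the same idea extends backwards through earlier steps, which is why the thread treats Z as something that must not cross an API boundary. The two usual mitigations are to convert to affine before returning (what the thread describes) or to multiply the output by a random lambda as `rescale` does, so the caller receives a representative unrelated to the addition chain.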
As it's known to be leaking some information. At least it was being used for the input on verification.