plume-sig / zk-nullifier-sig

Implementation of PLUME: nullifier friendly signature scheme on ECDSA
MIT License
128 stars 22 forks

`ProjectivePoint` should be avoided in interfaces #86

Closed skaunov closed 3 months ago

skaunov commented 5 months ago

As it's known to be leaking some information. At least it was being used for the input on verification.

Divide-By-0 commented 5 months ago

Can you help me understand what information it leaks?

skaunov commented 5 months ago

Generally implementations offer no guarantees $z$ doesn't carry information about the scalar after multiplication, so we usually avoid bringing it over the boundary. Hence it's really not even expected by a downstream developer.

0xbok commented 2 months ago

@skaunov @Divide-By-0 i'm curious to know more about this:

> Generally implementations offer no guarantees $z$ doesn't carry information about the scalar after multiplication, so we usually avoid bringing it over the boundary. Hence it's really not even expected by a downstream developer.

How does using a projective point make it possible to carry information about the scalar?

skaunov commented 2 months ago

@0xbok, it's like $z$ depends on the number of group operations the point has undergone. I can find a link for you for more details.
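Added example (not code from the PLUME repository or its authors) illustrating the point above: a standard projective implementation on secp256k1 where the same group element, computed along two different chains of doublings and additions, yields equal affine coordinates but different $Z$, which is why an interface should accept and return affine (or encoded) points only. The curve constants are secp256k1's; the function names and the demo scalar are constructed here.

```python
# Added example, not code from the PLUME repository: standard projective points
# (X:Y:Z), x = X/Z, y = Y/Z, on secp256k1. Z records the chain of doublings and
# additions that produced a point, so normalise to affine before crossing an API.
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8, 1)
INF = (0, 1, 0)  # point at infinity: any triple with Z = 0

def dbl(p):
    X, Y, Z = p
    if Z == 0 or Y == 0:
        return INF
    w = (A * Z * Z + 3 * X * X) % P
    s = Y * Z % P
    b = X * Y * s % P
    h = (w * w - 8 * b) % P
    return (2 * h * s % P, (w * (4 * b - h) - 8 * Y * Y * s * s) % P, 8 * s**3 % P)

def add(p, q):
    if p[2] == 0: return q
    if q[2] == 0: return p
    (X1, Y1, Z1), (X2, Y2, Z2) = p, q
    u = (Y2 * Z1 - Y1 * Z2) % P
    v = (X2 * Z1 - X1 * Z2) % P
    if v == 0:  # same x: the same point (double) or inverses (infinity)
        return dbl(p) if u == 0 else INF
    a = (u * u * Z1 * Z2 - v**3 - 2 * v * v * X1 * Z2) % P
    return (v * a % P, (u * (v * v * X1 * Z2 - a) - v**3 * Y1 * Z2) % P, v**3 * Z1 * Z2 % P)

def mul(k, p=G):  # left-to-right double-and-add: dbl/add pattern follows the bits of k
    r = INF
    for bit in bin(k)[2:]:
        r = dbl(r)
        if bit == "1":
            r = add(r, p)
    return r

def to_affine(p):
    inv = pow(p[2], -1, P)  # the canonical form to hand across an interface
    return (p[0] * inv % P, p[1] * inv % P)

def on_curve(xy):
    return (xy[1] ** 2 - (xy[0] ** 3 + A * xy[0] + B)) % P == 0

def z_leak(k=8):
    """Same group element via two operation chains: affine equal, Z coordinates not."""
    by_bits = mul(k)                    # k = 8: one add, then three doublings
    by_chain = add(mul(k - 2), mul(2))  # (k-2)*G + 2G: a different operation sequence
    return to_affine(by_bits) == to_affine(by_chain), by_bits[2] == by_chain[2]
```

Comparing raw triples would even make two honest computations of the same point disagree, so equality checks, hashing and serialisation should all run on the affine form.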

0xbok commented 1 month ago

@skaunov isn't the projective point format just another way to write an (x,y) coordinate? It just avoids the introduction of a new notation for the point at infinity. IIUC there is a 1:1 invertible mapping between these two formats.

0xbok commented 1 month ago

ok, found this: https://www.iacr.org/archive/eurocrypt2004/30270258/projective.pdf. Will go through this at some point.