Generate Independent Elliptic Curve Generator Points with Unknown Discrete Logarithm
A number of cryptographic protocols require the ability to generate one or more independent elliptic curve generator points for which no party, including the party generating the point, knows the associated discrete logarithm. Additionally, because some protocols require a generator's construction to be deterministic and thus repeatable, the ECC generator point construction algorithm should also be available in a version that accepts a chosen nonce (i.e., as opposed to one generated at random).
Applicability to Pedersen Commitments over Elliptic Curves
For example, Pedersen commitments over elliptic curves (ECC Pedersen commitments) require construction of a generator point that is independent of the elliptic curve's published generator G, and vector ECC Pedersen commitments require the generation of several such independent generator points.
Crucially, the discrete logarithm(s) of the additional generator point(s), as used for (vector) Pedersen commitments, must not be known to any party, including the party constructing the commitment.
(Consequently, such a generator H cannot be calculated simply as H := k * G for some integer k in [2, q-1], where q is the order of the elliptic curve's published generator G, as this would reveal the constructed generator H's discrete logarithm k to the party that constructed it.)
Acceptance Criteria
Provide support for generating one or more independent elliptic curve generator points, for which no party knows the associated discrete logarithm.
Support optionally specifying a particular nonce as input to this ECC generator point construction function, where this unique nonce will be used in place of a randomly-generated nonce value, in order to support the deterministic and thereby repeatable construction of independent generator points, as required by some cryptographic protocols.
Security Requirements
Cofactor Elimination (Avoiding Small Subgroup Attacks): This mapping function must also incorporate cofactor elimination (i.e., so that any resulting generator point H has order q := o(G)), thereby ensuring H generates the elliptic curve's entire sub-group <G> (i.e., the sub-group generated by the curve's published generator point G).
Note: For elliptic curves with a cofactor h not equal to 1 (e.g., Curve25519 and Curve448-Goldilocks, used respectively by Ed25519 and Ed448 signatures, which have cofactors of 8 and 4 respectively), not performing cofactor elimination can result in a generated ECC curve point H of small order.
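One way to meet these requirements, as an added example that is not code from this issue or its project: a deterministic try-and-increment mapping from a nonce to an edwards25519 point, followed by multiplication by the cofactor 8. The choice of curve, SHA-512, the try-and-increment method, and the names derive_generator and the label string are assumptions made for illustration.

```python
import hashlib

# edwards25519 parameters (RFC 8032): field prime, curve constant d,
# prime subgroup order q = o(G), and cofactor h.
P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P
Q = 2**252 + 27742317777372353535851937790883648493
COFACTOR = 8
IDENTITY = (0, 1)

def add(a, b):
    """Affine twisted-Edwards addition on -x^2 + y^2 = 1 + d*x^2*y^2."""
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % P, -1, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P, -1, P) % P
    return (x3, y3)

def mul(k, pt):
    """Double-and-add; not constant time, acceptable here as all inputs are public."""
    acc = IDENTITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lift_y(y):
    """Return a curve point with this y-coordinate, or None if none exists."""
    u = (y * y - 1) * pow((D * y * y + 1) % P, -1, P) % P
    x = pow(u, (P + 3) // 8, P)           # square-root candidate, p = 5 mod 8
    if x * x % P != u:
        x = x * pow(2, (P - 1) // 4, P) % P  # multiply by sqrt(-1)
    return (x, y) if x * x % P == u else None

def derive_generator(nonce: bytes, label: bytes = b"example/indep-gen/v1"):
    """Map (label, nonce) to a point H of order q; nobody learns log_G(H)."""
    for ctr in range(256):
        h = hashlib.sha512(label + b"\x00" + nonce + bytes([ctr])).digest()
        cand = lift_y(int.from_bytes(h, "little") % P)
        if cand is None:
            continue                      # hash did not land on the curve
        H = mul(COFACTOR, cand)           # cofactor elimination
        if H != IDENTITY:                 # reject candidates of small order
            return H
    raise ValueError("no valid point found for this nonce")
```

Passing a fresh random nonce gives the randomized variant, and a fixed public nonce gives the repeatable one; for vector commitments, call it once per index with distinct nonces.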