Generate Independent Elliptic Curve Generator Points with Unknown Discrete Logarithm

[qubits4all]

Generate Independent Elliptic Curve Generator Points with Unknown Discrete Logarithm

A number of cryptographic protocols require the ability to generate one or more independent elliptic curve generator points, for which no party knows the associated discrete logarithm including the party generating the ECC generator point. Additionally, as some protocols require a generator's construction to be deterministic and thus repeatable, a version of the provided ECC generator point construction algorithm should be provided where a chosen nonce can be provided (i.e., as opposed to being generated at random).

Applicability to Pedersen Commitments over Elliptic Curves

For example, Pedersen commitments over elliptic curves (ECC Pedersen commitments) require construction of a generator point that is independent of the elliptic curve's published generator G, and vector ECC Pedersen commitments require the generation of several such independent generator points.

• Crucially, the discrete logarithm(s) of the additional generator point(s), as used for (vector) Pedersen commitments, must not be known to any party including the party constructing the commitment.
• (Thereby, such a generator H cannot be calculated simply as H := k * G, for some integer k in [2, q-1], where q is the order of the elliptic curve's published generator G, as this would reveal the constructed generator H's discrete logarithm k to the party that constructed it.)

Acceptance Criteria

• Provide support for generating one or more independent elliptic curve generator points, for which no party knows the associated discrete logarithm.
• Support optionally specifying a particular nonce as input to this ECC generator point construction function, where this unique nonce will be used in place of a randomly-generated nonce value, in order to support the deterministic and thereby repeatable construction of independent generator points, as required by some cryptographic protocols.

Security Requirements

• Cofactor Elimination (Avoiding Small Subgroup Attacks): This mapping function must also incorporate cofactor elimination (i.e., so that any resulting generator point H has order q := o(G)), thereby ensuring H generates the elliptic curve's entire sub-group <G> (i.e., the sub-group generated by the curve's published generator point G).
  • Note: For elliptic curves with a cofactor h not equal to 1 (e.g., the Curve25519 & Curve448-Goldilocks curves used resp. by Ed25519 & Ed448 signatures, which have cofactors of 8 and 4, resp.), not performing co-factor elimination can result in a generated ECC curve point H of small order.

[qubits4all]

Completed as of PR #22, including support for Weierstrass elliptic curves with co-factor=1.

• Deferring support for co-factor elimination (i.e., for elliptic curves with co-factor not equal to 1).
• The functionality already code complete is sufficient for use with ECC Pedersen commitments (e.g., for NIST P-256, P-384 & P-521 curves).