serai-dex / serai


Support promoting Ed25519 FrostKeys to Ristretto #73

Closed kayabaNerve closed 1 year ago

kayabaNerve commented 2 years ago

We should be able to re-encode Ed25519 verification shares (and the group key) into Ristretto points and move forward with a Ristretto FrostKeys, saving a key gen (and DLEq proofs, which I believe would also work).

https://github.com/dalek-cryptography/curve25519-dalek/issues/329 highlights why dalek doesn't support this, as Ristretto doesn't officially support this. While I believe it should be possible to do deterministically and successfully, even in an adversarial scheme, we would need to explicitly define which branch of the inverse square root to take.

If point promotion isn't viable, this falls back to #72, with the distinction that while DLEq of Ed25519 and Ristretto should be without issue, they do have separate types and accordingly need a new proof.

Marking untested as this idea may have pitfalls and we need to be cautious regarding its adoption, potentially falling back to just doing full keygens.

kayabaNerve commented 2 years ago

May be better to port Ristretto keys to Ed25519...

kayabaNerve commented 1 year ago

While possible, by specifying which square root, this isn't worth the complexity for us to support as we'd have no benefit.
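One way to carry out the re-encoding discussed in this thread, as an added example (not code from the Serai repository or from the commenters): the RFC 9496 ristretto255 encoding applied directly to a decoded Ed25519 point. It assumes the Ed25519 keys are torsion-free (in the prime-order subgroup); the helper names, the affine arithmetic and the torsion point `T4` are this example's own.

```python
P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P          # Edwards d for a = -1
SQRT_M1 = pow(2, (P - 1) // 4, P)             # sqrt(-1) mod P

def invsqrt(v):
    """RFC 9496 SQRT_RATIO_M1(1, v): always returns the nonnegative (even) root."""
    r = pow(v, 3, P) * pow(pow(v, 7, P), (P - 5) // 8, P) % P
    check = v * r * r % P
    if check in (P - 1, P - SQRT_M1): r = r * SQRT_M1 % P
    return P - r if r & 1 else r

INVSQRT_A_MINUS_D = invsqrt((-1 - D) % P)

def ed_decompress(b):
    """RFC 8032 decoding of a 32-byte Ed25519 point to affine (x, y)."""
    n = int.from_bytes(b, "little")
    y, sign = n % (1 << 255), n >> 255
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x = pow(u * pow(v, -1, P), (P + 3) // 8, P)
    if (v * x * x - u) % P: x = x * SQRT_M1 % P
    if (v * x * x - u) % P or (x == 0 and sign):
        raise ValueError("not an Ed25519 point")
    return (P - x if (x & 1) != sign else x, y)

def ed_add(p, q):
    """Affine twisted Edwards addition (a = -1)."""
    (x1, y1), (x2, y2) = p, q
    k = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow((1 + k) % P, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow((1 - k) % P, -1, P) % P)

def ristretto_encode(pt):
    """RFC 9496 Encode on an affine Edwards point (z0 = 1, t0 = x0*y0)."""
    x0, y0 = pt
    t0 = u2 = x0 * y0 % P
    u1 = (1 + y0) * (1 - y0) % P
    inv = invsqrt(u1 * u2 * u2 % P)
    den1, den2 = inv * u1 % P, inv * u2 % P
    z_inv = den1 * den2 * t0 % P
    x, y, den_inv = x0, y0, den2
    if (t0 * z_inv % P) & 1:                  # rotate by a 4-torsion point
        x, y = y0 * SQRT_M1 % P, x0 * SQRT_M1 % P
        den_inv = den1 * INVSQRT_A_MINUS_D % P
    if (x * z_inv % P) & 1: y = P - y
    s = den_inv * (1 - y) % P
    return (P - s if s & 1 else s).to_bytes(32, "little")

ED25519_BASEPOINT = ed_decompress(bytes.fromhex("58" + "66" * 31))  # y = 4/5
T4 = (SQRT_M1, 0)  # order-4 torsion point, named here for the example only
```

Points that differ only by 4-torsion encode to the same Ristretto element, so the mapping preserves a key only when every share and the group key are torsion-free.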