@sipa
Last active January 4, 2023 10:31
Covert ECDH over secp256k1
@earonesty

do this about 10 times:

- generate random 33 bytes, converting the first to 0x2 or 0x3 and then call secp256k1_ec_pubkey_parse on the compressed form
- keep the one that succeeds

seems to work ok... depending on your protocol and the security guarantee you need. in our case the only guarantee we need is on a remote observer operating on aggregate sets of thousands of keys ... which is a lot less worrisome than a local unprivileged observer!
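
The loop described in the comment above, as an added example that is not part of the original comment or the gist. It uses a pure-Python stand-in for the compressed-point validity check (the real `secp256k1_ec_pubkey_parse` is a libsecp256k1 C function and is not called here); all function names are hypothetical. About half of all x values lie on the curve, which `parse_rate` measures, so ten tries all fail with probability of about 2^-10.

```python
import secrets

# secp256k1 field prime; the curve is y^2 = x^3 + 7 over GF(P).
P = 2**256 - 2**32 - 977

def parse_compressed(buf):
    """Return (x, y) if buf is a valid 33-byte compressed point, else None.

    Pure-Python stand-in for the validity check a compressed-key parser
    has to make; it is not libsecp256k1 code.
    """
    if len(buf) != 33 or buf[0] not in (2, 3):
        return None
    x = int.from_bytes(buf[1:], "big")
    if x >= P:
        return None
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)   # square-root candidate, valid as P % 4 == 3
    if y * y % P != rhs:
        return None                  # x^3 + 7 is a non-residue: no such point
    if y & 1 != buf[0] & 1:
        y = P - y                    # pick the root whose parity matches the prefix
    return x, y

def random_parsable_key(tries=10, rand_bytes=secrets.token_bytes):
    """The comment's loop: random 33 bytes, force the prefix, keep a success."""
    for _ in range(tries):
        raw = bytearray(rand_bytes(33))
        raw[0] = 2 | (raw[0] & 1)    # first byte becomes 0x02 or 0x03
        if parse_compressed(bytes(raw)) is not None:
            return bytes(raw)
    return None                      # all tries failed, about 2**-tries

def parse_rate(samples, rand_bytes=secrets.token_bytes):
    """Fraction of random 32-byte strings that are valid x coordinates."""
    ok = sum(parse_compressed(b"\x02" + rand_bytes(32)) is not None
             for _ in range(samples))
    return ok / samples

if __name__ == "__main__":
    print(random_parsable_key().hex())
    print(parse_rate(2000))
```
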

@markblundeberg

Nice -- I was looking around to see if a covert ephemeral ECDH was possible and found this. It's unfortunate that such contortions need to be done to get a covert diffie hellman on secp256k1, and I guess that in the end, most protocol designers won't want to use such a scheme. Still, thanks very much for writing it up!
