-
rbrunner: Somebody on Reddit asked an interesting question about the review of the CryptoNote protocol, this one here: downloads.getmonero.org/whitepaper_review.pdf
-
rbrunner: They refer to this sentence at the start of chapter 3, "Problems with the protocol":
-
rbrunner: "my single biggest question after reading the entire paper is the 'how did they choose their elliptic curve constants?' The protocol appears sound; who chose the constants? Will there be a plan for choosing new constants in the future if needed?"
-
rbrunner: What are those "constants" mentioned here?
-
rbrunner: I see that Tevador answered that question: old.reddit.com/r/Monero/comments/yr…tonote_white_paper_question/ivy0481
-
rbrunner: I wonder a bit why Surae Noether would distrust Curve25519 quite in general.
-
rbrunner: Or, more exactly, Ed25519.
-
monerobull[m]: Isn't an elliptic curve just a set of numbers? No way to mess with that, right?
-
monerobull[m]: Or can you define one that is somehow backdoored?
-
merope: The latter. See for example: en.wikipedia.org/wiki/Dual_EC_DRBG
-
monerobull[m]: ._.
-
DataHoarder: do note some of the "higher level" operations are implemented differently than in the Ed25519 scheme, but the low level operations (add/multiply/subtract etc.) are the same
-
rbrunner: DataHoarder: Thanks. That CryptoNote paper review really gave the impression, at least to someone not "in the know", that there must be more to it than simply those very fundamental curve parameters.
-
rbrunner: Something that the CryptoNote devs themselves decided and defined. Good to know it ain't so. No FUD :)
-
DataHoarder: they were picked in a way that makes sense, nothing up your sleeve, also not at random
-
rbrunner: If you don't trust Bernstein, I guess you can lie down and prepare to die.
-
DataHoarder: (and yes, not by cryptonote, plz also use curve/ed25519 where possible, for example, wireguard, ssh keys, DNSSEC keys, etc.)
-
DataHoarder: tor also uses them, that's what the "onion address" is as well btw