Score:1

Secure permutation of $E(\mathbb{F}_q)$ as a set for an elliptic curve $E$ over a finite field $\mathbb{F}_q$

id flag

Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$. For simplicity, let the group $E(\mathbb{F}_q)$ be of prime order.

Assume that I know how to construct an efficiently computable permutation of $E(\mathbb{F}_q)$ as a set, that is, just a bijective map $\phi: E(\mathbb{F}_q) \to E(\mathbb{F}_q)$ rather than a group homomorphism. Moreover, $\phi$ satisfies the property that for every non-zero point $P \in E(\mathbb{F}_q)$ nobody knows the discrete logarithm $\log_{\phi(P)}(P)$. Finally, $\phi$ is supposed to be different from the translation map $P \mapsto P + P_0$ with respect to a fixed point $P_0 \in E(\mathbb{F}_q)$.

I encounter the given primitive in CryptoNote white paper (page 17) and in Monero documentation in their signature deployed on the curve Ed25519.

Do you know other cryptographic protocols in which the permutation $\phi$ is used ? What other properties must $\phi$ have to be secure ? Is there a technology, which applies $\phi$ on an elliptic curve of $j$-invariant $0$ ?

Thank you in advance for an answer!

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.