For context, the goal is to get an unbiased random secret key (=scalar). The NIST-approved way to do this is rejection sampling as done here. A slightly biased key could be obtained by taking 32 random bytes and reducing modulo p. Alternative approaches would be to reduce a 64-byte hash such as SHA-512 (which has negligible bias), or more generally using an expanding function to get sufficiently many bytes to reduce. This latter approach, described in https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-14#section-5, has the advantage (over rejection sampling) of being constant time.
Could you please explain the variable p in the algorithm?
It seems to be used without further introduction.
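The three approaches compared in the post above, as an added example that is not part of the original issue or the project's code. It assumes the modulus is the NIST P-256 group order (the issue does not define `p`); the function names and the 128 extra bits in `wide_reduce` are illustrative choices.

```python
import math
import secrets
from fractions import Fraction

# Assumption: NIST P-256 group order stands in for the undefined modulus "p".
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def rejection_sample(n, rand_bytes=secrets.token_bytes):
    """Unbiased scalar in [1, n-1]: redraw until the candidate is in range.
    The number of draws varies, so the running time is not constant."""
    nbits = n.bit_length()
    nbytes = (nbits + 7) // 8
    while True:
        # Drop excess low bits so the candidate has at most nbits bits.
        k = int.from_bytes(rand_bytes(nbytes), "big") >> (8 * nbytes - nbits)
        if 1 <= k < n:
            return k


def naive_reduce(n, rand_bytes=secrets.token_bytes):
    """Slightly biased: exactly as many random bytes as n has, reduced mod n."""
    nbytes = (n.bit_length() + 7) // 8
    return int.from_bytes(rand_bytes(nbytes), "big") % n


def wide_reduce(n, extra_bits=128, rand_bytes=secrets.token_bytes):
    """Negligible bias, one draw: oversample by extra_bits, then reduce mod n.
    The result lies in [0, n-1]; zero occurs with probability about 1/n."""
    nbytes = (n.bit_length() + extra_bits + 7) // 8
    return int.from_bytes(rand_bytes(nbytes), "big") % n


def reduction_bias(n, input_bits):
    """Exact statistical distance from uniform of (x mod n) for x uniform
    in [0, 2**input_bits): r residues are hit one extra time each."""
    r = (1 << input_bits) % n
    return Fraction(r * (n - r), n << input_bits)


if __name__ == "__main__":
    for bits in (256, 384, 512):
        bias = reduction_bias(P256_N, bits)
        print(f"{bits}-bit input reduced mod n: bias ~ 2^{math.log2(bias):.1f}")
    print(hex(rejection_sample(P256_N)))
```
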