Gregory Maxwell

Results: 141 comments by Gregory Maxwell

23 only arose because in one of the layouts it was the maximum length that would fit without causing another compression function invocation. Anything over 16 bytes should be ample...

heh, would be good to know if a crazy permutation actually looked safer, we could still use it in libsecp256k1 even if it wouldn't be what we would specify as...

I'm fond of the architecture used by tcpcrypt-- the transport layer provides an ephemerally keyed connection and makes available a session ID to the application which will match on both...

uh. Come on, almost the entire file is copied, you even copied the comments verbatim -- https://github.com/jl777/SuperNET/blob/master/iguana/iguana_secp.c#L455

Petertodd PR #5 does an even better job, giving a way for people who don't have their own Google-signed messages from that time a way of verifying someone else's.

Interesting. I suppose better is better... though I think we're kinda shooting in the dark. We really need to have a good power analysis test setup to really know if...

I avoided stateless randomization in the initial implementation not just for performance reasons, but so that additional calls amplified uncertainty. Consider an attacker that can observe high resolution power traces...

Any thoughts about adding some kind of dying gasp so that if a node crashes or hits some fatal error the most recent unfiltered log can be saved?

@instagibbs I believe the only cases that should be slower with SFL are either very small examples (where their time is irrelevant because it's very low per tx compared to...

@sipa Though there may be other patterns which are a worst case even more worse than the particular lattice used for testing without those optimizations? If you've been searching for...