[curves] Curves Digest, Vol 5, Issue 1

Robert Ransom rransom.8774 at gmail.com
Fri Jan 31 02:12:12 PST 2014

On 1/31/14, Paulo S. L. M. Barreto <pbarreto at larc.usp.br> wrote:
> On Thu, 30 Jan 2014 22:45:03 -0800 Robert Ransom wrote:
>> A true drop-in replacement for one of the NSA curves would be a
>> small-parameter Edwards curve over the same field, satisfying the
>> ?SafeCurves? criteria, with a=1 and non-square d, such that:
> This is impossible per se. Most NIST fields simply do not satisfy the
> SafeCurves criteria (this is pointed out in Mike Hamburg et al's Elligator
> paper wrt P-256).

Good point.  I forgot that ‘indistinguishability’ was one of those
criteria.  I meant that as a shorthand for the other properties, which
affect security of implementations in all protocols, rather than
allowing use in new protocols which specifically require
steganographic embedding.

Though it's worth noting that the SafeCurves verification script
currently does not consider the field order when deciding whether a
curve supports ‘indistinguishability’.

Robert Ransom

More information about the Curves mailing list