[curves] Curves Digest, Vol 5, Issue 1

Samuel Neves sneves at dei.uc.pt
Sat Feb 1 16:55:32 PST 2014

On 31-01-2014 09:59, Paulo S. L. M. Barreto wrote:
> On Thu, 30 Jan 2014 22:45:03 -0800 Robert Ransom wrote:
>> A true drop-in replacement for one of the NSA curves would be a
>> small-parameter Edwards curve over the same field, satisfying the
>> ?SafeCurves? criteria, with a=1 and non-square d, such that:
> This is impossible per se. Most NIST fields simply do not satisfy the
> SafeCurves criteria (this is pointed out in Mike Hamburg et al's Elligator
> paper wrt P-256).

Another wrinkle here is that the NIST curves have prime order, which
makes them naturally immune to small subgroup attacks (assuming
implementations are verifying points are on the curve). Replacing them
with cofactor >= 4 curves may have some unexpected results.

More information about the Curves mailing list