The great debate over point formats (Mike Hamburg)

Paulo S. L. M. Barreto pbarreto at larc.usp.br
Sun Feb 2 11:55:58 PST 2014

On Sun, February 2, 2014 16:10, Mike Hamburg wrote:
> Furthermore, P-384 is pretty ugly -- it's a non-64-bit-aligned pentanomial --
> and I don't think it makes sense to use that field unless we want some sort of
> compatibility.

I wonder where this baffling "ugliness" trend originated. It is clearly
impossible to make everybody happy. Some will find non-NIST fields "ugly"
because of compatibility concerns, some others will find NIST fields "ugly"
because they are outdated, and so on. Someone might well find all
non-trinomials (e.g. 2^255 - 2^4 - 2^1 - 1) "ugly," someone else might find
all polynomials whose exponents are not all multiples of 64 (e.g. 2^255 - 2^4
- 2^1 - 1) "ugly," and yet someone else might find non-128-bit aligned
trinomials or pentanomials (e.g. 2^448 - 2^224 - 1) "ugly," without end (this
list is clearly far from exhaustive). Tell me about Greeks and Trojans...

> I agree that there are serious concerns about any compatibility strategy.
> "Nobody pours new wine into old wineskins," such a compatible design would
> have most of the problems of both new and old.

This is utterly impossible to solve. NIST primes are old. They were designed
with 32-bit processors in mind. If we focus on 64 bits, or even on 128 bits,
we'll soon enough have people complaining "why didn't those short-sighted guys
choose 256-bit aligned polynomials?"


