[curves] The great debate over point formats (Mike Hamburg)

Watson Ladd watsonbladd at gmail.com
Thu Feb 20 12:52:55 PST 2014

On Thu, Feb 20, 2014 at 12:19 PM, Samuel Neves <sneves at dei.uc.pt> wrote:
> On 02-02-2014 21:52, Michael Hamburg wrote:
>> I was referring to the Weierstrass form with this comment, not the prime shape.  I agree with Robert and Watson from a few posts ago (and, it seems, with you) that it’s dangerous to try to reuse Weierstrass implementations with new curves, because they’ll have the problems of the old ones (incomplete formulas) and the new (cofactors), and possibly worse ones from the combination (cofactors leading to corner cases).
> The recent report by Bos et al [1] might be helpful here to get actual
> drop-in replacements to the NIST curves. The reported speeds of the
> proposed Weierstrass curves are not so bad in comparison with Edwards,
> although those cycle counts are still rather high compared to the
> current state of the art.

Changing prime shapes is going to get a small, architecture dependent
improvement. OpenSSL has recently been patched by Shay Gurion and Adam
Langley to get major improvements to P256 performance. This has to be
weighed against the cost of a new curve: new code, configuration pain,
and you can't get rid of the old one.

The big win for Edwards is correctness. Efficiency is the icing on the
cake, but it's pretty tasty icing.

Watson Ladd
> [1] https://research.microsoft.com/apps/pubs/default.aspx?id=209303
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

More information about the Curves mailing list