[curves] The Pareto frontiers of sleeveless primes

David Leon Gil coruus at gmail.com
Thu Oct 30 07:00:08 PDT 2014

(Just as a note, my goal is to come up with a decent quantification of
how rigid "rigid curves" are; if anyone is looking to *implement* a
new finite field, they should read Mike's, djb's, and Robert Ransom's
mails on efficient implementations.)

The upshot: << 2^4 good primes in the 192-to-256-bit DLP security
strength range.

On Mon, Oct 27, 2014 at 2:57 AM, Mike Hamburg <mike at shiftleft.org> wrote:
> Right.  In my try, I had calculated it by multiplication not requiring
> internal carry propagation, which depends on c as well as nail length.

I'll try to implement your suggested cost function. Thank you very
much for all the details!

> Why n-3?

Ah, I wasn't really thinking at all at the time. (Was thinking about
private scalars a la Curve25519 with clamped bits.)

It should just be n, I think? (Assuming that some variant on your
sign-recovery trick is used.)
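The clamped private scalars mentioned above, as an added example that is not part of the original message or of any implementation the thread refers to: it applies the Curve25519 scalar clamping from RFC 7748 (clear the low three bits, clear bit 255, set bit 254) and counts how many of the 256 input bits remain free afterwards. The function names and the sample inputs are this example's own.

```python
# Curve25519 scalar clamping (RFC 7748, decodeScalar25519) and a count of
# the bits that clamping leaves free. Added example; names are assumed.

def clamp_scalar_25519(k: bytes) -> int:
    """Clamp a 32-byte little-endian private key exactly as RFC 7748 does."""
    if len(k) != 32:
        raise ValueError("Curve25519 private scalars are 32 bytes")
    buf = bytearray(k)
    buf[0] &= 248      # clear the low 3 bits: scalar becomes a multiple of 8 (the cofactor)
    buf[31] &= 127     # clear bit 255
    buf[31] |= 64      # set bit 254: scalar always lies in [2^254, 2^255)
    return int.from_bytes(buf, "little")


def free_bit_positions_25519() -> list:
    """Bit positions of a 256-bit input that clamping does not fix.

    Derived by clamping two constructed inputs, all-zero and all-ones, and
    keeping the positions where the two clamped results differ.
    """
    lo = clamp_scalar_25519(bytes(32))          # constructed: all zero bytes
    hi = clamp_scalar_25519(bytes([0xFF] * 32))  # constructed: all 0xFF bytes
    diff = lo ^ hi
    return [i for i in range(256) if (diff >> i) & 1]


def clamped_scalar_summary(k: bytes) -> dict:
    """Facts about a clamped scalar that a reviewer would want to check."""
    s = clamp_scalar_25519(k)
    return {
        "multiple_of_8": s % 8 == 0,
        "bit254_set": (s >> 254) & 1 == 1,
        "bit255_clear": (s >> 255) & 1 == 0,
        "bit_length": s.bit_length(),
    }


if __name__ == "__main__":
    free = free_bit_positions_25519()
    print("free bits:", len(free), "positions", free[0], "..", free[-1])
    print(clamped_scalar_summary(bytes(range(32))))  # constructed sample key
```

Running it shows that clamping fixes five of the 256 input bits (three at the bottom, two at the top), so 251 bits of the scalar remain free while the clamped value is always a multiple of the cofactor and always has bit length 255.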
