[curves] The Pareto frontiers of sleeveless primes

Ben Harris mail at bharr.is
Thu Oct 30 09:32:18 PDT 2014

There aren't many useful ones with low c then (I guess they'd already have
curves developed for them). 2^810-5 for the "now you are just being silly"
level, 2^216 - 2^108 - 1 for the "looks better on paper than 25519, and
probably strong enough", and 2^96 - 17 for the "hyperelliptic >80 criteria".

P.S. You've prepared lots of interesting stuff for Ed448, thanks. I'll try
and learn some more about ECC through a toy implementation of it in
[favourite language here].

On 31 October 2014 00:00, Mike Hamburg <mike at shiftleft.org> wrote:

> On 10/30/2014 06:58 AM, David Leon Gil wrote:
>> On Thu, Oct 30, 2014 at 12:44 AM, Ben Harris <mail at bharr.is> wrote:
>>> Are there recommended
>>> limits on the small 'c' in Crandall primes? This list is only up to 32,
>>> but
>>> many on the SafeCurves list are in the 100s.
>> It's purely a matter of speed.
>> I.e., large values of 'c' are all mainly due to targeting a specific
>> field-size, rather than a speed/security-optimal field size.
>> Most of the Crandalls in SafeCurves with large 'c' are due to Aranha
>> et al.: http://eprint.iacr.org/2013/647
> If you have more than log2 ((n-1)c + 1) + epsilon bits of headroom in
> your n limbs, then you can implement the multiplication and reduction all
> in one go without crossing limbs, and then do all the carry propagation.
> If you have 2 more bits on top of that, you have to propagate carries
> twice.
> So to maximize efficiency, you want limbs close to the word size and c
> small.
> -- Mike
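
An added example, not part of the thread or anyone's implementation: it checks the log2((n-1)c + 1) figure quoted above on the two primes of the form 2^k - c that the reply names, 2^96 - 17 and 2^810 - 5. It assumes uniform limb widths (3 x 32 bits and 15 x 54 bits, chosen here) and reads "headroom" as the spare bits in a double-width column accumulator; all function names are hypothetical.

```python
# Added example: column growth when multiplying mod p = 2^(n*bits) - c
# with the reduction folded into the schoolbook product (no carries yet).
from math import log2
import random

def mul_columns(a, b, c):
    """n-limb product with 2^(n*bits) = c (mod p) applied inline."""
    n = len(a)
    cols = [0] * n
    for i in range(n):
        for j in range(n):
            if i + j < n:
                cols[i + j] += a[i] * b[j]
            else:  # term wraps past 2^(n*bits): fold it back, scaled by c
                cols[i + j - n] += c * a[i] * b[j]
    return cols

def to_limbs(x, n, bits):
    mask = (1 << bits) - 1
    return [(x >> (bits * i)) & mask for i in range(n)]

def from_columns(cols, bits):
    return sum(col << (bits * i) for i, col in enumerate(cols))

def headroom_bits(n, c):
    """Bits the worst column needs beyond 2*bits: log2((n-1)c + 1)."""
    return log2((n - 1) * c + 1)

def check(n, bits, c, acc_bits, trials=200, seed=1):
    """Return (bit length of worst column, whether it fits in acc_bits)."""
    p = (1 << (n * bits)) - c
    rng = random.Random(seed)  # constructed random inputs
    for _ in range(trials):
        x, y = rng.randrange(p), rng.randrange(p)
        cols = mul_columns(to_limbs(x, n, bits), to_limbs(y, n, bits), c)
        assert from_columns(cols, bits) % p == (x * y) % p
    # Worst case: every limb all-ones. Column 0 then holds one direct
    # term plus (n-1) folded terms, i.e. ((n-1)c + 1) * (2^bits - 1)^2.
    top = [(1 << bits) - 1] * n
    worst = max(mul_columns(top, top, c))
    return worst.bit_length(), worst < (1 << acc_bits)

if __name__ == "__main__":
    for n, bits, c in [(3, 32, 17), (15, 54, 5)]:
        print(n, bits, c, round(headroom_bits(n, c), 2), check(n, bits, c, 128))
```

The limbs here are fully reduced on input; limbs left slightly oversized by lazy carrying need the extra margin the quoted reply calls epsilon.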