[curves] Curve448

Jason A. Donenfeld Jason at zx2c4.com
Tue Oct 20 06:41:59 PDT 2015

On Mon, Oct 19, 2015 at 10:59 PM, Michael Hamburg <mike at shiftleft.org>
> There isn’t any concern that Curve25519 might get broken, unless of course
> someone manages to build a quantum computer.  DJB’s security estimate still
> holds.

I presume, though, that the construction of a quantum computer would have
catastrophic effects on pretty much all crypto primitives, independent of
the bit size, except those designed to be post-quantum secure (such as the
ideal lattice crypto I've seen discussed recently).

I don’t expect that the 448 prime would resist future attacks any better
> than 2^255-19, except by being larger.

Alright so it's just a time trade-off situation: if computers get faster,
or a faster-than-brute-force method is developed, low bit sizes could be
compromised. DES->3DES story, among others. I've read places that
Curve25519 is "equivalent to 3072bit RSA", whatever that means. But
considering 2048bit RSA is still considered very much acceptable, this
alleged "3072bit" number still offers some margin. On the other hand, the
scope of hypothetical future attacks is boundless.

So how does one make a decision here? How does one *choose* and *act* based
on hypotheticals? I am a mere programmer, not an army general or a
politician, and am thus entirely unable to reason on that basis.

Single file implementation at

WOW! Awesome Mike -- that was so ridiculously fast. Thank you. I will
definitely play around with this.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20151020/a9e99355/attachment.html>

More information about the Curves mailing list