[curves] Million Dollar Curve
thomas at sockpuppet.org
Wed Feb 24 10:35:25 PST 2016
One reason might be: because you like almost everything else about Curve25519 other than the specially chosen sparse prime, aren’t especially performance sensitive, and your application is cryptographically very conservative, so you’re willing to trade off performance for totally unstructured and “provably” random parameters.
Alyssa Rowan suggested on HN yesterday that a plausible (but weird) scenario for that would be that you’re reusing RSA hardware for your ECC stuff, want all the security benefits of Curve25519, but 2^255-19 might be leak-prone on that hardware.
(I am parroting some of this from a brief conversation with one of the paper authors, which set me off on a reading jag yesterday, and while I don’t find the argument especially persuasive, it at least makes sense to me now.)
On February 24, 2016 at 12:31:08 PM, Salz, Rich (rsalz at akamai.com) wrote:
> 2. Their paper doesn’t claim anything is wrong with 25519. They’re just proposing a random Edwards curve alternative to 25519
Which brings me back to the million-dollar question: why do I want this?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Curves