As a quick note, I think that the more significant aspect of Flori's work is that he appears to have code that can output efficiently verifiable certificates for curves with the wrong cofactor.<br><br>(I have tried to get the necessary output from PARI's SEA early-aborts, based on some code of Mike's, but have mainly succeeded in causing segfaults because of PARI's rather obtuse stack-based garbage collection.)<br><br>- David<br><div class="gmail_quote">On Fri, Jun 12, 2015 at 5:30 AM William Whyte <<a href="mailto:wwhyte@securityinnovation.com">wwhyte@securityinnovation.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"><a href="http://eprint.iacr.org/2014/832" target="_blank">http://eprint.iacr.org/2014/832</a></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Brian Smith [mailto:<a href="mailto:brian@briansmith.org" target="_blank">brian@briansmith.org</a>] <br><b>Sent:</b> Friday, June 12, 2015 5:28 AM<br><b>To:</b> William Whyte<br><b>Cc:</b> Michael Hamburg; Trevor Perrin; Watson Ladd; <a href="mailto:curves@moderncrypto.org" target="_blank">curves@moderncrypto.org</a></span></p></div></div><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><br><b>Subject:</b> Re: [curves] Review of NIST workshop</span></p></div></div><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span 
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""></span></p><p class="MsoNormal"> </p><div><div><p class="MsoNormal"> </p><div><p class="MsoNormal">On Thu, Jun 11, 2015 at 11:18 PM, William Whyte <<a href="mailto:wwhyte@securityinnovation.com" target="_blank">wwhyte@securityinnovation.com</a>> wrote:</p></div></div></div></div></div><div lang="EN-US" link="blue" vlink="purple"><div><div><div><div><div><p class="MsoNormal">There is also significant pressure from BSI against<br>ed25519, which doesn't directly affect the US OEMs but which does muddy the<br>waters about which curve actually is technically superior.</p></div></div></div></div></div></div><div lang="EN-US" link="blue" vlink="purple"><div><div><div><p class="MsoNormal"><br>Where can we read more about BSI's position regarding ed25519?</p></div></div></div></div><div lang="EN-US" link="blue" vlink="purple"><div><div><div></div><div><p class="MsoNormal"> </p></div><div><p class="MsoNormal">Thanks,</p></div><div><p class="MsoNormal">Brian</p></div></div></div></div>
</blockquote></div>