<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">I actually have code for this based on PARI’s early aborts, and I used it to generate a cert for Ed448-Goldilocks that it uses the smallest d.  But my cert generation code is a huge mess.  Hopefully Jean-Pierre Flori’s work is cleaner.</div><br class=""><div><blockquote type="cite" class=""><div class="">On Jun 12, 2015, at 9:53 AM, David Leon Gil <<a href="mailto:coruus@gmail.com" class="">coruus@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">As a quick note, I think that the more significant aspect of Flori's work is that he appears to have code that can output efficiently verifiable certificates for curves with the wrong cofactor.<br class=""><br class="">(I have tried to get the necessary output from PARI's SEA early-aborts, based on some code of Mike's, but have mainly succeeded in causing segfaults because of PARI's rather obtuse stack-based garbage collection.)<br class=""><br class="">- David<br class=""><div class="gmail_quote">On Fri, Jun 12, 2015 at 5:30 AM William Whyte <<a href="mailto:wwhyte@securityinnovation.com" class="">wwhyte@securityinnovation.com</a>> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple" class=""><div class=""><p class="MsoNormal"><span style="font-size: 10pt; font-family: 'Courier New';" class=""><a href="http://eprint.iacr.org/2014/832" target="_blank" class="">http://eprint.iacr.org/2014/832</a></span></p><div class=""><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> </span><br class="webkit-block-placeholder"></div><div class=""><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> </span><br 
class="webkit-block-placeholder"></div><p class="MsoNormal"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> Brian Smith [mailto:<a href="mailto:brian@briansmith.org" target="_blank" class="">brian@briansmith.org</a>] <br class=""><b class="">Sent:</b> Friday, June 12, 2015 5:28 AM<br class=""><b class="">To:</b> William Whyte<br class=""><b class="">Cc:</b> Michael Hamburg; Trevor Perrin; Watson Ladd; <a href="mailto:curves@moderncrypto.org" target="_blank" class="">curves@moderncrypto.org</a></span></p></div></div><div lang="EN-US" link="blue" vlink="purple" class=""><div class=""><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""><br class=""><b class="">Subject:</b> Re: [curves] Review of NIST workshop</span></p></div></div><div lang="EN-US" link="blue" vlink="purple" class=""><div class=""><div class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""></span><br class="webkit-block-placeholder"></div><div class=""> <br class="webkit-block-placeholder"></div><div class=""><div class=""><div class=""> <br class="webkit-block-placeholder"></div><div class=""><p class="MsoNormal">On Thu, Jun 11, 2015 at 11:18 PM, William Whyte <<a href="mailto:wwhyte@securityinnovation.com" target="_blank" class="">wwhyte@securityinnovation.com</a>> wrote:</p></div></div></div></div></div><div lang="EN-US" link="blue" vlink="purple" class=""><div class=""><div class=""><div class=""><div class=""><div class=""><p class="MsoNormal">There is also significant pressure from BSI against<br class="">ed25519, which doesn't directly affect the US OEMs but which does muddy the<br class="">waters about which curve actually is technically superior.</p></div></div></div></div></div></div><div lang="EN-US" link="blue" vlink="purple" class=""><div class=""><div class=""><div class=""><p 
class="MsoNormal"><br class="">Where can we read more about BSI's position regarding ed25519?</p></div></div></div></div><div lang="EN-US" link="blue" vlink="purple" class=""><div class=""><div class=""><div class=""></div><div class=""><div class=""> <br class="webkit-block-placeholder"></div></div><div class=""><p class="MsoNormal">Thanks,</p></div><div class=""><p class="MsoNormal">Brian</p></div></div></div></div>
_______________________________________________<br class="">
Curves mailing list<br class="">
<a href="mailto:Curves@moderncrypto.org" target="_blank" class="">Curves@moderncrypto.org</a><br class="">
<a href="https://moderncrypto.org/mailman/listinfo/curves" rel="noreferrer" target="_blank" class="">https://moderncrypto.org/mailman/listinfo/curves</a><br class="">
</blockquote></div>
</div></blockquote></div><br class=""></body></html>