[curves] Curves Digest, Vol 5, Issue 1
Mike Hamburg
mike at shiftleft.org
Fri Jan 31 09:34:56 PST 2014
On Jan 31, 2014, at 2:12 AM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> On 1/31/14, Paulo S. L. M. Barreto <pbarreto at larc.usp.br> wrote:
>> On Thu, 30 Jan 2014 22:45:03 -0800 Robert Ransom wrote:
>>
>>> A true drop-in replacement for one of the NSA curves would be a
>>> small-parameter Edwards curve over the same field, satisfying the
>>> ‘SafeCurves’ criteria, with a=1 and non-square d, such that:
>>
>> This is impossible per se. Most NIST fields simply do not satisfy the
>> SafeCurves criteria (this is pointed out in Mike Hamburg et al's Elligator
>> paper wrt P-256).
>
> Good point. I forgot that ‘indistinguishability’ was one of those
> criteria. I meant that as a shorthand for the other properties, which
> affect security of implementations in all protocols, rather than
> allowing use in new protocols which specifically require
> steganographic embedding.
>
> Though it's worth noting that the SafeCurves verification script
> currently does not consider the field order when deciding whether a
> curve supports ‘indistinguishability’.
It's just NIST P-256, right? The rest are fine, I think: they are 2^big - (less than 2^(big/2)).
-- Mike
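Added example, not part of the thread: a Python check of the rule Mike gives (p = 2^big minus something smaller than 2^(big/2)) against the field primes of the five NIST curves, using the FIPS 186 values. It assumes field elements are encoded as fixed-width k-bit integers, which is where the field order enters the indistinguishability question the thread raises.

```python
# Added example, not from the thread: Mike's "2^big - (less than 2^(big/2))"
# rule, checked against the primes of the NIST curves (values from FIPS 186).
#
# Why the field order matters for indistinguishability: an Elligator-style
# encoding outputs a field element written as a k-bit string, k = ceil(log2 p).
# Strings in [p, 2^k) can never appear, so a uniform element of GF(p) is at
# statistical distance (2^k - p) / 2^k from a uniform k-bit string.
from math import log2

NIST_PRIMES = {
    "P-192": 2**192 - 2**64 - 1,
    "P-224": 2**224 - 2**96 + 1,
    "P-256": 2**256 - 2**224 + 2**192 + 2**96 - 1,
    "P-384": 2**384 - 2**128 - 2**96 + 2**32 - 1,
    "P-521": 2**521 - 1,
}


def power_of_two_deficit(p: int) -> tuple[int, int]:
    """Return (k, delta) with 2^(k-1) < p < 2^k and delta = 2^k - p."""
    k = p.bit_length()
    return k, 2**k - p


def close_to_power_of_two(p: int) -> bool:
    """Mike's criterion delta < 2^(k/2), tested as delta^2 < 2^k (no floats)."""
    k, delta = power_of_two_deficit(p)
    return delta * delta < 2**k


def log2_encoding_bias(p: int) -> float:
    """log2 of the statistical distance delta / 2^k between a uniform field
    element in k bits and a uniform k-bit string; -32 means about one k-bit
    sample in 2^32 is provably not an encoding (its value is >= p)."""
    k, delta = power_of_two_deficit(p)
    return log2(delta) - k


def unsuitable_fields(primes=NIST_PRIMES) -> list[str]:
    """Names of the curves whose field order fails the criterion."""
    return [name for name, p in primes.items() if not close_to_power_of_two(p)]


if __name__ == "__main__":
    for name, p in NIST_PRIMES.items():
        k, delta = power_of_two_deficit(p)
        print(f"{name}: k={k} log2(delta)={log2(delta):6.1f} "
              f"bias=2^{log2_encoding_bias(p):.1f} ok={close_to_power_of_two(p)}")
    print("fails the field-order check:", unsuitable_fields())
```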