[curves] Curves Digest, Vol 5, Issue 1

Mike Hamburg mike at shiftleft.org
Fri Jan 31 09:34:56 PST 2014


On Jan 31, 2014, at 2:12 AM, Robert Ransom <rransom.8774 at gmail.com> wrote:

> On 1/31/14, Paulo S. L. M. Barreto <pbarreto at larc.usp.br> wrote:
>> On Thu, 30 Jan 2014 22:45:03 -0800 Robert Ransom wrote:
>> 
>>> A true drop-in replacement for one of the NSA curves would be a
>>> small-parameter Edwards curve over the same field, satisfying the
>>> ‘SafeCurves’ criteria, with a=1 and non-square d, such that:
>> 
>> This is impossible per se. Most NIST fields simply do not satisfy the
>> SafeCurves criteria (this is pointed out in Mike Hamburg et al's Elligator
>> paper wrt P-256).
> 
> Good point.  I forgot that ‘indistinguishability’ was one of those
> criteria.  I meant that as a shorthand for the other properties, which
> affect security of implementations in all protocols, rather than
> allowing use in new protocols which specifically require
> steganographic embedding.
> 
> Though it's worth noting that the SafeCurves verification script
> currently does not consider the field order when deciding whether a
> curve supports ‘indistinguishability’.

It's just NIST P-256, right?  The rest are fine, I think: they are 2^big - (less than 2^(big/2)).

-- Mike
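As an added example that is not part of the thread, the following Python checks the claim in the message above about the shape of the NIST primes (2^k minus something below 2^(k/2)) and quantifies the resulting bias when a field element is encoded as a k-bit string. The prime values are the public FIPS 186 constants; the function names are mine.

```python
# Added example: verify which NIST prime fields are "close to a power of two"
# in the sense used on the list, and measure the encoding bias for the rest.
import math

# Public FIPS 186 prime-field moduli, written as 2^k minus a small term.
NIST_PRIMES = {
    "P-192": 2**192 - 2**64 - 1,
    "P-224": 2**224 - 2**96 + 1,
    "P-256": 2**256 - 2**224 + 2**192 + 2**96 - 1,
    "P-384": 2**384 - 2**128 - 2**96 + 2**32 - 1,
    "P-521": 2**521 - 1,
}


def field_gap(p):
    """Return (k, c) with p = 2^k - c and k = bit length of p."""
    k = p.bit_length()
    return k, 2**k - p


def satisfies_half_bound(p):
    """True when c = 2^k - p < 2^(k/2): the claim made for the non-P-256 fields.
    Compared as c^2 < 2^k so odd k (P-521) needs no fractional exponent."""
    k, c = field_gap(p)
    return c * c < 2**k


def statistical_distance_log2(p):
    """log2 of the statistical distance between a uniform GF(p) element
    encoded as a k-bit string and a uniform k-bit string. That distance is
    (2^k - p) / 2^k, the mass of k-bit strings the encoding can never emit;
    roughly 2^k/c samples suffice to notice the bias."""
    k, c = field_gap(p)
    return math.log2(c) - k


def curves_failing_bound():
    """Names of the NIST fields whose gap c is NOT below 2^(k/2)."""
    return [n for n, p in NIST_PRIMES.items() if not satisfies_half_bound(p)]


if __name__ == "__main__":
    for name, p in NIST_PRIMES.items():
        k, c = field_gap(p)
        print(f"{name}: k={k}, log2(c)={math.log2(c):.1f}, "
              f"bound ok={satisfies_half_bound(p)}, "
              f"log2(distance)={statistical_distance_log2(p):.1f}")
```

For P-256 the distance is about 2^-32, so a few billion encoded points expose the bias, while P-224 sits at 2^-128 and P-521 at 2^-521.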
