[curves] Curves Digest, Vol 5, Issue 1

Watson Ladd watsonbladd at gmail.com
Sat Feb 1 17:01:30 PST 2014


On Sat, Feb 1, 2014 at 4:55 PM, Samuel Neves <sneves at dei.uc.pt> wrote:
> On 31-01-2014 09:59, Paulo S. L. M. Barreto wrote:
>> On Thu, 30 Jan 2014 22:45:03 -0800 Robert Ransom wrote:
>>
>>> A true drop-in replacement for one of the NSA curves would be a
>>> small-parameter Edwards curve over the same field, satisfying the
>>> ?SafeCurves? criteria, with a=1 and non-square d, such that:
>> This is impossible per se. Most NIST fields simply do not satisfy the
>> SafeCurves criteria (this is pointed out in Mike Hamburg et al's Elligator
>> paper wrt P-256).
>>
>
> Another wrinkle here is that the NIST curves have prime order, which
> makes them naturally immune to small subgroup attacks (assuming
> implementations are verifying points are on the curve). Replacing them
> with cofactor >= 4 curves may have some unexpected results.

Revelation of the low three bits. You need a smooth group order to do
much damage: a large
prime factor is good enough.

> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin


More information about the Curves mailing list