[curves] BADA55 elliptic curves
Trevor Perrin
trevp at trevp.net
Wed May 21 14:09:45 PDT 2014
http://safecurves.cr.yp.to/bada55.html
elaborates on some points from:
http://safecurves.cr.yp.to/rigid.html
The BADA55-VR curves are generated by what the "Rigidity" page calls a
"manipulatable" method (similar to NIST curves), and the BADA55-VPR
curve by a "somewhat rigid" method (similar to Brainpool).
I think the main point is how much freedom remains within the
"somewhat rigid" approach. BADA55-VPR makes a small number of
innocent-looking choices ("nothing-up-my sleeve number" as seed,
deterministic search based on hashing seed || counter), but still is
able to satisfy a roughly 1-in-2^17 property (it claims
"one-in-a-million" (~2^20), but note BADA55 doesn't appear at the
beginning of BADA55-VPR-224's A).
Trevor
More information about the Curves
mailing list