[curves] The Pareto frontiers of sleeveless primes
David Leon Gil
coruus at gmail.com
Thu Oct 30 07:00:08 PDT 2014
(Just as a note, my goal is to come up with a decent quantification of
how rigid "rigid curves" are; if anyone is looking to *implement* a
new finite field, they should read Mike's, djb's, and Robert Ransom's
mails on efficient implementations.)
The upshot: << 2^4 good primes in the 192-to-256-bit DLP security
strength range.
On Mon, Oct 27, 2014 at 2:57 AM, Mike Hamburg <mike at shiftleft.org> wrote:
>
> Right. In my try, I had calculated it by multiplication not requiring
> internal carry propagation, which depends on c as well as nail length.
I'll try to implement your suggested cost-function. Thank you very
much for all the details!
> Why n-3?
Ah, I wasn't really thinking at all at the time. (Was thinking about
private scalars a la Curve25519 with clamped bits.)
It should just be n, I think? (Assuming that some variant on your
sign-recovery trick is used.)