[curves] Second day NIST workshop notes

Michael Hamburg mike at shiftleft.org
Fri Jun 12 13:08:52 PDT 2015


> On Jun 12, 2015, at 3:17 PM, Ron Garret <ron at flownet.com> wrote:
> 
> 
> On Jun 12, 2015, at 12:08 PM, Michael Hamburg <mike at shiftleft.org> wrote:
> 
>> Would be nice if new curves support a=-3.  Would be even nicer if prime order.  Would be nice if sqrt(b) doesn’t exist.  Unfortunately with curve25519, sqrt(b) does exist in short Weierstrass form and a=-3 not possible.
> 
> Can you please elaborate on this a bit?  Why is it desirable if sqrt(b) doesn’t exist, and to set a=-3?
> 

This is in the context of short Weierstrass curves.  Some of the formulas are slightly more efficient with a=-3.  Also, if sqrt(b) exists, then there is a point (0,sqrt(b)) on the curve.  The value x=0 will show through projective blinding.  If this point does not exist, and there is no 2-torsion point (y=0), then projective blinding is more effective.

— Mike
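
Added example, not part of the original message: a Python sketch of the point made in the reply above, using two constructed toy curves over GF(23) with a=-3 (b=4, where sqrt(b) exists, and b=7, where it does not and there is no y=0 point). It assumes homogeneous blinding (x, y) -> (lam*x : lam*y : lam); the field size, b values and all function names are assumptions chosen for illustration.

```python
# Toy short Weierstrass curves y^2 = x^3 + a*x + b over GF(P).
# P and both b values are constructed for illustration, not real parameters.
P = 23
A = -3 % P

def is_square(n, p=P):
    """Euler's criterion: True if n is a nonzero square mod p."""
    n %= p
    return n != 0 and pow(n, (p - 1) // 2, p) == 1

def zero_coordinate_points(a, b, p=P):
    """Affine points with x == 0 or y == 0 (brute force, toy field sizes only)."""
    x0 = {(0, y) for y in range(p) if (y * y - b) % p == 0}               # (0, +-sqrt(b))
    y0 = {(x, 0) for x in range(p) if (x**3 + a * x + b) % p == 0}        # 2-torsion
    return sorted(x0 | y0)

def blind(point, lam, p=P):
    """Assumed blinding: rescale the projective representative by lam != 0."""
    x, y = point
    return (lam * x % p, lam * y % p, lam % p)

def visible_zero(point, p=P):
    """Names of coordinates that are zero in every blinded representative."""
    reps = [blind(point, lam, p) for lam in range(1, p)]
    return [name for i, name in enumerate("XY") if all(r[i] == 0 for r in reps)]

def audit(a, b, p=P):
    """Map each point that blinding cannot hide to its exposed coordinates."""
    return {pt: visible_zero(pt, p) for pt in zero_coordinate_points(a, b, p)}

if __name__ == "__main__":
    for b in (4, 7):
        print(f"b={b}: sqrt(b) exists={is_square(b)}, exposed points={audit(A, b)}")
    # A generic point on the b=7 curve takes a different form for every lam.
    print(len({blind((3, 5), lam) for lam in range(1, P)}), "distinct blindings of (3, 5)")
```

A zero coordinate stays zero under any rescaling, so only a curve with no x=0 and no y=0 points returns an empty audit.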

