[curves] Second day NIST workshop notes

D. J. Bernstein djb at cr.yp.to
Mon Jun 15 08:04:41 PDT 2015

Trevor Perrin writes:
> Random field primes are ~2x faster than special primes like Curve25519
> and Goldilocks, given a special implementation.  But a certain
> technique (scalar blinding) for power sidechannel resistance is slower
> for special primes.

You mean "slower" in the first sentence. Anyway, I agree that the
details of the high-security performance picture across platforms need
to be carefully quantified, so that people can understand the impact of
curve choices upon costs.

But this wasn't the perspective taken by the side-channel people at the
NIST workshop. Those people were trying to paint a picture of _security
risks_ from next-generation ECC---as if side-channel attacks against
Montgomery curves and fast primes were some scary new research area.

