[curves] Second day NIST workshop notes

Trevor Perrin trevp at trevp.net
Mon Jun 15 11:49:35 PDT 2015

On Mon, Jun 15, 2015 at 8:04 AM, D. J. Bernstein <djb at cr.yp.to> wrote:
> Trevor Perrin writes:
>> Random field primes are ~2x faster than special primes like Curve25519
>> and Goldilocks, given a special implementation.  But a certain
>> technique (scalar blinding) for power sidechannel resistance is slower
>> for special primes.
> You mean "slower" in the first sentence.

Oops, yes.

> Anyway, I agree that the
> details of the high-security performance picture across platforms need
> to be carefully quantified, so that people can understand the impact of
> curve choices upon costs.

Yeah, I think that's the important takeaway:  the scalar-blinding
discussion is about efficiency rather than security.  Someone smart
enough to choose this countermeasure will be smart enough to use the
recommended-size blinding factor.

Quantifying the recommendation for random vs special primes, and
comparing the efficiency hit, seems like the way forward.
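As an added illustration (not from this thread or any of its participants), the following Python sketch shows the scalar blinding being discussed on Curve25519's x-only Montgomery ladder: the blinded scalar k + r*n gives the same point as k, and the blinding bits show up directly as extra ladder steps, which is the efficiency cost rather than a security difference. The names `ladder`, `blinded_mul`, `ORDER` and `BASE_U` are this example's own; Python integers are not constant time, so the code mirrors the fixed-step structure of a protected ladder without itself providing side-channel protection.

```python
# Scalar blinding on Curve25519's x-only Montgomery ladder (RFC 7748 structure).
# Added example for illustration only; Python ints are not constant time.
P = 2**255 - 19                      # Curve25519 field prime (special form)
A24 = 121665                         # (A - 2) / 4 for A = 486662
ORDER = 2**252 + 27742317777372353535851937790883648493  # order of the base point
BASE_U = 9                           # u-coordinate of the base point

def _cswap(swap, a, b):
    """Branch-free conditional swap; swap is 0 or 1."""
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy

def ladder(k, u, bits):
    """u-coordinate of [k]P for the point with u-coordinate u, in exactly `bits` steps."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(bits)):
        bit = (k >> t) & 1
        swap ^= bit
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P

def blinded_mul(k, u, r, blind_bits):
    """Compute u([k]P) via the blinded scalar k + r*ORDER with 0 <= r < 2^blind_bits.
    [ORDER]P is the identity, so the result equals u([k]P), but the ladder must now
    run 255 + blind_bits steps: k < 2^255 and r*ORDER < 2^(253 + blind_bits).
    Returns (u-coordinate, step count) so the cost of blinding can be compared."""
    assert blind_bits >= 1 and 0 <= k < 1 << 255 and 0 <= r < 1 << blind_bits
    steps = 255 + blind_bits
    return ladder(k + r * ORDER, u, steps), steps

if __name__ == "__main__":
    import os
    k = int.from_bytes(os.urandom(32), "little") & ((1 << 255) - 1)
    r = int.from_bytes(os.urandom(8), "little")          # 64-bit blinding factor
    plain = ladder(k, BASE_U, 255)
    blind, steps = blinded_mul(k, BASE_U, r, 64)
    print("match:", plain == blind, "ladder steps: 255 ->", steps)
```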