[curves] Second day NIST workshop notes
Trevor Perrin
trevp at trevp.net
Mon Jun 15 11:49:35 PDT 2015

On Mon, Jun 15, 2015 at 8:04 AM, D. J. Bernstein <djb at cr.yp.to> wrote:
> Trevor Perrin writes:
>> Random field primes are ~2x faster than special primes like Curve25519
>> and Goldilocks, given a special implementation. But a certain
>> technique (scalar blinding) for power sidechannel resistance is slower
>> for special primes.
>
> You mean "slower" in the first sentence.

Oops, yes.

> Anyway, I agree that the
> details of the high-security performance picture across platforms need
> to be carefully quantified, so that people can understand the impact of
> curve choices upon costs.

Yeah, I think that's the important takeaway: the scalar-blinding
discussion is about efficiency rather than security. Someone smart
enough to choose this countermeasure will be smart enough to use the
recommended-size blinding factor.

Quantifying the recommendation for random vs special primes, and
comparing the efficiency hit, seems like the way forward.

Trevor