[curves] Second day NIST workshop notes

Trevor Perrin trevp at trevp.net
Mon Jun 15 13:24:53 PDT 2015

On Mon, Jun 15, 2015 at 11:54 AM, Watson Ladd <watsonbladd at gmail.com> wrote:
> On Jun 15, 2015 11:32 AM, "Trevor Perrin" <trevp at trevp.net> wrote:
>> Lochter's complaint may be more about the tone of BADA55 than its
>> contents, but he has a point - BADA55 focuses on
>> "nothing-up-my-sleeve" curves, but doesn't do a similarly deep
>> analysis of the flexibility of performance-based curve choices like
>> 25519 or 448.
> That flexibility is far less.

Maybe.  My point was neither the BADA55 paper - nor yourself - are
quantifying that flexibility and providing a serious analysis, like
BADA55 did for Brainpool.

Even your sketch below suggests thousands of choices.

If this is between a 1-in-few-thousand process (performance-based) vs
1-in-a-million (nothing-up-my-sleeve-numbers-based), it's not clear
this is an important distinction - or that these analyses are accurate
enough to be meaningful.

Anyways, more precision here would be useful, if anyone wants to take that up.

> Craig Costello could only argue that the exact
> choice of security level could be manipulated, at most 521 choices.
> Of course this has to be multiplied by the number of order and twist
> critera, which seem to apply to all the other proposals.


More information about the Curves mailing list