[curves] Second day NIST workshop notes
johannes.merkle at secunet.com
Tue Jun 16 06:12:12 PDT 2015
Trevor Perrin schrieb am 15.06.2015 um 22:24:
> On Mon, Jun 15, 2015 at 11:54 AM, Watson Ladd <watsonbladd at gmail.com> wrote:
>> On Jun 15, 2015 11:32 AM, "Trevor Perrin" <trevp at trevp.net> wrote:
>>> Lochter's complaint may be more about the tone of BADA55 than its
>>> contents, but he has a point - BADA55 focuses on
>>> "nothing-up-my-sleeve" curves, but doesn't do a similarly deep
>>> analysis of the flexibility of performance-based curve choices like
>>> 25519 or 448.
>> That flexibility is far less.
> Maybe. My point was neither the BADA55 paper - nor yourself - are
> quantifying that flexibility and providing a serious analysis, like
> BADA55 did for Brainpool.
> Even your sketch below suggests thousands of choices.
> If this is between a 1-in-few-thousand process (performance-based) vs
> 1-in-a-million (nothing-up-my-sleeve-numbers-based), it's not clear
> this is an important distinction - or that these analyses are accurate
> enough to be meaningful.
> Anyways, more precision here would be useful, if anyone wants to take that up.
I had posted a detailed answer to the BADA55 paper on the CFRG list, where I explain why I deem its analysis unsuitable
for the Brainpool curves.
Of course, there are some degrees of freedom in the procedure, but IMHO these have been grossly overestimated in the
BADA55 paper. The flexibility is small enough to give a very high confidence in the procedure - apart from the fact that
the procedure was agreed upon in an open process among the ECC Brainpool participants which included Tanja Lange.
More information about the Curves