[curves] Same Value Analysis on Edwards Curves

[Ray Dillinger]

I have no strong mathematical reason to believe this, but I have
a nasty suspicion that the same properties that make ECC curves
fast to compute are likely to be the properties that enable future
attacks that no one has thought of yet.  The recent break on
Edwards Curves seems tied to their shift properties.

Are there any canonical examples of completely un-optimized curves
that mean you have to use actual bignumber math to do every step of?

				Bear

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20150727/7399aff4/attachment.sig>