[curves] Curve448

Mon Oct 19 11:06:41 PDT 2015

Hi folks,

I've got a few naive question about Goldilocks.

Why would somebody use Curve448? Curve25519 is 126bits, which I
thought was considered unfeasible to break, and DJB wrote back in
2006, "Breaking the Curve25519 function—for example, computing the
shared secret from the two public keys—is conjectured to be extremely
difficult. Every known attack is more expensive than performing a
brute-force search on a typical 128-bit secret-key cipher." I don't
know whether or not this claim still holds in 2015. Do folks have
doubts about 25519? Are these realistic doubts to have for the next,
say, 50 years?

Does anybody know of a simple and minimal implementation of DH on 448
(not signatures) that's as pleasant to use as curve25519-donna? I like
how donna is essentially one file with one public function. This makes
it very easy to use and integrate. I'd love to have something similar
for Curve448 to play around with.

How come Curve448 is receiving much attention, but Curve41417 is not?
Is 448 faster? More easily implemented in a secure fashion?

Thanks,
Jason