[curves] Million Dollar Curve

Nathaniel McCallum npmccallum at redhat.com
Wed Feb 24 10:48:37 PST 2016

On Wed, 2016-02-24 at 18:20 +0000, Salz, Rich wrote:
> > 
> > > 
> > > http://cryptoexperts.github.io/million-dollar-curve/
> Who are these folks?  What is wrong with25519 and/or 448?

>From the paper:

Q2. Is there anything wrong with Curve25519?

No. We, at CryptoExperts, actually use Curve25519 and recommend it to
our partners. Yet, we think that people should not rely on the same few
safe curves that are currently out. Our methodology allows to easily
produce safe alternatives.

Q3. Curve25519 vs. Million Dollar Curve

Curve25519 was designed to be as fast as possible, with no security
compromise. This is both a strength and a potential weakness:
    – a strength because it gives a valid argument that no trapdoor was
      introduced in the design,
    – a potential weakness because Curve25519 uses a very specific
      prime field.

As of now, no attack exploiting this specificity is known. For
applications where speed is paramount, Curve25519 is probably the best
option. But for most applications, where losing a little on the
efficiency side is “not a big deal”, Million Dollar Curve is probably
the safest choice.

See also the answer by Ruggero on Stack Exchange.

More information about the Curves mailing list