[curves] Million Dollar Curve
Nathaniel McCallum
npmccallum at redhat.com
Wed Feb 24 10:48:37 PST 2016
On Wed, 2016-02-24 at 18:20 +0000, Salz, Rich wrote:
> > > http://cryptoexperts.github.io/million-dollar-curve/
> Who are these folks? What is wrong with 25519 and/or 448?
From the paper:
Q2. Is there anything wrong with Curve25519?
No. We, at CryptoExperts, actually use Curve25519 and recommend it to
our partners. Yet, we think that people should not rely on the same few
safe curves that are currently out. Our methodology allows one to easily
produce safe alternatives.
Q3. Curve25519 vs. Million Dollar Curve
Curve25519 was designed to be as fast as possible, with no security
compromise. This is both a strength and a potential weakness:
– a strength because it gives a valid argument that no trapdoor was
introduced in the design,
– a potential weakness because Curve25519 uses a very specific
prime field.
As of now, no attack exploiting this specificity is known. For
applications where speed is paramount, Curve25519 is probably the best
option. But for most applications, where losing a little on the
efficiency side is “not a big deal”, Million Dollar Curve is probably
the safest choice.
See also the answer by Ruggero on Stack Exchange.
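The paper's answer turns on two claims a practitioner can check rather than take on trust: that Curve25519's field is the "very specific" pseudo-Mersenne prime 2^255 - 19, and that its published group parameters are internally consistent. The script below is an added example, not part of the original post or of the Million Dollar Curve project; it applies a few generic SafeCurves-style sanity checks (prime field, prime subgroup order, Hasse bound, base point on curve and of the claimed order, embedding degree not small) to Curve25519's published constants from RFC 7748. The same checks can be pointed at any other Montgomery curve by replacing the constants, which is what you would do before adopting one of the "safe alternatives" the paper refers to. Function and constant names are this example's own.

```python
"""Sanity checks on a published Montgomery curve's parameters.

Added example (constructed for illustration). The constants are Curve25519's
published parameters (Bernstein 2006 / RFC 7748); swap them for another
curve's to re-run the same checks. This is not a full SafeCurves evaluation.
"""
import math
import random

# Curve25519: y^2 = x^3 + A x^2 + x over GF(p), base point u = 9.
P = 2**255 - 19                 # the "very specific" pseudo-Mersenne prime
A = 486662
A24 = (A - 2) // 4              # = 121665, the constant the ladder uses
N = 2**252 + 27742317777372353535851937790883648493  # prime order of base point
H = 8                           # cofactor: #E(GF(p)) = H * N
GU = 9                          # x-coordinate of the base point


def is_probable_prime(m, rounds=40):
    """Miller-Rabin; enough to catch a mistyped constant in a published curve."""
    if m < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if m % q == 0:
            return m == q
    d, s = m - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, m - 1), d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True


def on_curve(u):
    """True if some y satisfies y^2 = u^3 + A u^2 + u (Euler's criterion)."""
    rhs = (u * u * u + A * u * u + u) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def ladder(k, u):
    """Montgomery ladder with the RFC 7748 formulas, x-only, projective.

    Returns (X, Z) for [k](u, .); Z == 0 is the point at infinity, which is why
    the result is left unnormalised. The scalar is deliberately NOT clamped as
    in X25519, so we can multiply by the claimed group order.
    """
    x2, z2 = 1, 0        # R0 = O
    x3, z3 = u, 1        # R1 = (u, .)
    for i in reversed(range(k.bit_length())):
        bit = (k >> i) & 1
        if bit:                      # keep R0 = [m]P, R1 = [m+1]P
            x2, x3, z2, z3 = x3, x2, z3, z2
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P          # differential addition R0 + R1
        z3 = u * (da - cb) ** 2 % P      # (difference is the base point u)
        x2 = aa * bb % P                 # doubling of R0
        z2 = e * (aa + A24 * e) % P
        if bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
    return x2, z2


def is_infinity(point):
    return point[1] == 0


def affine(point):
    x, z = point
    return x * pow(z, P - 2, P) % P


def check_parameters():
    """Run every check; a dict so a failing property is visible by name."""
    return {
        "p_is_pseudo_mersenne": P == 2**255 - 19,   # what makes reduction cheap
        "p_prime": is_probable_prime(P),
        "n_prime": is_probable_prime(N),
        # Hasse: |#E - (p+1)| <= 2*sqrt(p); isqrt rounds down, so widen by 2
        "hasse_bound": abs(H * N - (P + 1)) <= 2 * (math.isqrt(P) + 1),
        "base_on_curve": on_curve(GU),
        "base_has_order_n": is_infinity(ladder(N, GU))
                            and not is_infinity(ladder(N - 1, GU)),
        # MOV / Frey-Rueck: n must not divide p^k - 1 for small k
        "embedding_degree_gt_20": all(pow(P, k, N) != 1 for k in range(1, 21)),
    }


if __name__ == "__main__":
    for name, ok in check_parameters().items():
        print(f"{name:24s} {'ok' if ok else 'FAIL'}")
```

Running it prints `ok` for every line on Curve25519. The order check is the one that matters most when a curve is new to you: `[n]G = O` together with `n` prime means the base point really generates a prime-order subgroup, independent of whatever the curve's authors claim.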