[curves] Million Dollar Curve

Krisztián Pintér pinterkr at gmail.com
Wed Feb 24 11:32:22 PST 2016


> What do you guys think of this?:
> http://cryptoexperts.github.io/million-dollar-curve/


this is another case of solving a nonexistent problem.

in particular, let's observe this mastery of misdirection:

> "ANSSI FRP256v1, NIST P-256, NIST P-384, Curve25519, secp256k1,
> brainpoolP256t1, Curve1174 and a few others. However, several of
> these curves parameters generation processes contain unjustified
> choices

yeah, several. but not all! so why put together a list of a few safe
and a few unsafe curves, and then complain about the lack of security of
some? the fact is, there are curves with a verifiable parameter choice.

what can we randomize? we can't randomize the prime. we need a very
carefully crafted prime to enable fast calculation modulo that prime.
we need primes very close to powers of two, with the differences being
at very specific locations. just check the goldilocks paper to see how
hard it is to find a good prime. we don't have too many of them. the
curve form (edwards, etc.) also comes from the same rationale.

goldilocks paper for the lazy: https://eprint.iacr.org/2015/625.pdf

we can randomize the curve parameter, like d for a montgomery curve.
however, minimizing the constant has the same effect.

we can randomize the generator, but it does not make a whole lot of
difference, and minimizing has the same effect.

so please explain to me, how randomizing improves security in any
meaningful way. it does not.
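The post's point about primes "very close to powers of two" is that reduction modulo such a prime needs no general big-integer division: writing p = 2^k - c, every multiple of 2^k can be folded back in as a multiple of the small constant c. The following is an added example, not code from the post or from any of the projects it names; the function names (`fold_rounds`, `reduce_special`, `check_against_division`) are this example's own. The three primes are the ones actually used by Curve25519 (2^255 - 19), Ed448-Goldilocks (2^448 - 2^224 - 1) and secp256k1 (2^256 - 2^32 - 977); the test inputs are constructed here.

```python
import random

# Primes of the form p = 2^k - c, stored as (k, c). All three are the real
# field primes of the named curves; c is tiny or sparse in every case.
SPECIAL_PRIMES = {
    "curve25519": (255, 19),                      # 2^255 - 19
    "goldilocks": (448, (1 << 224) + 1),          # 2^448 - 2^224 - 1
    "secp256k1":  (256, (1 << 32) + 977),         # 2^256 - 2^32 - 977
}


def fold_rounds(x: int, k: int, c: int) -> tuple[int, int]:
    """Reduce x modulo p = 2^k - c and report how many fold rounds it took.

    Uses the identity 2^k ≡ c (mod p): split x = hi*2^k + lo and replace it
    by hi*c + lo. That is a shift, a mask and one multiplication by the
    small constant c. Because c is far smaller than 2^k, each round shrinks
    x by roughly k - bitlen(c) bits, so the product of two k-bit field
    elements (about 2k bits) is reduced in two or three rounds.
    """
    if x < 0 or k <= 0 or not (0 < c < (1 << k)):
        raise ValueError("need x >= 0, k > 0 and 0 < c < 2^k")
    mask = (1 << k) - 1
    p = (1 << k) - c
    rounds = 0
    while x >> k:                       # anything left above bit k?
        hi, lo = x >> k, x & mask
        x = hi * c + lo                 # 2^k -> c
        rounds += 1
    # Now x < 2^k; since p = 2^k - c is only c below 2^k, one or two
    # conditional subtractions bring x into [0, p).
    while x >= p:
        x -= p
    return x, rounds


def reduce_special(x: int, k: int, c: int) -> int:
    """x mod (2^k - c) using only the fold trick above."""
    return fold_rounds(x, k, c)[0]


def check_against_division(name: str, trials: int = 200, seed: int = 1) -> bool:
    """Cross-check the fold reduction against Python's generic % operator
    on constructed random inputs of the size a field multiplication
    produces (2k bits). Returns True if every trial agrees."""
    k, c = SPECIAL_PRIMES[name]
    p = (1 << k) - c
    rng = random.Random(seed)           # deterministic, constructed inputs
    for _ in range(trials):
        x = rng.getrandbits(2 * k)
        if reduce_special(x, k, c) != x % p:
            return False
    # Edge cases: exactly p, exactly 2^k, and the largest 2k-bit value.
    for x in (p, 1 << k, (1 << (2 * k)) - 1):
        if reduce_special(x, k, c) != x % p:
            return False
    return True


if __name__ == "__main__":
    for name, (k, c) in SPECIAL_PRIMES.items():
        p = (1 << k) - c
        # (p-1)^2 is the largest product two field elements can give.
        value, rounds = fold_rounds((p - 1) ** 2, k, c)
        print(f"{name:11s} (p-1)^2 mod p = {value}, folded in {rounds} rounds,"
              f" matches division: {check_against_division(name)}")
```

The round count is what makes these primes attractive for implementers: for a prime of the same size with no such structure there is no constant c to fold with, and the reduction has to fall back to a general division or a Montgomery/Barrett scheme with more multiplications. That is the cost the post says you pay if you "randomize the prime".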
