[curves] Million Dollar Curve
Trevor Perrin
trevp at trevp.net
Wed Feb 24 16:17:30 PST 2016
On Wed, Feb 24, 2016 at 2:36 PM, Krisztián Pintér <pinterkr at gmail.com> wrote:
>
> Nathaniel McCallum <npmccallum at redhat.com> wrote:
>
>> – a potential weakness because Curve25519 uses a very specific
>> prime field.
>
> as well as every other curve on the planet. even nist curves use
> special primes.
No, Brainpool curves and million dollar curve use "randomly"-chosen primes.
Yes, this incurs a slowdown (~2x). Some would argue it's worth it
because randomly-chosen primes might be more conservative than
special-form primes. Others would argue that if you want to spend
extra cycles in pursuit of security, you're better off with
special-form primes but a larger curve (eg 448).
This has been debated many times, here and elsewhere. Lots of people
(or at least me) seem happy with special-form primes.
Anyways, if this thread continues, hopefully someone can point out
interesting aspects of this new curve or make some novel arguments,
let's not repeat old debates.
Trevor
More information about the Curves
mailing list