[curves] Million Dollar Curve

Tue Mar 1 14:16:34 PST 2016

Tuesday, March 1, 2016, 5:41:09 PM, Thomas Baigneres wrote:

> We believe that, in general, relying on a single solution for
> cryptography always increases the risk.

surely. also reduces the cost. the question is where is the balance.
as things are now, having our miriad of software implement a primitive
is an enourmous undertaking. not only you need to get it to a number
of libraries, but then you need to standardize it into rfcs, and add
to servers and clients. it is not something we want if there is no
serious reason for it.

and i claim that having two similar curves is not a serious reason. if
we want backup, pick some very different algo. pick some post quantum,
does not matter if inefficient, nobody will use it, it is just a
backup.

but i think since we have RSA/DSA as backup, we can go five more years
without something new.

> We agree that for busy servers speed is an issue. Still, most
> “busy” servers on the planet still use RSA over ECC.

i don't find this a compelling argument. most servers use old
primitives because of the cost of transition, not because they don't
care enough for performance.

this is, again, an optimization problem. how much verifiable
randomness weighs against 2x speed? if i'm the buyer, sign me up for
the 2x speed.

> Our opinion is that a generic implementation of an Edwards Curve (like
> Million Dollar Curve) is much simpler than an optimized
> implementation of Curve25519.

i don't find this argument compelling either. what we want both
performance and simplicity at the same time. they are, of course,
contradictory to each other. you can also count safety (e.g. side
channel) as a third factor. it is easy to excel in one aspect. it is
easy to improve one at the expense of another. what is hard is to
improve all. yet, that is what we want.

and of course you can add verifiable randomness as a fourth variable.
but the question is, again, what is the value of that? what weight
will it have compared to the other three?

> For the record, we do believe Curve25519 is a great work and we
> will ourselves continue to use it as a backup plan for Million Dollar Curve ;-)

for the record: i don't think there is anything wrong with MDC, or its
random generation method (although i haven't looked into the details).
what i say is this: the benefits are lower, and the cost is higher
than advertised.

(also some very unfortunate wording on the website)