On 1/31/14, Paulo S. L. M. Barreto <[email protected]> wrote:
> On Thu, 30 Jan 2014 22:45:03 -0800 Robert Ransom wrote:
>
>> A true drop-in replacement for one of the NSA curves would be a
>> small-parameter Edwards curve over the same field, satisfying the
>> ‘SafeCurves’ criteria, with a=1 and non-square d, such that:
>
> This is impossible per se. Most NIST fields simply do not satisfy the
> SafeCurves criteria (this is pointed out in Mike Hamburg et al's Elligator
> paper wrt P-256).

Good point. I forgot that ‘indistinguishability’ was one of those
criteria. I meant that as a shorthand for the other properties, which
affect security of implementations in all protocols, rather than
allowing use in new protocols which specifically require steganographic
embedding.

Though it's worth noting that the SafeCurves verification script
currently does not consider the field order when deciding whether a
curve supports ‘indistinguishability’.


Robert Ransom
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
