On Jan 31, 2014, at 2:12 AM, Robert Ransom <[email protected]> wrote:

> On 1/31/14, Paulo S. L. M. Barreto <[email protected]> wrote:
>> On Thu, 30 Jan 2014 22:45:03 -0800 Robert Ransom wrote:
>>
>>> A true drop-in replacement for one of the NSA curves would be a
>>> small-parameter Edwards curve over the same field, satisfying the
>>> ‘SafeCurves’ criteria, with a=1 and non-square d, such that:
>>
>> This is impossible per se. Most NIST fields simply do not satisfy the
>> SafeCurves criteria (this is pointed out in Mike Hamburg et al's Elligator
>> paper wrt P-256).
>
> Good point. I forgot that ‘indistinguishability’ was one of those
> criteria. I meant that as a shorthand for the other properties, which
> affect security of implementations in all protocols, rather than
> allowing use in new protocols which specifically require
> steganographic embedding.
>
> Though it's worth noting that the SafeCurves verification script
> currently does not consider the field order when deciding whether a
> curve supports ‘indistinguishability’.

It's just NIST P-256, right? The rest are fine, I think: they are 2^big - (less than 2^(big/2)).

-- Mike
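Added example (not part of the original thread): the rule of thumb in the reply above, p = 2^big - c with c < 2^(big/2), checked against the NIST prime moduli. The function names and the bias bound are this example's own; it implements only that rule of thumb, not the SafeCurves verification script.

```python
# NIST prime-field moduli as defined in FIPS 186.
NIST_PRIMES = {
    "P-192": 2**192 - 2**64 - 1,
    "P-224": 2**224 - 2**96 + 1,
    "P-256": 2**256 - 2**224 + 2**192 + 2**96 - 1,
    "P-384": 2**384 - 2**128 - 2**96 + 2**32 - 1,
    "P-521": 2**521 - 1,
}


def gap_report(p):
    """Measure how far p sits below the next power of two.

    A field element written as a fixed-width `big`-bit string never takes
    a value in [p, 2^big). A uniform random bit string lands there with
    probability gap / 2^big, which is the per-sample advantage of anyone
    telling encoded field elements apart from random bits.
    """
    big = p.bit_length()
    gap = 2**big - p
    return {
        "big": big,
        "gap_bits": gap.bit_length(),
        # gap < 2^(big/2), written as gap^2 < 2^big so odd `big` works too.
        "fine": gap * gap < 2**big,
        # gap < 2^gap_bits, so gap / 2^big < 2^(gap_bits - big).
        "bias_log2_bound": gap.bit_length() - big,
    }


def outliers(primes=NIST_PRIMES):
    """Names of the moduli that fail the 2^big - (< 2^(big/2)) shape."""
    return [name for name, p in primes.items() if not gap_report(p)["fine"]]


if __name__ == "__main__":
    for name, p in NIST_PRIMES.items():
        r = gap_report(p)
        verdict = "fine" if r["fine"] else "NOT fine"
        print(f"{name}: p = 2^{r['big']} - c, c < 2^{r['gap_bits']}, "
              f"bias < 2^{r['bias_log2_bound']}  ({verdict})")
    print("outliers:", outliers())
```

For P-256 the gap is just under 2^224, so a uniform 256-bit string falls outside the field with probability close to 2^-32 per sample; for the other four moduli the bound is 2^-127 or smaller.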
