On Sat, Feb 1, 2014 at 4:55 PM, Samuel Neves <[email protected]> wrote:
> On 31-01-2014 09:59, Paulo S. L. M. Barreto wrote:
>> On Thu, 30 Jan 2014 22:45:03 -0800 Robert Ransom wrote:
>>
>>> A true drop-in replacement for one of the NSA curves would be a
>>> small-parameter Edwards curve over the same field, satisfying the
>>> "SafeCurves" criteria, with a=1 and non-square d, such that:
>> This is impossible per se. Most NIST fields simply do not satisfy the
>> SafeCurves criteria (this is pointed out in Mike Hamburg et al's Elligator
>> paper wrt P-256).
>>
>
> Another wrinkle here is that the NIST curves have prime order, which
> makes them naturally immune to small subgroup attacks (assuming
> implementations are verifying points are on the curve). Replacing them
> with cofactor >= 4 curves may have some unexpected results.
Revelation of the low three bits. You need a smooth group order to do much
damage: a large prime factor is good enough.

--
"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither Liberty nor Safety." -- Benjamin Franklin

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
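A toy model of the point the thread makes (cofactor elements leak k mod h and no more, a smooth order leaks all of k, a subgroup check stops both), added here as an example and not code from the list posts or from any curve library. It assumes, as a modelling choice, that the cyclic group generated by the base point is represented as Z/nZ written additively, which keeps the subgroup structure and drops the curve arithmetic.

```python
from math import gcd

# Constructed toy model (added example): the cyclic group generated by a base
# point is modelled as Z/nZ written additively, so "k*P" is k*P mod n and the
# identity is 0. Every cyclic group of order n has this structure, so what a
# low-order element reveals about the secret scalar k is the same as on a curve.

def order_of(P, n):
    """Order of the element P in a cyclic group of order n."""
    return n // gcd(P, n)

def victim_mul(k, P, n):
    """Unchecked scalar multiplication of an untrusted element P by secret k."""
    return (k * P) % n

def victim_mul_checked(k, P, n, ell):
    """Hardened variant: accept P only if it lies in the prime-order-ell
    subgroup (ell*P is the identity), which rejects every cofactor element."""
    if P % n == 0 or (ell * P) % n != 0:
        raise ValueError("element not in the prime-order subgroup")
    return (k * P) % n

def leak_via_low_order(k, n, h):
    """What one unchecked query with an element of order h (h divides n)
    reveals: the result is (k mod h)*(n/h), so exactly k mod h is learned.
    With h = 8 that is the 'low three bits' of the thread; a large prime
    factor left in n blocks learning anything more this way."""
    P = n // h                      # generator of the order-h subgroup
    R = victim_mul(k, P, n)
    return R // (n // h)            # k mod h

def recover_smooth(k, primes):
    """If the order is smooth (here: a product of distinct small primes), the
    residues k mod p from one query per prime recombine by CRT into all of k.
    This is the 'much damage' case the reply refers to (Python 3.8+ for pow)."""
    n = 1
    for p in primes:
        n *= p
    x, m = 0, 1                     # running CRT solution: k == x (mod m)
    for p in primes:
        r = leak_via_low_order(k, n, p)
        t = ((r - x) * pow(m, -1, p)) % p
        x, m = x + m * t, m * p
    return x
```

For a cofactor-8 group with n = 8*ell (ell prime), leak_via_low_order returns k mod 8 and nothing else, while victim_mul_checked rejects the order-8 element outright; that subgroup check (or multiplying the received point by the cofactor first) is the cheap complement to the on-curve validation the thread mentions.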
