On 2/1/14, Watson Ladd <[email protected]> wrote:
> I don't know that isogeny to a short Weierstrass curve actually solves
> anything, unless we transmit the points in that manner.
> But then a lot of the security gains vanish: we need to validate
> points, formulas get slow, etc.

* Using a curve specified in short-Weierstrass form, and transmitting
  points in short-Weierstrass form, makes updating an existing NSA-curve
  DH or DSA implementation to start using the new curve nearly trivial.

* After an implementation has been modified to use the new curve, it
  can later be patched to use the isomorphic and/or isogenous curves
  with faster/safer formulas, with most of the benefits.

The only security issues compared to e.g. Curve25519 would be the
possibility of undefined cases in the isomorphism/isogeny formulas.

Robert Ransom
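
The point validation and the "undefined cases" discussed in this message, as an added example that is not part of the original thread or of any project's code. It assumes Curve25519's parameters as a stand-in for the unnamed new curve, takes points received in short-Weierstrass form, and maps them to the birationally equivalent twisted Edwards form; all function and constant names are hypothetical.

```python
# Added example: Curve25519's curve stands in for "the new curve" (assumption).
P = 2**255 - 19
A = 486662                      # Montgomery form: v^2 = u^3 + A*u^2 + u
A3 = A * pow(3, -1, P) % P      # A/3, the shift between the two forms
# Isomorphic short-Weierstrass form y^2 = x^3 + W_A*x + W_B, x = u + A/3, y = v
W_A = (1 - A * A3) % P
W_B = (2 * A**3 - 9 * A) * pow(27, -1, P) % P
# Birationally equivalent twisted Edwards form: E_A*X^2 + Y^2 = 1 + E_D*X^2*Y^2
E_A, E_D = A + 2, A - 2

def on_weierstrass(x, y):
    """Wire-format check: coordinates in range and on the curve (no subgroup check)."""
    if not all(isinstance(c, int) and 0 <= c < P for c in (x, y)):
        return False
    return (y * y - (x**3 + W_A * x + W_B)) % P == 0

def to_edwards(x, y):
    """Map a received short-Weierstrass point to Edwards coordinates.
    Raises ValueError for invalid points; returns None for the exceptional
    inputs where X = u/v, Y = (u-1)/(u+1) is undefined."""
    if not on_weierstrass(x, y):
        raise ValueError("point is not on the curve")
    u, v = (x - A3) % P, y
    if v == 0 or (u + 1) % P == 0:
        return None  # caller needs a separate code path for these points
    X = u * pow(v, -1, P) % P
    Y = (u - 1) * pow(u + 1, -1, P) % P
    return X, Y

def on_edwards(X, Y):
    return (E_A * X * X + Y * Y - 1 - E_D * X * X * Y * Y) % P == 0

def sqrt_mod_p(r):
    """Square root mod P (P = 5 mod 8); used only to build the sample point."""
    s = pow(r, (P + 3) // 8, P)
    if (s * s - r) % P:
        s = s * pow(2, (P - 1) // 4, P) % P
    if (s * s - r) % P:
        raise ValueError("not a square")
    return s

# Constructed sample inputs (not from the thread)
BASE = ((9 + A3) % P, sqrt_mod_p((9**3 + A * 9**2 + 9) % P))  # u = 9
ORDER2 = (A3, 0)      # valid curve point (u, v) = (0, 0), but v = 0
OFF_CURVE = (A3, 1)   # same x, y = 1: fails the curve equation
```

`ORDER2` passes validation yet has no image under the affine map, which is the kind of undefined case the message refers to.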
