On Sun, February 2, 2014 16:10, Mike Hamburg wrote:

> Furthermore, P-384 is pretty ugly -- it's a non-64-bit-aligned pentanomial --
> and I don't think it makes sense to use that field unless we want some sort of
> compatibility.

I wonder where this baffling "ugliness" trend originated. It is clearly impossible to make everybody happy. Some will find non-NIST fields "ugly" because of compatibility concerns, some others will find NIST fields "ugly" because they are outdated, and so on. Someone might well find all non-trinomials (e.g. 2^255 - 2^4 - 2^1 - 1) "ugly," someone else might find all polynomials whose exponents are not all multiples of 64 (e.g. 2^255 - 2^4 - 2^1 - 1) "ugly," and yet someone else might find non-128-bit-aligned trinomials or pentanomials (e.g. 2^448 - 2^224 - 1) "ugly," without end (this list is clearly far from exhaustive). Tell me about Greeks and Trojans...

> I agree that there are serious concerns about any compatibility strategy.
> "Nobody pours new wine into old wineskins," such a compatible design would
> have most of the problems of both new and old.

This is utterly impossible to solve. NIST primes are old. They were designed with 32-bit processors in mind. If we focus on 64 bits, or even on 128 bits, we'll soon enough have people complaining "why didn't those short-sighted guys choose 256-bit aligned polynomials?"

Paulo.

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
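The "alignment" being argued about in this thread is a property of the prime's sparse form relative to a chosen limb size, and the reason anyone cares is the fold-based reduction that a sparse form makes cheap. The following Python is an added example, not code from the thread or from any of the curve implementations mentioned: it computes the canonical signed-digit (non-adjacent form) expansion of the three primes named above, reports whether their terms land on limb boundaries for several radices, and models the fold reduction with plain integers. The radices 28 and 56 are included alongside 32, 64 and 128 because they divide 224, which is what makes 2^448 - 2^224 - 1 aligned for some implementations and not for others. Note that NAF writes 2^255 - 19 as 2^255 - 2^4 - 2^2 + 1 rather than the 2^255 - 2^4 - 2^1 - 1 used in the message; both have four terms.

```python
# Added example (not part of the Curves thread): classify the "shape" of a
# field prime, check whether its sparse terms line up with limb boundaries for
# a given radix, and model the fold reduction that such a shape makes cheap.

# The three primes named in the message.
P384   = 2**384 - 2**128 - 2**96 + 2**32 - 1   # NIST P-384 field prime
P25519 = 2**255 - 19                          # Curve25519 field prime
P448   = 2**448 - 2**224 - 1                  # Ed448-Goldilocks field prime

SHAPE_NAMES = {2: "binomial", 3: "trinomial", 4: "tetranomial", 5: "pentanomial"}


def naf_terms(n):
    """Non-adjacent form of n > 0 as a list of (sign, exponent) pairs, highest
    exponent first, sign in {+1, -1}.  NAF is the canonical minimal-weight
    signed-digit expansion, so its length is the term count of the
    'polynomial' 2^a +/- 2^b +/- ... that the thread is arguing about."""
    terms = []
    e = 0
    while n > 0:
        if n & 1:
            d = 2 - (n & 3)          # +1 if n = 1 (mod 4), -1 if n = 3 (mod 4)
            terms.append((d, e))
            n -= d                   # n is now divisible by 4
        n >>= 1
        e += 1
    return terms[::-1]


def shape(p):
    """'trinomial', 'pentanomial', ... by NAF term count."""
    k = len(naf_terms(p))
    return SHAPE_NAMES.get(k, f"{k}-term")


def aligned(p, word_bits):
    """True when every non-constant exponent in p's NAF is a multiple of
    word_bits, i.e. each sparse term sits on a limb boundary for that radix."""
    return all(e % word_bits == 0 for _, e in naf_terms(p) if e > 0)


def fold_reduce(x, p):
    """Reduce x >= 0 modulo p = 2^k - c using only the identity 2^k = c (mod p).
    Each fold replaces the high part h*2^k by h*c, a multiply by the sparse
    constant c; when c's terms are limb-aligned that multiply is limb-wise
    shifts and adds.  This is a pure-integer model of the technique."""
    k = p.bit_length()
    c = (1 << k) - p
    mask = (1 << k) - 1
    while x >> k:                    # x = h*2^k + lo  ->  h*c + lo  (= x - h*p)
        x = (x & mask) + (x >> k) * c
    while x >= p:                    # at most one final conditional subtraction
        x -= p
    return x


def term_string(p):
    """Human-readable sparse form, e.g. '2^384 - 2^128 - 2^96 + 2^32 - 2^0'."""
    s = " ".join(f"{'+' if d > 0 else '-'} 2^{e}" for d, e in naf_terms(p))
    return s.lstrip("+ ")


if __name__ == "__main__":
    for name, p in (("P-384", P384), ("2^255-19", P25519), ("2^448-2^224-1", P448)):
        print(f"{name}: {term_string(p)} ({shape(p)})")
        for w in (28, 32, 56, 64, 128):
            print(f"  {w:>3}-bit limbs: {'aligned' if aligned(p, w) else 'NOT aligned'}")
        # Constructed 2k-bit operand, the size of a field-element product.
        x = pow(3, 1000, 1 << (2 * p.bit_length()))
        assert fold_reduce(x, p) == x % p
```

Running it shows P-384 aligned only at 32-bit limbs, 2^448 - 2^224 - 1 aligned at 28, 32 and 56 but not at 64 or 128, and 2^255 - 19 aligned at none of them (its low terms are the small constant 19, which is reduced by a multiply rather than by limb placement). The same prime therefore comes out "pretty" or "ugly" depending on the radix one has in mind, which is the point the message is making.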
