On Thu, Feb 20, 2014 at 12:19 PM, Samuel Neves <[email protected]> wrote:
> On 02-02-2014 21:52, Michael Hamburg wrote:
>> I was referring to the Weierstrass form with this comment, not the prime
>> shape. I agree with Robert and Watson from a few posts ago (and, it seems,
>> with you) that it’s dangerous to try to reuse Weierstrass implementations
>> with new curves, because they’ll have the problems of the old ones
>> (incomplete formulas) and the new (cofactors), and possibly worse ones from
>> the combination (cofactors leading to corner cases).
>
> The recent report by Bos et al [1] might be helpful here to get actual
> drop-in replacements to the NIST curves. The reported speeds of the
> proposed Weierstrass curves are not so bad in comparison with Edwards,
> although those cycle counts are still rather high compared to the
> current state of the art.

Changing prime shapes is going to get a small, architecture-dependent
improvement. OpenSSL has recently been patched by Shay Gueron and Adam
Langley to get major improvements to P256 performance. This has to be
weighed against the cost of a new curve: new code, configuration pain, and
you can't get rid of the old one.

The big win for Edwards is correctness. Efficiency is the icing on the
cake, but it's pretty tasty icing.

Sincerely,
Watson Ladd

>
> [1] https://research.microsoft.com/apps/pubs/default.aspx?id=209303
> _______________________________________________
> Curves mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/curves

--
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
