On Apr 23, 2014, at 12:48 PM, Trevor Perrin <[email protected]> wrote: > Thanks Diego, CodesInChaos, > > I've added those (and the DJB Kummer work) to my table. > > I'm not sure I'm comparing apples-to-apples anymore (GLS curves? > "Lainey" curves (snowshoe)? Kummer surfaces?) The speed of these > things is impressive, but are there downsides? > > I was mainly interested in "extra-strength" curves like > Goldilocks-448, E-521, and Curve41417, since I assumed the non-NIST, > 128-bit security level was pretty much won for Curve25519/Ed25519. > But maybe things are more interesting at 128-bits than I thought?
There’s been a long stream of papers at the 120-something-ish-bit security level. Curve25519 / Ed25519 is the go-to because it’s been around the longest, it has free high-quality source available for multiple platforms, and it’s simple and conservatively designed, and it implements a fairly complete set of operations. Cheers, — Mike _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
