(Just as a note, my goal is to come up with a decent quantification of how rigid "rigid curves" are; if anyone is looking to *implement* a new finite field, they should read Mike's, djb's, and Robert Ransom's mails on efficient implementations.)
The upshot: << 2^4 good primes in the 192-to-256-bit dlp security strength range. On Mon, Oct 27, 2014 at 2:57 AM, Mike Hamburg <[email protected]> wrote: > > Right. In my try, I had calculated it by multiplication not requiring > internal carry propagation, which depends on c as well as nail length. I'll try to implement your suggested cost-function. Thank you very much for all the details! > Why n-3? Ah, I wasn't really thinking at all at the time. (Was thinking about private scalars a la Curve25519 with clamped bits.) It should just be n, I think? (Assuming that some variant on your sign-recovery trick is used.) _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
