> On Jun 12, 2015, at 3:17 PM, Ron Garret <[email protected]> wrote: > > > On Jun 12, 2015, at 12:08 PM, Michael Hamburg <[email protected]> wrote: > >> Would be nice if new curves support a=-3. Would be even nicer if prime >> order. Would be nice if sqrt(b) doesn’t exist. Unfortunately with >> curve25519, sqrt(b) does exist in short Weierstrass form and a=-3 not >> possible. > > Can you please elaborate on this a bit? Why is it desirable if sqrt(b) > doesn’t exist, and to set a=-3? >
This is in the context of short Weierstrass curves. Some of the formulas are slightly more efficient with a=-3. Also, if sqrt(b) exists, then there is a point (0,sqrt(b)) on the curve. The value x=0 will show through projective blinding. If this point does not exist, and there is no 2-torsion point (y=0), then projective blinding is more effective. — Mike _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
