Trevor Perrin writes:
> Random field primes are ~2x faster than special primes like Curve25519
> and Goldilocks, given a special implementation. But a certain
> technique (scalar blinding) for power sidechannel resistance is slower
> for special primes.

You mean "slower" in the first sentence. Anyway, I agree that the details of the high-security performance picture across platforms need to be carefully quantified, so that people can understand the impact of curve choices upon costs.

But this wasn't the perspective taken by the side-channel people at the NIST workshop. Those people were trying to paint a picture of _security risks_ from next-generation ECC---as if side-channel attacks against Montgomery curves and fast primes were some scary new research area.

---Dan

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
