On Mon, Jun 15, 2015 at 8:04 AM, D. J. Bernstein <[email protected]> wrote:
> Trevor Perrin writes:
>> Random field primes are ~2x faster than special primes like Curve25519
>> and Goldilocks, given a special implementation. But a certain
>> technique (scalar blinding) for power sidechannel resistance is slower
>> for special primes.
>
> You mean "slower" in the first sentence.

Oops, yes.

> Anyway, I agree that the
> details of the high-security performance picture across platforms need
> to be carefully quantified, so that people can understand the impact of
> curve choices upon costs.

Yeah, I think that's the important takeaway: the scalar-blinding discussion is about efficiency rather than security. Someone smart enough to choose this countermeasure will be smart enough to use the recommended-size blinding factor. Quantifying the recommendation for random vs special primes, and comparing the efficiency hit, seems like the way forward.

Trevor

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
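As an added illustration (not part of this thread, and not code from any of the projects mentioned), the Python script below does two things. First, on a constructed toy curve over F_97, it checks that scalar blinding k' = k + r*n leaves k*P unchanged, since n*P is the identity. Second, it counts how many bit positions of the blinded scalar stay fixed across many random blinding factors when the group order has the 2^252 + c shape of the Curve25519 base-point order (that constant is the real one), versus a constructed odd 253-bit integer with no special shape standing in for a random-prime order. With a 64-bit r, dozens of bit positions in the structured case never change, because r*c only reaches up to about bit 189 while r*2^252 only touches the top; that is the mechanism behind the larger blinding factor, and the slower blinded multiplication, for special primes. The toy curve parameters, the function names and the stand-in order are all assumptions of this example.

```python
import random

# Toy short-Weierstrass curve y^2 = x^3 + A*x + B over F_97, constructed for this
# example so the arithmetic is small enough to brute-force; not a real curve.
P_MOD, A, B = 97, 2, 3
G = (3, 6)          # on the curve: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)
INF = None          # point at infinity

# Real group order of the Curve25519 / Ed25519 base point: 2^252 + c, c ~ 2^124.4.
L25519 = 2**252 + 27742317777372353535851937790883648493


def ec_add(P1, P2):
    """Affine point addition / doubling on the toy curve."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P)
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, P):
    """Plain double-and-add scalar multiplication (itself not side-channel safe)."""
    R, Q = INF, P
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R


def point_order(P):
    """Brute-force the order of P; fine for a curve over F_97."""
    n, Q = 1, P
    while Q is not INF:
        Q = ec_add(Q, P)
        n += 1
    return n


def blind_scalar(k, n, r_bits, rng):
    """Scalar blinding: k' = k + r*n with a fresh random r. Because n*P = 0,
    k'*P = k*P, but the bit pattern the ladder walks differs from run to run."""
    r = rng.getrandbits(r_bits)
    return k + r * n


def blinding_preserves_result(trials=20, r_bits=16, seed=7):
    """Check k'*G == k*G on the toy curve for random k and blinding factors."""
    rng = random.Random(seed)
    n = point_order(G)
    for _ in range(trials):
        k = rng.randrange(1, n)
        if ec_mul(blind_scalar(k, n, r_bits, rng), G) != ec_mul(k, G):
            return False
    return True


def constant_bit_positions(k, n, r_bits, trials=64, seed=1):
    """Bit positions (below n's width) of k + r*n that are identical across
    `trials` random r. Those bits are not randomized by the blinding and still
    depend only on k, so a power trace that reads them learns about k."""
    rng = random.Random(seed)
    width = n.bit_length()
    ref = blind_scalar(k, n, r_bits, rng)
    constant = set(range(width))
    for _ in range(trials - 1):
        kb = blind_scalar(k, n, r_bits, rng)
        constant = {i for i in constant if (kb >> i) & 1 == (ref >> i) & 1}
    return sorted(constant)


def compare_orders(r_bits=64, seed=3):
    """Same k and same blinding-factor size against (a) the structured
    Curve25519 order 2^252 + c and (b) a constructed odd 253-bit integer with
    no special shape, standing in for a random-prime group order."""
    rng = random.Random(seed)
    k = rng.randrange(1, L25519)
    n_random = rng.getrandbits(253) | (1 << 252) | 1     # constructed stand-in
    return {
        "special_prime_fixed_bits": len(constant_bit_positions(k, L25519, r_bits)),
        "random_prime_fixed_bits": len(constant_bit_positions(k, n_random, r_bits)),
    }


if __name__ == "__main__":
    print("k'*G == k*G on toy curve:", blinding_preserves_result())
    print(compare_orders())
```

The second number in `compare_orders()` is essentially zero: with an unstructured order, r*n spreads over every bit of the scalar. The first is large for any r much shorter than 2^252 divided by c, which is the quantitative point the thread says still needs to be pinned down per curve.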
