On Mon, Jun 15, 2015 at 11:54 AM, Watson Ladd <[email protected]> wrote: > > On Jun 15, 2015 11:32 AM, "Trevor Perrin" <[email protected]> wrote: >> >> Lochter's complaint may be more about the tone of BADA55 than its >> contents, but he has a point - BADA55 focuses on >> "nothing-up-my-sleeve" curves, but doesn't do a similarly deep >> analysis of the flexibility of performance-based curve choices like >> 25519 or 448. > > That flexibility is far less.
Maybe. My point was neither the BADA55 paper - nor yourself - are quantifying that flexibility and providing a serious analysis, like BADA55 did for Brainpool. Even your sketch below suggests thousands of choices. If this is between a 1-in-few-thousand process (performance-based) vs 1-in-a-million (nothing-up-my-sleeve-numbers-based), it's not clear this is an important distinction - or that these analyses are accurate enough to be meaningful. Anyways, more precision here would be useful, if anyone wants to take that up. > Craig Costello could only argue that the exact > choice of security level could be manipulated, at most 521 choices. > > Of course this has to be multiplied by the number of order and twist > critera, which seem to apply to all the other proposals. Trevor _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
