Trevor Perrin wrote on 15.06.2015 at 22:24:
> On Mon, Jun 15, 2015 at 11:54 AM, Watson Ladd <[email protected]> wrote:
>>
>> On Jun 15, 2015 11:32 AM, "Trevor Perrin" <[email protected]> wrote:
>>>
>>> Lochter's complaint may be more about the tone of BADA55 than its
>>> contents, but he has a point - BADA55 focuses on
>>> "nothing-up-my-sleeve" curves, but doesn't do a similarly deep
>>> analysis of the flexibility of performance-based curve choices like
>>> 25519 or 448.
>>
>> That flexibility is far less.
>
> Maybe. My point was neither the BADA55 paper - nor yourself - are
> quantifying that flexibility and providing a serious analysis, like
> BADA55 did for Brainpool.
>
> Even your sketch below suggests thousands of choices.
>
> If this is between a 1-in-few-thousand process (performance-based) vs
> 1-in-a-million (nothing-up-my-sleeve-numbers-based), it's not clear
> this is an important distinction - or that these analyses are accurate
> enough to be meaningful.
>
> Anyways, more precision here would be useful, if anyone wants to take that up.
>
I had posted a detailed answer to the BADA55 paper on the CFRG list,
where I explain why I deem its analysis unsuitable for the Brainpool
curves.

http://www.ietf.org/mail-archive/web/cfrg/current/msg05353.html

Of course, there are some degrees of freedom in the procedure, but IMHO
these have been grossly overestimated in the BADA55 paper. The
flexibility is small enough to give a very high confidence in the
procedure - apart from the fact that the procedure was agreed upon in an
open process among the ECC Brainpool participants which included Tanja
Lange.

Johannes

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
