On Wed, Jul 8, 2015 at 3:12 AM, Tony Arcieri <[email protected]> wrote:
> I made this poster for the DEFCON Crypto and Privacy Village. It's intended
> for audiences of mixed ability levels:
>
> https://i.imgur.com/hwbSRHh.png
>
> Would appreciate technical feedback on it. If you'd like to suggest copy
> changes, please consider design constraints (i.e. available room on the
> page).
Very nice poster; just an unsolicited opinion that won't help you with your poster...

There are many, many things on the internet which have focused on the point addition formula. Which is certainly interesting (because it's far from obvious that addition could work at all!), but it's my experience that too much attention on the addition mechanics results in people knowing a lot of things without having a lot of understanding.

A concrete result of this is 1,001 _really_ slow, timing-attack-vulnerable, naive, incidentally insecure (e.g. bad RNGs), and sometimes incorrect implementations of ECC in the scripting language du jour, but very little work in doing interesting things algebraically -- interesting optimizations, new protocols... most of that is nowhere to be found. Which is unfortunate, because you actually can often do those things while the point arithmetic is a black box.

I think people might benefit more from some better understanding of how you get rich and interesting cryptosystems out of such a simple construct as an additively homomorphic cryptographic hash (one way of looking at what a DL-hard group gives you), even if it's at the expense of teaching them about the chord-and-tangent addition, which hopefully 99.999% of them will never need to implement. The mechanical-knowledge-of-the-procedure is especially dangerous because it gives people no intuition about what is likely to be safe vs. unsafe.

Hairsplitting on Montgomery: off-curve points are potentially problematic, at least in contrived protocols, if the curve is not also twist-secure. The x-only ladder lets you skip the sqrt needed to recover y (hurray for speed!), but the sqrt would have also told you if the point was on the curve. So I think really the security point being made there is about twist security, not about Montgomery. With respect to the speed: performing a multiply x-only is possible for other curves too and isn't unique to Montgomery (though perhaps uniquely efficient there?)
It is also not correct that all curve equations can be converted into all other ones (text under your curve forms headings). Rather, any of these can be converted to a Weierstrass equation, but -- for example -- Montgomery (at least as normally defined) can only be used when the group has a cofactor which is divisible by 4.

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
