On Sat, Sep 12, 2015 at 6:33 PM, Trevor Perrin <[email protected]> wrote:
> There's an updated paper and new code for MSR's FourQ curve:
>
> http://eprint.iacr.org/2015/565
>
> http://research.microsoft.com/en-us/projects/fourqlib/
>
> I tossed the numbers into the spreadsheet at [1], but the paper has a
> better performance analysis across several platforms.
>
> What do people think?
>
> Without using the endomorphisms the performance is better than 25519,
> and then endomorphisms are close to a 2x speedup. And if unencumbered
> use of the endomorphisms is just ~4 years away [2], that's not that
> long, in the scheme of things.

The FourQ paper insists that rejecting invalid points is a viable implementation strategy that provides compatibility with existing software. Recently, teams have independently rediscovered (or perhaps just republicized) vulnerabilities in Bouncycastle version 1.50 that stemmed from not validating points. It may be true that their software properly handles all inputs, and carefully documents what callers must do to get the claimed security. But in practice we know that reimplementation frequently happens, and that these reimplementations frequently contain issues around point validation. When callers are asked to apply nontrivial amounts of care, they often fail. This is an issue for Kummer surfaces also, but there we do not know how to attack invalid points.

>
> Trevor
>
> [1]
> https://docs.google.com/spreadsheets/d/1SO3NGX-EgIZ1slw9uExb5FoeFy5TVkuA2lEutP6roYI/edit#gid=0
>
> [2] https://moderncrypto.org/mail-archive/curves/2014/000133.html
> _______________________________________________
> Curves mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/curves

--
"Man is born free, but everywhere he is in chains". --Rousseau.
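The point-validation step the reply argues callers cannot be trusted to perform, as an added example that is not part of the thread or of FourQLib: it uses Ed25519's twisted Edwards parameters as a stand-in (FourQ's parameters are not given here) and rejects inputs that are off the curve or of small order. The sample points are constructed for illustration.

```python
# Added example: point validation on a twisted Edwards curve a*x^2 + y^2 = 1 + d*x^2*y^2.
# Ed25519's parameters (a = -1) stand in for FourQ's, which the thread does not list.
P = 2**255 - 19
A = -1
D = (-121665 * pow(121666, -1, P)) % P
L = 2**252 + 27742317777372353535851937790883648493  # order of the prime subgroup
IDENTITY = (0, 1)

def on_curve(pt):
    """Curve-membership check: rejects off-curve (invalid-curve) inputs."""
    x, y = pt
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P == 0

def add(p1, p2):
    # Unified addition law; complete for a = -1 and non-square d, so no special cases.
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, -1, P)
    y3 = (y1 * y2 - A * x1 * x2) * pow(1 - t, -1, P)
    return (x3 % P, y3 % P)

def scalar_mult(k, pt):
    result = IDENTITY
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

def validate_point(pt):
    """True only for a point on the curve with exact order L (not identity, not small-order)."""
    x, y = pt
    if not (0 <= x < P and 0 <= y < P) or not on_curve(pt) or pt == IDENTITY:
        return False
    return scalar_mult(L, pt) == IDENTITY  # fails for any point with a small-order component

def recover_x(y):
    """x from y via x^2 = (y^2 - 1)/(d*y^2 - a); either square root works here."""
    x2 = (y * y - 1) * pow(D * y * y - A, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)           # square root for p = 5 mod 8
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return x

BASE_Y = 4 * pow(5, -1, P) % P            # Ed25519 base point has y = 4/5
BASE = (recover_x(BASE_Y), BASE_Y)
SMALL_ORDER = (0, P - 1)                  # constructed: on the curve, but order 2
OFF_CURVE = (1, 1)                        # constructed: not on the curve at all

if __name__ == "__main__":
    for name, pt in [("base", BASE), ("small-order", SMALL_ORDER), ("off-curve", OFF_CURVE)]:
        print(name, "on_curve:", on_curve(pt), "valid:", validate_point(pt))
```

The small-order point passes the on-curve check alone, which is why the subgroup check (or equivalent cofactor handling) has to accompany it.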
