Hi folks, I've got a few naive questions about Goldilocks.

Why would somebody use Curve448? Curve25519 is 126 bits, which I thought was considered unfeasible to break, and DJB wrote back in 2006, "Breaking the Curve25519 function—for example, computing the shared secret from the two public keys—is conjectured to be extremely difficult. Every known attack is more expensive than performing a brute-force search on a typical 128-bit secret-key cipher." I don't know whether or not this claim still holds in 2015. Do folks have doubts about 25519? Are these realistic doubts to have for the next, say, 50 years?

Does anybody know of a simple and minimal implementation of DH on 448 (not signatures) that's as pleasant to use as curve25519-donna? I like how donna is essentially one file with one public function. This makes it very easy to use and integrate. I'd love to have something similar for Curve448 to play around with.

How come Curve448 is receiving much attention, but Curve41417 is not? Is 448 faster? More easily implemented in a secure fashion?

Thanks,
Jason

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
