On Wed, 2016-02-24 at 18:20 +0000, Salz, Rich wrote:
> > http://cryptoexperts.github.io/million-dollar-curve/
>
> Who are these folks? What is wrong with 25519 and/or 448?

From the paper:

Q2. Is there anything wrong with Curve25519?

No. We, at CryptoExperts, actually use Curve25519 and recommend it to our partners. Yet, we think that people should not rely on the same few safe curves that are currently out. Our methodology allows to easily produce safe alternatives.

Q3. Curve25519 vs. Million Dollar Curve

Curve25519 was designed to be as fast as possible, with no security compromise. This is both a strength and a potential weakness:
– a strength because it gives a valid argument that no trapdoor was introduced in the design,
– a potential weakness because Curve25519 uses a very specific prime field.

As of now, no attack exploiting this specificity is known. For applications where speed is paramount, Curve25519 is probably the best option. But for most applications, where losing a little on the efficiency side is “not a big deal”, Million Dollar Curve is probably the safest choice.

See also the answer by Ruggero on Stack Exchange.
