On Wed, Feb 24, 2016 at 2:36 PM, Krisztián Pintér <[email protected]> wrote:
>
> Nathaniel McCallum <[email protected]> wrote:
>
>> – a potential weakness because Curve25519 uses a very specific
>> prime field.
>
> as well as every other curve on the planet. even nist curves use
> special primes.

No, Brainpool curves and million dollar curve use "randomly"-chosen primes.

Yes, this incurs a slowdown (~2x). Some would argue it's worth it because randomly-chosen primes might be more conservative than special-form primes. Others would argue that if you want to spend extra cycles in pursuit of security, you're better off with special-form primes but a larger curve (e.g. 448).

This has been debated many times, here and elsewhere. Lots of people (or at least me) seem happy with special-form primes.

Anyways, if this thread continues, hopefully someone can point out interesting aspects of this new curve or make some novel arguments; let's not repeat old debates.

Trevor

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
