On Mon, Jan 22, 2018 at 7:21 PM, Russell O'Connor <rocon...@blockstream.io> wrote:
> At this point, is it better just to use GF(2^256+n)? Is GF(2^256+n) going
> to be that much slower than GF(2^8) that we care to make things this
> complicated? (I honestly don't know the answer.)
I expect it would be, especially since operations must be implemented in side-channel-resistant manners. Also, binary extension fields are going to have linear subgroup properties where leaking part of elements wouldn't be good. Not as obviously broken as the example I gave above, but still in the domain of "get chunks of a lot of a supra-threshold set of shares, and set up a lattice basis problem that can provide an efficient subspace to search".

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
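The "linear subgroup" point above can be made concrete. The following is an added illustration, not code from the thread or from any of the participants: in GF(2^8) (a binary extension field), every bit of a Shamir share is a GF(2)-linear function of the bits of the secret and of the random polynomial coefficients, so an attacker who gets a few bits from each of many shares is solving a linear system over GF(2) with Gaussian elimination rather than a lattice problem. The field polynomial (the AES one), the threshold, the secret value and the leakage model (one bit per share, at a bit position that varies per share, as a side channel might expose) are all assumptions made for the example. The example also shows the caveat that leaking the same bit position from every share only reveals that one bit of the secret, because the constant term enters every share through the same functional.

```python
"""Added example (not from the bitcoin-dev thread): partial leakage of
GF(2^8) Shamir shares is a GF(2)-linear system in the secret's bits.

Assumptions: AES reduction polynomial, threshold t, and a constructed
leakage model (one bit of each share, at a per-share bit position)."""
import random

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (AES polynomial; assumption)


def gf_mul(a, b):
    """Multiply in GF(2^8) without secret-dependent branches or table lookups."""
    r = 0
    for _ in range(8):
        r ^= a & -(b & 1)                      # mask instead of `if b & 1`
        b >>= 1
        carry = -(a >> 7)                      # all-ones if a's top bit is set
        a = ((a << 1) ^ (POLY & carry)) & 0xFF
    return r


def eval_poly(coeffs, x):
    """Evaluate sum_j coeffs[j] * x^j in GF(2^8); coeffs[0] is the secret."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def leak_row(x, b, t):
    """GF(2)-linear functional 'bit b of the share at x' over the 8*t unknown
    coefficient bits (bit k of the row is coefficient k//8, bit k%8).
    Built by evaluating the share on each unit vector, which is valid only
    because share evaluation is GF(2)-linear in the coefficients."""
    row = 0
    for k in range(8 * t):
        e = [0] * t
        e[k // 8] = 1 << (k % 8)
        if (eval_poly(e, x) >> b) & 1:
            row |= 1 << k
    return row


def solve_gf2(rows, n):
    """Reduced Gaussian elimination over GF(2). rows: (mask, rhs) pairs.
    Returns (solution_bits_or_None, rank); None when the system is underdetermined."""
    pivots = {}                                # pivot bit -> (mask, rhs)
    for mask, rhs in rows:
        for p, (pm, pr) in pivots.items():     # reduce by existing pivots
            if (mask >> p) & 1:
                mask ^= pm
                rhs ^= pr
        if mask == 0:
            if rhs:
                raise ValueError("inconsistent leakage")
            continue
        p = mask.bit_length() - 1
        for q in list(pivots):                 # keep other pivot rows free of bit p
            qm, qr = pivots[q]
            if (qm >> p) & 1:
                pivots[q] = (qm ^ mask, qr ^ rhs)
        pivots[p] = (mask, rhs)
    if len(pivots) < n:
        return None, len(pivots)
    sol = 0                                    # full rank: each pivot row is a single bit
    for p, (_, pr) in pivots.items():
        sol |= pr << p
    return sol, n


def recover_secret(leaks, t):
    """leaks: (x, bit_position, bit_value) triples. Returns (secret_or_None, rank)."""
    rows = [(leak_row(x, b, t), v) for x, b, v in leaks]
    sol, rank = solve_gf2(rows, 8 * t)
    return (None if sol is None else sol & 0xFF), rank


def split(secret, t, rng):
    """Constructed dealer: shares at every nonzero x in GF(2^8)."""
    coeffs = [secret] + [rng.randrange(256) for _ in range(t - 1)]
    return {x: eval_poly(coeffs, x) for x in range(1, 256)}


def attack_varying_bit(seed=1, t=3, secret=0xC3):
    """Each share leaks one bit at a per-share position: the secret falls out."""
    rng = random.Random(seed)
    shares = split(secret, t, rng)
    leaks = []
    for x, y in shares.items():
        b = rng.randrange(8)                   # constructed leakage position
        leaks.append((x, b, (y >> b) & 1))
    return recover_secret(leaks, t)


def attack_same_bit(seed=1, t=3, secret=0xC3, b=0):
    """Every share leaks the same bit position: the system stays rank-deficient,
    since the secret only ever enters through its own bit b."""
    rng = random.Random(seed)
    shares = split(secret, t, rng)
    leaks = [(x, b, (y >> b) & 1) for x, y in shares.items()]
    return recover_secret(leaks, t)


if __name__ == "__main__":
    print("varying bit position:", attack_varying_bit())
    print("same bit position:   ", attack_same_bit())
```

A prime field GF(p) does not have this structure: the low bits of a share are not a linear function of the secret's bits, which is why leakage there turns into the lattice-style problem the post mentions rather than plain linear algebra.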