On 10/13/2014 06:14 PM, Tony Arcieri wrote:
> On Mon, Oct 13, 2014 at 7:51 AM, Derek Miller <dreemkil...@gmail.com> wrote:
>
> > If the NIST curves are weak in a way that we don't understand, this
> > means that ECC has properties that we don't understand.
>
> While there's djb's worry that the NSA may have tweaked a curve
> parameter in such a way as to generate a curve with a one-in-a-million
> weakness that only they know how to exploit, the NIST curves are weak in
> other known ways:
>
> https://safecurves.cr.yp.to
>
> Additionally, newer curves are being picked with an emphasis on performance

djb also tries to explain why his choices of curve parameters are of the
"nothing-up-my-sleeve" variety (like "smallest number that satisfies
such and such security property"). See for instance sections 1.2 and 2 of
the Curve41417 paper:

http://eprint.iacr.org/2014/526.pdf

Ondrej