> What do you guys think of this?:
> http://cryptoexperts.github.io/million-dollar-curve/

this is another case of solving a nonexistent problem. in particular, let's observe this mastery of misdirection:

> "ANSSI FRP256v1, NIST P-256, NIST P-384, Curve25519, secp256k1,
> brainpoolP256t1, Curve1174 and a few others. However, several of
> these curves parameters generation processes contain unjustified
> choices

yeah, several. but not all! so why put together a list of a few safe and a few unsafe curves, and then complain about the lack of security of some? the fact is, there are curves with a verifiable parameter choice.

what can we randomize?

we can't randomize the prime. we need a very carefully crafted prime to enable fast calculation modulo that prime. we need primes very close to powers of two, with the differences being at very specific locations. just check the goldilocks paper to see how hard it is to find a good prime. we don't have too many of them. the curve form (edwards, etc.) also comes from the same rationale.

goldilocks paper for the lazy: https://eprint.iacr.org/2015/625.pdf

we can randomize the curve parameter, like d for a montgomery curve. however, minimizing the constant has the same effect.

we can randomize the generator, but it does not make a whole lot of difference, and minimizing has the same effect.

so please explain to me, how randomizing improves security in any meaningful way. it does not.

_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves
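The "fix the prime, then minimize the constant" procedure the post contrasts with randomization, as an added toy example (not code from the post, the Curves list, or the million-dollar-curve project). It fixes a prime close to a power of two first, then scans upward for the smallest Montgomery coefficient A whose curve and twist have the Curve25519-style cofactors 8 and 4 with prime remaining orders; every step is reproducible by anyone, so there is nothing left to randomize. The toy prime 2^13 + 17 = 8209 is a constructed choice (prime, 1 mod 4 like 2^255 - 19) small enough to count points by brute force; the cheap checks on Curve25519's real p and A = 486662 use the known fact that A^2 - 4 must be a non-square there. The function names are this example's own.

```python
# Added example: deterministic "minimize the constant" Montgomery curve selection.
# The prime is fixed first (shape chosen for fast reduction), then the SMALLEST A
# that gives cofactor 8 on the curve and 4 on the twist is taken.

def is_probable_prime(n):
    """Miller-Rabin with 12 fixed bases: deterministic below ~3.3e24, strong beyond."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def legendre(a, p):
    """Legendre symbol (a/p) in {-1, 0, 1} via Euler's criterion (fine for 255-bit p)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def montgomery_orders(p, A, residues=None):
    """Naive point count of y^2 = x^3 + A*x^2 + x over F_p.

    #E = p + 1 + sum_x (f(x)/p); the quadratic twist has 2p + 2 - #E points.
    `residues` is an optional precomputed set of nonzero squares mod p, so the
    inner loop is a table lookup rather than a modular exponentiation.
    """
    if residues is None:
        residues = {x * x % p for x in range(1, p)}
    total = 0
    for x in range(p):
        fx = (x * x * x + A * x * x + x) % p
        if fx:
            total += 1 if fx in residues else -1
    n = p + 1 + total
    return n, 2 * p + 2 - n


def smallest_safe_A(p):
    """Smallest A with A = 2 (mod 4), so (A-2)/4 and (A+2)/4 are integers as for
    Curve25519's 486662, and A^2 - 4 a non-square (exactly one point of order 2),
    such that #E = 8*q and #twist = 4*q' with q, q' prime. Returns (A, q, q') or None."""
    residues = {x * x % p for x in range(1, p)}
    for A in range(6, p, 4):
        disc = (A * A - 4) % p
        if disc == 0 or disc in residues:
            continue
        n, t = montgomery_orders(p, A, residues)
        if n % 8 == 0 and t % 4 == 0 and is_probable_prime(n // 8) and is_probable_prime(t // 4):
            return A, n // 8, t // 4
    return None


# Constructed toy prime: 2^13 + 17 = 8209, prime and 1 mod 4 like 2^255 - 19,
# small enough for exhaustive point counting.
TOY_P = 2**13 + 17

# Curve25519's real parameters, for the checks that are cheap even at 255 bits.
P25519 = 2**255 - 19
A25519 = 486662

if __name__ == "__main__":
    print("2^255-19 prime:", is_probable_prime(P25519))
    print("Curve25519 A^2-4 non-square:", legendre(A25519**2 - 4, P25519) == -1)
    print("toy p prime:", is_probable_prime(TOY_P), "p mod 4 =", TOY_P % 4)
    print("smallest safe A for toy p (A, q, q'):", smallest_safe_A(TOY_P))
```

The scan over A stops at the first hit, which is the whole point: anyone re-running it gets the same A, and the only "choices" are the prime's shape and the cofactor targets, both of which are stated up front. Brute-force counting is O(p) per candidate and is only viable for the toy prime; for a real-size prime the same search needs Schoof/SEA point counting, but the selection logic is unchanged.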