Tuesday, March 1, 2016, 5:41:09 PM, Thomas Baigneres wrote:
> We believe that, in general, relying on a single solution for
> cryptography always increases the risk.

surely. also reduces the cost. the question is where is the balance. as things are now, having our myriad of software implement a primitive is an enormous undertaking. not only do you need to get it into a number of libraries, but then you need to standardize it into rfcs, and add it to servers and clients. it is not something we want if there is no serious reason for it. and i claim that having two similar curves is not a serious reason. if we want a backup, pick some very different algo. pick something post-quantum, it does not matter if it is inefficient, nobody will use it, it is just a backup. but i think since we have RSA/DSA as backup, we can go five more years without something new.

> We agree that for busy servers speed is an issue. Still, most
> "busy" servers on the planet still use RSA over ECC.

i don't find this a compelling argument. most servers use old primitives because of the cost of transition, not because they don't care enough about performance. this is, again, an optimization problem. how much does verifiable randomness weigh against 2x speed? if i'm the buyer, sign me up for the 2x speed.

> Our opinion is that a generic implementation of an Edwards Curve (like
> Million Dollar Curve) is much simpler than an optimized
> implementation of Curve25519.

i don't find this argument compelling either. what we want is both performance and simplicity at the same time. they are, of course, contradictory to each other. you can also count safety (e.g. side channels) as a third factor. it is easy to excel in one aspect. it is easy to improve one at the expense of another. what is hard is to improve all. yet, that is what we want. and of course you can add verifiable randomness as a fourth variable. but the question is, again, what is the value of that? what weight will it have compared to the other three?

> For the record, we do believe Curve25519 is a great work and we
> will ourselves continue to use it as a backup plan for Million Dollar Curve
> ;-)

for the record: i don't think there is anything wrong with MDC, or its random generation method (although i haven't looked into the details). what i say is this: the benefits are lower, and the cost is higher than advertised. (also some very unfortunate wording on the website)

_______________________________________________
Curves mailing list
Curves@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/curves