On Tue, 2016-09-27 at 05:28 +0000, Zooko Wilcox-OHearn wrote: > I was totally wrong about this. Our performance bottleneck is in a > path (zk-SNARK proving) that doesn't require pairing operations, so > using a curve which was 2.5 times slower at pairing operations would > not worsen our performance issues. However, if it was also 2.5 slower > for curve operations, then it would.
It's still slower for scalar multiplication due to being a larger curve, no? In any case, you said there are no risks to the anonymity here, so an alternative to changing curves might be to prevent attacks from being profitable by capping the maximum value in a transaction or account, right? In the short term, this should not require dong anything. Jeff
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Curves mailing list Curves@moderncrypto.org https://moderncrypto.org/mailman/listinfo/curves