[cryptography] Curve25519 OID

James A. Donald jamesd at echeque.com
Mon Oct 7 22:32:30 EDT 2013


On 2013-10-08 03:40, Billy Brumley wrote:
> People seem to be mixing curve25519 as a function and curve25519 as a 
> ... well, curve (I prefer this).
>
> The form Samuel gives is compatible with many standards. And of course 
> it can be used for digital signatures. Implementations can choose to 
> transform to and from the Montgomery form and benefit from all the 
> implementation slickness.
>
> I suspect Dan wouldn't like this because, viewing curve25519 as just a 
> curve and in "standards compatible form", there's so many ways an 
> implementation would violate all that curve25519 as a function brings 
> to the table. I can expand on these horror scenarios, or just use your 
> imagination.

I would appreciate expansion on all these horror scenarios.

Most of the desirable characteristics of curve25519 are things that make 
it different from NIST curves, for example montgomery coordinates 
protect you against point compression patents, since you don't calculate 
y, therefore cannot violate someone's patent for calculating y, not to 
mention that point compression, montgomery coordinate style, has prior 
art going a long way back.

Further, we should automatically distrust everything touched by NIST, 
because we cannot invest the time, energy and thought to check out 
everything they have touched.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20131008/03e00abb/attachment.html>


More information about the cryptography mailing list