[cryptography] What's the point of using non-NIST ECC Curves?

Ondrej Mikle ondrej.mikle at nic.cz
Mon Oct 13 12:27:30 EDT 2014


On 10/13/2014 06:14 PM, Tony Arcieri wrote:
> On Mon, Oct 13, 2014 at 7:51 AM, Derek Miller <dreemkiller at gmail.com
> <mailto:dreemkiller at gmail.com>> wrote:
> 
>     If the NIST curves are weak in a way that we don't understand, this
>     means that ECC has properties that we don't understand.
> 
> 
> While there's djb's worry that the NSA may have tweaked a curve
> parameter in such a way as to generate a curve with a one-in-a-million
> weakness that only they know how to exploit, the NIST curves are weak in
> other known ways:
> 
> https://safecurves.cr.yp.to
> 
> Additionally, newer curves are being picked with an emphasis on performance 

djb also tries to explain why his choices of curve parameters are of the
"nothing-up-my-sleeve" variety (like "smallest number that satisfies
such and such security property"). See for instance section 1.2 and 2 of
the Curve41417 paper: http://eprint.iacr.org/2014/526.pdf

Ondrej

