[tahoe-dev] elliptic curves with verifiably pseudorandom parameters
David-Sarah Hopwood
david-sarah at jacaranda.org
Mon Feb 14 11:05:23 PST 2011
On 2011-02-14 07:19, Zooko O'Whielacronx wrote:
> (Part two in an on-going series of comments on this ticket, at a rate
> of approximately one per night, apparently. :-))
>
> Here is my pitch for why we should consider using Brainpool curves
> instead of NIST curves. The key technical difference is that the
> Brainpool parameters were generated in a verifiably pseudorandom way,
> so they are unlikely to have some sort of backdoor built into the
> choice of parameters:
>
> http://tools.ietf.org/html/rfc5639
I approve of using Brainpool curves. I actually think the fact that
the curves are of prime order is more important than the verifiably
pseudorandom generation, since that defeats small-subgroup attacks
that are demonstrably practical.
(There are other ways to prevent small-subgroup attacks, but using
a prime-order curve is the simplest way.)
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
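As an added, runnable illustration of the point made above about prime order (this is example code written for this page, not code from the thread or from Tahoe-LAFS): a toy curve with cofactor 4 over F_43 and a prime-order curve over F_11, both constructed here for illustration and not real parameters, an attacker-chosen low-order point that leaks the victim's secret modulo the small order on the cofactor curve, and the public-key validation (q*P == O) that is one of the "other ways" to stop the attack. The curve equations, field sizes and function names are assumptions of this example.

```python
# Added example (not from the tahoe-dev thread): why a prime-order curve rules
# out small-subgroup attacks, and what point validation a cofactor curve needs.
# Curves are constructed over tiny fields for illustration, not real parameters.
O = None  # point at infinity (group identity)


class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over the prime field F_p."""

    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a, b
        assert (4 * a ** 3 + 27 * b ** 2) % p != 0, "singular curve"

    def on_curve(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        p = self.p
        if P is O:
            return Q
        if Q is O:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return O  # P + (-P), also covers doubling a point with y == 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        return (x3, (lam * (x1 - x3) - y1) % p)

    def mul(self, k, P):
        """Double-and-add scalar multiplication k*P."""
        R = O
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def points(self):
        """All rational points, by brute force (fine for a toy p)."""
        pts = [O]
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            pts += [(x, y) for y in range(self.p) if y * y % self.p == rhs]
        return pts

    def order_of(self, P):
        n, R = 1, P
        while R is not O:
            R, n = self.add(R, P), n + 1
        return n


# y^2 = x^3 + x over F_43 has 44 = 4 * 11 points: cofactor h = 4, q = 11.
COFACTOR_CURVE, COFACTOR_H, COFACTOR_Q = Curve(43, 1, 0), 4, 11
# y^2 = x^3 + x + 6 over F_11 has 13 points, a prime: h = 1, q = 13.
PRIME_CURVE, PRIME_Q = Curve(11, 1, 6), 13


def point_orders(curve):
    """Set of orders of all non-identity points on the curve."""
    return {curve.order_of(P) for P in curve.points() if P is not O}


def low_order_points(curve, h):
    """Non-identity points killed by the cofactor: h*P == O. Empty when h == 1."""
    return [P for P in curve.points() if P is not O and curve.mul(h, P) is O]


def small_subgroup_attack(curve, victim_secret, attacker_point):
    """The victim computes s*P for an attacker-chosen low-order P, as an
    unchecked ECDH peer would; the attacker then recovers s mod ord(P)
    by brute force over the tiny subgroup. Returns (s mod ord(P), ord(P))."""
    shared = curve.mul(victim_secret, attacker_point)
    small_order = curve.order_of(attacker_point)
    for guess in range(small_order):
        if curve.mul(guess, attacker_point) == shared:
            return guess, small_order


def validate_peer_point(curve, q, P):
    """Full public-key validation: on the curve, not the identity, and in the
    prime-order subgroup (q*P == O). On a prime-order curve the last check is
    implied by the first two; with h > 1 it is what stops the attack.
    Multiplying the peer point by h before use is the other common defence."""
    return P is not O and curve.on_curve(P) and curve.mul(q, P) is O


if __name__ == "__main__":
    print("orders on cofactor curve:", sorted(point_orders(COFACTOR_CURVE)))
    print("orders on prime-order curve:", sorted(point_orders(PRIME_CURVE)))
    for P in low_order_points(COFACTOR_CURVE, COFACTOR_H):
        print("low-order point", P, "leaks", small_subgroup_attack(COFACTOR_CURVE, 27, P),
              "validation accepts it:", validate_peer_point(COFACTOR_CURVE, COFACTOR_Q, P))
    print("low-order points on prime-order curve:", low_order_points(PRIME_CURVE, 4))
```

On the cofactor curve every non-identity point has order 2, 4, 11, 22 or 44, and the three points killed by h = 4 let the attacker learn the victim's secret modulo 2 or 4 from one unchecked exchange; the q*P == O check rejects exactly those points. On the prime-order curve every non-identity point has order 13, so there is no low-order point for the attacker to send and the subgroup check adds nothing beyond on-curve and not-identity.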