[tahoe-dev] elliptic curves with verifiably pseudorandom parameters

David-Sarah Hopwood david-sarah at jacaranda.org
Mon Feb 14 11:05:23 PST 2011


On 2011-02-14 07:19, Zooko O'Whielacronx wrote:
> (Part two in an on-going series of comments on this ticket, at a rate
> of approximately one per night, apparently. :-))
> 
> Here is my pitch for why we should consider using Brainpool curves
> instead of NIST curves. The key technical difference is that the
> Brainpool parameters were generated in a verifiably pseudorandom way,
> so they are unlikely to have some sort of backdoor built into the
> choice of parameters:
> 
> http://tools.ietf.org/html/rfc5639

I approve of using Brainpool curves. I actually think the fact that
the curves are of prime order is more important than the verifiably
pseudorandom generation, since that defeats small-subgroup attacks
that are demonstrably practical.

(There are other ways to prevent small-subgroup attacks, but using
a prime-order curve is the simplest way.)

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
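
An added example, not code from this thread or from Tahoe-LAFS, to make the small-subgroup point concrete. It uses two constructed textbook-sized curves: y^2 = x^3 + x + 1 over GF(23), which has 28 points (cofactor 4 times a subgroup of prime order 7), and y^2 = x^3 + 2x + 2 over GF(17), which has prime order 19. The attacker hands a victim doing static ECDH a point of order 4 on the cofactor curve; the shared point can then take only four values, so the victim's private key is exposed modulo 4 (the code stands in for a MAC or decryption oracle by revealing the shared point directly, an assumption). On the prime-order curve no such point exists. It also shows the public-key validation check (on the curve, not the identity, annihilated by the subgroup order n), which is one of the "other ways" of blocking the attack on a curve with cofactor; the curve parameters, names and the oracle are all assumptions of the example.

```python
# Added example (not from the tahoe-dev thread or Tahoe-LAFS): toy
# small-subgroup attack on ECDH and the checks that defeat it.
# The curves are constructed toy parameters; never use them for anything.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]   # None plays the point at infinity


@dataclass(frozen=True)
class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over GF(p), naive affine
    arithmetic (no side-channel protection; illustration only)."""
    p: int
    a: int
    b: int

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:   # P == -Q, including y == 0
            return None
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow((x2 - x1) % self.p, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """Double-and-add scalar multiplication k*P."""
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def points(self) -> List[Point]:
        """Brute-force enumeration of the group; only sane for toy p."""
        pts: List[Point] = [None]
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            for y in range(self.p):
                if (y * y) % self.p == rhs:
                    pts.append((x, y))
        return pts

    def order_of(self, P: Point) -> int:
        n, Q = 1, P
        while Q is not None:
            Q = self.add(Q, P)
            n += 1
        return n


def points_of_order(curve: Curve, m: int) -> List[Point]:
    return [P for P in curve.points() if P is not None and curve.order_of(P) == m]


def small_subgroup_leak(curve: Curve, d: int, bad_point: Point) -> int:
    """Attacker sends bad_point of small order m as its 'public key'. The
    victim computes d*bad_point, which can only be one of m points; once the
    attacker learns which (here the point is handed over directly, standing
    in for a MAC/decryption oracle), d mod m falls out of m trial multiplies."""
    m = curve.order_of(bad_point)
    shared = curve.mul(d, bad_point)            # victim's ECDH computation
    for k in range(m):                          # attacker's exhaustive search
        if curve.mul(k, bad_point) == shared:
            return k                            # equals d mod m
    raise AssertionError("unreachable: d*bad_point lies in <bad_point>")


def validate_peer_point(curve: Curve, n: int, P: Point) -> bool:
    """Public-key validation for a subgroup of prime order n: on the curve,
    not the identity, and annihilated by n (so not in a cofactor subgroup).
    On a prime-order curve every non-identity point passes this by itself."""
    return P is not None and curve.on_curve(P) and curve.mul(n, P) is None


# Constructed toy curves (assumptions of this example, not real parameters):
COFACTOR_CURVE = Curve(23, 1, 1)   # 28 points = 4 * 7: cofactor 4, subgroup order 7
PRIME_CURVE = Curve(17, 2, 2)      # 19 points, prime: no small-order points at all

if __name__ == "__main__":
    d = 13                                      # victim's static private key
    bad = points_of_order(COFACTOR_CURVE, 4)[0]
    print("order-4 point", bad, "leaks d mod 4 =", small_subgroup_leak(COFACTOR_CURVE, d, bad))
    print("validation rejects it:", not validate_peer_point(COFACTOR_CURVE, 7, bad))
    print("small-order points on prime-order curve:",
          [P for P in PRIME_CURVE.points() if P is not None and PRIME_CURVE.order_of(P) != 19])
```

On the cofactor-4 curve one malicious handshake reveals d mod 4; the damage scales with the cofactor (or, with an invalid-curve attack, with whatever small orders the attacker can find), which is why implementations that use cofactor curves must either validate the peer point as `validate_peer_point` does or clear the cofactor. On the prime-order curve the same search finds nothing, because every point other than the identity already has the full group order.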

