[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ECC curves that are safe safecurves.cr.yp.to

To: [email protected], [email protected]
Subject: ECC curves that are safe safecurves.cr.yp.to
From: [email protected] (Peter Gutmann)
Date: Sat, 11 Jan 2014 14:38:25 +1300
In-reply-to: <[email protected]>

gwen hastings <[email protected]> writes:

>DJ Bernstein and Tanja Lange did a study on which ECC curves are safe to
>implement and use, found at http://safecurves.cr.yp.to/

Some of their objections seem pretty subjective though, I mean they don't like
the Brainpool curves because of:

  Several unexplained decisions: Why SHA-1 instead of, e.g., RIPEMD-160 or
  SHA-256? Why use 160 bits of hash input independently of the curve size? Why
  pi and e instead of, e.g., sqrt(2) and sqrt(3)? Why handle separate key
  sizes by more digits of pi and e instead of hash derivation? Why counter
  mode instead of, e.g., OFB? Why use overlapping counters for A and B
  (producing the repeated 26DC5C6CE94A4B44F330B5D9)? Why not derive separate
  seeds for A and B?

Is that really a big deal?  SHA-1 vs. RIPEMD-160.

Peter.

References:
- ECC curves that are safe safecurves.cr.yp.to
  - From: [email protected] (gwen hastings)

Prev by Date: Swartz, Weev & radical libertarian lexicon (Re: Jacob Appelbaum in Germany - Aaron Swartz)
Next by Date: Your errors about me in your book.
Previous by thread: ECC curves that are safe safecurves.cr.yp.to
Next by thread: Fw: Hi, I'm from the government (addenda)
Index(es):
- Date
- Thread