[Cryptography] Many curves versus one curve
David Leon Gil
coruus at gmail.com
Sun Aug 10 19:36:55 EDT 2014
On Sunday, August 10, 2014, William Allen Simpson <
william.allen.simpson at gmail.com
<javascript:_e(%7B%7D,'cvml','william.allen.simpson at gmail.com');>> wrote:
> E.g., ECDSA is not subject to key-share attacks if all users use the same
>> curve; it is, if arbitrary curves are permitted.
>> (Koblitz and Menezes discuss this in their 'Another look' papers.)
>>
>> Which one?
They may mention this in 'Serpentine course', but 'Security definitions'
has the most succinct description, at 2.2.4:
http://cacr.uwaterloo.ca/~ajmeneze/anotherlook/papers/definitions.pdf
(This is unrelated to nonce issues, by the way.)
That is the argument we've been making for over 20 years.
I claim no priority!
-dlg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140810/3cd49714/attachment.html>
More information about the cryptography
mailing list