[Cryptography] IETF discussion on new ECC curves.
William Allen Simpson
william.allen.simpson at gmail.com
Mon Jul 28 21:05:14 EDT 2014
On 7/27/14 1:57 PM, Watson Ladd wrote:
> Picking from 6 curves means that 1/6 curves has to be weak to force the choice.
> Picking a BADA55 curve means 1/2^32 curves has to be weak. The rigidity issue
> is much less bad than you make it out to be.
>
> By contrast, rigidly picking curves ignoring performance means that
> people will use
> the small curve instead of the big curve, when they would prefer the
> medium curve.
> These curves are all about speed.
Never-the-less, all protocols should be designed so that one
party (usually the responder/server) lists all supported
algorithms, and the other party chooses from that list. This
avoids reliance on particular curves, and allows the parties to
choose appropriate strengths.
Who are we to decide that the application needs the "utmost"
security instead of speed?
Moreover, there are too few curves. We should also encourage as
many good curves to be published and analyzed as possible.
Certainly there are even better to come!
More information about the cryptography
mailing list