2010 Reports :  Cryptology ePrint Archive Forum
Discussion forum for Cryptology ePrint Archive reports posted in 2010. Please put the report number in the subject.  

Current Page: 1 of 1
Results 1 - 14 of 14
03-Dec-2010 13:38
johnston
Here we go again. The problem here is not science. It's rhetoric. Here we have someone who is entirely confined to a premise that certain problems are difficult (e.g. DLP, CDH, DDH). This pers
Forum: 2010 Reports
03-Dec-2010 04:57
djb
Here's an illustrative example. An application generates a uniform random integer a_6 modulo a large prime p. What's the chance that the curve y^2=x^3-3x+a_6 is a "maximal" elliptic curve over F_p, i.
Forum: 2010 Reports
29-Nov-2010 16:31
johnston
We could have done this over email. "Only about x^2/(log(x))^2 of those curves have prime or near prime order." --djb This is wrong, and everything concluded from it is also wrong. The mistake
Forum: 2010 Reports
29-Nov-2010 04:12
djb
As I said: Choosing a prime power q<=x and an elliptic curve E over F_q up to isomorphism produces about x^2/log x choices of curves. Only about x^2/(log x)^2 of those curves have prime or near-prime
Forum: 2010 Reports
28-Nov-2010 12:15
johnston
Dan, do you really think the issue here is about "isomorphisms" of elliptic curves? A first year student knows this isn't the case. Isomorphism needs to be isogeny. Do you understand elliptic curve
Forum: 2010 Reports
27-Nov-2010 14:57
djb
No, there was never any regression in IEEE P1363 on this issue. In particular, the prime-or-power-of-2 requirement was never dropped from the IEEE P1363 curve-generation and curve-verification algorit
Forum: 2010 Reports
27-Nov-2010 10:43
johnston
So, let's recap. We've dropped the "wild exaggerations" complaint about the title. We've accepted the fact that these curves occur in your work. And we've dropped the complaint that my work might n
Forum: 2010 Reports
27-Nov-2010 04:00
djb
I've checked a 1999 draft of IEEE P1363. The "algorithm for generating EC parameters" (A.16.7) requires the field size q to be "an odd prime p or 2^m." The "algorithm for validating EC parameters" has
Forum: 2010 Reports
26-Nov-2010 21:29
johnston
So, you drop the "title" debate. We are making progress! Let's try for some more. Let's also work on formatting so that as you abandon certain issues and try to bring up new ones, I can keep a clea
Forum: 2010 Reports
26-Nov-2010 17:30
djb
No, these curves don't show up in my ECC work. The talk that Johnston cited recommends precisely one elliptic curve for cryptography, namely Curve25519, and of course Curve25519 (like all of the NIST
Forum: 2010 Reports
25-Nov-2010 11:27
johnston
As to the reference to your own work where these curves show up, I disagree with you that someone would be inspired to fix the problem with a magic internet search inspired by the words "et al." This
Forum: 2010 Reports
25-Nov-2010 08:12
djb
No. All ECC standards in the past ten years are immune to Weil-descent attacks. The only fields allowed by the standards are F_p and F_{2^p} for various sensible choices of p. The safety of F_p agains
Forum: 2010 Reports
22-Nov-2010 21:45
johnston
To hit those who work on this problem with the "standards" complaint is disingenuous. First, it's wrong, and second, it's unhelpful. Although some standards (like NIST) certainly forbid the base f
Forum: 2010 Reports
22-Nov-2010 02:48
djb
2010/575 says that it speeds up ECDLP for a "large class of elliptic curves." In fact, the elliptic curves targeted in this paper are quite special and rare, and are already excluded by every ECC stan
Forum: 2010 Reports
Current Page: 1 of 1

Search Messages   Search Authors