Here we go again.
The problem here is not science. It's rhetoric. Here we have someone who is entirely confined to a premise that certain problems are difficult (e.g. DLP, CDH, DDH). This pers
Forum: 2010 Reports
Here's an illustrative example. An application generates a uniform random integer a_6 modulo a large prime p. What's the chance that the curve y^2=x^3-3x+a_6 is a "maximal" elliptic curve over F_p, i.
Forum: 2010 Reports
We could have done this over email.
"Only about x^2/(log(x))^2 of those curves have prime or near prime order." --djb
This is wrong, and everything concluded from it is also wrong. The mistake
Forum: 2010 Reports
As I said: Choosing a prime power q<=x and an elliptic curve E over F_q up to isomorphism produces about x^2/log x choices of curves. Only about x^2/(log x)^2 of those curves have prime or near-prime
Forum: 2010 Reports
Dan, do you really think the issue here is about "isomorphisms" of elliptic curves? A first year student knows this isn't the case. Isomorphism needs to be isogeny. Do you understand elliptic curve
Forum: 2010 Reports
No, there was never any regression in IEEE P1363 on this issue. In particular, the prime-or-power-of-2 requirement was never dropped from the IEEE P1363 curve-generation and curve-verification algorit
Forum: 2010 Reports
So, let's recap. We've dropped the "wild exaggerations" complaint about the title. We've accepted the fact that these curves occur in your work. And we've dropped the complaint that my work might n
Forum: 2010 Reports
I've checked a 1999 draft of IEEE P1363. The "algorithm for generating EC parameters" (A.16.7) requires the field size q to be "an odd prime p or 2^m." The "algorithm for validating EC parameters" has
Forum: 2010 Reports
So, you drop the "title" debate. We are making progress! Let's try for some more. Let's also work on formatting so that as you abandon certain issues and try to bring up new ones, I can keep a clea
Forum: 2010 Reports
No, these curves don't show up in my ECC work. The talk that Johnston cited recommends precisely one elliptic curve for cryptography, namely Curve25519, and of course Curve25519 (like all of the NIST
Forum: 2010 Reports
As to the reference to your own work where these curves show up, I disagree with you that someone would be inspired to fix the problem with a magic internet search inspired by the words "et al." This
Forum: 2010 Reports
No. All ECC standards in the past ten years are immune to Weil-descent attacks. The only fields allowed by the standards are F_p and F_{2^p} for various sensible choices of p. The safety of F_p agains
Forum: 2010 Reports
To hit those who work on this problem with the "standards" complaint is disingenuous. First, it's wrong, and second, it's unhelpful.
Although some standards (like NIST) certainly forbid the base f
Forum: 2010 Reports
2010/575 says that it speeds up ECDLP for a "large class of elliptic curves." In fact, the elliptic curves targeted in this paper are quite special and rare, and are already excluded by every ECC stan
Forum: 2010 Reports