ECC curves that are safe safecurves.cr.yp.to
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Jan 10 17:38:25 PST 2014
gwen hastings <gwen at cypherpunks.to> writes:
>DJ Bernstein and Tanja Lange did a study on which ECC curves are safe to
>implement and use, found at http://safecurves.cr.yp.to/
Some of their objections seem pretty subjective though, I mean they don't like
the Brainpool curves because of:

  Several unexplained decisions: Why SHA-1 instead of, e.g., RIPEMD-160 or
  SHA-256? Why use 160 bits of hash input independently of the curve size? Why
  pi and e instead of, e.g., sqrt(2) and sqrt(3)? Why handle separate key
  sizes by more digits of pi and e instead of hash derivation? Why counter
  mode instead of, e.g., OFB? Why use overlapping counters for A and B
  (producing the repeated 26DC5C6CE94A4B44F330B5D9)? Why not derive separate
  seeds for A and B?

Is that really a big deal? SHA-1 vs. RIPEMD-160.
Peter.
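
The "overlapping counters for A and B" point in the quoted SafeCurves passage, as an added example that is not part of the original post or of the Brainpool specification: a simplified model of SHA-1 counter-mode expansion next to the published brainpoolP256r1 coefficients from RFC 5639. The function names, the constructed seed, and the choice of B's seed as A's seed plus one are assumptions made for illustration.

```python
import hashlib

HASH_BITS = 160  # SHA-1 output size, the same for every curve size

def sha1_int(z):
    """SHA-1 of z encoded as a 160-bit big-endian string, as an integer."""
    data = (z % (1 << HASH_BITS)).to_bytes(HASH_BITS // 8, "big")
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def split(bits):
    """(v, w): count of full hash blocks, width of the truncated first block."""
    v = (bits - 1) // HASH_BITS
    return v, bits - 1 - HASH_BITS * v

def find_integer(seed, bits):
    """Counter mode: low w bits of H(seed), then H(seed+1) .. H(seed+v)."""
    v, w = split(bits)
    out = sha1_int(seed) & ((1 << w) - 1)
    for i in range(1, v + 1):
        out = (out << HASH_BITS) | sha1_int(seed + i)
    return out

def overlap(a, b, bits):
    """w bits of H(seed+1) that sit inside a and also lead b, else None."""
    v, w = split(bits)
    if v == 0:
        return None  # a single truncated block: nothing to share
    in_a = (a >> (HASH_BITS * (v - 1))) & ((1 << w) - 1)
    head_b = b >> (HASH_BITS * v)
    return in_a if in_a == head_b else None

def model_pair(seed, bits):
    """Assumed seeding: B starts one counter step after A, so blocks overlap."""
    return find_integer(seed, bits), find_integer(seed + 1, bits)

# Published brainpoolP256r1 coefficients (RFC 5639).
BP256_A = 0x7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
BP256_B = 0x26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6

# Constructed sample seed, not a Brainpool seed.
CONSTRUCTED_SEED = 0x0123456789ABCDEF0123456789ABCDEF01234567

if __name__ == "__main__":
    a, b = model_pair(CONSTRUCTED_SEED, 256)
    print("model A/B share:          ", format(overlap(a, b, 256), "X"))
    print("brainpoolP256r1 A/B share:", format(overlap(BP256_A, BP256_B, 256), "X"))
```
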