[146971] in cryptography@c2.net mail archive
[Cryptography] Time for djb's Edwards curves in TLS?
daemon@ATHENA.MIT.EDU (Viktor Dukhovni)
Tue Sep 10 15:07:47 2013
X-Original-To: cryptography@metzdowd.com
Date: Tue, 10 Sep 2013 16:15:38 +0000
From: Viktor Dukhovni <cryptography@dukhovni.org>
To: cryptography@metzdowd.com
Reply-To: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
Is there a TLS WG draft adding djb's Curve1174 to the list of named
curves supported by TLS? If there's credible doubt about the safety
of the NIST curves, it seems that Curve1174 (in Edwards form) would
make a good choice for EECDH, perhaps coupled with a similar curve
with ~512 bits.
Slides with rationale:
http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf
Detailed paper motivating Curve1174:
http://cr.yp.to/elligator/elligator-20130527.pdf
The current situation with EECDH over the NIST prime curves not
shown compromised, but no longer trusted is rather sub-optimal.
--
Viktor.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
