AW: Re: ECC curve name from parameters
|
View:
New views
2 Messages
—
Rating Filter:
Alert me
|
 |
AW: Re: ECC curve name from parameters
by olaf.keller.bc@bluewin.ch
::
Rate this Message:
Hi Tomas
There is in fact an advantage of using the Brainpool curves compared to NIST (I do not know about Certicom). The NIST curves are chosen over prime fields having the property, that the primes can be written as the sum or difference of a small number of powers of 2. E.g. P_192 = 2^192 - 2^64 - 1. This property yields reduction algorithms (used e.g. in multiplication in the prime field) that are especially fast on machines with wordsize 32. This means, if your hard- and software cannot take advantage of this property, you will not have any speedup compared to using Brainpool curves. However, an adversary could make use of such a property to do faster cryptanalysis. And as Maarten already stated, the process of creating the Brainpool curves has been very well documented, see http://www.ecc-brainpool.org/download/Domain-parameters.pdf Hence, if speed is not an issue or if your hard- and software is not tuned to NIST curves, it looks like you're better off using Brainpool curves. Cheers, Olaf ----Ursprüngliche Nachricht---- Von: tomasg@... Datum: 06.10.2009 09:51 An: "Maarten Bodewes"<maarten.bodewes@...> Kopie: <dev-crypto@...> Betreff: Re: [dev-crypto] ECC curve name from parameters ... Btw, is there any advantage with brainpool curves compared to nist and certicom? Cheers, Tomas |
|
|
Re: AW: Re: ECC curve name from parameters
by Tomas Gustavsson-3
::
Rate this Message:
Very interesting, thanks for the info. Now I only wish that implementations such as HSMs and JDK would support brainpool as named curves one of these days... Regards, Tomas olaf.keller.bc@... wrote: > Hi Tomas > > There is in fact an advantage of using the Brainpool curves compared to NIST (I do not know about Certicom). > > The NIST curves are chosen over prime fields having the property, that the primes can be written as the sum or > difference of a small number of powers of 2. E.g. P_192 = 2^192 - 2^64 - 1. This property yields reduction algorithms > (used e.g. in multiplication in the prime field) that are especially fast on machines with wordsize 32. > > > > This means, if your hard- and software cannot take advantage of this property, you will not have any speedup compared > to using Brainpool curves. However, an adversary could make use of such a property to do faster cryptanalysis. And as > Maarten already stated, the process of creating the Brainpool curves has been very well documented, see http://www.ecc-brainpool.org/download/Domain-parameters.pdf > > > > Hence, if speed is not an issue or if your hard- and software is not tuned to NIST curves, it looks like you're better > off using Brainpool curves. > > Cheers, > Olaf > > > ----Ursprüngliche Nachricht---- > Von: tomasg@... > Datum: 06.10.2009 09:51 > An: "Maarten Bodewes"<maarten.bodewes@...> > Kopie: <dev-crypto@...> > Betreff: Re: [dev-crypto] ECC curve name from parameters > > ... > > Btw, is there any advantage with brainpool curves compared to nist and > certicom? > > Cheers, > Tomas > > > > |
| Free embeddable forum powered by Nabble | Forum Help |
