
Topic: Alternative Elliptic Curve Coins (Read 1008 times)

legendary
Activity: 1066
Merit: 1050
Khazad ai-menu!
January 28, 2015, 01:13:51 PM
#3
Quote
Monero (and other CryptoNote coins) use EdDSA (you typoed:) for signatures, and Curve25519 for DH key exchange.

Honestly I don't know how much credence I'd put into that post, as the two he recommends (NIST P-256 and NIST P-384) are viewed as "unsafe" by DJB (Daniel J. Bernstein) - http://safecurves.cr.yp.to

I'd probably trust DJB more than the author of the blog post you referenced, which is why Monero has continued with Curve25519 and DJB's fast Schnorr algo (EdDSA). We will absolutely switch curves if sufficient evidence shows that the curves / algos we use are questionable.

Thanks for your reply and the correction (edited).  It looks like safecurves mostly is concerned with minimizing the ways that algos can be implemented badly, while the one I linked is mostly concerned about what has been used the most. 

Another criterion might be which one has the most immediately takeable cash riding on it. In that case secp256k1 would come out on top :)

 
donator
Activity: 1274
Merit: 1060
GetMonero.org / MyMonero.com
January 28, 2015, 12:50:29 PM
#2
Monero (and other CryptoNote coins) use EdDSA (you typoed:) for signatures, and Curve25519 for DH key exchange.

Honestly I don't know how much credence I'd put into that post, as the two he recommends (NIST P-256 and NIST P-384) are viewed as "unsafe" by DJB (Daniel J. Bernstein) - http://safecurves.cr.yp.to

I'd probably trust DJB more than the author of the blog post you referenced, which is why Monero has continued with Curve25519 and DJB's fast Schnorr algo (EdDSA). We will absolutely switch curves if sufficient evidence shows that the curves / algos we use are questionable.
legendary
Activity: 1066
Merit: 1050
Khazad ai-menu!
January 28, 2015, 11:13:49 AM
#1
I came across an interesting article on elliptic curve digital signatures.

http://infosecurity.ch/20100926/not-every-elliptic-curve-is-the-same-trough-on-ecc-security/

He comes to a remarkable conclusion:

Quote
I would like to state that Koblitz curves should be avoided, in any key size as they do not have enough warranty on crypto analytic activity and effectively they are:

    Not part of NSA Suite-B cryptography selection
    Not part of ECC Brainpool selection
    Not part of ANSI X9.62 selection
    Not part of OpenPGP ECC extension selection
    Not part of Kerberos extension for ECC curve selection


In general, I am not a huge fan of his analysis method, which is simply an appeal to authority rather than actual discussion of the curves. However, there may be something to it. It is worth pointing out that woodcoin is the only coin I know of which follows his recommendations.

The only other coins I know of which do not use Koblitz curves (in particular secp256k1) are the ones built with CryptoNote. CryptoNote uses EdDSA, which like Koblitz curves may have some advantages but according to the criteria of the linked article still fails to have been recommended by the various authorities.

Any comments and corrections, especially pointing me to alternative coins, would be greatly appreciated.  

-- funkenstein the dwarf