Why this over Curve448 and Ed448. Does the curve lend itself to an easier implementation? From what I can see there doesn't seem to be a compelling story here.
geocar•2h ago
No. The claim is that it's about as fast as 22519 but stronger than 448, and might be resistant to some specific attacks. If that's true, that is a good thing.
But please do not take this as endorsement: I don't think you or anyone else should use this.
448 and 22519 go to great lengths to "nothing-up-my-sleeves" the parameters, and this one just keeps saying "custom designed" parameters.
This might be my failing to find it, but it's something I've come to expect in serious crypto papers front-and-centre.
It might also be the subject of another paper the author is working on, mere naiveté (on the authors part or mine), or part of a deliberate attempt to infiltrate some other/popular piece of software (like OpenSSL).
commandersaki•1h ago
I only see performance comparisons with NIST P-521? I don’t even see a claim for performance on par with Curve25519.
commandersaki•2h ago
geocar•2h ago
But please do not take this as endorsement: I don't think you or anyone else should use this.
448 and 22519 go to great lengths to "nothing-up-my-sleeves" the parameters, and this one just keeps saying "custom designed" parameters.
This might be my failing to find it, but it's something I've come to expect in serious crypto papers front-and-centre.
It might also be the subject of another paper the author is working on, mere naiveté (on the authors part or mine), or part of a deliberate attempt to infiltrate some other/popular piece of software (like OpenSSL).
commandersaki•1h ago