Change to quadratic twist-secure curve.

Signed-off-by: Daira Hopwood <daira@jacaranda.org>
2019-09-17 11:28:59 +01:00 · 2019-09-17 11:28:59 +01:00 · fc4c16613d
parent 6ca713d91f
commit fc4c16613d
7 changed files with 16 additions and 12 deletions
--- a/Ep/l
+++ b/Ep/l
@ -1 +1 @@
-28948022309329048855892746252171976963328925580104350145334818258365412540417
+28948022309329048855892746252171976963322203655954433126947083963168578338817
--- a/Ep/p
+++ b/Ep/p
@ -1 +1 @@
-28948022309329048855892746252171976963328925580104355652489057042149991776257
+28948022309329048855892746252171976963322203655955319056773317069363642105857
--- a/Ep/rigid
+++ b/Ep/rigid
@ -1 +1 @@
-somewhat rigid
+fully rigid
--- a/Eq/l
+++ b/Eq/l
@ -1 +1 @@
-28948022309329048855892746252171976963328925580104355652489057042149991776257
+28948022309329048855892746252171976963322203655955319056773317069363642105857
--- a/Eq/p
+++ b/Eq/p
@ -1 +1 @@
-28948022309329048855892746252171976963328925580104350145334818258365412540417
+28948022309329048855892746252171976963322203655954433126947083963168578338817
--- a/Eq/rigid
+++ b/Eq/rigid
@ -1 +1 @@
-somewhat rigid
+fully rigid
--- a/README.md
+++ b/README.md
@ -9,8 +9,8 @@ prime-order curves:

 with

-* p = 2^254 + 11429413694214642624661040171709366273
-* q = 2^254 + 11429413694209135470422256387130130433
+* p = 2^254 + 4707489545178046908921067385359695873
+* q = 2^254 + 4707489544292117082687961190295928833

 satisfy *some* of the [SafeCurves criteria](https://safecurves.cr.yp.to/index.html).

@ -22,14 +22,18 @@ The criteria that are *not* satisfied are, in summary:
  criterion);
 * ladder support (not possible for prime-order curves);
 * Elligator 2 support (indistinguishability is possible using
-  [Elligator Squared](https://ifca.ai/pub/fc14/paper_25.pdf), but not using Elligator 2);
-* twist security.
+  [Elligator Squared](https://ifca.ai/pub/fc14/paper_25.pdf), but not using Elligator 2).

 (Provisional) Tweedledum/Tweedledee is the first cycle output by
-``sage amicable.sage --nearpowerof2 255 30``.
+``sage amicable.sage --sequential --nearpowerof2 255 32``.
+
+(The `--sequential` option makes the output completely deterministic and so resolves
+ambiguity about which result is "first". For exploratory searches it is faster not to
+use `--sequential`.)

 **Which cycle we call Tweedledum/Tweedledee is subject to change as we make further
-optimizations to Halo.**
+optimizations and security enhancements to Halo, and has already changed several times
+from the initial draft of the paper.**

 Prerequisites: