Please use Ed448-Goldilocks or named Curve448 (suggested) and Curve25519 only.
Curve448 potentially offers 224 bits of security, even safer than NIST P-384.
Curve25519 potentially offers 128 bits of security and is safer and faster than
NIST P-256. More importantly, they both have ECC security, not only ECDLP
security. ECC security is not equal to ECDLP security.
"Unfortunately, there is a gap between ECDLP difficulty and ECC security. None
of these standards do a good job of ensuring ECC security. There are many
attacks that break real-world ECC without solving ECDLP. The core problem is
that if you implement the standard curves, chances are you're doing it wrong:
- Your implementation produces incorrect results for some rare curve points.
- Your implementation leaks secret data when the input isn't a curve point.
- Your implementation leaks secret data through branch timing.
- Your implementation leaks secret data through cache timing."
(https://safecurves.cr.yp.to/)
And those curves are recommended by RFC 7748: 
https://tools.ietf.org/html/rfc7748
If possible, use Curve448 only. It's even safer than NIST P-384 and it's new.

Attachment: publickey - Tom255@protonmail.com - 0x26CCDADB.asc
Description: application/pgp-keys



_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
