--- Day changed Tue Nov 17 2015
01:03 < gmaxwell> Anyone have any theories why his example uses a field of F(2^226), http://www.embeddedrelated.com/showarticle/857/elliptic-curve-cryptography or rather, any theories OTHER than intentionally causing people to use parameters vulnerable to Weil descent??
01:40 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
02:05 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Quit: Leaving.]
02:05 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
02:05 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Client Quit]
02:51 -!- GAit [~GAit@2-228-102-98.ip191.fastwebnet.it] has joined #secp256k1
03:04 -!- sipa_ is now known as sipa
03:17 < Apocalyptic> gmaxwell, speaking of Weil descent and what we discussed earlier, I don't think Sage has the descent process built in. The only other implementation than the KASH program I found is some Magma functions documented at https://magma.maths.usyd.edu.au/magma/handbook/text/1414#crvell:ec_weil_desc
03:39 -!- Madars [~null@unaffiliated/madars] has joined #secp256k1
03:42 -!- GAit [~GAit@2-228-102-98.ip191.fastwebnet.it] has quit [Quit: Leaving.]
03:45 -!- GAit [~GAit@2-228-102-98.ip191.fastwebnet.it] has joined #secp256k1
04:44 -!- jtimon [~quassel@74.29.134.37.dynamic.jazztel.es] has joined #secp256k1
05:09 -!- GAit [~GAit@2-228-102-98.ip191.fastwebnet.it] has quit [Quit: Leaving.]
05:31 -!- GAit [~GAit@2-228-102-98.ip191.fastwebnet.it] has joined #secp256k1
06:08 -!- GAit [~GAit@2-228-102-98.ip191.fastwebnet.it] has quit [Quit: Leaving.]
09:14 < andytoshi> gmaxwell: there's a ton of fishy stuff in that link, I think he's just clueless
09:15 < andytoshi> "This means the hash of a pass phrase can be used and for very secure systems it never needs to be stored." is bizarre, "two dimensional curve" is wrong, giving the full Weierstrass form then saying "only for the reals or mod prime > 3"
09:51 -!- btcdrak [uid115429@gateway/web/irccloud.com/x-ycavaifvoqdrsxim] has quit [Ping timeout: 240 seconds]
09:53 -!- CodeShark [uid126576@gateway/web/irccloud.com/x-estmhssftbtzwzlu] has quit [Read error: Connection reset by peer]
09:55 -!- zmanian_ [uid113594@gateway/web/irccloud.com/x-hajqnxerbyvtyssb] has quit [Ping timeout: 250 seconds]
10:00 -!- maaku [~quassel@botbot.xen.prgmr.com] has quit [Ping timeout: 265 seconds]
10:28 < Apocalyptic> the "two dimensional curve" is particularly worrying
10:43 -!- andytoshi [~andytoshi@wpsoftware.net] has quit [Ping timeout: 250 seconds]
10:49 < gmaxwell> yea, but basically all these "u can ecc" articles are a bit clueless, that's not concerning. This is the first time I've seen someone use example parameters which were large enough to be cryptographic but not standard.
11:11 -!- zmanian_ [sid113594@gateway/web/irccloud.com/x-nhhpsseihgioqkpd] has joined #secp256k1
11:15 -!- btcdrak [uid115429@gateway/web/irccloud.com/x-nimlgqombgnllegr] has joined #secp256k1
11:17 -!- andytoshi [~andytoshi@wpsoftware.net] has joined #secp256k1
11:19 < gmaxwell> He replied to me on the article... very weird.
11:27 < Apocalyptic> "Many people prefer working over GF(p) directly for more security." sure, any curve over GF(p) is secure and the constants in the Weierstrass form don't matter... oh wait
11:40 -!- CodeShark [uid126576@gateway/web/irccloud.com/x-tktxznjpsgfjzthy] has joined #secp256k1
11:41 < andytoshi> gmaxwell: he comes off as having a very common "engineering" mindset of "as long as it's understood what is meant, there is no need to be pedantic", which is why he says stuff like "two-dimensional curves", which obviously means a curve in a 2D space but literally means something like a space-filling curve
11:42 < andytoshi> like, almost every line in that article is technically wrong, and I bet he'd defend them all by calling you a pedant or saying "good enough for me"
11:46 < Apocalyptic> "So a composite extension would be the same order as the base security (~2^113)" is this true? More generally, does the factorization of the exponent impact the genus of the hyperelliptic curve in this way?
12:02 -!- evoskuil [~evoskuil@c-73-225-134-208.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
12:10 < gmaxwell> Apocalyptic: I ~believe~ that's correct, you end up with a genius 2 curve over 2^113.
12:11 < sipa> a genius curve!
12:13 < gmaxwell> haha
12:39 -!- evoskuil [~evoskuil@c-73-225-134-208.hsd1.wa.comcast.net] has joined #secp256k1
12:59 < Apocalyptic> gmaxwell, he answered you citing a strange "type 1 optimal normal basis" concept
13:02 -!- evoskuil [~evoskuil@c-73-225-134-208.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
13:04 < gmaxwell> I certainly wouldn't be surprised if the construction results in faster arithmetic. But this kind of optimization stuff is way out of character with the article; my guess now is that he's just used that construction commercially and is defending it.
13:47 -!- belcher [~user@unaffiliated/belcher] has joined #secp256k1
18:18 -!- belcher [~user@unaffiliated/belcher] has quit [Quit: Leaving]
22:07 -!- jtimon [~quassel@74.29.134.37.dynamic.jazztel.es] has quit [Ping timeout: 240 seconds]