Get ready to implement

https://tools.ietf.org/html/draft-ladd-safecurves

nice! thanks for sharing sage-kun

Page 9:
Point encoding is clear in both cases. To decode a point on an
Edwards curve with parameter d, one takes the y value and computes
Alternative encodings are used by existing software, and protocol
designers should be aware of this. Alternative encodings may be
useful if preexisting software is to be used without changes.

One takes the y value and computes what?

so who's up for a dc implementation?

elliptic curves

They're not playing around. This shit is impervious to Shor's algorithm. Implement it far and wide.

>>5
http://www.mathcs.richmond.edu/~jad/summerwork/ellipticcurvequantum.pdf That research is nearing 20 years old, but there's also http://arxiv.org/abs/quant-ph/0301141 which is more recent. I don't understand EC crypto myself beyond the basic idea, since I haven't read any actual papers dealing with it, so perhaps I'm wrong. Is Ladd's proposal a modification that is immune to the modified Shor's?

Of course, even if this stuff is only as good as existing crypto, it should be implemented. RSA is not above suspicion, but Caesar's wife must be.

>>3
Looks like a failed copy-paste from material referenced in http://www.ietf.org/mail-archive/web/cfrg/current/msg04015.html.

Point encoding is clear in both cases. To decode a point on an Edwards
curve with parameter d, one takes the y value and computes the
valuex^2, then takes the square root. Methods for taking the square
root are sadly highly prime-dependent, but [COHEN] contains a large
number of options.

^{(Perhaps nobody has raised the issue because they are intimidated by `Point encoding is clear'?)}

>>5
No it isn't.

http://crypto.cs.mcgill.ca/~crepeau/PDF/memoire-hong.pdf
http://arxiv.org/abs/quantph/0301141
http://pqcrypto.org/www.springer.com/cda/content/document/cda_downloaddocument/9783540887010-c1.pdf

>>7
There's really just three possibilities: the prime is 3 mod 4, or it is 5 mod 8, or it is 1 mod 8. In the first two cases there are efficient and deterministic algorithms for taking the square root; in the last case, there are somewhat efficient but non-deterministic algorithms.

Oh yes, and what I meant to say (and forgot) is that all of the Edwards curves listed in the above document are modulo a prime that is either 3 mod 4 or 5 mod 8.

The NSA supports elliptic curves though.

>>11
That probably means EC isn't perfect, but the links posted already show it's vulnerable to a version of Shor's, so we already know that. I know I'm being foolishly optimistic, but what if that they're just saying ``Yeah, what you're using now is backdoor'd as fuck, but since we've been propping up D-Wave to build fake chips, we're pretty confident that we have the only usable EC breakers. So go ahead and switch to EC before any more someone else finds out that RSA is vulnerable to ROT39. You'll still be no match against, us, but it will be only us.''?

>>12
That was almost coherent. Try again, you're bound to get it right eventually.

>>13
Take your epic ``shill'' meme back to the imagereddits, please.

>>14
Kindly suck my anus.

The only quantum-resistant cryptosystem is McEliece. Elliptic curve cryptography just scales better with the rise in classical computing power.

The future of cryptography are cryptosystems like McEliece and homomorphic encryption.